Merge remote-tracking branch 'upstream/main' into gitlab-e2e-testfixes

ossf · May 23, 2023 · 8a09974 · 8a09974
2 parents edb5ba7 + e0a6d15
commit 8a09974
Show file tree

Hide file tree

Showing 32 changed files with 2,298 additions and 244 deletions.
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -16,9 +16,6 @@
 name: Integration tests
 
 on:
-  push:
-    branches:
-      - main # The e2e coverage is required to be run on main branch to get the coverage report
   pull_request:
     branches:
       - main

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -70,6 +70,20 @@ jobs:
        with:
          files: ./unit-coverage.out
          verbose: true
+     - name: Run PAT Token E2E  #using retry because the GitHub token is being throttled.
+       uses: nick-invision/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd
+       env:
+          GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }}
+       with:
+          max_attempts: 3
+          retry_on: error
+          timeout_minutes: 30
+          command: make e2e-pat
+     - name: codecov
+       uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # 2.1.0
+       with:
+         files: "*e2e-coverage.out"
+         verbose: true
   generate-mocks:
     name: generate-mocks
     runs-on: ubuntu-latest

diff --git a/README.md b/README.md
@@ -559,6 +559,17 @@ __Maintainers__ are listed in the [CODEOWNERS file](.github/CODEOWNERS).
 
 To report a security issue, please follow instructions [here](SECURITY.md).
 
+### Join the Scorecards Project Meeting
+
+#### Zoom 
+
+We meet every other Thursday - 4p ET on this [zoom link](https://zoom.us/j/98835923979?pwd=RG5JZ3czZEtmRDlGdms0ZktmMFQvUT09). 
+
+#### Agenda
+
+You can see the [agenda and meeting notes here](https://docs.google.com/document/d/1dB2U7_qZpNW96vtuoG7ShmgKXzIg6R5XT5Tc-0yz6kE/edit#). 
+
+
 ## Stargazers over time
 
 [![Stargazers over time](https://starchart.cc/ossf/scorecard.svg)](https://starchart.cc/ossf/scorecard)

diff --git a/checker/check_result.go b/checker/check_result.go
@@ -193,3 +193,26 @@ func CreateRuntimeErrorResult(name string, e error) CheckResult {
 		Reason:  e.Error(), // Note: message already accessible by caller thru `Error`.
 	}
 }
+
+// LogFindings logs the list of findings.
+func LogFindings(findings []finding.Finding, dl DetailLogger) error {
+	for i := range findings {
+		f := &findings[i]
+		switch f.Outcome {
+		case finding.OutcomeNegative:
+			dl.Warn(&LogMessage{
+				Finding: f,
+			})
+		case finding.OutcomePositive:
+			dl.Info(&LogMessage{
+				Finding: f,
+			})
+		default:
+			dl.Debug(&LogMessage{
+				Finding: f,
+			})
+		}
+	}
+
+	return nil
+}
diff --git a/checker/raw_result.go b/checker/raw_result.go
@@ -242,7 +242,6 @@ type SignedReleasesData struct {
 // for the Dependency-Update-Tool check.
 type DependencyUpdateToolData struct {
 	// Tools contains a list of tools.
-	// Note: we only populate one entry at most.
 	Tools []Tool
 }
 
@@ -375,3 +374,24 @@ type TokenPermission struct {
 	Msg          *string
 	Type         PermissionLevel
 }
+
+// Location generates location from a file.
+func (f *File) Location() *finding.Location {
+	// TODO(2626): merge location and path.
+	if f == nil {
+		return nil
+	}
+	loc := &finding.Location{
+		Type:      f.Type,
+		Path:      f.Path,
+		LineStart: &f.Offset,
+	}
+	if f.EndOffset != 0 {
+		loc.LineEnd = &f.EndOffset
+	}
+	if f.Snippet != "" {
+		loc.Snippet = &f.Snippet
+	}
+
+	return loc
+}
diff --git a/checks/dependency_update_tool.go b/checks/dependency_update_tool.go
@@ -19,12 +19,13 @@ import (
 	"github.com/ossf/scorecard/v4/checks/evaluation"
 	"github.com/ossf/scorecard/v4/checks/raw"
 	sce "github.com/ossf/scorecard/v4/errors"
+	"github.com/ossf/scorecard/v4/probes"
 )
 
 // CheckDependencyUpdateTool is the exported name for Automatic-Depdendency-Update.
 const CheckDependencyUpdateTool = "Dependency-Update-Tool"
 
-//nolint
+// nolint
 func init() {
 	supportedRequestTypes := []checker.RequestType{
 		checker.FileBased,
@@ -48,6 +49,13 @@ func DependencyUpdateTool(c *checker.CheckRequest) checker.CheckResult {
 		c.RawResults.DependencyUpdateToolResults = rawData
 	}
 
+	// Evaluate the probes.
+	findings, err := evaluateProbes(c, CheckDependencyUpdateTool, probes.DependencyToolUpdates)
+	if err != nil {
+		e := sce.WithMessage(sce.ErrScorecardInternal, err.Error())
+		return checker.CreateRuntimeErrorResult(CheckDependencyUpdateTool, e)
+	}
+
 	// Return the score evaluation.
-	return evaluation.DependencyUpdateTool(CheckDependencyUpdateTool, c.Dlogger, &rawData)
+	return evaluation.DependencyUpdateTool(CheckDependencyUpdateTool, findings)
 }
diff --git a/checks/dependency_update_tool_test.go b/checks/dependency_update_tool_test.go
@@ -51,6 +51,7 @@ func TestDependencyUpdateTool(t *testing.T) {
 			CallSearchCommits: 0,
 			expected: scut.TestReturn{
 				NumberOfInfo: 1,
+				NumberOfWarn: 3,
 				Score:        10,
 			},
 		},
@@ -63,6 +64,7 @@ func TestDependencyUpdateTool(t *testing.T) {
 			CallSearchCommits: 0,
 			expected: scut.TestReturn{
 				NumberOfInfo: 1,
+				NumberOfWarn: 3,
 				Score:        10,
 			},
 		},
@@ -75,7 +77,7 @@ func TestDependencyUpdateTool(t *testing.T) {
 			SearchCommits:     []clients.Commit{{Committer: clients.User{ID: 111111111}}},
 			CallSearchCommits: 1,
 			expected: scut.TestReturn{
-				NumberOfWarn: 1,
+				NumberOfWarn: 4,
 			},
 		},
 		{
@@ -87,7 +89,7 @@ func TestDependencyUpdateTool(t *testing.T) {
 			SearchCommits:     []clients.Commit{},
 			CallSearchCommits: 1,
 			expected: scut.TestReturn{
-				NumberOfWarn: 1,
+				NumberOfWarn: 4,
 			},
 		},
 
@@ -101,20 +103,22 @@ func TestDependencyUpdateTool(t *testing.T) {
 			CallSearchCommits: 1,
 			expected: scut.TestReturn{
 				NumberOfInfo: 1,
+				NumberOfWarn: 3,
 				Score:        10,
 			},
 		},
 		{
 			name:    "found in commits 2",
 			wantErr: false,
 			files:   []string{},
-			SearchCommits: []clients.Commit{{Committer: clients.User{ID: 111111111}},
+			SearchCommits: []clients.Commit{
+				{Committer: clients.User{ID: 111111111}},
 				{Committer: clients.User{ID: dependabotID}},
 			},
-
 			CallSearchCommits: 1,
 			expected: scut.TestReturn{
 				NumberOfInfo: 1,
+				NumberOfWarn: 3,
 				Score:        10,
 			},
 		},
@@ -125,12 +129,14 @@ func TestDependencyUpdateTool(t *testing.T) {
 			files: []string{
 				".github/foobar.yml",
 			},
-			SearchCommits: []clients.Commit{{Committer: clients.User{ID: 111111111}},
+			SearchCommits: []clients.Commit{
+				{Committer: clients.User{ID: 111111111}},
 				{Committer: clients.User{ID: dependabotID}},
 			},
 			CallSearchCommits: 1,
 			expected: scut.TestReturn{
 				NumberOfInfo: 1,
+				NumberOfWarn: 3,
 				Score:        10,
 			},
 		},
@@ -144,9 +150,11 @@ func TestDependencyUpdateTool(t *testing.T) {
 			mockRepo.EXPECT().ListFiles(gomock.Any()).Return(tt.files, nil)
 			mockRepo.EXPECT().SearchCommits(gomock.Any()).Return(tt.SearchCommits, nil).Times(tt.CallSearchCommits)
 			dl := scut.TestDetailLogger{}
+			raw := checker.RawResults{}
 			c := &checker.CheckRequest{
 				RepoClient: mockRepo,
 				Dlogger:    &dl,
+				RawResults: &raw,
 			}
 			res := DependencyUpdateTool(c)
 

diff --git a/checks/evaluation/dependency_update_tool.go b/checks/evaluation/dependency_update_tool.go
@@ -15,51 +15,20 @@
 package evaluation
 
 import (
-	"fmt"
-
 	"github.com/ossf/scorecard/v4/checker"
-	sce "github.com/ossf/scorecard/v4/errors"
+	"github.com/ossf/scorecard/v4/finding"
 )
 
 // DependencyUpdateTool applies the score policy for the Dependency-Update-Tool check.
-func DependencyUpdateTool(name string, dl checker.DetailLogger,
-	r *checker.DependencyUpdateToolData,
+func DependencyUpdateTool(name string,
+	findings []finding.Finding,
 ) checker.CheckResult {
-	if r == nil {
-		e := sce.WithMessage(sce.ErrScorecardInternal, "empty raw data")
-		return checker.CreateRuntimeErrorResult(name, e)
-	}
-
-	// Apply the policy evaluation.
-	if r.Tools == nil || len(r.Tools) == 0 {
-		dl.Warn(&checker.LogMessage{
-			Text: `Config file not detected in source location for dependabot, renovatebot, Sonatype Lift, or
-			PyUp (Python). We recommend setting this configuration in code so it can be easily verified by others.`,
-		})
-		return checker.CreateMinScoreResult(name, "no update tool detected")
-	}
-
-	// Validate the input.
-	if len(r.Tools) != 1 {
-		e := sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("found %d tools, expected 1", len(r.Tools)))
-		return checker.CreateRuntimeErrorResult(name, e)
-	}
-
-	if r.Tools[0].Files == nil {
-		e := sce.WithMessage(sce.ErrScorecardInternal, "Files are nil")
-		return checker.CreateRuntimeErrorResult(name, e)
-	}
-
-	// Iterate over all the files, since a Tool can contain multiple files.
-	for _, file := range r.Tools[0].Files {
-		dl.Info(&checker.LogMessage{
-			Path:   file.Path,
-			Type:   file.Type,
-			Offset: file.Offset,
-			Text:   fmt.Sprintf("%s detected", r.Tools[0].Name),
-		})
+	for i := range findings {
+		f := &findings[i]
+		if f.Outcome == finding.OutcomePositive {
+			return checker.CreateMaxScoreResult(name, "update tool detected")
+		}
 	}
 
-	// High score result.
-	return checker.CreateMaxScoreResult(name, "update tool detected")
+	return checker.CreateMinScoreResult(name, "no update tool detected")
 }