amend text in def.yml

Signed-off-by: AdamKorcz <[email protected]>
ossf · Sep 28, 2023 · c66893b · c66893b
1 parent c53f5a4
commit c66893b
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 25 deletions.
diff --git a/checks/evaluation/packaging.go b/checks/evaluation/packaging.go
@@ -18,7 +18,7 @@ import (
 	"github.com/ossf/scorecard/v4/checker"
 	sce "github.com/ossf/scorecard/v4/errors"
 	"github.com/ossf/scorecard/v4/finding"
-	"github.com/ossf/scorecard/v4/probes/packagedWithGithubActions"
+	"github.com/ossf/scorecard/v4/probes/packagedNpmWithGitHubWorkflow"
 )
 
 // Packaging applies the score policy for the Packaging check.
@@ -27,12 +27,12 @@ func Packaging(name string,
 	dl checker.DetailLogger,
 ) checker.CheckResult {
 	expectedProbes := []string{
-		packagedWithGithubActions.Probe,
+		packagedNpmWithGitHubWorkflow.Probe,
 	}
 
-	err := validateFindings(findings, expectedProbes)
-	if err != nil {
-		return checker.CreateRuntimeErrorResult(name, err)
+	if !finding.UniqueProbesEqual(findings, expectedProbes) {
+		e := sce.WithMessage(sce.ErrScorecardInternal, "invalid probe results")
+		return checker.CreateRuntimeErrorResult(name, e)
 	}
 
 	// Currently there is only a single packaging probe that returns
@@ -50,14 +50,3 @@ func Packaging(name string,
 	checker.LogFindings(nonNegativeFindings(findings), dl)
 	return checker.CreateMinScoreResult(name, "project is not published as package")
 }
-
-func validateFindings(findings []finding.Finding, expectedProbes []string) error {
-	if !finding.UniqueProbesEqual(findings, expectedProbes) {
-		return sce.WithMessage(sce.ErrScorecardInternal, "invalid probe results")
-	}
-
-	if len(findings) == 0 {
-		return sce.WithMessage(sce.ErrScorecardInternal, "found 0 findings. Should not happen")
-	}
-	return nil
-}
diff --git a/checks/evaluation/packaging_test.go b/checks/evaluation/packaging_test.go
@@ -33,7 +33,7 @@ func TestPackaging(t *testing.T) {
 			name: "test positive outcome",
 			findings: []finding.Finding{
 				{
-					Probe:   "packagedWithGithubActions",
+					Probe:   "packagedNpmWithGitHubWorkflow",
 					Outcome: finding.OutcomePositive,
 				},
 			},
@@ -59,7 +59,7 @@ func TestPackaging(t *testing.T) {
 			name: "test negative outcome",
 			findings: []finding.Finding{
 				{
-					Probe:   "packagedWithGithubActions",
+					Probe:   "packagedNpmWithGitHubWorkflow",
 					Outcome: finding.OutcomeNegative,
 				},
 			},

diff --git a/probes/entries.go b/probes/entries.go
@@ -24,7 +24,7 @@ import (
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedHaskell"
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedJavascript"
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedTypescript"
-	"github.com/ossf/scorecard/v4/probes/packagedWithGithubActions"
+	"github.com/ossf/scorecard/v4/probes/packagedNpmWithGitHubWorkflow"
 	"github.com/ossf/scorecard/v4/probes/securityPolicyContainsLinks"
 	"github.com/ossf/scorecard/v4/probes/securityPolicyContainsText"
 	"github.com/ossf/scorecard/v4/probes/securityPolicyContainsVulnerabilityDisclosure"
@@ -67,7 +67,7 @@ var (
 		fuzzedWithPropertyBasedJavascript.Run,
 	}
 	Packaging = []ProbeImpl{
-		packagedWithGithubActions.Run,
+		packagedNpmWithGitHubWorkflow.Run,
 	}
 )
 

diff --git a/probes/packagedWithGithubActions/def.yml → probes/packagedNpmWithGitHubWorkflow/def.yml b/probes/packagedWithGithubActions/def.yml → probes/packagedNpmWithGitHubWorkflow/def.yml
@@ -12,12 +12,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-id: packagedWithGithubActions
+id: packagedNpmWithGitHubWorkflow
 short: Check that the project is fuzzed using OSS-Fuzz
 motivation: >
   Packages give users of a project an easy way to download, install, update, and uninstall the software by a package manager. In particular, they make it easy for users to receive security patches as updates.
 implementation: >
-  The implementation checks all the packages of the project. If one of these packages do not have a debug message, then it is considered a release package and the probe returns a positive outcome.
+  The implementation checks whether a project uses common patterns for packaging across multiple ecosystems. Scorecard gets this by checking the projects workflows for specific uses of actions and build commands such as `docker push` or `mvn deploy`. 
 outcome:
   - If the project has a package without a debug message, the outcome is positive.
   - If the project has a package with a debug message, the outcome is negative.

diff --git a/probes/packagedWithGithubActions/impl.go → probes/packagedNpmWithGitHubWorkflow/impl.go b/probes/packagedWithGithubActions/impl.go → probes/packagedNpmWithGitHubWorkflow/impl.go
@@ -13,7 +13,7 @@
 // limitations under the License.
 
 // nolint:stylecheck
-package packagedWithGithubActions
+package packagedNpmWithGitHubWorkflow
 
 import (
 	"embed"
@@ -27,7 +27,7 @@ import (
 //go:embed *.yml
 var fs embed.FS
 
-const Probe = "packagedWithGithubActions"
+const Probe = "packagedNpmWithGitHubWorkflow"
 
 func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
 	if raw == nil {

diff --git a/...es/packagedWithGithubActions/impl_test.go → ...ackagedNpmWithGitHubWorkflow/impl_test.go b/...es/packagedWithGithubActions/impl_test.go → ...ackagedNpmWithGitHubWorkflow/impl_test.go
@@ -13,7 +13,7 @@
 // limitations under the License.
 
 // nolint:stylecheck
-package packagedWithGithubActions
+package packagedNpmWithGitHubWorkflow
 
 import (
 	"testing"