diff --git a/checks/evaluation/packaging.go b/checks/evaluation/packaging.go
index ce86bfb14877..b560a2d605b2 100644
--- a/checks/evaluation/packaging.go
+++ b/checks/evaluation/packaging.go
@@ -18,7 +18,7 @@ import (
 	"github.com/ossf/scorecard/v4/checker"
 	sce "github.com/ossf/scorecard/v4/errors"
 	"github.com/ossf/scorecard/v4/finding"
-	"github.com/ossf/scorecard/v4/probes/packagedWithGithubActions"
+	"github.com/ossf/scorecard/v4/probes/packagedNpmWithGitHubWorkflow"
 )
 
 // Packaging applies the score policy for the Packaging check.
@@ -27,12 +27,12 @@ func Packaging(name string,
 	dl checker.DetailLogger,
 ) checker.CheckResult {
 	expectedProbes := []string{
-		packagedWithGithubActions.Probe,
+		packagedNpmWithGitHubWorkflow.Probe,
 	}
 
-	err := validateFindings(findings, expectedProbes)
-	if err != nil {
-		return checker.CreateRuntimeErrorResult(name, err)
+	if !finding.UniqueProbesEqual(findings, expectedProbes) {
+		e := sce.WithMessage(sce.ErrScorecardInternal, "invalid probe results")
+		return checker.CreateRuntimeErrorResult(name, e)
 	}
 
 	// Currently there is only a single packaging probe that returns
@@ -50,14 +50,3 @@ func Packaging(name string,
 	checker.LogFindings(nonNegativeFindings(findings), dl)
 	return checker.CreateMinScoreResult(name, "project is not published as package")
 }
-
-func validateFindings(findings []finding.Finding, expectedProbes []string) error {
-	if !finding.UniqueProbesEqual(findings, expectedProbes) {
-		return sce.WithMessage(sce.ErrScorecardInternal, "invalid probe results")
-	}
-
-	if len(findings) == 0 {
-		return sce.WithMessage(sce.ErrScorecardInternal, "found 0 findings. Should not happen")
-	}
-	return nil
-}
diff --git a/checks/evaluation/packaging_test.go b/checks/evaluation/packaging_test.go
index 18aeb055635e..fd89909ee270 100644
--- a/checks/evaluation/packaging_test.go
+++ b/checks/evaluation/packaging_test.go
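Review bot: The inlined check in the second hunk drops the `len(findings) == 0` guard that `validateFindings` (deleted in the third hunk of this file) applied after the probe-set comparison, and nothing in the new code states why that is safe. Whether it matters depends on `finding.UniqueProbesEqual`, whose body is not in this diff: if it compares the set of probe names present in `findings` with `expectedProbes`, an empty slice already fails because `expectedProbes` holds one entry and the guard was redundant; if it treats empty input differently, the scoring code below the hunk would now run on zero findings. A one-line comment on the new `if` would pin that assumption for the next reader, e.g. `// An empty findings slice also fails here, since expectedProbes is never empty.` `Packaging` begins and ends outside this hunk.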
@@ -33,7 +33,7 @@ func TestPackaging(t *testing.T) {
 			name: "test positive outcome",
 			findings: []finding.Finding{
 				{
-					Probe:   "packagedWithGithubActions",
+					Probe:   "packagedNpmWithGitHubWorkflow",
 					Outcome: finding.OutcomePositive,
 				},
 			},
@@ -59,7 +59,7 @@ func TestPackaging(t *testing.T) {
 			name: "test negative outcome",
 			findings: []finding.Finding{
 				{
-					Probe:   "packagedWithGithubActions",
+					Probe:   "packagedNpmWithGitHubWorkflow",
 					Outcome: finding.OutcomeNegative,
 				},
 			},
diff --git a/probes/entries.go b/probes/entries.go
index ce9869bbdfae..41a2c29aef76 100644
--- a/probes/entries.go
+++ b/probes/entries.go
@@ -24,7 +24,7 @@ import (
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedHaskell"
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedJavascript"
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedTypescript"
-	"github.com/ossf/scorecard/v4/probes/packagedWithGithubActions"
+	"github.com/ossf/scorecard/v4/probes/packagedNpmWithGitHubWorkflow"
 	"github.com/ossf/scorecard/v4/probes/securityPolicyContainsLinks"
 	"github.com/ossf/scorecard/v4/probes/securityPolicyContainsText"
 	"github.com/ossf/scorecard/v4/probes/securityPolicyContainsVulnerabilityDisclosure"
@@ -67,7 +67,7 @@ var (
 		fuzzedWithPropertyBasedJavascript.Run,
 	}
 	Packaging = []ProbeImpl{
-		packagedWithGithubActions.Run,
+		packagedNpmWithGitHubWorkflow.Run,
 	}
 )
 
diff --git a/probes/packagedWithGithubActions/def.yml b/probes/packagedNpmWithGitHubWorkflow/def.yml
similarity index 80%
rename from probes/packagedWithGithubActions/def.yml
rename to probes/packagedNpmWithGitHubWorkflow/def.yml
index 8ace205660c0..dfa72d5746c2 100644
--- a/probes/packagedWithGithubActions/def.yml
+++ b/probes/packagedNpmWithGitHubWorkflow/def.yml
@@ -12,12 +12,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-id: packagedWithGithubActions
+id: packagedNpmWithGitHubWorkflow
 short: Check that the project is fuzzed using OSS-Fuzz
 motivation: >
   Packages give users of a project an easy way to download, install, update, and uninstall the software by a package manager. In particular, they make it easy for users to receive security patches as updates.
 implementation: >
-  The implementation checks all the packages of the project. If one of these packages do not have a debug message, then it is considered a release package and the probe returns a positive outcome.
+  The implementation checks whether a project uses common patterns for packaging across multiple ecosystems. Scorecard gets this by checking the projects workflows for specific uses of actions and build commands such as `docker push` or `mvn deploy`.
 outcome:
   - If the project has a package without a debug message, the outcome is positive.
   - If the project has a package with a debug message, the outcome is negative.
diff --git a/probes/packagedWithGithubActions/impl.go b/probes/packagedNpmWithGitHubWorkflow/impl.go
similarity index 95%
rename from probes/packagedWithGithubActions/impl.go
rename to probes/packagedNpmWithGitHubWorkflow/impl.go
index 658ccea33e18..85e59bc21fe7 100644
--- a/probes/packagedWithGithubActions/impl.go
+++ b/probes/packagedNpmWithGitHubWorkflow/impl.go
@@ -13,7 +13,7 @@
 // limitations under the License.
 
 // nolint:stylecheck
-package packagedWithGithubActions
+package packagedNpmWithGitHubWorkflow
 
 import (
 	"embed"
@@ -27,7 +27,7 @@ import (
 //go:embed *.yml
 var fs embed.FS
 
-const Probe = "packagedWithGithubActions"
+const Probe = "packagedNpmWithGitHubWorkflow"
 
 func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
 	if raw == nil {
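Review bot: The probe definition in this hunk now contradicts itself: the new `id` is `packagedNpmWithGitHubWorkflow`, yet the new `implementation` text describes packaging "across multiple ecosystems" with `docker push` and `mvn deploy`, while the unchanged `outcome` bullets still talk about a "debug message" that the new description never mentions, and the unchanged `short` says the project is fuzzed with OSS-Fuzz. Because `impl.go` embeds this file (`//go:embed *.yml`), the text presumably reaches users through findings, so the mismatch is visible rather than cosmetic. Either the id should match the multi-ecosystem description or the description should be narrowed to npm, and the `outcome` bullets could be rewritten as `- If a workflow that publishes the package is found, the outcome is positive.` / `- Otherwise, the outcome is negative.`; `projects workflows` should also read `project's workflows`.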
diff --git a/probes/packagedWithGithubActions/impl_test.go b/probes/packagedNpmWithGitHubWorkflow/impl_test.go
similarity index 98%
rename from probes/packagedWithGithubActions/impl_test.go
rename to probes/packagedNpmWithGitHubWorkflow/impl_test.go
index 5d4e5e2b13a3..d156424bd7df 100644
--- a/probes/packagedWithGithubActions/impl_test.go
+++ b/probes/packagedNpmWithGitHubWorkflow/impl_test.go
@@ -13,7 +13,7 @@
 // limitations under the License.
 
 // nolint:stylecheck
-package packagedWithGithubActions
+package packagedNpmWithGitHubWorkflow
 
 import (
 	"testing"