🌱 convert binary artifact check to probe (#3508)

* 🌱 convert binary artifact check to probe Signed-off-by: AdamKorcz <[email protected]> * Reword motivation Signed-off-by: AdamKorcz <[email protected]> * remove unused variable in test Signed-off-by: AdamKorcz <[email protected]> * remove positiveOutcome() and length check Signed-off-by: AdamKorcz <[email protected]> * fix wrong check name Signed-off-by: AdamKorcz <[email protected]> * Split into two probes: One with and one without gradle-wrappers Signed-off-by: AdamKorcz <[email protected]> * Add description about what Scorecard considers a verified binary Signed-off-by: Adam Korczynski <[email protected]> * change 'trusted' to 'verified' Signed-off-by: Adam Korczynski <[email protected]> * remove nil check Signed-off-by: Adam Korczynski <[email protected]> * remove filtering Signed-off-by: Adam Korczynski <[email protected]> * use const scores in tests Signed-off-by: Adam Korczynski <[email protected]> * rename test Signed-off-by: Adam Korczynski <[email protected]> * add sanity check in loop Signed-off-by: Adam Korczynski <[email protected]> * rename binary file const Signed-off-by: Adam Korczynski <[email protected]> --------- Signed-off-by: AdamKorcz <[email protected]> Signed-off-by: Adam Korczynski <[email protected]>
ossf · Dec 5, 2023 · cb721a8 · cb721a8
1 parent 483cc31
commit cb721a8
Show file tree

Hide file tree

Showing 13 changed files with 637 additions and 263 deletions.
diff --git a/checks/binary_artifact.go b/checks/binary_artifact.go
@@ -19,6 +19,8 @@ import (
 	"github.com/ossf/scorecard/v4/checks/evaluation"
 	"github.com/ossf/scorecard/v4/checks/raw"
 	sce "github.com/ossf/scorecard/v4/errors"
+	"github.com/ossf/scorecard/v4/probes"
+	"github.com/ossf/scorecard/v4/probes/zrunner"
 )
 
 // CheckBinaryArtifacts is the exported name for Binary-Artifacts check.
@@ -38,17 +40,22 @@ func init() {
 
 // BinaryArtifacts  will check the repository contains binary artifacts.
 func BinaryArtifacts(c *checker.CheckRequest) checker.CheckResult {
-	rawData, err := raw.BinaryArtifacts(c.RepoClient)
+	rawData, err := raw.BinaryArtifacts(c)
 	if err != nil {
 		e := sce.WithMessage(sce.ErrScorecardInternal, err.Error())
 		return checker.CreateRuntimeErrorResult(CheckBinaryArtifacts, e)
 	}
 
-	// Return raw results.
-	if c.RawResults != nil {
-		c.RawResults.BinaryArtifactResults = rawData
+	// Set the raw results.
+	pRawResults := getRawResults(c)
+	pRawResults.BinaryArtifactResults = rawData
+
+	// Evaluate the probes.
+	findings, err := zrunner.Run(pRawResults, probes.BinaryArtifacts)
+	if err != nil {
+		e := sce.WithMessage(sce.ErrScorecardInternal, err.Error())
+		return checker.CreateRuntimeErrorResult(CheckBinaryArtifacts, e)
 	}
 
-	// Return the score evaluation.
-	return evaluation.BinaryArtifacts(CheckBinaryArtifacts, c.Dlogger, &rawData)
+	return evaluation.BinaryArtifacts(CheckBinaryArtifacts, findings, c.Dlogger)
 }
diff --git a/checks/evaluation/binary_artifacts.go b/checks/evaluation/binary_artifacts.go
@@ -18,33 +18,46 @@ import (
 	"github.com/ossf/scorecard/v4/checker"
 	sce "github.com/ossf/scorecard/v4/errors"
 	"github.com/ossf/scorecard/v4/finding"
+	"github.com/ossf/scorecard/v4/probes/freeOfUnverifiedBinaryArtifacts"
 )
 
 // BinaryArtifacts applies the score policy for the Binary-Artifacts check.
-func BinaryArtifacts(name string, dl checker.DetailLogger,
-	r *checker.BinaryArtifactData,
+func BinaryArtifacts(name string,
+	findings []finding.Finding,
+	dl checker.DetailLogger,
 ) checker.CheckResult {
-	if r == nil {
-		e := sce.WithMessage(sce.ErrScorecardInternal, "empty raw data")
+	expectedProbes := []string{
+		freeOfUnverifiedBinaryArtifacts.Probe,
+	}
+
+	if !finding.UniqueProbesEqual(findings, expectedProbes) {
+		e := sce.WithMessage(sce.ErrScorecardInternal, "invalid probe results")
 		return checker.CreateRuntimeErrorResult(name, e)
 	}
 
-	// Apply the policy evaluation.
-	if r.Files == nil || len(r.Files) == 0 {
+	if findings[0].Outcome == finding.OutcomePositive {
 		return checker.CreateMaxScoreResult(name, "no binaries found in the repo")
 	}
 
-	score := checker.MaxResultScore
-	for _, f := range r.Files {
+	for i := range findings {
+		f := &findings[i]
+		if f.Outcome != finding.OutcomeNegative {
+			continue
+		}
 		dl.Warn(&checker.LogMessage{
-			Path: f.Path, Type: finding.FileTypeBinary,
-			Offset: f.Offset,
+			Path:   f.Location.Path,
+			Type:   f.Location.Type,
+			Offset: *f.Location.LineStart,
 			Text:   "binary detected",
 		})
-		// We remove one point for each binary.
-		score--
 	}
 
+	// There are only negative findings.
+	// Deduct the number of findings from max score
+	numberOfBinaryFilesFound := len(findings)
+
+	score := checker.MaxResultScore - numberOfBinaryFilesFound
+
 	if score < checker.MinResultScore {
 		score = checker.MinResultScore
 	}