Skip to content

Commit

Permalink
Merge branch 'main' into pinned-deps-to-probes
Browse files Browse the repository at this point in the history
  • Loading branch information
AdamKorcz authored Feb 17, 2024
2 parents 153fb4e + 54690b4 commit d594ef5
Show file tree
Hide file tree
Showing 93 changed files with 916 additions and 1,306 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/lint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ jobs:
run: |
echo "GOLANGCI_LINT_VERSION=$(cd tools; go list -m -f '{{ .Version }}' github.com/golangci/golangci-lint)" >> "$GITHUB_ENV"
- name: golangci-lint
uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
with:
version: ${{ env.GOLANGCI_LINT_VERSION }}
only-new-issues: true
2 changes: 1 addition & 1 deletion attestor/policy/attestation_policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ import (
sclog "github.com/ossf/scorecard/v4/log"
)

//nolint:govet,musttag // JSON usage is test only
//nolint:govet
type AttestationPolicy struct {
// PreventBinaryArtifacts : set to true to require that this project's SCM repo is
// free of binary artifacts
Expand Down
1 change: 1 addition & 0 deletions attestor/policy/attestation_policy_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ import (
)

func (ap *AttestationPolicy) ToJSON() string {
//nolint:musttag
jsonbytes, err := json.Marshal(ap)
if err != nil {
return ""
Expand Down
1 change: 0 additions & 1 deletion checker/client_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,6 @@ import (
"github.com/ossf/scorecard/v4/log"
)

//nolint:paralleltest // because we are using t.Setenv.
func TestGetClients(t *testing.T) {
type args struct { //nolint:govet
ctx context.Context
Expand Down
58 changes: 15 additions & 43 deletions checks/evaluation/sast.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,34 +21,25 @@ import (
"github.com/ossf/scorecard/v4/checker"
sce "github.com/ossf/scorecard/v4/errors"
"github.com/ossf/scorecard/v4/finding"
"github.com/ossf/scorecard/v4/probes/sastToolCodeQLInstalled"
"github.com/ossf/scorecard/v4/probes/sastToolPysaInstalled"
"github.com/ossf/scorecard/v4/probes/sastToolQodanaInstalled"
"github.com/ossf/scorecard/v4/probes/sastToolConfigured"
"github.com/ossf/scorecard/v4/probes/sastToolRunsOnAllCommits"
"github.com/ossf/scorecard/v4/probes/sastToolSnykInstalled"
"github.com/ossf/scorecard/v4/probes/sastToolSonarInstalled"
)

// SAST applies the score policy for the SAST check.
func SAST(name string,
findings []finding.Finding, dl checker.DetailLogger,
) checker.CheckResult {
// We have 3 unique probes, each should have a finding.
expectedProbes := []string{
sastToolCodeQLInstalled.Probe,
sastToolPysaInstalled.Probe,
sastToolQodanaInstalled.Probe,
sastToolConfigured.Probe,
sastToolRunsOnAllCommits.Probe,
sastToolSonarInstalled.Probe,
sastToolSnykInstalled.Probe,
}

if !finding.UniqueProbesEqual(findings, expectedProbes) {
e := sce.WithMessage(sce.ErrScorecardInternal, "invalid probe results")
return checker.CreateRuntimeErrorResult(name, e)
}

var sastScore, codeQlScore, pysaScore, qodanaScore, snykScore, sonarScore int
var sastScore, codeQlScore, otherScore int
var err error
// Assign sastScore, codeQlScore and sonarScore
for i := range findings {
Expand All @@ -59,43 +50,24 @@ func SAST(name string,
if err != nil {
return checker.CreateRuntimeErrorResult(name, sce.WithMessage(sce.ErrScorecardInternal, err.Error()))
}
case sastToolCodeQLInstalled.Probe:
codeQlScore = getSastToolScore(f, dl)
case sastToolSnykInstalled.Probe:
snykScore = getSastToolScore(f, dl)
case sastToolPysaInstalled.Probe:
pysaScore = getSastToolScore(f, dl)
case sastToolQodanaInstalled.Probe:
qodanaScore = getSastToolScore(f, dl)
case sastToolSonarInstalled.Probe:
if f.Outcome == finding.OutcomePositive {
sonarScore = checker.MaxResultScore
dl.Info(&checker.LogMessage{
Text: f.Message,
Type: f.Location.Type,
Path: f.Location.Path,
Offset: *f.Location.LineStart,
EndOffset: *f.Location.LineEnd,
Snippet: *f.Location.Snippet,
})
} else if f.Outcome == finding.OutcomeNegative {
sonarScore = checker.MinResultScore
case sastToolConfigured.Probe:
tool, ok := f.Values[sastToolConfigured.ToolKey]
if f.Outcome == finding.OutcomePositive && !ok {
return checker.CreateRuntimeErrorResult(name, sce.WithMessage(sce.ErrScorecardInternal, "missing SAST tool"))
}
score := getSastToolScore(f, dl)
switch checker.SASTWorkflowType(tool) {
case checker.CodeQLWorkflow:
codeQlScore = score
default:
otherScore = score
}
}
}

if sonarScore == checker.MaxResultScore {
if otherScore == checker.MaxResultScore {
return checker.CreateMaxScoreResult(name, "SAST tool detected")
}
if snykScore == checker.MaxResultScore {
return checker.CreateMaxScoreResult(name, "SAST tool detected: Snyk")
}
if pysaScore == checker.MaxResultScore {
return checker.CreateMaxScoreResult(name, "SAST tool detected: Pysa")
}
if qodanaScore == checker.MaxResultScore {
return checker.CreateMaxScoreResult(name, "SAST tool detected: Qodana")
}

if sastScore == checker.InconclusiveResultScore &&
codeQlScore == checker.InconclusiveResultScore {
Expand Down
164 changes: 20 additions & 144 deletions checks/evaluation/sast_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,31 +19,21 @@ import (
"github.com/ossf/scorecard/v4/checker"
sce "github.com/ossf/scorecard/v4/errors"
"github.com/ossf/scorecard/v4/finding"
"github.com/ossf/scorecard/v4/probes/sastToolConfigured"
"github.com/ossf/scorecard/v4/probes/sastToolRunsOnAllCommits"
scut "github.com/ossf/scorecard/v4/utests"
)

func TestSAST(t *testing.T) {
snippet := "some code snippet"
sline := uint(10)
eline := uint(46)
t.Parallel()
tests := []struct {
name string
findings []finding.Finding
result scut.TestReturn
}{
{
name: "SAST - Missing a probe",
name: "SAST - Missing a probe (sastToolConfigured)",
findings: []finding.Finding{
{
Probe: "sastToolCodeQLInstalled",
Outcome: finding.OutcomePositive,
},
{
Probe: "sastToolSnykInstalled",
Outcome: finding.OutcomeNegative,
},
{
Probe: sastToolRunsOnAllCommits.Probe,
Outcome: finding.OutcomePositive,
Expand All @@ -55,24 +45,10 @@ func TestSAST(t *testing.T) {
},
},
{
name: "Sonar and codeQL is installed. Snyk, Qodana and Pysa are not installed.",
name: "Sonar and codeQL is installed",
findings: []finding.Finding{
{
Probe: "sastToolCodeQLInstalled",
Outcome: finding.OutcomePositive,
},
{
Probe: "sastToolSnykInstalled",
Outcome: finding.OutcomeNegative,
},
{
Probe: "sastToolPysaInstalled",
Outcome: finding.OutcomeNegative,
},
{
Probe: "sastToolQodanaInstalled",
Outcome: finding.OutcomeNegative,
},
tool(checker.SonarWorkflow),
tool(checker.CodeQLWorkflow),
{
Probe: sastToolRunsOnAllCommits.Probe,
Outcome: finding.OutcomePositive,
Expand All @@ -81,17 +57,6 @@ func TestSAST(t *testing.T) {
sastToolRunsOnAllCommits.TotalPRsKey: "2",
},
},
{
Probe: "sastToolSonarInstalled",
Outcome: finding.OutcomePositive,
Location: &finding.Location{
Type: finding.FileTypeSource,
Path: "path/to/file.txt",
LineStart: &sline,
LineEnd: &eline,
Snippet: &snippet,
},
},
},
result: scut.TestReturn{
Score: 10,
Expand All @@ -102,22 +67,7 @@ func TestSAST(t *testing.T) {
{
name: "Pysa is installed. CodeQL, Snyk, Qodana and Sonar are not installed.",
findings: []finding.Finding{
{
Probe: "sastToolCodeQLInstalled",
Outcome: finding.OutcomeNegative,
},
{
Probe: "sastToolSnykInstalled",
Outcome: finding.OutcomeNegative,
},
{
Probe: "sastToolPysaInstalled",
Outcome: finding.OutcomePositive,
},
{
Probe: "sastToolQodanaInstalled",
Outcome: finding.OutcomeNegative,
},
tool(checker.PysaWorkflow),
{
Probe: sastToolRunsOnAllCommits.Probe,
Outcome: finding.OutcomePositive,
Expand All @@ -126,10 +76,6 @@ func TestSAST(t *testing.T) {
sastToolRunsOnAllCommits.TotalPRsKey: "2",
},
},
{
Probe: "sastToolSonarInstalled",
Outcome: finding.OutcomeNegative,
},
},
result: scut.TestReturn{
Score: 10,
Expand All @@ -142,37 +88,11 @@ func TestSAST(t *testing.T) {
Does not have info about whether SAST runs
on every commit.`,
findings: []finding.Finding{
{
Probe: "sastToolCodeQLInstalled",
Outcome: finding.OutcomeNegative,
},
{
Probe: "sastToolSnykInstalled",
Outcome: finding.OutcomeNegative,
},
{
Probe: "sastToolQodanaInstalled",
Outcome: finding.OutcomeNegative,
},
{
Probe: "sastToolPysaInstalled",
Outcome: finding.OutcomeNegative,
},
tool(checker.SonarWorkflow),
{
Probe: sastToolRunsOnAllCommits.Probe,
Outcome: finding.OutcomeNotApplicable,
},
{
Probe: "sastToolSonarInstalled",
Outcome: finding.OutcomePositive,
Location: &finding.Location{
Type: finding.FileTypeSource,
Path: "path/to/file.txt",
LineStart: &sline,
LineEnd: &eline,
Snippet: &snippet,
},
},
},
result: scut.TestReturn{
Score: 10,
Expand All @@ -184,19 +104,7 @@ func TestSAST(t *testing.T) {
name: "Sonar, CodeQL, Snyk, Qodana and Pysa are not installed",
findings: []finding.Finding{
{
Probe: "sastToolCodeQLInstalled",
Outcome: finding.OutcomeNegative,
},
{
Probe: "sastToolSnykInstalled",
Outcome: finding.OutcomeNegative,
},
{
Probe: "sastToolPysaInstalled",
Outcome: finding.OutcomeNegative,
},
{
Probe: "sastToolQodanaInstalled",
Probe: sastToolConfigured.Probe,
Outcome: finding.OutcomeNegative,
},
{
Expand All @@ -207,10 +115,6 @@ func TestSAST(t *testing.T) {
sastToolRunsOnAllCommits.TotalPRsKey: "3",
},
},
{
Probe: "sastToolSonarInstalled",
Outcome: finding.OutcomeNegative,
},
},
result: scut.TestReturn{
Score: 3,
Expand All @@ -221,14 +125,7 @@ func TestSAST(t *testing.T) {
{
name: "Snyk is installed, Sonar, Qodana and CodeQL are not installed",
findings: []finding.Finding{
{
Probe: "sastToolCodeQLInstalled",
Outcome: finding.OutcomeNegative,
},
{
Probe: "sastToolSnykInstalled",
Outcome: finding.OutcomePositive,
},
tool(checker.SnykWorkflow),
{
Probe: sastToolRunsOnAllCommits.Probe,
Outcome: finding.OutcomePositive,
Expand All @@ -237,18 +134,6 @@ func TestSAST(t *testing.T) {
sastToolRunsOnAllCommits.TotalPRsKey: "3",
},
},
{
Probe: "sastToolSonarInstalled",
Outcome: finding.OutcomeNegative,
},
{
Probe: "sastToolPysaInstalled",
Outcome: finding.OutcomeNegative,
},
{
Probe: "sastToolQodanaInstalled",
Outcome: finding.OutcomeNegative,
},
},
result: scut.TestReturn{
Score: 10,
Expand All @@ -259,14 +144,7 @@ func TestSAST(t *testing.T) {
{
name: "Qodana is installed, Snyk, Sonar, and CodeQL are not installed",
findings: []finding.Finding{
{
Probe: "sastToolCodeQLInstalled",
Outcome: finding.OutcomeNegative,
},
{
Probe: "sastToolSnykInstalled",
Outcome: finding.OutcomeNegative,
},
tool(checker.QodanaWorkflow),
{
Probe: sastToolRunsOnAllCommits.Probe,
Outcome: finding.OutcomePositive,
Expand All @@ -275,18 +153,6 @@ func TestSAST(t *testing.T) {
sastToolRunsOnAllCommits.TotalPRsKey: "3",
},
},
{
Probe: "sastToolSonarInstalled",
Outcome: finding.OutcomeNegative,
},
{
Probe: "sastToolPysaInstalled",
Outcome: finding.OutcomeNegative,
},
{
Probe: "sastToolQodanaInstalled",
Outcome: finding.OutcomePositive,
},
},
result: scut.TestReturn{
Score: 10,
Expand All @@ -305,3 +171,13 @@ func TestSAST(t *testing.T) {
})
}
}

func tool(name checker.SASTWorkflowType) finding.Finding {
return finding.Finding{
Probe: sastToolConfigured.Probe,
Outcome: finding.OutcomePositive,
Values: map[string]string{
sastToolConfigured.ToolKey: string(name),
},
}
}
Loading

0 comments on commit d594ef5

Please sign in to comment.