revised the score value based on observation of one *or more* url(s) …

…or one email(s) found; unit tests update accordingly Signed-off-by: Scott Hissam <[email protected]>
ossf · Aug 30, 2022 · fdb4751 · fdb4751
1 parent 9e0215b
commit fdb4751
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 35 deletions.
diff --git a/checks/evaluation/security_policy.go b/checks/evaluation/security_policy.go
@@ -52,30 +52,18 @@ func scoreSecurityCriteria(f checker.File, info []checker.SecurityPolicyInformat
 		Text: "",
 	}
 
-	// #1: found one linked (email/http) content: score += 3
-	//     rationale: someone to collaborate with or link to
-	//     information (strong for community)
-	if urls >= 1 || emails >= 1 {
-		score += 3
+	// #1: more than one unique (email/http) linked content found: score += 6
+	//     rationale: if more than one link, even stronger for the community
+	if (urls + emails) > 0 {
+		score += 6
 		msg.Text = "Found linked content in security policy"
 		dl.Info(&msg)
 	} else {
 		msg.Text = "no email or URL found in security policy"
 		dl.Warn(&msg)
 	}
 
-	// #2: more than one unique (email/http) linked content found: score += 3
-	//     rationale: if more than one link, even stronger for the community
-	if (urls + emails) > 1 {
-		score += 3
-		msg.Text = "Found multiple linked content in security policy"
-		dl.Info(&msg)
-	} else {
-		msg.Text = "Only one email or URL (if any) found in security policy"
-		dl.Warn(&msg)
-	}
-
-	// #3: more bytes than the sum of the length of all the linked content found: score += 3
+	// #2: more bytes than the sum of the length of all the linked content found: score += 3
 	//     rationale: there appears to be information and context around those links
 	//     no credit if there is just a link to a site or an email address (those given above)
 	//     the test here is that each piece of linked content will likely contain a space
@@ -89,7 +77,7 @@ func scoreSecurityCriteria(f checker.File, info []checker.SecurityPolicyInformat
 		dl.Warn(&msg)
 	}
 
-	// #4: found whole number(s) and or match(es) to "Disclos" and or "Vuln": score += 1
+	// #3: found whole number(s) and or match(es) to "Disclos" and or "Vuln": score += 1
 	//     rationale: works towards the intent of the security policy file
 	//     regarding whom to contact about vuls and disclosures and timing
 	//     e.g., we'll disclose, report a vulnerabily, 30 days, etc.

diff --git a/checks/security_policy_test.go b/checks/security_policy_test.go
@@ -44,20 +44,20 @@ func TestSecurityPolicy(t *testing.T) {
 			},
 			want: scut.TestReturn{
 				Score:        10,
-				NumberOfInfo: 5,
+				NumberOfInfo: 4,
 				NumberOfWarn: 0,
 			},
 		},
 		{
 			name: ".github/security.md",
-			path: "./testdata/securitypolicy/07_realworld",
+			path: "./testdata/securitypolicy/10_realworldtwo",
 			files: []string{
 				".github/security.md",
 			},
 			want: scut.TestReturn{
-				Score:        7,
+				Score:        10,
 				NumberOfInfo: 4,
-				NumberOfWarn: 1,
+				NumberOfWarn: 0,
 			},
 		},
 		{
@@ -69,7 +69,7 @@ func TestSecurityPolicy(t *testing.T) {
 			want: scut.TestReturn{
 				Score:        4,
 				NumberOfInfo: 3,
-				NumberOfWarn: 2,
+				NumberOfWarn: 1,
 			},
 		},
 		{
@@ -81,31 +81,31 @@ func TestSecurityPolicy(t *testing.T) {
 			want: scut.TestReturn{
 				Score:        3,
 				NumberOfInfo: 2,
-				NumberOfWarn: 3,
+				NumberOfWarn: 2,
 			},
 		},
 		{
 			name: ".github/security.rst",
-			path: "./testdata/securitypolicy/03_urlOnly",
+			path: "./testdata/securitypolicy/06_urlOnly",
 			files: []string{
 				".github/security.rst",
 			},
 			want: scut.TestReturn{
-				Score:        3,
+				Score:        6,
 				NumberOfInfo: 2,
-				NumberOfWarn: 3,
+				NumberOfWarn: 2,
 			},
 		},
 		{
 			name: "docs/security.rst",
-			path: "./testdata/securitypolicy/03_emailOnly",
+			path: "./testdata/securitypolicy/06_emailOnly",
 			files: []string{
 				"docs/security.rst",
 			},
 			want: scut.TestReturn{
-				Score:        3,
+				Score:        6,
 				NumberOfInfo: 2,
-				NumberOfWarn: 3,
+				NumberOfWarn: 2,
 			},
 		},
 		{
@@ -116,7 +116,7 @@ func TestSecurityPolicy(t *testing.T) {
 			},
 			want: scut.TestReturn{
 				Score:        6,
-				NumberOfInfo: 3,
+				NumberOfInfo: 2,
 				NumberOfWarn: 2,
 			},
 		},
@@ -128,7 +128,7 @@ func TestSecurityPolicy(t *testing.T) {
 			},
 			want: scut.TestReturn{
 				Score:        9,
-				NumberOfInfo: 4,
+				NumberOfInfo: 3,
 				NumberOfWarn: 1,
 			},
 		},
@@ -140,7 +140,7 @@ func TestSecurityPolicy(t *testing.T) {
 			},
 			want: scut.TestReturn{
 				Score:        10,
-				NumberOfInfo: 5,
+				NumberOfInfo: 4,
 				NumberOfWarn: 0,
 			},
 		},
@@ -153,7 +153,7 @@ func TestSecurityPolicy(t *testing.T) {
 			want: scut.TestReturn{
 				Score:        0,
 				NumberOfInfo: 1,
-				NumberOfWarn: 4,
+				NumberOfWarn: 3,
 			},
 		},
 		{
@@ -165,7 +165,7 @@ func TestSecurityPolicy(t *testing.T) {
 			want: scut.TestReturn{
 				Score:        0,
 				NumberOfInfo: 1,
-				NumberOfWarn: 4,
+				NumberOfWarn: 3,
 			},
 		},
 	}