From bb93f1e1c881803f355c6df0a648e3ab810697fb Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 3 May 2023 21:59:44 +0000 Subject: [PATCH 01/20] update Signed-off-by: laurentsimon --- checks/evaluation/dependency_update_tool.go | 60 +++++++++++++++++++++ probes/toolSonarTypeLiftInstalled/def.yml | 32 +++++++++++ probes/toolSonarTypeLiftInstalled/impl.go | 38 +++++++++++++ 3 files changed, 130 insertions(+) create mode 100644 probes/toolSonarTypeLiftInstalled/def.yml create mode 100644 probes/toolSonarTypeLiftInstalled/impl.go diff --git a/checks/evaluation/dependency_update_tool.go b/checks/evaluation/dependency_update_tool.go index 239167a4e3b..c2d1f1e23ed 100644 --- a/checks/evaluation/dependency_update_tool.go +++ b/checks/evaluation/dependency_update_tool.go @@ -15,11 +15,16 @@ package evaluation import ( +<<<<<<< HEAD +======= + +>>>>>>> 71718938 (update) "github.com/ossf/scorecard/v4/checker" "github.com/ossf/scorecard/v4/finding" ) // DependencyUpdateTool applies the score policy for the Dependency-Update-Tool check. +<<<<<<< HEAD func DependencyUpdateTool(name string, findings []finding.Finding, ) checker.CheckResult { 
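Review bot: The import block and the function header in this hunk commit `<<<<<<< HEAD`, `=======` and `>>>>>>> 71718938 (update)` as real source lines, so checks/evaluation/dependency_update_tool.go cannot parse at this commit. The same unresolved markers are committed in the second hunk of this file, in this file and probes/toolDependabotInstalled/impl.go again in patch 02, in probes/utils/tools.go and probes/zrunner/runner.go in patch 03, in probes/toolSonatypeLiftInstalled/impl.go in patch 04, and nested a second level deep in tools.go in patch 05. Each of those commits should be re-resolved or squashed so that no revision in the series leaves a Go file with markers; as written, a bisect over this range lands on non-building commits. DependencyUpdateTool's body continues past this hunk.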
@@ -31,4 +36,59 @@ func DependencyUpdateTool(name string, } return checker.CreateMinScoreResult(name, "no update tool detected") +======= +func DependencyUpdateTool(name string, dl checker.DetailLogger, + findings []finding.Finding, +) checker.CheckResult { + + // Compute the score. + score := checker.MinResultScore + for i := range findings { + f := findings[i] + if f.Outcome == finding.OutcomePositive { + score = checker.MaxResultScore + break + } + } + + if score == checker.MaxResultScore { + return checker.CreateMaxScoreResult(name, "update tool detected") + } + + return checker.CreateMinScoreResult(name, "no update tool detected") + /* + // Apply the policy evaluation. + if r.Tools == nil || len(r.Tools) == 0 { + dl.Warn(&checker.LogMessage{ + Text: `Config file not detected in source location for dependabot, renovatebot, Sonatype Lift, or + PyUp (Python). We recommend setting this configuration in code so it can be easily verified by others.`, + }) + return checker.CreateMinScoreResult(name, "no update tool detected") + } + + // Validate the input. + if len(r.Tools) != 1 { + e := sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("found %d tools, expected 1", len(r.Tools))) + return checker.CreateRuntimeErrorResult(name, e) + } + + if r.Tools[0].Files == nil { + e := sce.WithMessage(sce.ErrScorecardInternal, "Files are nil") + return checker.CreateRuntimeErrorResult(name, e) + } + + // Iterate over all the files, since a Tool can contain multiple files. + for _, file := range r.Tools[0].Files { + dl.Info(&checker.LogMessage{ + Path: file.Path, + Type: file.Type, + Offset: file.Offset, + Text: fmt.Sprintf("%s detected", r.Tools[0].Name), + }) + } + + // High score result. + return checker.CreateMaxScoreResult(name, "update tool detected") + */ +>>>>>>> 71718938 (update) } diff --git a/probes/toolSonarTypeLiftInstalled/def.yml b/probes/toolSonarTypeLiftInstalled/def.yml new file mode 100644 index 00000000000..be6c8cd5dec --- /dev/null 
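Review bot: The `dl checker.DetailLogger` parameter added to the new DependencyUpdateTool signature is never read in the body, so it should either be dropped or used for the per-file `dl.Info` logging the old implementation did. The roughly forty lines kept inside the `/* ... */` block reference `r.Tools`, `sce` and `fmt`, none of which are in scope in this version, so the block is dead code that belongs in git history rather than in the file. Stylistically, `for i := range findings { f := findings[i]` can be the plain `for _, f := range findings {` since `f` is only read. This hunk starts below the function header shown in the previous hunk.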
+++ b/probes/toolSonarTypeLiftInstalled/def.yml @@ -0,0 +1,32 @@ +# Copyright 2023 OpenSSF Scorecard Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +id: toolSonarTypeLiftInstalled +short: Check that Sonatype Lyft is installed. +motivation: > + Out-of-date dependencies make a project vulnerable to known flaws and prone to attacks. + Sonatype Lyft automates the process of updating dependencies by scanning for outdated or insecure requirements, and opening a pull request to update them if found. +implementation: > + The implementation looks for the presence of files named ".lift.toml" or ".lift/config.toml". + If none of these files are found, Sonatype Lyft is not installed. + NOTE: the implementation does not ensure that Sonatype Lyft is run or that Sonatype Lyft's pull requests are merged. +outcome: + - If Sonatype Lyft is installed, the probe returns OutcomePositive (1) + - If Sonatype Lyft is not installed, the probe returns OutcomeNegative (0) +remediation: + effort: Low + text: + - Follow the instructions from https://help.sonatype.com/lift/getting-started. + markdown: + - Follow the instructions from [the official documentation](https://help.sonatype.com/lift/getting-started). \ No newline at end of file diff --git a/probes/toolSonarTypeLiftInstalled/impl.go b/probes/toolSonarTypeLiftInstalled/impl.go new file mode 100644 index 00000000000..aa7d2f0c8c3 --- /dev/null +++ b/probes/toolSonarTypeLiftInstalled/impl.go 
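Review bot: The `short`, `motivation`, `implementation` and `outcome` fields all spell the product "Sonatype Lyft", while the probe id and the `matches` function in impl.go use "Sonatype Lift"; since this text is embedded and surfaced to users as the finding and remediation, it should read `short: Check that Sonatype Lift is installed.` and likewise elsewhere. The file also ends without a trailing newline (`\ No newline at end of file`), which will show up as a spurious change on the next edit.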
@@ -0,0 +1,38 @@ +// Copyright 2023 OpenSSF Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package toolSonarTypeLiftInstalled + +import ( + "embed" + + "github.com/ossf/scorecard/v4/checker" + "github.com/ossf/scorecard/v4/finding" + "github.com/ossf/scorecard/v4/probes/utils" +) + +//go:embed *.yml +var fs embed.FS + +var probe = "toolSonarTypeLiftInstalled" + +func matches(tool checker.Tool) bool { + return tool.Name == "Sonatype Lift" +} + +func Run(raw *checker.RawResults) ([]finding.Finding, string, error) { + tools := raw.DependencyUpdateToolResults.Tools + return utils.ToolsRun(tools, fs, probe, + finding.OutcomePositive, finding.OutcomeNegative, matches) +} From 7724633a31f6254c19d80887943ccedc4667c90d Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 3 May 2023 22:19:44 +0000 Subject: [PATCH 02/20] update Signed-off-by: laurentsimon --- checks/evaluation/dependency_update_tool.go | 12 ++++-------- probes/toolDependabotInstalled/impl.go | 14 ++++++++++++++ probes/toolSonarTypeLiftInstalled/impl.go | 12 +++++++++--- 3 files changed, 27 insertions(+), 11 deletions(-) diff --git a/checks/evaluation/dependency_update_tool.go b/checks/evaluation/dependency_update_tool.go index c2d1f1e23ed..62f7e60668a 100644 --- a/checks/evaluation/dependency_update_tool.go +++ b/checks/evaluation/dependency_update_tool.go 
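Review bot: `Run` passes the bare function `matches` as the last argument of `utils.ToolsRun`, but probes/utils/tools.go (visible in the patch 03 hunk) declares a `toolMatcher` interface with `Name() string` and `Matches(...) bool` and calls `matcher.Matches(tool)`, so a func value appears not to satisfy it and this probe would not compile; the sibling toolDependabotInstalled uses a struct type with both methods, which is the shape to copy here. `var probe = "toolSonarTypeLiftInstalled"` should be `const probe = "toolSonarTypeLiftInstalled"` as in the Dependabot probe, since nothing reassigns it. The package and directory name say "SonarType" while the product and the matched tool name are "Sonatype"; patch 04 already works on a toolSonatypeLiftInstalled directory, so this one looks like a stray duplicate. Exported `Run` also lacks a doc comment starting with its name.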
@@ -41,21 +41,15 @@ func DependencyUpdateTool(name string, dl checker.DetailLogger, findings []finding.Finding, ) checker.CheckResult { - // Compute the score. - score := checker.MinResultScore for i := range findings { f := findings[i] if f.Outcome == finding.OutcomePositive { - score = checker.MaxResultScore - break + return checker.CreateMaxScoreResult(name, "update tool detected") } } - if score == checker.MaxResultScore { - return checker.CreateMaxScoreResult(name, "update tool detected") - } - return checker.CreateMinScoreResult(name, "no update tool detected") +<<<<<<< HEAD /* // Apply the policy evaluation. if r.Tools == nil || len(r.Tools) == 0 { @@ -91,4 +85,6 @@ func DependencyUpdateTool(name string, dl checker.DetailLogger, return checker.CreateMaxScoreResult(name, "update tool detected") */ >>>>>>> 71718938 (update) +======= +>>>>>>> 10362e90 (update) } diff --git a/probes/toolDependabotInstalled/impl.go b/probes/toolDependabotInstalled/impl.go index 1ca92087e10..80a31b21966 100644 --- a/probes/toolDependabotInstalled/impl.go +++ b/probes/toolDependabotInstalled/impl.go @@ -28,6 +28,7 @@ var fs embed.FS const probe = "toolDependabotInstalled" +<<<<<<< HEAD type dependabot struct{} func (t dependabot) Name() string { @@ -35,12 +36,21 @@ func (t dependabot) Name() string { } func (t dependabot) Matches(tool *checker.Tool) bool { +======= +type dependabot struct {} + +func (t dependabot) Name() string{ + return "Dependabot" +} +func (t dependabot) Matches(tool checker.Tool) bool{ +>>>>>>> 10362e90 (update) return t.Name() == tool.Name } func Run(raw *checker.RawResults) ([]finding.Finding, string, error) { tools := raw.DependencyUpdateToolResults.Tools var matcher dependabot +<<<<<<< HEAD // Check whether Dependabot tool is installed on the repo, // and create the corresponding findings. //nolint:wrapcheck 
@@ -50,4 +60,8 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) { // Tool not found will generate a negative result. finding.OutcomeNegative, matcher) +======= + return utils.ToolsRun(tools, fs, probe, + finding.OutcomePositive, finding.OutcomeNegative, matcher) +>>>>>>> 10362e90 (update) } diff --git a/probes/toolSonarTypeLiftInstalled/impl.go b/probes/toolSonarTypeLiftInstalled/impl.go index aa7d2f0c8c3..522731ab67b 100644 --- a/probes/toolSonarTypeLiftInstalled/impl.go +++ b/probes/toolSonarTypeLiftInstalled/impl.go @@ -27,12 +27,18 @@ var fs embed.FS var probe = "toolSonarTypeLiftInstalled" -func matches(tool checker.Tool) bool { - return tool.Name == "Sonatype Lift" +type sonartypeLyft struct {} + +func (t sonartypeLyft) Name() string{ + return "Sonatype Lift" +} +func (t sonartypeLyft) Matches(tool checker.Tool) bool{ + return t.Name() == tool.Name } func Run(raw *checker.RawResults) ([]finding.Finding, string, error) { tools := raw.DependencyUpdateToolResults.Tools + var matcher sonartypeLyft return utils.ToolsRun(tools, fs, probe, - finding.OutcomePositive, finding.OutcomeNegative, matches) + finding.OutcomePositive, finding.OutcomeNegative, matcher) } From e6f4e5c92f948c4d41ddc3b8b68ce97c988895b4 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 4 May 2023 17:45:18 +0000 Subject: [PATCH 03/20] update Signed-off-by: laurentsimon --- checks/evaluation/dependency_update_tool.go | 56 --------------------- probes/toolDependabotInstalled/impl.go | 14 ------ probes/toolSonarTypeLiftInstalled/def.yml | 32 ------------ probes/toolSonarTypeLiftInstalled/impl.go | 44 ---------------- probes/utils/tools.go | 8 +++ probes/zrunner/runner.go | 9 ++++ 6 files changed, 17 insertions(+), 146 deletions(-) delete mode 100644 probes/toolSonarTypeLiftInstalled/def.yml delete mode 100644 probes/toolSonarTypeLiftInstalled/impl.go 
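Review bot: The new type is named `sonartypeLyft` although it returns "Sonatype Lift" from Name(); a name such as `sonatypeLift` would stop the typo spreading through the rest of the probe. `struct {}` and `bool{` are not gofmt-clean and would be rewritten to `struct{}` and `bool {` on the next format pass. `Matches(tool checker.Tool)` takes the tool by value whereas the HEAD side of the `toolMatcher` interface in probes/utils/tools.go (patch 03 hunk) is `Matches(*checker.Tool) bool`, and patch 05 keeps the pointer form, so this method should be `func (t sonatypeLift) Matches(tool *checker.Tool) bool {` for the probe to satisfy the interface.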
diff --git a/checks/evaluation/dependency_update_tool.go b/checks/evaluation/dependency_update_tool.go index 62f7e60668a..239167a4e3b 100644 --- a/checks/evaluation/dependency_update_tool.go +++ b/checks/evaluation/dependency_update_tool.go @@ -15,16 +15,11 @@ package evaluation import ( -<<<<<<< HEAD -======= - ->>>>>>> 71718938 (update) "github.com/ossf/scorecard/v4/checker" "github.com/ossf/scorecard/v4/finding" ) // DependencyUpdateTool applies the score policy for the Dependency-Update-Tool check. -<<<<<<< HEAD func DependencyUpdateTool(name string, findings []finding.Finding, ) checker.CheckResult { 
@@ -36,55 +31,4 @@ func DependencyUpdateTool(name string, } return checker.CreateMinScoreResult(name, "no update tool detected") -======= -func DependencyUpdateTool(name string, dl checker.DetailLogger, - findings []finding.Finding, -) checker.CheckResult { - - for i := range findings { - f := findings[i] - if f.Outcome == finding.OutcomePositive { - return checker.CreateMaxScoreResult(name, "update tool detected") - } - } - - return checker.CreateMinScoreResult(name, "no update tool detected") -<<<<<<< HEAD - /* - // Apply the policy evaluation. - if r.Tools == nil || len(r.Tools) == 0 { - dl.Warn(&checker.LogMessage{ - Text: `Config file not detected in source location for dependabot, renovatebot, Sonatype Lift, or - PyUp (Python). We recommend setting this configuration in code so it can be easily verified by others.`, - }) - return checker.CreateMinScoreResult(name, "no update tool detected") - } - - // Validate the input. - if len(r.Tools) != 1 { - e := sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("found %d tools, expected 1", len(r.Tools))) - return checker.CreateRuntimeErrorResult(name, e) - } - - if r.Tools[0].Files == nil { - e := sce.WithMessage(sce.ErrScorecardInternal, "Files are nil") - return checker.CreateRuntimeErrorResult(name, e) - } - - // Iterate over all the files, since a Tool can contain multiple files. - for _, file := range r.Tools[0].Files { - dl.Info(&checker.LogMessage{ - Path: file.Path, - Type: file.Type, - Offset: file.Offset, - Text: fmt.Sprintf("%s detected", r.Tools[0].Name), - }) - } - - // High score result. - return checker.CreateMaxScoreResult(name, "update tool detected") - */ ->>>>>>> 71718938 (update) -======= ->>>>>>> 10362e90 (update) } diff --git a/probes/toolDependabotInstalled/impl.go b/probes/toolDependabotInstalled/impl.go index 80a31b21966..1ca92087e10 100644 --- a/probes/toolDependabotInstalled/impl.go +++ b/probes/toolDependabotInstalled/impl.go 
@@ -28,7 +28,6 @@ var fs embed.FS const probe = "toolDependabotInstalled" -<<<<<<< HEAD type dependabot struct{} func (t dependabot) Name() string { @@ -36,21 +35,12 @@ func (t dependabot) Name() string { } func (t dependabot) Matches(tool *checker.Tool) bool { -======= -type dependabot struct {} - -func (t dependabot) Name() string{ - return "Dependabot" -} -func (t dependabot) Matches(tool checker.Tool) bool{ ->>>>>>> 10362e90 (update) return t.Name() == tool.Name } func Run(raw *checker.RawResults) ([]finding.Finding, string, error) { tools := raw.DependencyUpdateToolResults.Tools var matcher dependabot -<<<<<<< HEAD // Check whether Dependabot tool is installed on the repo, // and create the corresponding findings. //nolint:wrapcheck @@ -60,8 +50,4 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) { // Tool not found will generate a negative result. finding.OutcomeNegative, matcher) -======= - return utils.ToolsRun(tools, fs, probe, - finding.OutcomePositive, finding.OutcomeNegative, matcher) ->>>>>>> 10362e90 (update) } diff --git a/probes/toolSonarTypeLiftInstalled/def.yml b/probes/toolSonarTypeLiftInstalled/def.yml deleted file mode 100644 index be6c8cd5dec..00000000000 --- a/probes/toolSonarTypeLiftInstalled/def.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -# Copyright 2023 OpenSSF Scorecard Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -id: toolSonarTypeLiftInstalled -short: Check that Sonatype Lyft is installed. -motivation: > - Out-of-date dependencies make a project vulnerable to known flaws and prone to attacks. - Sonatype Lyft automates the process of updating dependencies by scanning for outdated or insecure requirements, and opening a pull request to update them if found. -implementation: > - The implementation looks for the presence of files named ".lift.toml" or ".lift/config.toml". - If none of these files are found, Sonatype Lyft is not installed. - NOTE: the implementation does not ensure that Sonatype Lyft is run or that Sonatype Lyft's pull requests are merged. -outcome: - - If Sonatype Lyft is installed, the probe returns OutcomePositive (1) - - If Sonatype Lyft is not installed, the probe returns OutcomeNegative (0) -remediation: - effort: Low - text: - - Follow the instructions from https://help.sonatype.com/lift/getting-started. - markdown: - - Follow the instructions from [the official documentation](https://help.sonatype.com/lift/getting-started). \ No newline at end of file diff --git a/probes/toolSonarTypeLiftInstalled/impl.go b/probes/toolSonarTypeLiftInstalled/impl.go deleted file mode 100644 index 522731ab67b..00000000000 --- a/probes/toolSonarTypeLiftInstalled/impl.go +++ /dev/null 
@@ -1,44 +0,0 @@ -// Copyright 2023 OpenSSF Scorecard Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package toolSonarTypeLiftInstalled - -import ( - "embed" - - "github.com/ossf/scorecard/v4/checker" - "github.com/ossf/scorecard/v4/finding" - "github.com/ossf/scorecard/v4/probes/utils" -) - -//go:embed *.yml -var fs embed.FS - -var probe = "toolSonarTypeLiftInstalled" - -type sonartypeLyft struct {} - -func (t sonartypeLyft) Name() string{ - return "Sonatype Lift" -} -func (t sonartypeLyft) Matches(tool checker.Tool) bool{ - return t.Name() == tool.Name -} - -func Run(raw *checker.RawResults) ([]finding.Finding, string, error) { - tools := raw.DependencyUpdateToolResults.Tools - var matcher sonartypeLyft - return utils.ToolsRun(tools, fs, probe, - finding.OutcomePositive, finding.OutcomeNegative, matcher) -} diff --git a/probes/utils/tools.go b/probes/utils/tools.go index c802126fe16..e6376f429fc 100644 --- a/probes/utils/tools.go +++ b/probes/utils/tools.go @@ -24,7 +24,11 @@ import ( type toolMatcher interface { Name() string +<<<<<<< HEAD Matches(*checker.Tool) bool +======= + Matches(checker.Tool) bool +>>>>>>> fbcf212a (update) } // ToolsRun runs the probe for a tool. @@ -38,7 +42,11 @@ func ToolsRun(tools []checker.Tool, fs embed.FS, probeID string, var findings []finding.Finding for i := range tools { tool := &tools[i] +<<<<<<< HEAD if !matcher.Matches(tool) { +======= + if !matcher.Matches(*tool) { +>>>>>>> fbcf212a (update) continue } 
diff --git a/probes/zrunner/runner.go b/probes/zrunner/runner.go index e8c837bbcd4..a742d15adf8 100644 --- a/probes/zrunner/runner.go +++ b/probes/zrunner/runner.go @@ -29,11 +29,17 @@ var errProbeRun = errors.New("probe run failure") // Run runs the probes in probesToRun. func Run(raw *checker.RawResults, probesToRun []probes.ProbeImpl) ([]finding.Finding, error) { var results []finding.Finding +<<<<<<< HEAD var errs []error for _, probeFunc := range probesToRun { findings, probeID, err := probeFunc(raw) if err != nil { errs = append(errs, err) +======= + for _, probeFunc := range probesToRun { + findings, probeID, err := probeFunc(raw) + if err != nil { +>>>>>>> fbcf212a (update) results = append(results, finding.Finding{ Probe: probeID, @@ -44,8 +50,11 @@ func Run(raw *checker.RawResults, probesToRun []probes.ProbeImpl) ([]finding.Fin } results = append(results, findings...) } +<<<<<<< HEAD if len(errs) > 0 { return results, fmt.Errorf("%w: %v", errProbeRun, errs) } +======= +>>>>>>> fbcf212a (update) return results, nil } From 780635ca04dae8f543565663e856ee4a76434bb6 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 4 May 2023 17:45:35 +0000 Subject: [PATCH 04/20] update Signed-off-by: laurentsimon --- probes/toolSonatypeLiftInstalled/impl.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/probes/toolSonatypeLiftInstalled/impl.go b/probes/toolSonatypeLiftInstalled/impl.go index a7c258fb9e8..ff4b627d8bb 100644 --- a/probes/toolSonatypeLiftInstalled/impl.go +++ b/probes/toolSonatypeLiftInstalled/impl.go @@ -1,6 +1,9 @@ +<<<<<<< HEAD // Copyright 2022 OpenSSF Scorecard Authors // // Licensed under the Apache License, Version 2.0 (the "License"); +======= +>>>>>>> 2953b409 (update) // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // 
@@ -12,7 +15,10 @@ // See the License for the specific language governing permissions and // limitations under the License. +<<<<<<< HEAD // nolint:stylecheck +======= +>>>>>>> 2953b409 (update) package toolSonatypeLiftInstalled import ( From 96f4883d47ed9da94400b97eb9141ed92f9e5af7 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 22 May 2023 23:25:13 +0000 Subject: [PATCH 05/20] update Signed-off-by: laurentsimon --- probes/utils/tools.go | 8 ++++---- probes/zrunner/runner.go | 9 --------- 2 files changed, 4 insertions(+), 13 deletions(-) diff --git a/probes/utils/tools.go b/probes/utils/tools.go index e6376f429fc..e5d264e3d6f 100644 --- a/probes/utils/tools.go +++ b/probes/utils/tools.go @@ -24,11 +24,15 @@ import ( type toolMatcher interface { Name() string +<<<<<<< HEAD <<<<<<< HEAD Matches(*checker.Tool) bool ======= Matches(checker.Tool) bool >>>>>>> fbcf212a (update) +======= + Matches(*checker.Tool) bool +>>>>>>> fd20299c (update) } // ToolsRun runs the probe for a tool. @@ -42,11 +46,7 @@ func ToolsRun(tools []checker.Tool, fs embed.FS, probeID string, var findings []finding.Finding for i := range tools { tool := &tools[i] -<<<<<<< HEAD if !matcher.Matches(tool) { -======= - if !matcher.Matches(*tool) { ->>>>>>> fbcf212a (update) continue } diff --git a/probes/zrunner/runner.go b/probes/zrunner/runner.go index a742d15adf8..e8c837bbcd4 100644 --- a/probes/zrunner/runner.go +++ b/probes/zrunner/runner.go 
@@ -29,17 +29,11 @@ var errProbeRun = errors.New("probe run failure") // Run runs the probes in probesToRun. func Run(raw *checker.RawResults, probesToRun []probes.ProbeImpl) ([]finding.Finding, error) { var results []finding.Finding -<<<<<<< HEAD var errs []error for _, probeFunc := range probesToRun { findings, probeID, err := probeFunc(raw) if err != nil { errs = append(errs, err) -======= - for _, probeFunc := range probesToRun { - findings, probeID, err := probeFunc(raw) - if err != nil { ->>>>>>> fbcf212a (update) results = append(results, finding.Finding{ Probe: probeID, @@ -50,11 +44,8 @@ func Run(raw *checker.RawResults, probesToRun []probes.ProbeImpl) ([]finding.Fin } results = append(results, findings...) } -<<<<<<< HEAD if len(errs) > 0 { return results, fmt.Errorf("%w: %v", errProbeRun, errs) } -======= ->>>>>>> fbcf212a (update) return results, nil } From 67dda9e642fbae0687c502598f6f9679f6c0a635 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 22 May 2023 23:41:45 +0000 Subject: [PATCH 06/20] update Signed-off-by: laurentsimon --- probes/toolDependabotInstalled/impl.go | 2 +- probes/toolPyUpInstalled/impl.go | 2 +- probes/toolRenovateInstalled/impl.go | 2 +- probes/toolSonatypeLiftInstalled/impl.go | 8 +------- 4 files changed, 4 insertions(+), 10 deletions(-) diff --git a/probes/toolDependabotInstalled/impl.go b/probes/toolDependabotInstalled/impl.go index 1ca92087e10..d89ba6c9140 100644 --- a/probes/toolDependabotInstalled/impl.go +++ b/probes/toolDependabotInstalled/impl.go @@ -1,4 +1,4 @@ -// Copyright 2022 OpenSSF Scorecard Authors +// Copyright 2023 OpenSSF Scorecard Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. diff --git a/probes/toolPyUpInstalled/impl.go b/probes/toolPyUpInstalled/impl.go index 41c58db88a1..42adb82685d 100644 --- a/probes/toolPyUpInstalled/impl.go +++ b/probes/toolPyUpInstalled/impl.go 
@@ -1,4 +1,4 @@ -// Copyright 2022 OpenSSF Scorecard Authors +// Copyright 2023 OpenSSF Scorecard Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. diff --git a/probes/toolRenovateInstalled/impl.go b/probes/toolRenovateInstalled/impl.go index a35f91662cc..1c3d0b91161 100644 --- a/probes/toolRenovateInstalled/impl.go +++ b/probes/toolRenovateInstalled/impl.go @@ -1,4 +1,4 @@ -// Copyright 2022 OpenSSF Scorecard Authors +// Copyright 2023 OpenSSF Scorecard Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. diff --git a/probes/toolSonatypeLiftInstalled/impl.go b/probes/toolSonatypeLiftInstalled/impl.go index ff4b627d8bb..98d0363ae72 100644 --- a/probes/toolSonatypeLiftInstalled/impl.go +++ b/probes/toolSonatypeLiftInstalled/impl.go @@ -1,9 +1,6 @@ -<<<<<<< HEAD -// Copyright 2022 OpenSSF Scorecard Authors +// Copyright 2023 OpenSSF Scorecard Authors // // Licensed under the Apache License, Version 2.0 (the "License"); -======= ->>>>>>> 2953b409 (update) // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // @@ -15,10 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -<<<<<<< HEAD // nolint:stylecheck -======= ->>>>>>> 2953b409 (update) package toolSonatypeLiftInstalled import ( From bdce3e855a91e990fd5bb1cf175c2252cabc48d7 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 23 May 2023 00:24:46 +0000 Subject: [PATCH 07/20] update Signed-off-by: laurentsimon --- pkg/scorecard_result.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkg/scorecard_result.go b/pkg/scorecard_result.go index 2fd0c67e4fb..004cc5ed21d 100644 --- a/pkg/scorecard_result.go +++ b/pkg/scorecard_result.go 
@@ -119,6 +119,8 @@ func FormatResults( err = results.AsJSON2(opts.ShowDetails, log.ParseLevel(opts.LogLevel), doc, os.Stdout) case options.FormatFJSON: err = results.AsFJSON(opts.ShowDetails, log.ParseLevel(opts.LogLevel), doc, os.Stdout) + case options.FormatPJSON: + err = results.AsPJSON(os.Stdout) case options.FormatRaw: err = results.AsRawJSON(os.Stdout) default: From 755f483d49181978cff96ecfb3f934f7699aacca Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 23 May 2023 00:25:34 +0000 Subject: [PATCH 08/20] update Signed-off-by: laurentsimon --- pkg/json_probe_results.go | 63 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 pkg/json_probe_results.go diff --git a/pkg/json_probe_results.go b/pkg/json_probe_results.go new file mode 100644 index 00000000000..7a8c3ba5427 --- /dev/null +++ b/pkg/json_probe_results.go 
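Review bot: The new `case options.FormatPJSON:` calls `results.AsPJSON(os.Stdout)`, but AsPJSON is only introduced in patch 08 and no change to the options package appears in the diffstats of patches 01 through 11, so unless `options.FormatPJSON` already exists this commit does not build on its own; the method and the constant should land before or together with this call site. The neighbouring cases pass `opts.ShowDetails` and `log.ParseLevel(opts.LogLevel)`, so if the probe output is meant to ignore those options a short comment on this case saying so would help readers. FormatResults's body continues outside the hunk.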
@@ -0,0 +1,63 @@ +// Copyright 2023 OpenSSF Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package pkg + +import ( + "encoding/json" + "fmt" + "io" + + sce "github.com/ossf/scorecard/v4/errors" + "github.com/ossf/scorecard/v4/finding" +) + +// JSONScorecardProbeResult exports results as JSON for flat findings without checks. +// +//nolint:govet +type JSONScorecardProbeResult struct { + Date string `json:"date"` + Repo jsonRepoV2 `json:"repo"` + Scorecard jsonScorecardV2 `json:"scorecard"` + Findings []finding.Finding `json:"findings"` + Metadata []string `json:"metadata"` +} + +// TODO: finsinds should enventually be part of the scorecard structure. +func (r *ScorecardResult) AsPJSON(writer io.Writer, +) error { + encoder := json.NewEncoder(writer) + out := JSONScorecardProbeResult{ + // TODO: for users to be able to retrieve probe results via + // REST API and apply a check definition file, metadata will need to + // be recorded. + Repo: jsonRepoV2{ + Name: r.Repo.Name, + Commit: r.Repo.CommitSHA, + }, + Scorecard: jsonScorecardV2{ + Version: r.Scorecard.Version, + Commit: r.Scorecard.CommitSHA, + }, + Date: r.Date.Format("2006-01-02"), + Metadata: r.Metadata, + Findings: r.ProbeResults, + } + + if err := encoder.Encode(out); err != nil { + return sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("encoder.Encode: %v", err)) + } + + return nil +} From e58d0227702ee7a0b1a2663abd43c7be24b79901 Mon Sep 17 00:00:00 2001 
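Review bot: `Findings: r.ProbeResults` and `Metadata: r.Metadata` are nil slices whenever no probe ran or no metadata was set, and `encoding/json` serialises a nil slice as `null` rather than `[]`, so consumers of the new format will see `"findings": null`; if an empty array is the intended contract, normalise with something like `if out.Findings == nil { out.Findings = []finding.Finding{} }` before encoding. The doc comment on the exported method should start with its name and is currently the misspelt `// TODO: finsinds should enventually be part of the scorecard structure.`; suggest `// AsPJSON writes the probe findings of the result as JSON to writer.` with the TODO kept underneath. The `//nolint:govet` on JSONScorecardProbeResult suppresses a check without saying which one; naming the reason (presumably field alignment) keeps it from silently hiding future vet findings.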
From: laurentsimon Date: Tue, 23 May 2023 00:27:31 +0000 Subject: [PATCH 09/20] update Signed-off-by: laurentsimon --- pkg/scorecard_result.go | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/pkg/scorecard_result.go b/pkg/scorecard_result.go index 004cc5ed21d..57dfd105056 100644 --- a/pkg/scorecard_result.go +++ b/pkg/scorecard_result.go @@ -25,6 +25,7 @@ import ( "github.com/ossf/scorecard/v4/checker" "github.com/ossf/scorecard/v4/docs/checks" sce "github.com/ossf/scorecard/v4/errors" + "github.com/ossf/scorecard/v4/finding" "github.com/ossf/scorecard/v4/log" "github.com/ossf/scorecard/v4/options" spol "github.com/ossf/scorecard/v4/policy" @@ -45,12 +46,13 @@ type RepoInfo struct { // ScorecardResult struct is returned on a successful Scorecard run. // nolint type ScorecardResult struct { - Repo RepoInfo - Date time.Time - Scorecard ScorecardInfo - Checks []checker.CheckResult - RawResults checker.RawResults - Metadata []string + Repo RepoInfo + Date time.Time + Scorecard ScorecardInfo + Checks []checker.CheckResult + RawResults checker.RawResults + ProbeResults []finding.Finding + Metadata []string } func scoreToString(s float64) string { From 62fc69ae94129c2ebf344534331ac47d41040762 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 23 May 2023 00:30:41 +0000 Subject: [PATCH 10/20] update Signed-off-by: laurentsimon --- pkg/scorecard.go | 73 ++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 71 insertions(+), 2 deletions(-) diff --git a/pkg/scorecard.go b/pkg/scorecard.go index dbf7ef570c9..6b712dd1cfd 100644 --- a/pkg/scorecard.go +++ b/pkg/scorecard.go @@ -19,6 +19,7 @@ import ( "context" "errors" "fmt" + "strings" "sync" "time" 
@@ -27,6 +28,9 @@ import ( "github.com/ossf/scorecard/v4/checker" "github.com/ossf/scorecard/v4/clients" sce "github.com/ossf/scorecard/v4/errors" + "github.com/ossf/scorecard/v4/finding" + "github.com/ossf/scorecard/v4/probes" + "github.com/ossf/scorecard/v4/probes/zrunner" ) func runEnabledChecks(ctx context.Context, @@ -90,6 +94,22 @@ func RunScorecard(ctx context.Context, ossFuzzRepoClient clients.RepoClient, ciiClient clients.CIIBestPracticesClient, vulnsClient clients.VulnerabilitiesClient, +) (ScorecardResult, error) { + return RunScorecardV5(ctx, repo, commitSHA, commitDepth, + checksToRun, nil, repoClient, ossFuzzRepoClient, + ciiClient, vulnsClient) +} + +func RunScorecardV5(ctx context.Context, + repo clients.Repo, + commitSHA string, + commitDepth int, + checksToRun checker.CheckNameToFnMap, + checksDefinitionFile *string, + repoClient clients.RepoClient, + ossFuzzRepoClient clients.RepoClient, + ciiClient clients.CIIBestPracticesClient, + vulnsClient clients.VulnerabilitiesClient, ) (ScorecardResult, error) { if err := repoClient.InitRepo(repo, commitSHA, commitDepth); err != nil { // No need to call sce.WithMessage() since InitRepo will do that for us. @@ -98,10 +118,26 @@ func RunScorecard(ctx context.Context, } defer repoClient.Close() - commitSHA, err := getRepoCommitHash(repoClient) + evaluationRunner, err := evaluation.EvaluationRunnerNew(checksDefinitionFile) + if err != nil { + //nolint:wrapcheck + return ScorecardResult{}, err + } + + if err != nil { + //nolint:wrapcheck + return ScorecardResult{}, err + } + + commitSHA, err = getRepoCommitHash(repoClient) if err != nil || commitSHA == "" { return ScorecardResult{}, err } + defaultBranch, err := repoClient.GetDefaultBranchName() + if err != nil { + return ScorecardResult{}, err + } + versionInfo := version.GetVersionInfo() ret := ScorecardResult{ Repo: RepoInfo{ 
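Review bot: The exported `RunScorecardV5` has no doc comment, and the new `checksDefinitionFile *string` parameter is the only hint of what V5 adds; suggest `// RunScorecardV5 runs the enabled checks and probes on repo; checksDefinitionFile, when non-nil, names a check definition file to apply.` above it, and a sentence on RunScorecard saying it is the nil-definition-file wrapper. Readers otherwise have to follow the parameter into the body to learn why two entry points exist.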
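Review bot: The second `if err != nil { //nolint:wrapcheck return ScorecardResult{}, err }` directly after the `evaluation.EvaluationRunnerNew` check is unreachable, since the first check has already returned on any error; one of the two should go. The import hunk of this commit adds `finding`, `probes` and `zrunner` but not an `evaluation` package, so unless pkg/scorecard.go already imports it the call to `evaluation.EvaluationRunnerNew` does not resolve at this commit. The `evaluationRunner` value is also only consumed by a `runEnabledChecks` call whose signature change is not part of this diff. RunScorecardV5's body continues past this hunk.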
@@ -115,11 +151,44 @@ func RunScorecard(ctx context.Context, Date: time.Now(), } resultsCh := make(chan checker.CheckResult) - go runEnabledChecks(ctx, repo, &ret.RawResults, checksToRun, repoClient, ossFuzzRepoClient, + + // Set metadata for all checks to use. This is necessary + // to create remediations frmo the probe yaml files. + // TODO: for users to be able to retrieve probe results via + // REST API and apply a check definition file, metadata will need to + // be recorded in the probe results. + ret.RawResults.Metadata = map[string]string{ + "repository.host": repo.Host(), + "repository.name": strings.TrimPrefix(repo.URI(), repo.Host()+"/"), + "repository.uri": repo.URI(), + "repository.sha1": commitSHA, + "repository.defaultBranch": defaultBranch, + } + + // NOTE: we do not support `--checks` options for structured results. + // To support it, we will need to delete entries in checksToRun + // based on the content of evaluationRunner.RequiredChecks(). + // We only want to do that for the default 'json' output that + // does not use a checksDefinitionFile. + + go runEnabledChecks(ctx, repo, &ret.RawResults, checksToRun, + evaluationRunner, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, resultsCh) for result := range resultsCh { ret.Checks = append(ret.Checks, result) } + + // Run the evaluation part. + var findings []finding.Finding + // TODO: only enable the checks that need to run for the check definition file. + // WARNING: we don't record the probes from the check runs on purpose: + // it lets users use probes that are implemented in scorecard but + // not used in the default built-in check definition file. + findings, err = zrunner.Run(&ret.RawResults, probes.All) + if err != nil { + return ScorecardResult{}, err + } + ret.ProbeResults = findings return ret, nil } From 0932f4973b5db83a16d7ee0c7c1820b67f87d0c0 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 23 May 2023 00:32:59 +0000 Subject: [PATCH 11/20] update 
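Review bot: The NOTE in this hunk states that `--checks` is unsupported for structured results, but nothing enforces it: `zrunner.Run(&ret.RawResults, probes.All)` runs every probe over whatever `RawResults` the enabled checks happened to populate, so with a restricted check set the probes for checks that never ran would evaluate zero-valued raw data and could emit findings that read as genuine negative results (depends on how zrunner and each probe treat empty data — confirm). Either reject a non-default `checksToRun` before the `zrunner.Run` call, or record in the result which checks actually ran so consumers can tell "not evaluated" from "evaluated and failed". Separately, `var findings []finding.Finding` followed by `findings, err = ...` collapses to `ret.ProbeResults, err = zrunner.Run(&ret.RawResults, probes.All)`. `RunScorecardV5` starts before this hunk.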
Signed-off-by: laurentsimon --- checker/raw_result.go | 1 + pkg/scorecard.go | 21 ++------------------- 2 files changed, 3 insertions(+), 19 deletions(-) diff --git a/checker/raw_result.go b/checker/raw_result.go index 37dfcbd3e4f..206ab8f0240 100644 --- a/checker/raw_result.go +++ b/checker/raw_result.go @@ -43,6 +43,7 @@ type RawResults struct { LicenseResults LicenseData TokenPermissionsResults TokenPermissionsData CITestResults CITestData + Metadata map[string]string } type RevisionCIInfo struct { diff --git a/pkg/scorecard.go b/pkg/scorecard.go index 6b712dd1cfd..b5d0abe2d4c 100644 --- a/pkg/scorecard.go +++ b/pkg/scorecard.go @@ -118,18 +118,7 @@ func RunScorecardV5(ctx context.Context, } defer repoClient.Close() - evaluationRunner, err := evaluation.EvaluationRunnerNew(checksDefinitionFile) - if err != nil { - //nolint:wrapcheck - return ScorecardResult{}, err - } - - if err != nil { - //nolint:wrapcheck - return ScorecardResult{}, err - } - - commitSHA, err = getRepoCommitHash(repoClient) + commitSHA, err := getRepoCommitHash(repoClient) if err != nil || commitSHA == "" { return ScorecardResult{}, err } @@ -165,14 +154,8 @@ func RunScorecardV5(ctx context.Context, "repository.defaultBranch": defaultBranch, } - // NOTE: we do not support `--checks` options for structured results. - // To support it, we will need to delete entries in checksToRun - // based on the content of evaluationRunner.RequiredChecks(). - // We only want to do that for the default 'json' output that - // does not use a checksDefinitionFile. - go runEnabledChecks(ctx, repo, &ret.RawResults, checksToRun, - evaluationRunner, repoClient, ossFuzzRepoClient, + repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, resultsCh) for result := range resultsCh { From fa39098115e3e3931d1d3c789fd5de084eca4fdb Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 23 May 2023 00:39:49 +0000 Subject: [PATCH 12/20] update 
Signed-off-by: laurentsimon --- pkg/json_probe_results.go | 3 +-- pkg/scorecard.go | 5 +---- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/pkg/json_probe_results.go b/pkg/json_probe_results.go index 7a8c3ba5427..badc439eb41 100644 --- a/pkg/json_probe_results.go +++ b/pkg/json_probe_results.go @@ -31,7 +31,7 @@ type JSONScorecardProbeResult struct { Repo jsonRepoV2 `json:"repo"` Scorecard jsonScorecardV2 `json:"scorecard"` Findings []finding.Finding `json:"findings"` - Metadata []string `json:"metadata"` + Metadata map[string]string `json:"metadata"` } // TODO: finsinds should enventually be part of the scorecard structure. @@ -51,7 +51,6 @@ func (r *ScorecardResult) AsPJSON(writer io.Writer, Commit: r.Scorecard.CommitSHA, }, Date: r.Date.Format("2006-01-02"), - Metadata: r.Metadata, Findings: r.ProbeResults, } diff --git a/pkg/scorecard.go b/pkg/scorecard.go index b5d0abe2d4c..2762bd42c5c 100644 --- a/pkg/scorecard.go +++ b/pkg/scorecard.go @@ -142,10 +142,7 @@ func RunScorecardV5(ctx context.Context, resultsCh := make(chan checker.CheckResult) // Set metadata for all checks to use. This is necessary - // to create remediations frmo the probe yaml files. - // TODO: for users to be able to retrieve probe results via - // REST API and apply a check definition file, metadata will need to - // be recorded in the probe results. + // to create remediations from the probe yaml files. ret.RawResults.Metadata = map[string]string{ "repository.host": repo.Host(), "repository.name": strings.TrimPrefix(repo.URI(), repo.Host()+"/"), From 81ca98faadfda213c90460d28feb6eca15eb172c Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 23 May 2023 01:28:32 +0000 Subject: [PATCH 13/20] update Signed-off-by: laurentsimon --- probes/utils/tools.go | 8 -------- 1 file changed, 8 deletions(-) diff --git a/probes/utils/tools.go b/probes/utils/tools.go index e5d264e3d6f..c802126fe16 100644 --- a/probes/utils/tools.go +++ b/probes/utils/tools.go 
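Review bot: `JSONScorecardProbeResult.Metadata` keeps its `json:"metadata"` tag, but the second hunk removes the only assignment in `AsPJSON`, so the emitted document now always contains `"metadata": null` while the `RawResults.Metadata` map populated in `RunScorecardV5` is never exported. Either set `Metadata: r.RawResults.Metadata,` in the literal or drop the field. PATCH 16's `pkg/json_probe_results.go` hunks re-create the same unset field (retyped `map[string]any`) before PATCH 17 removes it altogether. `AsPJSON` begins before this hunk.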
@@ -24,15 +24,7 @@ import ( type toolMatcher interface { Name() string -<<<<<<< HEAD -<<<<<<< HEAD Matches(*checker.Tool) bool -======= - Matches(checker.Tool) bool ->>>>>>> fbcf212a (update) -======= - Matches(*checker.Tool) bool ->>>>>>> fd20299c (update) } // ToolsRun runs the probe for a tool. From cf5281c6acdcb64ecb58073818fc4874f5526077 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 23 May 2023 01:38:27 +0000 Subject: [PATCH 14/20] update Signed-off-by: laurentsimon --- pkg/json_probe_results.go | 3 --- pkg/scorecard.go | 17 ++++++++--------- 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/pkg/json_probe_results.go b/pkg/json_probe_results.go index badc439eb41..f905b52c874 100644 --- a/pkg/json_probe_results.go +++ b/pkg/json_probe_results.go @@ -39,9 +39,6 @@ func (r *ScorecardResult) AsPJSON(writer io.Writer, ) error { encoder := json.NewEncoder(writer) out := JSONScorecardProbeResult{ - // TODO: for users to be able to retrieve probe results via - // REST API and apply a check definition file, metadata will need to - // be recorded. Repo: jsonRepoV2{ Name: r.Repo.Name, Commit: r.Repo.CommitSHA, diff --git a/pkg/scorecard.go b/pkg/scorecard.go index 2762bd42c5c..e1a0631d574 100644 --- a/pkg/scorecard.go +++ b/pkg/scorecard.go 
@@ -95,17 +95,16 @@ func RunScorecard(ctx context.Context, ciiClient clients.CIIBestPracticesClient, vulnsClient clients.VulnerabilitiesClient, ) (ScorecardResult, error) { - return RunScorecardV5(ctx, repo, commitSHA, commitDepth, - checksToRun, nil, repoClient, ossFuzzRepoClient, + return RunScorecardChecksV5(ctx, repo, commitSHA, commitDepth, + checksToRun, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient) } -func RunScorecardV5(ctx context.Context, +func RunScorecardChecksV5(ctx context.Context, repo clients.Repo, commitSHA string, commitDepth int, checksToRun checker.CheckNameToFnMap, - checksDefinitionFile *string, repoClient clients.RepoClient, ossFuzzRepoClient clients.RepoClient, ciiClient clients.CIIBestPracticesClient, @@ -159,12 +158,12 @@ func RunScorecardV5(ctx context.Context, ret.Checks = append(ret.Checks, result) } - // Run the evaluation part. + // Run the probes. var findings []finding.Finding - // TODO: only enable the checks that need to run for the check definition file. - // WARNING: we don't record the probes from the check runs on purpose: - // it lets users use probes that are implemented in scorecard but - // not used in the default built-in check definition file. + // TODO(#3049): only run the probes for checks. + // NOTE: We will need separate functions to support: + // - `--probes X,Y` + // - `--check-definitions-file path/to/config.yml` findings, err = zrunner.Run(&ret.RawResults, probes.All) if err != nil { return ScorecardResult{}, err From 452b7c60baf6078561593461ad982d449c4b0540 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 25 May 2023 17:26:58 +0000 Subject: [PATCH 15/20] update Signed-off-by: laurentsimon --- pkg/json_probe_results.go | 6 +++--- pkg/scorecard.go | 24 +++++++++++++++--------- pkg/scorecard_result.go | 14 +++++++------- 3 files changed, 25 insertions(+), 19 deletions(-) diff --git a/pkg/json_probe_results.go b/pkg/json_probe_results.go index f905b52c874..58a8101ed67 100644 
--- a/pkg/json_probe_results.go +++ b/pkg/json_probe_results.go @@ -35,8 +35,7 @@ type JSONScorecardProbeResult struct { } // TODO: finsinds should enventually be part of the scorecard structure. -func (r *ScorecardResult) AsPJSON(writer io.Writer, -) error { +func (r *ScorecardResult) AsPJSON(writer io.Writer) error { encoder := json.NewEncoder(writer) out := JSONScorecardProbeResult{ Repo: jsonRepoV2{ @@ -48,7 +47,8 @@ func (r *ScorecardResult) AsPJSON(writer io.Writer, Commit: r.Scorecard.CommitSHA, }, Date: r.Date.Format("2006-01-02"), - Findings: r.ProbeResults, + Findings: r.Findings, + Metadata: r.RawResults.Metadata, } if err := encoder.Encode(out); err != nil { diff --git a/pkg/scorecard.go b/pkg/scorecard.go index e1a0631d574..06ac3f12e8d 100644 --- a/pkg/scorecard.go +++ b/pkg/scorecard.go @@ -95,12 +95,12 @@ func RunScorecard(ctx context.Context, ciiClient clients.CIIBestPracticesClient, vulnsClient clients.VulnerabilitiesClient, ) (ScorecardResult, error) { - return RunScorecardChecksV5(ctx, repo, commitSHA, commitDepth, + return runScorecardChecksV5(ctx, repo, commitSHA, commitDepth, checksToRun, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient) } -func RunScorecardChecksV5(ctx context.Context, +func runScorecardChecksV5(ctx context.Context, repo clients.Repo, commitSHA string, commitDepth int, @@ -119,11 +119,16 @@ func RunScorecardChecksV5(ctx context.Context, commitSHA, err := getRepoCommitHash(repoClient) if err != nil || commitSHA == "" { + //nolint:wrapcheck return ScorecardResult{}, err } defaultBranch, err := repoClient.GetDefaultBranchName() if err != nil { - return ScorecardResult{}, err + if !errors.Is(err, clients.ErrUnsupportedFeature) { + //nolint:wrapcheck + return ScorecardResult{}, err + } + defaultBranch = "" } versionInfo := version.GetVersionInfo() 
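Review bot: When `GetDefaultBranchName` returns `clients.ErrUnsupportedFeature`, `defaultBranch = ""` is later written into `RawResults.Metadata` under `repository.defaultBranch` (the map assignment is further down the function, outside this hunk), so the remediation text built from the probe YAML files — the stated consumer of that metadata — receives an empty string with no signal that the value is unknown. PATCH 17's `pkg/scorecard.go` hunk swaps this for the sentinel `"unknown"`, which has the same weakness in another form, since a branch can legitimately carry that name. Leaving the key out of the map when the client cannot supply it, and having consumers treat a missing key as "not available", keeps the metadata honest. `runScorecardChecksV5` starts before this hunk.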
@@ -163,11 +168,12 @@ func RunScorecardChecksV5(ctx context.Context, // TODO(#3049): only run the probes for checks. // NOTE: We will need separate functions to support: // - `--probes X,Y` - // - `--check-definitions-file path/to/config.yml` - findings, err = zrunner.Run(&ret.RawResults, probes.All) - if err != nil { - return ScorecardResult{}, err - } - ret.ProbeResults = findings + // - `--check-definitions-file path/to/config.yml + // NOTE: we discard the returned error because the errors are + // already cotained in the findings and we want to return the findings + // to users. + // See https://github.com/ossf/scorecard/blob/main/probes/zrunner/runner.go#L34-L45. + findings, _ = zrunner.Run(&ret.RawResults, probes.All) + ret.Findings = findings return ret, nil } diff --git a/pkg/scorecard_result.go b/pkg/scorecard_result.go index 57dfd105056..c30167c5293 100644 --- a/pkg/scorecard_result.go +++ b/pkg/scorecard_result.go @@ -46,13 +46,13 @@ type RepoInfo struct { // ScorecardResult struct is returned on a successful Scorecard run. // nolint type ScorecardResult struct { - Repo RepoInfo - Date time.Time - Scorecard ScorecardInfo - Checks []checker.CheckResult - RawResults checker.RawResults - ProbeResults []finding.Finding - Metadata []string + Repo RepoInfo + Date time.Time + Scorecard ScorecardInfo + Checks []checker.CheckResult + RawResults checker.RawResults + Findings []finding.Finding + Metadata []string } func scoreToString(s float64) string { From 508ae2a7137a3e357c9aff2c54b77a6bd51b21bd Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 31 May 2023 15:31:20 +0000 Subject: [PATCH 16/20] update Signed-off-by: laurentsimon --- pkg/json_probe_results.go | 3 +-- pkg/scorecard.go | 32 ++++++++++++++++++++------------ 2 files changed, 21 insertions(+), 14 deletions(-) diff --git a/pkg/json_probe_results.go b/pkg/json_probe_results.go index 58a8101ed67..84106e5c57a 100644 --- a/pkg/json_probe_results.go +++ b/pkg/json_probe_results.go 
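Review bot: `findings, _ = zrunner.Run(&ret.RawResults, probes.All)` drops the runner's error on the grounds that errors are already carried in the findings, but if `zrunner.Run` can fail before or outside an individual probe (its code is not visible here — confirm), `ret.Findings` stays nil and the probe JSON output then reports an empty `findings` list that a consumer cannot distinguish from a clean repository. If the error is always mirrored in the findings, make that assumption checkable, e.g. `if err != nil && len(findings) == 0 { return ScorecardResult{}, err }`, instead of the blank identifier. Two typos in the added comment: "cotained" → "contained", and the closing backtick on `--check-definitions-file path/to/config.yml` was lost. The function starts before this hunk.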
@@ -31,7 +31,7 @@ type JSONScorecardProbeResult struct { Repo jsonRepoV2 `json:"repo"` Scorecard jsonScorecardV2 `json:"scorecard"` Findings []finding.Finding `json:"findings"` - Metadata map[string]string `json:"metadata"` + Metadata map[string]any `json:"metadata"` } // TODO: finsinds should enventually be part of the scorecard structure. @@ -48,7 +48,6 @@ func (r *ScorecardResult) AsPJSON(writer io.Writer) error { }, Date: r.Date.Format("2006-01-02"), Findings: r.Findings, - Metadata: r.RawResults.Metadata, } if err := encoder.Encode(out); err != nil { diff --git a/pkg/scorecard.go b/pkg/scorecard.go index 06ac3f12e8d..557e74463dd 100644 --- a/pkg/scorecard.go +++ b/pkg/scorecard.go @@ -19,6 +19,7 @@ import ( "context" "errors" "fmt" + "os" "strings" "sync" "time" @@ -29,6 +30,7 @@ import ( "github.com/ossf/scorecard/v4/clients" sce "github.com/ossf/scorecard/v4/errors" "github.com/ossf/scorecard/v4/finding" + "github.com/ossf/scorecard/v4/options" "github.com/ossf/scorecard/v4/probes" "github.com/ossf/scorecard/v4/probes/zrunner" ) 
@@ -163,17 +165,23 @@ func runScorecardChecksV5(ctx context.Context, ret.Checks = append(ret.Checks, result) } - // Run the probes. - var findings []finding.Finding - // TODO(#3049): only run the probes for checks. - // NOTE: We will need separate functions to support: - // - `--probes X,Y` - // - `--check-definitions-file path/to/config.yml - // NOTE: we discard the returned error because the errors are - // already cotained in the findings and we want to return the findings - // to users. - // See https://github.com/ossf/scorecard/blob/main/probes/zrunner/runner.go#L34-L45. - findings, _ = zrunner.Run(&ret.RawResults, probes.All) - ret.Findings = findings + if value, _ := os.LookupEnv(options.EnvVarScorecardExperimental); value == "1" { + // Run the probes. + var findings []finding.Finding + // TODO(#3049): only run the probes for checks. + // NOTE: We will need separate functions to support: + // - `--probes X,Y` + // - `--check-definitions-file path/to/config.yml + // NOTE: we discard the returned error because the errors are + // already cotained in the findings and we want to return the findings + // to users. + // See https://github.com/ossf/scorecard/blob/main/probes/zrunner/runner.go#L34-L45. + // Note: we discard the error because each probe's error is reported within + // the probe and we don't want the entire scorecard run to fail if a single error + // is encountered. + //nolint:errcheck + findings, _ = zrunner.Run(&ret.RawResults, probes.All) + ret.Findings = findings + } return ret, nil } From d180e30f3f5859a177fd31d91d3575bb697228c1 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 1 Jun 2023 22:01:17 +0000 Subject: [PATCH 17/20] update Signed-off-by: laurentsimon --- checker/raw_result.go | 6 +++++- pkg/json_probe_results.go | 2 -- pkg/scorecard.go | 23 +++-------------------- 3 files changed, 8 insertions(+), 23 deletions(-) diff --git a/checker/raw_result.go b/checker/raw_result.go index 206ab8f0240..621c84eb8ad 100644 
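Review bot: The added block carries two NOTE paragraphs that explain the same error discard, the first of them with the "cotained" typo and the unterminated backtick carried over from the previous patch; keep the second, more precise one and delete the first. `//nolint:errcheck` on an explicit `findings, _ =` assignment is likely unnecessary, since errcheck does not report blank-identifier assignments unless `check-blank` is enabled — verify against the project's golangci configuration. The `var findings []finding.Finding` declaration can go as well: `ret.Findings, _ = zrunner.Run(&ret.RawResults, probes.All)`. The enclosing function begins before this hunk.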
--- a/checker/raw_result.go +++ b/checker/raw_result.go @@ -43,7 +43,11 @@ type RawResults struct { LicenseResults LicenseData TokenPermissionsResults TokenPermissionsData CITestResults CITestData - Metadata map[string]string + Metadata MetadataData +} + +type MetadataData struct { + Metadata map[string]string } type RevisionCIInfo struct { diff --git a/pkg/json_probe_results.go b/pkg/json_probe_results.go index 84106e5c57a..633d39a47d4 100644 --- a/pkg/json_probe_results.go +++ b/pkg/json_probe_results.go @@ -31,10 +31,8 @@ type JSONScorecardProbeResult struct { Repo jsonRepoV2 `json:"repo"` Scorecard jsonScorecardV2 `json:"scorecard"` Findings []finding.Finding `json:"findings"` - Metadata map[string]any `json:"metadata"` } -// TODO: finsinds should enventually be part of the scorecard structure. func (r *ScorecardResult) AsPJSON(writer io.Writer) error { encoder := json.NewEncoder(writer) out := JSONScorecardProbeResult{ diff --git a/pkg/scorecard.go b/pkg/scorecard.go index 557e74463dd..bcd28a11b28 100644 --- a/pkg/scorecard.go +++ b/pkg/scorecard.go @@ -96,21 +96,6 @@ func RunScorecard(ctx context.Context, ossFuzzRepoClient clients.RepoClient, ciiClient clients.CIIBestPracticesClient, vulnsClient clients.VulnerabilitiesClient, -) (ScorecardResult, error) { - return runScorecardChecksV5(ctx, repo, commitSHA, commitDepth, - checksToRun, repoClient, ossFuzzRepoClient, - ciiClient, vulnsClient) -} - -func runScorecardChecksV5(ctx context.Context, - repo clients.Repo, - commitSHA string, - commitDepth int, - checksToRun checker.CheckNameToFnMap, - repoClient clients.RepoClient, - ossFuzzRepoClient clients.RepoClient, - ciiClient clients.CIIBestPracticesClient, - vulnsClient clients.VulnerabilitiesClient, ) (ScorecardResult, error) { if err := repoClient.InitRepo(repo, commitSHA, commitDepth); err != nil { // No need to call sce.WithMessage() since InitRepo will do that for us. 
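Review bot: `MetadataData` is a new exported type with no doc comment, and its single field repeats the type's name, so call sites become `ret.RawResults.Metadata.Metadata` (see this commit's `pkg/scorecard.go` hunk). Suggested comment: `// MetadataData carries repository-level metadata shared by all checks and probes, keyed by dotted name (e.g. "repository.host").` — the keys are the ones assigned in `RunScorecard`. A field name such as `Values` would remove the stutter at every access site.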
@@ -121,16 +106,14 @@ func runScorecardChecksV5(ctx context.Context, commitSHA, err := getRepoCommitHash(repoClient) if err != nil || commitSHA == "" { - //nolint:wrapcheck return ScorecardResult{}, err } defaultBranch, err := repoClient.GetDefaultBranchName() if err != nil { if !errors.Is(err, clients.ErrUnsupportedFeature) { - //nolint:wrapcheck - return ScorecardResult{}, err + return ScorecardResult{}, sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("GetDefaultBranchName:%v", err.Error())) } - defaultBranch = "" + defaultBranch = "unknown" } versionInfo := version.GetVersionInfo() @@ -149,7 +132,7 @@ func runScorecardChecksV5(ctx context.Context, // Set metadata for all checks to use. This is necessary // to create remediations from the probe yaml files. - ret.RawResults.Metadata = map[string]string{ + ret.RawResults.Metadata.Metadata = map[string]string{ "repository.host": repo.Host(), "repository.name": strings.TrimPrefix(repo.URI(), repo.Host()+"/"), "repository.uri": repo.URI(), From 3572cf1b2f7fe6bb25dd83fb3dfbb352043a9580 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 7 Jun 2023 17:28:44 +0000 Subject: [PATCH 18/20] update Signed-off-by: laurentsimon --- pkg/scorecard.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/scorecard.go b/pkg/scorecard.go index bcd28a11b28..d44976bf8a7 100644 --- a/pkg/scorecard.go +++ b/pkg/scorecard.go @@ -111,7 +111,8 @@ func RunScorecard(ctx context.Context, defaultBranch, err := repoClient.GetDefaultBranchName() if err != nil { if !errors.Is(err, clients.ErrUnsupportedFeature) { - return ScorecardResult{}, sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("GetDefaultBranchName:%v", err.Error())) + return ScorecardResult{}, + sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("GetDefaultBranchName:%v", err.Error())) } defaultBranch = "unknown" } From 86943a33b4c04418a2e66843ea489c6b49468795 Mon Sep 17 00:00:00 2001 
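Review bot: `fmt.Sprintf("GetDefaultBranchName:%v", err.Error())` is redundant — `%v` already prints an error's message — so `fmt.Sprintf("GetDefaultBranchName: %v", err)` suffices; either way the original error is flattened to text, so a caller can no longer apply `errors.Is` to the underlying cause. If `sce.WithMessage` can take the original error rather than only a string (its signature is not visible here — confirm), passing `err` through would preserve the chain. This hunk also removes the `//nolint:wrapcheck` on the `getRepoCommitHash` return while still returning the error bare; confirm the linter accepts that. `RunScorecard` starts before this hunk.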
From: laurentsimon Date: Wed, 7 Jun 2023 17:33:31 +0000 Subject: [PATCH 19/20] update Signed-off-by: laurentsimon --- pkg/scorecard.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/scorecard.go b/pkg/scorecard.go index d44976bf8a7..ee8cbb7f93a 100644 --- a/pkg/scorecard.go +++ b/pkg/scorecard.go @@ -70,6 +70,7 @@ func runEnabledChecks(ctx context.Context, close(resultsCh) } + func getRepoCommitHash(r clients.RepoClient) (string, error) { commits, err := r.ListCommits() if err != nil { From 81419ec27eeca82d4e70c1642304f5a4db0f53aa Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 7 Jun 2023 17:33:57 +0000 Subject: [PATCH 20/20] update Signed-off-by: laurentsimon --- pkg/scorecard.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/scorecard.go b/pkg/scorecard.go index ee8cbb7f93a..d44976bf8a7 100644 --- a/pkg/scorecard.go +++ b/pkg/scorecard.go @@ -70,7 +70,6 @@ func runEnabledChecks(ctx context.Context, close(resultsCh) } - func getRepoCommitHash(r clients.RepoClient) (string, error) { commits, err := r.ListCommits() if err != nil {