From 7475206efd8132536ca5836b6c09522f8515192c Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Tue, 24 Oct 2023 15:24:06 -0700 Subject: [PATCH] remove sonatype lift Signed-off-by: Spencer Schrock --- checks/dependency_update_tool_test.go | 4 +- checks/evaluation/dependency_update_tool.go | 2 - .../evaluation/dependency_update_tool_test.go | 55 +------- checks/raw/dependency_update_tool.go | 13 -- checks/raw/dependency_update_tool_test.go | 5 +- docs/checks.md | 1 - docs/checks/internal/checks.yaml | 1 - probes/entries.go | 2 - probes/toolSonatypeLiftInstalled/def.yml | 32 ----- probes/toolSonatypeLiftInstalled/impl.go | 58 -------- probes/toolSonatypeLiftInstalled/impl_test.go | 126 ------------------ 11 files changed, 5 insertions(+), 294 deletions(-) delete mode 100644 probes/toolSonatypeLiftInstalled/def.yml delete mode 100644 probes/toolSonatypeLiftInstalled/impl.go delete mode 100644 probes/toolSonatypeLiftInstalled/impl_test.go diff --git a/checks/dependency_update_tool_test.go b/checks/dependency_update_tool_test.go index 6598499c99c..e5d20fdfca0 100644 --- a/checks/dependency_update_tool_test.go +++ b/checks/dependency_update_tool_test.go @@ -77,7 +77,7 @@ func TestDependencyUpdateTool(t *testing.T) { SearchCommits: []clients.Commit{{Committer: clients.User{ID: 111111111}}}, CallSearchCommits: 1, expected: scut.TestReturn{ - NumberOfWarn: 4, + NumberOfWarn: 3, }, }, { @@ -89,7 +89,7 @@ func TestDependencyUpdateTool(t *testing.T) { SearchCommits: []clients.Commit{}, CallSearchCommits: 1, expected: scut.TestReturn{ - NumberOfWarn: 4, + NumberOfWarn: 3, }, }, diff --git a/checks/evaluation/dependency_update_tool.go b/checks/evaluation/dependency_update_tool.go index 6a45afc599e..903252fcde2 100644 --- a/checks/evaluation/dependency_update_tool.go +++ b/checks/evaluation/dependency_update_tool.go @@ -21,7 +21,6 @@ import ( "github.com/ossf/scorecard/v4/probes/toolDependabotInstalled" "github.com/ossf/scorecard/v4/probes/toolPyUpInstalled" "github.com/ossf/scorecard/v4/probes/toolRenovateInstalled" - "github.com/ossf/scorecard/v4/probes/toolSonatypeLiftInstalled" ) // DependencyUpdateTool applies the score policy and logs the details @@ -33,7 +32,6 @@ func DependencyUpdateTool(name string, toolDependabotInstalled.Probe, toolPyUpInstalled.Probe, toolRenovateInstalled.Probe, - toolSonatypeLiftInstalled.Probe, } if !finding.UniqueProbesEqual(findings, expectedProbes) { e := sce.WithMessage(sce.ErrScorecardInternal, "invalid probe results") diff --git a/checks/evaluation/dependency_update_tool_test.go b/checks/evaluation/dependency_update_tool_test.go index bbe0a0e3b0c..0dc19ed6634 100644 --- a/checks/evaluation/dependency_update_tool_test.go +++ b/checks/evaluation/dependency_update_tool_test.go @@ -46,10 +46,6 @@ func TestDependencyUpdateTool(t *testing.T) { Probe: "toolRenovateInstalled", Outcome: finding.OutcomeNegative, }, - { - Probe: "toolSonatypeLiftInstalled", - Outcome: finding.OutcomeNegative, - }, }, result: scut.TestReturn{ Score: checker.MaxResultScore, @@ -71,10 +67,6 @@ func TestDependencyUpdateTool(t *testing.T) { Probe: "toolRenovateInstalled", Outcome: finding.OutcomePositive, }, - { - Probe: "toolSonatypeLiftInstalled", - Outcome: finding.OutcomeNegative, - }, }, result: scut.TestReturn{ Score: checker.MaxResultScore, @@ -96,39 +88,6 @@ func TestDependencyUpdateTool(t *testing.T) { Probe: "toolRenovateInstalled", Outcome: finding.OutcomeNegative, }, - { - Probe: "toolSonatypeLiftInstalled", - Outcome: finding.OutcomeNegative, - }, - }, - result: scut.TestReturn{ - Score: checker.MaxResultScore, - NumberOfInfo: 1, - }, - }, - { - name: "sonatype", - findings: []finding.Finding{ - { - Probe: "toolDependabotInstalled", - Outcome: finding.OutcomeNegative, - }, - { - Probe: "toolPyUpInstalled", - Outcome: finding.OutcomeNegative, - }, - { - Probe: "toolRenovateInstalled", - Outcome: finding.OutcomeNegative, - }, - { - Probe: "toolSonatypeLiftInstalled", - Outcome: finding.OutcomePositive, - }, - { - Probe: "toolRenovateInstalled", - Outcome: finding.OutcomeNegative, - }, }, result: scut.TestReturn{ Score: checker.MaxResultScore, @@ -150,14 +109,10 @@ func TestDependencyUpdateTool(t *testing.T) { Probe: "toolPyUpInstalled", Outcome: finding.OutcomeNegative, }, - { - Probe: "toolSonatypeLiftInstalled", - Outcome: finding.OutcomeNegative, - }, }, result: scut.TestReturn{ Score: checker.MinResultScore, - NumberOfWarn: 4, + NumberOfWarn: 3, }, }, { @@ -171,10 +126,6 @@ func TestDependencyUpdateTool(t *testing.T) { Probe: "toolPyUpInstalled", Outcome: finding.OutcomeNegative, }, - { - Probe: "toolSonatypeInstalled", - Outcome: finding.OutcomeNegative, - }, }, result: scut.TestReturn{ Score: checker.InconclusiveResultScore, @@ -196,10 +147,6 @@ func TestDependencyUpdateTool(t *testing.T) { Probe: "toolPyUpInstalled", Outcome: finding.OutcomeNegative, }, - { - Probe: "toolSonatypeInstalled", - Outcome: finding.OutcomeNegative, - }, { Probe: "toolInvalidProbeName", Outcome: finding.OutcomeNegative, diff --git a/checks/raw/dependency_update_tool.go b/checks/raw/dependency_update_tool.go index 2e2244c1b8b..effeef2891f 100644 --- a/checks/raw/dependency_update_tool.go +++ b/checks/raw/dependency_update_tool.go @@ -113,19 +113,6 @@ var checkDependencyFileExists fileparser.DoWhileTrueOnFilename = func(name strin }, }, }) - case ".lift.toml", ".lift/config.toml": - *ptools = append(*ptools, checker.Tool{ - Name: "Sonatype Lift", - URL: asPointer("https://lift.sonatype.com"), - Desc: asPointer("Automated dependency updates. Multi-platform and multi-language."), - Files: []checker.File{ - { - Path: name, - Type: finding.FileTypeSource, - Offset: checker.OffsetDefault, - }, - }, - }) } // Continue iterating, even if we have found a tool. diff --git a/checks/raw/dependency_update_tool_test.go b/checks/raw/dependency_update_tool_test.go index 02a3128690b..618e606b752 100644 --- a/checks/raw/dependency_update_tool_test.go +++ b/checks/raw/dependency_update_tool_test.go @@ -27,7 +27,6 @@ import ( func Test_checkDependencyFileExists(t *testing.T) { t.Parallel() - //nolint tests := []struct { name string path string @@ -97,13 +96,13 @@ func Test_checkDependencyFileExists(t *testing.T) { { name: ".lift.toml", path: ".lift.toml", - want: true, + want: false, // support removed wantErr: false, }, { name: ".lift/config.toml", path: ".lift/config.toml", - want: true, + want: false, // support removed wantErr: false, }, } diff --git a/docs/checks.md b/docs/checks.md index c360fabff87..88248e88d66 100644 --- a/docs/checks.md +++ b/docs/checks.md @@ -310,7 +310,6 @@ This check tries to determine if the project uses a dependency update tool, specifically one of: - [Dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates) - [Renovate bot](https://docs.renovatebot.com/configuration-options/) -- [Sonatype Lift](https://help.sonatype.com/lift/getting-started) - [PyUp](https://docs.pyup.io/docs) (Python) Out-of-date dependencies make a project vulnerable to known flaws and prone to attacks. These tools automate the process of updating dependencies by scanning for diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml index 295cf683d05..5d08a6ce9a3 100644 --- a/docs/checks/internal/checks.yaml +++ b/docs/checks/internal/checks.yaml @@ -60,7 +60,6 @@ checks: specifically one of: - [Dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates) - [Renovate bot](https://docs.renovatebot.com/configuration-options/) - - [Sonatype Lift](https://help.sonatype.com/lift/getting-started) - [PyUp](https://docs.pyup.io/docs) (Python) Out-of-date dependencies make a project vulnerable to known flaws and prone to attacks. These tools automate the process of updating dependencies by scanning for diff --git a/probes/entries.go b/probes/entries.go index 3b4275c49c5..84d5f4f487f 100644 --- a/probes/entries.go +++ b/probes/entries.go @@ -42,7 +42,6 @@ import ( "github.com/ossf/scorecard/v4/probes/toolDependabotInstalled" "github.com/ossf/scorecard/v4/probes/toolPyUpInstalled" "github.com/ossf/scorecard/v4/probes/toolRenovateInstalled" - "github.com/ossf/scorecard/v4/probes/toolSonatypeLiftInstalled" ) // ProbeImpl is the implementation of a probe. @@ -65,7 +64,6 @@ var ( toolRenovateInstalled.Run, toolDependabotInstalled.Run, toolPyUpInstalled.Run, - toolSonatypeLiftInstalled.Run, } Fuzzing = []ProbeImpl{ fuzzedWithOSSFuzz.Run, diff --git a/probes/toolSonatypeLiftInstalled/def.yml b/probes/toolSonatypeLiftInstalled/def.yml deleted file mode 100644 index c68dd3dffec..00000000000 --- a/probes/toolSonatypeLiftInstalled/def.yml +++ /dev/null @@ -1,32 +0,0 @@ -# Copyright 2023 OpenSSF Scorecard Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -id: toolSonatypeLiftInstalled -short: Check that Sonatype Lyft is installed. -motivation: > - Out-of-date dependencies make a project vulnerable to known flaws and prone to attacks. - Sonatype Lyft automates the process of updating dependencies by scanning for outdated or insecure requirements, and opening a pull request to update them if found. -implementation: > - The implementation looks for the presence of files named ".lift.toml" or ".lift/config.toml". - If none of these files are found, Sonatype Lyft is not installed. - NOTE: the implementation does not ensure that Sonatype Lyft is run or that Sonatype Lyft's pull requests are merged. -outcome: - - If Sonatype Lyft is installed, the probe returns OutcomePositive (1) for each configuration. - - If Sonatype Lyft is not installed, the probe returns OutcomeNegative (0). -remediation: - effort: Low - text: - - Follow the instructions from https://help.sonatype.com/lift/getting-started. - markdown: - - Follow the instructions from [the official documentation](https://help.sonatype.com/lift/getting-started). \ No newline at end of file diff --git a/probes/toolSonatypeLiftInstalled/impl.go b/probes/toolSonatypeLiftInstalled/impl.go deleted file mode 100644 index 5bccadee265..00000000000 --- a/probes/toolSonatypeLiftInstalled/impl.go +++ /dev/null @@ -1,58 +0,0 @@ -// Copyright 2023 OpenSSF Scorecard Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// nolint:stylecheck -package toolSonatypeLiftInstalled - -import ( - "embed" - "fmt" - - "github.com/ossf/scorecard/v4/checker" - "github.com/ossf/scorecard/v4/finding" - tls "github.com/ossf/scorecard/v4/probes/internal/utils/tools" - "github.com/ossf/scorecard/v4/probes/internal/utils/uerror" -) - -//go:embed *.yml -var fs embed.FS - -const Probe = "toolSonatypeLiftInstalled" - -type sonatypeLyft struct{} - -func (t sonatypeLyft) Name() string { - return "Sonatype Lift" -} - -func (t sonatypeLyft) Matches(tool *checker.Tool) bool { - return t.Name() == tool.Name -} - -func Run(raw *checker.RawResults) ([]finding.Finding, string, error) { - if raw == nil { - return nil, "", fmt.Errorf("%w: raw", uerror.ErrNil) - } - tools := raw.DependencyUpdateToolResults.Tools - var matcher sonatypeLyft - // Check whether Sona Lyft tool is installed on the repo, - // and create the corresponding findings. - //nolint:wrapcheck - return tls.Run(tools, fs, Probe, - // Tool found will generate a positive result. - finding.OutcomePositive, - // Tool not found will generate a negative result. - finding.OutcomeNegative, - matcher) -} diff --git a/probes/toolSonatypeLiftInstalled/impl_test.go b/probes/toolSonatypeLiftInstalled/impl_test.go deleted file mode 100644 index 4e9c19cd963..00000000000 --- a/probes/toolSonatypeLiftInstalled/impl_test.go +++ /dev/null @@ -1,126 +0,0 @@ -// Copyright 2023 OpenSSF Scorecard Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// nolint:stylecheck -package toolSonatypeLiftInstalled - -import ( - "testing" - - "github.com/google/go-cmp/cmp" - "github.com/google/go-cmp/cmp/cmpopts" - - "github.com/ossf/scorecard/v4/checker" - "github.com/ossf/scorecard/v4/finding" - "github.com/ossf/scorecard/v4/probes/internal/utils/uerror" -) - -func Test_Run(t *testing.T) { - t.Parallel() - // nolint:govet - tests := []struct { - name string - raw *checker.RawResults - outcomes []finding.Outcome - err error - }{ - { - name: "tool present", - raw: &checker.RawResults{ - DependencyUpdateToolResults: checker.DependencyUpdateToolData{ - Tools: []checker.Tool{ - { - Name: "Sonatype Lift", - }, - }, - }, - }, - outcomes: []finding.Outcome{ - finding.OutcomePositive, - }, - }, - { - name: "multiple correct tools", - raw: &checker.RawResults{ - DependencyUpdateToolResults: checker.DependencyUpdateToolData{ - Tools: []checker.Tool{ - { - Name: "Sonatype Lift", - }, - { - Name: "Sonatype Lift", - }, - }, - }, - }, - outcomes: []finding.Outcome{ - finding.OutcomePositive, - finding.OutcomePositive, - }, - }, - { - name: "different tool name", - raw: &checker.RawResults{ - DependencyUpdateToolResults: checker.DependencyUpdateToolData{ - Tools: []checker.Tool{ - { - Name: "not-Sonatype Lift", - }, - }, - }, - }, - outcomes: []finding.Outcome{ - finding.OutcomeNegative, - }, - }, - { - name: "empty results", - raw: &checker.RawResults{}, - outcomes: []finding.Outcome{ - finding.OutcomeNegative, - }, - }, - { - name: "nil raw", - err: uerror.ErrNil, - }, - } - for _, tt := range tests { - tt := tt // Re-initializing variable so it is not changed while executing the closure below - t.Run(tt.name, func(t *testing.T) { - t.Parallel() - - findings, s, err := Run(tt.raw) - if !cmp.Equal(tt.err, err, cmpopts.EquateErrors()) { - t.Errorf("mismatch (-want +got):\n%s", cmp.Diff(tt.err, err, cmpopts.EquateErrors())) - } - if err != nil { - return - } - if diff := cmp.Diff(Probe, s); diff != "" { - t.Errorf("mismatch (-want +got):\n%s", diff) - } - if diff := cmp.Diff(len(tt.outcomes), len(findings)); diff != "" { - t.Errorf("mismatch (-want +got):\n%s", diff) - } - for i := range tt.outcomes { - outcome := &tt.outcomes[i] - f := &findings[i] - if diff := cmp.Diff(*outcome, f.Outcome); diff != "" { - t.Errorf("mismatch (-want +got):\n%s", diff) - } - } - }) - } -}