✨ Automatic dependency update checks

* Checks if the dependencies are automatically updated.
ossf · Jun 4, 2021 · 0eabcdc · 0eabcdc
1 parent 37d979f
commit 0eabcdc
Show file tree

Hide file tree

Showing 4 changed files with 127 additions and 0 deletions.
diff --git a/checks/automatic_dependency_update.go b/checks/automatic_dependency_update.go
@@ -0,0 +1,52 @@
+// Copyright 2020 Security Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package checks
+
+import (
+	"strings"
+
+	"github.com/ossf/scorecard/checker"
+)
+
+const check = "Automatic-Dependency-Update"
+
+//nolint
+func init() {
+	registerCheck(check, AutomaticDependencyUpdate)
+}
+
+// AutomaticDependencyUpdate will check the repository if it contains Automatic dependency update.
+func AutomaticDependencyUpdate(c *checker.CheckRequest) checker.CheckResult {
+	result := CheckIfFileExists(check, c, fileExists)
+	if !result.Pass {
+		result.Confidence = 3
+	}
+	return result
+}
+
+// fileExists will validate the if frozen dependencies file name exists.
+func fileExists(name string, logf func(s string, f ...interface{})) (bool, error) {
+	switch strings.ToLower(name) {
+	case ".github/dependabot.yml":
+		logf("dependabot config found: %s", name)
+		return true, nil
+		// https://docs.renovatebot.com/configuration-options/
+	case ".github/renovate.json", ".github/renovate.json5", ".renovaterc.json", "renovate.json", "renovate.json5", ".renovaterc":
+		logf("renovate config found: %s", name)
+		return true, nil
+	default:
+		return false, nil
+	}
+}
diff --git a/checks/checks.md b/checks/checks.md
@@ -16,6 +16,13 @@ A project which is not active may not be patched, may not have its dependencies
 **Remediation steps**
 - There is *NO* remediation work needed here. This is just to indicate your project activity and maintenance commitment.
 
+## Automatic-Dependency-Update 
+
+This check tries to determine if a project has dependencies automatically updated. The checks looks for [dependabot](https://dependabot.com/docs/config-file/) or [renovatebot](https://docs.renovatebot.com/configuration-options/).This check only looks if  it is enabled and does not ensure that it is run and PullRequests are merged. 
+
+**Remediation steps**
+- Signup for automatic dependency updates with dependabot or renovatebot and place the config file in the locations that are recommended by these tools.
+
 ## Branch-Protection 
 
 Branch protection allows defining rules to enforce certain workflows for branches, such as requiring a review or passing certain status checks. This check would work only when the token has [Admin access](https://git.luolix.topmunity/t/enable-branch-protection-get-api-without-admin/14197) to the repository. This check determines if the default branch is protected. More specifically, the checks for AllowForcePushes (disabled), AllowDeletions (disabled),  EnforceAdmins (enabled), RequireLinearHistory (enabled), RequiredStatusChecks (enabled and must have non-empty context enabled), RequiredPullRequestReviews (>=1), DismissStaleReviews (enabled), RequireCodeOwnerReviews (enabled). 

diff --git a/checks/checks.yaml b/checks/checks.yaml
@@ -54,6 +54,16 @@ checks:
         The file should contain information on what constitutes a vulnerability
         and a way to report it securely (e.g. issue tracker with private issue
         support, encrypted email with a published public key).
+  Automatic-Dependency-Update:
+    description: >-
+      This check tries to determine if a project has dependencies automatically updated.
+      The checks looks for [dependabot](https://dependabot.com/docs/config-file/) or
+      [renovatebot](https://docs.renovatebot.com/configuration-options/). This check only looks if 
+      it is enabled and does not ensure that it is run and pull requests are merged.
+    remediation:
+      - >-
+        Signup for automatic dependency updates with dependabot or renovatebot and place the config
+        file in the locations that are recommended by these tools.
   Contributors:
     description: >-
       This check tries to determine if a project has a set of contributors from

diff --git a/e2e/automatic_deps_test.go b/e2e/automatic_deps_test.go
@@ -0,0 +1,58 @@
+// Copyright 2021 Security Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package e2e
+
+import (
+	"context"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"github.com/ossf/scorecard/checker"
+	"github.com/ossf/scorecard/checks"
+)
+
+var _ = Describe("E2E TEST:Automatic-Dependency-Update", func() {
+	Context("E2E TEST:Validating dependencies are automatically updated", func() {
+		It("Should return deps are automatically updated for dependabot", func() {
+			l := log{}
+			checker := checker.CheckRequest{
+				Ctx:         context.Background(),
+				Client:      ghClient,
+				Owner:       "ossf",
+				Repo:        "scorecard",
+				GraphClient: graphClient,
+				Logf:        l.Logf,
+			}
+			result := checks.AutomaticDependencyUpdate(&checker)
+			Expect(result.Error).Should(BeNil())
+			Expect(result.Pass).Should(BeTrue())
+		})
+		It("Should return deps are automatically updated for renovatebot", func() {
+			l := log{}
+			checker := checker.CheckRequest{
+				Ctx:         context.Background(),
+				Client:      ghClient,
+				Owner:       "netlify",
+				Repo:        "netlify-cms",
+				GraphClient: graphClient,
+				Logf:        l.Logf,
+			}
+			result := checks.AutomaticDependencyUpdate(&checker)
+			Expect(result.Error).Should(BeNil())
+			Expect(result.Pass).Should(BeTrue())
+		})
+	})
+})