resolved code review and doc review comments

Signed-off-by: Scott Hissam <shissam@gmail.com>
ossf · Nov 4, 2022 · c46a581 · c46a581
1 parent 48719cb
commit c46a581
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 5 deletions.
diff --git a/checks/evaluation/security_policy.go b/checks/evaluation/security_policy.go
@@ -42,8 +42,7 @@ func scoreSecurityCriteria(f checker.File,
 		Text: "",
 	}
 
-	// #1: more than one unique (email/http) linked content found: score += 6
-	//     rationale: if more than one link, even stronger for the community
+	// #1: linked content found (email/http): score += 6
 	if (urls + emails) > 0 {
 		score += 6
 		msg.Text = "Found linked content in security policy"
@@ -91,7 +90,7 @@ func countSecInfo(secInfo []checker.SecurityPolicyInformation,
 	keys := make(map[string]bool)
 	count := 0
 	for _, entry := range secInfo {
-		if _, value := keys[entry.InformationValue.Match]; !value && entry.InformationType == infoType {
+		if _, present := keys[entry.InformationValue.Match]; !present && entry.InformationType == infoType {
 			keys[entry.InformationValue.Match] = true
 			count += 1
 		} else if !unique && entry.InformationType == infoType {
@@ -108,7 +107,7 @@ func findSecInfo(secInfo []checker.SecurityPolicyInformation,
 	keys := make(map[string]bool)
 	var secList []checker.SecurityPolicyInformation
 	for _, entry := range secInfo {
-		if _, value := keys[entry.InformationValue.Match]; !value && entry.InformationType == infoType {
+		if _, present := keys[entry.InformationValue.Match]; !present && entry.InformationType == infoType {
 			keys[entry.InformationValue.Match] = true
 			secList = append(secList, entry)
 		} else if !unique && entry.InformationType == infoType {

diff --git a/checks/raw/security_policy.go b/checks/raw/security_policy.go
@@ -35,7 +35,8 @@ type securityPolicyFilesWithURI struct {
 	files []checker.SecurityPolicyFile
 }
 
-// SecurityPolicy checks for presence of security policy.
+// SecurityPolicy checks for presence of security policy
+// and applicable content discovered by checkSecurityPolicyFileContent().
 func SecurityPolicy(c *checker.CheckRequest) (checker.SecurityPolicyData, error) {
 	data := securityPolicyFilesWithURI{
 		uri: "", files: make([]checker.SecurityPolicyFile, 0),

diff --git a/docs/checks.md b/docs/checks.md
@@ -531,6 +531,24 @@ information about a bug is not publicly visible.
 This check examines the contents of the security policy file awarding points
 for those policies that express vulnerability process(es), disclosure timelines,
 and have links (e.g., URL(s) and email(s)) to support the users.
+
+Linking Requirements (one or more) (6/10 points):
+  - A valid form of an email address to contact for vulnerabilities
+  - A valid form of a http/https address to support vulnerability reporting
+
+Free Form Text (3/10 points):
+  - Free form text is present in the security policy file which is beyond
+    simply having a http/https address and/or email in the file
+  - The string length of any such links in the policy file do not count
+    towards detecting free form text
+
+Security Policy Specific Text (1/10 points):
+  - Specific text providing basic or general information about vulnerability
+    and disclosure practices, expectations, and/or timelines
+  - Text should include a total of 2 or more hits which match (case insensitive)
+    `vuln` and as in "Vulnerability" or "vulnerabilities";
+    `disclos` as "Disclosure" or "disclose";
+    and numbers which convey expectations of times, e.g., 30 days or 90 days
 
 
 **Remediation steps**

diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml
@@ -563,6 +563,25 @@ checks:
       This check examines the contents of the security policy file awarding points
       for those policies that express vulnerability process(es), disclosure timelines,
       and have links (e.g., URL(s) and email(s)) to support the users.
+
+      Linking Requirements (one or more) (6/10 points):
+        - A valid form of an email address to contact for vulnerabilities
+        - A valid form of a http/https address to support vulnerability reporting
+
+      Free Form Text (3/10 points):
+        - Free form text is present in the security policy file which is beyond
+          simply having a http/https address and/or email in the file
+        - The string length of any such links in the policy file do not count
+          towards detecting free form text
+
+      Security Policy Specific Text (1/10 points):
+        - Specific text providing basic or general information about vulnerability
+          and disclosure practices, expectations, and/or timelines
+        - Text should include a total of 2 or more hits which match (case insensitive)
+          `vuln` and as in "Vulnerability" or "vulnerabilities";
+          `disclos` as "Disclosure" or "disclose";
+          and numbers which convey expectations of times, e.g., 30 days or 90 days
+
     remediation:
       - >-
         Place a security policy file `SECURITY.md` in the root directory of your