update

Signed-off-by: laurentsimon <laurentsimon@google.com>
ossf · Jul 22, 2023 · db2caed · db2caed
1 parent 0cf0da3
commit db2caed
Show file tree

Hide file tree

Showing 14 changed files with 85 additions and 199 deletions.
diff --git a/checks/evaluation/security_policy.go b/checks/evaluation/security_policy.go
@@ -18,15 +18,19 @@ import (
 	"github.com/ossf/scorecard/v4/checker"
 	sce "github.com/ossf/scorecard/v4/errors"
 	"github.com/ossf/scorecard/v4/finding"
+	"github.com/ossf/scorecard/v4/probes/securityPolicyContainsDisclosure"
+	"github.com/ossf/scorecard/v4/probes/securityPolicyContainsLinks"
+	"github.com/ossf/scorecard/v4/probes/securityPolicyContainsText"
+	"github.com/ossf/scorecard/v4/probes/securityPolicyPresent"
 )
 
 // SecurityPolicy applies the score policy for the Security-Policy check.
 func SecurityPolicy(name string, findings []finding.Finding) checker.CheckResult {
 	// We have 5 unique probes, each should have a finding.
 	expectedProbes := []string{
-		"securityPolicyContainsDisclosure", "securityPolicyContainsLinks",
-		"securityPolicyContainsText", "securityPolicyPresentInOrg",
-		"securityPolicyPresentInRepo",
+		securityPolicyContainsDisclosure.Probe, securityPolicyContainsLinks.Probe,
+		securityPolicyContainsText.Probe,
+		securityPolicyPresent.Probe,
 	}
 	if !finding.UniqueProbesEqual(findings, expectedProbes) {
 		e := sce.WithMessage(sce.ErrScorecardInternal, "invalid probe results")
@@ -39,40 +43,33 @@ func SecurityPolicy(name string, findings []finding.Finding) checker.CheckResult
 		f := &findings[i]
 		if f.Outcome == finding.OutcomePositive {
 			switch f.Probe {
-			case "securityPolicyContainsDisclosure":
-				score += scoreUpdate(f.Probe, m, 1)
-			case "securityPolicyContainsLinks":
-				score += scoreUpdate(f.Probe, m, 6)
-			case "securityPolicyContainsText":
-				score += scoreUpdate(f.Probe, m, 3)
-			case "securityPolicyPresentInOrg", "securityPolicyPresentInRepo":
+			case securityPolicyContainsDisclosure.Probe:
+				score += scoreProbeOnce(f.Probe, m, 1)
+			case securityPolicyContainsLinks.Probe:
+				score += scoreProbeOnce(f.Probe, m, 6)
+			case securityPolicyContainsText.Probe:
+				score += scoreProbeOnce(f.Probe, m, 3)
+			case securityPolicyPresent.Probe:
 				m[f.Probe] = true
 			default:
 				e := sce.WithMessage(sce.ErrScorecardInternal, "unknown probe results")
 				return checker.CreateRuntimeErrorResult(name, e)
 			}
 		}
 	}
-	_, inRepo := m["securityPolicyPresentInRepo"]
-	_, inOrg := m["securityPolicyPresentInOrg"]
-	if !inOrg && !inRepo {
+	_, defined := m[securityPolicyPresent.Probe]
+	if !defined {
 		if score > 0 {
 			e := sce.WithMessage(sce.ErrScorecardInternal, "score calculation problem")
 			return checker.CreateRuntimeErrorResult(name, e)
 		}
-		return checker.CreateMinScoreResult(name, "no security file found")
+		return checker.CreateMinScoreResult(name, "no security policy file detected")
 	}
 
-	var msg string
-	if inRepo {
-		msg = "security file found in repository"
-	} else if inOrg {
-		msg = "security file found in organization"
-	}
-	return checker.CreateResultWithScore(name, msg, score)
+	return checker.CreateResultWithScore(name, "security file detected", score)
 }
 
-func scoreUpdate(probeID string, m map[string]bool, bump int) int {
+func scoreProbeOnce(probeID string, m map[string]bool, bump int) int {
 	if _, exists := m[probeID]; !exists {
 		m[probeID] = true
 		return bump

diff --git a/checks/evaluation/security_policy_test.go b/checks/evaluation/security_policy_test.go
@@ -42,11 +42,7 @@ func TestSecurityPolicy(t *testing.T) {
 					Outcome: finding.OutcomeNegative,
 				},
 				{
-					Probe:   "securityPolicyPresentInOrg",
-					Outcome: finding.OutcomeNegative,
-				},
-				{
-					Probe:   "securityPolicyPresentInRepo",
+					Probe:   "securityPolicyPresent",
 					Outcome: finding.OutcomeNegative,
 				},
 			},
@@ -55,7 +51,7 @@ func TestSecurityPolicy(t *testing.T) {
 			},
 		},
 		{
-			name: "invalid findings",
+			name: "invalid probe name",
 			findings: []finding.Finding{
 				{
 					Probe:   "securityPolicyContainsDisclosure",
@@ -70,11 +66,7 @@ func TestSecurityPolicy(t *testing.T) {
 					Outcome: finding.OutcomeNegative,
 				},
 				{
-					Probe:   "securityPolicyPresentInOrg",
-					Outcome: finding.OutcomeNegative,
-				},
-				{
-					Probe:   "securityPolicyPresentInRepo",
+					Probe:   "securityPolicyPresent",
 					Outcome: finding.OutcomeNegative,
 				},
 				{
@@ -87,7 +79,7 @@ func TestSecurityPolicy(t *testing.T) {
 			},
 		},
 		{
-			name: "file found",
+			name: "file found only",
 			findings: []finding.Finding{
 				{
 					Probe:   "securityPolicyContainsDisclosure",
@@ -102,11 +94,7 @@ func TestSecurityPolicy(t *testing.T) {
 					Outcome: finding.OutcomeNegative,
 				},
 				{
-					Probe:   "securityPolicyPresentInOrg",
-					Outcome: finding.OutcomeNegative,
-				},
-				{
-					Probe:   "securityPolicyPresentInRepo",
+					Probe:   "securityPolicyPresent",
 					Outcome: finding.OutcomePositive,
 				},
 			},
@@ -130,11 +118,7 @@ func TestSecurityPolicy(t *testing.T) {
 					Outcome: finding.OutcomePositive,
 				},
 				{
-					Probe:   "securityPolicyPresentInOrg",
-					Outcome: finding.OutcomeNegative,
-				},
-				{
-					Probe:   "securityPolicyPresentInRepo",
+					Probe:   "securityPolicyPresent",
 					Outcome: finding.OutcomeNegative,
 				},
 			},
@@ -143,7 +127,7 @@ func TestSecurityPolicy(t *testing.T) {
 			},
 		},
 		{
-			name: "file found with text",
+			name: "file found with no disclosure and text",
 			findings: []finding.Finding{
 				{
 					Probe:   "securityPolicyContainsDisclosure",
@@ -158,11 +142,7 @@ func TestSecurityPolicy(t *testing.T) {
 					Outcome: finding.OutcomeNegative,
 				},
 				{
-					Probe:   "securityPolicyPresentInOrg",
-					Outcome: finding.OutcomeNegative,
-				},
-				{
-					Probe:   "securityPolicyPresentInRepo",
+					Probe:   "securityPolicyPresent",
 					Outcome: finding.OutcomePositive,
 				},
 			},
@@ -186,11 +166,7 @@ func TestSecurityPolicy(t *testing.T) {
 					Outcome: finding.OutcomePositive,
 				},
 				{
-					Probe:   "securityPolicyPresentInOrg",
-					Outcome: finding.OutcomePositive,
-				},
-				{
-					Probe:   "securityPolicyPresentInRepo",
+					Probe:   "securityPolicyPresent",
 					Outcome: finding.OutcomePositive,
 				},
 			},

diff --git a/checks/security_policy_test.go b/checks/security_policy_test.go
@@ -45,7 +45,7 @@ func TestSecurityPolicy(t *testing.T) {
 			want: scut.TestReturn{
 				Score:        10,
 				NumberOfInfo: 4,
-				NumberOfWarn: 1,
+				NumberOfWarn: 0,
 			},
 		},
 		{
@@ -57,7 +57,7 @@ func TestSecurityPolicy(t *testing.T) {
 			want: scut.TestReturn{
 				Score:        10,
 				NumberOfInfo: 4,
-				NumberOfWarn: 1,
+				NumberOfWarn: 0,
 			},
 		},
 		{
@@ -69,7 +69,7 @@ func TestSecurityPolicy(t *testing.T) {
 			want: scut.TestReturn{
 				Score:        4,
 				NumberOfInfo: 3,
-				NumberOfWarn: 2,
+				NumberOfWarn: 1,
 			},
 		},
 		{
@@ -81,7 +81,7 @@ func TestSecurityPolicy(t *testing.T) {
 			want: scut.TestReturn{
 				Score:        3,
 				NumberOfInfo: 2,
-				NumberOfWarn: 3,
+				NumberOfWarn: 2,
 			},
 		},
 		{
@@ -93,7 +93,7 @@ func TestSecurityPolicy(t *testing.T) {
 			want: scut.TestReturn{
 				Score:        6,
 				NumberOfInfo: 2,
-				NumberOfWarn: 3,
+				NumberOfWarn: 2,
 			},
 		},
 		{
@@ -105,7 +105,7 @@ func TestSecurityPolicy(t *testing.T) {
 			want: scut.TestReturn{
 				Score:        6,
 				NumberOfInfo: 2,
-				NumberOfWarn: 3,
+				NumberOfWarn: 2,
 			},
 		},
 		{
@@ -117,7 +117,7 @@ func TestSecurityPolicy(t *testing.T) {
 			want: scut.TestReturn{
 				Score:        6,
 				NumberOfInfo: 2,
-				NumberOfWarn: 3,
+				NumberOfWarn: 2,
 			},
 		},
 		{
@@ -129,7 +129,7 @@ func TestSecurityPolicy(t *testing.T) {
 			want: scut.TestReturn{
 				Score:        9,
 				NumberOfInfo: 3,
-				NumberOfWarn: 2,
+				NumberOfWarn: 1,
 			},
 		},
 		{
@@ -141,7 +141,7 @@ func TestSecurityPolicy(t *testing.T) {
 			want: scut.TestReturn{
 				Score:        10,
 				NumberOfInfo: 4,
-				NumberOfWarn: 1,
+				NumberOfWarn: 0,
 			},
 		},
 		{
@@ -153,7 +153,7 @@ func TestSecurityPolicy(t *testing.T) {
 			want: scut.TestReturn{
 				Score:        0,
 				NumberOfInfo: 1,
-				NumberOfWarn: 4,
+				NumberOfWarn: 3,
 			},
 		},
 		{
@@ -165,7 +165,7 @@ func TestSecurityPolicy(t *testing.T) {
 			want: scut.TestReturn{
 				Score:        0,
 				NumberOfInfo: 1,
-				NumberOfWarn: 4,
+				NumberOfWarn: 3,
 			},
 		},
 	}

diff --git a/e2e/security_policy_test.go b/e2e/security_policy_test.go
@@ -51,7 +51,7 @@ var _ = Describe("E2E TEST:"+checks.CheckSecurityPolicy, func() {
 			expected := scut.TestReturn{
 				Error:         nil,
 				Score:         checker.MaxResultScore,
-				NumberOfWarn:  1,
+				NumberOfWarn:  0,
 				NumberOfInfo:  4,
 				NumberOfDebug: 0,
 			}
@@ -79,7 +79,7 @@ var _ = Describe("E2E TEST:"+checks.CheckSecurityPolicy, func() {
 			expected := scut.TestReturn{
 				Error:         nil,
 				Score:         checker.MaxResultScore,
-				NumberOfWarn:  1,
+				NumberOfWarn:  0,
 				NumberOfInfo:  4,
 				NumberOfDebug: 0,
 			}
@@ -118,7 +118,7 @@ var _ = Describe("E2E TEST:"+checks.CheckSecurityPolicy, func() {
 			expected := scut.TestReturn{
 				Error:         nil,
 				Score:         checker.MaxResultScore,
-				NumberOfWarn:  1,
+				NumberOfWarn:  0,
 				NumberOfInfo:  4,
 				NumberOfDebug: 0,
 			}

diff --git a/probes/entries.go b/probes/entries.go
@@ -20,8 +20,7 @@ import (
 	"github.com/ossf/scorecard/v4/probes/securityPolicyContainsDisclosure"
 	"github.com/ossf/scorecard/v4/probes/securityPolicyContainsLinks"
 	"github.com/ossf/scorecard/v4/probes/securityPolicyContainsText"
-	"github.com/ossf/scorecard/v4/probes/securityPolicyPresentInOrg"
-	"github.com/ossf/scorecard/v4/probes/securityPolicyPresentInRepo"
+	"github.com/ossf/scorecard/v4/probes/securityPolicyPresent"
 	"github.com/ossf/scorecard/v4/probes/toolDependabotInstalled"
 	"github.com/ossf/scorecard/v4/probes/toolPyUpInstalled"
 	"github.com/ossf/scorecard/v4/probes/toolRenovateInstalled"
@@ -37,8 +36,7 @@ var (
 	// SecurityPolicy is all the probes for the
 	// SecurityPolicy check.
 	SecurityPolicy = []ProbeImpl{
-		securityPolicyPresentInRepo.Run,
-		securityPolicyPresentInOrg.Run,
+		securityPolicyPresent.Run,
 		securityPolicyContainsLinks.Run,
 		securityPolicyContainsDisclosure.Run,
 		securityPolicyContainsText.Run,

diff --git a/probes/securityPolicyContainsDisclosure/def.yml b/probes/securityPolicyContainsDisclosure/def.yml
@@ -19,7 +19,7 @@ motivation: >
 implementation: >
   The implementation looks for strings "Disclos" and "Vuln".
 outcome:
-  - If information about the disclosure process is found in the security policy file, the probe one finding with OutcomePositive (1).
+  - If information about the disclosure process is found in the security policy file, the probe returns one finding with OutcomePositive (1).
   - If no information about the disclosure process is found, the probe returns one finding with OutcomeNegative (0).
   - if not file is present, one finding with OutcomeNegative (0).
 remediation:

diff --git a/probes/securityPolicyContainsDisclosure/impl.go b/probes/securityPolicyContainsDisclosure/impl.go
@@ -27,7 +27,7 @@ import (
 //go:embed *.yml
 var fs embed.FS
 
-var probe = "securityPolicyContainsDisclosure"
+const Probe = "securityPolicyContainsDisclosure"
 
 func matches(file checker.File) bool {
 	return file.Type != finding.FileTypeURL
@@ -37,34 +37,34 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
 	var findings []finding.Finding
 	policies := raw.SecurityPolicyResults.PolicyFiles
 	for i := range policies {
-		policy := policies[i]
+		policy := &policies[i]
 		if !matches(policy.File) {
 			continue
 		}
 		discvuls := utils.CountSecInfo(policy.Information, checker.SecurityPolicyInformationTypeText, false)
 		if discvuls > 1 {
-			f, err := finding.NewPositive(fs, probe,
+			f, err := finding.NewPositive(fs, Probe,
 				"Found disclosure, vulnerability, and/or timelines in security policy", policy.File.Location())
 			if err != nil {
-				return nil, probe, fmt.Errorf("create finding: %w", err)
+				return nil, Probe, fmt.Errorf("create finding: %w", err)
 			}
 			findings = append(findings, *f)
 		} else {
-			f, err := finding.NewNegative(fs, probe,
+			f, err := finding.NewNegative(fs, Probe,
 				"One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy", nil)
 			if err != nil {
-				return nil, probe, fmt.Errorf("create finding: %w", err)
+				return nil, Probe, fmt.Errorf("create finding: %w", err)
 			}
 			findings = append(findings, *f)
 		}
 	}
 
 	if len(findings) == 0 {
-		f, err := finding.NewNegative(fs, probe, "no security file to analyze", nil)
+		f, err := finding.NewNegative(fs, Probe, "no security file to analyze", nil)
 		if err != nil {
-			return nil, probe, fmt.Errorf("create finding: %w", err)
+			return nil, Probe, fmt.Errorf("create finding: %w", err)
 		}
 		findings = append(findings, *f)
 	}
-	return findings, probe, nil
+	return findings, Probe, nil
 }