Documentation ¶
Overview ¶
Package checker includes structs and functions used for running a check.
Index ¶
- Constants
- func AggregateScores(scores ...int) int
- func AggregateScoresWithWeight(scores map[int]int) int
- func CreateProportionalScore(success, total int) int
- func GetClients(ctx context.Context, repoURI, localURI string, logger *log.Logger) (clients.Repo, clients.RepoClient, clients.RepoClient, ...)
- func LogFindings(findings []finding.Finding, dl DetailLogger) error
- func NormalizeReason(reason string, score int) string
- type ArchivedStatus
- type BinaryArtifactData
- type BranchProtectionsData
- type CIIBestPracticesData
- type CITestData
- type Changeset
- type Check
- type CheckDetail
- type CheckFn
- type CheckNameToFnMap
- type CheckRequest
- type CheckResult
- func CreateInconclusiveResult(name, reason string) CheckResult
- func CreateMaxScoreResult(name, reason string) CheckResult
- func CreateMinScoreResult(name, reason string) CheckResult
- func CreateProportionalScoreResult(name, reason string, b, t int) CheckResult
- func CreateResultWithScore(name, reason string, score int) CheckResult
- func CreateRuntimeErrorResult(name string, e error) CheckResult
- type CodeReviewData
- type ContributorsData
- type DangerousWorkflow
- type DangerousWorkflowData
- type DangerousWorkflowType
- type Dependency
- type DependencyUpdateToolData
- type DependencyUseType
- type DetailLogger
- type DetailType
- type File
- type FuzzingData
- type License
- type LicenseAttributionType
- type LicenseData
- type LicenseFile
- type LogMessage
- type MaintainedData
- type MetadataData
- type Package
- type PackagingData
- type PermissionLevel
- type PermissionLocation
- type PinningDependenciesData
- type RawResults
- type RequestType
- type ReviewPlatform
- type RevisionCIInfo
- type Run
- type Runner
- type SecurityPolicyData
- type SecurityPolicyFile
- type SecurityPolicyInformation
- type SecurityPolicyInformationType
- type SecurityPolicyValueType
- type SignedReleasesData
- type TokenPermission
- type TokenPermissionsData
- type Tool
- type VulnerabilitiesData
- type WebhooksData
- type WorkflowJob
Constants ¶
const (
	// MaxResultScore is the best score that can be given by a check.
	MaxResultScore = 10
	// MinResultScore is the worst score that can be given by a check.
	MinResultScore = 0
	// InconclusiveResultScore is returned when no reliable information can be retrieved by a check.
	InconclusiveResultScore = -1
	// OffsetDefault is used if we can't determine the offset, for example when referencing a file but not a
	// specific location in the file.
	OffsetDefault = uint(1)
)
Variables ¶
This section is empty.
Functions ¶
func AggregateScores ¶
AggregateScores adds up all scores and normalizes the result. Each score contributes equally.
func AggregateScoresWithWeight ¶
AggregateScoresWithWeight adds up all scores and normalizes the result.
func CreateProportionalScore ¶
CreateProportionalScore creates a proportional score.
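The three scoring helpers above, modelled here as an added, self-contained example (this is not the checker package's own code; the behaviour for an empty score list and for total == 0 is an assumption made in this example, chosen so the helpers never divide by zero):

```go
package main

import "fmt"

// Score bounds as documented for the checker package.
const (
	MaxResultScore          = 10
	MinResultScore          = 0
	InconclusiveResultScore = -1
)

// AggregateScores averages the given scores; every score carries the same weight.
// Assumption: with no scores it returns InconclusiveResultScore instead of dividing by zero.
func AggregateScores(scores ...int) int {
	if len(scores) == 0 {
		return InconclusiveResultScore
	}
	total := 0
	for _, s := range scores {
		total += s
	}
	return total / len(scores)
}

// AggregateScoresWithWeight averages scores keyed by score value with a weight per
// score, so a 7 with weight 3 counts three times as much as a 10 with weight 1.
// Assumption: a zero total weight yields InconclusiveResultScore.
func AggregateScoresWithWeight(scores map[int]int) int {
	weighted, totalWeight := 0, 0
	for score, weight := range scores {
		weighted += score * weight
		totalWeight += weight
	}
	if totalWeight == 0 {
		return InconclusiveResultScore
	}
	return weighted / totalWeight
}

// CreateProportionalScore scales success/total onto [MinResultScore, MaxResultScore],
// clamping at the maximum. Assumption: total <= 0 is treated as MinResultScore.
func CreateProportionalScore(success, total int) int {
	if total <= 0 {
		return MinResultScore
	}
	score := MaxResultScore * success / total
	if score > MaxResultScore {
		return MaxResultScore
	}
	return score
}

func main() {
	fmt.Println(AggregateScores(10, 5, 0))                         // 5
	fmt.Println(AggregateScoresWithWeight(map[int]int{10: 1, 7: 3})) // 7
	fmt.Println(CreateProportionalScore(3, 4))                      // 7
	fmt.Println(CreateProportionalScore(0, 0))                      // 0
}
```

Integer division is deliberate: the package's scores are ints in [0, 10], so a check that passes 3 of 4 tests lands on 7, not 7.5, and the caller never sees a fractional score.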
func GetClients ¶ added in v4.2.0
func GetClients(ctx context.Context, repoURI, localURI string, logger *log.Logger) (
	clients.Repo,
	clients.RepoClient,
	clients.RepoClient,
	clients.CIIBestPracticesClient,
	clients.VulnerabilitiesClient,
	error,
)
GetClients returns a list of clients for running scorecard checks. TODO(repo): Pass a `http.RoundTripper` here.
func LogFindings ¶ added in v4.11.0
func LogFindings(findings []finding.Finding, dl DetailLogger) error
LogFindings logs the list of findings.
func NormalizeReason ¶
NormalizeReason is a placeholder function for use if we want to update the range of scores.
Types ¶
type ArchivedStatus ¶ added in v4.2.0
type ArchivedStatus struct {
Status bool
}
ArchivedStatus defines the archived status.
type BinaryArtifactData ¶
type BinaryArtifactData struct {
	// Files contains a list of files.
	Files []File
}
BinaryArtifactData contains the raw results for the Binary-Artifact check.
type BranchProtectionsData ¶
BranchProtectionsData contains the raw results for the Branch-Protection check.
type CIIBestPracticesData ¶ added in v4.3.0
type CIIBestPracticesData struct {
Badge clients.BadgeLevel
}
CIIBestPracticesData contains data for the CIIBestPractices check.
type CITestData ¶ added in v4.8.0
type CITestData struct {
CIInfo []RevisionCIInfo
}
type Check ¶ added in v4.1.0
type Check struct {
	Fn                    CheckFn
	SupportedRequestTypes []RequestType
}
Check defines a Scorecard check fn and its supported request types.
type CheckDetail ¶
type CheckDetail struct {
	Msg  LogMessage
	Type DetailType // Any of DetailWarn, DetailInfo, DetailDebug.
}
CheckDetail contains information for each detail.
type CheckNameToFnMap ¶
CheckNameToFnMap is defined here for convenience.
type CheckRequest ¶
type CheckRequest struct {
	Ctx                   context.Context
	RepoClient            clients.RepoClient
	CIIClient             clients.CIIBestPracticesClient
	OssFuzzRepo           clients.RepoClient
	Dlogger               DetailLogger
	Repo                  clients.Repo
	VulnerabilitiesClient clients.VulnerabilitiesClient
	// UPGRADEv6: return raw results instead of scores.
	RawResults    *RawResults
	RequiredTypes []RequestType
}
CheckRequest struct encapsulates all data to be passed into a CheckFn.
type CheckResult ¶
type CheckResult struct {
	Name    string
	Version int
	Error   error
	Score   int
	Reason  string
	Details []CheckDetail

	// Structured results.
	Rules []string // TODO(X): add support.
}
CheckResult captures result from a check run.
func CreateInconclusiveResult ¶
func CreateInconclusiveResult(name, reason string) CheckResult
CreateInconclusiveResult is used when the check runs without runtime errors, but we don't have enough evidence to set a score.
func CreateMaxScoreResult ¶
func CreateMaxScoreResult(name, reason string) CheckResult
CreateMaxScoreResult is used when the check runs without runtime errors and we can assign a maximum score to the result.
func CreateMinScoreResult ¶
func CreateMinScoreResult(name, reason string) CheckResult
CreateMinScoreResult is used when the check runs without runtime errors and we can assign a minimum score to the result.
func CreateProportionalScoreResult ¶
func CreateProportionalScoreResult(name, reason string, b, t int) CheckResult
CreateProportionalScoreResult is used when the check runs without runtime errors and we assign a proportional score. This may be used if a check contains multiple tests, and we want to assign a score proportional to the number of tests that succeeded.
func CreateResultWithScore ¶
func CreateResultWithScore(name, reason string, score int) CheckResult
CreateResultWithScore is used when the check runs without runtime errors, and we want to assign a specific score.
func CreateRuntimeErrorResult ¶
func CreateRuntimeErrorResult(name string, e error) CheckResult
CreateRuntimeErrorResult is used when the check fails to run because of a runtime error.
type CodeReviewData ¶ added in v4.1.0
type CodeReviewData struct {
DefaultBranchChangesets []Changeset
}
CodeReviewData contains the raw results for the Code-Review check.
type ContributorsData ¶ added in v4.3.1
ContributorsData represents contributor information.
type DangerousWorkflow ¶ added in v4.3.0
type DangerousWorkflow struct {
	Job  *WorkflowJob
	Type DangerousWorkflowType
	File File
}
DangerousWorkflow represents a dangerous workflow.
type DangerousWorkflowData ¶ added in v4.2.0
type DangerousWorkflowData struct {
	Workflows    []DangerousWorkflow
	NumWorkflows int
}
DangerousWorkflowData contains raw results for dangerous workflow check.
type DangerousWorkflowType ¶ added in v4.3.0
type DangerousWorkflowType string
DangerousWorkflowType represents a type of dangerous workflow.
const (
	// DangerousWorkflowScriptInjection represents a script injection.
	DangerousWorkflowScriptInjection DangerousWorkflowType = "scriptInjection"
	// DangerousWorkflowUntrustedCheckout represents an untrusted checkout.
	DangerousWorkflowUntrustedCheckout DangerousWorkflowType = "untrustedCheckout"
)
type Dependency ¶ added in v4.4.0
type Dependency struct {
	// TODO: unique dependency name.
	// TODO: Job *WorkflowJob
	Name     *string
	PinnedAt *string
	Location *File
	Msg      *string // Only for debug messages.
	Type     DependencyUseType
}
Dependency represents a dependency.
type DependencyUpdateToolData ¶
type DependencyUpdateToolData struct {
	// Tools contains a list of tools.
	Tools []Tool
}
DependencyUpdateToolData contains the raw results for the Dependency-Update-Tool check.
type DependencyUseType ¶ added in v4.4.0
type DependencyUseType string
DependencyUseType represents a type of dependency use.
const (
	// DependencyUseTypeGHAction is an action.
	DependencyUseTypeGHAction DependencyUseType = "GitHubAction"
	// DependencyUseTypeDockerfileContainerImage a container image used via FROM.
	DependencyUseTypeDockerfileContainerImage DependencyUseType = "containerImage"
	// DependencyUseTypeDownloadThenRun is a download followed by a run.
	DependencyUseTypeDownloadThenRun DependencyUseType = "downloadThenRun"
	// DependencyUseTypeGoCommand is a go command.
	DependencyUseTypeGoCommand DependencyUseType = "goCommand"
	// DependencyUseTypeChocoCommand is a choco command.
	DependencyUseTypeChocoCommand DependencyUseType = "chocoCommand"
	// DependencyUseTypeNpmCommand is an npm command.
	DependencyUseTypeNpmCommand DependencyUseType = "npmCommand"
	// DependencyUseTypePipCommand is a pip command.
	DependencyUseTypePipCommand DependencyUseType = "pipCommand"
	// DependencyUseTypeNugetCommand is a nuget command.
	DependencyUseTypeNugetCommand DependencyUseType = "nugetCommand"
)
type DetailLogger ¶
type DetailLogger interface {
	Info(msg *LogMessage)
	Warn(msg *LogMessage)
	Debug(msg *LogMessage)
	// Flush resets the logger state and returns collected logs.
	Flush() []CheckDetail
}
DetailLogger logs a CheckDetail struct.
func NewLogger ¶ added in v4.2.0
func NewLogger() DetailLogger
NewLogger creates a new instance of `DetailLogger`.
type DetailType ¶
type DetailType int
DetailType is the type of details.
const (
	// DetailInfo is info-level log.
	DetailInfo DetailType = iota
	// DetailWarn is warned log.
	DetailWarn
	// DetailDebug is debug log.
	DetailDebug
)
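An in-memory implementation of the DetailLogger interface and the DetailType constants above, added here as an example (it is not the package's NewLogger; memLogger, NewMemLogger and CountByType are names invented for this example, and LogMessage and CheckDetail are trimmed to the fields the example uses). It shows the Flush contract: collected details are returned once and the logger is reset for the next check.

```go
package main

import "fmt"

// DetailType mirrors the documented enum: DetailInfo, DetailWarn, DetailDebug.
type DetailType int

const (
	DetailInfo DetailType = iota
	DetailWarn
	DetailDebug
)

// LogMessage and CheckDetail are reduced to the fields this example needs.
type LogMessage struct {
	Text   string
	Path   string
	Offset uint
}

type CheckDetail struct {
	Msg  LogMessage
	Type DetailType
}

// DetailLogger is the interface as documented on the page.
type DetailLogger interface {
	Info(msg *LogMessage)
	Warn(msg *LogMessage)
	Debug(msg *LogMessage)
	Flush() []CheckDetail
}

// memLogger is a hypothetical implementation (assumption: the package's own
// NewLogger may behave differently). It buffers details until Flush is called.
type memLogger struct {
	details []CheckDetail
}

func NewMemLogger() DetailLogger { return &memLogger{} }

func (l *memLogger) log(t DetailType, msg *LogMessage) {
	if msg == nil {
		return // a nil message carries nothing worth recording
	}
	l.details = append(l.details, CheckDetail{Msg: *msg, Type: t})
}

func (l *memLogger) Info(msg *LogMessage)  { l.log(DetailInfo, msg) }
func (l *memLogger) Warn(msg *LogMessage)  { l.log(DetailWarn, msg) }
func (l *memLogger) Debug(msg *LogMessage) { l.log(DetailDebug, msg) }

// Flush returns the buffered details and clears the buffer, so a second
// Flush without new log calls returns nothing.
func (l *memLogger) Flush() []CheckDetail {
	out := l.details
	l.details = nil
	return out
}

// CountByType summarises a flushed detail list, e.g. to decide whether a
// check raised any warnings.
func CountByType(details []CheckDetail) map[DetailType]int {
	counts := map[DetailType]int{}
	for _, d := range details {
		counts[d.Type]++
	}
	return counts
}

func main() {
	dl := NewMemLogger()
	// Constructed sample messages, as a Security-Policy style check might emit.
	dl.Info(&LogMessage{Text: "security policy file found", Path: "SECURITY.md", Offset: 1})
	dl.Warn(&LogMessage{Text: "policy has no contact information", Path: "SECURITY.md", Offset: 1})
	dl.Debug(nil)
	details := dl.Flush()
	fmt.Println(len(details), CountByType(details)[DetailWarn], len(dl.Flush())) // 2 1 0
}
```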
type File ¶
type File struct {
	Path      string
	Snippet   string           // Snippet of code
	Offset    uint             // Offset in the file of Path (line for source/text files).
	EndOffset uint             // End of offset in the file, e.g. if the command spans multiple lines.
	FileSize  uint             // Total size of file.
	Type      finding.FileType // Type of file.
}
File represents a file.
type FuzzingData ¶ added in v4.3.1
type FuzzingData struct {
Fuzzers []Tool
}
FuzzingData represents different fuzzing done.
type License ¶ added in v4.9.0
type License struct {
	Name        string                 // OSI standardized license name
	SpdxID      string                 // SPDX standardized identifier
	Attribution LicenseAttributionType // source of licensing information
	Approved    bool                   // FSF or OSI Approved License
}
License holds the license details.
type LicenseAttributionType ¶ added in v4.9.0
type LicenseAttributionType string
const (
	// sources of license information used to assert repo's license.
	LicenseAttributionTypeOther      LicenseAttributionType = "other"
	LicenseAttributionTypeAPI        LicenseAttributionType = "repositoryAPI"
	LicenseAttributionTypeHeuristics LicenseAttributionType = "builtinHeuristics"
)
type LicenseData ¶ added in v4.2.0
type LicenseData struct {
LicenseFiles []LicenseFile
}
LicenseData contains the raw results for the License check. Some repos may have more than one license.
type LicenseFile ¶ added in v4.9.0
LicenseFile represents one file that contains one license.
type LogMessage ¶
type LogMessage struct {
	// Structured results.
	Finding *finding.Finding

	// Non-structured results.
	Text        string            // A short string explaining why the detail was recorded/logged.
	Path        string            // Fullpath to the file.
	Type        finding.FileType  // Type of file.
	Offset      uint              // Offset in the file of Path (line for source/text files).
	EndOffset   uint              // End of offset in the file, e.g. if the command spans multiple lines.
	Snippet     string            // Snippet of code
	Remediation *rule.Remediation // Remediation information, if any.
}
LogMessage is a structure that encapsulates a detail's information. This allows updating the definition easily.
type MaintainedData ¶ added in v4.2.0
type MaintainedData struct {
	CreatedAt            time.Time
	Issues               []clients.Issue
	DefaultBranchCommits []clients.Commit
	ArchivedStatus       ArchivedStatus
}
MaintainedData contains the raw results for the Maintained check.
type MetadataData ¶ added in v4.11.0
type Package ¶ added in v4.4.0
type Package struct {
	// TODO: not supported yet. This needs to be unique across
	// ecosystems: purl, OSV, CPE, etc.
	Name *string
	Job  *WorkflowJob
	File *File
	// Note: Msg is populated only for debug messages.
	Msg  *string
	Runs []Run
}
Package represents a package. nolint
type PackagingData ¶ added in v4.4.0
type PackagingData struct {
Packages []Package
}
PackagingData contains results for the Packaging check.
type PermissionLevel ¶ added in v4.5.0
type PermissionLevel string
PermissionLevel represents a permission type.
const (
	// PermissionLevelUndeclared is an undeclared permission.
	PermissionLevelUndeclared PermissionLevel = "undeclared"
	// PermissionLevelWrite is a permission set to `write` for a permission we consider potentially dangerous.
	PermissionLevelWrite PermissionLevel = "write"
	// PermissionLevelRead is a permission set to `read`.
	PermissionLevelRead PermissionLevel = "read"
	// PermissionLevelNone is a permission set to `none`.
	PermissionLevelNone PermissionLevel = "none"
	// PermissionLevelUnknown is for other kinds of alerts, mostly to support debug messages.
	// TODO: remove it once we have implemented severity (#1874).
	PermissionLevelUnknown PermissionLevel = "unknown"
)
type PermissionLocation ¶ added in v4.5.0
type PermissionLocation string
PermissionLocation represents a declaration type.
const (
	// PermissionLocationTop is top-level workflow permission.
	PermissionLocationTop PermissionLocation = "topLevel"
	// PermissionLocationJob is job-level workflow permission.
	PermissionLocationJob PermissionLocation = "jobLevel"
)
type PinningDependenciesData ¶ added in v4.4.0
type PinningDependenciesData struct {
Dependencies []Dependency
}
PinningDependenciesData represents pinned dependency data.
type RawResults ¶
type RawResults struct {
	PackagingResults            PackagingData
	CIIBestPracticesResults     CIIBestPracticesData
	DangerousWorkflowResults    DangerousWorkflowData
	VulnerabilitiesResults      VulnerabilitiesData
	BinaryArtifactResults       BinaryArtifactData
	SecurityPolicyResults       SecurityPolicyData
	DependencyUpdateToolResults DependencyUpdateToolData
	BranchProtectionResults     BranchProtectionsData
	CodeReviewResults           CodeReviewData
	PinningDependenciesResults  PinningDependenciesData
	WebhookResults              WebhooksData
	ContributorsResults         ContributorsData
	MaintainedResults           MaintainedData
	SignedReleasesResults       SignedReleasesData
	FuzzingResults              FuzzingData
	LicenseResults              LicenseData
	TokenPermissionsResults     TokenPermissionsData
	CITestResults               CITestData
	Metadata                    MetadataData
}
RawResults contains results before a policy is applied. nolint
type RequestType ¶ added in v4.1.0
type RequestType int
RequestType identifies special requirements/attributes that need to be supported by checks.
const (
	// FileBased request types require checks to run solely on file-content.
	FileBased RequestType = iota
	// CommitBased request types require checks to run on non-HEAD commit content.
	CommitBased
)
func ListUnsupported ¶ added in v4.1.0
func ListUnsupported(required, supported []RequestType) []RequestType
ListUnsupported returns the []RequestType that are in `required` but not in `supported`.
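How Check, CheckRequest, RequestType and ListUnsupported fit together, shown as an added example that is not the package's own code: RunCheck is a name invented here (the package's Runner.Run is not reproduced), CheckResult is trimmed to four fields, and the two result constructors follow their documented semantics. The point is that a request which only has file content (FileBased) must never be handed to a check that declares no FileBased support, and that refusal surfaces as a runtime-error result rather than a misleading score.

```go
package main

import (
	"context"
	"fmt"
)

// RequestType and its two values, as documented.
type RequestType int

const (
	FileBased RequestType = iota
	CommitBased
)

const (
	MaxResultScore = 10
	MinResultScore = 0
)

// CheckResult is trimmed to the fields used here.
type CheckResult struct {
	Name   string
	Error  error
	Score  int
	Reason string
}

// CheckRequest and Check follow the documented shapes, minus the client fields.
type CheckRequest struct {
	Ctx           context.Context
	RequiredTypes []RequestType
}

type CheckFn func(*CheckRequest) CheckResult

type Check struct {
	Fn                    CheckFn
	SupportedRequestTypes []RequestType
}

// ListUnsupported returns the required request types the check does not support.
// Written from the doc comment; not the package's own implementation.
func ListUnsupported(required, supported []RequestType) []RequestType {
	var unsupported []RequestType
	for _, r := range required {
		found := false
		for _, s := range supported {
			if r == s {
				found = true
				break
			}
		}
		if !found {
			unsupported = append(unsupported, r)
		}
	}
	return unsupported
}

// Result constructors with the documented semantics.
func CreateMaxScoreResult(name, reason string) CheckResult {
	return CheckResult{Name: name, Score: MaxResultScore, Reason: reason}
}

func CreateRuntimeErrorResult(name string, e error) CheckResult {
	return CheckResult{Name: name, Error: e, Score: MinResultScore, Reason: e.Error()}
}

// RunCheck (hypothetical) refuses to run a check that cannot serve every
// request type the request requires, and reports that as a runtime error.
func RunCheck(name string, c Check, req *CheckRequest) CheckResult {
	if missing := ListUnsupported(req.RequiredTypes, c.SupportedRequestTypes); len(missing) > 0 {
		return CreateRuntimeErrorResult(name, fmt.Errorf("check %s does not support request types %v", name, missing))
	}
	return c.Fn(req)
}

func main() {
	// Constructed checks: one works on file content alone, one needs commit history.
	fileOnlyOK := Check{
		Fn: func(*CheckRequest) CheckResult {
			return CreateMaxScoreResult("Binary-Artifacts", "no binaries found in the repo")
		},
		SupportedRequestTypes: []RequestType{FileBased, CommitBased},
	}
	needsCommits := Check{
		Fn: func(*CheckRequest) CheckResult {
			return CreateMaxScoreResult("Code-Review", "all changesets reviewed")
		},
		SupportedRequestTypes: []RequestType{CommitBased},
	}
	req := &CheckRequest{Ctx: context.Background(), RequiredTypes: []RequestType{FileBased}}
	fmt.Println(RunCheck("Binary-Artifacts", fileOnlyOK, req).Score)         // 10
	fmt.Println(RunCheck("Code-Review", needsCommits, req).Error != nil)     // true
}
```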
type ReviewPlatform ¶ added in v4.7.0
type ReviewPlatform = string
const (
	ReviewPlatformGitHub      ReviewPlatform = "GitHub"
	ReviewPlatformProw        ReviewPlatform = "Prow"
	ReviewPlatformGerrit      ReviewPlatform = "Gerrit"
	ReviewPlatformPhabricator ReviewPlatform = "Phabricator"
	ReviewPlatformPiper       ReviewPlatform = "Piper"
	ReviewPlatformUnknown     ReviewPlatform = "Unknown"
)
type RevisionCIInfo ¶ added in v4.8.0
type Runner ¶
type Runner struct {
	CheckName    string
	Repo         string
	CheckRequest CheckRequest
}
Runner runs a check with retries.
func NewRunner ¶ added in v4.2.0
func NewRunner(checkName, repo string, checkReq *CheckRequest) *Runner
NewRunner creates a new instance of `Runner`.
func (*Runner) Run ¶
func (r *Runner) Run(ctx context.Context, c Check) CheckResult
Run runs a given check.
func (*Runner) SetCheckName ¶ added in v4.2.0
SetCheckName sets the check name.
func (*Runner) SetCheckRequest ¶ added in v4.2.0
func (r *Runner) SetCheckRequest(checkReq *CheckRequest)
SetCheckRequest sets the check request.
type SecurityPolicyData ¶
type SecurityPolicyData struct {
PolicyFiles []SecurityPolicyFile
}
SecurityPolicyData contains the raw results for the Security-Policy check.
type SecurityPolicyFile ¶ added in v4.9.0
type SecurityPolicyFile struct {
	// security policy information found in repo or org
	Information []SecurityPolicyInformation
	// file that contains the security policy information
	File File
}
type SecurityPolicyInformation ¶ added in v4.9.0
type SecurityPolicyInformation struct {
	InformationType  SecurityPolicyInformationType
	InformationValue SecurityPolicyValueType
}
type SecurityPolicyInformationType ¶ added in v4.9.0
type SecurityPolicyInformationType string
const (
	// forms of security policy hints being evaluated.
	SecurityPolicyInformationTypeEmail SecurityPolicyInformationType = "emailAddress"
	SecurityPolicyInformationTypeLink  SecurityPolicyInformationType = "httpLink"
	SecurityPolicyInformationTypeText  SecurityPolicyInformationType = "vulnDisclosureText"
)
type SecurityPolicyValueType ¶ added in v4.9.0
type SignedReleasesData ¶ added in v4.2.0
SignedReleasesData contains the raw results for the Signed-Releases check.
type TokenPermission ¶ added in v4.5.0
type TokenPermission struct {
	Job          *WorkflowJob
	LocationType *PermissionLocation
	Name         *string
	Value        *string
	File         *File
	Msg          *string
	Type         PermissionLevel
}
TokenPermission defines a token permission result.
type TokenPermissionsData ¶ added in v4.5.0
type TokenPermissionsData struct {
	TokenPermissions []TokenPermission
	NumTokens        int
}
TokenPermissionsData represents data about a permission failure.
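Walking TokenPermissionsData from a defender's side, as an added example that is not the package's own code: the PermissionLevel and PermissionLocation values are those documented on the page, File and WorkflowJob are reduced to the fields used, and PermissionFinding, RiskyTokenPermissions, SampleTokenPermissions and strp are names invented here. The sample data is constructed to look like what the Token-Permissions check records. The selection rule keeps `write` grants, which the package flags as potentially dangerous, and undeclared permissions, which leave the workflow on whatever default the repository grants its token.

```go
package main

import "fmt"

type PermissionLevel string

const (
	PermissionLevelUndeclared PermissionLevel = "undeclared"
	PermissionLevelWrite      PermissionLevel = "write"
	PermissionLevelRead       PermissionLevel = "read"
	PermissionLevelNone       PermissionLevel = "none"
)

type PermissionLocation string

const (
	PermissionLocationTop PermissionLocation = "topLevel"
	PermissionLocationJob PermissionLocation = "jobLevel"
)

// File and WorkflowJob are trimmed to the fields used here.
type File struct {
	Path   string
	Offset uint
}

type WorkflowJob struct {
	Name *string
}

// TokenPermission and TokenPermissionsData follow the documented shapes.
type TokenPermission struct {
	Job          *WorkflowJob
	LocationType *PermissionLocation
	Name         *string
	Value        *string
	File         *File
	Msg          *string
	Type         PermissionLevel
}

type TokenPermissionsData struct {
	TokenPermissions []TokenPermission
	NumTokens        int
}

func strp(s string) *string { return &s }

// PermissionFinding (hypothetical) is a flat record of one permission to review.
type PermissionFinding struct {
	Path     string
	Scope    string // e.g. "contents"; "(all)" when no scope name was recorded
	Location string
	Level    PermissionLevel
}

// RiskyTokenPermissions keeps write grants and undeclared permissions and
// drops read/none, which already follow least privilege.
func RiskyTokenPermissions(data TokenPermissionsData) []PermissionFinding {
	var out []PermissionFinding
	for _, p := range data.TokenPermissions {
		if p.Type != PermissionLevelWrite && p.Type != PermissionLevelUndeclared {
			continue
		}
		f := PermissionFinding{Level: p.Type, Scope: "(all)", Location: string(PermissionLocationTop)}
		if p.File != nil {
			f.Path = p.File.Path
		}
		if p.Name != nil {
			f.Scope = *p.Name
		}
		if p.LocationType != nil {
			f.Location = string(*p.LocationType)
		}
		out = append(out, f)
	}
	return out
}

// SampleTokenPermissions returns constructed data: two write grants, one
// read grant and one workflow with no permissions block at all.
func SampleTokenPermissions() TokenPermissionsData {
	top, job := PermissionLocationTop, PermissionLocationJob
	return TokenPermissionsData{
		NumTokens: 4,
		TokenPermissions: []TokenPermission{
			{File: &File{Path: ".github/workflows/ci.yml", Offset: 3}, LocationType: &top, Name: strp("contents"), Value: strp("write"), Type: PermissionLevelWrite},
			{File: &File{Path: ".github/workflows/release.yml", Offset: 12}, LocationType: &job, Job: &WorkflowJob{Name: strp("publish")}, Name: strp("id-token"), Value: strp("write"), Type: PermissionLevelWrite},
			{File: &File{Path: ".github/workflows/lint.yml", Offset: 3}, LocationType: &top, Name: strp("contents"), Value: strp("read"), Type: PermissionLevelRead},
			{File: &File{Path: ".github/workflows/deploy.yml", Offset: 1}, LocationType: &top, Type: PermissionLevelUndeclared},
		},
	}
}

func main() {
	for _, f := range RiskyTokenPermissions(SampleTokenPermissions()) {
		fmt.Printf("%s: %s %s permission %q\n", f.Path, f.Location, f.Level, f.Scope)
	}
}
```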
type Tool ¶
type Tool struct {
	URL   *string
	Desc  *string
	Files []File
	Name  string
	// Runs of the tool.
	Runs []Run
	// Issues created by the tool.
	Issues []clients.Issue
	// Merge requests created by the tool.
	MergeRequests []clients.PullRequest
}
Tool represents a tool.
type VulnerabilitiesData ¶ added in v4.1.0
type VulnerabilitiesData struct {
Vulnerabilities []clients.Vulnerability
}
VulnerabilitiesData contains the raw results for the Vulnerabilities check.
type WebhooksData ¶ added in v4.2.0
WebhooksData contains the raw results for the Webhook check.
type WorkflowJob ¶ added in v4.2.0
WorkflowJob represents a workflow job.