🌱 convert binary artifact check to probe #3508

Dec 5, 2023
19 changes: 13 additions & 6 deletions checks/binary_artifact.go
Expand Up @@ -19,6 +19,8 @@ import (
"github.com/ossf/scorecard/v4/checks/evaluation"
"github.com/ossf/scorecard/v4/checks/raw"
sce "github.com/ossf/scorecard/v4/errors"
"github.com/ossf/scorecard/v4/probes"
"github.com/ossf/scorecard/v4/probes/zrunner"
)

// CheckBinaryArtifacts is the exported name for Binary-Artifacts check.
Expand All @@ -38,17 +40,22 @@ func init() {

// BinaryArtifacts will check the repository contains binary artifacts.
func BinaryArtifacts(c *checker.CheckRequest) checker.CheckResult {
rawData, err := raw.BinaryArtifacts(c.RepoClient)
rawData, err := raw.BinaryArtifacts(c)
if err != nil {
e := sce.WithMessage(sce.ErrScorecardInternal, err.Error())
return checker.CreateRuntimeErrorResult(CheckBinaryArtifacts, e)
}

// Return raw results.
if c.RawResults != nil {
c.RawResults.BinaryArtifactResults = rawData
// Set the raw results.
pRawResults := getRawResults(c)
pRawResults.BinaryArtifactResults = rawData

// Evaluate the probes.
findings, err := zrunner.Run(pRawResults, probes.BinaryArtifacts)
if err != nil {
e := sce.WithMessage(sce.ErrScorecardInternal, err.Error())
return checker.CreateRuntimeErrorResult(CheckBinaryArtifacts, e)
}

// Return the score evaluation.
return evaluation.BinaryArtifacts(CheckBinaryArtifacts, c.Dlogger, &rawData)
return evaluation.BinaryArtifacts(CheckBinaryArtifacts, findings, c.Dlogger)
}
37 changes: 25 additions & 12 deletions checks/evaluation/binary_artifacts.go
Expand Up @@ -18,33 +18,46 @@ import (
"github.com/ossf/scorecard/v4/checker"
sce "github.com/ossf/scorecard/v4/errors"
"github.com/ossf/scorecard/v4/finding"
"github.com/ossf/scorecard/v4/probes/freeOfUnverifiedBinaryArtifacts"
)

// BinaryArtifacts applies the score policy for the Binary-Artifacts check.
func BinaryArtifacts(name string, dl checker.DetailLogger,
r *checker.BinaryArtifactData,
func BinaryArtifacts(name string,
findings []finding.Finding,
dl checker.DetailLogger,
) checker.CheckResult {
if r == nil {
e := sce.WithMessage(sce.ErrScorecardInternal, "empty raw data")
expectedProbes := []string{
freeOfUnverifiedBinaryArtifacts.Probe,
}

if !finding.UniqueProbesEqual(findings, expectedProbes) {
e := sce.WithMessage(sce.ErrScorecardInternal, "invalid probe results")
return checker.CreateRuntimeErrorResult(name, e)
}

// Apply the policy evaluation.
if r.Files == nil || len(r.Files) == 0 {
if findings[0].Outcome == finding.OutcomePositive {
return checker.CreateMaxScoreResult(name, "no binaries found in the repo")
}

score := checker.MaxResultScore
for _, f := range r.Files {
for i := range findings {
f := &findings[i]
if f.Outcome != finding.OutcomeNegative {
continue
}
dl.Warn(&checker.LogMessage{
Path: f.Path, Type: finding.FileTypeBinary,
Offset: f.Offset,
Path: f.Location.Path,
Type: f.Location.Type,
Offset: *f.Location.LineStart,
Text: "binary detected",
})
// We remove one point for each binary.
score--
}

// There are only negative findings.
// Deduct the number of findings from max score
numberOfBinaryFilesFound := len(findings)

score := checker.MaxResultScore - numberOfBinaryFilesFound

if score < checker.MinResultScore {
score = checker.MinResultScore
}
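Review bot: The deduction `numberOfBinaryFilesFound := len(findings)` counts every finding, while the loop just above it skips any finding whose Outcome is not OutcomeNegative, so the two disagree whenever a probe result with another outcome is present; either the `continue` is dead or the score is wrong, and counting inside the loop makes the code consistent either way. The same loop dereferences `*f.Location.LineStart` unconditionally, which panics if the probe emits a finding without a line number (I cannot see from this hunk whether Location itself is a pointer; if it is, it needs the same guard). The early return on `findings[0].Outcome == finding.OutcomePositive` presumably relies on the probe emitting exactly one positive finding when no binaries exist; a comment stating that contract, `// The probe emits a single positive finding when no binary is present.`, would make the `findings[0]` access easier to trust. The enclosing function continues past the end of the hunk.
```go
	numberOfBinaryFilesFound := 0
	for i := range findings {
		f := &findings[i]
		if f.Outcome != finding.OutcomeNegative {
			continue
		}
		numberOfBinaryFilesFound++
		msg := &checker.LogMessage{
			Path: f.Location.Path,
			Type: f.Location.Type,
			Text: "binary detected",
		}
		// LineStart is optional in the finding; only report an offset when it is set.
		if f.Location.LineStart != nil {
			msg.Offset = *f.Location.LineStart
		}
		dl.Warn(msg)
	}

	// Deduct one point per negative finding.
	score := checker.MaxResultScore - numberOfBinaryFilesFound
	// … unchanged: clamp to MinResultScore …
```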