// Copyright 2020 Security Scorecard Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package checker
import (
"github.com/ossf/scorecard/v4/clients"
)
// RawResults contains results before a policy
// is applied. Each field holds the raw data gathered by one check,
// kept separate from whatever policy or scoring is applied afterwards.
//nolint
type RawResults struct {
	PackagingResults            PackagingData
	CIIBestPracticesResults     CIIBestPracticesData
	DangerousWorkflowResults    DangerousWorkflowData
	VulnerabilitiesResults      VulnerabilitiesData
	BinaryArtifactResults       BinaryArtifactData
	SecurityPolicyResults       SecurityPolicyData
	DependencyUpdateToolResults DependencyUpdateToolData
	BranchProtectionResults     BranchProtectionsData
	CodeReviewResults           CodeReviewData
	PinningDependenciesResults  PinningDependenciesData
	WebhookResults              WebhooksData
	ContributorsResults         ContributorsData
	MaintainedResults           MaintainedData
	SignedReleasesResults       SignedReleasesData
	FuzzingResults              FuzzingData
	LicenseResults              LicenseData
}
// FuzzingData represents the different fuzzing done on the project.
type FuzzingData struct {
	// Fuzzers lists the fuzzing tools that were detected, one Tool per fuzzer.
	Fuzzers []Tool
}
// TODO: Add Msg to all results.

// PackagingData contains results for the Packaging check.
type PackagingData struct {
	// Packages lists the packages detected, one Package per finding.
	Packages []Package
}
// Package represents a package.
// All pointer fields are optional: a nil value means the information
// was not available for this finding.
// nolint
type Package struct {
	// TODO: not supported yet. This needs to be unique across
	// ecosystems: purl, OSV, CPE, etc.
	Name *string
	// Job is the workflow job that produced the package, when known.
	Job *WorkflowJob
	// File is the file the package was detected in, when known.
	File *File
	// Note: Msg is populated only for debug messages.
	Msg *string
	// Runs are the runs associated with the package.
	Runs []Run
}
// DependencyUseType represents a type of dependency use
// (see the DependencyUseType* constants for the known values).
type DependencyUseType string
// Known dependency use types. The string values are the identifiers
// recorded in the raw results for each kind of use.
const (
	// DependencyUseTypeGHAction is an action.
	DependencyUseTypeGHAction DependencyUseType = "GitHubAction"
	// DependencyUseTypeDockerfileContainerImage a container image used via FROM.
	DependencyUseTypeDockerfileContainerImage DependencyUseType = "containerImage"
	// DependencyUseTypeDownloadThenRun is a download followed by a run.
	DependencyUseTypeDownloadThenRun DependencyUseType = "downloadThenRun"
	// DependencyUseTypeGoCommand is a go command.
	DependencyUseTypeGoCommand DependencyUseType = "goCommand"
	// DependencyUseTypeChocoCommand is a choco command.
	DependencyUseTypeChocoCommand DependencyUseType = "chocoCommand"
	// DependencyUseTypeNpmCommand is an npm command.
	DependencyUseTypeNpmCommand DependencyUseType = "npmCommand"
	// DependencyUseTypePipCommand is a pip command.
	DependencyUseTypePipCommand DependencyUseType = "pipCommand"
)
// PinningDependenciesData represents pinned dependency data
// collected by the Pinned-Dependencies check.
type PinningDependenciesData struct {
	// Dependencies lists each dependency use found, with its pinning state.
	Dependencies []Dependency
}
// Dependency represents a dependency and how it is used.
// Pointer fields are optional; nil means the value is not known.
type Dependency struct {
	// TODO: unique dependency name.
	// TODO: Job *WorkflowJob
	Name *string
	// PinnedAt is the pin (if any) the dependency is locked to;
	// NOTE(review): the exact format is not defined here - confirm with the check.
	PinnedAt *string
	// Location is the file the dependency use was found in, when known.
	Location *File
	Msg      *string // Only for debug messages.
	// Type identifies the kind of use (action, container image, command, ...).
	Type DependencyUseType
}
// MaintainedData contains the raw results
// for the Maintained check.
type MaintainedData struct {
	// Issues are the repository issues collected by the client.
	Issues []clients.Issue
	// DefaultBranchCommits are the commits collected from the default branch.
	DefaultBranchCommits []clients.Commit
	// ArchivedStatus records whether the repository is archived.
	ArchivedStatus ArchivedStatus
}
// LicenseData contains the raw results
// for the License check.
type LicenseData struct {
	// Files lists the license files found.
	Files []File
}
// CodeReviewData contains the raw results
// for the Code-Review check.
type CodeReviewData struct {
	// DefaultBranchCommits are the commits collected from the default branch.
	DefaultBranchCommits []clients.Commit
}
// ContributorsData represents contributor information
// for the Contributors check.
type ContributorsData struct {
	// Users are the contributors collected by the client.
	Users []clients.User
}
// VulnerabilitiesData contains the raw results
// for the Vulnerabilities check.
type VulnerabilitiesData struct {
	// Vulnerabilities are the known vulnerabilities reported by the client.
	Vulnerabilities []clients.Vulnerability
}
// SecurityPolicyData contains the raw results
// for the Security-Policy check.
type SecurityPolicyData struct {
	// Files contains a list of files (the security policy files found).
	Files []File
}
// BinaryArtifactData contains the raw results
// for the Binary-Artifact check.
type BinaryArtifactData struct {
	// Files contains a list of files (the binary artifacts found).
	Files []File
}
// SignedReleasesData contains the raw results
// for the Signed-Releases check.
type SignedReleasesData struct {
	// Releases are the releases collected by the client.
	Releases []clients.Release
}
// DependencyUpdateToolData contains the raw results
// for the Dependency-Update-Tool check.
type DependencyUpdateToolData struct {
	// Tools contains a list of tools.
	// Note: we only populate one entry at most.
	Tools []Tool
}
// WebhooksData contains the raw results
// for the Webhook check.
type WebhooksData struct {
	// Webhooks are the repository webhooks collected by the client.
	Webhooks []clients.Webhook
}
// BranchProtectionsData contains the raw results
// for the Branch-Protection check.
type BranchProtectionsData struct {
	// Branches are the branch references collected by the client.
	Branches []clients.BranchRef
}
// Tool represents a tool detected in the repository
// (used for fuzzers and dependency update tools).
// Pointer fields are optional; nil means the value is not known.
type Tool struct {
	// URL of the tool, when known.
	URL *string
	// Desc is a description of the tool, when known.
	Desc *string
	// Files are the files that revealed the tool.
	Files []File
	// Name of the tool.
	Name string
	// Runs of the tool.
	Runs []Run
	// Issues created by the tool.
	Issues []clients.Issue
	// Merge requests created by the tool.
	MergeRequests []clients.PullRequest
	// TODO: CodeCoverage, jsonWorkflowJob.
}
// Run represents a run of a tool.
type Run struct {
	// URL of the run.
	URL string
	// TODO: add fields, e.g., Result=["success", "failure"]
}
// ArchivedStatus defines the archived status of a repository.
type ArchivedStatus struct {
	// Status is true when the repository is archived.
	Status bool
	// TODO: add fields, e.g., date of archival.
}
// File represents a file, optionally narrowed down to a region of it.
type File struct {
	// Path of the file within the repository.
	Path      string
	Snippet   string   // Snippet of code
	Offset    uint     // Offset in the file of Path (line for source/text files).
	EndOffset uint     // End of offset in the file, e.g. if the command spans multiple lines.
	Type      FileType // Type of file.
	// TODO: add hash.
}
// CIIBestPracticesData contains data for the CII-Best-Practices check.
type CIIBestPracticesData struct {
	// Badge is the badge level reported by the client.
	Badge clients.BadgeLevel
}
// DangerousWorkflowType represents a type of dangerous workflow
// (see the DangerousWorkflow* constants for the known values).
type DangerousWorkflowType string
// Known dangerous workflow types. The string values are the identifiers
// recorded in the raw results for each pattern.
const (
	// DangerousWorkflowScriptInjection represents a script injection.
	DangerousWorkflowScriptInjection DangerousWorkflowType = "scriptInjection"
	// DangerousWorkflowUntrustedCheckout represents an untrusted checkout.
	DangerousWorkflowUntrustedCheckout DangerousWorkflowType = "untrustedCheckout"
)
// DangerousWorkflowData contains raw results
// for the Dangerous-Workflow check.
type DangerousWorkflowData struct {
	// Workflows lists each dangerous pattern found, one entry per finding.
	Workflows []DangerousWorkflow
}
// DangerousWorkflow represents a single dangerous workflow finding.
type DangerousWorkflow struct {
	// Job is the workflow job the pattern was found in, when known.
	Job *WorkflowJob
	// Type is the kind of dangerous pattern found.
	Type DangerousWorkflowType
	// File is the workflow file (and region) where the pattern was found.
	File File
}
// WorkflowJob represents a workflow job.
// Both fields are optional; nil means the value is not known.
type WorkflowJob struct {
	// Name of the job.
	Name *string
	// ID of the job.
	ID *string
}