Merge branch 'main' into pinned-deps-probe-cleanup

Author: spencerschrock

.github/workflows/scorecard-analysis.yml

@@ -7,8 +7,6 @@ on:
   schedule:
     # Weekly on Saturdays.
     - cron:  '30 1 * * 6'
-#   pull_request:
-#     branches: [main]
 
 permissions: read-all
 
@@ -17,36 +15,42 @@ jobs:
     name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
+      # Needed for Code scanning upload
       security-events: write
+      # Needed for GitHub OIDC token if publish_results is true
       id-token: write
 
     steps:
       - name: "Checkout code"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
 
       - name: "Run analysis"
         uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
           # Scorecard team runs a weekly scan of public GitHub repos,
           # see https://github.com/ossf/scorecard#public-data.
           # Setting `publish_results: true` helps us scale by leveraging your workflow to
           # extract the results instead of relying on our own infrastructure to run scans.
           # And it's free for you!
           publish_results: true
 
+      # Upload the results as artifacts (optional). Commenting out will disable
+      # uploads of run results in SARIF format to the repository Actions tab.
       # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
-      # Optional.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v3
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
-      - name: "Upload SARIF results"
-        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v1
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@83a02f7883b12e0e4e1a146174f5e2292a01e601 # v2.16.4
         with:
           sarif_file: results.sarif

checks/branch_protection_test.go

@@ -92,7 +92,7 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 							UpToDateBeforeMerge:  &trueVal,
 							Contexts:             []string{"foo"},
 						},
-						RequiredPullRequestReviews: clients.PullRequestReviewRule{
+						PullRequestRule: clients.PullRequestRule{
 							Required:                     &trueVal,
 							DismissStaleReviews:          &trueVal,
 							RequireCodeOwnerReviews:      &trueVal,
@@ -112,7 +112,7 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 							UpToDateBeforeMerge:  &falseVal,
 							Contexts:             nil,
 						},
-						RequiredPullRequestReviews: clients.PullRequestReviewRule{
+						PullRequestRule: clients.PullRequestRule{
 							Required:                     &trueVal,
 							DismissStaleReviews:          &falseVal,
 							RequireCodeOwnerReviews:      &falseVal,
@@ -152,7 +152,7 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 							UpToDateBeforeMerge:  &falseVal,
 							Contexts:             nil,
 						},
-						RequiredPullRequestReviews: clients.PullRequestReviewRule{
+						PullRequestRule: clients.PullRequestRule{
 							Required:                     &trueVal,
 							DismissStaleReviews:          &falseVal,
 							RequireCodeOwnerReviews:      &falseVal,
@@ -188,7 +188,7 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 							UpToDateBeforeMerge:  &trueVal,
 							Contexts:             []string{"foo"},
 						},
-						RequiredPullRequestReviews: clients.PullRequestReviewRule{
+						PullRequestRule: clients.PullRequestRule{
 							Required:                     &trueVal,
 							DismissStaleReviews:          &trueVal,
 							RequireCodeOwnerReviews:      &trueVal,
@@ -210,7 +210,7 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 							UpToDateBeforeMerge:  &falseVal,
 							Contexts:             nil,
 						},
-						RequiredPullRequestReviews: clients.PullRequestReviewRule{
+						PullRequestRule: clients.PullRequestRule{
 							Required:                     &trueVal,
 							DismissStaleReviews:          &falseVal,
 							RequireCodeOwnerReviews:      &falseVal,
@@ -246,7 +246,7 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 							UpToDateBeforeMerge:  &trueVal,
 							Contexts:             []string{"foo"},
 						},
-						RequiredPullRequestReviews: clients.PullRequestReviewRule{
+						PullRequestRule: clients.PullRequestRule{
 							Required:                     &trueVal,
 							DismissStaleReviews:          &trueVal,
 							RequireCodeOwnerReviews:      &trueVal,
@@ -268,7 +268,7 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 							UpToDateBeforeMerge:  &trueVal,
 							Contexts:             []string{"foo"},
 						},
-						RequiredPullRequestReviews: clients.PullRequestReviewRule{
+						PullRequestRule: clients.PullRequestRule{
 							Required:                     &trueVal,
 							DismissStaleReviews:          &trueVal,
 							RequireCodeOwnerReviews:      &trueVal,
@@ -305,7 +305,7 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 							UpToDateBeforeMerge:  &falseVal,
 							Contexts:             nil,
 						},
-						RequiredPullRequestReviews: clients.PullRequestReviewRule{
+						PullRequestRule: clients.PullRequestRule{
 							Required:                     &trueVal,
 							DismissStaleReviews:          &falseVal,
 							RequireCodeOwnerReviews:      &falseVal,
@@ -344,7 +344,7 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
 							UpToDateBeforeMerge:  &falseVal,
 							Contexts:             nil,
 						},
-						RequiredPullRequestReviews: clients.PullRequestReviewRule{
+						PullRequestRule: clients.PullRequestRule{
 							Required:                     &trueVal,
 							DismissStaleReviews:          &falseVal,
 							RequireCodeOwnerReviews:      &falseVal,

checks/dependency_update_tool_test.go

@@ -42,7 +42,7 @@ func TestDependencyUpdateTool(t *testing.T) {
 		wantErr           bool
 	}{
 		{
-			name:    "dependency yml",
+			name:    "dependabot config detected",
 			wantErr: false,
 			files: []string{
 				".github/dependabot.yml",
@@ -55,7 +55,7 @@ func TestDependencyUpdateTool(t *testing.T) {
 			},
 		},
 		{
-			name:    "dependency yaml ",
+			name:    "dependabot alternate yaml extension detected",
 			wantErr: false,
 			files: []string{
 				".github/dependabot.yaml",
@@ -68,66 +68,84 @@ func TestDependencyUpdateTool(t *testing.T) {
 			},
 		},
 		{
-			name:    "foo bar",
+			name:    "renovatebot config detected",
 			wantErr: false,
 			files: []string{
-				".github/foobar.yml",
+				"renovate.json",
 			},
-			SearchCommits:     []clients.Commit{{Committer: clients.User{ID: 111111111}}},
-			CallSearchCommits: 1,
+			CallSearchCommits: 0,
 			expected: scut.TestReturn{
-				NumberOfWarn: 3,
+				NumberOfInfo: 1,
+				NumberOfWarn: 0,
+				Score:        10,
 			},
 		},
 		{
-			name:    "foo bar 2",
+			name:    "alternate renovatebot config detected",
 			wantErr: false,
 			files: []string{
-				".github/foobar.yml",
+				".github/renovate.json5",
 			},
-			SearchCommits:     []clients.Commit{},
-			CallSearchCommits: 1,
+			CallSearchCommits: 0,
 			expected: scut.TestReturn{
-				NumberOfWarn: 3,
+				NumberOfInfo: 1,
+				NumberOfWarn: 0,
+				Score:        10,
 			},
 		},
-
 		{
-			name:    "found in commits",
+			name:    "pyup config detected",
 			wantErr: false,
 			files: []string{
-				".github/foobar.yaml",
+				".pyup.yml",
 			},
-			SearchCommits:     []clients.Commit{{Committer: clients.User{ID: dependabotID}}},
-			CallSearchCommits: 1,
+			CallSearchCommits: 0,
 			expected: scut.TestReturn{
 				NumberOfInfo: 1,
 				NumberOfWarn: 0,
 				Score:        10,
 			},
 		},
 		{
-			name:    "found in commits 2",
+			name:              "random committer ID not detected as dependecy tool bot",
+			wantErr:           false,
+			files:             []string{},
+			SearchCommits:     []clients.Commit{{Committer: clients.User{ID: 111111111}}},
+			CallSearchCommits: 1,
+			expected: scut.TestReturn{
+				NumberOfWarn: 1,
+			},
+		},
+		{
+			name:    "random yaml file not detected as update tool config",
 			wantErr: false,
-			files:   []string{},
-			SearchCommits: []clients.Commit{
-				{Committer: clients.User{ID: 111111111}},
-				{Committer: clients.User{ID: dependabotID}},
+			files: []string{
+				".github/foobar.yml",
 			},
+			SearchCommits:     []clients.Commit{},
+			CallSearchCommits: 1,
+			expected: scut.TestReturn{
+				NumberOfWarn: 1,
+			},
+		},
+		{
+			name:    "dependabot found in recent commits",
+			wantErr: false,
+			files: []string{
+				".github/foobar.yaml",
+			},
+			SearchCommits:     []clients.Commit{{Committer: clients.User{ID: dependabotID}}},
 			CallSearchCommits: 1,
 			expected: scut.TestReturn{
 				NumberOfInfo: 1,
 				NumberOfWarn: 0,
 				Score:        10,
 			},
 		},
-
 		{
-			name:    "many commits",
+			name:    "dependabot bot found in recent commits 2",
 			wantErr: false,
-			files: []string{
-				".github/foobar.yml",
-			},
+			files:   []string{},
 			SearchCommits: []clients.Commit{
 				{Committer: clients.User{ID: 111111111}},
 				{Committer: clients.User{ID: dependabotID}},

checks/evaluation/dependency_update_tool.go

@@ -18,9 +18,7 @@ import (
 	"github.com/ossf/scorecard/v4/checker"
 	sce "github.com/ossf/scorecard/v4/errors"
 	"github.com/ossf/scorecard/v4/finding"
-	"github.com/ossf/scorecard/v4/probes/toolDependabotInstalled"
-	"github.com/ossf/scorecard/v4/probes/toolPyUpInstalled"
-	"github.com/ossf/scorecard/v4/probes/toolRenovateInstalled"
+	"github.com/ossf/scorecard/v4/probes/dependencyUpdateToolConfigured"
 )
 
 // DependencyUpdateTool applies the score policy and logs the details
@@ -29,9 +27,7 @@ func DependencyUpdateTool(name string,
 	findings []finding.Finding, dl checker.DetailLogger,
 ) checker.CheckResult {
 	expectedProbes := []string{
-		toolDependabotInstalled.Probe,
-		toolPyUpInstalled.Probe,
-		toolRenovateInstalled.Probe,
+		dependencyUpdateToolConfigured.Probe,
 	}
 	if !finding.UniqueProbesEqual(findings, expectedProbes) {
 		e := sce.WithMessage(sce.ErrScorecardInternal, "invalid probe results")