
Commit c1df902

authored
🐛 Add npm installs to Pinned-Dependencies score (#2960)
* feat: Add npm install to pinned dependencies score Signed-off-by: Gabriela Gutierrez <[email protected]> * test: Fix pinned dependencies evaluation tests Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, for "various wanrings" test, the total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3. Signed-off-by: Gabriela Gutierrez <[email protected]> * test: Fix pinned dependencies e2e tests Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. The repo being tested, ossf-tests/scorecard-check-pinned-dependencies-e2e, has third-party GitHub actions pinned, no npm installs, and all other dependencies types are unpinned. This gives us 8 for actionScore, 10 for npmScore and 0 for all other scores. Previously the total score was 8/5~=1, and now the total score is 18/6=3. Also, since there are no npm installs, there's one more Info log for "npm installs are pinned". Signed-off-by: Gabriela Gutierrez <[email protected]> * test: Fix typo Signed-off-by: Gabriela Gutierrez <[email protected]> * test: Unpinned npm install score When having one unpinned npm install and all other dependencies pinned, the score should be 50/6~=8. Also, it should raise 1 warning for the unpinned npm install, 6 infos saying the other dependency types are pinned (2 for GHAs, 2 for dockerfile image and downloads, 1 for script downloads and 1 for pip installs), and 0 debug logs since the npm install dependency does not have an error message. Signed-off-by: Gabriela Gutierrez <[email protected]> * test: Undefined npm install score When an error happens to parse a npm install dependency, the error/debug message is saved in "Msg" field. 
In this case, we were not able to define if the npm install is pinned or not. This dependency is classified as pinned undefined. We treat such cases as pinned cases, so it logs as Info that npm installs are all pinned and counts the score as 10. Then, the final score makes it to 10 as well. Since it logs the error/debug message, the Debug log goes to 1. Signed-off-by: Gabriela Gutierrez <[email protected]> * test: Fix typo Signed-off-by: Gabriela Gutierrez <[email protected]> * test: Fix "validate various warnings and info" test Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, this test total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3. Signed-off-by: Gabriela Gutierrez <[email protected]> * fix: npm dependencies pinned log Signed-off-by: Gabriela Gutierrez <[email protected]> * test: Remove test of error when parsing an npm dependency Signed-off-by: Gabriela Gutierrez <[email protected]> --------- Signed-off-by: Gabriela Gutierrez <[email protected]>
1 parent 380da96 commit c1df902

3 files changed

Lines changed: 50 additions & 18 deletions


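--- a/checks/evaluation/pinned_dependencies.go
+++ b/checks/evaluation/pinned_dependencies.go
@@ -127,15 +127,22 @@ func PinningDependencies(name string, c *checker.CheckRequest,
 return checker.CreateRuntimeErrorResult(name, err)
 }
 
+// Npm installs.
+npmScore, err := createReturnForIsNpmInstallPinned(pr, dl)
+if err != nil {
+return checker.CreateRuntimeErrorResult(name, err)
+}
+
 // Scores may be inconclusive.
 actionScore = maxScore(0, actionScore)
 dockerFromScore = maxScore(0, dockerFromScore)
 dockerDownloadScore = maxScore(0, dockerDownloadScore)
 scriptScore = maxScore(0, scriptScore)
 pipScore = maxScore(0, pipScore)
+npmScore = maxScore(0, npmScore)
 
 score := checker.AggregateScores(actionScore, dockerFromScore,
-dockerDownloadScore, scriptScore, pipScore)
+dockerDownloadScore, scriptScore, pipScore, npmScore)
 
 if score == checker.MaxResultScore {
 return checker.CreateMaxScoreResult(name, "all dependencies are pinned")
@@ -260,6 +267,15 @@ func createReturnForIsPipInstallPinned(pr map[checker.DependencyUseType]pinnedRe
 dl)
 }
 
+// Create the result for npm install commands.
+func createReturnForIsNpmInstallPinned(pr map[checker.DependencyUseType]pinnedResult,
+dl checker.DetailLogger,
+) (int, error) {
+return createReturnValues(pr, checker.DependencyUseTypeNpmCommand,
+"npm installs are pinned",
+dl)
+}
+
 func createReturnValues(pr map[checker.DependencyUseType]pinnedResult,
 t checker.DependencyUseType, infoMsg string,
 dl checker.DetailLogger,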
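Review bot: The doc comment on the new createReturnForIsNpmInstallPinned does not say how an npm install whose pinning could not be determined is scored, and per the commit description such entries (parse error recorded in Msg) are counted as pinned and score 10, so a parse failure can never lower the result; that fail-open default is decided inside createReturnValues, whose body lies outside this hunk, and a reader of the new function cannot see it. I would replace the comment with one in Go doc form that states it, e.g. `// createReturnForIsNpmInstallPinned scores npm install commands; entries whose pinning could not be determined are treated as pinned, so a parse failure does not reduce the score.` The same applies to the `// Npm installs.` block in the first hunk, where a one-line note that npmScore now joins the five existing categories in AggregateScores would make the changed denominator explicit. Both enclosing functions extend beyond the hunks shown.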

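--- a/checks/evaluation/pinned_dependencies_test.go
+++ b/checks/evaluation/pinned_dependencies_test.go
@@ -111,7 +111,7 @@ func Test_PinningDependencies(t *testing.T) {
 Error: nil,
 Score: checker.MaxResultScore,
 NumberOfWarn: 0,
-NumberOfInfo: 6,
+NumberOfInfo: 7,
 NumberOfDebug: 1,
 },
 },
@@ -132,12 +132,12 @@ func Test_PinningDependencies(t *testing.T) {
 Error: nil,
 Score: 6,
 NumberOfWarn: 1,
-NumberOfInfo: 4,
+NumberOfInfo: 5,
 NumberOfDebug: 1,
 },
 },
 {
-name: "various wanrings",
+name: "various warnings",
 dependencies: []checker.Dependency{
 {
 Location: &checker.File{},
@@ -158,9 +158,9 @@ func Test_PinningDependencies(t *testing.T) {
 },
 expected: scut.TestReturn{
 Error: nil,
-Score: 2,
+Score: 3,
 NumberOfWarn: 3,
-NumberOfInfo: 2,
+NumberOfInfo: 3,
 NumberOfDebug: 1,
 },
 },
@@ -176,7 +176,7 @@ func Test_PinningDependencies(t *testing.T) {
 Error: nil,
 Score: 8,
 NumberOfWarn: 1,
-NumberOfInfo: 5,
+NumberOfInfo: 6,
 NumberOfDebug: 0,
 },
 },
@@ -193,7 +193,7 @@ func Test_PinningDependencies(t *testing.T) {
 Error: nil,
 Score: 10,
 NumberOfWarn: 0,
-NumberOfInfo: 6,
+NumberOfInfo: 7,
 NumberOfDebug: 1,
 },
 },
@@ -203,12 +203,12 @@ func Test_PinningDependencies(t *testing.T) {
 Error: nil,
 Score: 10,
 NumberOfWarn: 0,
-NumberOfInfo: 6,
+NumberOfInfo: 7,
 NumberOfDebug: 0,
 },
 },
 {
-name: "Validate various wanrings and info",
+name: "Validate various warnings and info",
 dependencies: []checker.Dependency{
 {
 Location: &checker.File{},
@@ -229,12 +229,28 @@ func Test_PinningDependencies(t *testing.T) {
 },
 expected: scut.TestReturn{
 Error: nil,
-Score: 2,
+Score: 3,
 NumberOfWarn: 3,
-NumberOfInfo: 2,
+NumberOfInfo: 3,
 NumberOfDebug: 1,
 },
 },
+{
+name: "unpinned npm install",
+dependencies: []checker.Dependency{
+{
+Location: &checker.File{},
+Type: checker.DependencyUseTypeNpmCommand,
+},
+},
+expected: scut.TestReturn{
+Error: nil,
+Score: 8,
+NumberOfWarn: 1,
+NumberOfInfo: 6,
+NumberOfDebug: 0,
+},
+},
 }
 
 for _, tt := range tests {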
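Review bot: The added "unpinned npm install" case in the last hunk is the only npm-specific case, and it covers just a dependency with no pinning information; nothing in the table exercises an npm dependency whose parsing failed, which the commit description says is counted as pinned (score 10, one extra debug log) and which the description also says had its test removed. Because that is a fail-open path, a later change to it would pass this table unnoticed. I would add a sibling case with `Type: checker.DependencyUseTypeNpmCommand` plus the dependency's Msg field set to a constructed error string (field name taken from the description; confirm its type on checker.Dependency) expecting Score 10, NumberOfInfo 7 and NumberOfDebug 1, the values the description gives for that situation. The test function starts and ends outside the hunks shown.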

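--- a/e2e/pinned_dependencies_test.go
+++ b/e2e/pinned_dependencies_test.go
@@ -49,9 +49,9 @@ var _ = Describe("E2E TEST:"+checks.CheckPinnedDependencies, func() {
 }
 expected := scut.TestReturn{
 Error: nil,
-Score: 1,
+Score: 3,
 NumberOfWarn: 139,
-NumberOfInfo: 1,
+NumberOfInfo: 2,
 NumberOfDebug: 0,
 }
 result := checks.PinningDependencies(&req)
@@ -74,9 +74,9 @@ var _ = Describe("E2E TEST:"+checks.CheckPinnedDependencies, func() {
 }
 expected := scut.TestReturn{
 Error: nil,
-Score: 1,
+Score: 3,
 NumberOfWarn: 139,
-NumberOfInfo: 1,
+NumberOfInfo: 2,
 NumberOfDebug: 0,
 }
 result := checks.PinningDependencies(&req)
@@ -110,9 +110,9 @@ var _ = Describe("E2E TEST:"+checks.CheckPinnedDependencies, func() {
 }
 expected := scut.TestReturn{
 Error: nil,
-Score: 1,
+Score: 3,
 NumberOfWarn: 139,
-NumberOfInfo: 1,
+NumberOfInfo: 2,
 NumberOfDebug: 0,
 }
 result := checks.PinningDependencies(&req)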
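Review bot: The three `Score: 3,` lines assert a value derived from the state of an external test repository, and the derivation (8 for pinned actions, 10 for the absent npm installs, 0 for the other four categories, averaged over six) exists only in the commit message, so the next re-score will have to be reverse-engineered; a comment beside each, `// (8 actions + 10 npm + 0 for 4 others) / 6 categories`, would carry it into the file. The expected block is byte-identical in all three hunks, so one shared expected value would also avoid the triplication. The enclosing Describe body starts and ends outside the hunks shown.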
