Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

✨ New probes: code-review #3302

Merged
merged 140 commits into from
Jan 26, 2024
Merged
Show file tree
Hide file tree
Changes from 101 commits
Commits
Show all changes
140 commits
Select commit Hold shift + click to select a range
f0797d0
:seedling: Bump github.com/goreleaser/goreleaser in /tools (#3238)
dependabot[bot] Jul 1, 2023
3849d68
begin implementing probe: minTwoCodeReviewers
andrelmbackman Jul 4, 2023
1faa277
print raw results
andrelmbackman Jul 4, 2023
6364f45
print raw results
andrelmbackman Jul 5, 2023
4bd6385
print raw results
andrelmbackman Jul 5, 2023
141f506
rename probe directory: minimumCodeReviewers
andrelmbackman Jul 6, 2023
2f5838e
rename probe CodeReviewers
andrelmbackman Jul 7, 2023
28aa0dd
rename import for CodeReviewers probe
andrelmbackman Jul 7, 2023
618da95
update code reviewers definition
andrelmbackman Jul 10, 2023
8041581
update code reviewers implementation; fixed embed FS usage
andrelmbackman Jul 10, 2023
e1f4224
printing all findings, work out where to concatenate them
andrelmbackman Jul 10, 2023
de2ae3d
concatenated findings to one single finding, outcome is based on the …
andrelmbackman Jul 10, 2023
4d3cafd
refactored uniqueCodeReviewers probe, needs more error checks
andrelmbackman Jul 12, 2023
f5bd4dd
add error handling for cases of non-existant author and/or reviewer l…
andrelmbackman Jul 13, 2023
5199945
add error handling for cases of non-existant author and/or reviewer l…
andrelmbackman Jul 13, 2023
801486c
rename probe
andrelmbackman Jul 18, 2023
a722686
update codeReviewTwoReviewers definition
andrelmbackman Jul 18, 2023
58951c5
rename unique code reviewers probe
andrelmbackman Jul 18, 2023
aba6bde
implement codeApproved probe, validation of reviews needs fixing
andrelmbackman Jul 18, 2023
35cc1d6
update codeApproved probe, validation of reviews needs fixing
andrelmbackman Jul 18, 2023
82ed957
working version of codeApproved probe
andrelmbackman Jul 19, 2023
55a1b79
codeReviewed probe implemented
andrelmbackman Jul 19, 2023
2e97583
clean up comments, add imports, run all probes
andrelmbackman Jul 24, 2023
40eb06e
update license comments
Jul 25, 2023
f2aa772
Merge branch 'main' into probes/code-review
andrelmbackman Jul 25, 2023
24933f3
Update def.yml license
andrelmbackman Jul 26, 2023
87d95d3
Update def.yml license
andrelmbackman Jul 26, 2023
06b0e03
Update def.yml license
andrelmbackman Jul 26, 2023
afec9db
Update impl.go license
andrelmbackman Jul 26, 2023
570533d
Update impl.go license to Apache 2
andrelmbackman Jul 26, 2023
a1bd39d
Update impl.go license to Apache 2
andrelmbackman Jul 26, 2023
e761489
Update code_review.go license
andrelmbackman Jul 26, 2023
39b8548
Update entries.go; CodeReviewChecks now called CodeReview
andrelmbackman Jul 26, 2023
613f48d
Update impl.go, refactor codeReviewTwoReviewers; moved utility functi…
andrelmbackman Jul 26, 2023
c0cb1a7
Delete code_review.go utilities
andrelmbackman Jul 26, 2023
aaa93c4
rename probe
andrelmbackman Jul 18, 2023
155c59c
update codeReviewTwoReviewers definition
andrelmbackman Jul 18, 2023
4222294
implement codeApproved probe, validation of reviews needs fixing
andrelmbackman Jul 18, 2023
1be6058
update codeApproved probe, validation of reviews needs fixing
andrelmbackman Jul 18, 2023
1e1b7c9
working version of codeApproved probe
andrelmbackman Jul 19, 2023
9253871
codeReviewed probe implemented
andrelmbackman Jul 19, 2023
36e41ff
clean up comments, add imports, run all probes
andrelmbackman Jul 24, 2023
f51f189
update license comments
Jul 25, 2023
bf17b43
update license comments
Jul 25, 2023
1a3929f
:seedling: Included unit tests (#3242)
naveensrinivasan Jul 5, 2023
d67eb4a
:seedling: Bump golang.org/x/text from 0.10.0 to 0.11.0 (#3243)
dependabot[bot] Jul 6, 2023
e8c2d85
:seedling: Bump golang.org/x/oauth2 from 0.9.0 to 0.10.0 (#3244)
dependabot[bot] Jul 7, 2023
6fc7a1c
:book: Update Branch-Protection admin and non-admin requirements (#2772)
gabibguti Jul 7, 2023
65fe692
:seedling: Linter workflow cleanup (#3247)
spencerschrock Jul 7, 2023
3916141
:seedling: Bump tj-actions/changed-files from 37.0.5 to 37.1.0 (#3253)
dependabot[bot] Jul 10, 2023
5567b9c
:seedling: Bump github.com/goreleaser/goreleaser in /tools (#3252)
dependabot[bot] Jul 10, 2023
4ca2cac
:seedling: Bump golang.org/x/tools from 0.10.0 to 0.11.0
dependabot[bot] Jul 10, 2023
7f556b5
:seedling: Improve rate limit handling in roundtripper (#3237)
naveensrinivasan Jul 10, 2023
f4256e4
:seedling: Bump tj-actions/changed-files from 37.1.0 to 37.1.1 (#3259)
dependabot[bot] Jul 11, 2023
33f4fb3
:seedling: Bump github.com/bradleyfalzon/ghinstallation/v2 (#3260)
dependabot[bot] Jul 12, 2023
4b16bf9
🌱Add urls for opentelemetry, micrometer and new relic to weekly cron …
ajmalab Jul 12, 2023
3fb0fb9
🐛 Add npm installs to Pinned-Dependencies score (#2960)
gabibguti Jul 12, 2023
b3383af
:seedling: Bump github.com/moby/buildkit from 0.11.6 to 0.12.0 (#3264)
dependabot[bot] Jul 13, 2023
aacf508
Ack linter warning and add tracking issue. (#3263)
spencerschrock Jul 13, 2023
afab330
🐛 Forgive job-level permissions (#3162)
pnacht Jul 14, 2023
f21d4a9
:bug: Fix typo (#3267)
eustas Jul 14, 2023
7b54c57
📖 Suggest new score viewer on badge documentation (#3268)
diogoteles08 Jul 16, 2023
498410a
:seedling: Bump tj-actions/changed-files from 37.1.1 to 37.1.2 (#3266)
dependabot[bot] Jul 16, 2023
a09e57d
:seedling: Update the cover profile for e2e (#3271)
naveensrinivasan Jul 17, 2023
5c9bdde
:seedling: Improve e2e workflow tests (#3273)
naveensrinivasan Jul 17, 2023
bc290f0
:seedling: Excluded dependabot from codecov (#3272)
naveensrinivasan Jul 17, 2023
4f2eaea
:seedling: Increase test coverage for searching commits (#3276)
naveensrinivasan Jul 18, 2023
9740339
:bug: Fix Branch-Protection scoring (#3251)
gabibguti Jul 18, 2023
4d8e1e4
:sparkles: scdiff: generate cmd skeleton (#3275)
spencerschrock Jul 18, 2023
b0c125c
:seedling: Delete unused project-update functionality. (#3269)
spencerschrock Jul 18, 2023
4662f01
:seedling: Bump tj-actions/changed-files from 37.1.2 to 37.3.0 (#3280)
dependabot[bot] Jul 19, 2023
6c6b8ac
:seedling: Bump github.com/google/osv-scanner from 1.3.5 to 1.3.6 (#3…
dependabot[bot] Jul 19, 2023
9c9bf4a
:seedling: Bump gocloud.dev from 0.30.0 to 0.32.0 (#3284)
dependabot[bot] Jul 20, 2023
8a4b5f8
:seedling: Include attestor Dockerfile in CI and dependabot updates (…
spencerschrock Jul 20, 2023
428a85e
:seedling: Bump tj-actions/changed-files from 37.3.0 to 37.4.0
dependabot[bot] Jul 20, 2023
7b7f526
:seedling: Bump google-appengine/debian11 in /attestor
dependabot[bot] Jul 20, 2023
b469dc6
:seedling: Bump github.com/xanzy/go-gitlab from 0.86.0 to 0.88.0
dependabot[bot] Jul 20, 2023
000756b
:seedling: Use a matrix for docker image building (#3290)
spencerschrock Jul 21, 2023
9a01eaa
:seedling: Improve e2e workflow tests (#3282)
naveensrinivasan Jul 21, 2023
12b1ab2
:seedling: Use a matrix for when building binaries in main.yml (#3291)
spencerschrock Jul 21, 2023
8a2606c
:seedling: Fix hanging docker jobs for doc only changes. (#3292)
spencerschrock Jul 21, 2023
4c6eb93
📖 Add contributor ladder (#3246)
pnacht Jul 21, 2023
d4f7a7e
:seedling: Consolidate GitLab e2e workflows. (#3278)
spencerschrock Jul 21, 2023
fe46425
:seedling: Add separate cache for long-running tests (#3293)
spencerschrock Jul 21, 2023
3d945aa
:seedling: Bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.0 (#3297)
dependabot[bot] Jul 24, 2023
e36c0cf
:seedling: Bump github.com/onsi/gomega from 1.27.8 to 1.27.9 (#3298)
dependabot[bot] Jul 24, 2023
bcecbe0
:seedling: Improve search commit e2e tests (#3295)
naveensrinivasan Jul 24, 2023
16ff86e
📖 update docs for webhooks documentation (#3299)
leec94 Jul 24, 2023
b78351e
:seedling: Unit tests OSSFuzz client (#3301)
naveensrinivasan Jul 24, 2023
4df887c
:seedling: Ensure check markdown is kept in sync with source yaml. (#…
spencerschrock Jul 24, 2023
ecdac60
Update def.yml license
andrelmbackman Jul 26, 2023
3c748e2
Update def.yml license
andrelmbackman Jul 26, 2023
6816000
Update def.yml license
andrelmbackman Jul 26, 2023
3ceec71
Update code_review.go license
andrelmbackman Jul 26, 2023
6690d74
Update entries.go; CodeReviewChecks now called CodeReview
andrelmbackman Jul 26, 2023
b5db158
refactor codeReviewTwoReviewers; moved utility functions into impl.go
Jul 26, 2023
8ee476b
Update impl.go, refactor codeReviewTwoReviewers; moved utility functi…
andrelmbackman Jul 26, 2023
b9df495
resolved conflicts
Jul 26, 2023
30489fc
Merge branch 'main' into probes/code-review
andrelmbackman Jul 26, 2023
36bfc66
Merge branch 'probes/code-review' of https://github.com/nokia/scoreca…
Jul 26, 2023
63f7aae
Update go.mod, aligned imports
andrelmbackman Jul 26, 2023
79fe5f0
update license comments
Aug 1, 2023
7533c8c
update license comments
Aug 1, 2023
bbb281c
change EOL = CRLF to LF
Aug 1, 2023
685bd9e
add error handling in case of no changesets
Aug 1, 2023
c640b8d
completed tests for code-review probes
Aug 1, 2023
da497f2
update codeReview probes and utils
Aug 1, 2023
1bda8a1
fixed some lint errors, check for more
Aug 1, 2023
e7172e3
fixed lint issues
Aug 2, 2023
ba6b5ee
fix lint errors
Aug 2, 2023
9ec38ca
add test for multiple reviews with only one unique reviewer
Aug 2, 2023
f561ea2
simplify func uniqueReviewers, use map[string]bool
Aug 2, 2023
1e944dd
fix linting error
Aug 2, 2023
b2f8394
moved probe tests to their own function
Aug 3, 2023
1aa08fe
fix comment syntax
Aug 3, 2023
64cbe05
gci-ed files to fix linter errors
Aug 3, 2023
57adecf
implement change to skip bot-authored changesets that are reviewed/ap…
Aug 3, 2023
46a889a
rewrite finding message
Aug 3, 2023
b23daa1
fix output message; do not count the number of approved bot-authored …
Aug 3, 2023
51a9ac8
fix typos
Aug 3, 2023
e0693be
Merge branch 'main' into probes/code-review
andrelmbackman Aug 4, 2023
9945678
moved probe tests to their corresponding location
andrelmbackman Aug 18, 2023
202c0df
removed redundant probe codeReviewed
andrelmbackman Aug 18, 2023
6f4a3c3
Merge branch 'main' into probes/code-review
andrelmbackman Aug 18, 2023
4a140d5
Merge branch 'main' into probes/code-review
jitsengupta17 Oct 30, 2023
fb2abcc
Merge branch 'main' into probes/code-review
jitsengupta17 Nov 2, 2023
a8d754b
Merge branch 'main' into probes/code-review
jitsengupta17 Nov 10, 2023
2f0358d
Merge branch 'main' into probes/code-review
jitsengupta17 Nov 16, 2023
5d0205a
Merge branch 'main' into probes/code-review
jitsengupta17 Nov 20, 2023
10be378
Update probes/codeApproved/def.yml
jitsengupta17 Nov 20, 2023
7f6c657
Update probes/codeApproved/def.yml
jitsengupta17 Nov 20, 2023
a1a7bd5
Update probes/codeApproved/def.yml
jitsengupta17 Nov 20, 2023
094d54a
Update probes/codeApproved/def.yml
jitsengupta17 Nov 20, 2023
0ca2ee1
Update probes/codeApproved/def.yml
jitsengupta17 Nov 29, 2023
92d1df4
Update probes/codeReviewOneReviewers/def.yml
jitsengupta17 Nov 29, 2023
45be498
Merge branch 'main' into probes/code-review
jitsengupta17 Nov 29, 2023
6ecc06b
Merge branch 'main' into probes/code-review
gowriNSN Nov 30, 2023
4c486eb
Merge branch 'main' into probes/code-review
jitsengupta17 Dec 20, 2023
5ffd59c
Lint
raghavkaul Jan 26, 2024
722892c
Merge branch 'main' into probes/code-review
raghavkaul Jan 26, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions probes/codeApproved/def.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# © 2023 Nokia
# Licensed under the Apache License 2.0
# SPDX-License-Identifier: Apache-2.0
andrelmbackman marked this conversation as resolved.
Show resolved Hide resolved


id: codeApproved
short: Check that all recent changesets have been approved by someone who is not the author of the changeset.
motivation: >
To ensure that the review process works, the proposed changes
should have a minimum number of approvals.
implementation: >
The implementation looks for the reviews of a changeset and that their state is "APPROVED"
outcome:
- If all changesets were approved, the probe returns OutcomePositive (1)
- If a changeset was not approved, the prove returns OutcomeNegative (0)
remediation:
effort: Low
text:
- Follow the instructions https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/approving-a-pull-request-with-required-reviews.
markdown:
- Follow the instructions https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/approving-a-pull-request-with-required-reviews.
61 changes: 61 additions & 0 deletions probes/codeApproved/impl.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
// © 2023 Nokia
// Licensed under the Apache License 2.0
// SPDX-License-Identifier: Apache-2.0

package codeApproved

import (
"embed"
"fmt"

"github.com/ossf/scorecard/v4/checker"
"github.com/ossf/scorecard/v4/finding"
)

//go:embed *.yml
var fs embed.FS

const probe = "codeApproved"

func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
rawReviewData := &raw.CodeReviewResults
return approvedRun(rawReviewData, fs, probe, finding.OutcomePositive, finding.OutcomeNegative)
}

/*
** Looks through the data and validates that each changeset has been approved at least once.
*/

func approvedRun(reviewData *checker.CodeReviewData, fs embed.FS, probeID string,
positiveOutcome, negativeOutcome finding.Outcome,
) ([]finding.Finding, string, error) {
var findings []finding.Finding
andrelmbackman marked this conversation as resolved.
Show resolved Hide resolved
var approvedReviews = 0
changesets := reviewData.DefaultBranchChangesets
var numChangesets = len(changesets)
for x := range changesets {
data := &changesets[x]
for y := range data.Reviews {
if data.Reviews[y].State == "APPROVED" && data.Reviews[y].Author.Login != data.Author.Login {
approvedReviews += 1
break
}
}
}
if approvedReviews >= numChangesets {
f, err := finding.NewWith(fs, probeID, fmt.Sprintf("All changesets approved (%v out of %v).", approvedReviews, numChangesets),
nil, positiveOutcome)
if err != nil {
return nil, probeID, fmt.Errorf("create finding: %w", err)
}
findings = append(findings, *f)
} else {
f, err := finding.NewWith(fs, probeID, fmt.Sprintf("Not all changesets approved. Found %v approvals among %v changesets.", approvedReviews, numChangesets),
nil, negativeOutcome)
if err != nil {
return nil, probeID, fmt.Errorf("create finding: %w", err)
}
findings = append(findings, *f)
}
return findings, probeID, nil
}
21 changes: 21 additions & 0 deletions probes/codeReviewTwoReviewers/def.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# © 2023 Nokia
# Licensed under the Apache License 2.0
# SPDX-License-Identifier: Apache-2.0

id: codeReviewTwoReviewers
short: Check that at least two reviewers review a change before merging.
motivation: >
To ensure that the review process works, the proposed changes
should have a minimum number of approvals.
implementation: >
The implementation looks for the number of reviewers for the last few changesets.
Only unique reviewer logins that aren't the same as the changeset author are counted.
outcome:
- If all the changes had at least two reviewers, the probe returns OutcomePositive (1)
- If the changes had fewer than two reviewers, the prove returns OutcomeNegative (0)
remediation:
effort: Low
text:
- Follow the instructions https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/approving-a-pull-request-with-required-reviews.
markdown:
- Follow the instructions https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/approving-a-pull-request-with-required-reviews.
110 changes: 110 additions & 0 deletions probes/codeReviewTwoReviewers/impl.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
// © 2023 Nokia
// Licensed under the Apache License 2.0
// SPDX-License-Identifier: Apache-2.0

package codeReviewTwoReviewers

import (
"embed"
"fmt"
"github.com/ossf/scorecard/v4/checker"
"github.com/ossf/scorecard/v4/finding"
)

//go:embed *.yml
var fs embed.FS

const probe = "codeReviewTwoReviewers"
const minimumReviewers = 2
const noReviewerFound = -1
raghavkaul marked this conversation as resolved.
Show resolved Hide resolved

func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
rawReviewData := &raw.CodeReviewResults
return codeReviewRun(rawReviewData, fs, probe, finding.OutcomePositive, finding.OutcomeNegative)
}

/*
** Looks through the data and validates author and reviewers of a changeset
** Scorecard currently only supports GitHub revisions and generates a positive
** score in the case of other platforms. This probe is created to ensure that
** there are a number of unique reviewers for each changeset.
*/

func codeReviewRun(reviewData *checker.CodeReviewData, fs embed.FS, probeID string,
positiveOutcome, negativeOutcome finding.Outcome,
) ([]finding.Finding, string, error) {
var findings []finding.Finding
leastFoundReviewers := 0
changesets := reviewData.DefaultBranchChangesets
for i := range changesets {
data := &changesets[i]
if data.Author.Login == "" {
return authorNotFound(findings, probeID, fs)
}
reviewersList := make([]string, len(data.Reviews))
for i := range data.Reviews {
reviewersList[i] = data.Reviews[i].Author.Login
}
numReviewers := uniqueReviewers(data.Author.Login, reviewersList)
if numReviewers == noReviewerFound {
return reviewerNotFound(findings, probeID, fs)
} else if i == 0 || numReviewers < leastFoundReviewers {
leastFoundReviewers = numReviewers
}
}
if leastFoundReviewers >= minimumReviewers {
f, err := finding.NewWith(fs, probeID, fmt.Sprintf("%v unique reviewers found for at least one changeset, %v wanted.", leastFoundReviewers, minimumReviewers),
nil, positiveOutcome)
if err != nil {
return nil, probeID, fmt.Errorf("create finding: %w", err)
}
findings = append(findings, *f)
} else {
f, err := finding.NewWith(fs, probeID, fmt.Sprintf("%v unique reviewer(s) found for at least one changeset, %v wanted.", leastFoundReviewers, minimumReviewers),
nil, negativeOutcome)
if err != nil {
return nil, probeID, fmt.Errorf("create finding: %w", err)
}
findings = append(findings, *f)
}
return findings, probeID, nil
}

func uniqueReviewers(authorLogin string, reviewers []string) int {
raghavkaul marked this conversation as resolved.
Show resolved Hide resolved
uniqueReviewers := 0
for i := range reviewers {
duplicateCount := 0
if (reviewers[i] == "") {
andrelmbackman marked this conversation as resolved.
Show resolved Hide resolved
return -1
}
for j := range reviewers {
if reviewers[j] == reviewers[i] && j > i {
duplicateCount++
}
}
if reviewers[i] != authorLogin && duplicateCount == 0 {
uniqueReviewers++
}
}
return uniqueReviewers
}

func authorNotFound(findings []finding.Finding, probeID string,
raghavkaul marked this conversation as resolved.
Show resolved Hide resolved
fs embed.FS) ([]finding.Finding, string, error) {
f, err := finding.NewNotAvailable(fs, probeID, fmt.Sprintf("Could not retrieve the author of a changeset."), nil)
if err != nil {
return nil, probeID, fmt.Errorf("create finding: %w", err)
}
findings = append(findings, *f)
return findings, probeID, nil
}

func reviewerNotFound(findings []finding.Finding, probeID string,
fs embed.FS) ([]finding.Finding, string, error) {
f, err := finding.NewNegative(fs, probeID, fmt.Sprintf("Could not retrieve reviewers of a changeset."), nil)
if err != nil {
return nil, probeID, fmt.Errorf("create finding: %w", err)
}
findings = append(findings, *f)
return findings, probeID, nil
}
20 changes: 20 additions & 0 deletions probes/codeReviewed/def.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
# © 2023 Nokia
# Licensed under the Apache License 2.0
# SPDX-License-Identifier: Apache-2.0

id: codeReviewed
short: Check that there is some review activity for each changeset.
motivation: >
To ensure that the review process works, the proposed changes
should have a minimum number of reviews.
implementation: >
The implementation looks for the reviews of a changeset.
outcome:
- If all changesets have review activity, the probe returns OutcomePositive (1)
- If a changeset has no review activity, the prove returns OutcomeNegative (0)
remediation:
effort: Low
text:
- Follow the instructions https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/approving-a-pull-request-with-required-reviews.
markdown:
- Follow the instructions https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/approving-a-pull-request-with-required-reviews.
58 changes: 58 additions & 0 deletions probes/codeReviewed/impl.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
// © 2023 Nokia
// Licensed under the Apache License 2.0
// SPDX-License-Identifier: Apache-2.0

package codeReviewed

import (
"embed"
"fmt"

"github.com/ossf/scorecard/v4/checker"
"github.com/ossf/scorecard/v4/finding"
)

//go:embed *.yml
var fs embed.FS

const probe = "codeReviewed"

func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
rawReviewData := &raw.CodeReviewResults
return reviewedRun(rawReviewData, fs, probe, finding.OutcomePositive, finding.OutcomeNegative)
}

/*
** Looks through the data and validates that each changeset has been approved at least once.
*/

func reviewedRun(reviewData *checker.CodeReviewData, fs embed.FS, probeID string,
positiveOutcome, negativeOutcome finding.Outcome,
) ([]finding.Finding, string, error) {
var findings []finding.Finding
var numReviews = 0
changesets := reviewData.DefaultBranchChangesets
var numChangesets = len(changesets)
for x := range changesets {
data := &changesets[x]
if len(data.Reviews) > 0 {
numReviews += 1
raghavkaul marked this conversation as resolved.
Show resolved Hide resolved
}
}
if numReviews >= numChangesets {
f, err := finding.NewWith(fs, probeID, fmt.Sprintf("All changesets have review activity (%v out of %v).", numReviews, numChangesets),
nil, positiveOutcome)
if err != nil {
return nil, probeID, fmt.Errorf("create finding: %w", err)
}
findings = append(findings, *f)
} else {
f, err := finding.NewWith(fs, probeID, fmt.Sprintf("Not all changesets have review activity. Found %v reviews among %v changesets.", numReviews, numChangesets),
nil, negativeOutcome)
if err != nil {
return nil, probeID, fmt.Errorf("create finding: %w", err)
}
findings = append(findings, *f)
}
return findings, probeID, nil
}
11 changes: 10 additions & 1 deletion probes/entries.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,9 @@ package probes
import (
"github.com/ossf/scorecard/v4/checker"
"github.com/ossf/scorecard/v4/finding"
"github.com/ossf/scorecard/v4/probes/codeApproved"
"github.com/ossf/scorecard/v4/probes/codeReviewed"
"github.com/ossf/scorecard/v4/probes/codeReviewTwoReviewers"
"github.com/ossf/scorecard/v4/probes/toolDependabotInstalled"
"github.com/ossf/scorecard/v4/probes/toolPyUpInstalled"
"github.com/ossf/scorecard/v4/probes/toolRenovateInstalled"
Expand All @@ -30,19 +33,25 @@ var (
// All represents all the probes.
All []ProbeImpl
// DependencyToolUpdates is all the probes for the
// DpendencyUpdateTool check.
// DependencyUpdateTool check.
DependencyToolUpdates = []ProbeImpl{
toolRenovateInstalled.Run,
toolDependabotInstalled.Run,
toolPyUpInstalled.Run,
toolSonatypeLiftInstalled.Run,
}
CodeReview = []ProbeImpl {
codeApproved.Run,
codeReviewed.Run,
codeReviewTwoReviewers.Run,
}
)

//nolint:gochecknoinits
func init() {
All = concatMultipleProbes([][]ProbeImpl{
DependencyToolUpdates,
CodeReview,
})
}

Expand Down