From 2f63b5a08529a3872fde9695ba9f6b96482a2765 Mon Sep 17 00:00:00 2001
From: ManjunathMS35
Date: Wed, 17 Aug 2022 09:55:23 +0200
Subject: [PATCH] Use Snyk as data provider (#860)
Fixes #717
---
 .../AbstractDependencyScanDataProvider.java | 140 ++++++++++++++++++
 .../data/github/HasExecutableBinaries.java | 2 -
 .../data/github/PackageManagement.java | 2 +-
 .../fosstars/data/github/UsesDependabot.java | 127 ++--------------
 .../fosstars/data/github/UsesSnyk.java | 128 ++--------------
 .../model/feature/oss/OssFeatures.java | 15 +-
 .../model/score/oss/DependabotScore.java | 2 +-
 .../score/oss/SnykDependencyScanScore.java | 2 +-
 .../advice/oss/BanditAdvisorTest.java | 3 -
 .../fosstars/advice/oss/SnykAdvisorTest.java | 12 +-
 .../CodeOfConductGuidelineInfoTest.java | 2 -
 .../oss/SnykDependencyScanScoreTest.java | 3 +-
 .../score/oss/DependabotScoreTestVectors.yml | 4 +-
 .../oss/DependencyScanScoreTestVectors.yml | 4 +-
 .../SnykDependencyScanScoreTestVectors.yml | 4 +-
 ...veryAndSecurityTestingScoreTestVectors.yml | 7 +-
 src/test/shell/tool/github/lib.sh | 2 +
 17 files changed, 184 insertions(+), 275 deletions(-)
 create mode 100644 src/main/java/com/sap/oss/phosphor/fosstars/data/github/AbstractDependencyScanDataProvider.java
diff --git a/src/main/java/com/sap/oss/phosphor/fosstars/data/github/AbstractDependencyScanDataProvider.java b/src/main/java/com/sap/oss/phosphor/fosstars/data/github/AbstractDependencyScanDataProvider.java
new file mode 100644
index 000000000..19ec932e3
--- /dev/null
+++ b/src/main/java/com/sap/oss/phosphor/fosstars/data/github/AbstractDependencyScanDataProvider.java
@@ -0,0 +1,140 @@
+package com.sap.oss.phosphor.fosstars.data.github;
+
+import com.sap.oss.phosphor.fosstars.model.subject.oss.GitHubProject;
+import java.io.IOException;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Date;
+import java.util.Optional;
+import org.kohsuke.github.GHIssueState;
+import org.kohsuke.github.GHPullRequest;
+import org.kohsuke.github.GHUser;
+
+/**
+ * This is a base class for dependency checker data providers such as Dependabot and Snyk.
+ */
+public abstract class AbstractDependencyScanDataProvider extends GitHubCachingDataProvider {
+
+ /**
+ * Period of time to be checked.
+ */
+ private static final Duration ONE_YEAR = Duration.ofDays(365);
+
+ /**
+ * A minimal number of characters in a config for dependency checker.
+ */
+ private static final int ACCEPTABLE_CONFIG_SIZE = 10;
+
+ protected abstract String getDependencyCheckerPattern();
+
+ /**
+ * Initializes a data provider.
+ *
+ * @param fetcher An interface to GitHub.
+ */
+ public AbstractDependencyScanDataProvider(
+ GitHubDataFetcher fetcher) {
+ super(fetcher);
+ }
+
+ /**
+ * Checks if a repository contains commits from dependency checker in the commit history.
+ *
+ * @param repository The repository.
+ * @return True if at least one commit from dependency checker was found, false otherwise.
+ */
+ public boolean hasDependencyCheckerCommits(LocalRepository repository) {
+ Date date = Date.from(Instant.now().minus(ONE_YEAR));
+
+ try {
+ for (Commit commit : repository.commitsAfter(date)) {
+ if (isDependencyChecker(commit)) {
+ return true;
+ }
+ }
+ } catch (IOException e) {
+ logger.warn("Something went wrong!", e);
+ }
+
+ return false;
+ }
+
+ /**
+ * Checks if a repository has a configuration file for dependency checker.
+ *
+ * @param repository The repository
+ * @param configs The config files path as String array
+ * @return True if a config was found, false otherwise.
+ * @throws IOException If something went wrong.
+ */
+ public boolean hasDependencyCheckerConfig(LocalRepository repository, String[] configs)
+ throws IOException {
+ for (String config : configs) {
+ Optional content = repository.file(config);
+ if (content.isPresent() && content.get().length() >= ACCEPTABLE_CONFIG_SIZE) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ /**
+ * Checks whether a project has open pull requests from dependency checker.
+ *
+ * @param project The project.
+ * @return True if the project has open pull requests form dependency checker.
+ * @throws IOException If something went wrong.
+ */
+ public boolean hasOpenPullRequestFromDependencyChecker(GitHubProject project) throws IOException {
+ return fetcher.repositoryFor(project).getPullRequests(GHIssueState.OPEN).stream()
+ .anyMatch(this::createdByDependencyChecker);
+ }
+
+ /**
+ * Checks if a pull request was created by dependency checker.
+ *
+ * @param pullRequest The pull request.
+ * @return True if the user looks like dependency checker, false otherwise.
+ */
+ private boolean createdByDependencyChecker(GHPullRequest pullRequest) {
+ try {
+ GHUser user = pullRequest.getUser();
+ return isDependencyChecker(user.getName()) || isDependencyChecker(user.getLogin());
+ } catch (IOException e) {
+ logger.warn("Oops! Could not fetch name or login!", e);
+ return false;
+ }
+ }
+
+ /**
+ * Checks if a commit was done by dependency checker.
+ *
+ * @param commit The commit to be checked.
+ * @return True if the commit was done by dependency checker, false otherwise.
+ */
+ private boolean isDependencyChecker(Commit commit) {
+ if (isDependencyChecker(commit.authorName()) || isDependencyChecker(commit.committerName())) {
+ return true;
+ }
+
+ for (String line : commit.message()) {
+ if ((line.startsWith("Signed-off-by:") || line.startsWith("Co-authored-by:"))
+ && line.contains(getDependencyCheckerPattern())) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ /**
+ * Checks whether a name looks like dependency checker.
+ *
+ * @param name The name.
+ * @return True if the name looks like dependency checker, false otherwise.
+ */
+ private boolean isDependencyChecker(String name) {
+ return name != null && name.toLowerCase().contains(getDependencyCheckerPattern());
+ }
+}
diff --git a/src/main/java/com/sap/oss/phosphor/fosstars/data/github/HasExecutableBinaries.java b/src/main/java/com/sap/oss/phosphor/fosstars/data/github/HasExecutableBinaries.java
index 74861e003..ddc61abaf 100644
--- a/src/main/java/com/sap/oss/phosphor/fosstars/data/github/HasExecutableBinaries.java
+++ b/src/main/java/com/sap/oss/phosphor/fosstars/data/github/HasExecutableBinaries.java
@@ -10,8 +10,6 @@
 import java.nio.file.Path;
 import java.util.Arrays;
 import java.util.List;
-import org.kohsuke.github.GitHub;
-import org.kohsuke.github.GitHubBuilder;
 /**
 * The data provider tries to figure out if an open-source project has executable binaries (for
diff --git a/src/main/java/com/sap/oss/phosphor/fosstars/data/github/PackageManagement.java b/src/main/java/com/sap/oss/phosphor/fosstars/data/github/PackageManagement.java
index eeec27f3d..bd18147f7 100644
--- a/src/main/java/com/sap/oss/phosphor/fosstars/data/github/PackageManagement.java
+++ b/src/main/java/com/sap/oss/phosphor/fosstars/data/github/PackageManagement.java
@@ -86,7 +86,7 @@ public class PackageManagement extends CachedSingleFeatureGitHubDataProviderThis data provider checks if an open-source project on GitHub
@@ -28,7 +21,7 @@
 * Next, the provider searches for commits from Dependabot in the commit history.
 * If the commits are found, then the provider also reports that the project uses Dependabot.
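Review bot: In `isDependencyChecker(Commit)` the trailer test `&& line.contains(getDependencyCheckerPattern())` matches case-sensitively, while `isDependencyChecker(String)` lowercases the name before comparing, so a `Signed-off-by:` or `Co-authored-by:` trailer that spells the tool as `Snyk` or `Dependabot` is not recognised although the same string in an author name is; changing the line to `&& line.toLowerCase().contains(getDependencyCheckerPattern())) {` makes both paths agree. The abstract `getDependencyCheckerPattern()` has no Javadoc although both comparisons silently require its result to be lower-case; suggest `/** Returns the lower-case marker that identifies the dependency checker in author names, user logins and commit trailers. */`. The class Javadoc could also state that commit author and committer names, commit trailers and the user-chosen display name returned by `getName()` are unverified metadata, so `hasDependencyCheckerCommits` and `hasOpenPullRequestFromDependencyChecker` yield a heuristic signal rather than proof that the tool is in use, which matters for anyone consuming the resulting score. Finally, `hasDependencyCheckerCommits` logs and returns false on `IOException`, so a failed history read is indistinguishable from "no such commits"; a comment stating that this best-effort behaviour is intentional would help the next reader.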

 */
-public class UsesDependabot extends GitHubCachingDataProvider {
+public class UsesDependabot extends AbstractDependencyScanDataProvider {
 /**
 * A list of locations of a Dependabot configuration file in a repository.
@@ -41,20 +34,15 @@ public class UsesDependabot extends GitHubCachingDataProvider {
 ".github/dependabot.yml"
 };
- /**
- * A minimal number of characters in a config for Dependabot.
- */
- private static final int ACCEPTABLE_CONFIG_SIZE = 10;
-
 /**
 * A pattern to detect commits by Dependabot.
 */
 private static final String DEPENDABOT_PATTERN = "dependabot";
- /**
- * Period of time to be checked.
- */
- private static final Duration ONE_YEAR = Duration.ofDays(365);
+ @Override
+ protected String getDependencyCheckerPattern() {
+ return DEPENDABOT_PATTERN;
+ }
 /**
 * Initializes a data provider.
@@ -77,105 +65,10 @@ protected ValueSet fetchValuesFor(GitHubProject project) throws IOException {
 LocalRepository repository = GitHubDataFetcher.localRepositoryFor(project);
 return ValueHashSet.from(
- USES_DEPENDABOT.value(hasDependabotConfig(repository) || hasDependabotCommits(repository)),
- HAS_OPEN_PULL_REQUEST_FROM_DEPENDABOT.value(hasOpenPullRequestFromDependabot(project)));
- }
-
- /**
- * Checks if a repository contains commits from Dependabot in the commit history.
- *
- * @param repository The repository.
- * @return True if at least one commit from Dependabot was found, false otherwise.
- */
- private boolean hasDependabotCommits(LocalRepository repository) {
- Date date = Date.from(Instant.now().minus(ONE_YEAR));
-
- try {
- for (Commit commit : repository.commitsAfter(date)) {
- if (isDependabot(commit)) {
- return true;
- }
- }
- } catch (IOException e) {
- logger.warn("Something went wrong!", e);
- }
-
- return false;
- }
-
- /**
- * Checks if a repository has a configuration file for Dependabot.
- *
- * @param repository The repository
- * @return True if a config was found, false otherwise.
- */
- private boolean hasDependabotConfig(LocalRepository repository) throws IOException {
- for (String config : DEPENDABOT_CONFIGS) {
- Optional content = repository.file(config);
- if (content.isPresent() && content.get().length() >= ACCEPTABLE_CONFIG_SIZE) {
- return true;
- }
- }
-
- return false;
- }
-
- /**
- * Checks whether a project has open pull requests from Dependabot.
- *
- * @param project The project.
- * @return True if the project has open pull requests form Dependabot.
- * @throws IOException If something went wrong.
- */
- private boolean hasOpenPullRequestFromDependabot(GitHubProject project) throws IOException {
- return fetcher.repositoryFor(project).getPullRequests(GHIssueState.OPEN).stream()
- .anyMatch(this::createdByDependabot);
- }
-
- /**
- * Checks if a pull request was created by Dependabot.
- *
- * @param pullRequest The pull request.
- * @return True if the user looks like Dependabot, false otherwise.
- */
- private boolean createdByDependabot(GHPullRequest pullRequest) {
- try {
- GHUser user = pullRequest.getUser();
- return isDependabot(user.getName()) || isDependabot(user.getLogin());
- } catch (IOException e) {
- logger.warn("Oops! Could not fetch name or login!", e);
- return false;
- }
- }
-
- /**
- * Checks if a commit was done by Dependabot.
- *
- * @param commit The commit to be checked.
- * @return True if the commit was done by Dependabot, false otherwise.
- */
- private static boolean isDependabot(Commit commit) {
- if (isDependabot(commit.authorName()) || isDependabot(commit.committerName())) {
- return true;
- }
-
- for (String line : commit.message()) {
- if ((line.startsWith("Signed-off-by:") || line.startsWith("Co-authored-by:"))
- && line.contains(DEPENDABOT_PATTERN)) {
- return true;
- }
- }
-
- return false;
- }
-
- /**
- * Checks whether a name looks like Dependabot.
- *
- * @param name The name.
- * @return True if the name looks like Dependabot, false otherwise.
- */
- private static boolean isDependabot(String name) {
- return name != null && name.toLowerCase().contains(DEPENDABOT_PATTERN);
+ USES_DEPENDABOT.value(
+ hasDependencyCheckerConfig(repository, DEPENDABOT_CONFIGS)
+ || hasDependencyCheckerCommits(repository)),
+ HAS_OPEN_PULL_REQUEST_FROM_DEPENDABOT.value(
+ hasOpenPullRequestFromDependencyChecker(project)));
 }
 }
\ No newline at end of file
diff --git a/src/main/java/com/sap/oss/phosphor/fosstars/data/github/UsesSnyk.java b/src/main/java/com/sap/oss/phosphor/fosstars/data/github/UsesSnyk.java
index 32a508a98..98f8fb85d 100644
--- a/src/main/java/com/sap/oss/phosphor/fosstars/data/github/UsesSnyk.java
+++ b/src/main/java/com/sap/oss/phosphor/fosstars/data/github/UsesSnyk.java
@@ -11,16 +11,9 @@
 import com.sap.oss.phosphor.fosstars.model.value.ValueHashSet;
 import java.io.IOException;
 import java.nio.file.Path;
-import java.time.Duration;
-import java.time.Instant;
-import java.util.Date;
 import java.util.List;
-import java.util.Optional;
 import java.util.Set;
 import java.util.function.Predicate;
-import org.kohsuke.github.GHIssueState;
-import org.kohsuke.github.GHPullRequest;
-import org.kohsuke.github.GHUser;
 /**
 * This data provider checks if an open-source project on GitHub uses Snyk, and fills out the {@link
@@ -31,7 +24,7 @@
 * commits from Snyk in the commit history. If the commits are found, then the provider also reports
 * that the project uses Snyk.
 */
-public class UsesSnyk extends GitHubCachingDataProvider {
+public class UsesSnyk extends AbstractDependencyScanDataProvider {
 /**
 * A file name containing Snyk policies in a repository.
@@ -41,11 +34,6 @@ public class UsesSnyk extends GitHubCachingDataProvider {
 */
 private static String SNYK_POLICY_FILE_NAME = ".snyk";
- /**
- * A minimal number of characters in a config for Snyk.
- */
- private static final int ACCEPTABLE_CONFIG_SIZE = 10;
-
 /**
 * A location of a Snyk configuration file in a repository.
 *
@@ -57,7 +45,9 @@ public class UsesSnyk extends GitHubCachingDataProvider {
 ".github/workflows/snyk.yml"
 };
- /** Predicate to confirm if there is a file in open-source project with the .snyk extension. */
+ /**
+ * Predicate to confirm if there is a file in open-source project with the .snyk extension.
+ */
 private static final Predicate SNYK_FILE_PREDICATE = path -> path.getFileName().toString().endsWith(SNYK_POLICY_FILE_NAME);
@@ -70,8 +60,10 @@ public class UsesSnyk extends GitHubCachingDataProvider {
 */
 private static final String SNYK_PATTERN = "snyk";
- /** Period of time to be checked. */
- private static final Duration ONE_YEAR = Duration.ofDays(365);
+ @Override
+ protected String getDependencyCheckerPattern() {
+ return SNYK_PATTERN;
+ }
 /**
 * Initializes a data provider.
@@ -96,26 +88,9 @@ protected ValueSet fetchValuesFor(GitHubProject project) throws IOException {
 return ValueHashSet.from(
 USES_SNYK.value(
 hasSnykPolicy(repository)
- || hasSnykConfig(repository)
- || hasSnykCommits(repository)),
- HAS_OPEN_PULL_REQUEST_FROM_SNYK.value(hasOpenPullRequestFromSnyk(project)));
- }
-
- /**
- * Checks if a repository has a configuration file for Snyk.
- *
- * @param repository The repository
- * @return True if a config was found, false otherwise.
- */
- private boolean hasSnykConfig(LocalRepository repository) throws IOException {
- for (String config : SNYK_CONFIGS) {
- Optional content = repository.file(config);
- if (content.isPresent() && content.get().length() >= ACCEPTABLE_CONFIG_SIZE) {
- return true;
- }
- }
-
- return false;
+ || hasDependencyCheckerConfig(repository, SNYK_CONFIGS)
+ || hasDependencyCheckerCommits(repository)),
+ HAS_OPEN_PULL_REQUEST_FROM_SNYK.value(hasOpenPullRequestFromDependencyChecker(project)));
 }
 /**
@@ -128,85 +103,4 @@ private boolean hasSnykPolicy(LocalRepository repository) throws IOException {
 List snykPolicyFilePaths = repository.files(SNYK_FILE_PREDICATE);
 return !snykPolicyFilePaths.isEmpty();
 }
-
- /**
- * Checks whether a project has open pull requests from Snyk.
- *
- * @param project The project.
- * @return True if the project has open pull requests form Snyk.
- * @throws IOException If something went wrong.
- */
- private boolean hasOpenPullRequestFromSnyk(GitHubProject project) throws IOException {
- return fetcher.repositoryFor(project).getPullRequests(GHIssueState.OPEN).stream()
- .anyMatch(this::createdBySnyk);
- }
-
- /**
- * Checks if a pull request was created by Snyk.
- *
- * @param pullRequest The pull request.
- * @return True if the user looks like Snyk, false otherwise.
- */
- private boolean createdBySnyk(GHPullRequest pullRequest) {
- try {
- GHUser user = pullRequest.getUser();
- return isSnyk(user.getName()) || isSnyk(user.getLogin());
- } catch (IOException e) {
- logger.warn("Oops! Could not fetch name or login!", e);
- return false;
- }
- }
-
- /**
- * Checks if a repository contains commits from Snyk in the commit history.
- *
- * @param repository The repository.
- * @return True if at least one commit from Snyk was found, false otherwise.
- */
- private boolean hasSnykCommits(LocalRepository repository) {
- Date date = Date.from(Instant.now().minus(ONE_YEAR));
-
- try {
- for (Commit commit : repository.commitsAfter(date)) {
- if (isSnyk(commit)) {
- return true;
- }
- }
- } catch (IOException e) {
- logger.warn("Something went wrong!", e);
- }
-
- return false;
- }
-
- /**
- * Checks if a commit was done by Snyk.
- *
- * @param commit The commit to be checked.
- * @return True if the commit was done by Snyk, false otherwise.
- */
- private static boolean isSnyk(Commit commit) {
- if (isSnyk(commit.authorName()) || isSnyk(commit.committerName())) {
- return true;
- }
-
- for (String line : commit.message()) {
- if ((line.startsWith("Signed-off-by:") || line.startsWith("Co-authored-by:"))
- && line.contains(SNYK_PATTERN)) {
- return true;
- }
- }
-
- return false;
- }
-
- /**
- * Checks whether a name looks like Snyk.
- *
- * @param name The name.
- * @return True if the name looks like Snyk, false otherwise.
- */
- private static boolean isSnyk(String name) {
- return name != null && name.toLowerCase().contains(SNYK_PATTERN);
- }
 }
diff --git a/src/main/java/com/sap/oss/phosphor/fosstars/model/feature/oss/OssFeatures.java b/src/main/java/com/sap/oss/phosphor/fosstars/model/feature/oss/OssFeatures.java
index e11ed5680..b3884d6af 100755
--- a/src/main/java/com/sap/oss/phosphor/fosstars/model/feature/oss/OssFeatures.java
+++ b/src/main/java/com/sap/oss/phosphor/fosstars/model/feature/oss/OssFeatures.java
@@ -173,16 +173,17 @@ private OssFeatures() { /** *

Shows if a project uses Snyk.

- *

Snyk offers - * i) Static Application Security Testing (SAST) amd - * i) Static Application Security Testing (SAST) amd - * ii) Automatic dependency updates - * In particular for automatic dependency updates, + *

Snyk introduction offers

+ *
    + *
  • Static Application Security Testing (SAST)
  • + *
  • Automatic dependency updates
  • + *
+ *

In particular for automatic dependency updates, * when Snyk finds a vulnerability in dependencies, * it opens a pull request to update the vulnerable dependency to the safe version.

 */
 public static final Feature USES_SNYK
- = new BooleanFeature("If a project uses Snyk");
+ = new BooleanFeature("If a project uses Snyk");
 /**
 * Shows if an open source project has open pull requests from Snyk which means that
@@ -191,7 +192,7 @@ private OssFeatures() {
 * @see Snyk
 */
 public static final BooleanFeature HAS_OPEN_PULL_REQUEST_FROM_SNYK
- = new BooleanFeature("If a project has open pull requests from Snyk");
+ = new BooleanFeature("If a project has open pull requests from Snyk");
 /**
 * Shows how many GitHub users starred an open-source project.
diff --git a/src/main/java/com/sap/oss/phosphor/fosstars/model/score/oss/DependabotScore.java b/src/main/java/com/sap/oss/phosphor/fosstars/model/score/oss/DependabotScore.java
index 86caa3746..9d9a46691 100644
--- a/src/main/java/com/sap/oss/phosphor/fosstars/model/score/oss/DependabotScore.java
+++ b/src/main/java/com/sap/oss/phosphor/fosstars/model/score/oss/DependabotScore.java
@@ -70,7 +70,7 @@ public class DependabotScore extends FeatureBasedScore {
 * A score value that is returned if it's likely
 * that a project uses the security alerts on GitHub.
 */
- private static final double GITHUB_ALERTS_SCORE_VALUE = 3.0;
+ private static final double GITHUB_ALERTS_SCORE_VALUE = 5.0;
 /**
 * Initializes a new score.
diff --git a/src/main/java/com/sap/oss/phosphor/fosstars/model/score/oss/SnykDependencyScanScore.java b/src/main/java/com/sap/oss/phosphor/fosstars/model/score/oss/SnykDependencyScanScore.java
index 75f0480fd..aad055652 100644
--- a/src/main/java/com/sap/oss/phosphor/fosstars/model/score/oss/SnykDependencyScanScore.java
+++ b/src/main/java/com/sap/oss/phosphor/fosstars/model/score/oss/SnykDependencyScanScore.java
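Review bot: `GITHUB_ALERTS_SCORE_VALUE` goes from 3.0 to 5.0 here in `DependabotScore` and again in `SnykDependencyScanScore` in the next hunk, but neither the constant's Javadoc nor the commit message, which only describes adding Snyk as a data provider, explains why a project that merely likely uses GitHub security alerts now earns a higher score; please record the rationale in the Javadoc, e.g. `* Raised from 3.0 to 5.0 in #860 because <reason>.`. The same value with the same Javadoc now lives in both classes, so one shared constant would keep the Dependabot and Snyk scores from drifting apart on the next adjustment. The enclosing class continues outside the hunk.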
@@ -53,7 +53,7 @@ public class SnykDependencyScanScore extends FeatureBasedScore {
 * A score value that is returned if it's likely that a project uses the security alerts on
 * GitHub.
 */
- private static final double GITHUB_ALERTS_SCORE_VALUE = 3.0;
+ private static final double GITHUB_ALERTS_SCORE_VALUE = 5.0;
 /** Initializes a new score. */
 public SnykDependencyScanScore() {
diff --git a/src/test/java/com/sap/oss/phosphor/fosstars/advice/oss/BanditAdvisorTest.java b/src/test/java/com/sap/oss/phosphor/fosstars/advice/oss/BanditAdvisorTest.java
index 3b9d4b7e2..8f606ea02 100644
--- a/src/test/java/com/sap/oss/phosphor/fosstars/advice/oss/BanditAdvisorTest.java
+++ b/src/test/java/com/sap/oss/phosphor/fosstars/advice/oss/BanditAdvisorTest.java
@@ -2,10 +2,7 @@
 import static com.sap.oss.phosphor.fosstars.model.feature.oss.OssFeatures.LANGUAGES;
 import static com.sap.oss.phosphor.fosstars.model.feature.oss.OssFeatures.RUNS_BANDIT_SCANS;
-import static com.sap.oss.phosphor.fosstars.model.feature.oss.OssFeatures.RUNS_CODEQL_SCANS;
 import static com.sap.oss.phosphor.fosstars.model.feature.oss.OssFeatures.USES_BANDIT_SCAN_CHECKS;
-import static com.sap.oss.phosphor.fosstars.model.feature.oss.OssFeatures.USES_CODEQL_CHECKS;
-import static com.sap.oss.phosphor.fosstars.model.feature.oss.OssFeatures.USES_LGTM_CHECKS;
 import static com.sap.oss.phosphor.fosstars.model.other.Utils.allUnknown;
 import static com.sap.oss.phosphor.fosstars.model.value.Language.PYTHON;
 import static org.junit.Assert.assertEquals;
diff --git a/src/test/java/com/sap/oss/phosphor/fosstars/advice/oss/SnykAdvisorTest.java b/src/test/java/com/sap/oss/phosphor/fosstars/advice/oss/SnykAdvisorTest.java
index fcd1a17f9..0c7207d2e 100644
--- a/src/test/java/com/sap/oss/phosphor/fosstars/advice/oss/SnykAdvisorTest.java
+++ b/src/test/java/com/sap/oss/phosphor/fosstars/advice/oss/SnykAdvisorTest.java
@@ -1,26 +1,18 @@
 package com.sap.oss.phosphor.fosstars.advice.oss;
 import static com.sap.oss.phosphor.fosstars.advice.oss.AbstractOssAdvisor.OssAdviceContextFactory.WITH_EMPTY_CONTEXT;
-import static com.sap.oss.phosphor.fosstars.model.feature.oss.OssFeatures.HAS_OPEN_PULL_REQUEST_FROM_SNYK;
 import static com.sap.oss.phosphor.fosstars.model.feature.oss.OssFeatures.LANGUAGES;
 import static com.sap.oss.phosphor.fosstars.model.feature.oss.OssFeatures.PACKAGE_MANAGERS;
-import static com.sap.oss.phosphor.fosstars.model.feature.oss.OssFeatures.RUNS_BANDIT_SCANS;
-import static com.sap.oss.phosphor.fosstars.model.feature.oss.OssFeatures.USES_BANDIT_SCAN_CHECKS;
-import static com.sap.oss.phosphor.fosstars.model.feature.oss.OssFeatures.USES_DEPENDABOT;
 import static com.sap.oss.phosphor.fosstars.model.feature.oss.OssFeatures.USES_GITHUB_FOR_DEVELOPMENT;
 import static com.sap.oss.phosphor.fosstars.model.feature.oss.OssFeatures.USES_SNYK;
 import static com.sap.oss.phosphor.fosstars.model.other.Utils.allUnknown;
 import static com.sap.oss.phosphor.fosstars.model.value.Language.C;
 import static com.sap.oss.phosphor.fosstars.model.value.Language.GO;
-import static com.sap.oss.phosphor.fosstars.model.value.Language.JAVA;
-import static com.sap.oss.phosphor.fosstars.model.value.Language.PYTHON;
 import static com.sap.oss.phosphor.fosstars.model.value.PackageManager.GOMODULES;
-import static com.sap.oss.phosphor.fosstars.model.value.PackageManager.MAVEN;
 import static com.sap.oss.phosphor.fosstars.model.value.PackageManager.OTHER;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
-import com.sap.oss.phosphor.fosstars.advice.oss.AbstractOssAdvisor.OssAdviceContextFactory;
 import com.sap.oss.phosphor.fosstars.model.Rating;
 import com.sap.oss.phosphor.fosstars.model.RatingRepository;
 import com.sap.oss.phosphor.fosstars.model.ValueSet;
@@ -36,7 +28,7 @@ public class SnykAdvisorTest {
 @Test
 public void testAdviseForSnyk() throws MalformedURLException {
- SnykAdvisor advisor = new SnykAdvisor(WITH_EMPTY_CONTEXT);
+ final SnykAdvisor advisor = new SnykAdvisor(WITH_EMPTY_CONTEXT);
 GitHubProject project = new GitHubProject("org", "test");
 // no advice if no rating value is set
@@ -65,7 +57,7 @@ public void testAdviseForSnyk() throws MalformedURLException {
 @Test
 public void testAdviceWhenSnykScoreIsNotApplicable() throws MalformedURLException {
- final DependabotAdvisor advisor = new DependabotAdvisor(WITH_EMPTY_CONTEXT);
+ final SnykAdvisor advisor = new SnykAdvisor(WITH_EMPTY_CONTEXT);
 final GitHubProject project = new GitHubProject("org", "test");
 Rating rating = RatingRepository.INSTANCE.rating(OssSecurityRating.class);
diff --git a/src/test/java/com/sap/oss/phosphor/fosstars/data/github/CodeOfConductGuidelineInfoTest.java b/src/test/java/com/sap/oss/phosphor/fosstars/data/github/CodeOfConductGuidelineInfoTest.java
index 11f85788f..2f831832a 100644
--- a/src/test/java/com/sap/oss/phosphor/fosstars/data/github/CodeOfConductGuidelineInfoTest.java
+++ b/src/test/java/com/sap/oss/phosphor/fosstars/data/github/CodeOfConductGuidelineInfoTest.java
@@ -13,8 +13,6 @@
 import com.sap.oss.phosphor.fosstars.model.ValueSet;
 import com.sap.oss.phosphor.fosstars.model.subject.oss.GitHubProject;
 import java.io.IOException;
-import java.nio.charset.Charset;
-import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
diff --git a/src/test/java/com/sap/oss/phosphor/fosstars/model/score/oss/SnykDependencyScanScoreTest.java b/src/test/java/com/sap/oss/phosphor/fosstars/model/score/oss/SnykDependencyScanScoreTest.java
index 015da8b98..c8e24ef61 100644
--- a/src/test/java/com/sap/oss/phosphor/fosstars/model/score/oss/SnykDependencyScanScoreTest.java
+++ b/src/test/java/com/sap/oss/phosphor/fosstars/model/score/oss/SnykDependencyScanScoreTest.java
@@ -14,7 +14,6 @@
 import com.sap.oss.phosphor.fosstars.model.Confidence;
 import com.sap.oss.phosphor.fosstars.model.Score;
-import com.sap.oss.phosphor.fosstars.model.math.DoubleInterval;
 import com.sap.oss.phosphor.fosstars.model.other.Utils;
 import com.sap.oss.phosphor.fosstars.model.value.Languages;
 import com.sap.oss.phosphor.fosstars.model.value.PackageManagers;
@@ -40,7 +39,7 @@ public void testCalculateWhenSnykIsUsed() {
 @Test
 public void testCalculateWhenSnykIsNotUsed() {
 assertScore(
- Score.makeInterval(0, 3),
+ Score.makeInterval(0, 5),
 SCORE,
 setOf(
 USES_GITHUB_FOR_DEVELOPMENT.value(true),
diff --git a/src/test/resources/com/sap/oss/phosphor/fosstars/model/score/oss/DependabotScoreTestVectors.yml b/src/test/resources/com/sap/oss/phosphor/fosstars/model/score/oss/DependabotScoreTestVectors.yml
index 092bcf256..b574d2ee6 100644
--- a/src/test/resources/com/sap/oss/phosphor/fosstars/model/score/oss/DependabotScoreTestVectors.yml
+++ b/src/test/resources/com/sap/oss/phosphor/fosstars/model/score/oss/DependabotScoreTestVectors.yml
@@ -104,10 +104,10 @@ elements:
 - "JAVA"
 expectedScore:
 type: "DoubleInterval"
- from: 1.0
+ from: 5.0
 openLeft: false
 negativeInfinity: false
- to: 3.0
+ to: 8.0
 openRight: false
 positiveInfinity: false
 expectedLabel: null
diff --git a/src/test/resources/com/sap/oss/phosphor/fosstars/model/score/oss/DependencyScanScoreTestVectors.yml b/src/test/resources/com/sap/oss/phosphor/fosstars/model/score/oss/DependencyScanScoreTestVectors.yml
index ec6c16230..f3cb02c22 100644
--- a/src/test/resources/com/sap/oss/phosphor/fosstars/model/score/oss/DependencyScanScoreTestVectors.yml
+++ b/src/test/resources/com/sap/oss/phosphor/fosstars/model/score/oss/DependencyScanScoreTestVectors.yml
@@ -145,10 +145,10 @@ elements:
 - "GO"
 expectedScore:
 type: "DoubleInterval"
- from: 5.0
+ from: 8.0
 openLeft: false
 negativeInfinity: false
- to: 8.0
+ to: 10.0
 openRight: false
 positiveInfinity: false
 expectedLabel: null
diff --git a/src/test/resources/com/sap/oss/phosphor/fosstars/model/score/oss/SnykDependencyScanScoreTestVectors.yml b/src/test/resources/com/sap/oss/phosphor/fosstars/model/score/oss/SnykDependencyScanScoreTestVectors.yml
index 5974a29e7..5e041a657 100644
--- a/src/test/resources/com/sap/oss/phosphor/fosstars/model/score/oss/SnykDependencyScanScoreTestVectors.yml
+++ b/src/test/resources/com/sap/oss/phosphor/fosstars/model/score/oss/SnykDependencyScanScoreTestVectors.yml
@@ -104,10 +104,10 @@ elements:
 - "JAVA"
 expectedScore:
 type: "DoubleInterval"
- from: 1.0
+ from: 5.0
 openLeft: false
 negativeInfinity: false
- to: 3.0
+ to: 8.0
 openRight: false
 positiveInfinity: false
 expectedLabel: null
diff --git a/src/test/resources/com/sap/oss/phosphor/fosstars/model/score/oss/VulnerabilityDiscoveryAndSecurityTestingScoreTestVectors.yml b/src/test/resources/com/sap/oss/phosphor/fosstars/model/score/oss/VulnerabilityDiscoveryAndSecurityTestingScoreTestVectors.yml
index 4b44bcb90..88012ddf9 100644
--- a/src/test/resources/com/sap/oss/phosphor/fosstars/model/score/oss/VulnerabilityDiscoveryAndSecurityTestingScoreTestVectors.yml
+++ b/src/test/resources/com/sap/oss/phosphor/fosstars/model/score/oss/VulnerabilityDiscoveryAndSecurityTestingScoreTestVectors.yml
@@ -1,10 +1,5 @@
 ---
-defaults:
-- type: "BooleanValue"
- feature:
- type: "BooleanFeature"
- name: "If a project uses Snyk"
- flag: false
+defaults: []
 elements:
 - type: "StandardTestVector"
diff --git a/src/test/shell/tool/github/lib.sh b/src/test/shell/tool/github/lib.sh
index 7c15b2848..e77f949da 100644
--- a/src/test/shell/tool/github/lib.sh
+++ b/src/test/shell/tool/github/lib.sh
@@ -24,6 +24,7 @@ declare -a project_security_default_expected_strings=(
 'Figuring out how the project uses LGTM'
 'Figuring out if the project uses OWASP security libraries'
 'Checking how the project uses Dependabot'
+ 'Checking how the project uses Snyk'
 'Figuring out if the project uses GitHub for development'
 'Figuring out if the project uses sanitizers'
 'Figuring out if the project uses FindSecBugs'
@@ -58,6 +59,7 @@ declare -a project_security_default_expected_strings=(
 'Sub-score:....FindSecBugs score'
 'Sub-score:....Dependency testing'
 'Sub-score:....Dependabot score'
+ 'Sub-score:....Snyk score'
 'Sub-score:....OWASP Dependency Check score'
 'Sub-score:....Fuzzing'
 'Sub-score:....Memory-safety testing'