
🌱 Add branch protection probe evaluation (#3759)
* 🌱 Add branch protection evaluation

Signed-off-by: Adam Korczynski <[email protected]>

* make helper for getting the branchName

Signed-off-by: Adam Korczynski <[email protected]>

* move check for branch name

Signed-off-by: Adam Korczynski <[email protected]>

* define size of slice

Signed-off-by: Adam Korczynski <[email protected]>

* add probe for protected branches.

Signed-off-by: Adam Korczynski <[email protected]>

* change 'basicNonAdminProtection' to 'deleteAndForcePushProtection'

Signed-off-by: Adam Korczynski <[email protected]>

* fix markdown in text field in def.yml

Signed-off-by: Adam Korczynski <[email protected]>

* remove duplicate conditional

Signed-off-by: Adam Korczynski <[email protected]>

* remove redundant 'protected' value from 'requiresCodeOwnersReview' probe

Signed-off-by: Adam Korczynski <[email protected]>

* remove protected values from probes

Signed-off-by: Adam Korczynski <[email protected]>

* Bring back negative outcome in case of 0 codeowners files

Signed-off-by: Adam Korczynski <[email protected]>

* log based on whether branches are protected

Signed-off-by: Adam Korczynski <[email protected]>

* remove unnecessary test

Signed-off-by: Adam Korczynski <[email protected]>

* debug failing tests

Signed-off-by: Adam Korczynski <[email protected]>

* Fix failing tests

Signed-off-by: Adam Korczynski <[email protected]>

* rename test

Signed-off-by: Adam Korczynski <[email protected]>

* update with latest upstream changes

Signed-off-by: AdamKorcz <[email protected]>

* fix linting issues

Signed-off-by: AdamKorcz <[email protected]>

* remove tests that represent impossible scenarios

Signed-off-by: AdamKorcz <[email protected]>

* remove protected finding value

This was discussed previously, but accidentally reverted

Signed-off-by: Spencer Schrock <[email protected]>

* Revert "debug failing tests"

This reverts commit 00acf66.

Signed-off-by: Spencer Schrock <[email protected]>

* use branchName key for branch name

Signed-off-by: Spencer Schrock <[email protected]>

* include number of reviews in INFO

this was previously included by the old evaluation code

Signed-off-by: Spencer Schrock <[email protected]>

* reduce info count by 1

requiring codeowners without a corresponding file used to give 1 INFO and 1 WARN
now it only gives 1 WARN

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Adam Korczynski <[email protected]>
Signed-off-by: AdamKorcz <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Co-authored-by: Spencer Schrock <[email protected]>
AdamKorcz and spencerschrock committed Feb 28, 2024
1 parent 4ae4ba2 commit 4daefb6
Showing 24 changed files with 2,203 additions and 671 deletions.
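--- a/checks/branch_protection.go
+++ b/checks/branch_protection.go
@@ -19,6 +19,8 @@ import (
 "github.com/ossf/scorecard/v4/checks/evaluation"
 "github.com/ossf/scorecard/v4/checks/raw"
 sce "github.com/ossf/scorecard/v4/errors"
+"github.com/ossf/scorecard/v4/probes"
+"github.com/ossf/scorecard/v4/probes/zrunner"
 )
 
 // CheckBranchProtection is the exported name for Branch-Protected check.
@@ -34,17 +36,23 @@ func init() {
 
 // BranchProtection runs the Branch-Protection check.
 func BranchProtection(c *checker.CheckRequest) checker.CheckResult {
-rawData, err := raw.BranchProtection(c.RepoClient)
+rawData, err := raw.BranchProtection(c)
 if err != nil {
 e := sce.WithMessage(sce.ErrScorecardInternal, err.Error())
 return checker.CreateRuntimeErrorResult(CheckBranchProtection, e)
 }
 
-// Return raw results.
-if c.RawResults != nil {
-c.RawResults.BranchProtectionResults = rawData
+// Set the raw results.
+pRawResults := getRawResults(c)
+pRawResults.BranchProtectionResults = rawData
+
+// Evaluate the probes.
+findings, err := zrunner.Run(pRawResults, probes.BranchProtection)
+if err != nil {
+e := sce.WithMessage(sce.ErrScorecardInternal, err.Error())
+return checker.CreateRuntimeErrorResult(CheckBranchProtection, e)
 }
 
 // Return the score evaluation.
-return evaluation.BranchProtection(CheckBranchProtection, c.Dlogger, &rawData)
+return evaluation.BranchProtection(CheckBranchProtection, findings, c.Dlogger)
 }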
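Review bot: The `c.RawResults != nil` guard from the removed lines is gone, and `pRawResults.BranchProtectionResults = rawData` now writes unconditionally through whatever `getRawResults(c)` returns; `getRawResults` is defined outside this hunk, so the new code is only safe if it never returns nil (presumably it substitutes a scratch `RawResults` when the caller supplied none, since the probe runner on the next lines needs one either way). A comment on that line, `// getRawResults is expected never to return nil; when c.RawResults is unset the value only feeds the probe runner below`, would record the invariant this write depends on. Separately, the second `sce.WithMessage(sce.ErrScorecardInternal, err.Error())` passes only the error text, so the zrunner failure itself is not in the returned error's chain; that mirrors the pre-existing raw-collection path, so it reads as a follow-up rather than a blocker.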
4 changes: 2 additions & 2 deletions checks/branch_protection_test.go
Expand Up @@ -174,7 +174,7 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
Error: nil,
Score: 4,
NumberOfWarn: 9,
NumberOfInfo: 12,
NumberOfInfo: 11,
NumberOfDebug: 0,
},
defaultBranch: main,
Expand Down Expand Up @@ -232,7 +232,7 @@ func TestReleaseAndDevBranchProtected(t *testing.T) {
Error: nil,
Score: 8,
NumberOfWarn: 4,
NumberOfInfo: 18,
NumberOfInfo: 16,
NumberOfDebug: 0,
},
defaultBranch: main,
