Merge branch 'main' into azeems/commit

ossf · Aug 16, 2022 · 055f096 · 055f096
2 parents c72afe5 + ff9c062
commit 055f096
Show file tree

Hide file tree

Showing 12 changed files with 105 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -434,7 +434,7 @@ Name        | Description                               | Risk Level | Token Req
 [Dependency-Update-Tool](docs/checks.md#dependency-update-tool) | Does the project use tools to help update its dependencies?                                                                                                                                                                                                                                                                  | High | PAT, GITHUB_TOKEN   |
 [Fuzzing](docs/checks.md#fuzzing)                               | Does the project use fuzzing tools, e.g. [OSS-Fuzz](https://github.com/google/oss-fuzz)?                                                                                                                                                                                                                                     | Medium | PAT, GITHUB_TOKEN   |
 [License](docs/checks.md#license)                               | Does the project declare a license?                                                                                                                                                                                                                                                                                          | Low | PAT, GITHUB_TOKEN   |
-[Maintained](docs/checks.md#maintained)                         | Is the project maintained?                                                                                                                                                                                                                                                                                                   | High | PAT, GITHUB_TOKEN   |
+[Maintained](docs/checks.md#maintained)                         | Is the project at least 90 days old, and maintained?                                                                                                                                                                                                                                                                                                   | High | PAT, GITHUB_TOKEN   |
 [Pinned-Dependencies](docs/checks.md#pinned-dependencies)       | Does the project declare and pin [dependencies](https://docs.github.com/en/free-pro-team@latest/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)?                                                                                                                     | Medium | PAT, GITHUB_TOKEN   |
 [Packaging](docs/checks.md#packaging)                           | Does the project build and publish official packages from CI/CD, e.g. [GitHub Publishing](https://docs.github.com/en/free-pro-team@latest/actions/guides/about-packaging-with-github-actions#workflows-for-publishing-packages) ?                                                                                            | Medium | PAT, GITHUB_TOKEN   |
 [SAST](docs/checks.md#sast)                                     | Does the project use static code analysis tools, e.g. [CodeQL](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions), [LGTM](https://lgtm.com), [SonarCloud](https://sonarcloud.io)? | Medium | PAT, GITHUB_TOKEN   |

diff --git a/checker/raw_result.go b/checker/raw_result.go
@@ -15,6 +15,8 @@
 package checker
 
 import (
+	"time"
+
 	"github.com/ossf/scorecard/v4/clients"
 )
 
@@ -105,6 +107,7 @@ type Dependency struct {
 // MaintainedData contains the raw results
 // for the Maintained check.
 type MaintainedData struct {
+	CreatedAt            time.Time
 	Issues               []clients.Issue
 	DefaultBranchCommits []clients.Commit
 	ArchivedStatus       ArchivedStatus

diff --git a/checks/evaluation/maintained.go b/checks/evaluation/maintained.go
@@ -49,6 +49,19 @@ func Maintained(name string, dl checker.DetailLogger, r *checker.MaintainedData)
 		}
 	}
 
+	// Emit a warning if this repo was created recently
+	recencyThreshold := time.Now().AddDate(0 /*years*/, 0 /*months*/, -1*lookBackDays /*days*/)
+	if r.CreatedAt.After(recencyThreshold) {
+		dl.Warn(&checker.LogMessage{
+			Text: fmt.Sprintf("repo was created in the last %d days (Created at: %s), please review its contents carefully",
+				lookBackDays, r.CreatedAt.Format(time.RFC3339)),
+		})
+		daysSinceRepoCreated := int(time.Since(r.CreatedAt).Hours() / 24)
+		return checker.CreateMinScoreResult(name,
+			fmt.Sprintf("repo was created %d days ago, not enough maintenance history", daysSinceRepoCreated),
+		)
+	}
+
 	issuesUpdatedWithinThreshold := 0
 	for i := range r.Issues {
 		if hasActivityByCollaboratorOrHigher(&r.Issues[i], threshold) {

diff --git a/checks/maintained_test.go b/checks/maintained_test.go
@@ -29,7 +29,7 @@ import (
 
 // ignoring the linter for cyclomatic complexity because it is a test func
 // TestMaintained tests the maintained check.
-//nolint
+// nolint
 func Test_Maintained(t *testing.T) {
 	t.Parallel()
 	threeHundredDaysAgo := time.Now().AddDate(0, 0, -300)
@@ -55,6 +55,7 @@ func Test_Maintained(t *testing.T) {
 		commiterr  error
 		issues     []clients.Issue
 		issueerr   error
+		createdat  time.Time
 		expected   checker.CheckResult
 	}{
 		{
@@ -298,6 +299,29 @@ func Test_Maintained(t *testing.T) {
 				Score: 0,
 			},
 		},
+		{
+			name:       "recently created repo",
+			isarchived: false,
+			commits: []clients.Commit{
+				{
+					CommittedDate: time.Now().AddDate(0, 0, -1),
+				},
+				{
+					CommittedDate: time.Now().AddDate(0, 0, -10),
+				},
+				{
+					CommittedDate: time.Now().AddDate(0, 0, -11),
+				},
+				{
+					CommittedDate: time.Now().AddDate(0, 0, -12),
+				},
+			},
+			issues:    []clients.Issue{},
+			createdat: time.Now().AddDate(0, 0, -1),
+			expected: checker.CheckResult{
+				Score: 0,
+			},
+		},
 	}
 
 	for _, tt := range tests {
@@ -335,6 +359,16 @@ func Test_Maintained(t *testing.T) {
 							return tt.issues, tt.err
 						},
 					).MinTimes(1)
+
+					if tt.issueerr == nil {
+						mockRepo.EXPECT().GetCreatedAt().DoAndReturn(func() (time.Time, error) {
+							if tt.createdat.IsZero() {
+								return time.Now().AddDate(0, 0, -365), nil
+							}
+
+							return tt.createdat, nil
+						})
+					}
 				}
 			}
 

diff --git a/checks/raw/maintained.go b/checks/raw/maintained.go
@@ -45,5 +45,11 @@ func Maintained(c *checker.CheckRequest) (checker.MaintainedData, error) {
 	}
 	result.Issues = issues
 
+	createdAt, err := c.RepoClient.GetCreatedAt()
+	if err != nil {
+		return result, fmt.Errorf("%w", err)
+	}
+	result.CreatedAt = createdAt
+
 	return result, nil
 }
diff --git a/clients/githubrepo/client.go b/clients/githubrepo/client.go
@@ -20,6 +20,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"time"
 
 	"github.com/google/go-github/v38/github"
 	"github.com/shurcooL/githubv4"
@@ -174,6 +175,11 @@ func (client *Client) GetBranch(branch string) (*clients.BranchRef, error) {
 	return client.branches.getBranch(branch)
 }
 
+// GetCreatedAt is a getter for repo.CreatedAt
+func (client *Client) GetCreatedAt() (time.Time, error) {
+	return client.repo.CreatedAt.Time, nil
+}
+
 // ListWebhooks implements RepoClient.ListWebhooks.
 func (client *Client) ListWebhooks() ([]clients.Webhook, error) {
 	return client.webhook.listWebhooks()

diff --git a/clients/localdir/client.go b/clients/localdir/client.go
@@ -26,6 +26,7 @@ import (
 	"path/filepath"
 	"strings"
 	"sync"
+	"time"
 
 	clients "github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/log"
@@ -234,6 +235,10 @@ func (client *localDirClient) ListProgrammingLanguages() ([]clients.Language, er
 	return nil, fmt.Errorf("ListProgrammingLanguages: %w", clients.ErrUnsupportedFeature)
 }
 
+func (client *localDirClient) GetCreatedAt() (time.Time, error) {
+	return time.Time{}, fmt.Errorf("GetCreatedAt: %w", clients.ErrUnsupportedFeature)
+}
+
 // CreateLocalDirClient returns a client which implements RepoClient interface.
 func CreateLocalDirClient(ctx context.Context, logger *log.Logger) clients.RepoClient {
 	return &localDirClient{

diff --git a/clients/mockclients/repo_client.go b/clients/mockclients/repo_client.go
diff --git a/clients/repo_client.go b/clients/repo_client.go
@@ -17,6 +17,7 @@ package clients
 
 import (
 	"errors"
+	"time"
 )
 
 // ErrUnsupportedFeature indicates an API that is not supported by the client.
@@ -33,6 +34,7 @@ type RepoClient interface {
 	ListFiles(predicate func(string) (bool, error)) ([]string, error)
 	GetFileContent(filename string) ([]byte, error)
 	GetBranch(branch string) (*BranchRef, error)
+	GetCreatedAt() (time.Time, error)
 	GetDefaultBranchName() (string, error)
 	GetDefaultBranch() (*BranchRef, error)
 	ListCommits() ([]Commit, error)

diff --git a/docs/checks.md b/docs/checks.md
@@ -380,6 +380,11 @@ For example, a library that determines if an integer is even would not normally
 need maintenance unless an underlying implementation language definition
 changed. A lack of active maintenance should signal that potential users should
 investigate further to judge the situation.   
+
+This check will only succeed if a Github project is >90 days old. Projects
+that are younger than this are too new to assess whether they are maintained
+or not, and users should inspect the contents of those projects to ensure they
+are as expected.
 
 
 **Remediation steps**

diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml
@@ -37,6 +37,11 @@ checks:
       need maintenance unless an underlying implementation language definition
       changed. A lack of active maintenance should signal that potential users should
       investigate further to judge the situation.   
+
+      This check will only succeed if a Github project is >90 days old. Projects
+      that are younger than this are too new to assess whether they are maintained
+      or not, and users should inspect the contents of those projects to ensure they
+      are as expected.
     remediation:
       - >-
         There is no remediation work needed from projects with a low score; this

diff --git a/pkg/json_raw_results.go b/pkg/json_raw_results.go
@@ -132,6 +132,10 @@ type jsonArchivedStatus struct {
 	// TODO: add fields, e.g. date of archival, etc.
 }
 
+type jsonCreatedAtTime struct {
+	Time time.Time `json:"timestamp"`
+}
+
 type jsonComment struct {
 	CreatedAt *time.Time `json:"createdAt"`
 	Author    *jsonUser  `json:"author"`
@@ -251,6 +255,8 @@ type jsonRawResults struct {
 	DefaultBranchCommits []jsonDefaultBranchCommit `json:"defaultBranchCommits"`
 	// Archived status of the repo.
 	ArchivedStatus jsonArchivedStatus `json:"archived"`
+	// Repo creation time
+	CreatedAtTime jsonCreatedAtTime `json:"createdAt"`
 	// Fuzzers.
 	Fuzzers []jsonTool `json:"fuzzers"`
 	// Releases.
@@ -460,6 +466,8 @@ func (r *jsonScorecardRawResult) addMaintainedRawResults(mr *checker.MaintainedD
 	// Set archived status.
 	r.Results.ArchivedStatus = jsonArchivedStatus{Status: mr.ArchivedStatus.Status}
 
+	r.Results.CreatedAtTime = jsonCreatedAtTime{Time: mr.CreatedAt}
+
 	// Issues.
 	for i := range mr.Issues {
 		issue := jsonIssue{