🐛 Signed-Releases - Check releases for signatures even if they only have source code

checks/evaluation/signed_releases.go

@@ -30,7 +30,7 @@ var (
 
 const releaseLookBack = 5
 
-//SignedReleases applies the score policy for the Signed-Releases check.
+// SignedReleases applies the score policy for the Signed-Releases check.
 //nolint
 func SignedReleases(name string, dl checker.DetailLogger, r *checker.SignedReleasesData) checker.CheckResult {
 	if r == nil {
@@ -42,7 +42,10 @@ func SignedReleases(name string, dl checker.DetailLogger, r *checker.SignedRelea
 	total := 0
 	score := 0
 	for _, release := range r.Releases {
-		if len(release.Assets) == 0 {
+		if release.ZipballURL == "" && release.TarballURL == "" && len(release.Assets) == 0 {
+			dl.Warn(&checker.LogMessage{
+				Text: fmt.Sprintf("Couldn't find assets for release %s at url %s", release.TagName, release.URL),
+			})
 			continue
 		}
 
@@ -127,6 +130,6 @@ func SignedReleases(name string, dl checker.DetailLogger, r *checker.SignedRelea
 	}
 
 	score = int(math.Floor(float64(score) / float64(totalReleases)))
-	reason := fmt.Sprintf("%d out of %d artifacts are signed or have provenance", total, totalReleases)
+	reason := fmt.Sprintf("%d out of %d most recent artifacts are signed or have provenance", total, totalReleases)
 	return checker.CreateResultWithScore(name, reason, score)
 }

checks/signed_releases_test.go

@@ -371,6 +371,55 @@ func TestSignedRelease(t *testing.T) {
 				Error: errors.New("Error getting releases"),
 			},
 		},
+		{
+			name: "Releases with no assets",
+			releases: []clients.Release{
+				{
+					TagName:         "v1.0.0",
+					URL:             "http://foo.com/v1.0.0",
+					TargetCommitish: "master",
+					Assets:          []clients.ReleaseAsset{},
+					TarballURL:      "http://foo.com/asset.tar.gz",
+					ZipballURL:      "http://foo.com/asset.zip",
+				},
+			},
+			expected: checker.CheckResult{
+				Score: 0,
+			},
+		},
+		{
+			name: "Some releases with no assets",
+			releases: []clients.Release{
+				{
+					TagName:         "v1.0.0",
+					URL:             "http://foo.com/v1.0.0",
+					TargetCommitish: "master",
+					Assets:          []clients.ReleaseAsset{},
+					TarballURL:      "http://foo.com/asset.tar.gz",
+					ZipballURL:      "http://foo.com/asset.zip",
+				},
+				{
+					TagName:         "v1.0.0",
+					URL:             "http://foo.com/v1.0.0",
+					TargetCommitish: "master",
+					Assets: []clients.ReleaseAsset{
+						{
+							Name: "foo.sig",
+							URL:  "http://foo.com/v2.0.0/foo.sig",
+						},
+						{
+							Name: "foo.txt",
+							URL:  "http://foo.com/v1.0.0/foo.txt",
+						},
+					},
+					TarballURL: "http://foo.com",
+					ZipballURL: "http://foo.com/asset.zip",
+				},
+			},
+			expected: checker.CheckResult{
+				Score: 4,
+			},
+		},
 	}
 
 	for _, tt := range tests {

clients/githubrepo/releases.go

@@ -72,6 +72,8 @@ func releasesFrom(data []*github.RepositoryRelease) []clients.Release {
 			TagName:         r.GetTagName(),
 			URL:             r.GetURL(),
 			TargetCommitish: r.GetTargetCommitish(),
+			ZipballURL:      r.GetZipballURL(),
+			TarballURL:      r.GetTarballURL(),
 		}
 		for _, a := range r.Assets {
 			release.Assets = append(release.Assets, clients.ReleaseAsset{

clients/release.go

@@ -19,6 +19,8 @@ type Release struct {
 	TagName         string
 	URL             string
 	TargetCommitish string
+	ZipballURL      string
+	TarballURL      string
 	Assets          []ReleaseAsset
 }