Add Sonatype Lift as a dependency update tool, doc upgrade

Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>
ossf · Oct 11, 2022 · 17a435e · 17a435e
1 parent 83db8ba
commit 17a435e
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 15 deletions.
diff --git a/checks/evaluation/dependency_update_tool.go b/checks/evaluation/dependency_update_tool.go
@@ -33,12 +33,8 @@ func DependencyUpdateTool(name string, dl checker.DetailLogger,
 	// Apply the policy evaluation.
 	if r.Tools == nil || len(r.Tools) == 0 {
 		dl.Warn(&checker.LogMessage{
-			Text: `dependabot config file not detected in source location.
-			We recommend setting this configuration in code so it can be easily verified by others.`,
-		})
-		dl.Warn(&checker.LogMessage{
-			Text: `renovatebot config file not detected in source location.
-			We recommend setting this configuration in code so it can be easily verified by others.`,
+			Text: `Config file not detected in source location for dependabot, renovatebot, Sonatype Lift, or
+			PyUp (Python). We recommend setting this configuration in code so it can be easily verified by others.`,
 		})
 		return checker.CreateMinScoreResult(name, "no update tool detected")
 	}

diff --git a/checks/raw/dependency_update_tool.go b/checks/raw/dependency_update_tool.go
@@ -112,6 +112,19 @@ var checkDependencyFileExists fileparser.DoWhileTrueOnFilename = func(name strin
 				},
 			},
 		})
+	case ".lift.toml", ".lift/config.toml":
+		*ptools = append(*ptools, checker.Tool{
+			Name: "Sonatype Lift",
+			URL:  asPointer("https://lift.sonatype.com"),
+			Desc: asPointer("Automated dependency updates. Multi-platform and multi-language."),
+			Files: []checker.File{
+				{
+					Path:   name,
+					Type:   checker.FileTypeSource,
+					Offset: checker.OffsetDefault,
+				},
+			},
+		})
 	default:
 		// Continue iterating.
 		return true, nil

diff --git a/checks/raw/dependency_update_tool_test.go b/checks/raw/dependency_update_tool_test.go
@@ -119,6 +119,24 @@ func Test_checkDependencyFileExists(t *testing.T) {
 			want:    false,
 			wantErr: false,
 		},
+        {
+            name: ".lift.toml",
+            args: args{
+                name: ".lift.toml",
+                data: &[]checker.Tool{},
+            },
+            want:    false,
+            wantErr: false,
+        },
+        {
+            name: ".lift/config.toml",
+            args: args{
+                name: ".lift/config.toml",
+                data: &[]checker.Tool{},
+            },
+            want:    false,
+            wantErr: false,
+        },
 	}
 	for _, tt := range tests {
 		tt := tt

diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml
@@ -57,9 +57,12 @@ checks:
       Risk: `High` (possibly vulnerable to attacks on known flaws)
 
       This check tries to determine if the project uses a dependency update tool,
-      specifically [dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates) or
-      [renovatebot](https://docs.renovatebot.com/configuration-options/). Out-of-date
-      dependencies make a project vulnerable to known flaws and prone to attacks.
+      specifically one of:
+      - [dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates)
+      - [renovatebot](https://docs.renovatebot.com/configuration-options/)
+      - [Sonatype Lift](https://help.sonatype.com/lift/getting-started)
+      - [PyUp](https://docs.pyup.io/docs) (Python)
+      Out-of-date dependencies make a project vulnerable to known flaws and prone to attacks.
       These tools automate the process of updating dependencies by scanning for
       outdated or insecure requirements, and opening a pull request to update them if
       found.
@@ -75,9 +78,7 @@ checks:
 
     remediation:
       - >-
-        Signup for automatic dependency updates with
-        [dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates) or
-        [renovatebot](https://docs.renovatebot.com/configuration-options/) and place
+        Signup for automatic dependency updates with one of the previously listed dependency update tools and place
         the config file in the locations that are recommended by these tools. Due to
         https://github.com/dependabot/dependabot-core/issues/2804 Dependabot can
         be enabled for forks where security updates have ever been turned on so projects
@@ -510,9 +511,7 @@ checks:
         the "Pin actions to a full length commit SHA". You may also tick the "Restrict permissions for GITHUB_TOKEN" to fix issues found
         by the Token-Permissions check.
       - >-
-        To help update your dependencies after pinning them, use tools such as
-         Github's [dependabot](https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/)
-        or [renovate bot](https://github.com/renovatebot/renovate).
+        To help update your dependencies after pinning them, use tools such as those listed for the dependency update tool check.
   SAST:
     risk: Medium
     tags: supply-chain, security, testing