From 17a435e9b9eef469ae40eb2e1e7ab071bdcb8a23 Mon Sep 17 00:00:00 2001
From: Theresa Mammarella
Date: Tue, 4 Oct 2022 22:01:33 +0100
Subject: [PATCH] Add Sonatype Lift as a dependency update tool, doc upgrade

Signed-off-by: Theresa Mammarella
---
 checks/evaluation/dependency_update_tool.go | 8 ++------
 checks/raw/dependency_update_tool.go | 13 +++++++++++++
 checks/raw/dependency_update_tool_test.go | 18 ++++++++++++++++++
 docs/checks/internal/checks.yaml | 17 ++++++++--------
 4 files changed, 41 insertions(+), 15 deletions(-)

diff --git a/checks/evaluation/dependency_update_tool.go b/checks/evaluation/dependency_update_tool.go
index 7f709727e78d..053d4a8be233 100644
--- a/checks/evaluation/dependency_update_tool.go
+++ b/checks/evaluation/dependency_update_tool.go
@@ -33,12 +33,8 @@ func DependencyUpdateTool(name string, dl checker.DetailLogger,
 // Apply the policy evaluation.
 if r.Tools == nil || len(r.Tools) == 0 {
 dl.Warn(&checker.LogMessage{
- Text: `dependabot config file not detected in source location.
- We recommend setting this configuration in code so it can be easily verified by others.`,
- })
- dl.Warn(&checker.LogMessage{
- Text: `renovatebot config file not detected in source location.
- We recommend setting this configuration in code so it can be easily verified by others.`,
+ Text: `Config file not detected in source location for dependabot, renovatebot, Sonatype Lift, or
+ PyUp (Python). We recommend setting this configuration in code so it can be easily verified by others.`,
 })
 return checker.CreateMinScoreResult(name, "no update tool detected")
 }
diff --git a/checks/raw/dependency_update_tool.go b/checks/raw/dependency_update_tool.go
index 81357b077caf..9580e75f3ad8 100644
--- a/checks/raw/dependency_update_tool.go
+++ b/checks/raw/dependency_update_tool.go
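Review bot: The new warning text hard-codes a list of four tool names in the evaluation layer, while the set of detected tools is owned by the switch in checks/raw (this same patch adds Lift there), so the two will drift the next time a tool is added or removed. It also names "PyUp (Python)", yet nothing in this patch adds PyUp detection; if the raw check does not already recognise a PyUp config file (not visible here), the message tells users a config is missing for a tool the check cannot find. A generic message avoids both problems, e.g. `Text: "no dependency update tool config file detected in source location. We recommend setting this configuration in code so it can be easily verified by others.",` with the supported tools documented once in checks.yaml. DependencyUpdateTool starts and ends outside the hunk.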
@@ -112,6 +112,19 @@ var checkDependencyFileExists fileparser.DoWhileTrueOnFilename = func(name strin
 },
 },
 })
+ case ".lift.toml", ".lift/config.toml":
+ *ptools = append(*ptools, checker.Tool{
+ Name: "Sonatype Lift",
+ URL: asPointer("https://lift.sonatype.com"),
+ Desc: asPointer("Automated dependency updates. Multi-platform and multi-language."),
+ Files: []checker.File{
+ {
+ Path: name,
+ Type: checker.FileTypeSource,
+ Offset: checker.OffsetDefault,
+ },
+ },
+ })
 default:
 // Continue iterating.
 return true, nil
diff --git a/checks/raw/dependency_update_tool_test.go b/checks/raw/dependency_update_tool_test.go
index 70ed4480eae8..b7bf6252d4ad 100644
--- a/checks/raw/dependency_update_tool_test.go
+++ b/checks/raw/dependency_update_tool_test.go
@@ -119,6 +119,24 @@ func Test_checkDependencyFileExists(t *testing.T) {
 want: false,
 wantErr: false,
 },
+ {
+ name: ".lift.toml",
+ args: args{
+ name: ".lift.toml",
+ data: &[]checker.Tool{},
+ },
+ want: false,
+ wantErr: false,
+ },
+ {
+ name: ".lift/config.toml",
+ args: args{
+ name: ".lift/config.toml",
+ data: &[]checker.Tool{},
+ },
+ want: false,
+ wantErr: false,
+ },
 }
 for _, tt := range tests {
 tt := tt
diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml
index c30952c8fce4..9db0bab3bbca 100644
--- a/docs/checks/internal/checks.yaml
+++ b/docs/checks/internal/checks.yaml
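Review bot: The new `case ".lift.toml", ".lift/config.toml":` records a tool purely from the file name; the file is never opened, so an empty or unrelated `.lift.toml` is enough to clear a check that checks.yaml rates as `High` risk. That matches the neighbouring cases, but it deserves a comment so nobody later reads `Desc` as a verified claim: `// Presence-only: the file is not parsed, so any .lift.toml counts as the tool being enabled.` The `Desc` string presents Lift as an automated dependency updater; if that feature has to be switched on inside the config rather than being on by default, presence of the file is a weaker signal than a dependabot.yml, which should be confirmed against Lift's documentation before relying on it. The enclosing closure `checkDependencyFileExists` starts and ends outside the hunk.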
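Review bot: The two new table entries assert only the `(false, nil)` return and never inspect `data`, so a wrong `Name` or `URL` in the Lift case, or a case that matched but appended nothing, would still pass. Since `data` is a `*[]checker.Tool`, a `wantTool string` field on the table plus `if tt.wantTool != "" && (len(*tt.args.data) != 1 || (*tt.args.data)[0].Name != tt.wantTool) { t.Errorf("tool = %+v, want %q", *tt.args.data, tt.wantTool) }` in the loop body would pin the recorded tool for both Lift paths. The loop body of `Test_checkDependencyFileExists` is outside the hunk, so where that check goes cannot be seen here.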
@@ -57,9 +57,12 @@ checks:
 Risk: `High` (possibly vulnerable to attacks on known flaws)

 This check tries to determine if the project uses a dependency update tool,
- specifically [dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates) or
- [renovatebot](https://docs.renovatebot.com/configuration-options/). Out-of-date
- dependencies make a project vulnerable to known flaws and prone to attacks.
+ specifically one of:
+ - [dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates)
+ - [renovatebot](https://docs.renovatebot.com/configuration-options/)
+ - [Sonatype Lift](https://help.sonatype.com/lift/getting-started)
+ - [PyUp](https://docs.pyup.io/docs) (Python)
+ Out-of-date dependencies make a project vulnerable to known flaws and prone to attacks.
 These tools automate the process of updating dependencies by scanning for
 outdated or insecure requirements, and opening a pull request to update them
 if found.
@@ -75,9 +78,7 @@ checks:
 remediation:
 - >-
- Signup for automatic dependency updates with
- [dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates) or
- [renovatebot](https://docs.renovatebot.com/configuration-options/) and place
+ Signup for automatic dependency updates with one of the previously listed dependency update tools and place
 the config file in the locations that are recommended by these tools.
 Due to https://github.com/dependabot/dependabot-core/issues/2804 Dependabot can be enabled for forks where security updates have ever been turned on so projects
@@ -510,9 +511,7 @@ checks:
 the "Pin actions to a full length commit SHA". You may also tick the "Restrict permissions for GITHUB_TOKEN" to fix issues found by the Token-Permissions check.
 - >-
- To help update your dependencies after pinning them, use tools such as
- Github's [dependabot](https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/)
- or [renovate bot](https://github.com/renovatebot/renovate).
+ To help update your dependencies after pinning them, use tools such as those listed for the dependency update tool check.
 SAST:
 risk: Medium
 tags: supply-chain, security, testing