├── .dockerignore ├── .github ├── actions │ ├── project-security-label-threshold-action │ │ ├── Dockerfile │ │ ├── action.yml │ │ └── entrypoint.sh │ └── project-security-report-action │ │ ├── Dockerfile │ │ ├── action.yml │ │ ├── build_fosstars.sh │ │ ├── cleanup_for_config_if_necessary.sh │ │ └── entrypoint.sh ├── dependabot.yml └── workflows │ ├── cli-tests.yml │ ├── codeql-analysis.yml │ ├── fosstars-project-report.yml │ ├── fosstars-rop-report.yml │ ├── maven.yml │ ├── oss-projects-security-label-thresholds.yml │ └── oss-projects-security-report.yml ├── .gitignore ├── .reuse └── dep5 ├── CONTRIBUTING.md ├── EXAMPLE.md ├── LICENSE ├── LICENSES └── Apache-2.0.txt ├── README.md ├── SECURITY.md ├── assembly.xml ├── bin ├── calc.sh └── report.sh ├── checkstyle-suppressions.xml ├── command_line_tool_demo.gif ├── docs ├── README.md ├── _config.yml ├── alternatives.md ├── compare_with_score-card.md ├── confidence.md ├── example.md ├── getting_oss_rules_of_play_rating.md ├── getting_oss_security_rating.md ├── getting_security_risk_introduced_by_oss.md ├── notes.md ├── oss │ └── security │ │ ├── FasterXML │ │ ├── jackson-core.md │ │ ├── jackson-databind.md │ │ └── jackson.md │ │ ├── GoogleChrome │ │ └── lighthouse.md │ │ ├── README.md │ │ ├── apache.yml │ │ ├── apache │ │ ├── activemq.md │ │ ├── airflow.md │ │ ├── ambari.md │ │ ├── apisix.md │ │ ├── arrow.md │ │ ├── avro.md │ │ ├── beam.md │ │ ├── bookkeeper.md │ │ ├── calcite.md │ │ ├── camel.md │ │ ├── carbondata.md │ │ ├── cassandra.md │ │ ├── cloudstack.md │ │ ├── commons-lang.md │ │ ├── cordova-android.md │ │ ├── cordova-ios.md │ │ ├── cordova-plugin-inappbrowser.md │ │ ├── couchdb.md │ │ ├── curator.md │ │ ├── dolphinscheduler.md │ │ ├── drill.md │ │ ├── druid.md │ │ ├── dubbo-admin.md │ │ ├── dubbo-go.md │ │ ├── dubbo-spring-boot-project.md │ │ ├── dubbo.md │ │ ├── echarts.md │ │ ├── flink.md │ │ ├── flume.md │ │ ├── geode.md │ │ ├── gobblin.md │ │ ├── groovy.md │ │ ├── guacamole-server.md │ │ ├── hadoop.md │ │ 
├── hbase.md │ │ ├── hive.md │ │ ├── httpcomponents-client.md │ │ ├── httpd.md │ │ ├── hudi.md │ │ ├── iceberg.md │ │ ├── ignite.md │ │ ├── iotdb.md │ │ ├── jmeter.md │ │ ├── kafka.md │ │ ├── kudu.md │ │ ├── kylin.md │ │ ├── libcloud.md │ │ ├── logging-log4j2.md │ │ ├── lucene-solr.md │ │ ├── lucenenet.md │ │ ├── mahout.md │ │ ├── maven.md │ │ ├── mesos.md │ │ ├── nano.md │ │ ├── netbeans.md │ │ ├── nifi.md │ │ ├── nutch.md │ │ ├── opennlp.md │ │ ├── openwhisk.md │ │ ├── parquet-mr.md │ │ ├── pdfbox.md │ │ ├── poi.md │ │ ├── predictionio.md │ │ ├── pulsar.md │ │ ├── rocketmq-externals.md │ │ ├── rocketmq-spring.md │ │ ├── rocketmq.md │ │ ├── servicecomb-java-chassis.md │ │ ├── servicecomb-pack.md │ │ ├── servicecomb-service-center.md │ │ ├── shardingsphere-elasticjob.md │ │ ├── shardingsphere.md │ │ ├── shiro.md │ │ ├── singa.md │ │ ├── skywalking.md │ │ ├── spark.md │ │ ├── storm.md │ │ ├── struts.md │ │ ├── superset.md │ │ ├── thrift.md │ │ ├── tika.md │ │ ├── tinkerpop.md │ │ ├── tomcat.md │ │ ├── trafficserver.md │ │ ├── tvm.md │ │ ├── zeppelin.md │ │ └── zookeeper.md │ │ ├── aws.yml │ │ ├── aws │ │ ├── amazon-ecs-agent.md │ │ ├── amazon-ecs-cli.md │ │ ├── amazon-freertos.md │ │ ├── amazon-vpc-cni-k8s.md │ │ ├── aws-cdk.md │ │ ├── aws-cli.md │ │ ├── aws-fpga.md │ │ ├── aws-lambda-go.md │ │ ├── aws-sam-cli.md │ │ ├── aws-sdk-cpp.md │ │ ├── aws-sdk-go.md │ │ ├── aws-sdk-java-v2.md │ │ ├── aws-sdk-java.md │ │ ├── aws-sdk-js.md │ │ ├── aws-sdk-net.md │ │ ├── aws-sdk-php-laravel.md │ │ ├── aws-sdk-php.md │ │ ├── aws-sdk-ruby.md │ │ ├── chalice.md │ │ ├── containers-roadmap.md │ │ ├── copilot-cli.md │ │ ├── jsii.md │ │ ├── lumberyard.md │ │ ├── opsworks-cookbooks.md │ │ ├── s2n-tls.md │ │ ├── sagemaker-python-sdk.md │ │ └── serverless-application-model.md │ │ ├── bcgit │ │ └── bc-java.md │ │ ├── bouncycastle.yml │ │ ├── curl │ │ └── curl.md │ │ ├── eclipse.yml │ │ ├── eclipse │ │ ├── che.md │ │ ├── deeplearning4j.md │ │ ├── eclipse-collections.md │ │ ├── 
jetty.project.md │ │ ├── mosquitto.md │ │ ├── mraa.md │ │ ├── paho.mqtt.android.md │ │ ├── paho.mqtt.c.md │ │ ├── paho.mqtt.golang.md │ │ ├── paho.mqtt.java.md │ │ ├── paho.mqtt.python.md │ │ └── sumo.md │ │ ├── github_projects.json │ │ ├── google.yml │ │ ├── google │ │ ├── ExoPlayer.md │ │ ├── brotli.md │ │ ├── cadvisor.md │ │ ├── dagger.md │ │ ├── deepdream.md │ │ ├── filament.md │ │ ├── flatbuffers.md │ │ ├── flexbox-layout.md │ │ ├── grumpy.md │ │ ├── gson.md │ │ ├── guava.md │ │ ├── guetzli.md │ │ ├── guice.md │ │ ├── gvisor.md │ │ ├── iosched.md │ │ ├── jax.md │ │ ├── leveldb.md │ │ ├── libphonenumber.md │ │ ├── mediapipe.md │ │ ├── python-fire.md │ │ ├── tink.md │ │ ├── web-starter-kit.md │ │ ├── yapf.md │ │ └── zx.md │ │ ├── improvements │ │ ├── README.md │ │ ├── conf.yml │ │ ├── github_projects.json │ │ ├── report_Jan_4th_2021_v1_0_0 │ │ │ ├── README.md │ │ │ ├── apache │ │ │ │ ├── commons-collections.md │ │ │ │ ├── commons-fileupload.md │ │ │ │ ├── commons-io.md │ │ │ │ ├── cxf.md │ │ │ │ ├── httpcomponents-client.md │ │ │ │ └── httpcomponents-core.md │ │ │ ├── bcgit │ │ │ │ └── bc-java.md │ │ │ ├── eclipse-ee4j │ │ │ │ └── eclipselink.md │ │ │ ├── madler │ │ │ │ └── zlib.md │ │ │ ├── netty │ │ │ │ └── netty.md │ │ │ └── qos-ch │ │ │ │ └── slf4j.md │ │ ├── report_Jan_4th_2021_v1_1_0 │ │ │ ├── README.md │ │ │ ├── apache │ │ │ │ ├── commons-collections.md │ │ │ │ ├── commons-fileupload.md │ │ │ │ ├── commons-io.md │ │ │ │ ├── cxf.md │ │ │ │ ├── httpcomponents-client.md │ │ │ │ └── httpcomponents-core.md │ │ │ ├── bcgit │ │ │ │ └── bc-java.md │ │ │ ├── eclipse-ee4j │ │ │ │ └── eclipselink.md │ │ │ ├── madler │ │ │ │ └── zlib.md │ │ │ ├── netty │ │ │ │ └── netty.md │ │ │ └── qos-ch │ │ │ │ └── slf4j.md │ │ └── report_Sep_1st_2020_v1_0_0 │ │ │ ├── README.md │ │ │ ├── apache │ │ │ ├── commons-collections.md │ │ │ ├── commons-fileupload.md │ │ │ ├── commons-io.md │ │ │ ├── cxf.md │ │ │ ├── httpcomponents-client.md │ │ │ └── httpcomponents-core.md │ │ │ ├── bcgit 
│ │ │ └── bc-java.md │ │ │ ├── eclipse-ee4j │ │ │ └── eclipselink.md │ │ │ ├── madler │ │ │ └── zlib.md │ │ │ ├── netty │ │ │ └── netty.md │ │ │ └── qos-ch │ │ │ └── slf4j.md │ │ ├── jackson.yml │ │ ├── netty │ │ ├── netty-tcnative.md │ │ └── netty.md │ │ ├── openssl │ │ └── openssl.md │ │ ├── other.yml │ │ ├── qos-ch │ │ └── slf4j.md │ │ ├── spring-projects │ │ ├── greenhouse.md │ │ ├── spring-batch.md │ │ ├── spring-boot.md │ │ ├── spring-data-book.md │ │ ├── spring-data-elasticsearch.md │ │ ├── spring-data-jpa.md │ │ ├── spring-data-mongodb.md │ │ ├── spring-data-redis.md │ │ ├── spring-framework.md │ │ ├── spring-integration.md │ │ ├── spring-kafka.md │ │ ├── spring-loaded.md │ │ ├── spring-mvc-showcase.md │ │ ├── spring-petclinic.md │ │ ├── spring-retry.md │ │ ├── spring-security-oauth.md │ │ ├── spring-security.md │ │ ├── spring-session.md │ │ └── spring-statemachine.md │ │ └── spring.yml ├── oss_rules_of_play_rating.md ├── oss_security_rating.md ├── oss_security_rating_tuning.md ├── qa.md ├── rating_score_feature_hierarchy.plantuml ├── rating_score_feature_hierarchy.png ├── ratings.md └── tuning.md ├── pom.xml └── src ├── main ├── docker │ └── cli │ │ └── Dockerfile ├── java │ └── com │ │ └── sap │ │ └── oss │ │ └── phosphor │ │ └── fosstars │ │ ├── advice │ │ ├── Advice.java │ │ ├── AdviceContent.java │ │ ├── AdviceContentYamlStorage.java │ │ ├── AdviceContext.java │ │ ├── Advisor.java │ │ ├── CompositeAdvisor.java │ │ ├── Link.java │ │ ├── SimpleAdvice.java │ │ └── oss │ │ │ ├── AbstractOssAdvisor.java │ │ │ ├── ArtifactVersionAdvisor.java │ │ │ ├── BanditAdvisor.java │ │ │ ├── CodeqlAdvisor.java │ │ │ ├── DependabotAdvisor.java │ │ │ ├── FindSecBugsAdvisor.java │ │ │ ├── FuzzingAdvisor.java │ │ │ ├── GoSecAdvisor.java │ │ │ ├── LgtmAdvisor.java │ │ │ ├── MemorySafetyAdvisor.java │ │ │ ├── NoHttpAdvisor.java │ │ │ ├── OssAdviceContentYamlStorage.java │ │ │ ├── OssRulesOfPlayAdvisor.java │ │ │ ├── OwaspDependencyCheckAdvisor.java │ │ │ ├── 
SecurityPolicyAdvisor.java │ │ │ ├── SigningAdvisor.java │ │ │ ├── SnykAdvisor.java │ │ │ └── github │ │ │ ├── AdviceForGitHubContextFactory.java │ │ │ └── OssSecurityGithubAdvisor.java │ │ ├── data │ │ ├── AbstractCachingDataProvider.java │ │ ├── AbstractDataProvider.java │ │ ├── AbstractReleaseInfoLoader.java │ │ ├── AbstractStaticScanToolsDataProvider.java │ │ ├── Cache.java │ │ ├── DataProvider.java │ │ ├── DataProviderSelector.java │ │ ├── NoUserCallback.java │ │ ├── NoValueCache.java │ │ ├── SimpleCompositeDataProvider.java │ │ ├── StandardValueCache.java │ │ ├── SubjectValueCache.java │ │ ├── Terminal.java │ │ ├── UserCallback.java │ │ ├── ValueCache.java │ │ ├── artifact │ │ │ ├── NvdEntryArtifactCveMatcher.java │ │ │ ├── ReleaseInfoFromMaven.java │ │ │ ├── ReleaseInfoFromNpm.java │ │ │ ├── ReleaseInfoLoader.java │ │ │ ├── VulnerabilitiesFromNpmAudit.java │ │ │ └── VulnerabilitiesFromOwaspDependencyCheck.java │ │ ├── github │ │ │ ├── AbstractDependencyScanDataProvider.java │ │ │ ├── AbstractGitHubDataProvider.java │ │ │ ├── BanditDataProvider.java │ │ │ ├── CachedSingleFeatureGitHubDataProvider.java │ │ │ ├── CodeOfConductGuidelineInfo.java │ │ │ ├── CodeqlDataProvider.java │ │ │ ├── Commit.java │ │ │ ├── ContributingGuidelineInfo.java │ │ │ ├── EstimateImpactUsingKnownVulnerabilities.java │ │ │ ├── FirstCommit.java │ │ │ ├── FuzzedInOssFuzz.java │ │ │ ├── GitCommit.java │ │ │ ├── GitHubCachingDataProvider.java │ │ │ ├── GitHubDataCache.java │ │ │ ├── GitHubDataFetcher.java │ │ │ ├── GoSecDataProvider.java │ │ │ ├── HasBugBountyProgram.java │ │ │ ├── HasCompanySupport.java │ │ │ ├── HasExecutableBinaries.java │ │ │ ├── HasSecurityPolicy.java │ │ │ ├── HasSecurityTeam.java │ │ │ ├── InfoAboutVulnerabilities.java │ │ │ ├── IsApache.java │ │ │ ├── IsEclipse.java │ │ │ ├── LgtmDataProvider.java │ │ │ ├── LicenseInfo.java │ │ │ ├── LocalRepository.java │ │ │ ├── LocalRepositoryInfo.java │ │ │ ├── MyPyDataProvider.java │ │ │ ├── NumberOfCommits.java │ │ │ ├── 
NumberOfContributors.java │ │ │ ├── NumberOfDependentProjectOnGitHub.java │ │ │ ├── NumberOfStars.java │ │ │ ├── NumberOfWatchers.java │ │ │ ├── NvdEntryMatcher.java │ │ │ ├── OwaspSecurityLibraries.java │ │ │ ├── PackageManagement.java │ │ │ ├── ProgrammingLanguages.java │ │ │ ├── ProjectStarted.java │ │ │ ├── PylintDataProvider.java │ │ │ ├── ReadmeInfo.java │ │ │ ├── ReleasesFromGitHub.java │ │ │ ├── SecurityReviewsFromOpenSSF.java │ │ │ ├── SignsJarArtifacts.java │ │ │ ├── TeamsInfo.java │ │ │ ├── UnpatchedVulnerabilities.java │ │ │ ├── UseReuseDataProvider.java │ │ │ ├── UsesDependabot.java │ │ │ ├── UsesFindSecBugs.java │ │ │ ├── UsesGithubForDevelopment.java │ │ │ ├── UsesNoHttpTool.java │ │ │ ├── UsesOwaspDependencyCheck.java │ │ │ ├── UsesSanitizers.java │ │ │ ├── UsesSignedCommits.java │ │ │ ├── UsesSnyk.java │ │ │ ├── VulnerabilitiesFromNvd.java │ │ │ ├── VulnerabilityAlertsInfo.java │ │ │ ├── experimental │ │ │ │ ├── VulnerabilitiesFromGitHubAdvisories.java │ │ │ │ └── graphql │ │ │ │ │ ├── GitHubAdvisories.java │ │ │ │ │ └── data │ │ │ │ │ ├── Advisory.java │ │ │ │ │ ├── AdvisoryReference.java │ │ │ │ │ ├── Data.java │ │ │ │ │ ├── GitHubAdvisoryEntry.java │ │ │ │ │ ├── Identifier.java │ │ │ │ │ ├── Node.java │ │ │ │ │ ├── Package.java │ │ │ │ │ ├── PageInfo.java │ │ │ │ │ ├── SecurityAdvisories.java │ │ │ │ │ └── SecurityVulnerabilities.java │ │ │ └── package-info.java │ │ ├── interactive │ │ │ ├── AbstractInteractiveDataProvider.java │ │ │ ├── AskAboutSecurityTeam.java │ │ │ ├── AskAboutUnpatchedVulnerabilities.java │ │ │ ├── AskOptions.java │ │ │ ├── AskYesOrNo.java │ │ │ └── SelectFromEnum.java │ │ ├── json │ │ │ ├── AbstractJsonStorage.java │ │ │ ├── BugBountyProgramStorage.java │ │ │ ├── CompanySupportStorage.java │ │ │ ├── SecurityTeamStorage.java │ │ │ ├── UnpatchedVulnerabilitiesStorage.java │ │ │ └── package-info.java │ │ ├── npmaudit │ │ │ └── model │ │ │ │ └── Advisory.java │ │ └── owasp │ │ │ └── model │ │ │ ├── Cvssv2.java │ │ │ ├── 
Cvssv3.java │ │ │ ├── Dependency.java │ │ │ ├── OwaspDependencyCheckEntry.java │ │ │ ├── OwaspDependencyCheckReference.java │ │ │ ├── OwaspDependencyCheckVuln.java │ │ │ ├── Software.java │ │ │ ├── VulnerableSoftware.java │ │ │ └── package-info.java │ │ ├── github │ │ ├── AbstractGitHubVisitor.java │ │ └── GitHubVisitor.java │ │ ├── maven │ │ ├── AbstractModelVisitor.java │ │ ├── GAV.java │ │ ├── MavenUtils.java │ │ └── ModelVisitor.java │ │ ├── model │ │ ├── Confidence.java │ │ ├── Feature.java │ │ ├── Interval.java │ │ ├── Label.java │ │ ├── Parameter.java │ │ ├── Rating.java │ │ ├── RatingRepository.java │ │ ├── Score.java │ │ ├── Subject.java │ │ ├── Tunable.java │ │ ├── Value.java │ │ ├── ValueSet.java │ │ ├── Visitor.java │ │ ├── Weight.java │ │ ├── feature │ │ │ ├── AbstractFeature.java │ │ │ ├── BooleanFeature.java │ │ │ ├── BoundedDoubleFeature.java │ │ │ ├── BoundedIntegerFeature.java │ │ │ ├── DataConfidentialityType.java │ │ │ ├── DateFeature.java │ │ │ ├── DoubleFeature.java │ │ │ ├── EnumFeature.java │ │ │ ├── Impact.java │ │ │ ├── LgtmGradeFeature.java │ │ │ ├── Likelihood.java │ │ │ ├── OwaspDependencyCheckCvssThreshold.java │ │ │ ├── OwaspDependencyCheckUsageFeature.java │ │ │ ├── PositiveIntegerFeature.java │ │ │ ├── Quantity.java │ │ │ ├── StringFeature.java │ │ │ ├── example │ │ │ │ ├── ExampleFeatures.java │ │ │ │ ├── NumberOfCommitsLastMonthExample.java │ │ │ │ ├── NumberOfContributorsLastMonthExample.java │ │ │ │ ├── SecurityReviewDoneExample.java │ │ │ │ └── StaticCodeAnalysisDoneExample.java │ │ │ └── oss │ │ │ │ ├── ArtifactVersionFeature.java │ │ │ │ ├── ArtifactVersionsFeature.java │ │ │ │ ├── Functionality.java │ │ │ │ ├── LanguagesFeature.java │ │ │ │ ├── OssFeatures.java │ │ │ │ ├── OssRiskFeatures.java │ │ │ │ ├── PackageManagersFeature.java │ │ │ │ ├── SecurityReviewsFeature.java │ │ │ │ └── VulnerabilitiesFeature.java │ │ ├── math │ │ │ ├── DoubleInterval.java │ │ │ └── MathHelper.java │ │ ├── other │ │ │ ├── 
ImmutabilityChecker.java │ │ │ ├── MakeImmutable.java │ │ │ └── Utils.java │ │ ├── qa │ │ │ ├── AbstractTestVector.java │ │ │ ├── AbstractVerification.java │ │ │ ├── AbstractVerifier.java │ │ │ ├── RatingVerification.java │ │ │ ├── RatingVerifier.java │ │ │ ├── ScoreTestVector.java │ │ │ ├── ScoreVerification.java │ │ │ ├── ScoreVerifier.java │ │ │ ├── StandardTestVector.java │ │ │ ├── TestScoreValue.java │ │ │ ├── TestVector.java │ │ │ ├── TestVectorBuilder.java │ │ │ ├── TestVectorResult.java │ │ │ ├── TestVectorWithDefaults.java │ │ │ ├── TestVectors.java │ │ │ ├── VerificationFailedException.java │ │ │ └── Verifier.java │ │ ├── rating │ │ │ ├── AbstractRating.java │ │ │ ├── NotApplicableLabel.java │ │ │ ├── example │ │ │ │ ├── SecurityRatingExample.java │ │ │ │ ├── SecurityRatingExampleTuningWithCMAES.java │ │ │ │ └── SecurityRatingExampleVerification.java │ │ │ └── oss │ │ │ │ ├── OssArtifactSecurityRating.java │ │ │ │ ├── OssRulesOfPlayRating.java │ │ │ │ ├── OssSecurityRating.java │ │ │ │ └── SecurityRiskIntroducedByOss.java │ │ ├── score │ │ │ ├── AbstractScore.java │ │ │ ├── AverageCompositeScore.java │ │ │ ├── FeatureBasedScore.java │ │ │ ├── WeightedCompositeScore.java │ │ │ ├── example │ │ │ │ ├── ExampleScores.java │ │ │ │ ├── ProjectActivityScoreExample.java │ │ │ │ ├── SecurityScoreExample.java │ │ │ │ └── SecurityTestingScoreExample.java │ │ │ └── oss │ │ │ │ ├── ArtifactLatestReleaseAgeScore.java │ │ │ │ ├── ArtifactReleaseHistoryScore.java │ │ │ │ ├── ArtifactVersionSecurityScore.java │ │ │ │ ├── ArtifactVersionUpToDateScore.java │ │ │ │ ├── ArtifactVersionVulnerabilityScore.java │ │ │ │ ├── BanditScore.java │ │ │ │ ├── CodeqlScore.java │ │ │ │ ├── CommunityCommitmentScore.java │ │ │ │ ├── DependabotScore.java │ │ │ │ ├── DependencyScanScore.java │ │ │ │ ├── FindSecBugsScore.java │ │ │ │ ├── FuzzingScore.java │ │ │ │ ├── GoSecScore.java │ │ │ │ ├── LgtmScore.java │ │ │ │ ├── MemorySafetyTestingScore.java │ │ │ │ ├── MyPyScore.java │ │ │ │ ├── 
NoHttpToolScore.java │ │ │ │ ├── OssArtifactSecurityScore.java │ │ │ │ ├── OssRulesOfPlayScore.java │ │ │ │ ├── OssSecurityScore.java │ │ │ │ ├── OssSecurityScoreTuningWithCMAES.java │ │ │ │ ├── OwaspDependencyScanScore.java │ │ │ │ ├── ProjectActivityScore.java │ │ │ │ ├── ProjectPopularityScore.java │ │ │ │ ├── ProjectSecurityAwarenessScore.java │ │ │ │ ├── ProjectSecurityTestingScore.java │ │ │ │ ├── PylintScore.java │ │ │ │ ├── SecurityReviewScore.java │ │ │ │ ├── SnykDependencyScanScore.java │ │ │ │ ├── StaticAnalysisScore.java │ │ │ │ ├── UnpatchedVulnerabilitiesScore.java │ │ │ │ ├── VulnerabilityDiscoveryAndSecurityTestingScore.java │ │ │ │ ├── VulnerabilityLifetimeScore.java │ │ │ │ └── risk │ │ │ │ ├── AdoptedRiskLikelihoodFactor.java │ │ │ │ ├── CalculatedSecurityRiskIntroducedByOss.java │ │ │ │ ├── DataConfidentialityRiskImpactFactor.java │ │ │ │ ├── FunctionalityRiskLikelihoodFactor.java │ │ │ │ ├── HandlingUntrustedDataRiskLikelihoodFactor.java │ │ │ │ ├── ImpactScore.java │ │ │ │ ├── RiskImpactScore.java │ │ │ │ ├── RiskLikelihoodCoefficient.java │ │ │ │ ├── RiskLikelihoodFactors.java │ │ │ │ ├── RiskLikelihoodScore.java │ │ │ │ └── UsageRiskLikelihoodFactor.java │ │ ├── subject │ │ │ ├── AbstractSubject.java │ │ │ └── oss │ │ │ │ ├── Artifact.java │ │ │ │ ├── GitHubOrganization.java │ │ │ │ ├── GitHubProject.java │ │ │ │ ├── MavenArtifact.java │ │ │ │ ├── NpmArtifact.java │ │ │ │ └── OpenSourceProject.java │ │ ├── tuning │ │ │ ├── AbstractTuning.java │ │ │ └── TuningWithCMAES.java │ │ ├── value │ │ │ ├── AbstractKnownValue.java │ │ │ ├── AbstractValue.java │ │ │ ├── ArtifactVersion.java │ │ │ ├── ArtifactVersionValue.java │ │ │ ├── ArtifactVersions.java │ │ │ ├── ArtifactVersionsValue.java │ │ │ ├── BooleanValue.java │ │ │ ├── CVSS.java │ │ │ ├── DateValue.java │ │ │ ├── DoubleValue.java │ │ │ ├── EnumValue.java │ │ │ ├── ExpiringValue.java │ │ │ ├── IntegerValue.java │ │ │ ├── Language.java │ │ │ ├── Languages.java │ │ │ ├── LanguagesValue.java │ │ 
│ ├── LgtmGrade.java │ │ │ ├── LgtmGradeValue.java │ │ │ ├── NotApplicableValue.java │ │ │ ├── OwaspDependencyCheckCvssThresholdValue.java │ │ │ ├── OwaspDependencyCheckUsage.java │ │ │ ├── OwaspDependencyCheckUsageValue.java │ │ │ ├── PackageManager.java │ │ │ ├── PackageManagers.java │ │ │ ├── PackageManagersValue.java │ │ │ ├── RatingValue.java │ │ │ ├── Reference.java │ │ │ ├── ScoreValue.java │ │ │ ├── SecurityReview.java │ │ │ ├── SecurityReviews.java │ │ │ ├── SecurityReviewsValue.java │ │ │ ├── SemanticVersion.java │ │ │ ├── StringValue.java │ │ │ ├── UnknownValue.java │ │ │ ├── ValueHashSet.java │ │ │ ├── VersionRange.java │ │ │ ├── Vulnerabilities.java │ │ │ ├── VulnerabilitiesValue.java │ │ │ └── Vulnerability.java │ │ └── weight │ │ │ ├── AbstractWeight.java │ │ │ ├── ImmutableWeight.java │ │ │ ├── MutableWeight.java │ │ │ └── ScoreWeights.java │ │ ├── nvd │ │ ├── Matcher.java │ │ ├── NVD.java │ │ └── data │ │ │ ├── AbstractCpeUri.java │ │ │ ├── Affects.java │ │ │ ├── BaseMetricV2.java │ │ │ ├── BaseMetricV3.java │ │ │ ├── CVE.java │ │ │ ├── CVSSv2.java │ │ │ ├── CVSSv3.java │ │ │ ├── Configurations.java │ │ │ ├── Cpe22Uri.java │ │ │ ├── Cpe23Uri.java │ │ │ ├── CpeMatch.java │ │ │ ├── CpeName.java │ │ │ ├── CpeUri.java │ │ │ ├── CveMetaData.java │ │ │ ├── Description.java │ │ │ ├── Impact.java │ │ │ ├── LangString.java │ │ │ ├── Node.java │ │ │ ├── NvdEntry.java │ │ │ ├── ProblemType.java │ │ │ ├── ProblemTypeData.java │ │ │ ├── Product.java │ │ │ ├── ProductData.java │ │ │ ├── ReferenceLink.java │ │ │ ├── References.java │ │ │ ├── Vendor.java │ │ │ ├── VendorData.java │ │ │ ├── Version.java │ │ │ └── VersionData.java │ │ ├── tool │ │ ├── AbstractHandler.java │ │ ├── Application.java │ │ ├── Config.java │ │ ├── GitHubProjectFinder.java │ │ ├── Handler.java │ │ ├── InputString.java │ │ ├── InputURL.java │ │ ├── MavenScmFinder.java │ │ ├── MultipleRatingsCalculator.java │ │ ├── NpmScmFinder.java │ │ ├── OssArtifactSecurityRatingHandler.java │ │ ├── 
OssProjectSecurityRatingHandler.java │ │ ├── OssRulesOfPlayRatingHandler.java │ │ ├── RatingCalculator.java │ │ ├── ReportConfig.java │ │ ├── SecurityRiskIntroducedByOssHandler.java │ │ ├── SingleRatingCalculator.java │ │ ├── SubjectCache.java │ │ ├── YesNoQuestion.java │ │ ├── YesNoSkipQuestion.java │ │ ├── format │ │ │ ├── AbstractMarkdownElement.java │ │ │ ├── AbstractMarkdownFormatter.java │ │ │ ├── BoldMarkdownString.java │ │ │ ├── CommonFormatter.java │ │ │ ├── Formatter.java │ │ │ ├── GroupedMarkdownElements.java │ │ │ ├── JoinedMarkdownElements.java │ │ │ ├── JsonPrettyPrinter.java │ │ │ ├── Markdown.java │ │ │ ├── MarkdownChoice.java │ │ │ ├── MarkdownElement.java │ │ │ ├── MarkdownHeader.java │ │ │ ├── MarkdownHeaderReference.java │ │ │ ├── MarkdownLink.java │ │ │ ├── MarkdownList.java │ │ │ ├── MarkdownRuleIdentifier.java │ │ │ ├── MarkdownSection.java │ │ │ ├── MarkdownString.java │ │ │ ├── MarkdownTemplate.java │ │ │ ├── OrderedMarkdownList.java │ │ │ ├── OssArtifactSecurityRatingMarkdownFormatter.java │ │ │ ├── OssRulesOfPlayRatingMarkdownFormatter.java │ │ │ ├── OssSecurityRatingMarkdownFormatter.java │ │ │ ├── PrettyPrinter.java │ │ │ ├── UnorderedMarkdownList.java │ │ │ └── model │ │ │ │ ├── Advices.java │ │ │ │ ├── Feature.java │ │ │ │ ├── Rating.java │ │ │ │ └── Score.java │ │ └── report │ │ │ ├── AbstractReporter.java │ │ │ ├── MergedJsonReporter.java │ │ │ ├── OssRulesOfPlayGitHubIssuesReporter.java │ │ │ ├── OssRulesOfPlayMarkdownReporter.java │ │ │ ├── OssSecurityRatingJsonReporter.java │ │ │ ├── OssSecurityRatingMarkdownReporter.java │ │ │ └── Reporter.java │ │ └── util │ │ ├── Config.java │ │ ├── Deserialization.java │ │ ├── Json.java │ │ └── Yaml.java ├── jupyter │ └── oss │ │ └── security │ │ ├── README.md │ │ ├── SecurityRatingAnalysis.ipynb │ │ └── commons.py └── resources │ ├── com │ └── sap │ │ └── oss │ │ └── phosphor │ │ └── fosstars │ │ ├── advice │ │ └── oss │ │ │ └── OssAdvice.yml │ │ ├── data │ │ ├── BugBountyPrograms.json │ │ 
├── CompanySupport.json │ │ ├── SecurityReview.json │ │ ├── SecurityTeams.json │ │ ├── UnpatchedVulnerabilities.json │ │ └── github │ │ │ └── experimental │ │ │ └── graphql │ │ │ ├── first_run_template │ │ │ └── next_page_run_template │ │ ├── model │ │ ├── rating │ │ │ ├── example │ │ │ │ └── SecurityRatingExample.json │ │ │ └── oss │ │ │ │ ├── OssArtifactSecurityRatingThresholds.json │ │ │ │ └── OssSecurityRatingThresholds.json │ │ └── score │ │ │ └── oss │ │ │ ├── OssArtifactSecurityScoreWeights.json │ │ │ ├── OssSecurityScoreWeights.yml │ │ │ └── ProjectSecurityTestingScoreWeights.yml │ │ └── tool │ │ ├── format │ │ ├── OssArtifactSecurityRatingMarkdownRatingValueTemplate.md │ │ ├── OssRulesOfPlayMarkdownRatingValueTemplate.md │ │ └── OssSecurityRatingMarkdownRatingValueTemplate.md │ │ └── report │ │ ├── MarkdownProjectDetailsTemplate.md │ │ ├── OssRulesOfPlayMarkdownReporterTemplate.md │ │ └── OssSecurityRatingMarkdownReporterMainTemplate.md │ └── log4j2.xml └── test ├── java └── com │ └── sap │ └── oss │ └── phosphor │ ├── fosstars │ ├── ScoreCollector.java │ ├── TestUtils.java │ ├── advice │ │ ├── AdviceContentTest.java │ │ ├── AdviceContentYamlStorageTest.java │ │ ├── LinkTest.java │ │ ├── SimpleAdviceTest.java │ │ └── oss │ │ │ ├── BanditAdvisorTest.java │ │ │ ├── CodeqlAdvisorTest.java │ │ │ ├── DependabotAdvisorTest.java │ │ │ ├── FindSecBugsAdvisorTest.java │ │ │ ├── FuzzingAdvisorTest.java │ │ │ ├── GoSecAdvisorTest.java │ │ │ ├── LgtmScoreAdvisorTest.java │ │ │ ├── MemorySafetyAdvisorTest.java │ │ │ ├── NoHttpAdvisorTest.java │ │ │ ├── OssAdviceContentYamlStorageTest.java │ │ │ ├── OssRulesOfPlayAdvisorTest.java │ │ │ ├── OwaspDependencyCheckAdvisorTest.java │ │ │ ├── SecurityPolicyAdvisorTest.java │ │ │ ├── SigningAdvisorTest.java │ │ │ ├── SnykAdvisorTest.java │ │ │ └── github │ │ │ └── OssSecurityGithubAdvisorTest.java │ ├── data │ │ ├── AbstractCachingDataProviderTest.java │ │ ├── AbstractStaticScanToolsDataProviderTest.java │ │ ├── 
DataProviderSelectorTest.java │ │ ├── NoUserCallbackTest.java │ │ ├── NoValueCacheTest.java │ │ ├── SimpleCompositeDataProviderTest.java │ │ ├── StandardValueCacheTest.java │ │ ├── TerminalTest.java │ │ ├── artifact │ │ │ ├── ReleaseInfoFromMavenTest.java │ │ │ ├── ReleaseInfoFromNpmTest.java │ │ │ ├── ReleaseInfoLoaderTest.java │ │ │ ├── VulnerabilitiesFromNpmAuditTest.java │ │ │ └── VulnerabilitiesFromOwaspDependencyCheckTest.java │ │ ├── github │ │ │ ├── BanditDataProviderTest.java │ │ │ ├── CodeOfConductGuidelineInfoTest.java │ │ │ ├── CodeqlDataProviderTest.java │ │ │ ├── ContributingGuidelineInfoTest.java │ │ │ ├── EstimateImpactUsingKnownVulnerabilitiesTest.java │ │ │ ├── FuzzedInOssFuzzTest.java │ │ │ ├── GitHubDataCacheTest.java │ │ │ ├── GitHubDataFetcherTest.java │ │ │ ├── GoSecDataProviderTest.java │ │ │ ├── HasBugBountyProgramTest.java │ │ │ ├── HasCompanySupportTest.java │ │ │ ├── HasExecutableBinariesTest.java │ │ │ ├── HasSecurityPolicyTest.java │ │ │ ├── HasSecurityTeamTest.java │ │ │ ├── IsEclipseTest.java │ │ │ ├── LgtmDataProviderTest.java │ │ │ ├── LicenseInfoTest.java │ │ │ ├── LocalRepositoryInfoTest.java │ │ │ ├── LocalRepositoryTest.java │ │ │ ├── MyPyDataProviderTest.java │ │ │ ├── NumberOfContributorsTest.java │ │ │ ├── NumberOfDependentProjectOnGitHubTest.java │ │ │ ├── NvdEntryMatcherTest.java │ │ │ ├── OwaspSecurityLibrariesTest.java │ │ │ ├── PackageManagementTest.java │ │ │ ├── ProgrammingLanguagesTest.java │ │ │ ├── PylintDataProviderTest.java │ │ │ ├── ReadmeInfoTest.java │ │ │ ├── ReleasesFromGitHubTest.java │ │ │ ├── SecurityReviewsFromOpenSSFTest.java │ │ │ ├── SignsJarArtifactsTest.java │ │ │ ├── TeamsInfoTest.java │ │ │ ├── TestGitHubDataFetcherHolder.java │ │ │ ├── UnpatchedVulnerabilitiesTest.java │ │ │ ├── UseReuseDataProviderTest.java │ │ │ ├── UsesDependabotTest.java │ │ │ ├── UsesFindSecBugsTest.java │ │ │ ├── UsesGithubForDevelopmentTest.java │ │ │ ├── UsesNoHttpToolTest.java │ │ │ ├── UsesOwaspDependencyCheckTest.java 
│ │ │ ├── UsesSanitizersTest.java │ │ │ ├── UsesSignedCommitTest.java │ │ │ ├── UsesSnykTest.java │ │ │ └── VulnerabilityAlertsInfoTest.java │ │ ├── interactive │ │ │ ├── AskAboutSecurityTeamTest.java │ │ │ ├── AskAboutUnpatchedVulnerabilitiesTest.java │ │ │ └── TestUserCallback.java │ │ └── json │ │ │ ├── CompanySupportStorageTest.java │ │ │ ├── SecurityTeamStorageTest.java │ │ │ └── UnpatchedVulnerabilitiesStorageTest.java │ ├── maven │ │ ├── GAVTest.java │ │ └── ModelVisitorTest.java │ ├── model │ │ ├── ConfidenceTest.java │ │ ├── RatingRepositoryTest.java │ │ ├── feature │ │ │ ├── DoubleFeatureTest.java │ │ │ ├── EnumFeatureTest.java │ │ │ ├── LgtmGradeFeatureTest.java │ │ │ ├── StringFeatureTest.java │ │ │ ├── example │ │ │ │ ├── NumberOfCommitsLastMonthExampleTest.java │ │ │ │ ├── NumberOfContributorsLastMonthExampleTest.java │ │ │ │ ├── SecurityReviewDoneExampleTest.java │ │ │ │ └── StaticCodeAnalysisDoneExampleTest.java │ │ │ └── oss │ │ │ │ ├── ArtifactVersionFeatureTest.java │ │ │ │ ├── ArtifactVersionsFeatureTest.java │ │ │ │ ├── LanguagesFeatureTest.java │ │ │ │ ├── PackageManagersFeatureTest.java │ │ │ │ ├── SecurityReviewsFeatureTest.java │ │ │ │ └── VulnerabilitiesFeatureTest.java │ │ ├── math │ │ │ ├── DoubleIntervalTest.java │ │ │ └── MathHelperTest.java │ │ ├── other │ │ │ └── UtilsTest.java │ │ ├── qa │ │ │ ├── RatingVerificationTest.java │ │ │ ├── RatingVerifierTest.java │ │ │ ├── ScoreTestVectorTest.java │ │ │ ├── ScoreVerificationTest.java │ │ │ ├── ScoreVerifierTest.java │ │ │ ├── StandardTestVectorTest.java │ │ │ ├── TestVectorBuilderTest.java │ │ │ ├── TestVectorResultTest.java │ │ │ └── TestVectorsTest.java │ │ ├── rating │ │ │ ├── NotApplicableLabelTest.java │ │ │ ├── example │ │ │ │ ├── SecurityRatingExampleTest.java │ │ │ │ └── SecurityRatingExampleVectorsTest.java │ │ │ └── oss │ │ │ │ ├── OssArtifactSecurityRatingTest.java │ │ │ │ ├── OssArtifactSecurityRatingVerificationTest.java │ │ │ │ ├── OssRulesOfPlayRatingTest.java │ │ │ │ ├── 
OssSecurityRatingTest.java │ │ │ │ ├── OssSecurityRatingVerificationTest.java │ │ │ │ ├── SecurityRiskIntroducedByOssTest.java │ │ │ │ ├── SecurityRiskIntroducedByOssVerificationTest.java │ │ │ │ └── TestArtifactVersion.java │ │ ├── score │ │ │ ├── AbstractScoreTest.java │ │ │ ├── AverageCompositeScoreTest.java │ │ │ ├── FeatureBasedScoreTest.java │ │ │ ├── WeightedCompositeScoreTest.java │ │ │ ├── example │ │ │ │ └── ProjectActivityScoreExampleTest.java │ │ │ └── oss │ │ │ │ ├── ArtifactLatestReleaseAgeScoreTest.java │ │ │ │ ├── ArtifactReleaseHistoryScoreTest.java │ │ │ │ ├── ArtifactVersionSecurityScoreTest.java │ │ │ │ ├── ArtifactVersionUpToDateScoreTest.java │ │ │ │ ├── ArtifactVersionVulnerabilityScoreTest.java │ │ │ │ ├── BanditScoreTest.java │ │ │ │ ├── CodeqlScoreTest.java │ │ │ │ ├── CommunityCommitmentScoreTest.java │ │ │ │ ├── DependabotScoreTest.java │ │ │ │ ├── DependencyScanScoreTest.java │ │ │ │ ├── FindSecBugsScoreTest.java │ │ │ │ ├── FuzzingScoreTest.java │ │ │ │ ├── GoSecScoreTest.java │ │ │ │ ├── LgtmScoreTest.java │ │ │ │ ├── MemorySafetyTestingScoreTest.java │ │ │ │ ├── MyPyScoreTest.java │ │ │ │ ├── NoHttpToolScoreTest.java │ │ │ │ ├── OssArtifactSecurityScoreTest.java │ │ │ │ ├── OssRulesOfPlayScoreTest.java │ │ │ │ ├── OssSecurityScoreTest.java │ │ │ │ ├── OwaspDependencyScanScoreTest.java │ │ │ │ ├── ProjectActivityScoreTest.java │ │ │ │ ├── ProjectPopularityScoreTest.java │ │ │ │ ├── ProjectSecurityAwarenessScoreTest.java │ │ │ │ ├── ProjectSecurityTestingScoreTest.java │ │ │ │ ├── PylintScoreTest.java │ │ │ │ ├── ScoreVerificationTest.java │ │ │ │ ├── SecurityReviewScoreTest.java │ │ │ │ ├── SnykDependencyScanScoreTest.java │ │ │ │ ├── StaticAnalysisScoreTest.java │ │ │ │ ├── UnpatchedVulnerabilitiesScoreTest.java │ │ │ │ ├── VulnerabilityDiscoveryAndSecurityTestingScoreTest.java │ │ │ │ ├── VulnerabilityLifetimeScoreTest.java │ │ │ │ └── risk │ │ │ │ ├── AdoptedRiskLikelihoodFactorTest.java │ │ │ │ ├── 
CalculatedSecurityRiskIntroducedByOssTest.java │ │ │ │ ├── DataConfidentialityRiskImpactFactorTest.java │ │ │ │ ├── FunctionalityRiskLikelihoodFactorTest.java │ │ │ │ ├── HandlingUntrustedDataRiskLikelihoodFactorTest.java │ │ │ │ ├── ImpactScoreTest.java │ │ │ │ ├── RiskImpactScoreTest.java │ │ │ │ ├── RiskImpactScoreVerificationTest.java │ │ │ │ ├── RiskLikelihoodCoefficientTest.java │ │ │ │ ├── RiskLikelihoodCoefficientVerificationTest.java │ │ │ │ ├── RiskLikelihoodFactorsTest.java │ │ │ │ ├── RiskLikelihoodScoreTest.java │ │ │ │ ├── RiskLikelihoodScoreVerificationTest.java │ │ │ │ └── UsageRiskLikelihoodFactorTest.java │ │ ├── subject │ │ │ ├── AbstractSubjectTest.java │ │ │ └── oss │ │ │ │ ├── GitHubOrganizationTest.java │ │ │ │ ├── GitHubProjectTest.java │ │ │ │ ├── MavenArtifactTest.java │ │ │ │ └── NpmArtifactTest.java │ │ ├── tuning │ │ │ └── TuningWithCMAESTest.java │ │ ├── value │ │ │ ├── AbstractKnownValueTest.java │ │ │ ├── ArtifactVersionTest.java │ │ │ ├── ArtifactVersionValueTest.java │ │ │ ├── ArtifactVersionsTest.java │ │ │ ├── ArtifactVersionsValueTest.java │ │ │ ├── BooleanValueTest.java │ │ │ ├── CvssTest.java │ │ │ ├── DateValueTest.java │ │ │ ├── DoubleValueTest.java │ │ │ ├── EnumValueTest.java │ │ │ ├── IntegerValueTest.java │ │ │ ├── LanguageTest.java │ │ │ ├── LanguagesTest.java │ │ │ ├── LanguagesValueTest.java │ │ │ ├── LgtmGradeTest.java │ │ │ ├── LgtmGradeValueTest.java │ │ │ ├── NotApplicableValueTest.java │ │ │ ├── OwaspDependencyCheckCvssThresholdValueTest.java │ │ │ ├── PackageManagersTest.java │ │ │ ├── PackageManagersValueTest.java │ │ │ ├── RatingValueTest.java │ │ │ ├── ReferenceTest.java │ │ │ ├── ScoreValueTest.java │ │ │ ├── SecurityReviewTest.java │ │ │ ├── SecurityReviewsTest.java │ │ │ ├── SecurityReviewsValueTest.java │ │ │ ├── SemanticVersionTest.java │ │ │ ├── StringValueTest.java │ │ │ ├── UnknownValueTest.java │ │ │ ├── ValueHashSetTest.java │ │ │ ├── VersionRangeTest.java │ │ │ ├── VulnerabilitiesTest.java │ │ │ 
├── VulnerabilitiesValueTest.java │ │ │ └── VulnerabilityTest.java │ │ └── weight │ │ │ ├── AbstractWeightTest.java │ │ │ ├── ImmutableWeightTest.java │ │ │ ├── MutableWeightTest.java │ │ │ └── ScoreWeightsTest.java │ ├── nvd │ │ ├── NVDTest.java │ │ └── TestNVD.java │ ├── tool │ │ ├── ApplicationTest.java │ │ ├── GitHubProjectFinderTest.java │ │ ├── MavenScmFinderTest.java │ │ ├── MultipleRatingsCalculatorTest.java │ │ ├── SingleRatingCalculatorTest.java │ │ ├── SubjectCacheTest.java │ │ ├── format │ │ │ ├── MarkdownBuilderTest.java │ │ │ ├── OssRulesOfPlayRatingMarkdownFormatterTest.java │ │ │ ├── OssSecurityRatingMarkdownFormatterTest.java │ │ │ └── PrettyPrinterTest.java │ │ └── report │ │ │ ├── MergedJsonReporterTest.java │ │ │ ├── OssRulesOfPlayGitHubIssuesReporterTest.java │ │ │ ├── OssRulesOfPlayMarkdownReporterTest.java │ │ │ ├── OssSecurityRatingJsonReporterTest.java │ │ │ └── OssSecurityRatingMarkdownReporterTest.java │ └── util │ │ └── SafeDeserializationTest.java │ └── test │ ├── AnotherData.java │ ├── Data.java │ ├── DoubleData.java │ ├── Entity.java │ └── IntegerData.java ├── resources └── com │ └── sap │ └── oss │ └── phosphor │ └── fosstars │ ├── advice │ └── AdviceContentStorageTest.yml │ ├── data │ ├── artifact │ │ ├── NoCvesFromNpmAudit.json │ │ ├── NoPatchForAdvisory.json │ │ ├── NotAllCvesFromNpmAudit.json │ │ ├── NpmVulnerabilitiesFromNvd.json │ │ ├── OwaspDependencyHasNoVulnerabilities.json │ │ ├── ReleaseInfoFromMaven.html │ │ ├── ReleaseInfoFromMavenNoArtifactInList.html │ │ ├── ReleaseInfoFromNpm.json │ │ ├── VulnerabilitiesFromNpmAudit.json │ │ ├── VulnerabilitiesFromOwaspDependencyCheck.json │ │ └── VulnerabilitiesFromOwaspNoDependencies.json │ └── github │ │ ├── GradleCheckStyleWithNoHttp.gradle │ │ ├── GradleCheckStyleWithoutNoHttp.gradle │ │ ├── GradleWithOwaspDependencyCheck.gradle │ │ ├── GradleWithOwaspDependencyCheckWithFailBuildOnAnyIssueFalse.gradle │ │ ├── GradleWithOwaspDependencyCheckWithFailBuildOnAnyIssueTrue.gradle │ │ 
├── GradleWithOwaspDependencyCheckWithFailBuildOnCvss.gradle │ │ ├── GradleWithOwaspSecurityTools.gradle │ │ ├── GradleWithoutOwaspDependencyCheck.gradle │ │ ├── GradleWithoutOwaspSecurityTools.gradle │ │ ├── LgtmProjectDoesNotExistReply.json │ │ ├── LgtmProjectInfoReply.json │ │ ├── MavenCheckStyleWithNoHttp.xml │ │ ├── MavenCheckStyleWithNoHttpInProfilesBuild.xml │ │ ├── MavenCheckStyleWithoutNoHttp.xml │ │ ├── MavenPomWithMavenGPG.xml │ │ ├── MavenPomWithoutMavenGPG.xml │ │ ├── MavenWithFindSecBugs.xml │ │ ├── MavenWithFindSecBugsInProfilesBuild.xml │ │ ├── MavenWithOwaspDependencyCheckInBuild.xml │ │ ├── MavenWithOwaspDependencyCheckInBuildAndProfile.xml │ │ ├── MavenWithOwaspDependencyCheckInBuildPluginManagement.xml │ │ ├── MavenWithOwaspDependencyCheckInProfilesBuild.xml │ │ ├── MavenWithOwaspDependencyCheckInProfilesReporting.xml │ │ ├── MavenWithOwaspDependencyCheckInReporting.xml │ │ ├── MavenWithOwaspEsapiInDefaultDependencies.xml │ │ ├── MavenWithOwaspEsapiInProfiledDependencies.xml │ │ ├── MavenWithOwaspJavaEncoderInDefaultDependencies.xml │ │ ├── MavenWithOwaspJavaHtmlSanitizerInDefaultDependencies.xml │ │ ├── MavenWithoutFindSecBugs.xml │ │ ├── MavenWithoutOwaspDependencyCheck.xml │ │ ├── MavenWithoutOwaspEsapiDependency.xml │ │ ├── bandit-analysis-with-multiple-jobs.yml │ │ ├── bandit-analysis-with-no-bandit-run-but-uses-bandit.yml │ │ ├── bandit-analysis-with-no-bandit-run.yml │ │ ├── bandit-analysis-with-run.yml │ │ ├── codeql-analysis-with-pr.yml │ │ ├── codeql-analysis-without-pr.yml │ │ ├── gosec-analysis-run-with-exclude-rules.yml │ │ ├── gosec-analysis-run-with-include-rules.yml │ │ ├── gosec-analysis-run-without-rules.yml │ │ ├── gosec-analysis-uses-without-with-key.yml │ │ ├── gosec-analysis-with-multiple-jobs.yml │ │ ├── gosec-analysis-with-no-gosec-run.yml │ │ ├── gosec-analysis-with-rules-in-different-step.yml │ │ ├── gosec-analysis-with-run.yml │ │ ├── gosec-analysis-with-uses.yml │ │ ├── mypy-analysis-with-pre-commit-hook.yml │ │ ├── 
mypy-analysis-with-prospector.yml │ │ ├── mypy-analysis-with-run.yml │ │ ├── no-codeql-analysis.yml │ │ ├── pylint-analysis-as-pre-commit-hook.yml │ │ ├── pylint-analysis-no-pylint-hook.yml │ │ ├── pylint-analysis-with-multiple-jobs.yml │ │ ├── pylint-analysis-with-no-pylint-run-but-uses-pylint.yml │ │ ├── pylint-analysis-with-no-pylint-run.yml │ │ ├── pylint-analysis-with-prospector.yml │ │ ├── pylint-analysis-with-pylint-in-entry.yml │ │ ├── pylint-analysis-with-pylint-in-repo.yml │ │ ├── pylint-analysis-with-pylint-in-rev.yml │ │ ├── pylint-analysis-with-run.yml │ │ ├── tox-no-pylint.ini │ │ └── tox.ini │ ├── maven │ └── PomWithDependencies.xml │ ├── model │ ├── rating │ │ ├── example │ │ │ └── SecurityRatingExampleVerificationTestVectors.yml │ │ └── oss │ │ │ ├── OssArtifactSecurityRatingTestVectors.yml │ │ │ └── OssSecurityRatingTestVectors.yml │ └── score │ │ └── oss │ │ ├── BanditScoreTestVectors.yml │ │ ├── CodeqlScoreTestVectors.yml │ │ ├── CommunityCommitmentScoreTestVectors.yml │ │ ├── DependabotScoreTestVectors.yml │ │ ├── DependencyScanScoreTestVectors.yml │ │ ├── FindSecBugsScoreTestVectors.yml │ │ ├── FuzzingScoreTestVectors.yml │ │ ├── GoSecScoreTestVectors.yml │ │ ├── LgtmScoreTestVectors.yml │ │ ├── MemorySafetyTestingScoreTestVectors.yml │ │ ├── MyPyScoreTestVectors.yml │ │ ├── NoHttpToolScoreTestVectors.yml │ │ ├── OssSecurityScoreTestVectors.yml │ │ ├── OwaspDependencyScanScoreTestVectors.yml │ │ ├── ProjectActivityScoreTestVectors.yml │ │ ├── ProjectPopularityScoreTestVectors.yml │ │ ├── ProjectSecurityAwarenessScoreTestVectors.yml │ │ ├── ProjectSecurityTestingScoreTestVectors.yml │ │ ├── PylintScoreTestVectors.yml │ │ ├── SecurityReviewScoreTestVectors.yml │ │ ├── SnykDependencyScanScoreTestVectors.yml │ │ ├── StaticAnalysisScoreTestVectors.yml │ │ ├── UnpatchedVulnerabilitiesScoreTestVectors.yml │ │ ├── VulnerabilityDiscoveryAndSecurityTestingScoreTestVectors.yml │ │ └── VulnerabilityLifetimeScoreTestVectors.yml │ ├── nvd │ ├── 
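NVD_matcher.json │ └── NVD_part.json │ └── tool │ ├── NoOrganizationsProjectFinderConfig.yml │ ├── ValidProjectFinderConfig.yml │ └── ValidSecurityRatingCalculatorConfig.yml └── shell └── tool └── github ├── CodeOfConductGuidelineInfo.config.yml ├── ContributingGuidelineInfo.config.yml ├── LicenseInfo.config.yml ├── OssRulesOfPlayRatingMarkdownFormatter.config.yml ├── README.md ├── lib.sh ├── run_tests.sh ├── test_anonymous_connection.sh ├── test_artifact_security_with_gav.sh ├── test_artifact_security_with_npm.sh ├── test_artifact_security_with_purl.sh ├── test_both_url_and_config.sh ├── test_help.sh ├── test_oss_rop_config.yml ├── test_oss_rop_with_config.sh ├── test_oss_rop_with_scm.sh ├── test_project_security_with_config.sh ├── test_project_security_with_gav.sh ├── test_project_security_with_npm.sh ├── test_project_security_with_pom.sh ├── test_project_security_with_pom.xml ├── test_project_security_with_purl.sh ├── test_project_security_with_scm.sh ├── test_security_config.yml └── test_security_risk_with_scm.sh
--------------------------------------------------------------------------------
/.dockerignore:
--------------------------------------------------------------------------------
.fosstars
.git
.github
.idea
.reuse
docs
*/test
--------------------------------------------------------------------------------
/.github/actions/project-security-label-threshold-action/Dockerfile:
--------------------------------------------------------------------------------
# NOTE(review): "python:3" is a floating tag, so every build may pull a different base image.
# Pin a specific version (ideally a digest) for reproducible, auditable action builds.
FROM python:3

# Package lists are removed in the same layer so they do not bloat the image
# or leak a stale index into later builds.
RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y git jupyter python3-pandas python3-yaml cowsay && \
    rm -rf /var/lib/apt/lists/*

# cowsay lives in /usr/games on Debian, which is not on PATH by default.
ENV PATH="${PATH}:/usr/games"

COPY entrypoint.sh /opt/entrypoint.sh

ENTRYPOINT [ "/opt/entrypoint.sh" ]
--------------------------------------------------------------------------------
/.github/actions/project-security-label-threshold-action/action.yml:
--------------------------------------------------------------------------------
name: "Calculate label thresholds for Fosstars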
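security ratings"
description: "The action calculates label thresholds for Fosstars project security rating procedure."
inputs:
  input-file:
    description: "A path to an input JSON file"
    default: "github_projects.json"
    required: true
  report-branch:
    description: "A branch where the output file should be stored"
    required: true
    default: oss-security-report
  fosstars-version:
    description: "A version of Fosstars"
    required: true
    # NOTE(review): "master" is a moving target - each run builds whatever the branch points
    # at right now. Callers that need reproducible results should pass a tag or commit.
    default: master
runs:
  using: "docker"
  image: "Dockerfile"
  args:
    - ${{ inputs.input-file }}
    - ${{ inputs.report-branch }}
    - ${{ inputs.fosstars-version }}
--------------------------------------------------------------------------------
/.github/actions/project-security-report-action/Dockerfile:
--------------------------------------------------------------------------------
# NOTE(review): the official "openjdk" image is deprecated and no longer receives updates;
# consider a maintained JDK 8 image pinned to a digest.
FROM openjdk:8

RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y git jq && \
    rm -rf /var/lib/apt/lists/*

# Maven is fetched over HTTPS only and verified against a pinned SHA-512 before it is
# extracted; a checksum mismatch aborts the build. The archive is removed afterwards.
RUN wget --https-only https://downloads.apache.org/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz && \
    HASH=c35a1803a6e70a126e80b2b3ae33eed961f83ed74d18fcd16909b2d44d7dada3203f1ffe726c17ef8dcca2dcaa9fca676987befeadc9b9f759967a8cb77181c0 && \
    echo "$HASH apache-maven-3.6.3-bin.tar.gz" | sha512sum --check --status && \
    tar xf apache-maven-3.6.3-bin.tar.gz -C /opt && \
    rm -f apache-maven-3.6.3-bin.tar.gz

ENV M2_HOME="/opt/apache-maven-3.6.3"
ENV MAVEN_HOME="/opt/apache-maven-3.6.3"
ENV PATH="${MAVEN_HOME}/bin:${PATH}"

RUN mvn -version

COPY build_fosstars.sh /opt/build_fosstars.sh
COPY cleanup_for_config_if_necessary.sh /opt/cleanup_for_config_if_necessary.sh
COPY entrypoint.sh /opt/entrypoint.sh

ENTRYPOINT [ "/opt/entrypoint.sh" ]
--------------------------------------------------------------------------------
/.github/actions/project-security-report-action/action.yml: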
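--------------------------------------------------------------------------------
name: "Calculate Fosstars security ratings for open source projects"
description: "The action calculates security ratings for a number of open source projects."
inputs:
  config-file:
    description: "A path to a config file"
    required: true
  report-branch:
    description: "A branch where the report is stored"
    required: true
    default: oss-security-report
  fosstars-version:
    description: "A version of Fosstars"
    required: true
    # NOTE(review): "master" is a moving target; pass a tag or commit for reproducible runs.
    default: master
  token:
    description: "A GitHub token for accessing the repository"
    required: true
  cleanup:
    description: "Tells the action to remove the old report and data"
    required: false
    # Quoted on purpose: an unquoted No/Yes is a YAML 1.1 boolean and may reach the
    # entrypoint as "false"/"true" rather than the literal "No"/"Yes" that
    # cleanup_for_config_if_necessary.sh compares against.
    default: "No"
runs:
  using: "docker"
  image: "Dockerfile"
  # NOTE(review): the token is handed over as a container argument, so it is visible to any
  # process inside the container that lists command lines (/proc/<pid>/cmdline). Passing it
  # through `env:` would be safer; the positional contract is kept here because
  # entrypoint.sh (not shown in this listing) reads these values by position.
  args:
    - ${{ inputs.config-file }}
    - ${{ inputs.report-branch }}
    - ${{ inputs.fosstars-version }}
    - ${{ inputs.token }}
    - ${{ inputs.cleanup }}
--------------------------------------------------------------------------------
/.github/actions/project-security-report-action/build_fosstars.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Clones Fosstars, checks out $FOSSTARS_VERSION and builds the CLI jar.
# Returns to the caller's directory and exits with the build's status.

old_directory=$(pwd)
# NOTE(review): the clone is not pinned; with the default "master" every run builds whatever
# the branch currently points at. FOSSTARS_VERSION is quoted so an empty or
# whitespace-containing value cannot turn into a different git command line.
git clone https://github.com/SAP/fosstars-rating-core && \
  cd fosstars-rating-core && \
  git checkout "$FOSSTARS_VERSION" && \
  mvn package -ntp -DskipTests -Dcheckstyle.skip -Dmaven.javadoc.skip
code=$?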
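cd "${old_directory}"
exit $code
--------------------------------------------------------------------------------
/.github/actions/project-security-report-action/cleanup_for_config_if_necessary.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# When CLEANUP is exactly "Yes", drop the previous report: the .fosstars cache plus every
# Markdown and JSON file below the current directory.
# NOTE(review): the removal is recursive from "." and is not limited to the report
# directory; run this only inside the checked-out report branch.

if [ "$CLEANUP" == "Yes" ]; then
  echo "Remove the old report and data"
  echo "Remove .fosstars"
  rm -rf .fosstars > /dev/null 2>&1

  # find -exec handles file names with spaces or newlines, which
  # `for f in $(find ...)` silently mangles.
  echo "Remove Markdown files"
  find . -type f -name "*.md" -exec rm -f {} + > /dev/null 2>&1

  echo "Remove JSON files"
  find . -type f -name "*.json" -exec rm -f {} + > /dev/null 2>&1
fi
--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
version: 2
updates:

  # Maintain dependencies for GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    labels:
      - "dependency"
    reviewers:
      - "SAP/fosstars-rating-core-team"

  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "daily"
    labels:
      - "dependency"
    reviewers:
      - "SAP/fosstars-rating-core-team"
--------------------------------------------------------------------------------
/.github/workflows/cli-tests.yml:
--------------------------------------------------------------------------------
name: CLI tests

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master

# Least privilege for GITHUB_TOKEN: this job builds the jar and runs read-only CLI tests
# against GitHub; declaring the block drops every permission not listed here.
permissions:
  contents: read

jobs:
  build:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
    steps:
      # NOTE(review): actions are pinned to tags; a tag can be moved, so pinning to a full
      # commit SHA (with the tag in a comment) is the stronger supply-chain control.
      - uses: actions/checkout@v3.5.3
      - name: Set up JDK 1.8
        uses: actions/setup-java@v3
        with:
          distribution: 'adopt'
          java-version: 8
      - name: Build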
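# MAVEN_OPTS silences Maven's transfer-progress logging; the CLI tests need the packaged jar.
        run: mvn -B -ntp --file pom.xml -DskipTests package
        env:
          MAVEN_OPTS: -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn
      - name: Run CLI tests
        run: bash src/test/shell/tool/github/run_tests.sh
        env:
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
--------------------------------------------------------------------------------
/.github/workflows/codeql-analysis.yml:
--------------------------------------------------------------------------------
name: "CodeQL"

on:
  push:
    branches: [ master ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ master ]
  schedule:
    - cron: '34 23 * * 5'

# Least privilege for GITHUB_TOKEN: CodeQL must upload its SARIF results
# (security-events: write) and read the repository; declaring the block drops
# every permission not listed here.
permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        language: [ 'java', 'python' ]

    steps:
      - name: Checkout repository
        # NOTE(review): pinned to a tag; a full commit SHA is the stronger supply-chain control.
        uses: actions/checkout@v3.5.3

      # Initializes the CodeQL tools for scanning.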
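# The Maven build sits between init and analyze so CodeQL can observe the Java compilation.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}

      - run: mvn clean package -ntp -DskipTests -Dcheckstyle.skip -Dmaven.javadoc.skip=true
        env:
          MAVEN_OPTS: -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
--------------------------------------------------------------------------------
/.github/workflows/fosstars-project-report.yml:
--------------------------------------------------------------------------------
name: "Fosstars (Security)"
on:
  workflow_dispatch:
  schedule:
    - cron: "0 0 * * *"

# The action stores the report in `report-branch`, so GITHUB_TOKEN needs write access to
# repository contents; declaring the block drops every other permission.
permissions:
  contents: write

jobs:
  create_fosstars_report:
    runs-on: ubuntu-latest
    name: "Security rating"
    steps:
      # NOTE(review): both actions are pinned to tags; a full commit SHA is the stronger control.
      - uses: actions/checkout@v3.5.3
      - uses: SAP/fosstars-rating-core-action@v1.14.0
        with:
          report-branch: fosstars-report
          token: "${{ secrets.GITHUB_TOKEN }}"
--------------------------------------------------------------------------------
/.github/workflows/fosstars-rop-report.yml:
--------------------------------------------------------------------------------
name: "Fosstars RoP report"
on:
  workflow_dispatch: ~
  schedule:
    - cron: "1 1 * * *"

# The report is pushed to `report-branch`. ROP_TOKEN is a repository secret (presumably a
# PAT) handed to the action; keep its scope limited to this repository's contents.
# contents: write is declared in case the action pushes with the credentials that
# actions/checkout persists; tighten to read if it turns out to use ROP_TOKEN only.
permissions:
  contents: write

jobs:
  create_fosstars_rop_report:
    runs-on: ubuntu-latest
    name: "RoP report"
    steps:
      - uses: actions/checkout@v3.5.3
      - uses: SAP/fosstars-rating-core-action@v1.14.0
        with:
          rating: oss-rules-of-play
          report-branch: fosstars-rop-report
          report-file: README.md
          badge-file: fosstars_rop_rating.svg
          token: ${{ secrets.ROP_TOKEN }}
--------------------------------------------------------------------------------
/.github/workflows/maven.yml:
--------------------------------------------------------------------------------
name: Java CI

on:
  push:
    branches:
      - master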
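# Triggered by pushes and pull requests to master, plus a weekday schedule.
  pull_request:
    branches:
      - master
  schedule:
    - cron: "0 2 * * 1-5"

# Least privilege for GITHUB_TOKEN: a build-and-test job only needs to read the repository;
# declaring the block drops every permission not listed here.
permissions:
  contents: read

jobs:
  build:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
    steps:
      # NOTE(review): tag pins (v3.5.3, v3) can be moved; a full commit SHA is the stronger control.
      - uses: actions/checkout@v3.5.3
      - name: Set up JDK 1.8
        uses: actions/setup-java@v3
        with:
          distribution: 'adopt'
          java-version: 8
      - name: Build with Maven
        run: mvn -B -ntp package --file pom.xml
        env:
          MAVEN_OPTS: -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn
--------------------------------------------------------------------------------
/.github/workflows/oss-projects-security-label-thresholds.yml:
--------------------------------------------------------------------------------
name: "Calculate label thresholds"
on: workflow_dispatch

# The threshold action has no token input and "stores the output file" in its report-branch,
# so it presumably pushes with the credentials persisted by actions/checkout; that needs
# contents: write. Tighten to contents: read if the action turns out not to push.
permissions:
  contents: write

jobs:
  thresholds:
    runs-on: ubuntu-latest
    name: "Calculate label thresholds"
    steps:
      - uses: actions/checkout@v3.5.3
      - uses: ./.github/actions/project-security-label-threshold-action
        with:
          input-file: github_projects.json
          # NOTE(review): "master" is a moving target; a tag or commit gives reproducible thresholds.
          fosstars-version: master
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.idea
*.iml
target
.attach_pid*
.fosstars
src/main/jupyter/oss/security/.ipynb_checkpoints
src/main/jupyter/oss/security/__pycache__/
src/test/shell/tool/github/*.log
.classpath
.project
.settings
.checkstyle
--------------------------------------------------------------------------------
/.reuse/dep5:
--------------------------------------------------------------------------------
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: Fosstars Rating Core
Upstream-Contact: Artem Smotrakov
Source: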
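https://github.com/SAP/fosstars-rating-core

Files: *
Copyright: 2020 SAP SE or an SAP affiliate company and Fosstars Rating Core contributors
License: Apache-2.0
--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------
# Reporting a vulnerability

If you think you found a security issue, please report it to phosphor@sap.com

--------------------------------------------------------------------------------
/assembly.xml:
--------------------------------------------------------------------------------
calc
jar
false
/
true
true
test
${project.build.directory}/test-classes
/
**/*.class
true
--------------------------------------------------------------------------------
/bin/calc.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Builds the project on first use, then runs the all-in-one jar with the caller's arguments.

if [ ! -d target ]; then
  mvn clean package -DskipTests
fi

# "$@" keeps every caller argument intact (paths with spaces, empty strings); a bare $@
# re-splits them. The jar path is quoted and reduced to the first match so that a second
# *-all.jar left over from an earlier build cannot be passed to the program as an argument.
java -jar "$(find target -name "*-all.jar" | head -n 1)" "$@"

--------------------------------------------------------------------------------
/bin/report.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Regenerates the security reports under docs/oss/security for every config in that
# directory. Requires TOKEN (a GitHub token); BUILD=yes rebuilds the jar first;
# CLEAN=yes wipes the caches and the previously generated reports.

if [ "${TOKEN}" = "" ]; then
  echo "Achtung! No GitHub token! Set TOKEN environment variable!"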
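exit 1
fi

set -e

if [ "${BUILD}" = "yes" ]; then
  mvn clean package -DskipTests
fi

if [ "${CLEAN}" = "yes" ]; then
  rm -f .fosstars/github_project_value_cache.json
  rm -f .fosstars/project_rating_cache.json
  echo "[]" > docs/oss/security/github_projects.json

  # Delete generated Markdown but keep README and "improvements" files (same path filter
  # as the previous grep -v pair). find -exec is safe for names with spaces, which
  # `for f in $(find ...)` is not.
  find docs/oss/security -name "*.md" ! -path "*README*" ! -path "*improvements*" \
    -exec rm -f {} +
fi

# Shell glob instead of parsing `ls` output.
configs=(docs/oss/security/*.yml)

echo "" > report.log
for config in "${configs[@]}"
do
  # NOTE(review): --token puts the secret on the command line, where every local process
  # can read it via `ps`; prefer an environment-based option if the tool offers one.
  # `tee -a` appends: a plain `tee report.log` truncated the log on every iteration, so the
  # exception check below only ever saw the last config's output.
  java -jar target/fosstars-github-rating-calc.jar \
    --verbose --token "${TOKEN}" --config "${config}" 2>&1 | tee -a report.log
done

if grep -i exception report.log > /dev/null 2>&1; then
  echo "Achtung! Looks like there were some errors, check out report.log"
fi

--------------------------------------------------------------------------------
/command_line_tool_demo.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SAP/fosstars-rating-core/7b172f42f218f6cfad42f81bd9c9ef49de35b919/command_line_tool_demo.gif
--------------------------------------------------------------------------------
/docs/README.md:
--------------------------------------------------------------------------------
# Ratings for open source projects

1. [Defining a rating for an open source project](ratings.md)
1. [Example](example.md)
1. [Quality assurance](qa.md)
1. [Tuning a rating](tuning.md)
1. [Rating confidence](confidence.md)
1. [Security rating for open source projects](oss_security_rating.md)
1. [Getting security ratings for open source projects](getting_oss_security_rating.md)
1. [Rules of play rating for open source projects](oss_rules_of_play_rating.md)
1. [Getting rules of play ratings for open source projects](getting_oss_rules_of_play_rating.md)
1.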
[Alternatives](alternatives.md) 13 | 1. [Notes](notes.md) 14 | -------------------------------------------------------------------------------- /docs/_config.yml: -------------------------------------------------------------------------------- 1 | theme: jekyll-theme-minimal -------------------------------------------------------------------------------- /docs/confidence.md: -------------------------------------------------------------------------------- 1 | # Confidence of scores and ratings 2 | 3 | A feature value may be unknown. In turn, scoring functions should expect unknown values, 4 | and still produce a score. In this case, the scoring function has to produce a result 5 | taking into account some amount of uncertainty. The same applies to rating procedures. 6 | 7 | To let a user know about how accurate a score is, a scoring function provides a confidence level 8 | for the calculated score. 9 | 10 | Let's define a **confidence level** as a float number in the interval `[0, 10]` 11 | where `0` means the lowest confidence, and `10` means the highest confidence. 12 | 13 | Both scoring function and rating procedure provide a confidence level for score and rating values 14 | that they produce. The confidence level mainly depends on a number of unknown features 15 | that were used to calculate the score. 16 | 17 | The way how a confidence level is calculated depends on a particular scoring function. 18 | In general, a scoring function should take into account the weights of the sub-scores. 
19 | 20 | --- 21 | 22 | Next: [open source security rating](oss_security_rating.md) 23 | -------------------------------------------------------------------------------- /docs/oss/security/apache.yml: -------------------------------------------------------------------------------- 1 | # this is a configuration for generating a report for Apache projects 2 | cache: .fosstars/project_rating_cache.json 3 | reports: 4 | - type: markdown 5 | where: docs/oss/security 6 | source: docs/oss/security/github_projects.json 7 | - type: json 8 | where: docs/oss/security/github_projects.json 9 | finder: 10 | organizations: 11 | - name: apache 12 | stars: 1000 13 | exclude: 14 | - incubator 15 | - website 16 | - docs 17 | - site 18 | - example 19 | - test 20 | - vscode 21 | - staging 22 | - tutorial 23 | - integration 24 | - wiki 25 | - infra 26 | - github.io 27 | - demo 28 | - sample -------------------------------------------------------------------------------- /docs/oss/security/aws.yml: -------------------------------------------------------------------------------- 1 | # this is a configuration for generating a report for AWS projects 2 | cache: .fosstars/project_rating_cache.json 3 | reports: 4 | - type: markdown 5 | where: docs/oss/security 6 | source: docs/oss/security/github_projects.json 7 | - type: json 8 | where: docs/oss/security/github_projects.json 9 | finder: 10 | organizations: 11 | - name: aws 12 | stars: 1000 13 | exclude: 14 | - example 15 | - sample 16 | - build 17 | - ide 18 | - docs 19 | - test 20 | -------------------------------------------------------------------------------- /docs/oss/security/bouncycastle.yml: -------------------------------------------------------------------------------- 1 | # this is a configuration for generating a report for Bouncy Castle projects 2 | cache: .fosstars/project_rating_cache.json 3 | reports: 4 | - type: markdown 5 | where: docs/oss/security 6 | source: docs/oss/security/github_projects.json 7 | - type: json 8 | 
where: docs/oss/security/github_projects.json 9 | finder: 10 | organizations: 11 | - name: bcgit 12 | stars: 1000 13 | exclude: 14 | - example 15 | - sample 16 | - build 17 | - ide 18 | - docs 19 | - test -------------------------------------------------------------------------------- /docs/oss/security/eclipse.yml: -------------------------------------------------------------------------------- 1 | # this is a configuration for generating a report for Eclipse projects 2 | cache: .fosstars/project_rating_cache.json 3 | reports: 4 | - type: markdown 5 | where: docs/oss/security 6 | source: docs/oss/security/github_projects.json 7 | - type: json 8 | where: docs/oss/security/github_projects.json 9 | finder: 10 | organizations: 11 | - name: eclipse 12 | stars: 1000 13 | exclude: 14 | - incubator 15 | - website 16 | - docs 17 | - site 18 | - example 19 | - test 20 | - vscode 21 | - staging 22 | - tutorial 23 | - integration 24 | - wiki 25 | - Test 26 | - org.eclipse 27 | - demo 28 | - sample 29 | -------------------------------------------------------------------------------- /docs/oss/security/google.yml: -------------------------------------------------------------------------------- 1 | # this is a configuration for generating a report for Google projects 2 | cache: .fosstars/project_rating_cache.json 3 | reports: 4 | - type: markdown 5 | where: docs/oss/security 6 | source: docs/oss/security/github_projects.json 7 | - type: json 8 | where: docs/oss/security/github_projects.json 9 | finder: 10 | organizations: 11 | - name: google 12 | stars: 10000 13 | exclude: 14 | - icons 15 | - design 16 | - styleguide 17 | - eng-practices 18 | - fonts 19 | - WebFundamentals 20 | - test 21 | - benchmark 22 | - fuzz -------------------------------------------------------------------------------- /docs/oss/security/jackson.yml: -------------------------------------------------------------------------------- 1 | # this is a configuration for generating a report for FasterXML projects 
2 | cache: .fosstars/project_rating_cache.json 3 | reports: 4 | - type: markdown 5 | where: docs/oss/security 6 | source: docs/oss/security/github_projects.json 7 | - type: json 8 | where: docs/oss/security/github_projects.json 9 | finder: 10 | organizations: 11 | - name: FasterXML 12 | stars: 1000 13 | exclude: 14 | - docs 15 | - test 16 | - benchmark -------------------------------------------------------------------------------- /docs/oss/security/other.yml: -------------------------------------------------------------------------------- 1 | # this is a configuration for generating a report for other projects 2 | cache: .fosstars/project_rating_cache.json 3 | reports: 4 | - type: markdown 5 | where: docs/oss/security 6 | source: docs/oss/security/github_projects.json 7 | - type: json 8 | where: docs/oss/security/github_projects.json 9 | finder: 10 | repositories: 11 | - organization: netty 12 | name: netty 13 | - organization: netty 14 | name: netty-tcnative 15 | - organization: curl 16 | name: curl 17 | - organization: qos-ch 18 | name: slf4j 19 | - organization: GoogleChrome 20 | name: lighthouse 21 | - organization: coredns 22 | name: coredns 23 | - organization: envoyproxy 24 | name: envoy 25 | - organization: madler 26 | name: zlib 27 | - organization: openssl 28 | name: openssl -------------------------------------------------------------------------------- /docs/oss/security/spring.yml: -------------------------------------------------------------------------------- 1 | # this is a configuration for generating a report for Spring projects 2 | cache: .fosstars/project_rating_cache.json 3 | reports: 4 | - type: markdown 5 | where: docs/oss/security 6 | source: docs/oss/security/github_projects.json 7 | - type: json 8 | where: docs/oss/security/github_projects.json 9 | finder: 10 | organizations: 11 | - name: spring-projects 12 | stars: 1000 13 | exclude: 14 | - example 15 | - sample 16 | - build 17 | - ide 18 | - docs 19 | - test 
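--------------------------------------------------------------------------------
/docs/rating_score_feature_hierarchy.plantuml:
--------------------------------------------------------------------------------
@startuml

component rating [
Rating
]

component score [
Score
]

component score_1 [
Score 1
]

component score_2 [
Score 2
]

component feature_1 [
Feature 1
]

component feature_2 [
Feature 2
]

component feature_3 [
Feature 3
]

component feature_4 [
Feature 4
]

component feature_5 [
Feature 5
]

rating <-- score
score <-- score_1
score <-- score_2
score_1 <-- feature_1
score_1 <-- feature_2
score_1 <-- feature_3
score_2 <-- feature_3
score_2 <-- feature_4
score_2 <-- feature_5

@enduml
--------------------------------------------------------------------------------
/docs/rating_score_feature_hierarchy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SAP/fosstars-rating-core/7b172f42f218f6cfad42f81bd9c9ef49de35b919/docs/rating_score_feature_hierarchy.png
--------------------------------------------------------------------------------
/src/main/docker/cli/Dockerfile:
--------------------------------------------------------------------------------
# NOTE(review): the official "openjdk" image is deprecated and no longer receives updates;
# consider a maintained JDK 8 image pinned to a digest.
FROM openjdk:8

RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y git jq && \
    rm -rf /var/lib/apt/lists/*

# Maven is fetched over HTTPS only and verified against a pinned SHA-512 before it is
# extracted; a checksum mismatch aborts the build. The archive is removed afterwards.
RUN wget --https-only https://downloads.apache.org/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz && \
    HASH=c35a1803a6e70a126e80b2b3ae33eed961f83ed74d18fcd16909b2d44d7dada3203f1ffe726c17ef8dcca2dcaa9fca676987befeadc9b9f759967a8cb77181c0 && \
    echo "$HASH apache-maven-3.6.3-bin.tar.gz" | sha512sum --check --status && \
    tar xf apache-maven-3.6.3-bin.tar.gz -C /opt && \
    rm -f apache-maven-3.6.3-bin.tar.gz

ENV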
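M2_HOME="/opt/apache-maven-3.6.3"
ENV MAVEN_HOME="/opt/apache-maven-3.6.3"
ENV PATH="${MAVEN_HOME}/bin:${PATH}"

# COPY instead of ADD: ADD additionally auto-extracts archives and fetches URLs, neither of
# which is wanted for a local source tree. .dockerignore keeps .git, docs and tests out of the context.
COPY . /fosstars
RUN cd /fosstars && mvn package -ntp -DskipTests -Dcheckstyle.skip -Dmaven.javadoc.skip

# NOTE(review): the CLI runs as root inside the container. A dedicated non-root user would be
# safer, but /work is presumably bind-mounted and the tool keeps its .fosstars cache there,
# so the UID choice is left to the operator.
RUN mkdir /work
WORKDIR /work

ENTRYPOINT [ "java", "-jar", "/fosstars/target/fosstars-github-rating-calc.jar" ]
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/advice/Advice.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.advice;

import com.sap.oss.phosphor.fosstars.model.Subject;
import com.sap.oss.phosphor.fosstars.model.Value;

/**
 * An advice about a subject's rating, score or feature value.
 */
public interface Advice {

  /**
   * Get a subject of the advice.
   *
   * @return The subject.
   */
  Subject subject();

  /**
   * Get a value for which the advice was given.
   *
   * @return The value.
   */
  Value value();

  /**
   * Get a content of the advice.
   *
   * @return The content.
   */
  AdviceContent content();
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/advice/AdviceContext.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.advice;

import java.util.Optional;

/**
 * A context for making advice more detailed for a specific subject.
 */
public interface AdviceContext {

  /**
   * A context that provides no details.
   */
  AdviceContext EMPTY_ADVICE_CONTEXT = name -> Optional.empty();

  /**
   * Returns a value of a variable in the context.
   *
   * @param variable The variable name.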
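* @return A value of the variable in the context if it's available.
   */
  // NOTE(review): the type argument of Optional is missing in this listing (presumably lost
  // when the page was extracted); check the repository source before relying on the raw type.
  Optional resolve(String variable);
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/advice/Advisor.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.advice;

import com.sap.oss.phosphor.fosstars.model.Subject;
import java.io.IOException;
import java.util.Collections;
import java.util.List;

/**
 * An advisor that can give advice about a rating and scores of a subject.
 */
public interface Advisor {

  /**
   * An advisor that gives no advice.
   */
  Advisor DUMMY = subject -> Collections.emptyList();

  // NOTE(review): the List type argument is missing in this listing (presumably lost in
  // extraction); given the package, List<Advice> is the likely original.
  /**
   * Get a list of advice for a subject.
   *
   * @param subject The subject.
   * @return A list of advice for the subject.
   * @throws IOException If something went wrong.
   */
  List adviceFor(Subject subject) throws IOException;
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/data/Cache.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data;

import java.util.Date;
import java.util.Optional;

/**
 * This is an interface of a cache that stores different data types for a specific type of objects.
 *
 * <p>The type parameters were restored for this listing: the methods below use {@code K} and
 * {@code V}, so the declaration cannot compile without them.
 *
 * @param <K> The key type.
 * @param <V> The value type.
 */
public interface Cache<K, V> {

  /**
   * Returns a value of a object type for a key.
   *
   * @param key The key.
   * @return An {@link Optional} with the value if the cache has it.
   */
  Optional<V> get(K key);

  /**
   * Updates a value of an object type for a key.
   *
   * @param key The key.
   * @param value The value.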
24 | */ 25 | void put(K key, V value); 26 | 27 | /** 28 | * Updates a value of an object type for a key. 29 | * 30 | * @param key The key. 31 | * @param value The value. 32 | * @param expiration When the value expires. 33 | */ 34 | void put(K key, V value, Date expiration); 35 | 36 | /** 37 | * Get a size of the cache. 38 | * 39 | * @return A number of elements in the cache. 40 | */ 41 | int size(); 42 | } 43 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/data/NoUserCallback.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.data; 2 | 3 | /** 4 | * A fake {@link UserCallback}. 5 | */ 6 | public class NoUserCallback implements UserCallback { 7 | 8 | /** 9 | * Singleton. 10 | */ 11 | public static final NoUserCallback INSTANCE = new NoUserCallback(); 12 | 13 | /** 14 | * Initialize a fake user callback. 15 | */ 16 | private NoUserCallback() { 17 | 18 | } 19 | 20 | @Override 21 | public boolean canTalk() { 22 | return false; 23 | } 24 | 25 | @Override 26 | public String ask() { 27 | throw new UnsupportedOperationException("I can't talk!"); 28 | } 29 | 30 | @Override 31 | public String ask(String question) { 32 | throw new UnsupportedOperationException("I can't talk!"); 33 | } 34 | 35 | @Override 36 | public void say(String phrase) { 37 | throw new UnsupportedOperationException("I can't talk!"); 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/data/NoValueCache.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.data; 2 | 3 | import com.sap.oss.phosphor.fosstars.model.Feature; 4 | import com.sap.oss.phosphor.fosstars.model.Value; 5 | import com.sap.oss.phosphor.fosstars.model.ValueSet; 6 | import java.util.Date; 7 | import java.util.Optional; 
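/**
 * This is a dummy cache which stores nothing: lookups are always empty, writes are discarded,
 * and the size is always zero.
 *
 * @param <K> The type of keys.
 */
public class NoValueCache<K> implements ValueCache<K> {

  /**
   * Creates an instance of {@link NoValueCache}.
   *
   * @param <K> Type of keys.
   * @return A new cache.
   */
  public static <K> NoValueCache<K> create() {
    return new NoValueCache<>();
  }

  @Override
  public <T> Optional<Value<T>> get(K key, Feature<T> feature) {
    return Optional.empty();
  }

  @Override
  public Optional<ValueSet> get(K key) {
    return Optional.empty();
  }

  @Override
  public void put(K key, ValueSet value) {
    // do nothing
  }

  @Override
  public void put(K key, ValueSet value, Date expiration) {
    // do nothing
  }

  @Override
  public int size() {
    return 0;
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/data/Terminal.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data;

import java.util.Scanner;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/**
 * A {@link UserCallback} which interacts with a user via terminal.
 * Prompts and messages go through the logger, so what the user actually sees depends on the
 * logging configuration; replies are read line by line from standard input.
 */
public class Terminal implements UserCallback {

  /**
   * A logger.
   */
  private static final Logger LOGGER = LogManager.getLogger(Terminal.class);

  /**
   * One reader over standard input shared by all calls. A {@link Scanner} buffers ahead of the
   * line it returns, so creating a fresh one per call (as the previous implementation did) could
   * lose input that an earlier instance had already buffered.
   */
  private final Scanner input = new Scanner(System.in);

  @Override
  public boolean canTalk() {
    return true;
  }

  /**
   * Prints a prompt and reads one line from standard input.
   *
   * @return User's reply.
   * @throws java.util.NoSuchElementException If standard input is exhausted, e.g. when no
   *                                          terminal is attached.
   */
  @Override
  public String ask() {
    LOGGER.info(">>> ");
    return input.nextLine();
  }

  /**
   * Prints a question and a prompt, then reads one line from standard input.
   *
   * @param question The question to be asked; it is passed to the logger unchanged.
   * @return User's reply.
   * @throws java.util.NoSuchElementException If standard input is exhausted.
   */
  @Override
  public String ask(String question) {
    LOGGER.info(question);
    LOGGER.info(">>> ");
    return input.nextLine();
  }

  /**
   * Prints a message to the user.
   *
   * @param phrase The message; it is passed to the logger unchanged, so whether its text is
   *               subject to any message processing depends on the log4j version and
   *               configuration used by the build (not visible here).
   */
  @Override
  public void say(String phrase) {
    LOGGER.info(phrase);
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/data/UserCallback.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data;

/**
 * An interface which allows communicating with a user.
 */
public interface UserCallback {

  /**
   * Checks if the user callback can interact with a user.
   *
   * @return True if the user callback can interact with a user, false otherwise.
   */
  boolean canTalk();

  /**
   * Asks a user for a reply.
   *
   * @return User's reply.
   */
  String ask();

  /**
   * Prints a question to a user, and waits for a reply.
   *
   * @param question The question to be asked.
   * @return User's reply.
   */
  String ask(String question);

  /**
   * Prints a message to a user.
   *
   * @param phrase The message for the user.
   */
  void say(String phrase);
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/data/ValueCache.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data;

import com.sap.oss.phosphor.fosstars.model.Feature;
import com.sap.oss.phosphor.fosstars.model.Value;
import com.sap.oss.phosphor.fosstars.model.ValueSet;
import java.util.Optional;

/**
 * This is an interface of a cache that stores feature values
 * for a specific type of objects. Each key maps to a {@link ValueSet}.
 *
 * @param <K> The type of objects.
 */
public interface ValueCache<K> extends Cache<K, ValueSet> {

  /**
   * Return a value of a feature for a key.
   *
   * @param key The key.
   * @param feature The feature.
   * @param <T> Type of data held by the feature.
   * @return An {@link Optional} with the value if the cache has it.
   */
  <T> Optional<Value<T>> get(K key, Feature<T> feature);
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/data/github/AbstractGitHubDataProvider.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data.github;

import com.sap.oss.phosphor.fosstars.data.AbstractDataProvider;
import com.sap.oss.phosphor.fosstars.model.Subject;
import com.sap.oss.phosphor.fosstars.model.subject.oss.GitHubProject;
import java.util.Objects;

/**
 * Base class for data providers which get data from GitHub.
 */
public abstract class AbstractGitHubDataProvider extends AbstractDataProvider {

  /**
   * An interface to GitHub.
   */
  protected final GitHubDataFetcher fetcher;

  /**
   * Initializes a data provider.
   *
   * @param fetcher An interface to GitHub.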
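*/
  public AbstractGitHubDataProvider(GitHubDataFetcher fetcher) {
    // Fail fast: every GitHub provider needs a fetcher, so a null is a programming error.
    this.fetcher = Objects.requireNonNull(
        fetcher, "Oh no! You gave me a null instead of a GitHub fetcher!");
  }

  /**
   * Only {@link GitHubProject} subjects are supported by GitHub data providers.
   *
   * @param subject The subject to check.
   * @return True if the subject is a {@link GitHubProject}, false otherwise.
   */
  @Override
  public boolean supports(Subject subject) {
    return subject instanceof GitHubProject;
  }

  /**
   * The method always returns false, so that all child classes can't be interactive.
   *
   * @return Always false.
   */
  @Override
  public final boolean interactive() {
    return false;
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/data/github/Commit.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data.github;

import java.util.Date;
import java.util.List;

/**
 * An interface of a commit.
 */
public interface Commit {

  /**
   * Get the date of the commit.
   *
   * @return The date when the commit was done.
   */
  Date date();

  /**
   * Get the name of the committer.
   *
   * @return The name of the committer.
   */
  String committerName();

  /**
   * Get the name of the author.
   *
   * @return The name of the author.
   */
  String authorName();

  /**
   * Tells whether the commit is signed or not.
   *
   * @return True if the commit is signed, false otherwise.
   */
  boolean isSigned();

  /**
   * Returns the commit message.
   *
   * @return The commit message. (The element type of the list is not recoverable from this
   *         rendering.)
   */
  List message();
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/data/github/IsApache.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data.github;

import static com.sap.oss.phosphor.fosstars.model.feature.oss.OssFeatures.IS_APACHE;

import com.sap.oss.phosphor.fosstars.model.Feature;
import com.sap.oss.phosphor.fosstars.model.Value;
import com.sap.oss.phosphor.fosstars.model.subject.oss.GitHubProject;
import java.io.IOException;

/**
 * The data provider tries to figure out if an open-source project belongs to the Apache Software
 * Foundation. The only signal used is the name of the project's GitHub organization.
 */
public class IsApache extends CachedSingleFeatureGitHubDataProvider<Boolean> {

  /**
   * Initializes a data provider.
   *
   * @param fetcher An interface to GitHub.
   */
  public IsApache(GitHubDataFetcher fetcher) {
    super(fetcher);
  }

  @Override
  protected Feature<Boolean> supportedFeature() {
    return IS_APACHE;
  }

  /**
   * Sets {@link OssFeatures#IS_APACHE} to true when the project's organization is named
   * "apache" (case-insensitive), false otherwise.
   *
   * @param project The project.
   * @return The feature value.
   * @throws IOException Declared by the base class; not thrown by this implementation.
   */
  @Override
  protected Value<Boolean> fetchValueFor(GitHubProject project) throws IOException {
    logger.info("Figuring out if the project belongs to the Apache Software Foundation ...");
    return IS_APACHE.value("apache".equalsIgnoreCase(project.organization().name()));
  }

}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/data/github/package-info.java:
--------------------------------------------------------------------------------
/**
 * The package contains data providers which fetch data from GitHub.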
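*/
package com.sap.oss.phosphor.fosstars.data.github;
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/data/json/package-info.java:
--------------------------------------------------------------------------------
/**
 * The package contains data storages that store data in local JSON files.
 */
package com.sap.oss.phosphor.fosstars.data.json;
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/data/npmaudit/model/Advisory.java:
--------------------------------------------------------------------------------

package com.sap.oss.phosphor.fosstars.data.npmaudit.model;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import java.util.List;

/**
 * An advisory from an npm audit report. Only the fields used by the project are mapped;
 * {@code ignoreUnknown = true} makes the parser skip everything else in the report.
 */
@JsonInclude(JsonInclude.Include.NON_NULL)
@JsonIgnoreProperties(ignoreUnknown = true)
public class Advisory {

  /**
   * CVE identifiers associated with the advisory. (The element type of the list is not
   * recoverable from this rendering, so the raw type is kept.)
   */
  @JsonProperty("cves")
  private List cves;

  /**
   * The version range that fixes the advisory, as reported by npm.
   */
  @JsonProperty("patched_versions")
  private String patchedVersions;

  /**
   * @return The CVE identifiers, or null if the report had none.
   */
  @JsonProperty("cves")
  public List getCves() {
    return cves;
  }

  /**
   * @return The patched versions, or null if the report had none.
   */
  @JsonProperty("patched_versions")
  public String getPatchedVersions() {
    return patchedVersions;
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/data/owasp/model/Cvssv2.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data.owasp.model;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import java.io.Serializable;

/**
 * The CVSS v2 block of a vulnerability in an OWASP Dependency-Check report.
 * No explicit serialVersionUID is declared, so the default one changes with any field change.
 */
@JsonInclude(JsonInclude.Include.NON_NULL)
@JsonIgnoreProperties(ignoreUnknown = true)
public class Cvssv2 implements Serializable {

  /**
   * The CVSS v2 score. Stored as float but returned as double, so scores that are not exactly
   * representable as float come back with extra digits (constructed example: 7.3 is returned
   * as 7.300000190734863). Widening the field would change the default serialVersionUID.
   */
  @JsonProperty("score")
  private float score;

  /**
   * @return The score widened to double.
   */
  @JsonProperty("score")
  public double getScore() {
    return score;
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/data/owasp/model/Cvssv3.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data.owasp.model;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import java.io.Serializable;

/**
 * The CVSS v3 block of a vulnerability in an OWASP Dependency-Check report.
 * No explicit serialVersionUID is declared, so the default one changes with any field change.
 */
@JsonInclude(JsonInclude.Include.NON_NULL)
@JsonIgnoreProperties(ignoreUnknown = true)
public class Cvssv3 implements Serializable {

  /**
   * The CVSS v3 base score. Stored as float but returned as double; see {@link Cvssv2#getScore()}
   * for the precision caveat.
   */
  @JsonProperty("baseScore")
  private float baseScore;

  /**
   * @return The base score widened to double.
   */
  @JsonProperty("baseScore")
  public double getBaseScore() {
    return baseScore;
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/data/owasp/model/Dependency.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data.owasp.model;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import java.io.Serializable;
import java.util.List;

/**
 * A dependency entry of an OWASP Dependency-Check report: only its list of vulnerabilities
 * is mapped.
 */
@JsonInclude(JsonInclude.Include.NON_NULL)
@JsonIgnoreProperties(ignoreUnknown = true)
public class Dependency implements Serializable {

  /**
   * Vulnerabilities reported for the dependency. (The element type is not recoverable from
   * this rendering, so the raw type is kept.)
   */
  @JsonProperty("vulnerabilities")
  private List vulnerabilities;

  /**
   * @return The vulnerabilities, or null if the report had none for this dependency.
   */
  @JsonProperty("vulnerabilities")
  public List getVulnerabilities() {
    return vulnerabilities;
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/data/owasp/model/OwaspDependencyCheckEntry.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data.owasp.model;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import java.io.Serializable;
import java.util.List;

/**
 * The top-level entry of an OWASP Dependency-Check report: the list of scanned dependencies.
 */
@JsonInclude(JsonInclude.Include.NON_NULL)
@JsonIgnoreProperties(ignoreUnknown = true)
public class OwaspDependencyCheckEntry implements Serializable {

  /**
   * The scanned dependencies. Element type restored to {@link Dependency}, the class this
   * package maps the "dependencies" entries to.
   */
  @JsonProperty("dependencies")
  private List<Dependency> dependencies;

  /**
   * @return The dependencies, or null if the report had none.
   */
  @JsonProperty("dependencies")
  public List<Dependency> getDependencies() {
    return dependencies;
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/data/owasp/model/OwaspDependencyCheckReference.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data.owasp.model;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonPropertyOrder;
import java.io.Serializable;

/**
 * A reference (link) attached to a vulnerability in an OWASP Dependency-Check report.
 */
@JsonInclude(JsonInclude.Include.NON_NULL)
@JsonPropertyOrder({"url", "name"})
@JsonIgnoreProperties(ignoreUnknown = true)
public class OwaspDependencyCheckReference implements Serializable {

  /**
   * The reference URL, as given in the report (not validated here).
   */
  @JsonProperty("url")
  private String url;

  /**
   * The reference name.
   */
  @JsonProperty("name")
  private String name;

  /**
   * @return The URL, or null if absent.
   */
  @JsonProperty("url")
  public String getUrl() {
    return url;
  }

  /**
   * @return The name, or null if absent.
   */
  @JsonProperty("name")
  public String getName() {
    return name;
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/data/owasp/model/Software.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data.owasp.model;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonPropertyOrder;
import java.io.Serializable;

/**
 * The version range of software affected by a vulnerability, as listed in an OWASP
 * Dependency-Check report.
 */
@JsonInclude(JsonInclude.Include.NON_NULL)
@JsonPropertyOrder({"versionStartIncluding", "versionEndIncluding"})
@JsonIgnoreProperties(ignoreUnknown = true)
public class Software implements Serializable {

  /**
   * First affected version (inclusive).
   */
  @JsonProperty("versionStartIncluding")
  private String versionStartIncluding;

  /**
   * Last affected version (inclusive).
   */
  @JsonProperty("versionEndIncluding")
  private String versionEndIncluding;

  /**
   * @return The first affected version, or null if absent.
   */
  @JsonProperty("versionStartIncluding")
  public String getVersionStartIncluding() {
    return versionStartIncluding;
  }

  /**
   * @return The last affected version, or null if absent.
   */
  @JsonProperty("versionEndIncluding")
  public String getVersionEndIncluding() {
    return versionEndIncluding;
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/data/owasp/model/VulnerableSoftware.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data.owasp.model;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import java.io.Serializable;

/**
 * A "vulnerableSoftware" entry of an OWASP Dependency-Check report: a wrapper around
 * {@link Software}.
 */
@JsonInclude(JsonInclude.Include.NON_NULL)
@JsonIgnoreProperties(ignoreUnknown = true)
public class VulnerableSoftware implements Serializable {

  /**
   * The affected software range.
   */
  @JsonProperty("software")
  private Software software;

  /**
   * @return The software range, or null if absent.
   */
  @JsonProperty("software")
  public Software getSoftware() {
    return software;
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/data/owasp/model/package-info.java:
--------------------------------------------------------------------------------
/**
 * The package contains POJOs which were manually written based on a sample OWASP Dependency-Check
 * result.
 */
package com.sap.oss.phosphor.fosstars.data.owasp.model;
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/maven/AbstractModelVisitor.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.maven;

import java.util.Set;
import org.apache.maven.model.Dependency;
import org.apache.maven.model.Plugin;
import org.apache.maven.model.ReportPlugin;

/**
 * An implementation of {@link ModelVisitor} that does nothing.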
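*/
public abstract class AbstractModelVisitor implements ModelVisitor {

  @Override
  public void accept(Plugin plugin, Set<Location> locations) {
    // do nothing
  }

  @Override
  public void accept(ReportPlugin plugin, Set<Location> locations) {
    // do nothing
  }

  @Override
  public void accept(Dependency dependency, Set<Location> locations) {
    // do nothing
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/maven/ModelVisitor.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.maven;

import java.util.Set;
import org.apache.maven.model.Dependency;
import org.apache.maven.model.Plugin;
import org.apache.maven.model.ReportPlugin;

/**
 * A visitor for visiting elements in a POM file. The {@code Set} type argument is
 * {@link Location}; the rendering dropped the angle brackets.
 */
public interface ModelVisitor {

  /**
   * Known locations of elements in a POM file.
   */
  enum Location {
    BUILD, REPORTING, PROFILE, MANAGEMENT, DEPENDENCIES
  }

  /**
   * Visit a plugin.
   *
   * @param plugin The plugin.
   * @param locations A set of locations that tells where the plugin is located.
   */
  void accept(Plugin plugin, Set<Location> locations);

  /**
   * Visit a report plugin.
   *
   * @param plugin The plugin.
   * @param locations A set of locations that tells where the plugin is located.
   */
  void accept(ReportPlugin plugin, Set<Location> locations);

  /**
   * Visit a dependency.
   *
   * @param dependency The dependency.
   * @param locations A set of locations that tells where the dependency is located.
   */
  void accept(Dependency dependency, Set<Location> locations);
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/Interval.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model;

import com.fasterxml.jackson.annotation.JsonTypeInfo;

/**
 * An interface which represents an interval.
 * Polymorphic JSON (de)serialization uses {@code Id.NAME}, i.e. a logical type name in the
 * "type" property that must map to a registered subtype, not a fully-qualified class name.
 */
@JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
public interface Interval {

  /**
   * Checks if a double belongs to the interval.
   *
   * @param n A number to be checked.
   * @return True if the number belongs to the interval, false otherwise.
   */
  boolean contains(double n);

  /**
   * Checks if an integer belongs to the interval.
   *
   * @param n A number to be checked.
   * @return True if the number belongs to the interval, false otherwise.
   */
  boolean contains(int n);

  /**
   * Calculates the mean of the interval.
   *
   * @return The mean of the interval.
   */
  double mean();
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/Label.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.sap.oss.phosphor.fosstars.model.rating.NotApplicableLabel;

/**
 * An interface for a label.
 * Polymorphic JSON (de)serialization uses {@code Id.NAME} (a registered logical name in the
 * "type" property), as for {@link Interval}.
 */
@JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
public interface Label {

  /**
   * Get the label's name.
   *
   * @return The label's name.
   */
  String name();

  /**
   * Tells if the label is not applicable. The default is "applicable".
   *
   * @return True if the value is not applicable in the current context, false otherwise.
   */
  default boolean isNotApplicable() {
    return false;
  }

  /**
   * This is a label for a score value that is marked as not-applicable.
   */
  Label NOT_APPLICABLE = new NotApplicableLabel();
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/Parameter.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model;

/**
 * The interface represents a tunable parameter of a score or rating.
 */
public interface Parameter {

  /**
   * Get boundaries of the parameter.
   *
   * @return An interval of valid values of the parameter.
   */
  Interval boundaries();

  /**
   * Updates the parameter.
   *
   * @param v A new value.
   * @return The same parameter.
   * @throws UnsupportedOperationException If the parameter can't be updated.
   */
  Parameter value(double v);

  /**
   * Get the value of the parameter.
   *
   * @return The value of the parameter.
   */
  Double value();

  /**
   * Checks if the entity is immutable.
   *
   * @return True if the entity is immutable, false otherwise.
   */
  boolean isImmutable();
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/Tunable.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model;

import java.util.List;

/**
 * This interface describes an entity which may be tuned.
 */
public interface Tunable {

  /**
   * Get a list of parameters of the tunable object.
   *
   * @return A list of parameters which may be tuned.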
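*/
  List<Parameter> parameters();

  /**
   * Checks if the entity is immutable.
   *
   * @return True if the entity is immutable, false otherwise.
   */
  boolean isImmutable();

  /**
   * Make the entity immutable.
   */
  void makeImmutable();
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/Visitor.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model;

/**
 * This is an interface of a visitor for browsing the internal structure of ratings and scores.
 * Visitors can visit the following objects:
 * <ul>
 *   <li>{@link Rating}</li>
 *   <li>{@link Score}</li>
 *   <li>{@link Feature}</li>
 *   <li>{@link Parameter}</li>
 * </ul>
 */
public interface Visitor {

  /**
   * Visit a {@link Rating}.
   *
   * @param rating The rating to be visited.
   */
  void visit(Rating rating);

  /**
   * Visit a {@link Score}.
   *
   * @param score The score to be visited.
   */
  void visit(Score score);

  /**
   * Visit a {@link Feature}.
   *
   * @param feature The feature to be visited.
   */
  void visit(Feature feature);

  /**
   * Visit a {@link Parameter}.
   *
   * @param parameter The parameter to be visited.
   */
  void visit(Parameter parameter);
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/feature/DataConfidentialityType.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.feature;

/**
 * The enum contains values that describe how confidential data is.
 */
public enum DataConfidentialityType {

  TEST, PUBLIC, INTERNAL, CONFIDENTIAL, PERSONAL
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/feature/DateFeature.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.feature;

import static com.sap.oss.phosphor.fosstars.model.other.Utils.date;

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.sap.oss.phosphor.fosstars.model.Value;
import com.sap.oss.phosphor.fosstars.model.value.DateValue;
import java.util.Date;

/**
 * A feature which holds a date.
 */
public class DateFeature extends AbstractFeature<Date> {

  /**
   * Initializes a new feature.
   *
   * @param name A name of the feature.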
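*/
  @JsonCreator
  public DateFeature(@JsonProperty("name") String name) {
    super(name);
  }

  @Override
  public Value<Date> value(Date date) {
    return new DateValue(this, date);
  }

  /**
   * Parses a string into a date value using {@code Utils.date}; the accepted formats and the
   * failure behavior are those of that helper (not visible here).
   *
   * @param string The string to parse.
   * @return A date value for this feature.
   */
  @Override
  public Value<Date> parse(String string) {
    return value(date(string));
  }

}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/feature/DoubleFeature.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.feature;

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.sap.oss.phosphor.fosstars.model.Value;
import com.sap.oss.phosphor.fosstars.model.value.DoubleValue;
import java.util.Objects;

/**
 * A feature which holds a double.
 */
public class DoubleFeature extends AbstractFeature<Double> {

  /**
   * Initializes a new feature.
   *
   * @param name A name of the feature.
   */
  @JsonCreator
  public DoubleFeature(@JsonProperty("name") String name) {
    super(name);
  }

  @Override
  public DoubleValue value(Double n) {
    return new DoubleValue(this, n);
  }

  /**
   * Parses a string into a double value. Parsing is delegated to {@link Double#parseDouble},
   * which also accepts "NaN", signed "Infinity" and hexadecimal floating-point literals.
   *
   * @param string The string to parse.
   * @return A double value for this feature.
   * @throws NullPointerException If the string is null.
   * @throws IllegalArgumentException If the string is empty.
   * @throws NumberFormatException If the string is not a parsable double.
   */
  @Override
  public Value<Double> parse(String string) {
    Objects.requireNonNull(string, "Hey! String can't be null!");
    if (string.isEmpty()) {
      throw new IllegalArgumentException("Hey! String can't be empty!");
    }
    return value(Double.parseDouble(string));
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/feature/Impact.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.feature;

/**
 * The enum contains values that describe impact.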
5 | */ 6 | public enum Impact { 7 | 8 | NEGLIGIBLE, LOW, MEDIUM, HIGH 9 | } 10 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/model/feature/LgtmGradeFeature.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.model.feature; 2 | 3 | import com.fasterxml.jackson.annotation.JsonCreator; 4 | import com.fasterxml.jackson.annotation.JsonProperty; 5 | import com.sap.oss.phosphor.fosstars.model.Value; 6 | import com.sap.oss.phosphor.fosstars.model.value.LgtmGrade; 7 | import com.sap.oss.phosphor.fosstars.model.value.LgtmGradeValue; 8 | 9 | /** 10 | * This feature contains a grade assigned by LGTM. 11 | */ 12 | public class LgtmGradeFeature extends AbstractFeature { 13 | 14 | /** 15 | * Initializes a new feature. 16 | * 17 | * @param name A name of the feature. 18 | */ 19 | @JsonCreator 20 | public LgtmGradeFeature(@JsonProperty("name") String name) { 21 | super(name); 22 | } 23 | 24 | @Override 25 | public LgtmGradeValue value(LgtmGrade grade) { 26 | return new LgtmGradeValue(this, grade); 27 | } 28 | 29 | @Override 30 | public Value parse(String string) { 31 | return value(LgtmGrade.parse(string)); 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/model/feature/Likelihood.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.model.feature; 2 | 3 | /** 4 | * The enum contains values that describe likelihood. 
5 | */ 6 | public enum Likelihood { 7 | 8 | NEGLIGIBLE, LOW, MEDIUM, HIGH 9 | } 10 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/model/feature/Quantity.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.model.feature; 2 | 3 | /** 4 | * The enum contains values that describe quantity. 5 | */ 6 | public enum Quantity { 7 | 8 | FEW, SOME, QUITE_A_LOT, A_LOT 9 | } 10 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/model/feature/StringFeature.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.model.feature; 2 | 3 | import com.fasterxml.jackson.annotation.JsonCreator; 4 | import com.fasterxml.jackson.annotation.JsonProperty; 5 | import com.sap.oss.phosphor.fosstars.model.Value; 6 | import com.sap.oss.phosphor.fosstars.model.value.StringValue; 7 | 8 | /** 9 | * This feature holds a string. 10 | */ 11 | public class StringFeature extends AbstractFeature { 12 | 13 | /** 14 | * Initializes a feature. 15 | * 16 | * @param name The feature name. 17 | */ 18 | @JsonCreator 19 | public StringFeature(@JsonProperty("name") String name) { 20 | super(name); 21 | } 22 | 23 | @Override 24 | public Value value(String content) { 25 | return new StringValue(this, content); 26 | } 27 | 28 | @Override 29 | public Value parse(String string) { 30 | return new StringValue(this, string); 31 | } 32 | } -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/model/feature/example/ExampleFeatures.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.model.feature.example; 2 | 3 | /** 4 | * A collection of sample features. 
*/
public class ExampleFeatures {

  /**
   * Private constructor, we don't need to create an instance of this class.
   */
  private ExampleFeatures() {

  }

  /**
   * A sample feature, see {@link NumberOfCommitsLastMonthExample}.
   */
  public static final NumberOfCommitsLastMonthExample NUMBER_OF_COMMITS_LAST_MONTH_EXAMPLE
      = new NumberOfCommitsLastMonthExample();

  /**
   * A sample feature, see {@link NumberOfContributorsLastMonthExample}.
   */
  public static final NumberOfContributorsLastMonthExample NUMBER_OF_CONTRIBUTORS_LAST_MONTH_EXAMPLE
      = new NumberOfContributorsLastMonthExample();

  /**
   * A sample feature, see {@link SecurityReviewDoneExample}.
   */
  public static final SecurityReviewDoneExample SECURITY_REVIEW_DONE_EXAMPLE
      = new SecurityReviewDoneExample();

  /**
   * A sample feature, see {@link StaticCodeAnalysisDoneExample}.
   */
  public static final StaticCodeAnalysisDoneExample STATIC_CODE_ANALYSIS_DONE_EXAMPLE
      = new StaticCodeAnalysisDoneExample();
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/feature/example/SecurityReviewDoneExample.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.feature.example;

import com.fasterxml.jackson.databind.annotation.JsonSerialize;
import com.sap.oss.phosphor.fosstars.model.Value;
import com.sap.oss.phosphor.fosstars.model.feature.AbstractFeature;
import com.sap.oss.phosphor.fosstars.model.value.BooleanValue;

/**
 * This is a sample feature which tells if a security review has been done. The feature is stateless
 * and therefore immutable. This feature is only for demo purposes.
 */
@JsonSerialize
public class SecurityReviewDoneExample extends AbstractFeature {

  /**
   * Initializes a new feature. The constructor is package-private, so instances are expected
   * to be obtained via {@link ExampleFeatures}.
*/
  SecurityReviewDoneExample() {
    super("Security review status (example)");
  }

  /**
   * Wraps a boolean into a value of this feature.
   *
   * @param object The boolean.
   * @return A {@link BooleanValue} that holds the boolean.
   */
  @Override
  public BooleanValue value(Boolean object) {
    return new BooleanValue(this, object);
  }

  /**
   * Parsing is not supported by this demo feature.
   *
   * @param string Ignored.
   * @return Never returns.
   * @throws UnsupportedOperationException Always.
   */
  @Override
  public Value parse(String string) {
    throw new UnsupportedOperationException();
  }

}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/feature/example/StaticCodeAnalysisDoneExample.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.feature.example;

import com.fasterxml.jackson.databind.annotation.JsonSerialize;
import com.sap.oss.phosphor.fosstars.model.Value;
import com.sap.oss.phosphor.fosstars.model.feature.AbstractFeature;
import com.sap.oss.phosphor.fosstars.model.value.BooleanValue;

/**
 * This is a sample feature which tells if a static code analysis has been done. The feature is
 * stateless and therefore immutable. This feature is only for demo purposes.
 */
@JsonSerialize
public class StaticCodeAnalysisDoneExample extends AbstractFeature {

  /**
   * Initializes a new feature. The constructor is package-private, so instances are expected
   * to be obtained via {@link ExampleFeatures}.
*/
  StaticCodeAnalysisDoneExample() {
    super("Static code analysis status (example)");
  }

  /**
   * Wraps a boolean into a value of this feature.
   *
   * @param object The boolean.
   * @return A {@link BooleanValue} that holds the boolean.
   */
  @Override
  public BooleanValue value(Boolean object) {
    return new BooleanValue(this, object);
  }

  /**
   * Parsing is not supported by this demo feature.
   *
   * @param string Ignored.
   * @return Never returns.
   * @throws UnsupportedOperationException Always.
   */
  @Override
  public Value parse(String string) {
    throw new UnsupportedOperationException();
  }

}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/feature/oss/ArtifactVersionFeature.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.feature.oss;

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.sap.oss.phosphor.fosstars.model.Value;
import com.sap.oss.phosphor.fosstars.model.feature.AbstractFeature;
import com.sap.oss.phosphor.fosstars.model.value.ArtifactVersion;
import com.sap.oss.phosphor.fosstars.model.value.ArtifactVersionValue;

/**
 * This feature contains a version of an artifact released by the open-source project.
 */
public class ArtifactVersionFeature extends AbstractFeature {

  /**
   * Initializes a feature.
   *
   * @param name The feature name.
*/
  @JsonCreator
  public ArtifactVersionFeature(@JsonProperty("name") String name) {
    super(name);
  }

  /**
   * Wraps a single artifact version into a value of this feature.
   * (The parameter is named in plural although it holds one {@link ArtifactVersion}.)
   *
   * @param artifactVersions The version.
   * @return An {@link ArtifactVersionValue} that holds the version.
   */
  @Override
  public Value value(ArtifactVersion artifactVersions) {
    return new ArtifactVersionValue(this, artifactVersions);
  }

  /**
   * Parsing is not implemented for this feature.
   *
   * @param string Ignored.
   * @return Never returns.
   * @throws UnsupportedOperationException Always.
   */
  @Override
  public Value parse(String string) {
    throw new UnsupportedOperationException("Unfortunately I can't parse versions yet");
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/feature/oss/ArtifactVersionsFeature.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.feature.oss;

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.sap.oss.phosphor.fosstars.model.Value;
import com.sap.oss.phosphor.fosstars.model.feature.AbstractFeature;
import com.sap.oss.phosphor.fosstars.model.value.ArtifactVersions;
import com.sap.oss.phosphor.fosstars.model.value.ArtifactVersionsValue;

/**
 * This feature contains a set of versions of the artifact released by the open-source project.
 */
public class ArtifactVersionsFeature extends AbstractFeature {

  /**
   * Initializes a feature.
   *
   * @param name The feature name.
*/
  @JsonCreator
  public ArtifactVersionsFeature(@JsonProperty("name") String name) {
    super(name);
  }

  /**
   * Wraps a set of artifact versions into a value of this feature.
   *
   * @param artifactVersions The versions.
   * @return An {@link ArtifactVersionsValue} that holds the versions.
   */
  @Override
  public Value value(ArtifactVersions artifactVersions) {
    return new ArtifactVersionsValue(this, artifactVersions);
  }

  /**
   * Parsing is not implemented for this feature.
   *
   * @param string Ignored.
   * @return Never returns.
   * @throws UnsupportedOperationException Always.
   */
  @Override
  public Value parse(String string) {
    throw new UnsupportedOperationException("Unfortunately I can't parse versions yet");
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/feature/oss/Functionality.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.feature.oss;

/**
 * The enum contains values that describe functionality that an open source project offers.
 */
public enum Functionality {

  APPLICATION_FRAMEWORK, SDK, SECURITY, NETWORKING, ANNOTATIONS, PARSER, LOGGER, TESTING, OTHER
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/feature/oss/LanguagesFeature.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.feature.oss;

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.sap.oss.phosphor.fosstars.model.Value;
import com.sap.oss.phosphor.fosstars.model.feature.AbstractFeature;
import com.sap.oss.phosphor.fosstars.model.value.Languages;
import com.sap.oss.phosphor.fosstars.model.value.LanguagesValue;

/**
 * This feature contains a set of programming languages that are used
 * in an open-source project.
 */
public class LanguagesFeature extends AbstractFeature {

  /**
   * Initializes a feature.
   *
   * @param name The feature name.
*/
  @JsonCreator
  public LanguagesFeature(@JsonProperty("name") String name) {
    super(name);
  }

  /**
   * Wraps a set of languages into a value of this feature.
   *
   * @param languages The languages.
   * @return A {@link LanguagesValue} that holds the languages.
   */
  @Override
  public Value value(Languages languages) {
    return new LanguagesValue(this, languages);
  }

  /**
   * Parsing is not implemented for this feature.
   *
   * @param string Ignored.
   * @return Never returns.
   * @throws UnsupportedOperationException Always.
   */
  @Override
  public Value parse(String string) {
    throw new UnsupportedOperationException("Unfortunately I can't parse languages");
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/feature/oss/PackageManagersFeature.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.feature.oss;

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.sap.oss.phosphor.fosstars.model.Value;
import com.sap.oss.phosphor.fosstars.model.feature.AbstractFeature;
import com.sap.oss.phosphor.fosstars.model.value.PackageManagers;
import com.sap.oss.phosphor.fosstars.model.value.PackageManagersValue;

/**
 * This feature contains a set of package managers that are used
 * in an open-source project.
 */
public class PackageManagersFeature extends AbstractFeature {

  /**
   * Initializes a feature.
   *
   * @param name The feature name.
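*/
  @JsonCreator
  public PackageManagersFeature(@JsonProperty("name") String name) {
    super(name);
  }

  /**
   * Wraps a set of package managers into a value of this feature.
   *
   * @param packageManagers The package managers.
   * @return A {@link PackageManagersValue} that holds the package managers.
   */
  @Override
  public Value value(PackageManagers packageManagers) {
    return new PackageManagersValue(this, packageManagers);
  }

  /**
   * Parsing is not implemented for this feature.
   *
   * @param string Ignored.
   * @return Never returns.
   * @throws UnsupportedOperationException Always.
   */
  @Override
  public Value parse(String string) {
    throw new UnsupportedOperationException("Unfortunately I can't parse package managers");
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/feature/oss/SecurityReviewsFeature.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.feature.oss;

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.sap.oss.phosphor.fosstars.model.Value;
import com.sap.oss.phosphor.fosstars.model.feature.AbstractFeature;
import com.sap.oss.phosphor.fosstars.model.value.SecurityReviews;
import com.sap.oss.phosphor.fosstars.model.value.SecurityReviewsValue;

/**
 * A feature that holds security reviews.
 */
public class SecurityReviewsFeature extends AbstractFeature {

  /**
   * Initializes a feature.
   *
   * @param name The feature name.
   */
  // The other features in this package mark their constructor with @JsonCreator explicitly;
  // doing the same here keeps Jackson deserialization consistent instead of relying on
  // creator auto-detection for a single @JsonProperty-annotated parameter.
  @JsonCreator
  public SecurityReviewsFeature(@JsonProperty("name") String name) {
    super(name);
  }

  /**
   * Wraps security reviews into a value of this feature.
   *
   * @param reviews The security reviews.
   * @return A {@link SecurityReviewsValue} that holds the reviews.
   */
  @Override
  public Value value(SecurityReviews reviews) {
    return new SecurityReviewsValue(this, reviews);
  }

  /**
   * Parsing is not implemented for this feature.
   *
   * @param string Ignored.
   * @return Never returns.
   * @throws UnsupportedOperationException Always.
   */
  @Override
  public Value parse(String string) {
    throw new UnsupportedOperationException("Unfortunately I can't parse security reviews");
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/qa/ScoreVerifier.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.qa;

import com.sap.oss.phosphor.fosstars.model.Score;
import com.sap.oss.phosphor.fosstars.model.value.ScoreValue;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

/**
 * The verifier checks that a score passes tests defined by test vectors.
 */
public class ScoreVerifier extends AbstractVerifier {

  /**
   * A score to be verified.
   */
  private final Score score;

  /**
   * Initializes a new verifier.
   *
   * @param score A score to be verified.
   * @param vectors A list of test vectors.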
*/
  public ScoreVerifier(Score score, TestVectors vectors) {
    super(vectors);

    Objects.requireNonNull(score, "Score can't be null!");
    this.score = score;
  }

  /**
   * Runs every test vector against the score and collects one result per vector.
   * The {@code vectors} field is not declared here, so it is inherited from
   * {@link AbstractVerifier}; {@code testResultFor(...)} is inherited as well.
   *
   * @return A list with one result per test vector, in test-vector order.
   */
  // NOTE(review): type arguments look stripped in this listing (`List` rather than `List<...>`);
  // check the original source file before relying on the raw types shown here.
  List runImpl() {
    List results = new ArrayList<>();

    // The running index is handed to testResultFor() so a result can refer to its vector.
    int index = 0;
    for (TestVector vector : vectors) {
      ScoreValue scoreValue = score.calculate(vector.valuesFor(score));
      results.add(testResultFor(vector, scoreValue, index++));
    }

    return results;
  }

}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/qa/VerificationFailedException.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.qa;

/**
 * An exception which indicates that a verification procedure for a rating failed.
 */
public class VerificationFailedException extends Exception {

  /**
   * Creates an exception with a generic message.
   */
  public VerificationFailedException() {
    super("One of the test vectors failed!");
  }

  /**
   * Creates an exception with a specified message.
   * The format string is passed to {@link String#format(String, Object...)}, so it should be a
   * trusted literal: a format string containing untrusted text (for example, a stray '%')
   * can raise an {@link java.util.IllegalFormatException} instead of producing the message.
   *
   * @param format A format string.
   * @param params A number of parameters for the format string.
   */
  public VerificationFailedException(String format, Object... params) {
    super(String.format(format, params));
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/qa/Verifier.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.qa;

import java.util.List;

/**
 * This is an interface of a verifier which can verify scores and ratings.
 * The verification is based on test vectors.
*
 * @see TestVector
 * @see TestVectorResult
 */
public interface Verifier {

  /**
   * Runs verification and returns a list of results.
   *
   * @return A list of {@link TestVectorResult}.
   */
  List run();

  /**
   * Runs verification and throws a {@link VerificationFailedException} if the verification failed.
   *
   * @throws VerificationFailedException If the verification failed.
   */
  void verify() throws VerificationFailedException;
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/rating/NotApplicableLabel.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.rating;

import com.fasterxml.jackson.annotation.JsonIgnore;
import com.sap.oss.phosphor.fosstars.model.Label;

/**
 * This is a label for a score value that is marked as not-applicable.
 * The label carries no state: every instance is equal to every other instance.
 */
public class NotApplicableLabel implements Label {

  /**
   * Returns the fixed display name of this label.
   *
   * @return The string "N/A".
   */
  @Override
  @JsonIgnore
  public final String name() {
    return "N/A";
  }

  /**
   * Tells that this label marks a not-applicable value.
   *
   * @return Always true.
   */
  @Override
  @JsonIgnore
  public final boolean isNotApplicable() {
    return true;
  }

  /**
   * Two labels are equal if both are instances of this class.
   */
  @Override
  public boolean equals(Object obj) {
    if (obj == null) {
      return false;
    }
    if (obj == this) {
      return true;
    }
    return obj instanceof NotApplicableLabel;
  }

  /**
   * A constant hash code, consistent with {@link #equals(Object)} since all instances are equal.
   */
  @Override
  public int hashCode() {
    return 42;
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/score/example/ExampleScores.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.score.example;

/**
 * A collection of sample scores.
*/
public class ExampleScores {

  /**
   * Private constructor, we don't need to create an instance of this class.
   */
  private ExampleScores() {

  }

  /**
   * A sample score, see {@link ProjectActivityScoreExample}.
   */
  public static final ProjectActivityScoreExample PROJECT_ACTIVITY_SCORE_EXAMPLE
      = new ProjectActivityScoreExample();

  /**
   * A sample score, see {@link SecurityTestingScoreExample}.
   */
  public static final SecurityTestingScoreExample SECURITY_TESTING_SCORE_EXAMPLE
      = new SecurityTestingScoreExample();

  /**
   * A sample score, see {@link SecurityScoreExample}.
   * Keep this constant declared after the two above: the {@link SecurityScoreExample}
   * constructor reads them, and static fields are initialized in declaration order.
   */
  public static final SecurityScoreExample SECURITY_SCORE_EXAMPLE
      = new SecurityScoreExample();
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/score/example/SecurityScoreExample.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.score.example;

import static com.sap.oss.phosphor.fosstars.model.score.example.ExampleScores.PROJECT_ACTIVITY_SCORE_EXAMPLE;
import static com.sap.oss.phosphor.fosstars.model.score.example.ExampleScores.SECURITY_TESTING_SCORE_EXAMPLE;

import com.sap.oss.phosphor.fosstars.model.score.WeightedCompositeScore;

/**
 * This is a sample security score which is based on a weighed average of
 * SecurityTestingScoreExample and ProjectActivityScoreExample scores. Only for demo purposes.
*/
public class SecurityScoreExample extends WeightedCompositeScore {

  /**
   * Initializes a new score that combines the sample sub-scores
   * {@code SECURITY_TESTING_SCORE_EXAMPLE} and {@code PROJECT_ACTIVITY_SCORE_EXAMPLE}
   * from {@link ExampleScores}.
   */
  public SecurityScoreExample() {
    super("Security score (example)",
        SECURITY_TESTING_SCORE_EXAMPLE, PROJECT_ACTIVITY_SCORE_EXAMPLE);
  }

}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/score/oss/ProjectSecurityTestingScore.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.score.oss;

import com.sap.oss.phosphor.fosstars.model.score.WeightedCompositeScore;

/**
 * <p>The security testing score uses the following sub-scores.</p>
 *
 * <ul>
 *   <li>{@link DependencyScanScore}</li>
 *   <li>{@link NoHttpToolScore}</li>
 *   <li>{@link MemorySafetyTestingScore}</li>
 *   <li>{@link StaticAnalysisScore}</li>
 *   <li>{@link FuzzingScore}</li>
 * </ul>
 *
 * <p>There is plenty of room for improvements.
 * The score can take into account a lot of other information.</p>
 */
public class ProjectSecurityTestingScore extends WeightedCompositeScore {

  /**
   * Initializes a new score. The constructor is package-private; the sub-scores listed above
   * are created here in the order they are passed to the superclass.
   */
  ProjectSecurityTestingScore() {
    super("How well security testing is done for an open-source project",
        new DependencyScanScore(),
        new NoHttpToolScore(),
        new MemorySafetyTestingScore(),
        new StaticAnalysisScore(),
        new FuzzingScore());
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/subject/oss/Artifact.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.subject.oss;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.sap.oss.phosphor.fosstars.model.Subject;
import java.util.Optional;

/**
 * An artifact that is produced by an open source project. For example, it may be a jar file that
 * can be downloaded from a Maven repository.
 */
// Polymorphic (de)serialization: the concrete implementation is recorded in a "type" property.
@JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
public interface Artifact extends Subject {

  /**
   * Returns the GitHub Project of the artifact.
   *
   * @return A {@link GitHubProject}.
   */
  // NOTE(review): the type argument of Optional looks stripped in this listing;
  // the Javadoc suggests Optional<GitHubProject> — confirm against the source file.
  Optional project();
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/subject/oss/OpenSourceProject.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.subject.oss;

import com.sap.oss.phosphor.fosstars.model.Subject;
import java.net.URL;

/**
 * An interface of an open-source project.
 */
public interface OpenSourceProject extends Subject {

  /**
   * Returns a URL of the project's SCM.
   *
   * @return A URL of the project's SCM.
*/
  URL scm();
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/value/OwaspDependencyCheckUsage.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.value;

/**
 * Shows how OWASP Dependency Check can be used in a project.
 */
public enum OwaspDependencyCheckUsage {

  MANDATORY, OPTIONAL, NOT_USED;

  /**
   * Returns a human-readable name for the constant.
   * The default branch falls back to the enum name; it is unreachable as long as every
   * constant above is listed in the switch.
   *
   * @return The human-readable name.
   */
  @Override
  public String toString() {
    switch (this) {
      case NOT_USED:
        return "Not used";
      case OPTIONAL:
        return "Optional";
      case MANDATORY:
        return "Mandatory";
      default:
        return super.toString();
    }
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/value/PackageManager.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.value;

/**
 * The enum contains package managers.
 */
public enum PackageManager {

  MAVEN, GRADLE,

  NPM, YARN, DOTNET, PIP, RUBYGEMS, COMPOSER, GOMODULES,

  OTHER
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/model/weight/AbstractWeight.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.weight;

import com.sap.oss.phosphor.fosstars.model.Interval;
import com.sap.oss.phosphor.fosstars.model.Visitor;
import com.sap.oss.phosphor.fosstars.model.Weight;

/**
 * A base class for weights.
*/
abstract class AbstractWeight implements Weight {

  /**
   * Accepts a visitor by dispatching it to this weight.
   *
   * @param visitor The visitor.
   */
  @Override
  public void accept(Visitor visitor) {
    visitor.visit(this);
  }

  /**
   * Returns the interval that all weights share.
   *
   * @return {@link Weight#INTERVAL}.
   */
  @Override
  public Interval boundaries() {
    return Weight.INTERVAL;
  }

}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/nvd/Matcher.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.nvd;

import com.sap.oss.phosphor.fosstars.nvd.data.NvdEntry;

/**
 * An interface for a matcher that checks if an entry from NVD satisfies a requirement.
 */
public interface Matcher {

  /**
   * Checks if an entry from NVD satisfies a requirement.
   *
   * @param entry The entry to be checked.
   * @return True if the requirement is met, false otherwise.
   */
  boolean match(NvdEntry entry);
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/nvd/data/Affects.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.nvd.data;

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonPropertyOrder;

/**
 * The "affects" element of an NVD entry. It is a Jackson data holder with a single
 * "vendor" property; the field is only populated during deserialization (no setter).
 */
@JsonInclude(JsonInclude.Include.NON_NULL)
@JsonPropertyOrder({
    "vendor"
})
public class Affects {

  @JsonProperty("vendor")
  private Vendor vendor;

  /**
   * Returns the vendor information.
   *
   * @return The vendor, or null if the property was absent.
   */
  @JsonProperty("vendor")
  public Vendor getVendor() {
    return vendor;
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/nvd/data/BaseMetricV3.java:
--------------------------------------------------------------------------------
package
com.sap.oss.phosphor.fosstars.nvd.data;

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonPropertyOrder;

/**
 * CVSS V3.x score.
 */
@JsonInclude(JsonInclude.Include.NON_NULL)
@JsonPropertyOrder({
    "cvssV3",
    "exploitabilityScore",
    "impactScore"
})
public class BaseMetricV3 {

  @JsonProperty("cvssV3")
  private CVSSv3 cvssV3;

  // The two scores below are populated by Jackson but have no getter in this class,
  // so they are currently only readable via reflection/serialization.
  @JsonProperty("exploitabilityScore")
  private Double exploitabilityScore;

  @JsonProperty("impactScore")
  private Double impactScore;

  /**
   * Returns the CVSS v3 vector and scores.
   *
   * @return The CVSS v3 data, or null if the property was absent.
   */
  @JsonProperty("cvssV3")
  public CVSSv3 getCVSSv3() {
    return cvssV3;
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/nvd/data/Configurations.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.nvd.data;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonPropertyOrder;
import java.util.ArrayList;
import java.util.List;

/**
 * Defines the set of product configurations for a NVD applicability statement.
*/
@JsonInclude(JsonInclude.Include.NON_NULL)
@JsonPropertyOrder({
    "CVE_data_version",
    "nodes"
})
// the properties below are ignored because they are not used
// that saves a bit of memory
// when they become necessary, then can be enabled
@JsonIgnoreProperties({
    "CVE_data_version"
})
public class Configurations {

  // NOTE(review): "CVE_data_version" is listed in @JsonIgnoreProperties above, so this field is
  // expected to stay null after deserialization even though it carries @JsonProperty.
  @JsonProperty("CVE_data_version")
  private String cveDataVersion;

  // NOTE(review): the element type of the list looks stripped in this listing;
  // check the source file for the actual List<...> declaration.
  @JsonProperty("nodes")
  private List nodes = new ArrayList<>();

  /**
   * Returns the configuration nodes.
   *
   * @return The nodes (an empty list if the property was absent).
   */
  @JsonProperty("nodes")
  public List getNodes() {
    return nodes;
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/nvd/data/Cpe22Uri.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.nvd.data;

/**
 * Extended class from {@link AbstractCpeUri}, highlighting the 2.2 CPE format.
 *
 * @see CPE 2.2 schema
 */
public class Cpe22Uri extends AbstractCpeUri {

  /**
   * Initializes a CPE 2.2 URI.
   * The two integers are passed through to {@link AbstractCpeUri}, which is not shown here;
   * presumably they are the positions of the vendor and product components of the URI
   * (in the 2.2 form {@code cpe:/part:vendor:product:...} those are the 3rd and 4th
   * colon-separated fields, i.e. indexes 2 and 3) — confirm against AbstractCpeUri.
   *
   * @param cpeUri The CPE URI string.
   */
  public Cpe22Uri(String cpeUri) {
    super(cpeUri, 2, 3);
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/nvd/data/Cpe23Uri.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.nvd.data;

/**
 * Extended class from {@link AbstractCpeUri}, highlighting the 2.3 CPE format.
*
 * @see CPE 2.3 schema
 */
public class Cpe23Uri extends AbstractCpeUri {

  /**
   * Initializes a CPE 2.3 URI.
   * The two integers are passed through to {@link AbstractCpeUri}, which is not shown here;
   * presumably they are the positions of the vendor and product components of the URI
   * (in the 2.3 form {@code cpe:2.3:part:vendor:product:...} those are the 4th and 5th
   * colon-separated fields, i.e. indexes 3 and 4) — confirm against AbstractCpeUri.
   *
   * @param cpeUri The CPE URI string.
   */
  public Cpe23Uri(String cpeUri) {
    super(cpeUri, 3, 4);
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/nvd/data/CpeName.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.nvd.data;

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonPropertyOrder;

/**
 * CPE name.
 * This holder exposes no getters: the fields are populated by Jackson but not read
 * by any method in this class.
 */
@JsonInclude(JsonInclude.Include.NON_NULL)
@JsonPropertyOrder({
    "cpe22Uri",
    "cpe23Uri",
    "lastModifiedDate"
})
public class CpeName {

  @JsonProperty("cpe22Uri")
  private String cpe22Uri;

  @JsonProperty("cpe23Uri")
  private String cpe23Uri;

  @JsonProperty("lastModifiedDate")
  private String lastModifiedDate;
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/nvd/data/CpeUri.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.nvd.data;

/**
 * An interface for CPE URI.
 */
public interface CpeUri {

  /**
   * Get a vendor.
   *
   * @return The vendor from the CPE URI.
   */
  String getVendor();

  /**
   * Get a product.
   *
   * @return The product from the CPE URI.
*/
  String getProduct();
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/nvd/data/CveMetaData.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.nvd.data;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonPropertyOrder;

/**
 * The "CVE_data_meta" element of an NVD entry: the CVE identifier and its assigner.
 */
@JsonInclude(JsonInclude.Include.NON_NULL)
@JsonPropertyOrder({
    "ID",
    "ASSIGNER"
})
// the properties below are ignored because they are not used
// that saves a bit of memory
// when they become necessary, then can be enabled
// NOTE(review): the ignore list names "assigner" while the property declared below is
// "ASSIGNER"; Jackson matches property names case-sensitively unless
// ACCEPT_CASE_INSENSITIVE_PROPERTIES is enabled, so this entry likely does not ignore
// anything and the assigner field is still populated — verify with a round-trip test.
@JsonIgnoreProperties({
    "assigner"
})
public class CveMetaData {

  @JsonProperty("ID")
  private String id;

  @JsonProperty("ASSIGNER")
  private String assigner;

  /**
   * Returns the CVE identifier.
   *
   * @return The identifier, or null if the property was absent.
   */
  @JsonProperty("ID")
  public String getId() {
    return id;
  }

  /**
   * Sets the CVE identifier.
   *
   * @param id The identifier.
   */
  @JsonProperty("ID")
  public void setId(String id) {
    this.id = id;
  }

}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/nvd/data/Description.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.nvd.data;

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonPropertyOrder;
import java.util.ArrayList;
import java.util.List;

/**
 * The "description" element of an NVD entry: a list of localized description strings.
 */
@JsonInclude(JsonInclude.Include.NON_NULL)
@JsonPropertyOrder({
    "description_data"
})
public class Description {

  // NOTE(review): the element type of the list looks stripped in this listing;
  // check the source file for the actual List<...> declaration.
  @JsonProperty("description_data")
  private List descriptionData = new
ArrayList<>();

  /**
   * Returns the description entries.
   *
   * @return The entries (an empty list if the property was absent).
   */
  @JsonProperty("description_data")
  public List getDescriptionData() {
    return descriptionData;
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/nvd/data/Impact.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.nvd.data;

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonPropertyOrder;

/**
 * Impact scores for a vulnerability as found on NVD.
 */
@JsonInclude(JsonInclude.Include.NON_NULL)
@JsonPropertyOrder({
    "baseMetricV3",
    "baseMetricV2"
})
public class Impact {

  @JsonProperty("baseMetricV3")
  private BaseMetricV3 baseMetricV3;

  @JsonProperty("baseMetricV2")
  private BaseMetricV2 baseMetricV2;

  /**
   * Returns the CVSS v2 metrics.
   *
   * @return The v2 metrics, or null if the property was absent.
   */
  @JsonProperty("baseMetricV2")
  public BaseMetricV2 getBaseMetricV2() {
    return baseMetricV2;
  }

  /**
   * Returns the CVSS v3 metrics.
   *
   * @return The v3 metrics, or null if the property was absent.
   */
  @JsonProperty("baseMetricV3")
  public BaseMetricV3 getBaseMetricV3() {
    return baseMetricV3;
  }
}
--------------------------------------------------------------------------------
/src/main/java/com/sap/oss/phosphor/fosstars/nvd/data/LangString.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.nvd.data;

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonPropertyOrder;

/**
 * A localized string from NVD data: a language tag and the text itself.
 */
@JsonInclude(JsonInclude.Include.NON_NULL)
@JsonPropertyOrder({
    "lang",
    "value"
})
public class LangString {

  @JsonProperty("lang")
  private String lang;

  @JsonProperty("value")
  private String value;

@JsonProperty("lang") 21 | public String getLang() { 22 | return lang; 23 | } 24 | 25 | @JsonProperty("lang") 26 | public void setLang(String lang) { 27 | this.lang = lang; 28 | } 29 | 30 | @JsonProperty("value") 31 | public String getValue() { 32 | return value; 33 | } 34 | 35 | @JsonProperty("value") 36 | public void setValue(String value) { 37 | this.value = value; 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/nvd/data/ProblemType.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.nvd.data; 2 | 3 | import com.fasterxml.jackson.annotation.JsonInclude; 4 | import com.fasterxml.jackson.annotation.JsonProperty; 5 | import com.fasterxml.jackson.annotation.JsonPropertyOrder; 6 | import java.util.ArrayList; 7 | import java.util.List; 8 | 9 | @JsonInclude(JsonInclude.Include.NON_NULL) 10 | @JsonPropertyOrder({ 11 | "problemtype_data" 12 | }) 13 | public class ProblemType { 14 | 15 | @JsonProperty("problemtype_data") 16 | private List problemTypeData = new ArrayList<>(); 17 | } 18 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/nvd/data/ProblemTypeData.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.nvd.data; 2 | 3 | import com.fasterxml.jackson.annotation.JsonInclude; 4 | import com.fasterxml.jackson.annotation.JsonProperty; 5 | import com.fasterxml.jackson.annotation.JsonPropertyOrder; 6 | import java.util.ArrayList; 7 | import java.util.List; 8 | 9 | @JsonInclude(JsonInclude.Include.NON_NULL) 10 | @JsonPropertyOrder({ 11 | "description" 12 | }) 13 | public class ProblemTypeData { 14 | 15 | @JsonProperty("description") 16 | private List description = new ArrayList<>(); 17 | } 18 | 
-------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/nvd/data/Product.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.nvd.data; 2 | 3 | import com.fasterxml.jackson.annotation.JsonInclude; 4 | import com.fasterxml.jackson.annotation.JsonProperty; 5 | import com.fasterxml.jackson.annotation.JsonPropertyOrder; 6 | import java.util.ArrayList; 7 | import java.util.List; 8 | 9 | @JsonInclude(JsonInclude.Include.NON_NULL) 10 | @JsonPropertyOrder({ 11 | "product_data" 12 | }) 13 | public class Product { 14 | 15 | @JsonProperty("product_data") 16 | private List productData = new ArrayList<>(); 17 | 18 | @JsonProperty("product_data") 19 | public List getProductData() { 20 | return productData; 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/nvd/data/ProductData.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.nvd.data; 2 | 3 | import com.fasterxml.jackson.annotation.JsonInclude; 4 | import com.fasterxml.jackson.annotation.JsonProperty; 5 | import com.fasterxml.jackson.annotation.JsonPropertyOrder; 6 | 7 | @JsonInclude(JsonInclude.Include.NON_NULL) 8 | @JsonPropertyOrder({ 9 | "product_name", 10 | "version" 11 | }) 12 | public class ProductData { 13 | 14 | @JsonProperty("product_name") 15 | private String productName; 16 | 17 | @JsonProperty("version") 18 | private Version version; 19 | 20 | @JsonProperty("product_name") 21 | public String getProductName() { 22 | return productName; 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/nvd/data/References.java: -------------------------------------------------------------------------------- 1 | package 
com.sap.oss.phosphor.fosstars.nvd.data; 2 | 3 | import com.fasterxml.jackson.annotation.JsonInclude; 4 | import com.fasterxml.jackson.annotation.JsonProperty; 5 | import com.fasterxml.jackson.annotation.JsonPropertyOrder; 6 | import java.util.ArrayList; 7 | import java.util.List; 8 | 9 | @JsonInclude(JsonInclude.Include.NON_NULL) 10 | @JsonPropertyOrder({ 11 | "reference_data" 12 | }) 13 | public class References { 14 | 15 | @JsonProperty("reference_data") 16 | private List referenceData = new ArrayList<>(); 17 | 18 | @JsonProperty("reference_data") 19 | public List getReferenceData() { 20 | return referenceData; 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/nvd/data/Vendor.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.nvd.data; 2 | 3 | import com.fasterxml.jackson.annotation.JsonInclude; 4 | import com.fasterxml.jackson.annotation.JsonProperty; 5 | import com.fasterxml.jackson.annotation.JsonPropertyOrder; 6 | import java.util.ArrayList; 7 | import java.util.List; 8 | 9 | @JsonInclude(JsonInclude.Include.NON_NULL) 10 | @JsonPropertyOrder({ 11 | "vendor_data" 12 | }) 13 | public class Vendor { 14 | 15 | @JsonProperty("vendor_data") 16 | private List vendorData = new ArrayList<>(); 17 | 18 | @JsonProperty("vendor_data") 19 | public List getVendorData() { 20 | return vendorData; 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/nvd/data/VendorData.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.nvd.data; 2 | 3 | import com.fasterxml.jackson.annotation.JsonInclude; 4 | import com.fasterxml.jackson.annotation.JsonProperty; 5 | import com.fasterxml.jackson.annotation.JsonPropertyOrder; 6 | 7 | 
@JsonInclude(JsonInclude.Include.NON_NULL) 8 | @JsonPropertyOrder({ 9 | "vendor_name", 10 | "product" 11 | }) 12 | public class VendorData { 13 | 14 | @JsonProperty("vendor_name") 15 | private String vendorName; 16 | 17 | @JsonProperty("product") 18 | private Product product; 19 | 20 | @JsonProperty("vendor_name") 21 | public String getVendorName() { 22 | return vendorName; 23 | } 24 | 25 | @JsonProperty("product") 26 | public Product getProduct() { 27 | return product; 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/nvd/data/Version.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.nvd.data; 2 | 3 | import com.fasterxml.jackson.annotation.JsonInclude; 4 | import com.fasterxml.jackson.annotation.JsonProperty; 5 | import com.fasterxml.jackson.annotation.JsonPropertyOrder; 6 | import java.util.ArrayList; 7 | import java.util.List; 8 | 9 | @JsonInclude(JsonInclude.Include.NON_NULL) 10 | @JsonPropertyOrder({ 11 | "version_data" 12 | }) 13 | public class Version { 14 | 15 | @JsonProperty("version_data") 16 | private List versionData = new ArrayList<>(); 17 | } 18 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/nvd/data/VersionData.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.nvd.data; 2 | 3 | import com.fasterxml.jackson.annotation.JsonInclude; 4 | import com.fasterxml.jackson.annotation.JsonProperty; 5 | import com.fasterxml.jackson.annotation.JsonPropertyOrder; 6 | 7 | @JsonInclude(JsonInclude.Include.NON_NULL) 8 | @JsonPropertyOrder({ 9 | "version_value" 10 | }) 11 | public class VersionData { 12 | 13 | @JsonProperty("version_value") 14 | private String versionValue; 15 | } 16 | 
-------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/tool/InputString.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.tool; 2 | 3 | import com.sap.oss.phosphor.fosstars.data.UserCallback; 4 | import java.util.Objects; 5 | 6 | /** 7 | * Reads a string provided by a user. 8 | */ 9 | public class InputString { 10 | 11 | /** 12 | * A callback to interact with a user. 13 | */ 14 | private final UserCallback callback; 15 | 16 | /** 17 | * Initializes a new {@link InputString}. 18 | * 19 | * @param callback A callback to interact with a user. 20 | */ 21 | public InputString(UserCallback callback) { 22 | Objects.requireNonNull(callback, "Hey! User callback can't be null!"); 23 | this.callback = callback; 24 | } 25 | 26 | /** 27 | * Asks a user to provide a string. Keeps asking until the user provides a non-empty string. 28 | * 29 | * @return A non-empty, trimmed string provided by a user. 30 | */ 31 | public String get() { 32 | String string; 33 | while (true) { 34 | string = callback.ask(); 35 | if (string != null) { 36 | string = string.trim(); 37 | } 38 | if (string == null || string.isEmpty()) { 39 | callback.say("[!] Hmm ... Looks like an empty string. Please try again ..."); 40 | } else { 41 | break; 42 | } 43 | } 44 | return string; 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/tool/ReportConfig.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.tool; 2 | 3 | import com.fasterxml.jackson.annotation.JsonProperty; 4 | 5 | /** 6 | * A config for reporting. 7 | */ 8 | public class ReportConfig { 9 | 10 | /** 11 | * Types of reports. 12 | */ 13 | public enum ReportType { 14 | MARKDOWN, JSON, ISSUES, JSON_REPORT 15 | } 16 | 17 | /** 18 | * A type of a report. 
19 | */ 20 | final ReportType type; 21 | 22 | /** 23 | * Where a report should be stored. 24 | */ 25 | final String where; 26 | 27 | /** 28 | * A source of data. 29 | */ 30 | final String source; 31 | 32 | /** 33 | * Creates a new config. 34 | * 35 | * @param type A type of a report. 36 | * @param where Where a report should be stored. 37 | * @param source A source of data 38 | */ 39 | ReportConfig( 40 | @JsonProperty("type") ReportType type, 41 | @JsonProperty("where") String where, 42 | @JsonProperty("source") String source) { 43 | 44 | this.type = type; 45 | this.where = where; 46 | this.source = source; 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/tool/SecurityRiskIntroducedByOssHandler.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.tool; 2 | 3 | import static com.sap.oss.phosphor.fosstars.model.other.Utils.setOf; 4 | 5 | import com.sap.oss.phosphor.fosstars.model.RatingRepository; 6 | import com.sap.oss.phosphor.fosstars.model.rating.oss.SecurityRiskIntroducedByOss; 7 | import java.util.Set; 8 | 9 | /** 10 | * This handler calculates {@link SecurityRiskIntroducedByOss}. 11 | */ 12 | public class SecurityRiskIntroducedByOssHandler extends AbstractHandler { 13 | 14 | /** 15 | * Initializes a handler. 
16 | */ 17 | public SecurityRiskIntroducedByOssHandler() { 18 | super(RatingRepository.INSTANCE.rating(SecurityRiskIntroducedByOss.class)); 19 | } 20 | 21 | @Override 22 | public String supportedRatingName() { 23 | return "security-risk-from-oss"; 24 | } 25 | 26 | @Override 27 | Set supportedSubjectOptions() { 28 | return setOf("--url"); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/tool/format/AbstractMarkdownElement.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.tool.format; 2 | 3 | /** 4 | * A base class for Markdown elements. 5 | */ 6 | public abstract class AbstractMarkdownElement implements MarkdownElement { 7 | 8 | @Override 9 | public String toString() { 10 | return make(); 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/tool/format/BoldMarkdownString.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.tool.format; 2 | 3 | import static java.lang.String.format; 4 | import static java.util.Objects.requireNonNull; 5 | 6 | import org.apache.commons.lang3.StringUtils; 7 | 8 | /** 9 | * A bold string. 10 | */ 11 | public class BoldMarkdownString extends AbstractMarkdownElement { 12 | 13 | /** 14 | * A wrapped Markdown element. 15 | */ 16 | private final MarkdownElement element; 17 | 18 | /** 19 | * Make an element bold. 20 | * 21 | * @param element The element. 22 | */ 23 | public BoldMarkdownString(MarkdownElement element) { 24 | this.element = requireNonNull(element, "Oops! Element is null!"); 25 | } 26 | 27 | @Override 28 | public String make() { 29 | String string = element.make(); 30 | return Markdown.isEmpty(string) ? 
StringUtils.EMPTY : format("**%s**", string); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/tool/format/Formatter.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.tool.format; 2 | 3 | import com.sap.oss.phosphor.fosstars.model.Subject; 4 | 5 | /** 6 | * The interface of a formatter which knows how to print rating values. 7 | */ 8 | public interface Formatter { 9 | 10 | /** 11 | * Print out a formatted subject. 12 | * 13 | * @param subject The subject. 14 | * @return A formatted subject. 15 | */ 16 | String print(Subject subject); 17 | 18 | } 19 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/tool/format/JoinedMarkdownElements.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.tool.format; 2 | 3 | import static java.util.Objects.requireNonNull; 4 | import static java.util.stream.Collectors.joining; 5 | 6 | import java.util.ArrayList; 7 | import java.util.List; 8 | 9 | /** 10 | * A collection of Markdown elements that should be joined using a specified delimiter. 11 | */ 12 | public class JoinedMarkdownElements extends AbstractMarkdownElement { 13 | 14 | /** 15 | * A delimiter for the elements. 16 | */ 17 | private final String delimiter; 18 | 19 | /** 20 | * A list of elements. 21 | */ 22 | private final List elements; 23 | 24 | /** 25 | * Create a collection of joined elements. 26 | * 27 | * @param delimiter A delimiter. 28 | * @param elements A list of elements. 29 | */ 30 | JoinedMarkdownElements(String delimiter, List elements) { 31 | requireNonNull(delimiter, "Oops! Delimiter is null!"); 32 | requireNonNull(elements, "Oops! 
Elements is null!"); 33 | 34 | this.delimiter = delimiter; 35 | this.elements = new ArrayList<>(elements); 36 | } 37 | 38 | @Override 39 | public String make() { 40 | return elements.stream().map(MarkdownElement::make).collect(joining(delimiter)); 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/tool/format/MarkdownElement.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.tool.format; 2 | 3 | /** 4 | * An interface of a Markdown element. 5 | */ 6 | public interface MarkdownElement { 7 | 8 | /** 9 | * Renders the Markdown element. 10 | * 11 | * @return A Markdown-formatted text that represents the element. 12 | */ 13 | String make(); 14 | } 15 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/tool/format/MarkdownLink.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.tool.format; 2 | 3 | import static java.lang.String.format; 4 | import static java.util.Objects.requireNonNull; 5 | 6 | /** 7 | * A Markdown link. 8 | */ 9 | public class MarkdownLink extends AbstractMarkdownElement { 10 | 11 | /** 12 | * A link's text. 13 | */ 14 | private final MarkdownElement caption; 15 | 16 | /** 17 | * A link's target. 18 | */ 19 | private final String target; 20 | 21 | /** 22 | * Create a new link. 23 | * 24 | * @param caption A link's text. 25 | * @param target A link's target. 26 | */ 27 | public MarkdownLink(MarkdownElement caption, String target) { 28 | this.caption = requireNonNull(caption, "Oops! Caption is null!"); 29 | this.target = requireNonNull(target, "Oops! 
Target is null!"); 30 | } 31 | 32 | @Override 33 | public String make() { 34 | return format("[%s](%s)", caption.make(), target); 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/tool/format/MarkdownRuleIdentifier.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.tool.format; 2 | 3 | import static java.lang.String.format; 4 | import static java.util.Objects.requireNonNull; 5 | import static org.apache.commons.lang3.StringUtils.EMPTY; 6 | 7 | /** 8 | * A formatted identifier of a rule of play from the OSS RoP rating. 9 | */ 10 | public class MarkdownRuleIdentifier extends AbstractMarkdownElement { 11 | 12 | /** 13 | * A raw identifier. 14 | */ 15 | private final MarkdownElement identifier; 16 | 17 | /** 18 | * Create an identifier for a rule. 19 | * 20 | * @param identifier A rule's raw identifier. 21 | */ 22 | MarkdownRuleIdentifier(MarkdownElement identifier) { 23 | this.identifier = requireNonNull(identifier, "Oops! Identifier is null!"); 24 | } 25 | 26 | @Override 27 | public String make() { 28 | String string = identifier.make(); 29 | return Markdown.isEmpty(string) ? EMPTY : format("**[%s]**", string); 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/tool/format/MarkdownString.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.tool.format; 2 | 3 | import static java.util.Objects.requireNonNull; 4 | 5 | import org.apache.commons.lang3.StringUtils; 6 | 7 | /** 8 | * A simple Markdown string. The class just wraps a usual string. 9 | */ 10 | public class MarkdownString extends AbstractMarkdownElement { 11 | 12 | /** 13 | * An empty string. 
14 | */ 15 | static final MarkdownString EMPTY = new MarkdownString(StringUtils.EMPTY); 16 | 17 | /** 18 | * The actual string. 19 | */ 20 | private final String string; 21 | 22 | /** 23 | * Create a new Markdown string. 24 | * 25 | * @param string The actual string. 26 | */ 27 | MarkdownString(String string) { 28 | this.string = requireNonNull(string, "Oops! String is null!"); 29 | } 30 | 31 | @Override 32 | public String make() { 33 | return string; 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/tool/format/OrderedMarkdownList.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.tool.format; 2 | 3 | import java.util.List; 4 | 5 | /** 6 | * An ordered Markdown list. 7 | */ 8 | public class OrderedMarkdownList extends MarkdownList { 9 | 10 | /** 11 | * Create an ordered Markdown list. 12 | * 13 | * @param elements Elements in the list. 14 | */ 15 | OrderedMarkdownList(List elements) { 16 | super(elements, "1. "); 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/tool/format/UnorderedMarkdownList.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.tool.format; 2 | 3 | import java.util.List; 4 | 5 | /** 6 | * An unordered Markdown list with bullets. 7 | */ 8 | public class UnorderedMarkdownList extends MarkdownList { 9 | 10 | /** 11 | * Create an unordered Markdown list. 12 | * 13 | * @param elements Elements in the list. 
14 | */ 15 | UnorderedMarkdownList(List elements) { 16 | super(elements, "* "); 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /src/main/java/com/sap/oss/phosphor/fosstars/tool/report/Reporter.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.tool.report; 2 | 3 | import com.sap.oss.phosphor.fosstars.model.Subject; 4 | import com.sap.oss.phosphor.fosstars.model.subject.oss.OpenSourceProject; 5 | import java.io.IOException; 6 | import java.util.List; 7 | 8 | /** 9 | * A reporter creates a report for a number of open-source projects. 10 | * 11 | * @param A type of projects. 12 | */ 13 | public interface Reporter { 14 | 15 | /** 16 | * Runs the reporter for a list of projects. 17 | * 18 | * @param projects The projects. 19 | * @throws IOException If something went wrong. 20 | */ 21 | void runFor(List projects) throws IOException; 22 | 23 | /** 24 | * Returns a reporter that does nothing. 25 | * 26 | * @param A type of projects. 27 | * @return A reporter that does nothing. 28 | */ 29 | static Reporter dummy() { 30 | return projects -> {}; 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /src/main/jupyter/oss/security/README.md: -------------------------------------------------------------------------------- 1 | # Jupyter notebooks for analysing security ratings for open-source projects 2 | 3 | First, you need to install [Jupyter Notebook](https://jupyter.org/install). 4 | 5 | Next, run `jupyter notebook`. Then, open `SecurityRatingAnalysis.ipynb`. 
6 | -------------------------------------------------------------------------------- /src/main/resources/com/sap/oss/phosphor/fosstars/data/SecurityReview.json: -------------------------------------------------------------------------------- 1 | { 2 | "reviews" : { 3 | "https://github.com/spring-projects/spring-security-oauth" : [ 4 | { 5 | "who": "Artem Smotrakov, Phosphor (SAP)", 6 | "when": "2019-06-06", 7 | "link": "" 8 | } 9 | ] 10 | } 11 | } -------------------------------------------------------------------------------- /src/main/resources/com/sap/oss/phosphor/fosstars/data/SecurityTeams.json: -------------------------------------------------------------------------------- 1 | { 2 | "securityTeams": { 3 | "Apache projects": { 4 | "urls": [ 5 | "https://github.com/apache", 6 | "http://svn.apache.org" 7 | ], 8 | "contact": "security@apache.org", 9 | "link": "https://www.apache.org/security" 10 | }, 11 | "Eclipse projects": { 12 | "urls": [ 13 | "https://github.com/eclipse" 14 | ], 15 | "contact": "security@eclipse.org", 16 | "link": "https://www.eclipse.org/security" 17 | }, 18 | "Spring projects": { 19 | "urls": [ 20 | "https://github.com/spring-projects" 21 | ], 22 | "contact": "security@pivotal.io", 23 | "link": "https://pivotal.io/security" 24 | } 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /src/main/resources/com/sap/oss/phosphor/fosstars/data/github/experimental/graphql/first_run_template: -------------------------------------------------------------------------------- 1 | { 2 | securityVulnerabilities(first: %s, ecosystem: %s, package: \"%s\") { 3 | pageInfo { 4 | endCursor 5 | hasNextPage 6 | } 7 | nodes { 8 | firstPatchedVersion { 9 | identifier 10 | } 11 | package { 12 | name 13 | ecosystem 14 | } 15 | severity 16 | updatedAt 17 | vulnerableVersionRange 18 | advisory { 19 | identifiers { 20 | value 21 | type 22 | } 23 | databaseId 24 | description 25 | ghsaId 26 | id 27 | origin 28 | permalink 
29 | publishedAt 30 | references { 31 | url 32 | } 33 | severity 34 | summary 35 | updatedAt 36 | withdrawnAt 37 | } 38 | } 39 | } 40 | } -------------------------------------------------------------------------------- /src/main/resources/com/sap/oss/phosphor/fosstars/data/github/experimental/graphql/next_page_run_template: -------------------------------------------------------------------------------- 1 | { 2 | securityVulnerabilities(first: %s, after: \"%s\", ecosystem: %s, package: \"%s\") { 3 | pageInfo { 4 | endCursor 5 | hasNextPage 6 | } 7 | nodes { 8 | firstPatchedVersion { 9 | identifier 10 | } 11 | package { 12 | name 13 | ecosystem 14 | } 15 | severity 16 | updatedAt 17 | vulnerableVersionRange 18 | advisory { 19 | identifiers { 20 | value 21 | type 22 | } 23 | databaseId 24 | description 25 | ghsaId 26 | id 27 | origin 28 | permalink 29 | publishedAt 30 | references { 31 | url 32 | } 33 | severity 34 | summary 35 | updatedAt 36 | withdrawnAt 37 | } 38 | } 39 | } 40 | } -------------------------------------------------------------------------------- /src/main/resources/com/sap/oss/phosphor/fosstars/model/rating/example/SecurityRatingExample.json: -------------------------------------------------------------------------------- 1 | { 2 | "type" : "SecurityRatingExample", 3 | "name" : "Security rating (example)", 4 | "score" : { 5 | "type" : "SecurityScoreExample", 6 | "name" : "Security score (example)", 7 | "subScores" : [ { 8 | "type" : "ProjectActivityScoreExample", 9 | "name" : "Project activity score (example)" 10 | }, { 11 | "type" : "SecurityTestingScoreExample", 12 | "name" : "Security testing score (example)" 13 | } ], 14 | "weights" : { 15 | "values" : { 16 | "com.sap.oss.phosphor.fosstars.model.score.example.ProjectActivityScoreExample" : { 17 | "type" : "ImmutableWeight", 18 | "value" : 0.23191550842811487 19 | }, 20 | "com.sap.oss.phosphor.fosstars.model.score.example.SecurityTestingScoreExample" : { 21 | "type" : "ImmutableWeight", 22 | 
"value" : 0.5411361863322678 23 | } 24 | } 25 | } 26 | } 27 | } -------------------------------------------------------------------------------- /src/main/resources/com/sap/oss/phosphor/fosstars/model/rating/oss/OssArtifactSecurityRatingThresholds.json: -------------------------------------------------------------------------------- 1 | { 2 | "good": 5.5, 3 | "moderate": 4.5, 4 | "unclear": 8.0 5 | } -------------------------------------------------------------------------------- /src/main/resources/com/sap/oss/phosphor/fosstars/model/rating/oss/OssSecurityRatingThresholds.json: -------------------------------------------------------------------------------- 1 | { 2 | "good": 5.542402668253732, 3 | "moderate": 4.43126022913257, 4 | "unclear": 8.0 5 | } -------------------------------------------------------------------------------- /src/main/resources/com/sap/oss/phosphor/fosstars/model/score/oss/OssArtifactSecurityScoreWeights.json: -------------------------------------------------------------------------------- 1 | { 2 | "values" : { 3 | "com.sap.oss.phosphor.fosstars.model.score.oss.ArtifactVersionUpToDateScore" : { 4 | "type" : "ImmutableWeight", 5 | "value" : 0.1 6 | }, 7 | "com.sap.oss.phosphor.fosstars.model.score.oss.ArtifactLatestReleaseAgeScore" : { 8 | "type" : "ImmutableWeight", 9 | "value" : 0.1 10 | }, 11 | "com.sap.oss.phosphor.fosstars.model.score.oss.ArtifactReleaseHistoryScore" : { 12 | "type" : "ImmutableWeight", 13 | "value" : 0.5 14 | }, 15 | "com.sap.oss.phosphor.fosstars.model.score.oss.ArtifactVersionVulnerabilityScore" : { 16 | "type" : "ImmutableWeight", 17 | "value" : 1.0 18 | } 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /src/main/resources/com/sap/oss/phosphor/fosstars/model/score/oss/OssSecurityScoreWeights.yml: -------------------------------------------------------------------------------- 1 | --- 2 | values: 3 | 
com.sap.oss.phosphor.fosstars.model.score.oss.ProjectSecurityAwarenessScore: 4 | type: ImmutableWeight 5 | value: 0.9 6 | com.sap.oss.phosphor.fosstars.model.score.oss.UnpatchedVulnerabilitiesScore: 7 | type: ImmutableWeight 8 | value: 0.5 # unfortunately, we don't have a reliable source of info about unpatched vulnerabilities 9 | com.sap.oss.phosphor.fosstars.model.score.oss.ProjectPopularityScore: 10 | type: ImmutableWeight 11 | value: 0.5 12 | com.sap.oss.phosphor.fosstars.model.score.oss.ProjectActivityScore: 13 | type: ImmutableWeight 14 | value: 0.5 15 | com.sap.oss.phosphor.fosstars.model.score.oss.ProjectSecurityTestingScore: 16 | type: ImmutableWeight 17 | value: 1.0 18 | com.sap.oss.phosphor.fosstars.model.score.oss.CommunityCommitmentScore: 19 | type: ImmutableWeight 20 | value: 0.5 21 | com.sap.oss.phosphor.fosstars.model.score.oss.VulnerabilityDiscoveryAndSecurityTestingScore: 22 | type: ImmutableWeight 23 | value: 0.6 24 | com.sap.oss.phosphor.fosstars.model.score.oss.SecurityReviewScore: 25 | type: ImmutableWeight 26 | value: 0.2 # unfortunately, we don't have many reliable sources of info about security reviews 27 | -------------------------------------------------------------------------------- /src/main/resources/com/sap/oss/phosphor/fosstars/model/score/oss/ProjectSecurityTestingScoreWeights.yml: -------------------------------------------------------------------------------- 1 | --- 2 | values: 3 | com.sap.oss.phosphor.fosstars.model.score.oss.MemorySafetyTestingScore: 4 | type: ImmutableWeight 5 | value: 1.0 6 | com.sap.oss.phosphor.fosstars.model.score.oss.StaticAnalysisScore: 7 | type: ImmutableWeight 8 | value: 1.0 9 | com.sap.oss.phosphor.fosstars.model.score.oss.DependencyScanScore: 10 | type: ImmutableWeight 11 | value: 1.0 12 | com.sap.oss.phosphor.fosstars.model.score.oss.NoHttpToolScore: 13 | type: ImmutableWeight 14 | value: 0.2 # NoHTTP flags every http:// link, which may result in many false positives, so its weight is kept low 15 | 
com.sap.oss.phosphor.fosstars.model.score.oss.FuzzingScore: 16 | type: ImmutableWeight 17 | value: 1.0 18 | -------------------------------------------------------------------------------- /src/main/resources/com/sap/oss/phosphor/fosstars/tool/format/OssArtifactSecurityRatingMarkdownRatingValueTemplate.md: -------------------------------------------------------------------------------- 1 | # OSS Artifact Security Rating 2 | 3 | **Rating label**: %RATING_LABEL% (%SCORE_VALUE%, max score is %MAX_SCORE%) 4 | **Confidence**: %CONFIDENCE_LABEL% (%CONFIDENCE_VALUE%, max confidence value is %MAX_CONFIDENCE%) 5 | 6 | ## Advice 7 | 8 | %ADVICE% 9 | 10 | ## %MAIN_SCORE_NAME% 11 | 12 | %MAIN_SCORE_VALUE_DETAILS% 13 | 14 | ## Details to all sub-scores 15 | 16 | %SUB_SCORE_DETAILS% 17 | -------------------------------------------------------------------------------- /src/main/resources/com/sap/oss/phosphor/fosstars/tool/format/OssRulesOfPlayMarkdownRatingValueTemplate.md: -------------------------------------------------------------------------------- 1 | **Status**: **%STATUS%** 2 | 3 | **Confidence**: %CONFIDENCE_LABEL% (%CONFIDENCE_VALUE%, max confidence value is %MAX_CONFIDENCE%) 4 | 5 | %VIOLATED_RULES% 6 | 7 | %WARNINGS% 8 | 9 | %UNCLEAR_RULES% 10 | 11 | %PASSED_RULES% 12 | 13 | %ADVICE% 14 | -------------------------------------------------------------------------------- /src/main/resources/com/sap/oss/phosphor/fosstars/tool/format/OssSecurityRatingMarkdownRatingValueTemplate.md: -------------------------------------------------------------------------------- 1 | **Rating**: **%RATING_LABEL%** 2 | 3 | **Score**: **%SCORE_VALUE%**, max score value is %MAX_SCORE% 4 | 5 | **Confidence**: %CONFIDENCE_LABEL% (%CONFIDENCE_VALUE%, max confidence value is %MAX_CONFIDENCE%) 6 | 7 | ## Details 8 | 9 | The rating is based on **%MAIN_SCORE_NAME%**. 
10 | 11 | %MAIN_SCORE_DESCRIPTION% 12 | 13 | %MAIN_SCORE_EXPLANATION% 14 | 15 | It used the following sub-scores: 16 | 17 | %MAIN_SCORE_VALUE_DETAILS% 18 | 19 | %ADVICE% 20 | 21 | ## Sub-scores 22 | 23 | Below are the details about all the used sub-scores. 24 | 25 | %SUB_SCORE_DETAILS% 26 | 27 | ## Known vulnerabilities 28 | 29 | %INFO_ABOUT_VULNERABILITIES% 30 | -------------------------------------------------------------------------------- /src/main/resources/com/sap/oss/phosphor/fosstars/tool/report/MarkdownProjectDetailsTemplate.md: -------------------------------------------------------------------------------- 1 | # %PROJECT_NAME% 2 | 3 | %PROJECT_URL% 4 | 5 | Last updated on %UPDATED_DATE% 6 | 7 | %DETAILS% 8 | -------------------------------------------------------------------------------- /src/main/resources/com/sap/oss/phosphor/fosstars/tool/report/OssRulesOfPlayMarkdownReporterTemplate.md: -------------------------------------------------------------------------------- 1 | # Open Source Rules of Play 2 | 3 | ## Overall Statistics 4 | 5 | | | # of projects | % of projects | 6 | | :------------------------ | -------------------------------: | ---------------------------------: | 7 | | Total | %NUMBER_OF_PROJECTS% | 100% | 8 | | Failed | %NUMBER_FAILED_PROJECTS% | %PERCENT_FAILED_PROJECTS%% | 9 | | Passed with warnings | %NUMBER_PROJECTS_WITH_WARNINGS% | %PERCENT_PROJECTS_WITH_WARNINGS%% | 10 | | Passed | %NUMBER_PASSED_PROJECTS% | %PERCENT_PASSED_PROJECTS%% | 11 | | Unclear | %NUMBER_UNCLEAR_PROJECTS% | %PERCENT_UNCLEAR_PROJECTS%% | 12 | 13 | ## Statistics per Rule 14 | %PER_RULE_STATISTICS% 15 | 16 | ## Projects 17 | 18 | | Project | Status | # of violated rules | 19 | | ------- | :----- | :------------------ | 20 | %PROJECT_TABLE% 21 | -------------------------------------------------------------------------------- /src/main/resources/log4j2.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/ScoreCollector.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars;

import com.sap.oss.phosphor.fosstars.model.Feature;
import com.sap.oss.phosphor.fosstars.model.Parameter;
import com.sap.oss.phosphor.fosstars.model.Rating;
import com.sap.oss.phosphor.fosstars.model.Score;
import com.sap.oss.phosphor.fosstars.model.Visitor;
import java.util.ArrayList;
import java.util.List;

// NOTE(review): generic type arguments (for example List<Score>) appear to have been
// stripped by the page rendering; the raw types below are reproduced as shown.
/**
 * A {@link Visitor} used in tests that collects every {@link Score} it is shown.
 * Ratings, features and parameters are accepted but ignored.
 */
public class ScoreCollector implements Visitor {

  // Collected scores, in the order they were visited.
  private final List scores = new ArrayList<>();

  /**
   * Remembers a visited score.
   *
   * @param score The visited score.
   */
  @Override
  public void visit(Score score) {
    scores.add(score);
  }

  /**
   * Ratings are ignored.
   *
   * @param rating Ignored.
   */
  @Override
  public void visit(Rating rating) {
    // do nothing
  }

  /**
   * Features are ignored.
   *
   * @param feature Ignored.
   */
  @Override
  public void visit(Feature feature) {
    // do nothing
  }

  /**
   * Parameters are ignored.
   *
   * @param parameter Ignored.
   */
  @Override
  public void visit(Parameter parameter) {
    // do nothing
  }

  /**
   * Returns the scores collected so far.
   *
   * @return A new list holding the collected scores; the collector's internal
   *         list is never handed out, so callers cannot modify its state.
   */
  public List scores() {
    return new ArrayList<>(scores);
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/advice/oss/OssAdviceContentYamlStorageTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.advice.oss;

import static com.sap.oss.phosphor.fosstars.advice.oss.OssAdviceContentYamlStorage.OssAdviceContext.EMPTY_OSS_CONTEXT;
import static com.sap.oss.phosphor.fosstars.model.feature.oss.OssFeatures.NUMBER_OF_COLLABORATORS;
import static com.sap.oss.phosphor.fosstars.model.feature.oss.OssFeatures.USES_CODEQL_CHECKS;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import
com.sap.oss.phosphor.fosstars.advice.AdviceContent;
import java.net.MalformedURLException;
import java.util.List;
import org.junit.Test;

/**
 * Tests for the default {@link OssAdviceContentYamlStorage}.
 */
public class OssAdviceContentYamlStorageTest {

  /**
   * With an empty OSS context, the default storage must offer at least one piece of
   * advice for USES_CODEQL_CHECKS (with non-empty text and links) and none for
   * NUMBER_OF_COLLABORATORS.
   */
  // NOTE(review): the AdviceContent import suggests this was List<AdviceContent>;
  // the type argument looks stripped by the page rendering.
  @Test
  public void testDefault() throws MalformedURLException {
    List advice = OssAdviceContentYamlStorage.DEFAULT.adviceFor(
        USES_CODEQL_CHECKS, EMPTY_OSS_CONTEXT);
    assertFalse(advice.isEmpty());
    assertFalse(advice.get(0).text().isEmpty());
    assertFalse(advice.get(0).links().isEmpty());

    assertTrue(OssAdviceContentYamlStorage.DEFAULT.adviceFor(
        NUMBER_OF_COLLABORATORS, EMPTY_OSS_CONTEXT).isEmpty());
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/data/NoUserCallbackTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data;

import static org.junit.Assert.assertFalse;

import org.junit.Test;

/**
 * Tests for {@link NoUserCallback}: the non-interactive callback must report that it
 * cannot talk, and every attempt to ask or say something must be rejected with
 * {@link UnsupportedOperationException}.
 */
public class NoUserCallbackTest {

  @Test
  public void testCanNotTalk() {
    assertFalse(NoUserCallback.INSTANCE.canTalk());
  }

  @Test(expected = UnsupportedOperationException.class)
  public void testCanNotAsk() {
    NoUserCallback.INSTANCE.ask();
  }

  @Test(expected = UnsupportedOperationException.class)
  public void testCanNotAskQuestion() {
    NoUserCallback.INSTANCE.ask("hmm?");
  }

  @Test(expected = UnsupportedOperationException.class)
  public void testCanNotSay() {
    NoUserCallback.INSTANCE.say("oops");
  }

}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/data/NoValueCacheTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;

import com.sap.oss.phosphor.fosstars.model.value.ValueHashSet;
import java.util.Date;
import org.junit.Test;

/**
 * Tests for {@link NoValueCache}, a cache that is expected to store nothing:
 * after a put, a get for the same key must come back empty.
 */
public class NoValueCacheTest {

  @Test
  public void testPutAndGet() {
    NoValueCache cache = NoValueCache.create();
    Object key = new Object();
    cache.put(key, new ValueHashSet());
    // NOTE(review): this checks the size of a freshly created cache, not of `cache`
    // that received the put; `cache.size()` is presumably what was intended.
    assertEquals(0, NoValueCache.create().size());
    assertFalse(cache.get(key).isPresent());
  }

  @Test
  public void testPutAndGetWithExpiration() {
    NoValueCache cache = NoValueCache.create();
    Object key = new Object();
    // Same as above, but using the put(...) overload that takes an expiration date.
    cache.put(key, new ValueHashSet(), new Date());
    // NOTE(review): same remark as in testPutAndGet — a new cache is measured here.
    assertEquals(0, NoValueCache.create().size());
    assertFalse(cache.get(key).isPresent());
  }

  @Test
  public void testSize() {
    assertEquals(0, NoValueCache.create().size());
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/data/TerminalTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data;

import static org.junit.Assert.assertTrue;

import org.junit.Test;

/**
 * Tests for {@link Terminal}: a freshly constructed terminal reports that it can talk.
 */
public class TerminalTest {

  @Test
  public void canTalk() {
    assertTrue(new Terminal().canTalk());
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/data/github/HasBugBountyProgramTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data.github;

import static com.sap.oss.phosphor.fosstars.model.feature.oss.OssFeatures.HAS_BUG_BOUNTY_PROGRAM;
import static org.junit.Assert.assertEquals;

import com.sap.oss.phosphor.fosstars.model.subject.oss.GitHubProject;
import java.io.IOException;
import org.junit.Test;

/**
 * Tests for {@link HasBugBountyProgram}. The {@code fetcher} used below is inherited
 * from {@link TestGitHubDataFetcherHolder}, which is not part of this listing.
 */
public class HasBugBountyProgramTest extends TestGitHubDataFetcherHolder {

  @Test
  public void supportedFeature() throws IOException {
    HasBugBountyProgram provider = new HasBugBountyProgram(fetcher);
    // NOTE(review): JUnit's assertEquals takes (expected, actual); the sibling tests
    // in this package pass the feature constant first.
    assertEquals(provider.supportedFeature(), HAS_BUG_BOUNTY_PROGRAM);
  }

  /**
   * curl/curl is expected to be known as having a bug bounty program,
   * an arbitrary other/test project is expected not to.
   */
  @Test
  public void fetchValueFor() throws IOException {
    HasBugBountyProgram provider = new HasBugBountyProgram(fetcher);

    GitHubProject curl = new GitHubProject("curl", "curl");
    assertEquals(HAS_BUG_BOUNTY_PROGRAM.value(true), provider.fetchValueFor(curl));

    GitHubProject other = new GitHubProject("other", "test");
    assertEquals(HAS_BUG_BOUNTY_PROGRAM.value(false), provider.fetchValueFor(other));
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/data/github/HasCompanySupportTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data.github;

import static com.sap.oss.phosphor.fosstars.model.feature.oss.OssFeatures.SUPPORTED_BY_COMPANY;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;

import com.sap.oss.phosphor.fosstars.model.Value;
import com.sap.oss.phosphor.fosstars.model.subject.oss.GitHubProject;
import java.io.IOException;
import org.junit.Test;

/**
 * Tests for {@link HasCompanySupport}. The {@code fetcher} is inherited from
 * {@link TestGitHubDataFetcherHolder}; whether these tests touch the network depends
 * on that holder, which is not shown here.
 */
public class HasCompanySupportTest extends TestGitHubDataFetcherHolder {

  @Test
  public void testSupportedFeature() throws IOException {
    HasCompanySupport provider = new HasCompanySupport(fetcher);
    assertEquals(SUPPORTED_BY_COMPANY, provider.supportedFeature());
  }

  /**
   * GoogleChrome/lighthouse is expected to yield a known value of {@code true}.
   */
  @Test
  public void testGoogleLighthouse() throws IOException {
    HasCompanySupport provider = new HasCompanySupport(fetcher);
    GitHubProject project = GitHubProject.parse("https://github.com/GoogleChrome/lighthouse");
    Value value = provider.fetchValueFor(project);
    assertFalse(value.isUnknown());
    assertEquals(true, value.get());
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/data/github/IsEclipseTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data.github;

import static com.sap.oss.phosphor.fosstars.model.feature.oss.OssFeatures.IS_ECLIPSE;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import com.sap.oss.phosphor.fosstars.model.subject.oss.GitHubProject;
import java.io.IOException;
import org.junit.Test;


/**
 * Tests for {@link IsEclipse}: projects under the eclipse and eclipse-ee4j
 * organizations are expected to be recognized as Eclipse projects, an Apache
 * project is not.
 */
public class IsEclipseTest extends TestGitHubDataFetcherHolder {

  @Test
  public void testProjects() throws IOException {
    IsEclipse provider = new IsEclipse(fetcher);
    assertTrue(provider.fetchValueFor(
        GitHubProject.parse("https://github.com/eclipse/jgit")).get());
    assertTrue(provider.fetchValueFor(
        GitHubProject.parse("https://github.com/eclipse-ee4j/eclipselink")).get());
    assertFalse(provider.fetchValueFor(
        GitHubProject.parse("https://github.com/apache/nifi")).get());
  }

  @Test
  public void testSupportedFeature() {
    assertEquals(IS_ECLIPSE, new IsEclipse(fetcher).supportedFeature());
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/data/github/LocalRepositoryInfoTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data.github;

import static org.junit.Assert.assertEquals;

import com.sap.oss.phosphor.fosstars.util.Json;
import
java.io.IOException;
import java.net.URL;
import java.nio.file.Paths;
import java.util.Date;
import org.junit.Test;

/**
 * Tests for {@link LocalRepositoryInfo}.
 */
public class LocalRepositoryInfoTest {

  /**
   * A JSON round trip through {@link Json} must preserve the update date,
   * the repository path and the URL.
   */
  @Test
  public void testSerialization() throws IOException {
    LocalRepositoryInfo info = new LocalRepositoryInfo(
        Paths.get("."), new Date(), new URL("https://scm/org/test"));
    LocalRepositoryInfo clone = Json.mapper().readValue(
        Json.toBytes(info), LocalRepositoryInfo.class);
    assertEquals(info.updated(), clone.updated());
    // "." is a relative path, so both sides are normalized to absolute paths before comparing.
    assertEquals(info.path().toAbsolutePath(), clone.path().toAbsolutePath());
    assertEquals(info.url(), clone.url());
  }

}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/data/json/SecurityTeamStorageTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.data.json;

import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import java.io.IOException;
import org.junit.Test;

/**
 * Tests for {@link SecurityTeamStorage}: lookups by project URL for two projects
 * that are expected to be listed, and one that is not.
 */
public class SecurityTeamStorageTest {

  @Test
  public void testSpringSecurityOAuth() throws IOException {
    SecurityTeamStorage storage = SecurityTeamStorage.load();
    assertTrue(storage.existsFor("https://github.com/spring-projects/spring-security-oauth"));
  }

  @Test
  public void testApachePoi() throws IOException {
    SecurityTeamStorage storage = SecurityTeamStorage.load();
    assertTrue(storage.existsFor("https://github.com/apache/poi"));
  }

  @Test
  public void testUnknown() throws IOException {
    SecurityTeamStorage storage = SecurityTeamStorage.load();
    assertFalse(storage.existsFor("https://github.com/unknown/project"));
  }

}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/model/feature/LgtmGradeFeatureTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.feature;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;

import com.sap.oss.phosphor.fosstars.util.Json;
import java.io.IOException;
import org.junit.Test;

/**
 * Tests for {@link LgtmGradeFeature}.
 */
public class LgtmGradeFeatureTest {

  /**
   * A JSON round trip must produce an equal feature with the same hash code.
   */
  @Test
  public void serializeAndDeserialize() throws IOException {
    LgtmGradeFeature feature = new LgtmGradeFeature("feature");
    byte[] bytes = Json.toBytes(feature);
    assertNotNull(bytes);
    assertTrue(bytes.length > 0);

    Object clone = Json.read(bytes, LgtmGradeFeature.class);
    assertNotNull(clone);
    assertEquals(feature, clone);
    assertEquals(feature.hashCode(), clone.hashCode());
  }

}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/model/feature/StringFeatureTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.feature;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

import com.sap.oss.phosphor.fosstars.model.Value;
import com.sap.oss.phosphor.fosstars.util.Json;
import java.io.IOException;
import org.junit.Test;

/**
 * Tests for {@link StringFeature}.
 */
public class StringFeatureTest {

  /**
   * Parsing a string produces a value that holds exactly that string.
   */
  @Test
  public void parse() {
    Value value = new StringFeature("name").parse("1.2.3");
    assertEquals("1.2.3", value.get());
  }

  /**
   * A JSON round trip must produce a symmetrically equal feature with the same hash code.
   */
  @Test
  public void serializationAndDeserialization() throws IOException {
    StringFeature feature = new StringFeature("ArtifactVersionFeature");
    StringFeature clone = Json.read(Json.toBytes(feature), StringFeature.class);
    assertEquals(feature, clone);
    assertTrue(feature.equals(clone) && clone.equals(feature));
    assertEquals(feature.hashCode(), clone.hashCode());
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/model/feature/oss/ArtifactVersionFeatureTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.feature.oss;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

import com.sap.oss.phosphor.fosstars.util.Json;
import java.io.IOException;
import org.junit.Test;

/**
 * Tests for {@link ArtifactVersionFeature}.
 */
public class ArtifactVersionFeatureTest {

  /**
   * The feature does not support parsing a value from a string.
   */
  @Test(expected = UnsupportedOperationException.class)
  public void testParseNotSupported() {
    new ArtifactVersionFeature("name").parse("1.2.3");
  }

  /**
   * A JSON round trip must produce a symmetrically equal feature with the same hash code.
   */
  // NOTE(review): unlike the sibling feature tests, this one has no
  // `assertEquals(feature, clone)`; adding it would keep the tests consistent.
  @Test
  public void testSerializationAndDeserialization() throws IOException {
    ArtifactVersionFeature feature = new ArtifactVersionFeature("ArtifactVersionFeature");
    ArtifactVersionFeature clone = Json.read(Json.toBytes(feature), ArtifactVersionFeature.class);
    assertTrue(feature.equals(clone) && clone.equals(feature));
    assertEquals(feature.hashCode(), clone.hashCode());
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/model/feature/oss/ArtifactVersionsFeatureTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.feature.oss;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

import com.sap.oss.phosphor.fosstars.util.Json;
import java.io.IOException;
import org.junit.Test;

/**
 * Tests for {@link ArtifactVersionsFeature}.
 */
public class ArtifactVersionsFeatureTest {

  /**
   * The feature does not support parsing a value from a string.
   */
  @Test(expected = UnsupportedOperationException.class)
  public void testParseNotSupported() {
    new ArtifactVersionsFeature("name").parse("1.2.3");
  }

  /**
   * A JSON round trip must produce a symmetrically equal feature with the same hash code.
   */
  @Test
  public void testSerializationAndDeserialization() throws IOException {
    ArtifactVersionsFeature feature = new ArtifactVersionsFeature("ArtifactVersionFeature");
    ArtifactVersionsFeature clone = Json.read(Json.toBytes(feature), ArtifactVersionsFeature.class);
    assertEquals(feature, clone);
    assertTrue(feature.equals(clone) && clone.equals(feature));
    assertEquals(feature.hashCode(), clone.hashCode());
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/model/feature/oss/LanguagesFeatureTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.feature.oss;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

import com.sap.oss.phosphor.fosstars.util.Json;
import java.io.IOException;
import org.junit.Test;

/**
 * Tests for {@link LanguagesFeature}.
 */
public class LanguagesFeatureTest {

  /**
   * A JSON round trip must produce a symmetrically equal feature with the same hash code.
   */
  @Test
  public void serializationAndDeserialization() throws IOException {
    LanguagesFeature feature = new LanguagesFeature("test");
    LanguagesFeature clone = Json.read(Json.toBytes(feature), LanguagesFeature.class);
    assertEquals(feature, clone);
    assertTrue(feature.equals(clone) && clone.equals(feature));
    assertEquals(feature.hashCode(), clone.hashCode());
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/model/feature/oss/PackageManagersFeatureTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.feature.oss;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

import
com.sap.oss.phosphor.fosstars.util.Json;
import java.io.IOException;
import org.junit.Test;

/**
 * Tests for {@link PackageManagersFeature}.
 */
public class PackageManagersFeatureTest {

  /**
   * A JSON round trip must produce a symmetrically equal feature with the same hash code.
   */
  @Test
  public void testSerializationAndDeserialization() throws IOException {
    PackageManagersFeature feature = new PackageManagersFeature("test");
    PackageManagersFeature clone = Json.read(Json.toBytes(feature), PackageManagersFeature.class);
    assertEquals(feature, clone);
    assertTrue(feature.equals(clone) && clone.equals(feature));
    assertEquals(feature.hashCode(), clone.hashCode());
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/model/feature/oss/SecurityReviewsFeatureTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.feature.oss;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

import com.sap.oss.phosphor.fosstars.util.Json;
import java.io.IOException;
import org.junit.Test;

/**
 * Tests for {@link SecurityReviewsFeature}.
 */
public class SecurityReviewsFeatureTest {

  /**
   * A JSON round trip must produce a symmetrically equal feature with the same hash code.
   */
  @Test
  public void testJsonSerialization() throws IOException {
    SecurityReviewsFeature feature = new SecurityReviewsFeature("test");
    SecurityReviewsFeature clone = Json.read(Json.toBytes(feature), SecurityReviewsFeature.class);
    assertTrue(feature.equals(clone) && clone.equals(feature));
    assertEquals(feature.hashCode(), clone.hashCode());
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/model/other/UtilsTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.other;

import static org.junit.Assert.assertNotNull;

import java.util.Date;
import org.junit.Test;

/**
 * Tests for {@link Utils}.
 */
public class UtilsTest {

  /**
   * Utils.date() must accept both a "Mon d, yyyy" style string and an ISO-8601
   * timestamp. Only non-nullness is checked, not the parsed instant.
   */
  @Test
  public void date() {
    Date date;

    date = Utils.date("Jan 12, 1952");
    assertNotNull(date);

    date = Utils.date("2018-01-29T17:29Z");
    assertNotNull(date);
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/model/rating/example/SecurityRatingExampleVectorsTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.rating.example;

import static org.junit.Assert.assertNotNull;

import com.sap.oss.phosphor.fosstars.model.RatingRepository;
import com.sap.oss.phosphor.fosstars.model.qa.VerificationFailedException;
import org.junit.Test;

/**
 * Runs the test vectors for {@link SecurityRatingExample} taken from the rating repository.
 */
public class SecurityRatingExampleVectorsTest {

  /**
   * Loads the example rating and runs its verification; a failing vector surfaces
   * as {@link VerificationFailedException}.
   */
  @Test
  public void verify() throws VerificationFailedException {
    SecurityRatingExample rating = RatingRepository.INSTANCE.rating(SecurityRatingExample.class);
    assertNotNull(rating);
    new SecurityRatingExampleVerification(rating).run();
  }

}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/model/rating/oss/TestArtifactVersion.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.rating.oss;

import com.fasterxml.jackson.annotation.JsonProperty;
import com.sap.oss.phosphor.fosstars.model.value.ArtifactVersion;
import java.time.Duration;
import java.time.LocalDateTime;

/**
 * An artifact version for testing. Its release date is expressed as an age
 * relative to the moment the object is created.
 */
public class TestArtifactVersion extends ArtifactVersion {

  /**
   * Creates a new artifact version for testing.
   *
   * @param version A version string.
   * @param age An age of the artifact as an ISO-8601 duration string accepted by
   *            {@link Duration#parse(CharSequence)}; an invalid string makes the
   *            constructor throw {@code DateTimeParseException}.
   */
  public TestArtifactVersion(
      @JsonProperty("version") String version,
      @JsonProperty("age") String age) {

    // The release date is "now minus age", so it depends on when the test runs.
    super(version, LocalDateTime.now().minus(Duration.parse(age)));
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/model/score/FeatureBasedScoreTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.score;

import com.sap.oss.phosphor.fosstars.model.Feature;
import com.sap.oss.phosphor.fosstars.model.Value;
import com.sap.oss.phosphor.fosstars.model.score.example.ExampleScores;
import com.sap.oss.phosphor.fosstars.model.value.ScoreValue;
import org.junit.Test;

/**
 * Tests for {@link FeatureBasedScore}.
 */
public class FeatureBasedScoreTest {

  /**
   * Passing a score where features are expected must be rejected with
   * {@link IllegalArgumentException}.
   */
  @Test(expected = IllegalArgumentException.class)
  public void testWithScore() {
    new TestScore("test", ExampleScores.PROJECT_ACTIVITY_SCORE_EXAMPLE);
  }

  /**
   * A minimal subclass that only exists to exercise the constructor;
   * calculate() is never expected to be called.
   */
  private static class TestScore extends FeatureBasedScore {

    TestScore(String name, Feature... features) {
      super(name, features);
    }

    // NOTE(review): the type argument of Value (likely Value<?>) appears stripped
    // by the page rendering.
    @Override
    public ScoreValue calculate(Value... values) {
      throw new UnsupportedOperationException();
    }
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/model/value/ArtifactVersionValueTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.value;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

import com.sap.oss.phosphor.fosstars.model.feature.oss.ArtifactVersionFeature;
import com.sap.oss.phosphor.fosstars.util.Json;
import java.io.IOException;
import java.time.LocalDateTime;
import org.junit.Test;

/**
 * Tests for {@link ArtifactVersionValue}.
 */
public class ArtifactVersionValueTest {

  /**
   * A JSON round trip must produce an equal value whose wrapped version keeps its
   * version string, release date and semantic version.
   */
  @Test
  public void testSerializationAndDeserialization() throws IOException {
    ArtifactVersionFeature feature = new ArtifactVersionFeature("test");
    ArtifactVersion versions = new ArtifactVersion("1.1.1", LocalDateTime.now());
    ArtifactVersionValue value = new ArtifactVersionValue(feature, versions);
    ArtifactVersionValue clone = Json.read(Json.toBytes(value), ArtifactVersionValue.class);
    assertTrue(value.equals(clone) && clone.equals(value));
    assertEquals(value.hashCode(), clone.hashCode());
    assertEquals(value.get().version(), clone.get().version());
    assertEquals(value.get().releaseDate(), clone.get().releaseDate());
    assertEquals(value.get().getSemanticVersion(), clone.get().getSemanticVersion());
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/model/value/ArtifactVersionsValueTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.value;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

import
com.sap.oss.phosphor.fosstars.model.feature.oss.ArtifactVersionsFeature;
import com.sap.oss.phosphor.fosstars.util.Json;
import java.io.IOException;
import java.time.LocalDateTime;
import org.junit.Test;

/**
 * Tests for {@link ArtifactVersionsValue}.
 */
public class ArtifactVersionsValueTest {

  /**
   * A JSON round trip must produce an equal value with the same number of versions.
   */
  @Test
  public void testSerializationAndDeserialization() throws IOException {
    ArtifactVersionsFeature feature = new ArtifactVersionsFeature("test");
    ArtifactVersions versions = new ArtifactVersions(
        new ArtifactVersion("1.1.1", LocalDateTime.now()));
    ArtifactVersionsValue value = new ArtifactVersionsValue(feature, versions);
    ArtifactVersionsValue clone = Json.read(Json.toBytes(value), ArtifactVersionsValue.class);
    assertTrue(value.equals(clone) && clone.equals(value));
    assertEquals(value.hashCode(), clone.hashCode());
    assertEquals(value.get().sortByReleaseDate().size(), clone.get().sortByReleaseDate().size());
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/model/value/DoubleValueTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.value;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;

import com.sap.oss.phosphor.fosstars.model.feature.DoubleFeature;
import com.sap.oss.phosphor.fosstars.util.Json;
import java.io.IOException;
import org.junit.Test;

/**
 * Tests for {@link DoubleValue}.
 */
public class DoubleValueTest {

  /**
   * A JSON round trip must produce an equal value with the same hash code.
   */
  @Test
  public void testSerialization() throws IOException {
    DoubleValue value = new DoubleValue(new DoubleFeature("test"), 10.1);
    byte[] bytes = Json.toBytes(value);
    assertNotNull(bytes);
    assertTrue(bytes.length > 0);

    DoubleValue clone = Json.read(bytes, DoubleValue.class);
    assertNotNull(clone);
    assertEquals(value, clone);
    assertEquals(value.hashCode(), clone.hashCode());
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/model/value/IntegerValueTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.value;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;

import com.sap.oss.phosphor.fosstars.model.feature.PositiveIntegerFeature;
import com.sap.oss.phosphor.fosstars.util.Json;
import java.io.IOException;
import org.junit.Test;

/**
 * Tests for {@link IntegerValue}.
 */
public class IntegerValueTest {

  /**
   * A JSON round trip must produce an equal value with the same hash code.
   */
  @Test
  public void testSerialization() throws IOException {
    IntegerValue integerValue = new IntegerValue(new PositiveIntegerFeature("test"), 10);
    byte[] bytes = Json.toBytes(integerValue);
    assertNotNull(bytes);
    assertTrue(bytes.length > 0);

    IntegerValue clone = Json.read(bytes, IntegerValue.class);
    assertNotNull(clone);
    assertEquals(integerValue, clone);
    assertEquals(integerValue.hashCode(), clone.hashCode());
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/model/value/LanguagesValueTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.value;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

import com.sap.oss.phosphor.fosstars.model.feature.oss.LanguagesFeature;
import com.sap.oss.phosphor.fosstars.util.Json;
import java.io.IOException;
import org.junit.Test;

/**
 * Tests for {@link LanguagesValue}.
 */
public class LanguagesValueTest {

  /**
   * A JSON round trip must produce a symmetrically equal value with the same hash code.
   */
  @Test
  public void serializationAndDeserialization() throws IOException {
    LanguagesFeature feature = new LanguagesFeature("test");
    LanguagesValue value = new LanguagesValue(feature, new Languages(Language.JAVA, Language.C));
    LanguagesValue clone = Json.read(Json.toBytes(value), LanguagesValue.class);
    assertTrue(value.equals(clone) && clone.equals(value));
    assertEquals(value.hashCode(), clone.hashCode());
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/model/value/LgtmGradeTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.value;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;

import com.sap.oss.phosphor.fosstars.util.Json;
import java.io.IOException;
import org.junit.Test;

/**
 * Tests for {@link LgtmGrade}.
 */
public class LgtmGradeTest {

  /**
   * Serializing LgtmGrade.E to JSON and back must yield the same constant.
   */
  @Test
  public void testSerializeAndDeserialize() throws IOException {
    byte[] bytes = Json.toBytes(LgtmGrade.E);
    assertNotNull(bytes);
    assertTrue(bytes.length > 0);

    Object clone = Json.read(bytes, LgtmGrade.class);
    assertNotNull(clone);
    assertEquals(LgtmGrade.E, clone);
    assertEquals(LgtmGrade.E.hashCode(), clone.hashCode());
  }

}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/model/value/LgtmGradeValueTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.value;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;

import com.sap.oss.phosphor.fosstars.model.feature.LgtmGradeFeature;
import com.sap.oss.phosphor.fosstars.util.Json;
import java.io.IOException;
import
org.junit.Test;

/**
 * Tests for {@link LgtmGradeValue}.
 */
public class LgtmGradeValueTest {

  /**
   * A value created through the feature must survive a JSON round trip
   * as an equal object with the same hash code.
   */
  @Test
  public void testSerializeAndDeserialize() throws IOException {
    LgtmGradeFeature feature = new LgtmGradeFeature("feature");
    LgtmGradeValue a = feature.value(LgtmGrade.A_PLUS);
    byte[] bytes = Json.toBytes(a);
    assertNotNull(bytes);
    assertTrue(bytes.length > 0);

    Object clone = Json.read(bytes, LgtmGradeValue.class);
    assertNotNull(clone);
    assertEquals(a, clone);
    assertEquals(a.hashCode(), clone.hashCode());
  }

}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/model/value/PackageManagersValueTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.model.value;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

import com.sap.oss.phosphor.fosstars.model.feature.oss.PackageManagersFeature;
import com.sap.oss.phosphor.fosstars.util.Json;
import java.io.IOException;
import org.junit.Test;

/**
 * Tests for {@link PackageManagersValue}.
 */
public class PackageManagersValueTest {

  /**
   * A JSON round trip must produce a symmetrically equal value with the same hash code.
   */
  @Test
  public void testSerializationAndDeserialization() throws IOException {
    PackageManagersFeature feature = new PackageManagersFeature("test");
    PackageManagersValue value = new PackageManagersValue(
        feature, new PackageManagers(PackageManager.MAVEN, PackageManager.OTHER));
    PackageManagersValue clone = Json.read(Json.toBytes(value), PackageManagersValue.class);
    assertTrue(value.equals(clone) && clone.equals(value));
    assertEquals(value.hashCode(), clone.hashCode());
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/model/value/ReferenceTest.java:
--------------------------------------------------------------------------------
package
com.sap.oss.phosphor.fosstars.model.value; 2 | 3 | import static org.junit.Assert.assertEquals; 4 | import static org.junit.Assert.assertNotNull; 5 | import static org.junit.Assert.assertTrue; 6 | 7 | import com.sap.oss.phosphor.fosstars.util.Json; 8 | import java.io.IOException; 9 | import java.net.URL; 10 | import org.junit.Test; 11 | 12 | public class ReferenceTest { 13 | 14 | @Test 15 | public void testSerialization() throws IOException { 16 | Reference reference = new Reference("test", new URL("https://blog/post/1")); 17 | byte[] bytes = Json.toBytes(reference); 18 | assertNotNull(bytes); 19 | assertTrue(bytes.length > 0); 20 | Reference clone = Json.read(bytes, Reference.class); 21 | assertEquals(reference, clone); 22 | } 23 | 24 | } -------------------------------------------------------------------------------- /src/test/java/com/sap/oss/phosphor/fosstars/model/value/SecurityReviewsValueTest.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.model.value; 2 | 3 | import static org.junit.Assert.assertEquals; 4 | import static org.junit.Assert.assertTrue; 5 | 6 | import com.sap.oss.phosphor.fosstars.model.feature.oss.SecurityReviewsFeature; 7 | import com.sap.oss.phosphor.fosstars.util.Json; 8 | import java.io.IOException; 9 | import java.util.Date; 10 | import org.junit.Test; 11 | 12 | public class SecurityReviewsValueTest { 13 | 14 | @Test 15 | public void testJsonSerialization() throws IOException { 16 | SecurityReview firstReview = new SecurityReview(new Date(1), 0.0); 17 | SecurityReview secondReview = new SecurityReview(new Date(2), 1.0); 18 | SecurityReviews reviews = new SecurityReviews(firstReview, secondReview); 19 | SecurityReviewsFeature feature = new SecurityReviewsFeature("feature"); 20 | SecurityReviewsValue value = new SecurityReviewsValue(feature, reviews); 21 | 22 | SecurityReviewsValue clone = Json.read(Json.toBytes(value), SecurityReviewsValue.class); 23 | 
assertTrue(value.equals(clone) && clone.equals(value)); 24 | assertEquals(value.hashCode(), clone.hashCode()); 25 | } 26 | } -------------------------------------------------------------------------------- /src/test/java/com/sap/oss/phosphor/fosstars/model/value/StringValueTest.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.model.value; 2 | 3 | import static org.junit.Assert.assertEquals; 4 | import static org.junit.Assert.assertTrue; 5 | 6 | import com.sap.oss.phosphor.fosstars.model.feature.StringFeature; 7 | import com.sap.oss.phosphor.fosstars.util.Json; 8 | import java.io.IOException; 9 | import org.junit.Test; 10 | 11 | public class StringValueTest { 12 | 13 | @Test 14 | public void serializationAndDeserialization() throws IOException { 15 | StringFeature feature = new StringFeature("test"); 16 | StringValue value = new StringValue(feature, "2.3.3"); 17 | StringValue clone = Json.read(Json.toBytes(value), StringValue.class); 18 | assertTrue(value.equals(clone) && clone.equals(value)); 19 | assertEquals(value.hashCode(), clone.hashCode()); 20 | } 21 | } -------------------------------------------------------------------------------- /src/test/java/com/sap/oss/phosphor/fosstars/model/weight/AbstractWeightTest.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.fosstars.model.weight; 2 | 3 | import static org.junit.Assert.assertEquals; 4 | 5 | import org.junit.Test; 6 | 7 | public class AbstractWeightTest { 8 | 9 | @Test 10 | public void equalBoundaries() { 11 | MutableWeight mutableWeight = new MutableWeight(0.3); 12 | ImmutableWeight immutableWeight = new ImmutableWeight(0.7); 13 | assertEquals(mutableWeight.boundaries(), immutableWeight.boundaries()); 14 | } 15 | } -------------------------------------------------------------------------------- /src/test/java/com/sap/oss/phosphor/fosstars/nvd/TestNVD.java: 
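--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.nvd;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.io.IOUtils;

/**
 * An in-memory {@link NVD} for tests. Nothing is downloaded: the stub serves only
 * the JSON files that were registered with one of the {@code add} methods.
 */
public class TestNVD extends NVD {

  // registered file name -> file content
  private final Map<String, byte[]> content = new HashMap<>();

  /**
   * Does nothing: the stub never touches the network.
   */
  @Override
  public void download() {
    // do nothing
  }

  /**
   * Returns the names of all registered files (in no particular order).
   */
  @Override
  public List<String> jsonFiles() {
    return new ArrayList<>(content.keySet());
  }

  /**
   * Opens a registered file.
   *
   * @param file The name of the file.
   * @return A stream over the registered content.
   * @throws IllegalArgumentException If nothing was registered under that name
   *                                  (instead of a NullPointerException from ByteArrayInputStream).
   */
  @Override
  InputStream open(String file) {
    byte[] bytes = content.get(file);
    if (bytes == null) {
      throw new IllegalArgumentException(String.format("Unknown file: %s", file));
    }
    return new ByteArrayInputStream(bytes);
  }

  /**
   * Registers a file by reading the whole stream into memory.
   *
   * @param file The name of the file.
   * @param is The content; the stream is not closed here.
   * @throws IOException If the stream can't be read.
   */
  public void add(String file, InputStream is) throws IOException {
    add(file, IOUtils.toByteArray(is));
  }

  /**
   * Registers a file; an existing file with the same name is replaced.
   *
   * @param file The name of the file.
   * @param bytes The content.
   */
  public void add(String file, byte[] bytes) {
    content.put(file, bytes);
  }
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/fosstars/util/SafeDeserializationTest.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.fosstars.util;

import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;

import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.sap.oss.phosphor.test.AnotherData;
import com.sap.oss.phosphor.test.Entity;
import java.io.IOException;
import org.junit.Test;

/**
 * Checks that polymorphic deserialization is restricted to an allow-list.
 * The {@code data} field of {@link Entity} is annotated with {@code @JsonTypeInfo(use = Id.CLASS)},
 * so the class to instantiate is taken from the payload; a class that has not been allowed
 * must be rejected by both the JSON and the YAML mapper, and accepted only after
 * {@link Deserialization#allow(String)} has been called for it.
 */
public class SafeDeserializationTest {

  @Test
  public void testWithProhibitedClass() throws IOException {
    Entity entity = new Entity(new AnotherData());

    // the same JSON bytes are fed to the YAML mapper as well: JSON is valid YAML
    byte[] bytes = Json.toBytes(entity);

    // AnotherData has not been allowed yet, so both mappers must refuse to instantiate it
    try {
      Json.mapper().readValue(bytes, Entity.class);
      fail("Deserialization should fail");
    } catch (InvalidTypeIdException e) {
      // ok
    }

    try {
      Yaml.mapper().readValue(bytes, Entity.class);
      fail("Deserialization should fail");
    } catch (InvalidTypeIdException e) {
      // ok
    }

    // NOTE(review): the allow-list change is not reverted at the end of the test. If
    // Deserialization keeps process-wide state (it looks like it), AnotherData stays allowed
    // for every test that runs later in the same JVM; confirm against Deserialization before
    // another test relies on AnotherData being rejected.
    Deserialization.allow(AnotherData.class.getCanonicalName());

    // once allowed, both mappers must produce an entity that actually carries an AnotherData
    assertCarriesAnotherData(Json.mapper().readValue(bytes, Entity.class));
    assertCarriesAnotherData(Yaml.mapper().readValue(bytes, Entity.class));
  }

  /**
   * Asserts that a deserialized entity holds an {@link AnotherData} instance.
   *
   * @param clone The deserialized entity.
   */
  private static void assertCarriesAnotherData(Entity clone) {
    assertNotNull(clone);
    assertTrue(clone.getData() instanceof AnotherData);
  }

}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/test/AnotherData.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.test;

/**
 * A test payload type that does not implement {@link Data}.
 */
public class AnotherData {

  public String string;
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/test/Data.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.test;

/**
 * An empty marker interface for test payload types.
 */
public interface Data {

}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/test/DoubleData.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.test;

/**
 * A test payload type that holds a double.
 */
public class DoubleData implements Data {

  public double number;
}
--------------------------------------------------------------------------------
/src/test/java/com/sap/oss/phosphor/test/Entity.java:
--------------------------------------------------------------------------------
package com.sap.oss.phosphor.test;

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.annotation.JsonTypeInfo.Id;

/**
 * A test holder whose {@code data} field is deserialized polymorphically.
 */
public class Entity {

  // Id.CLASS: the concrete class of the field is taken from the serialized payload,
  // which is why deserializing it has to be guarded by an allow-list.
  @JsonTypeInfo(use = Id.CLASS)
  private final Object data;

  @JsonCreator
  public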
Entity(@JsonProperty("data") Object data) { 15 | this.data = data; 16 | } 17 | 18 | public Object getData() { 19 | return data; 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /src/test/java/com/sap/oss/phosphor/test/IntegerData.java: -------------------------------------------------------------------------------- 1 | package com.sap.oss.phosphor.test; 2 | 3 | public class IntegerData implements Data { 4 | 5 | public int number; 6 | } 7 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/advice/AdviceContentStorageTest.yml: -------------------------------------------------------------------------------- 1 | --- 2 | Security review status (example): 3 | - advice: test1 4 | links: 5 | - name: link1 6 | url: https://test/1 7 | - name: link2 8 | url: https://test/2 9 | - advice: test2 10 | links: 11 | - name: link3 12 | url: https://test/3 13 | - name: link4 14 | url: https://test/4 15 | Static code analysis status (example): 16 | - advice: test3 17 | links: 18 | - name: link5 19 | url: https://test/5 20 | - name: link6 21 | url: https://test/6 22 | - advice: Advice with empty links 23 | links: [] 24 | - advice: Advice with no links -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/GradleCheckStyleWithNoHttp.gradle: -------------------------------------------------------------------------------- 1 | plugins { 2 | id "io.spring.nohttp" version "0.0.4.RELEASE" 3 | } 4 | 5 | repositories { 6 | mavenCentral() 7 | } -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/GradleCheckStyleWithoutNoHttp.gradle: -------------------------------------------------------------------------------- 1 | plugins { 2 | id "org.corp.something" version "0.0.4.RELEASE" 3 | } 4 | 5 | 
repositories { 6 | mavenCentral() 7 | } -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/GradleWithOwaspDependencyCheck.gradle: -------------------------------------------------------------------------------- 1 | buildscript { 2 | repositories { 3 | mavenCentral() 4 | } 5 | dependencies { 6 | classpath 'org.owasp:dependency-check-gradle:5.3.2' 7 | } 8 | } 9 | 10 | apply plugin: 'org.owasp.dependencycheck' 11 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/GradleWithOwaspDependencyCheckWithFailBuildOnAnyIssueFalse.gradle: -------------------------------------------------------------------------------- 1 | apply plugin: 'org.owasp.dependencycheck' 2 | 3 | dependencyCheck { 4 | failBuildOnAnyVulnerability = false 5 | } 6 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/GradleWithOwaspDependencyCheckWithFailBuildOnAnyIssueTrue.gradle: -------------------------------------------------------------------------------- 1 | apply plugin: 'org.owasp.dependencycheck' 2 | 3 | dependencyCheck { 4 | failBuildOnAnyVulnerability = true 5 | } 6 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/GradleWithOwaspDependencyCheckWithFailBuildOnCvss.gradle: -------------------------------------------------------------------------------- 1 | apply plugin: 'org.owasp.dependencycheck' 2 | 3 | dependencyCheck { 4 | failBuildOnCVSS = 5.3 5 | failOnError = true 6 | } 7 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/GradleWithOwaspSecurityTools.gradle: 
-------------------------------------------------------------------------------- 1 | buildscript { 2 | repositories { 3 | mavenCentral() 4 | } 5 | } 6 | 7 | dependencies { 8 | compile 'org.owasp.esapi:esapi:2.1.0' 9 | implementation "com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:1.2.3" 10 | runtime "org.owasp.encoder:encoder" 11 | } 12 | 13 | task test() { 14 | 15 | } 16 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/GradleWithoutOwaspDependencyCheck.gradle: -------------------------------------------------------------------------------- 1 | buildscript { 2 | repositories { 3 | mavenCentral() 4 | } 5 | dependencies { 6 | classpath 'org.owasp:another-plugin:1.0.0' 7 | } 8 | } 9 | 10 | apply plugin: 'org.owasp:another-plugin' 11 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/GradleWithoutOwaspSecurityTools.gradle: -------------------------------------------------------------------------------- 1 | buildscript { 2 | repositories { 3 | mavenCentral() 4 | } 5 | } 6 | 7 | dependencies { 8 | compile 'org.test:something-else' 9 | } 10 | 11 | task test() { 12 | 13 | } 14 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/LgtmProjectDoesNotExistReply.json: -------------------------------------------------------------------------------- 1 | { 2 | "code": 404, 3 | "error": "The project specified could not be found." 
4 | } 5 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/LgtmProjectInfoReply.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": 1234567, 3 | "url-identifier": "g/org/project", 4 | "name": "apache/nifi", 5 | "url": "https://lgtm.com/projects/g/org/project", 6 | "languages": [ 7 | { 8 | "language": "javascript", 9 | "status": "success", 10 | "alerts": 75, 11 | "lines": 51117, 12 | "commit-id": "aedccb8297cab014103df2a98803259334ceb15c", 13 | "commit-date": "2020-01-28T01:07:21.000+0000", 14 | "grade": "A" 15 | }, 16 | { 17 | "language": "python", 18 | "status": "success", 19 | "alerts": 1, 20 | "lines": 45, 21 | "commit-id": "aedccb8297cab014103df2a98803259334ceb15c", 22 | "commit-date": "2020-01-28T01:07:21.000+0000", 23 | "grade": "C" 24 | }, 25 | { 26 | "language": "java", 27 | "status": "success", 28 | "alerts": 411, 29 | "lines": 453269, 30 | "commit-id": "aedccb8297cab014103df2a98803259334ceb15c", 31 | "commit-date": "2020-01-28T01:07:21.000+0000", 32 | "grade": "C" 33 | } 34 | ] 35 | } 36 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/MavenPomWithMavenGPG.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | org.apache.maven.plugins 6 | maven-gpg-plugin 7 | 1.6 8 | 9 | 10 | sign-artifacts 11 | verify 12 | 13 | sign 14 | 15 | 16 | ${gpg.keyname} 17 | ${gpg.keyname} 18 | 19 | 20 | 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/MavenPomWithoutMavenGPG.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | org.apache.maven.plugins 6 | something-else 7 | 1.6 8 | 9 | 10 | 11 | 
-------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/MavenWithFindSecBugs.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | com.github.spotbugs 6 | spotbugs-maven-plugin 7 | 3.1.12 8 | 9 | Max 10 | Low 11 | true 12 | 13 | 14 | com.h3xstream.findsecbugs 15 | findsecbugs-plugin 16 | 1.9.0 17 | 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/MavenWithFindSecBugsInProfilesBuild.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | findsecbugs 5 | 6 | 7 | 8 | com.github.spotbugs 9 | spotbugs-maven-plugin 10 | 3.1.12 11 | 12 | Max 13 | Low 14 | true 15 | 16 | 17 | com.h3xstream.findsecbugs 18 | findsecbugs-plugin 19 | 1.9.0 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/MavenWithOwaspDependencyCheckInBuild.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | org.owasp 6 | dependency-check-maven 7 | 5.3.2 8 | 9 | 10 | 11 | check 12 | 13 | 14 | 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/MavenWithOwaspDependencyCheckInBuildPluginManagement.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | org.owasp 9 | dependency-check-maven 10 | 5.0.0-M2 11 | 12 | ALL 13 | true 14 | true 15 | false 16 | 17 | 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- 
/src/test/resources/com/sap/oss/phosphor/fosstars/data/github/MavenWithOwaspDependencyCheckInProfilesBuild.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | dependency-check 5 | 6 | 7 | 8 | org.owasp 9 | dependency-check-maven 10 | 5.3.2 11 | 12 | 24 13 | 7 14 | true 15 | true 16 | false 17 | true 18 | owasp-dependency-check-suppressions.xml 19 | 20 | 21 | 22 | 23 | check 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/MavenWithOwaspDependencyCheckInProfilesReporting.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | dependency-check 5 | 6 | 7 | 8 | org.owasp 9 | dependency-check-maven 10 | 5.3.2 11 | 12 | true 13 | 14 | 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/MavenWithOwaspDependencyCheckInReporting.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | org.owasp 6 | dependency-check-maven 7 | 5.3.2 8 | 9 | 1.3 10 | 11 | 12 | 13 | 14 | aggregate 15 | 16 | 17 | 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/MavenWithOwaspEsapiInDefaultDependencies.xml: -------------------------------------------------------------------------------- 1 | 5 | 4.0.0 6 | 7 | test 8 | test 9 | 0.1-SNAPSHOT 10 | 11 | 12 | 13 | org.owasp 14 | something 15 | 1.2 16 | 17 | 18 | org.owasp.esapi 19 | esapi 20 | 2.2.1.0 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/MavenWithOwaspEsapiInProfiledDependencies.xml: 
-------------------------------------------------------------------------------- 1 | 5 | 4.0.0 6 | 7 | test 8 | test 9 | 0.1-SNAPSHOT 10 | 11 | 12 | 13 | org.owasp 14 | something 15 | 2.2.1.0 16 | 17 | 18 | 19 | 20 | 21 | test 22 | 23 | 24 | org.owasp.esapi 25 | esapi 26 | 2.2.1.0 27 | 28 | 29 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/MavenWithOwaspJavaEncoderInDefaultDependencies.xml: -------------------------------------------------------------------------------- 1 | 5 | 4.0.0 6 | 7 | test 8 | test 9 | 0.1-SNAPSHOT 10 | 11 | 12 | 13 | org.owasp 14 | something 15 | 1.2 16 | 17 | 18 | org.owasp.encoder 19 | encoder 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/MavenWithOwaspJavaHtmlSanitizerInDefaultDependencies.xml: -------------------------------------------------------------------------------- 1 | 5 | 4.0.0 6 | 7 | test 8 | test 9 | 0.1-SNAPSHOT 10 | 11 | 12 | 13 | org.owasp 14 | something 15 | 1.2 16 | 17 | 18 | com.googlecode.owasp-java-html-sanitizer 19 | owasp-java-html-sanitizer 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/MavenWithoutFindSecBugs.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | com.github.spotbugs 6 | spotbugs-maven-plugin 7 | 3.1.12 8 | 9 | Max 10 | Low 11 | true 12 | 13 | 14 | com.something.else 15 | another-plugin 16 | 1.9.0 17 | 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/MavenWithoutOwaspDependencyCheck.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 
-------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/MavenWithoutOwaspEsapiDependency.xml: -------------------------------------------------------------------------------- 1 | 5 | 4.0.0 6 | 7 | test 8 | test 9 | 0.1-SNAPSHOT 10 | 11 | 12 | 13 | org.owasp 14 | something 15 | 2.2.1.0 16 | 17 | 18 | 19 | 20 | 21 | test 22 | 23 | 24 | 25 | 26 | 27 | 28 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/bandit-analysis-with-multiple-jobs.yml: -------------------------------------------------------------------------------- 1 | name: "Bandit" 2 | on: 3 | push: 4 | branches: [master] 5 | schedule: 6 | - cron: '0 13 * * 3' 7 | jobs: 8 | build: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v1 12 | 13 | - name: Use Python 14 | uses: actions/setup-python@v2 15 | with: 16 | python-version: '3.x' 17 | architecture: 'x64' 18 | bandit: 19 | steps: 20 | - run: | 21 | python -m pip install --upgrade pip 22 | pip install -r requirements.txt 23 | - run: | 24 | mkdir -p reports 25 | bandit --format json --output reports/bandit-report.json --recursive test -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/bandit-analysis-with-no-bandit-run-but-uses-bandit.yml: -------------------------------------------------------------------------------- 1 | name: "Bandit" 2 | on: 3 | push: 4 | branches: [master] 5 | pull_request: 6 | branches: [ master ] 7 | schedule: 8 | - cron: '0 13 * * 3' 9 | jobs: 10 | build: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - uses: actions/checkout@v1 14 | - name: Use Python 15 | uses: actions/setup-python@v2 16 | with: 17 | python-version: '3.x' 18 | architecture: 'x64' 19 | - name: Install bandit 20 | run: pip install bandit 21 | bandit: 22 | steps: 23 | - run: | 24 | 
python -m pip install --upgrade pip 25 | pip install -r requirements.txt 26 | - run: | 27 | mkdir -p reports -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/bandit-analysis-with-no-bandit-run.yml: -------------------------------------------------------------------------------- 1 | name: "Bandit" 2 | on: 3 | push: 4 | branches: [master] 5 | schedule: 6 | - cron: '0 13 * * 3' 7 | jobs: 8 | build: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v1 12 | - name: Use Python 13 | uses: actions/setup-python@v2 14 | with: 15 | python-version: '3.x' 16 | architecture: 'x64' 17 | - name: Install bandit 18 | run: pip install bandit 19 | bandit: 20 | steps: 21 | - run: | 22 | python -m pip install --upgrade pip 23 | pip install -r requirements.txt 24 | - run: | 25 | mkdir -p reports -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/bandit-analysis-with-run.yml: -------------------------------------------------------------------------------- 1 | name: "Bandit" 2 | on: 3 | push: 4 | branches: [master] 5 | pull_request: 6 | branches: [master] 7 | schedule: 8 | - cron: '0 13 * * 3' 9 | jobs: 10 | build: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - uses: actions/checkout@v1 14 | 15 | - name: Use Python 16 | uses: actions/setup-python@v2 17 | with: 18 | python-version: '3.x' 19 | architecture: 'x64' 20 | - name: Install dependencies 21 | run: | 22 | python -m pip install --upgrade pip 23 | pip install -r requirements.txt 24 | - name: Run Bandit (Python code checker) 25 | run: bandit -r . 
-f xml -o bandit.xml || true -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/codeql-analysis-with-pr.yml: -------------------------------------------------------------------------------- 1 | name: "CodeQL" 2 | 3 | on: 4 | push: 5 | branches: [master] 6 | pull_request: 7 | branches: [master] 8 | schedule: 9 | - cron: '0 13 * * 3' 10 | 11 | jobs: 12 | analyze: 13 | name: Analyze 14 | runs-on: ubuntu-latest 15 | 16 | strategy: 17 | fail-fast: false 18 | matrix: 19 | language: ['java', 'cpp' ] 20 | 21 | steps: 22 | - name: Checkout repository 23 | uses: actions/checkout@v2 24 | with: 25 | fetch-depth: 2 26 | 27 | - run: git checkout HEAD^2 28 | if: ${{ github.event_name == 'pull_request' }} 29 | 30 | - name: Initialize CodeQL 31 | uses: github/codeql-action/init@v1 32 | with: 33 | languages: ${{ matrix.language }} 34 | 35 | - run: ./mvnw clean package -DskipTests 36 | 37 | - name: Perform CodeQL Analysis 38 | uses: github/codeql-action/analyze@v1 39 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/codeql-analysis-without-pr.yml: -------------------------------------------------------------------------------- 1 | name: "CodeQL" 2 | 3 | on: 4 | schedule: 5 | - cron: '0 13 * * 3' 6 | 7 | jobs: 8 | analyze: 9 | name: Analyze 10 | runs-on: ubuntu-latest 11 | 12 | strategy: 13 | fail-fast: false 14 | matrix: 15 | language: ['java' ] 16 | 17 | steps: 18 | - name: Checkout repository 19 | uses: actions/checkout@v2 20 | with: 21 | fetch-depth: 2 22 | 23 | - run: git checkout HEAD^2 24 | if: ${{ github.event_name == 'pull_request' }} 25 | 26 | - name: Initialize CodeQL 27 | uses: github/codeql-action/init@v1 28 | with: 29 | languages: ${{ matrix.language }} 30 | 31 | - run: ./mvnw clean package -DskipTests 32 | 33 | - name: Perform CodeQL Analysis 34 | uses: github/codeql-action/analyze@v1 
35 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/gosec-analysis-run-with-exclude-rules.yml: -------------------------------------------------------------------------------- 1 | name: lint 2 | 3 | on: 4 | pull_request: 5 | push: 6 | branches: 7 | - main 8 | 9 | jobs: 10 | sec: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - 14 | name: Checkout 15 | uses: actions/checkout@v3 16 | - 17 | name: Set up Go 18 | uses: actions/setup-go@v3 19 | with: 20 | go-version: '1.17.7' 21 | - 22 | name: Run Gosec Security Scanner 23 | # https://github.com/securego/gosec/issues/469 24 | run: | 25 | export PATH=$PATH:$(go env GOPATH)/bin 26 | go install github.com/securego/gosec/v2/cmd/gosec@latest 27 | gosec -exclude=G104,G304,G402 -exclude-dir=crypto/bls/herumi ./... -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/gosec-analysis-run-with-include-rules.yml: -------------------------------------------------------------------------------- 1 | name: lint 2 | 3 | on: 4 | pull_request: 5 | push: 6 | branches: 7 | - main 8 | 9 | jobs: 10 | sec: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - 14 | name: Checkout 15 | uses: actions/checkout@v3 16 | - 17 | name: Set up Go 18 | uses: actions/setup-go@v3 19 | with: 20 | go-version: '1.17.7' 21 | - 22 | name: Run Gosec Security Scanner 23 | # https://github.com/securego/gosec/issues/469 24 | run: | 25 | export PATH=$PATH:$(go env GOPATH)/bin 26 | go install github.com/securego/gosec/v2/cmd/gosec@latest 27 | gosec -include=G104,G304,G402 -exclude-dir=crypto/bls/herumi ./... 
-------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/gosec-analysis-run-without-rules.yml: -------------------------------------------------------------------------------- 1 | name: lint 2 | 3 | on: 4 | pull_request: 5 | push: 6 | branches: 7 | - main 8 | 9 | jobs: 10 | sec: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - 14 | name: Checkout 15 | uses: actions/checkout@v3 16 | - 17 | name: Set up Go 18 | uses: actions/setup-go@v3 19 | with: 20 | go-version: '1.17.7' 21 | - 22 | name: Run Gosec Security Scanner 23 | # https://github.com/securego/gosec/issues/469 24 | run: | 25 | export PATH=$PATH:$(go env GOPATH)/bin 26 | go install github.com/securego/gosec/v2/cmd/gosec@latest 27 | gosec -exclude-dir=crypto/bls/herumi ./... -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/gosec-analysis-uses-without-with-key.yml: -------------------------------------------------------------------------------- 1 | on: [push, pull_request] 2 | name: Security 3 | jobs: 4 | Gosec: 5 | runs-on: ubuntu-latest 6 | steps: 7 | - name: Fetch Repository 8 | uses: actions/checkout@v3 9 | - name: Run Gosec 10 | uses: securego/gosec@master -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/gosec-analysis-with-multiple-jobs.yml: -------------------------------------------------------------------------------- 1 | name: Security 2 | on: 3 | push: 4 | branches: 5 | - master 6 | pull_request: 7 | jobs: 8 | test: 9 | strategy: 10 | matrix: 11 | go-version: [1.19.x] 12 | platform: [ubuntu-latest] 13 | runs-on: ${{ matrix.platform }} 14 | env: 15 | GO111MODULE: on 16 | steps: 17 | - uses: actions/checkout@v2 18 | - name: Run Gosec Security Scanner 19 | uses: securego/gosec@v2.12.0 20 | with: 21 | args: '-exclude=G104,G304,G402 ./...' 
-------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/gosec-analysis-with-no-gosec-run.yml: -------------------------------------------------------------------------------- 1 | name: Security 2 | on: 3 | push: 4 | branches: 5 | - master 6 | pull_request: 7 | jobs: 8 | test: 9 | strategy: 10 | matrix: 11 | go-version: [1.19.x] 12 | platform: [ubuntu-latest] 13 | runs-on: ${{ matrix.platform }} 14 | env: 15 | GO111MODULE: on 16 | steps: 17 | - uses: actions/checkout@v2 18 | - name: Run dummy Security Scanner 19 | uses: dummy/gosec@v2.12.0 20 | with: 21 | args: '-exclude=G104,G304,G402 ./...' -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/gosec-analysis-with-rules-in-different-step.yml: -------------------------------------------------------------------------------- 1 | on: [push] 2 | name: Security 3 | jobs: 4 | Gosec: 5 | runs-on: ubuntu-latest 6 | steps: 7 | - name: Fetch Repository 8 | uses: actions/checkout@v3 9 | - name: Run Gosec 10 | uses: securego/gosec@master 11 | with: 12 | args: -exclude-dir=internal/*/ ./... 13 | - name: Run dummy Security Scanner 14 | uses: dummy/gosec@v2.12.0 15 | with: 16 | args: '-exclude=G104,G304,G402 ./...' 
-------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/gosec-analysis-with-run.yml: -------------------------------------------------------------------------------- 1 | name: lint 2 | 3 | on: 4 | pull_request: 5 | push: 6 | branches: 7 | - main 8 | 9 | jobs: 10 | sec: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - 14 | name: Checkout 15 | uses: actions/checkout@v3 16 | - 17 | name: Set up Go 18 | uses: actions/setup-go@v3 19 | with: 20 | go-version: '1.17.7' 21 | - 22 | name: Run Gosec Security Scanner 23 | # https://github.com/securego/gosec/issues/469 24 | run: | 25 | export PATH=$PATH:$(go env GOPATH)/bin 26 | go install github.com/securego/gosec/v2/cmd/gosec@latest 27 | gosec ./... -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/gosec-analysis-with-uses.yml: -------------------------------------------------------------------------------- 1 | on: [push, pull_request] 2 | name: Security 3 | jobs: 4 | Gosec: 5 | runs-on: ubuntu-latest 6 | steps: 7 | - name: Fetch Repository 8 | uses: actions/checkout@v3 9 | - name: Run Gosec 10 | uses: securego/gosec@master 11 | with: 12 | args: -exclude-dir=internal/*/ ./... 
-------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/mypy-analysis-with-prospector.yml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: https://github.com/PyCQA/prospector 3 | rev: 1.7.5 4 | hooks: 5 | - id: prospector 6 | additional_dependencies: 7 | - ".[with_pylint,with_mypy]" -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/mypy-analysis-with-run.yml: -------------------------------------------------------------------------------- 1 | name: "Mypy" 2 | on: 3 | push: 4 | branches: [master] 5 | pull_request: 6 | branches: [master] 7 | schedule: 8 | - cron: '0 13 * * 3' 9 | jobs: 10 | mypy: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - name: Setup Python 14 | uses: actions/setup-python@v1 15 | with: 16 | python-version: 3.7.4 17 | architecture: x64 18 | - name: Checkout 19 | uses: actions/checkout@v1 20 | - name: Install mypy 21 | run: pip install mypy 22 | - name: Run mypy 23 | uses: sasanquaneuf/mypy-github-action@releases/v1 24 | with: 25 | checkName: 'mypy' # NOTE: this needs to be the same as the job name 26 | env: 27 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/no-codeql-analysis.yml: -------------------------------------------------------------------------------- 1 | name: "Build" 2 | 3 | on: 4 | push: 5 | branches: [master] 6 | pull_request: 7 | branches: [master] 8 | schedule: 9 | - cron: '0 13 * * 3' 10 | 11 | jobs: 12 | analyze: 13 | name: Analyze 14 | runs-on: ubuntu-latest 15 | 16 | strategy: 17 | fail-fast: false 18 | matrix: 19 | language: ['java', 'cpp' ] 20 | 21 | steps: 22 | - name: Checkout repository 23 | uses: actions/checkout@v2 24 | with: 25 | fetch-depth: 2 26 | 27 
| - run: ./mvnw clean package -DskipTests 28 | 29 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/pylint-analysis-as-pre-commit-hook.yml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: https://github.com/pycqa/pylint 3 | rev: pylint-2.6.0 4 | hooks: 5 | - id: pylint 6 | name: pylint 7 | entry: pylint 8 | language: system 9 | types: [python] 10 | args: 11 | [ 12 | "-rn", # Only display messages 13 | "-sn", # Don't display the score 14 | ] -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/pylint-analysis-no-pylint-hook.yml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: https://github.com/pycqa/test 3 | rev: test-2.6.0 4 | hooks: 5 | - id: test 6 | name: test 7 | entry: test 8 | language: system 9 | types: [python] 10 | args: 11 | [ 12 | "-rn", # Only display messages 13 | "-sn", # Don't display the score 14 | ] -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/pylint-analysis-with-multiple-jobs.yml: -------------------------------------------------------------------------------- 1 | name: "Pylint" 2 | on: 3 | push: 4 | branches: [master] 5 | schedule: 6 | - cron: '0 13 * * 3' 7 | jobs: 8 | build: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v1 12 | 13 | - name: Use Python 14 | uses: actions/setup-python@v2 15 | with: 16 | python-version: '3.x' 17 | architecture: 'x64' 18 | bandit: 19 | steps: 20 | - run: | 21 | python -m pip install --upgrade pip 22 | pip install -r requirements.txt 23 | - run: | 24 | mkdir -p reports 25 | pylint -rn -d unused-variable fileName.py -------------------------------------------------------------------------------- 
/src/test/resources/com/sap/oss/phosphor/fosstars/data/github/pylint-analysis-with-no-pylint-run-but-uses-pylint.yml: -------------------------------------------------------------------------------- 1 | name: "Pylint" 2 | on: 3 | push: 4 | branches: [master] 5 | pull_request: 6 | branches: [ master ] 7 | schedule: 8 | - cron: '0 13 * * 3' 9 | jobs: 10 | build: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - uses: actions/checkout@v1 14 | - name: Use Python 15 | uses: actions/setup-python@v2 16 | with: 17 | python-version: '3.x' 18 | architecture: 'x64' 19 | - name: Install pylint 20 | run: pip install pylint 21 | bandit: 22 | steps: 23 | - run: | 24 | python -m pip install --upgrade pip 25 | pip install -r requirements.txt 26 | - run: | 27 | mkdir -p reports -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/pylint-analysis-with-no-pylint-run.yml: -------------------------------------------------------------------------------- 1 | name: "Pylint" 2 | on: 3 | push: 4 | branches: [master] 5 | schedule: 6 | - cron: '0 13 * * 3' 7 | jobs: 8 | build: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v1 12 | - name: Use Python 13 | uses: actions/setup-python@v2 14 | with: 15 | python-version: '3.x' 16 | architecture: 'x64' 17 | - name: Install pylint 18 | run: pip install pylint 19 | bandit: 20 | steps: 21 | - run: | 22 | python -m pip install --upgrade pip 23 | pip install -r requirements.txt 24 | - run: | 25 | mkdir -p reports -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/pylint-analysis-with-prospector.yml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: https://github.com/PyCQA/prospector 3 | rev: 1.7.5 4 | hooks: 5 | - id: prospector 6 | additional_dependencies: 7 | - ".[with_pylint,with_bandit]" 
-------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/pylint-analysis-with-pylint-in-entry.yml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: https://github.com/pycqa/test 3 | rev: test-2.6.0 4 | hooks: 5 | - id: test 6 | name: test 7 | entry: pylint 8 | language: system 9 | types: [python] 10 | args: 11 | [ 12 | "-rn", # Only display messages 13 | "-sn", # Don't display the score 14 | ] -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/pylint-analysis-with-pylint-in-repo.yml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: https://github.com/pycqa/pylint 3 | rev: 2.6.0 4 | hooks: 5 | - id: test 6 | name: test 7 | entry: test 8 | language: system 9 | types: [python] 10 | args: 11 | [ 12 | "-rn", # Only display messages 13 | "-sn", # Don't display the score 14 | ] -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/pylint-analysis-with-pylint-in-rev.yml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: https://github.com/pycqa/test 3 | rev: pylint-2.6.0 4 | hooks: 5 | - id: test 6 | name: test 7 | entry: test 8 | language: system 9 | types: [python] 10 | args: 11 | [ 12 | "-rn", # Only display messages 13 | "-sn", # Don't display the score 14 | ] -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/data/github/pylint-analysis-with-run.yml: -------------------------------------------------------------------------------- 1 | name: "Pylint" 2 | on: 3 | push: 4 | branches: [master] 5 | pull_request: 6 | branches: [master] 7 | schedule: 8 | - cron: '0 13 * * 3' 
9 | jobs: 10 | build: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - uses: actions/checkout@v1 14 | 15 | - name: Use Python 16 | uses: actions/setup-python@v2 17 | with: 18 | python-version: '3.x' 19 | architecture: 'x64' 20 | - name: Install dependencies 21 | run: | 22 | python -m pip install --upgrade pip 23 | pip install -r requirements.txt 24 | - name: Run Pylint (Python code checker) 25 | run: pylint -r . -f xml -o pylint.xml || true -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/maven/PomWithDependencies.xml: -------------------------------------------------------------------------------- 1 | 5 | 4.0.0 6 | 7 | sample 8 | test 9 | 0.1-SNAPSHOT 10 | 11 | 12 | 13 | test.group 14 | dependency-in-default-section 15 | 16 | 17 | 18 | 19 | 20 | test 21 | 22 | 23 | test.group 24 | dependency-in-profile 25 | 26 | 27 | 28 | 29 | 30 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/tool/NoOrganizationsProjectFinderConfig.yml: -------------------------------------------------------------------------------- 1 | # this is a test configuration for the ConfigParser class 2 | repositories: 3 | - organization: FasterXML 4 | name: jackson-databind 5 | - organization: FasterXML 6 | name: jackson-dataformat-xml 7 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/tool/ValidProjectFinderConfig.yml: -------------------------------------------------------------------------------- 1 | # this is a test configuration for the ConfigParser class 2 | organizations: 3 | - name: apache 4 | stars: 100 5 | exclude: 6 | - incubator 7 | - incubating 8 | - name: eclipse 9 | exclude: 10 | - incubator 11 | - name: spring-projects 12 | repositories: 13 | - organization: FasterXML 14 | name: jackson-databind 15 | - organization: FasterXML 16 | name: 
jackson-dataformat-xml 17 | -------------------------------------------------------------------------------- /src/test/resources/com/sap/oss/phosphor/fosstars/tool/ValidSecurityRatingCalculatorConfig.yml: -------------------------------------------------------------------------------- 1 | # this is a test configuration for the SecurityRatingCalculator class 2 | cache: .fosstars/project_rating_cache.json 3 | reports: 4 | - type: markdown 5 | where: .fosstars/report 6 | source: .fosstars/report/github_projects.json 7 | - type: json 8 | where: .fosstars/report/github_projects.json 9 | finder: 10 | organizations: 11 | - name: apache 12 | exclude: 13 | - incubator 14 | - incubating 15 | - name: eclipse 16 | exclude: 17 | - incubator 18 | - name: spring-projects 19 | repositories: 20 | - organization: FasterXML 21 | name: jackson-databind 22 | - organization: FasterXML 23 | name: jackson-dataformat-xml 24 | -------------------------------------------------------------------------------- /src/test/shell/tool/github/CodeOfConductGuidelineInfo.config.yml: -------------------------------------------------------------------------------- 1 | --- 2 | requiredContentPatterns: 3 | - "Contributor Covenant" -------------------------------------------------------------------------------- /src/test/shell/tool/github/ContributingGuidelineInfo.config.yml: -------------------------------------------------------------------------------- 1 | --- 2 | requiredContentPatterns: 3 | - "Developer Certificate of Origin" 4 | - "(?!Contributor(\\s+)License(\\s+)Agreement)" -------------------------------------------------------------------------------- /src/test/shell/tool/github/LicenseInfo.config.yml: -------------------------------------------------------------------------------- 1 | --- 2 | allowedLicensePatterns: "Apache(\\s+)License(\\s+)Version(\\s+)2\\.0" 3 | disallowedLicensePatterns: "This(\\s+)project(\\s+)may(\\s+)include(\\s+)APIs(\\s+)to(\\s+)SAP" 
-------------------------------------------------------------------------------- /src/test/shell/tool/github/README.md: -------------------------------------------------------------------------------- 1 | # Test suite for the command-line tool 2 | 3 | The test suite contains a number of shell-based tests 4 | to make sure that the command-line tool works as expected. 5 | 6 | Setup: 7 | 8 | 1. Build the project with the `mvn clean package` command. 9 | 1. Get a token for GitHub. 10 | You can create your personal token [here](https://github.com/settings/tokens). The tests only read public repositories, so a token without write scopes should be enough; never commit the token. Note that the test scripts pass it to the tool as a `--token` command-line argument, so it is visible to other users on the same machine in the process list, and the tool's verbose output is captured in `tmp.log` and printed to the console, so check those logs before sharing them. 11 | 12 | Then, you can run the tests: 13 | 14 | ``` 15 | TOKEN=xyz # put your token for GitHub 16 | export TOKEN 17 | bash src/test/shell/tool/github/run_tests.sh 18 | ``` 19 | 20 | The tests talk to the live GitHub API, so they need network access to github.com. Logs are going to be available in `src/test/shell/tool/github`. 21 | 22 | You can also run a single test, for example: 23 | 24 | ``` 25 | bash src/test/shell/tool/github/run_tests.sh test_project_security_with_single_project.sh 26 | ``` 27 | -------------------------------------------------------------------------------- /src/test/shell/tool/github/test_anonymous_connection.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "The test is disabled since the tool may hang when an anonymous connection is used" 4 | exit 70 5 | 6 | JAVA="java" 7 | if [ "$JAVA_HOME" != "" ]; then 8 | JAVA="$JAVA_HOME/bin/java" 9 | fi 10 | 11 | JAR=${JAR:-"target/fosstars-github-rating-calc.jar"} 12 | 13 | # check if the tool works with an anonymous connection 14 | $JAVA -jar -Xms6000M -Xmx6000M $JAR \ 15 | --url https://github.com/apache/poi 2>&1 | tee tmp.log 16 | 17 | grep "Rating" tmp.log > /dev/null 2>&1 || exit 1 18 | grep "Confidence" tmp.log > /dev/null 2>&1 || exit 1 19 | grep "Sub-score" tmp.log > /dev/null 2>&1 || exit 1 20 | grep "Value" tmp.log > /dev/null 2>&1 || exit 1 21 | grep "Importance" tmp.log > /dev/null 2>&1 || exit 1 22 | grep "https://github.com/apache/poi" tmp.log > /dev/null 2>&1 || 
exit 1 23 | 24 | rm tmp.log 25 | -------------------------------------------------------------------------------- /src/test/shell/tool/github/test_artifact_security_with_gav.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | TOKEN_OPTION="" 4 | if [ "$TOKEN" != "" ]; then 5 | TOKEN_OPTION="--token $TOKEN" 6 | fi 7 | 8 | JAVA="java" 9 | if [ "$JAVA_HOME" != "" ]; then 10 | JAVA="$JAVA_HOME/bin/java" 11 | fi 12 | 13 | JAR=${JAR:-"target/fosstars-github-rating-calc.jar"} 14 | 15 | source lib.sh 16 | 17 | clean_cache 18 | 19 | $JAVA -jar -Xms6000M -Xmx6000M $JAR \ 20 | --rating oss-artifact-security \ 21 | --gav org.apache.poi:poi:5.0.0 \ 22 | --verbose \ 23 | $TOKEN_OPTION > tmp.log 2>&1 24 | 25 | if [ $? -ne 0 ]; then 26 | cat tmp.log 27 | echo "Unexpected exit code" 28 | exit 1 29 | fi 30 | 31 | cat tmp.log 32 | 33 | check_expected_output "${artifact_security_default_expected_strings[@]}" | tee | grep Failed 34 | if [ $? -eq 0 ]; then 35 | echo "check_expected_output() failed" 36 | exit 1 37 | fi 38 | 39 | declare -a expected_strings=( 40 | 'pkg:maven/org.apache.poi/poi@5.0.0' 41 | 'Does it belong to Apache?' 42 | 'Does it belong to Eclipse? No' 43 | ) 44 | 45 | check_expected_output "${expected_strings[@]}" | tee | grep Failed 46 | if [ $? 
-eq 0 ]; then 47 | echo "check_expected_output() failed" 48 | exit 1 49 | fi 50 | 51 | if grep Exception tmp.log > /dev/null 2>&1 ; then 52 | echo "Exceptions found" 53 | exit 1 54 | fi 55 | -------------------------------------------------------------------------------- /src/test/shell/tool/github/test_artifact_security_with_npm.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | TOKEN_OPTION="" 4 | if [ "$TOKEN" != "" ]; then 5 | TOKEN_OPTION="--token $TOKEN" 6 | fi 7 | 8 | JAVA="java" 9 | if [ "$JAVA_HOME" != "" ]; then 10 | JAVA="$JAVA_HOME/bin/java" 11 | fi 12 | 13 | JAR=${JAR:-"target/fosstars-github-rating-calc.jar"} 14 | 15 | source lib.sh 16 | 17 | clean_cache 18 | 19 | $JAVA -jar -Xms6000M -Xmx6000M $JAR \ 20 | --rating oss-artifact-security \ 21 | --npm jquery@3.6.0 \ 22 | --verbose \ 23 | $TOKEN_OPTION > tmp.log 2>&1 24 | 25 | if [ $? -ne 0 ]; then 26 | cat tmp.log 27 | echo "Unexpected exit code" 28 | exit 1 29 | fi 30 | 31 | cat tmp.log 32 | 33 | check_expected_output "${artifact_security_default_expected_strings[@]}" | tee | grep Failed 34 | if [ $? -eq 0 ]; then 35 | echo "check_expected_output() failed" 36 | exit 1 37 | fi 38 | 39 | declare -a expected_strings=( 40 | 'pkg:npm/jquery@3.6.0' 41 | ) 42 | 43 | check_expected_output "${expected_strings[@]}" | tee | grep Failed 44 | if [ $? 
-eq 0 ]; then 45 | echo "check_expected_output() failed" 46 | exit 1 47 | fi 48 | 49 | if grep Exception tmp.log > /dev/null 2>&1 ; then 50 | echo "Exceptions found" 51 | exit 1 52 | fi 53 | -------------------------------------------------------------------------------- /src/test/shell/tool/github/test_artifact_security_with_purl.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | TOKEN_OPTION="" 4 | if [ "$TOKEN" != "" ]; then 5 | TOKEN_OPTION="--token $TOKEN" 6 | fi 7 | 8 | JAVA="java" 9 | if [ "$JAVA_HOME" != "" ]; then 10 | JAVA="$JAVA_HOME/bin/java" 11 | fi 12 | 13 | JAR=${JAR:-"target/fosstars-github-rating-calc.jar"} 14 | 15 | source lib.sh 16 | 17 | clean_cache 18 | 19 | $JAVA -jar -Xms6000M -Xmx6000M $JAR \ 20 | --rating oss-artifact-security \ 21 | --purl pkg:npm/jquery@3.6.0 \ 22 | --verbose \ 23 | $TOKEN_OPTION > tmp.log 2>&1 24 | 25 | if [ $? -ne 0 ]; then 26 | cat tmp.log 27 | echo "Unexpected exit code" 28 | exit 1 29 | fi 30 | 31 | cat tmp.log 32 | 33 | check_expected_output "${artifact_security_default_expected_strings[@]}" | tee | grep Failed 34 | if [ $? -eq 0 ]; then 35 | echo "check_expected_output() failed" 36 | exit 1 37 | fi 38 | 39 | declare -a expected_strings=( 40 | 'pkg:npm/jquery@3.6.0' 41 | ) 42 | 43 | check_expected_output "${expected_strings[@]}" | tee | grep Failed 44 | if [ $? 
-eq 0 ]; then 45 | echo "check_expected_output() failed" 46 | exit 1 47 | fi 48 | 49 | if grep Exception tmp.log > /dev/null 2>&1 ; then 50 | echo "Exceptions found" 51 | exit 1 52 | fi 53 | -------------------------------------------------------------------------------- /src/test/shell/tool/github/test_both_url_and_config.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | TOKEN_OPTION="" 4 | if [ "$TOKEN" != "" ]; then 5 | TOKEN_OPTION="--token $TOKEN" 6 | fi 7 | 8 | JAVA="java" 9 | if [ "$JAVA_HOME" != "" ]; then 10 | JAVA="$JAVA_HOME/bin/java" 11 | fi 12 | 13 | JAR=${JAR:-"target/fosstars-github-rating-calc.jar"} 14 | 15 | # check if --url and --config can't be used together 16 | $JAVA -jar -Xms6000M -Xmx6000M $JAR \ 17 | --url https://github.com/apache/poi \ 18 | --config test_config.yml \ 19 | $TOKEN_OPTION 20 | 21 | if [ $? -eq 0 ]; then 22 | exit 1 23 | fi 24 | -------------------------------------------------------------------------------- /src/test/shell/tool/github/test_help.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | JAVA="java" 4 | if [ "$JAVA_HOME" != "" ]; then 5 | JAVA="$JAVA_HOME/bin/java" 6 | fi 7 | 8 | JAR=${JAR:-"target/fosstars-github-rating-calc.jar"} 9 | 10 | # check if the usage message is printed out 11 | $JAVA -jar $JAR -h | grep -i "usage" || exit 1 12 | $JAVA -jar $JAR --help | grep -i "usage" || exit 1 13 | -------------------------------------------------------------------------------- /src/test/shell/tool/github/test_oss_rop_config.yml: -------------------------------------------------------------------------------- 1 | cache: .fosstars/project_rating_cache.json 2 | reports: 3 | - type: markdown 4 | where: .fosstars/report/ 5 | finder: 6 | repositories: 7 | - organization: SAP 8 | name: fosstars-rating-core 9 | - organization: SAP 10 | name: openui5 
-------------------------------------------------------------------------------- /src/test/shell/tool/github/test_project_security_with_gav.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | TOKEN_OPTION="" 4 | if [ "$TOKEN" != "" ]; then 5 | TOKEN_OPTION="--token $TOKEN" 6 | fi 7 | 8 | JAVA="java" 9 | if [ "$JAVA_HOME" != "" ]; then 10 | JAVA="$JAVA_HOME/bin/java" 11 | fi 12 | 13 | JAR=${JAR:-"target/fosstars-github-rating-calc.jar"} 14 | 15 | source lib.sh 16 | 17 | clean_cache 18 | 19 | $JAVA -jar -Xms6000M -Xmx6000M $JAR \ 20 | --gav org.apache.poi:poi --verbose \ 21 | $TOKEN_OPTION > tmp.log 2>&1 22 | 23 | if [ $? -ne 0 ]; then 24 | cat tmp.log 25 | echo "Unexpected exit code" 26 | exit 1 27 | fi 28 | 29 | cat tmp.log 30 | 31 | check_expected_output "${project_security_default_expected_strings[@]}" | tee | grep Failed 32 | if [ $? -eq 0 ]; then 33 | echo "check_expected_output() failed" 34 | exit 1 35 | fi 36 | 37 | declare -a expected_strings=( 38 | 'https://github.com/apache/poi' 39 | 'Does it belong to Apache? Yes' 40 | 'Does it belong to Eclipse? No' 41 | ) 42 | 43 | check_expected_output "${expected_strings[@]}" | tee | grep Failed 44 | if [ $? 
-eq 0 ]; then 45 | echo "check_expected_output() failed" 46 | exit 1 47 | fi 48 | 49 | if grep Exception tmp.log > /dev/null 2>&1 ; then 50 | echo "Exceptions found" 51 | exit 1 52 | fi 53 | -------------------------------------------------------------------------------- /src/test/shell/tool/github/test_project_security_with_npm.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | TOKEN_OPTION="" 4 | if [ "$TOKEN" != "" ]; then 5 | TOKEN_OPTION="--token $TOKEN" 6 | fi 7 | 8 | JAVA="java" 9 | if [ "$JAVA_HOME" != "" ]; then 10 | JAVA="$JAVA_HOME/bin/java" 11 | fi 12 | 13 | JAR=${JAR:-"target/fosstars-github-rating-calc.jar"} 14 | 15 | source lib.sh 16 | 17 | clean_cache 18 | 19 | $JAVA -jar -Xms6000M -Xmx6000M $JAR \ 20 | --npm jquery --verbose \ 21 | $TOKEN_OPTION > tmp.log 2>&1 22 | 23 | if [ $? -ne 0 ]; then 24 | cat tmp.log 25 | echo "Unexpected exit code" 26 | exit 1 27 | fi 28 | 29 | cat tmp.log 30 | 31 | check_expected_output "${project_security_default_expected_strings[@]}" | tee | grep Failed 32 | if [ $? -eq 0 ]; then 33 | echo "check_expected_output() failed" 34 | exit 1 35 | fi 36 | 37 | declare -a expected_strings=( 38 | 'https://github.com/jquery/jquery' 39 | ) 40 | 41 | check_expected_output "${expected_strings[@]}" | tee | grep Failed 42 | if [ $? 
-eq 0 ]; then 43 | echo "check_expected_output() failed" 44 | exit 1 45 | fi 46 | 47 | if grep Exception tmp.log > /dev/null 2>&1 ; then 48 | echo "Exceptions found" 49 | exit 1 50 | fi 51 | -------------------------------------------------------------------------------- /src/test/shell/tool/github/test_project_security_with_pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | com.test 8 | test 9 | 1.2.3-SNAPSHOT 10 | jar 11 | 12 | 13 | 2.12.4 14 | 1.132 15 | 16 | 17 | 18 | 19 | com.fasterxml.jackson.core 20 | jackson-databind 21 | ${version.jackson} 22 | 23 | 24 | org.kohsuke 25 | github-api 26 | ${version.github-api} 27 | 28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /src/test/shell/tool/github/test_project_security_with_purl.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | TOKEN_OPTION="" 4 | if [ "$TOKEN" != "" ]; then 5 | TOKEN_OPTION="--token $TOKEN" 6 | fi 7 | 8 | JAVA="java" 9 | if [ "$JAVA_HOME" != "" ]; then 10 | JAVA="$JAVA_HOME/bin/java" 11 | fi 12 | 13 | JAR=${JAR:-"target/fosstars-github-rating-calc.jar"} 14 | 15 | source lib.sh 16 | 17 | clean_cache 18 | 19 | $JAVA -jar -Xms6000M -Xmx6000M $JAR \ 20 | --purl pkg:maven/org.apache.poi/poi --verbose \ 21 | $TOKEN_OPTION > tmp.log 2>&1 22 | 23 | if [ $? -ne 0 ]; then 24 | cat tmp.log 25 | echo "Unexpected exit code" 26 | exit 1 27 | fi 28 | 29 | cat tmp.log 30 | 31 | check_expected_output "${project_security_default_expected_strings[@]}" | tee | grep Failed 32 | if [ $? -eq 0 ]; then 33 | echo "check_expected_output() failed" 34 | exit 1 35 | fi 36 | 37 | declare -a expected_strings=( 38 | 'https://github.com/apache/poi' 39 | 'Does it belong to Apache? Yes' 40 | 'Does it belong to Eclipse? No' 41 | ) 42 | 43 | check_expected_output "${expected_strings[@]}" | tee | grep Failed 44 | if [ $? 
-eq 0 ]; then 45 | echo "check_expected_output() failed" 46 | exit 1 47 | fi 48 | 49 | if grep Exception tmp.log > /dev/null 2>&1 ; then 50 | echo "Exceptions found" 51 | exit 1 52 | fi 53 | -------------------------------------------------------------------------------- /src/test/shell/tool/github/test_project_security_with_scm.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | TOKEN_OPTION="" 4 | if [ "$TOKEN" != "" ]; then 5 | TOKEN_OPTION="--token $TOKEN" 6 | fi 7 | 8 | JAVA="java" 9 | if [ "$JAVA_HOME" != "" ]; then 10 | JAVA="$JAVA_HOME/bin/java" 11 | fi 12 | 13 | JAR=${JAR:-"target/fosstars-github-rating-calc.jar"} 14 | 15 | source lib.sh 16 | 17 | clean_cache 18 | 19 | $JAVA -jar -Xms6000M -Xmx6000M $JAR \ 20 | --url https://github.com/apache/poi --verbose \ 21 | $TOKEN_OPTION > tmp.log 2>&1 22 | 23 | if [ $? -ne 0 ]; then 24 | cat tmp.log 25 | echo "Unexpected exit code" 26 | exit 1 27 | fi 28 | 29 | cat tmp.log 30 | 31 | check_expected_output "${project_security_default_expected_strings[@]}" | tee | grep Failed 32 | if [ $? -eq 0 ]; then 33 | echo "check_expected_output() failed" 34 | exit 1 35 | fi 36 | 37 | declare -a expected_strings=( 38 | 'https://github.com/apache/poi' 39 | 'Does it belong to Apache? Yes' 40 | 'Does it belong to Eclipse? No' 41 | ) 42 | 43 | check_expected_output "${expected_strings[@]}" | tee | grep Failed 44 | if [ $? 
-eq 0 ]; then 45 | echo "check_expected_output() failed" 46 | exit 1 47 | fi 48 | 49 | if grep Exception tmp.log > /dev/null 2>&1 ; then 50 | echo "Exceptions found" 51 | exit 1 52 | fi 53 | -------------------------------------------------------------------------------- /src/test/shell/tool/github/test_security_config.yml: -------------------------------------------------------------------------------- 1 | # this is a test configuration 2 | cache: .fosstars/project_rating_cache.json 3 | reports: 4 | - type: markdown 5 | where: .fosstars/report 6 | source: .fosstars/report/github_projects.json 7 | - type: json 8 | where: .fosstars/report/github_projects.json 9 | finder: 10 | repositories: 11 | - organization: FasterXML 12 | name: jackson-databind 13 | - organization: netty 14 | name: netty --------------------------------------------------------------------------------