Remove self-assessment check (#1339)

Signed-off-by: Sergio Castaño Arteaga <[email protected]>
cncf · Nov 14, 2023 · 1e97959 · 1e97959
1 parent 457a936
commit 1e97959
Show file tree

Hide file tree

Showing 17 changed files with 13 additions and 104 deletions.
diff --git a/clomonitor-apiserver/src/router.rs b/clomonitor-apiserver/src/router.rs
@@ -654,7 +654,6 @@ mod tests {
                             sbom: Some(CheckOutput::passed()),
                             security_insights: Some(CheckOutput::passed()),
                             security_policy: Some(CheckOutput::passed()),
-                            self_assessment: Some(CheckOutput::passed()),
                             signed_releases: Some(CheckOutput::passed()),
                             token_permissions: Some(CheckOutput::passed()),
                         },

diff --git a/clomonitor-apiserver/src/testdata/repository-report.golden.md b/clomonitor-apiserver/src/testdata/repository-report.golden.md
@@ -61,7 +61,6 @@
   - [x] Software bill of materials (SBOM) ([_docs_](https://clomonitor.io/docs/topics/checks/#software-bill-of-materials-sbom))
   - [x] Security insights ([_docs_](https://clomonitor.io/docs/topics/checks/#security-insights))
   - [x] Security policy ([_docs_](https://clomonitor.io/docs/topics/checks/#security-policy))
-  - [x] Self-Assessment ([_docs_](https://clomonitor.io/docs/topics/checks/#self-assessment))
   - [x] Signed releases ([_docs_](https://clomonitor.io/docs/topics/checks/#signed-releases-from-openssf-scorecard))
   - [x] Token permissions ([_docs_](https://clomonitor.io/docs/topics/checks/#token-permissions-from-openssf-scorecard))
 

diff --git a/clomonitor-apiserver/templates/repository-report.md b/clomonitor-apiserver/templates/repository-report.md
@@ -70,7 +70,6 @@
   {% call check("software-bill-of-materials-sbom", "Software bill of materials (SBOM)", report.security.sbom) -%}
   {% call check("security-insights", "Security insights", report.security.security_insights) -%}
   {% call check("security-policy", "Security policy", report.security.security_policy) -%}
-  {% call check("self-assessment", "Self-Assessment", report.security.self_assessment) -%}
   {% call check("signed-releases-from-openssf-scorecard", "Signed releases", report.security.signed_releases) -%}
   {% call check("token-permissions-from-openssf-scorecard", "Token permissions", report.security.token_permissions) -%}
 

diff --git a/clomonitor-core/src/linter/checks/mod.rs b/clomonitor-core/src/linter/checks/mod.rs
@@ -31,7 +31,6 @@ pub(crate) mod roadmap;
 pub(crate) mod sbom;
 pub(crate) mod security_insights;
 pub(crate) mod security_policy;
-pub(crate) mod self_assessment;
 pub(crate) mod signed_releases;
 pub(crate) mod slack_presence;
 pub(crate) mod summary_table;
@@ -95,7 +94,6 @@ lazy_static! {
         register_check!(sbom);
         register_check!(security_insights);
         register_check!(security_policy);
-        register_check!(self_assessment);
         register_check!(signed_releases, "Signed-Releases");
         register_check!(slack_presence);
         register_check!(summary_table);

diff --git a/clomonitor-core/src/linter/checks/self_assessment.rs b/clomonitor-core/src/linter/checks/self_assessment.rs
diff --git a/clomonitor-core/src/linter/mod.rs b/clomonitor-core/src/linter/mod.rs
@@ -161,7 +161,6 @@ impl Linter for CoreLinter {
                 sbom: run!(sbom, &ci),
                 security_insights: run!(security_insights, &ci),
                 security_policy: run!(security_policy, &ci),
-                self_assessment: run!(self_assessment, &ci),
                 signed_releases: run!(signed_releases, &ci),
                 token_permissions: run!(token_permissions, &ci),
             },

diff --git a/clomonitor-core/src/linter/report.rs b/clomonitor-core/src/linter/report.rs
@@ -137,7 +137,6 @@ pub struct Security {
     pub sbom: Option<CheckOutput>,
     pub security_insights: Option<CheckOutput>,
     pub security_policy: Option<CheckOutput>,
-    pub self_assessment: Option<CheckOutput>,
     pub signed_releases: Option<CheckOutput>,
     pub token_permissions: Option<CheckOutput>,
 }
@@ -154,7 +153,6 @@ section_impl!(
     sbom,
     security_insights,
     security_policy,
-    self_assessment,
     signed_releases,
     token_permissions
 );

diff --git a/clomonitor-core/src/score/mod.rs b/clomonitor-core/src/score/mod.rs
@@ -292,7 +292,6 @@ mod tests {
                     sbom: Some(CheckOutput::passed()),
                     security_insights: Some(CheckOutput::passed()),
                     security_policy: Some(CheckOutput::passed()),
-                    self_assessment: Some(CheckOutput::passed()),
                     signed_releases: Some(CheckOutput::passed()),
                     token_permissions: Some(CheckOutput::passed()),
                 },
@@ -302,15 +301,15 @@ mod tests {
             }),
             Score {
                 global: 100.0,
-                global_weight: 98,
+                global_weight: 96,
                 documentation: Some(99.999_999_999_999_99),
                 documentation_weight: Some(30),
                 license: Some(100.0),
                 license_weight: Some(20),
                 best_practices: Some(99.999_999_999_999_99),
                 best_practices_weight: Some(19),
-                security: Some(99.999_999_999_999_99),
-                security_weight: Some(24),
+                security: Some(100.000_000_000_000_01),
+                security_weight: Some(22),
                 legal: Some(100.0),
                 legal_weight: Some(5),
             }
@@ -359,7 +358,6 @@ mod tests {
                     sbom: Some(CheckOutput::not_passed()),
                     security_insights: Some(CheckOutput::not_passed()),
                     security_policy: Some(CheckOutput::not_passed()),
-                    self_assessment: Some(CheckOutput::not_passed()),
                     signed_releases: Some(CheckOutput::not_passed()),
                     token_permissions: Some(CheckOutput::not_passed()),
                 },
@@ -369,15 +367,15 @@ mod tests {
             }),
             Score {
                 global: 0.0,
-                global_weight: 98,
+                global_weight: 96,
                 documentation: Some(0.0),
                 documentation_weight: Some(30),
                 license: Some(0.0),
                 license_weight: Some(20),
                 best_practices: Some(0.0),
                 best_practices_weight: Some(19),
                 security: Some(0.0),
-                security_weight: Some(24),
+                security_weight: Some(22),
                 legal: Some(0.0),
                 legal_weight: Some(5),
             }
@@ -430,7 +428,6 @@ mod tests {
                     sbom: Some(CheckOutput::passed()),
                     security_policy: Some(CheckOutput::passed()),
                     security_insights: Some(CheckOutput::passed()),
-                    self_assessment: Some(CheckOutput::passed()),
                     signed_releases: Some(CheckOutput::passed()),
                     token_permissions: Some(CheckOutput::passed()),
                 },
@@ -440,15 +437,15 @@ mod tests {
             }),
             Score {
                 global: 100.0,
-                global_weight: 78,
+                global_weight: 76,
                 documentation: Some(100.0),
                 documentation_weight: Some(18),
                 license: Some(100.0),
                 license_weight: Some(20),
                 best_practices: Some(100.0),
                 best_practices_weight: Some(16),
-                security: Some(99.999_999_999_999_99),
-                security_weight: Some(24),
+                security: Some(100.000_000_000_000_01),
+                security_weight: Some(22),
                 legal: None,
                 legal_weight: None,
             }

diff --git a/clomonitor-linter/src/table.rs b/clomonitor-linter/src/table.rs
@@ -201,10 +201,6 @@ pub(crate) fn display(
             cell_entry("Security / Security policy"),
             cell_check(&report.security.security_policy),
         ])
-        .add_row(vec![
-            cell_entry("Security / Self-Assessment"),
-            cell_check(&report.security.self_assessment),
-        ])
         .add_row(vec![
             cell_entry("Security / Signed release"),
             cell_check(&report.security.signed_releases),
@@ -354,7 +350,6 @@ mod tests {
                 sbom: Some(CheckOutput::passed()),
                 security_insights: Some(CheckOutput::passed()),
                 security_policy: Some(CheckOutput::passed()),
-                self_assessment: Some(CheckOutput::passed()),
                 signed_releases: Some(CheckOutput::passed()),
                 token_permissions: Some(CheckOutput::passed()),
             },

diff --git a/clomonitor-linter/src/testdata/display.golden b/clomonitor-linter/src/testdata/display.golden
@@ -96,8 +96,6 @@ Checks summary
 ├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
 │ Security / Security policy                    ┆      ✓     │
 ├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
-│ Security / Self-Assessment                    ┆      ✓     │
-├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
 │ Security / Signed release                     ┆      ✓     │
 ├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌┤
 │ Security / Token permissions                  ┆      ✓     │

diff --git a/database/migrations/functions/repositories/get_repositories_with_checks.sql b/database/migrations/functions/repositories/get_repositories_with_checks.sql
@@ -38,7 +38,6 @@ returns setof text as $$
             (rp.data->'security'->'sbom'->'passed')::boolean as sbom,
             (rp.data->'security'->'security_insights'->'passed')::boolean as security_insights,
             (rp.data->'security'->'security_policy'->'passed')::boolean as security_policy,
-            (rp.data->'security'->'self_assessment'->'passed')::boolean as self_assessment,
             (rp.data->'security'->'signed_releases'->'passed')::boolean as signed_releases,
             (rp.data->'security'->'token_permissions'->'passed')::boolean as token_permissions,
             (rp.data->'legal'->'trademark_disclaimer'->'passed')::boolean as trademark_disclaimer
@@ -47,7 +46,7 @@ returns setof text as $$
         join report rp using (repository_id)
         order by p.foundation_id asc, p.name asc
     )
-    select 'Foundation,Project,Repository URL,Check Sets,Adopters,Changelog,Code of Conduct,Contributing,Governance,Maintainers,Readme,Roadmap,Summary Table,Website,License Approved,License Scanning,License SPDX ID,ArtifactHub Badge,CLA,Community Meeting,DCO,GitHub discussions,OpenSSF best practices badge,OpenSSF Scorecard badge,Recent Release,Slack Presence,Binary Artifacts,Code Review,Dangerous Workflow,Dependencies Policy,Dependency Update Tool,Maintained,SBOM,Security Insights,Security Policy,Self-Assessment,Signed Releases,Token Permissions,Trademark Disclaimer'
+    select 'Foundation,Project,Repository URL,Check Sets,Adopters,Changelog,Code of Conduct,Contributing,Governance,Maintainers,Readme,Roadmap,Summary Table,Website,License Approved,License Scanning,License SPDX ID,ArtifactHub Badge,CLA,Community Meeting,DCO,GitHub discussions,OpenSSF best practices badge,OpenSSF Scorecard badge,Recent Release,Slack Presence,Binary Artifacts,Code Review,Dangerous Workflow,Dependencies Policy,Dependency Update Tool,Maintained,SBOM,Security Insights,Security Policy,Signed Releases,Token Permissions,Trademark Disclaimer'
     union all
     select rtrim(ltrim(r.*::text, '('), ')') from repositories r;
 $$ language sql;
diff --git a/database/migrations/functions/stats/get_stats.sql b/database/migrations/functions/stats/get_stats.sql
@@ -206,7 +206,6 @@ returns json as $$
                     'sbom', repositories_passing_check(p_foundation, 'security', 'sbom'),
                     'security_insights', repositories_passing_check(p_foundation, 'security', 'security_insights'),
                     'security_policy', repositories_passing_check(p_foundation, 'security', 'security_policy'),
-                    'self_assessment', repositories_passing_check(p_foundation, 'security', 'self_assessment'),
                     'signed_releases', repositories_passing_check(p_foundation, 'security', 'signed_releases'),
                     'token_permissions', repositories_passing_check(p_foundation, 'security', 'token_permissions')
                 ),

diff --git a/database/tests/functions/repositories/get_repositories_with_checks.sql b/database/tests/functions/repositories/get_repositories_with_checks.sql
@@ -86,9 +86,6 @@ insert into report (
                 "url": "https://github.com/fluent/fluentd/blob/master/SECURITY.md",
                 "passed": true
             },
-            "self_assessment": {
-                "passed": true
-            },
             "maintained": {
                 "passed": true
             },
@@ -226,9 +223,9 @@ select results_eq(
     $$,
     $$
         values
-            ('Foundation,Project,Repository URL,Check Sets,Adopters,Changelog,Code of Conduct,Contributing,Governance,Maintainers,Readme,Roadmap,Summary Table,Website,License Approved,License Scanning,License SPDX ID,ArtifactHub Badge,CLA,Community Meeting,DCO,GitHub discussions,OpenSSF best practices badge,OpenSSF Scorecard badge,Recent Release,Slack Presence,Binary Artifacts,Code Review,Dangerous Workflow,Dependencies Policy,Dependency Update Tool,Maintained,SBOM,Security Insights,Security Policy,Self-Assessment,Signed Releases,Token Permissions,Trademark Disclaimer'),
-            ('cncf,project1,https://repo1.url,"{code,community}",t,t,t,t,t,t,t,f,f,t,t,f,Apache-2.0,f,t,f,t,t,t,t,t,f,t,t,t,t,f,t,f,t,t,t,f,f,f'),
-            ('cncf,project1,https://repo2.url,{docs},,,,,,,f,,,,t,,Apache-2.0,,,,,,,,,,,,,,,,,,,,,,')
+            ('Foundation,Project,Repository URL,Check Sets,Adopters,Changelog,Code of Conduct,Contributing,Governance,Maintainers,Readme,Roadmap,Summary Table,Website,License Approved,License Scanning,License SPDX ID,ArtifactHub Badge,CLA,Community Meeting,DCO,GitHub discussions,OpenSSF best practices badge,OpenSSF Scorecard badge,Recent Release,Slack Presence,Binary Artifacts,Code Review,Dangerous Workflow,Dependencies Policy,Dependency Update Tool,Maintained,SBOM,Security Insights,Security Policy,Signed Releases,Token Permissions,Trademark Disclaimer'),
+            ('cncf,project1,https://repo1.url,"{code,community}",t,t,t,t,t,t,t,f,f,t,t,f,Apache-2.0,f,t,f,t,t,t,t,t,f,t,t,t,t,f,t,f,t,t,f,f,f'),
+            ('cncf,project1,https://repo2.url,{docs},,,,,,,f,,,,t,,Apache-2.0,,,,,,,,,,,,,,,,,,,,,')
     $$,
     'Return all repositories with all checks'
 );

diff --git a/database/tests/functions/stats/get_stats.sql b/database/tests/functions/stats/get_stats.sql
@@ -137,9 +137,6 @@ insert into report (
                 "url": "https://github.com/fluent/fluentd/blob/master/SECURITY.md",
                 "passed": true
             },
-            "self_assessment": {
-                "passed": true
-            },
             "maintained": {
                 "passed": true
             },
@@ -278,9 +275,6 @@ insert into report (
                 "url": "https://github.com/fluent/fluentd/blob/master/SECURITY.md",
                 "passed": true
             },
-            "self_assessment": {
-                "passed": true
-            },
             "maintained": {
                 "passed": true
             },
@@ -416,9 +410,6 @@ insert into report (
             "security_policy": {
                 "passed": false
             },
-            "self_assessment": {
-                "passed": false
-            },
             "maintained": {
                 "passed": false
             },
@@ -622,7 +613,6 @@ select is(
                     "sbom": 0,
                     "security_insights": 67,
                     "security_policy": 67,
-                    "self_assessment": 67,
                     "signed_releases": 0,
                     "token_permissions": 0
                 },

diff --git a/docs/checks.md b/docs/checks.md
@@ -27,7 +27,6 @@ Checks are organized in `check sets`. Each `check set` defines a number of check
   - Security / Maintained
   - Security / SBOM
   - Security / Policy
-  - Security / Self-Assessment
   - Security / Signed releases
   - Security / Token permissions
 
@@ -594,16 +593,6 @@ CASE SENSITIVE: false
 
 - A security policy *file* is found in Github (in the [`.github` default community health files repository](https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file), for example).
 
-### Self-Assessmemt
-
-**ID**: `self_assessment`
-
-Projects should provide a [TAG Security formatted](https://github.com/cncf/tag-security/blob/main/assessments/guide/self-assessment.md) Security Self-Assessment.
-
-This check passes if:
-
-- The details of the security self-assessment (including the evidence url) are available in the `security-artifacts > self-assessment` section of the [OpenSSF Security Insights](https://github.com/ossf/security-insights-spec/blob/v1.0.0/specification.md) *manifest file* (`SECURITY-INSIGHTS.yml`) that should be located at the root of the repository.
-
 ### Signed releases (from OpenSSF Scorecard)
 
 **ID**: `signed_releases`

diff --git a/web/src/data.tsx b/web/src/data.tsx
@@ -19,7 +19,7 @@ import {
 import { FiHexagon } from 'react-icons/fi';
 import { GiFountainPen, GiStamper, GiTiedScroll } from 'react-icons/gi';
 import { GoCommentDiscussion, GoFileBinary, GoLaw } from 'react-icons/go';
-import { GrDocumentLocked, GrDocumentText, GrDocumentVerified } from 'react-icons/gr';
+import { GrDocumentLocked, GrDocumentText } from 'react-icons/gr';
 import { HiOutlinePencilAlt, HiTerminal } from 'react-icons/hi';
 import { ImOffice } from 'react-icons/im';
 import { IoIosPeople, IoMdRibbon } from 'react-icons/io';
@@ -436,23 +436,6 @@ export const REPORT_OPTIONS: ReportOptionInfo = {
     legend: <span>Clearly documented security processes explaining how to report security issues to the project</span>,
     reference: '/docs/topics/checks/#security-policy',
   },
-  [ReportOption.SelfAssessment]: {
-    icon: <GrDocumentVerified />,
-    name: 'Self-Assessment',
-    legend: (
-      <span>
-        The project provides a{' '}
-        <ExternalLink
-          className="d-inline-block text-decoration-underline"
-          href="https://github.com/cncf/tag-security/blob/main/assessments/guide/self-assessment.md"
-        >
-          TAG Security formatted
-        </ExternalLink>{' '}
-        Security Self-Assessment
-      </span>
-    ),
-    reference: '/docs/topics/checks/#self-assessment',
-  },
   [ReportOption.SignedReleases]: {
     icon: <FaSignature />,
     name: 'Signed releases',
@@ -558,7 +541,6 @@ export const CHECKS_PER_CATEGORY: ChecksPerCategory = {
     ReportOption.SBOM,
     ReportOption.SecurityInsights,
     ReportOption.SecurityPolicy,
-    ReportOption.SelfAssessment,
     ReportOption.SignedReleases,
     ReportOption.TokenPermissions,
   ],

diff --git a/web/src/types.ts b/web/src/types.ts
@@ -164,7 +164,6 @@ export enum ReportOption {
   SBOM = 'sbom',
   SecurityInsights = 'security_insights',
   SecurityPolicy = 'security_policy',
-  SelfAssessment = 'self_assessment',
   SignedReleases = 'signed_releases',
   SlackPresence = 'slack_presence',
   SPDX = 'license_spdx_id',