From 5db396f4fba70117842061348404dcbc8e29d538 Mon Sep 17 00:00:00 2001
From: Colin O'Sullivan
Date: Fri, 12 Dec 2025 18:35:54 +0000
Subject: [PATCH] #4751 removing pyup check

Signed-off-by: Colin O'Sullivan
---
 checks/dependency_update_tool_test.go | 13 -------------
 checks/evaluation/dependency_update_tool_test.go | 2 +-
 checks/raw/dependency_update_tool.go | 13 -------------
 checks/raw/dependency_update_tool_test.go | 6 ------
 docs/beginner-checks.md | 2 +-
 docs/checks.md | 1 -
 docs/checks/dependencyupdatetool/README.md | 2 --
 docs/checks/internal/checks.yaml | 1 -
 8 files changed, 2 insertions(+), 38 deletions(-)

diff --git a/checks/dependency_update_tool_test.go b/checks/dependency_update_tool_test.go
index 32effcbfd0c..0c107e8213a 100644
--- a/checks/dependency_update_tool_test.go
+++ b/checks/dependency_update_tool_test.go
@@ -93,19 +93,6 @@ func TestDependencyUpdateTool(t *testing.T) {
 				Score: 10,
 			},
 		},
-		{
-			name: "pyup config detected",
-			wantErr: false,
-			files: []string{
-				".pyup.yml",
-			},
-			CallSearchCommits: 0,
-			expected: scut.TestReturn{
-				NumberOfInfo: 1,
-				NumberOfWarn: 0,
-				Score: 10,
-			},
-		},
 		{
 			name: "random committer ID not detected as dependecy tool bot",
 			wantErr: false,
diff --git a/checks/evaluation/dependency_update_tool_test.go b/checks/evaluation/dependency_update_tool_test.go
index 973e17f059e..b6328722c29 100644
--- a/checks/evaluation/dependency_update_tool_test.go
+++ b/checks/evaluation/dependency_update_tool_test.go
@@ -45,7 +45,7 @@ func TestDependencyUpdateTool(t *testing.T) {
 			name: "multiple update tools both logged",
 			findings: []finding.Finding{
 				depUpdateTool("RenovateBot"),
-				depUpdateTool("PyUp"),
+				depUpdateTool("Dependabot"),
 			},
 			result: scut.TestReturn{
 				Score: checker.MaxResultScore,
diff --git a/checks/raw/dependency_update_tool.go b/checks/raw/dependency_update_tool.go
index 9796babce31..cd45be429ae 100644
--- a/checks/raw/dependency_update_tool.go
+++ b/checks/raw/dependency_update_tool.go
@@ -114,19 +114,6 @@ var checkDependencyFileExists fileparser.DoWhileTrueOnFilename = func(name strin
 				},
 			},
 		})
-	case ".pyup.yml":
-		*ptools = append(*ptools, checker.Tool{
-			Name: "PyUp",
-			URL: asPointer("https://pyup.io/"),
-			Desc: asPointer("Automated dependency updates for Python."),
-			Files: []checker.File{
-				{
-					Path: name,
-					Type: finding.FileTypeSource,
-					Offset: checker.OffsetDefault,
-				},
-			},
-		})
 	// https://github.com/scala-steward-org/scala-steward/blob/main/docs/repo-specific-configuration.md
 	case ".scala-steward.conf", "scala-steward.conf",
diff --git a/checks/raw/dependency_update_tool_test.go b/checks/raw/dependency_update_tool_test.go
index 542a6194210..7f7f0bb7001 100644
--- a/checks/raw/dependency_update_tool_test.go
+++ b/checks/raw/dependency_update_tool_test.go
@@ -99,12 +99,6 @@ func Test_checkDependencyFileExists(t *testing.T) {
 			want: true,
 			wantErr: false,
 		},
-		{
-			name: ".pyup.yml",
-			path: ".pyup.yml",
-			want: true,
-			wantErr: false,
-		},
 		{
 			name: ".scala-steward.conf",
 			path: ".scala-steward.conf",
diff --git a/docs/beginner-checks.md b/docs/beginner-checks.md
index dfca3765a53..9225f5c1d3c 100644
--- a/docs/beginner-checks.md
+++ b/docs/beginner-checks.md
@@ -25,7 +25,7 @@ If vulnerabilities are found in your dependencies, there are a few options:
 If you have handled the vulnerabilities in your dependencies and are still not satisfied with your score for this check, make sure there are no open, unfixed vulnerabilities in your project’s own codebase. Once you have dealt with those, your score should improve.
-Next, Scorecard’s [Dependency-Update-Tool check](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool) encourages developers to keep their dependencies up to date, which is a great way to stay on top of security updates. This check awards a high score to a project if it uses a dependency update tool such as [Dependabot](https://docs.github.com/code-security/dependabot), [Renovate bot](https://docs.renovatebot.com/), or [PyUp](https://github.com/pyupio/pyup#readme). Using one of these tools helps streamline security processes by notifying you when vulnerabilities have surfaced in your dependencies or when new versions of your dependencies become available.
+Next, Scorecard’s [Dependency-Update-Tool check](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool) encourages developers to keep their dependencies up to date, which is a great way to stay on top of security updates. This check awards a high score to a project if it uses a dependency update tool such as [Dependabot](https://docs.github.com/code-security/dependabot) or [Renovate bot](https://docs.renovatebot.com/). Using one of these tools helps streamline security processes by notifying you when vulnerabilities have surfaced in your dependencies or when new versions of your dependencies become available.
 Automated processes like these save you time and are highly configurable; for example, you can set your bot to update dependencies every day or every week at the same time.
diff --git a/docs/checks.md b/docs/checks.md
index 9ef31232f46..3c9325711cb 100644
--- a/docs/checks.md
+++ b/docs/checks.md
@@ -312,7 +312,6 @@ This check tries to determine if the project uses a dependency update tool,
 specifically one of:
 - [Dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates)
 - [Renovate bot](https://docs.renovatebot.com/configuration-options/)
-- [PyUp](https://docs.pyup.io/docs) (Python)
 Out-of-date dependencies make a project vulnerable to known flaws and prone to attacks. These tools automate the process of updating dependencies by scanning for outdated or insecure requirements, and opening a pull request to update them if
diff --git a/docs/checks/dependencyupdatetool/README.md b/docs/checks/dependencyupdatetool/README.md
index af04ae6c68b..19b7a70c1e8 100644
--- a/docs/checks/dependencyupdatetool/README.md
+++ b/docs/checks/dependencyupdatetool/README.md
@@ -3,8 +3,6 @@
   * Detection is based on a `.github/dependabot.yml` or `.github/dependabot.yaml` file.
 * [Renovate](https://docs.renovatebot.com/)
   * Detection is based on the configuration files listed [here](https://docs.renovatebot.com/configuration-options/)
-* [PyUp](https://github.com/pyupio/pyup)
-  * Detection based on a `.pyup.yml` file
 * [scala-steward](https://github.com/scala-steward-org/scala-steward)
   * Detection is based on the configuration files listed [here](https://github.com/scala-steward-org/scala-steward/blob/main/docs/repo-specific-configuration.md)
diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml
index 58e30dc3e5f..bab6591a16f 100644
--- a/docs/checks/internal/checks.yaml
+++ b/docs/checks/internal/checks.yaml
@@ -60,7 +60,6 @@ checks:
       specifically one of:
       - [Dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates)
       - [Renovate bot](https://docs.renovatebot.com/configuration-options/)
-      - [PyUp](https://docs.pyup.io/docs) (Python)
       Out-of-date dependencies make a project vulnerable to known flaws and prone to attacks. These tools automate the process of updating dependencies by scanning for outdated or insecure requirements, and opening a pull request to update them if