🌱 New check: Mean time to update dependencies

Signed-off-by: Adam Korczynski <[email protected]>

Author: AdamKorcz

checker/raw_result.go

@@ -40,6 +40,7 @@ type RawResults struct {
 	SBOMResults                 SBOMData
 	MaintainedResults           MaintainedData
 	Metadata                    MetadataData
+	MTTUDependenciesResults     MTTUDependenciesData
 	PackagingResults            PackagingData
 	PinningDependenciesResults  PinningDependenciesData
 	SASTResults                 SASTData
@@ -302,6 +303,36 @@ type SecurityPolicyData struct {
 	PolicyFiles []SecurityPolicyFile
 }
 
+type MTTUDependenciesData struct {
+	Dependencies []LockDependency
+}
+
+// Ecosystem represents the ecosystem of a dependency.
+type Ecosystem string
+
+const (
+	EcosystemCargo    Ecosystem = "CARGO"
+	EcosystemGo       Ecosystem = "GO"
+	EcosystemMaven    Ecosystem = "MAVEN"
+	EcosystemNPM      Ecosystem = "NPM"
+	EcosystemNuget    Ecosystem = "NUGET"
+	EcosystemPypi     Ecosystem = "PYPI"
+	EcosystemRubyGems Ecosystem = "RUBYGEMS"
+)
+
+func (e Ecosystem) String() string {
+	return string(e)
+}
+
+type LockDependency struct {
+	TimeSinceOldestReleast time.Time
+	IsLatest               *bool
+	Name                   string
+	Version                string
+	Comparator             string
+	Ecosystem              Ecosystem
+}
+
 // BinaryArtifactData contains the raw results
 // for the Binary-Artifact check.
 type BinaryArtifactData struct {

checks/MTTUDependencies.go

@@ -0,0 +1,64 @@
+// Copyright 2025 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package checks
+
+import (
+	"github.com/ossf/scorecard/v5/checker"
+	"github.com/ossf/scorecard/v5/checks/evaluation"
+	"github.com/ossf/scorecard/v5/checks/raw"
+	sce "github.com/ossf/scorecard/v5/errors"
+	"github.com/ossf/scorecard/v5/probes"
+	zrunner "github.com/ossf/scorecard/v5/probes/zrunner"
+)
+
+const CheckMTTUDependencies = "MTTUDependencies"
+
+//nolint:gochecknoinits
+func init() {
+	supportedRequestTypes := []checker.RequestType{
+		checker.FileBased,
+	}
+	if err := registerCheck(CheckMTTUDependencies, MTTUDependencies, supportedRequestTypes); err != nil {
+		// this should never happen
+		panic(err)
+	}
+}
+
+// indirections to ease testing.
+var runProbes = zrunner.Run
+
+func MTTUDependencies(c *checker.CheckRequest) checker.CheckResult {
+	// 1) get raw data
+	rawData, err := raw.MTTUDependencies(c)
+	if err != nil {
+		e := sce.WithMessage(sce.ErrScorecardInternal, err.Error())
+		return checker.CreateRuntimeErrorResult(CheckMTTUDependencies, e)
+	}
+
+	// 2) set raw results
+	pRawResults := getRawResults(c)
+	pRawResults.MTTUDependenciesResults = rawData
+
+	// 3) run probes
+	findings, err := runProbes(pRawResults, probes.MTTUDependencies)
+	if err != nil {
+		e := sce.WithMessage(sce.ErrScorecardInternal, err.Error())
+		return checker.CreateRuntimeErrorResult(CheckMTTUDependencies, e)
+	}
+
+	// 4) evaluate
+	ret := evaluation.MTTUDependencies(CheckMTTUDependencies, findings, c.Dlogger)
+	return ret
+}