2022-12-02 02:08:48 +03:00
|
|
|
// Copyright 2021 OpenSSF Scorecard Authors
|
2021-04-02 05:09:45 +03:00
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
2022-09-21 21:14:58 +03:00
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
2021-04-02 05:09:45 +03:00
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
2021-01-15 23:18:43 +03:00
|
|
|
package e2e
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
2022-04-02 03:21:25 +03:00
|
|
|
"os"
|
2021-01-15 23:18:43 +03:00
|
|
|
|
2022-04-02 03:21:25 +03:00
|
|
|
"github.com/go-git/go-git/v5"
|
2022-02-15 22:27:45 +03:00
|
|
|
. "github.com/onsi/ginkgo/v2"
|
2021-01-15 23:18:43 +03:00
|
|
|
. "github.com/onsi/gomega"
|
2021-05-24 06:51:52 +03:00
|
|
|
|
2022-01-12 22:49:01 +03:00
|
|
|
"github.com/ossf/scorecard/v4/checker"
|
|
|
|
"github.com/ossf/scorecard/v4/checks"
|
2022-02-15 01:24:35 +03:00
|
|
|
"github.com/ossf/scorecard/v4/clients"
|
2022-01-12 22:49:01 +03:00
|
|
|
"github.com/ossf/scorecard/v4/clients/githubrepo"
|
2022-04-02 03:21:25 +03:00
|
|
|
"github.com/ossf/scorecard/v4/clients/localdir"
|
2022-01-12 22:49:01 +03:00
|
|
|
scut "github.com/ossf/scorecard/v4/utests"
|
2021-01-15 23:18:43 +03:00
|
|
|
)
|
|
|
|
|
2021-07-21 19:21:43 +03:00
|
|
|
// TODO: use dedicated repo that don't change.
|
|
|
|
// TODO: need negative results.
|
2021-07-28 02:32:24 +03:00
|
|
|
var _ = Describe("E2E TEST:"+checks.CheckPinnedDependencies, func() {
|
2021-07-29 21:55:25 +03:00
|
|
|
Context("E2E TEST:Validating dependencies check is working", func() {
|
|
|
|
It("Should return dependencies check is working", func() {
|
2021-07-21 19:21:43 +03:00
|
|
|
dl := scut.TestDetailLogger{}
|
2021-09-10 20:13:14 +03:00
|
|
|
repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-pinned-dependencies-e2e")
|
|
|
|
Expect(err).Should(BeNil())
|
2021-09-02 05:32:26 +03:00
|
|
|
repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
|
✨ Commit depth feature (#2407)
* :seedling: Bump actions/dependency-review-action from 2.4.1 to 2.5.1
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.1 to 2.5.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/9c96258789e5d9e85fe4ca86115ba4cc62b780cf...0efb1d1d84fc9633afcdaad14c485cbbc90ef46c)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* commit_depth feature
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* added more descriptive comments, changed numberofcommits variable name, moved paging for commits into seperate function.
small changes
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
linter
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* added unit tests
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
added test in e2e
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (#2397)
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.6.0 to 1.6.1.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](https://github.com/spf13/cobra/compare/v1.6.0...v1.6.1)
---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.1.6...v2.4.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump cloud.google.com/go/pubsub from 1.25.1 to 1.26.0
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.25.1 to 1.26.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.25.1...pubsub/v1.26.0)
---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/xanzy/go-gitlab from 0.73.1 to 0.74.0
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.73.1 to 0.74.0.
- [Release notes](https://github.com/xanzy/go-gitlab/releases)
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.73.1...v0.74.0)
---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/onsi/gomega from 1.20.2 to 1.23.0 (#2409)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.20.2...v1.23.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 in /tools
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.1.6...v2.4.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/golangci/golangci-lint in /tools
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.50.0 to 1.50.1.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.50.0...v1.50.1)
---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump goreleaser/goreleaser-action from 2.9.1 to 3.2.0 (#2363)
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.9.1 to 3.2.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](https://github.com/goreleaser/goreleaser-action/compare/b953231f81b8dfd023c58e0854a721e35037f28b...b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757)
---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/goreleaser/goreleaser in /tools (#2373)
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](https://github.com/goreleaser/goreleaser/compare/v1.11.5...v1.12.3)
---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* ✨ CLI for scorecard-attestor (#2309)
* Reorganize
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Working commit
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Compile with local scorecard; go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add signing code
Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update deps
* Naming
* Makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Edit license, add lint.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* checks: go mod tidy, license
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Split into checker/signer files
* Naming convention
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* License, remove golangci.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Use cobra
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add tests for root command
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Filter out checks that aren't needed for policy evaluation
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add `make` targets for attestor; submit coverage stats
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Improvements
* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Flags: Make note-name constant and fix messaging
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Remove SupportedRequestTypes
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy, makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Fix GH actions run
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* fix workflow (#2417)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Bump scorecard-action (#2416)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Fail unit-test job if codecov upload fails (#2415)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Enable comparison for alternative isText implementation (#2414)
* use more performant IsText
Signed-off-by: Spencer Schrock <sschrock@google.com>
* AB test isText implementations
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add comparison env var to release test.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* go mod tidy for attestor
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🐛 modify alternative isText to accept carriage returns (#2421)
* modify IsText from golang.org/x/tools/godoc/util to accept carriage returns.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add TODO reminder to cleanup after release tests
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/onsi/gomega from 1.23.0 to 1.24.0
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.23.0 to 1.24.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.23.0...v1.24.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github/codeql-action from 2.1.29 to 2.1.30
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/ec3cf9c605b848da5f1e41e8452719eb1ccfb9a6...18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* revert failing unit-test on ci error (#2422)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :sparkles: Improved Security Policy Check (#2195)
* :sparkles: Improved Security Policy Check (#2137)
* Examines and awards points for linked content (URLs / Emails)
* Examines and awards points for hints of disclosure and vulnerability practices
* Examines and awards points for hints of elaboration of timelines
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Repaired Security Policy to correctly use linked content length for evaluation
Signed-off-by: Scott Hissam <shissam@gmail.com>
* gofmt'ed changes
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Repaired the case in the evaluation which was too sensitive to content length over the length of the linked content for urls and emails
Signed-off-by: Scott Hissam <shissam@gmail.com>
* added unit test cases for the new content-based Security Policy checks
Signed-off-by: Scott Hissam <shissam@gmail.com>
* reverted the direct (mistaken) change to checks.md and updated the checks.yaml for generate-docs
Signed-off-by: Scott Hissam <shissam@gmail.com>
* :sparkles: Improved Security Policy Check (#2137) (revisted based on comments)
* replaced reason strings with log.Info & log.Warn (as seen in --show-details)
* internal assertion check for nil (*pinfo) and empty pfile
* internal switched to FileTypeText over FileTypeSource
* internal implement type SecurityPolicyInformationType/SecurityPolicyInformation revised SecurityPolicyData to support only one file
* revised expected unit-test results and revised unit-test to reflect the new SecurityPolicyData type
Signed-off-by: Scott Hissam <shissam@gmail.com>
* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly
Signed-off-by: Scott Hissam <shissam@gmail.com>
* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly
Signed-off-by: Scott Hissam <shissam@gmail.com>
* revised the score value based on observation of one *or more* url(s) or one email(s) found; e2e tests update accordingly
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Addressed PR comments; added telemetry for policy hits in security policy file to track hits by line number
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Resolved merge conflict with checks.yaml
Signed-off-by: Scott Hissam <shissam@gmail.com>
* updated raw results to emit all the raw information for the new security policy check
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Resolved merge conflicts and lint errors with json_raw_results.go
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Addressed review comments to reorganize security policy data struct to support the potential for multiple security policy files.
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Added logic to the security policy to process multiple security policy files only after future improvements to aggregating scoring across such files are designed. For now the security policy behaves as originally designed to stop once one of the expected policy files are found in the repo
Signed-off-by: Scott Hissam <shissam@gmail.com>
* added comments regarding the capacity to support multiple policy files and removed unneeded break statements in the code
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Addressed review comments to remove the dependency on the path in the filename from the code and introduced FileSize to checker.File type and removed the SecurityContentLength which was used to hold that information for the new security policy assessment
Signed-off-by: Scott Hissam <shissam@gmail.com>
* restored reporting full security policy path and filename for policies found in the org level repos
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Resolved conflicts in checks.yaml for documentation
Signed-off-by: Scott Hissam <shissam@gmail.com>
* ✨ CLI for scorecard-attestor (#2309)
* Reorganize
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Working commit
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Compile with local scorecard; go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add signing code
Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update deps
* Naming
* Makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Edit license, add lint.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* checks: go mod tidy, license
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Split into checker/signer files
* Naming convention
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* License, remove golangci.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Use cobra
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add tests for root command
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Filter out checks that aren't needed for policy evaluation
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add `make` targets for attestor; submit coverage stats
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Improvements
* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Flags: Make note-name constant and fix messaging
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Remove SupportedRequestTypes
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy, makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Fix GH actions run
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>
* removed whitespace before stanza for Run attestor e2e
Signed-off-by: Scott Hissam <shissam@gmail.com>
* resolved code review and doc review comments
Signed-off-by: Scott Hissam <shissam@gmail.com>
* repaired the link for the maintainer's guide for supporting the coordinated vulnerability disclosure guidelines
Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github/codeql-action from 2.1.30 to 2.1.31 (#2431)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.31.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f...c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* enable more performant isText (#2433)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* modified tests,InitRepo Function, Added GetCommitDepth Function to Client Interface
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* removed getcommitdepth function
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* added TODO
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 in /tools (#2436)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.4.0...v2.5.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.4.0...v2.5.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Code Review: treat merging a PR as code review (#2413)
* Merges on Github count as a code review by the maintainer
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update Raw Results
* More detailed information for Changesets
* If there's no Revision ID, use the Commit SHA instead
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Check that pull request had atleast one reviewer that wasn't its author
* Add field for Pull Request Merged-By to Github and Gitlab
* Note, this check can be bypassed if an author opens a PR with other
people's commits
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Trivial: Fix typo (exepted -> expected) (#2440)
Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>
Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump step-security/harden-runner from 1.5.0 to 2.0.0 (#2443)
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.5.0 to 2.0.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/2e205a28d0e1da00c5f53b161f4067b052c61f34...ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 cron: support reading prefix from file for controller input files (7/n) (#2445)
* add prefix marker file to config
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Read the new config values, if they exist.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add function to fetch prefix file config value.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Read prefix file if prefix not set.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add tests to verify how List works with various prefixes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add tests for getPrefix
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Remove panics from iterator helper functions
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Detect SECURITY.markdown in addition to SECURITY.md (#2447)
GitHub probably supports many more file extensions for Markdown
files, but at the very least, `.md` and `.markdown` have been
standardized in RFC 7763.
Signed-off-by: favonia <favonia@gmail.com>
Signed-off-by: favonia <favonia@gmail.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor (#2430)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: cron: expose the stackdriver prefix as a config variable so it can be changed. (#2446)
* Expose the stackdriver prefix as a config variable so it can be changed.
Signed-off-by: Caleb Brown <calebbrown@google.com>
* fix linter warning
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Only write to the rawBucket if the value exists. (#2451)
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump golang.org/x/tools from 0.2.0 to 0.3.0 (#2448)
* :seedling: Bump golang.org/x/tools from 0.2.0 to 0.3.0
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.2.0...v0.3.0)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* bump attestor modules
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Move cron monitoring to a non-internal location. (#2453)
This allows external workers (e.g. criticality_score) to use the same
monitoring code.
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (#2455)
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/0efb1d1d84fc9633afcdaad14c485cbbc90ef46c...30d582111533d59ab793fd9f971817241654f3ec)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents (#2454)
* Generalize the transfer logic so it is easy to build new transfer agents
This change moves code that reads shards and produces summaries into the
data package so that it can be reused to create new transfer agents,
similar to the BigQuery transfer agent in cron/internal/bq.
Signed-off-by: Caleb Brown <calebbrown@google.com>
* Lint fix and commentary.
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/google/addlicense in /tools (#2459)
Bumps [github.com/google/addlicense](https://github.com/google/addlicense) from 1.0.0 to 1.1.0.
- [Release notes](https://github.com/google/addlicense/releases)
- [Changelog](https://github.com/google/addlicense/blob/master/.goreleaser.yaml)
- [Commits](https://github.com/google/addlicense/compare/v1.0.0...v1.1.0)
---
updated-dependencies:
- dependency-name: github.com/google/addlicense
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/google/go-containerregistry
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.0 to 0.12.1.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.12.0...v0.12.1)
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* go mod tidy
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Added <= instead of == incase negative int is passed
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* missed test fix
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>
Signed-off-by: favonia <favonia@gmail.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Latortuga <42878263+latortuga71@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: scott hissam <shissam@users.noreply.github.com>
Co-authored-by: Michael Scovetta <michael.scovetta@microsoft.com>
Co-authored-by: favonia <favonia@gmail.com>
Co-authored-by: Caleb Brown <calebbrown@google.com>
2022-11-22 19:11:36 +03:00
|
|
|
err = repoClient.InitRepo(repo, clients.HeadSHA, 0)
|
2022-02-08 06:03:36 +03:00
|
|
|
Expect(err).Should(BeNil())
|
|
|
|
|
|
|
|
req := checker.CheckRequest{
|
|
|
|
Ctx: context.Background(),
|
|
|
|
RepoClient: repoClient,
|
|
|
|
Repo: repo,
|
|
|
|
Dlogger: &dl,
|
|
|
|
}
|
|
|
|
expected := scut.TestReturn{
|
|
|
|
Error: nil,
|
:bug: Pinned-Dependencies: only score detected ecosystems (#3436)
* feat: Define if dependency is pinned or unpinned
Add a field Pinned to Dependency structure.
Update to save Dependencies pinned and unpinned. Not only unpinned ones.
All download then run executions are considered unpinned. Because there is no remediation to pin them.
For package manager downloads: add early return if there are no commands, separate package manager identification (go, npm, choco, pip) from decision if installation is pinned or unpinned.
Change Go case "go get -d -v" considered pinned, to any Go installations containing "-d" to be considered pinned.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Convert diff var types to pointer
We need to add a new conversion of boolean to pointer. Currently, we had string and int conversions named asPointer but not used in the same file. In order to know when we are using which conversion and considering bool and string would have to be used in the same file, it was needed to differentiate the method names. New method names are asIntPointer, asStringPointer and soon asBoolPointer.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Pinned Dependency field type
Field needs to be a pointer to work when accessing values on evaluation.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Count pinned and unpinned deps
We're changing the ecossystems result structure. The result structure previously stored if the ecossystem is fully pinned or not. The new result structure can tell how many dependencies of that ecossystem were found and how many were pinned. This change is necessary to ignore not applicable ecossystems on the final aggregated score. When iterating the dependencies, now we go through pinned and unpinned dependencies, not only unpinned, and in each iteration we update the result. We kept the behavior of only log warnings for unpinned dependencies.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Flag not applicable ecossystems
If no dependencies of an ecossystem are found, it results in an inconclusive score (-1). As in other checks, this means here that the ecossystem scoring is not applicable in this case. At the same time, we are keep the scoring criteria the same. If all dependencies are pinned, it results in maximum score (10) and if 1 or more dependencies are unpinned, it results in a minimum score (0) for that ecossystem. GitHub workflow cases are handled differently but the idea is the same. We are also adding a log to know when an ecossystem was not found.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Score only applicable ecossystems
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: If no dependencies then create inconclusive score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: GitHub Actions score and logs
Change test from `createReturnValuesForGitHubActionsWorkflowPinned` function to `createReturnForIsGitHubActionsWorkflowPinned` wrapper function so we can test logs. We have adjusted the existing test cases and included new test cases.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Pinned dependencies score
Break "various warnings" tests into smaller tests for pinned and unpinned dependencies and how they react to warn and debug messages. Plus add tests for how the score is affected when all dependencies are pinned, when no dependencies are pinned, when there are no dependencies, and partial dependencies pinned. Also, how dependencies unpinned in 1 or multiple ecossystems affect the warn messages, add one unpinned case for each ecossystem to see if they are being detected and separate the download then run 2 possible cases, there are currently scoring and logging wrong due to a bug.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Ecossystems score and logs
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Remove deleted maxScore function test
When we changed the scoring method to ignore not applicable scores, we removed the normalization of inconclusive scores to 0. The normalization was done by `maxScore` function, that was deleted in the process.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Adding GitHub Actions dependencies to result
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Update GitHub Actions result
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Update pip installs result
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Handle if nuget dependency is pinned or unpinned
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* tests: Fix check warnings for unpinned dependencies
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Linter errors
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: GitHub Actions pinned log
If, for example, you have GitHub-owned actions and none Third-party actions, you should receive a "no Third-party actions found" log and don't receive a "all Third-party actions are pinned" log. At the same time, you deserve the score of pinning Third-party to complement the GitHub-owned score.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix "ossf-tests/scorecard-check-pinned-dependencies-e2e"
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions only GitHub-owned actions, that are unpinned, no npm installs, multiple go installs all pinned, and all other dependencies types are unpinned. This gives us 8 for actionScore, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 28/7 =~ 4, and now the total score is 18/6 =~ 3. The number of logs remain the same. The "all Third-party actions are pinned" will be replaced by "no Third-party actions found", which is a more realistic info and same thing for npm installs.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* Revert rename `asPointer` to `asStringPointer`
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Handle deps with parsing error and undefined pinning
When a dependency has a parsing error it ends up with a `Msg` field. In this case, the dependency should not count in the final score, so we should not `updatePinningResults` in this case. Also, to continue with the evaluation calculation, we need to make sure the dependencies have a `Pinned` state. Here we are adding this validation for it along with a debug log.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Delete unecessary test
We already have separate test for if 1 unpinned dependency shows a warn message, and 2 cases for when dependencies have errors and show a debug message.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Add missing dep Location cases
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Simplify Dockerfile pinned as name logic
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: If ecossystem is not found show debug log
If ecossystem is not found show debug log, not info log. This affects the tests, all not found ecossystems will "move" from info logs to debug logs. We are also complementing the `all dependencies pinned` and `all dependencies unpinned` cases so we have the max score case and the min score case using all kinds of dependencies.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix e2e tests and more unit tests
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Iterate all dependency types for final score
Now we iterate all existing dependency types in the final score. This will fix the problem of new ecossystems not being count in the final score because we needed to update the evaluation part. This also fixes the problem of download then run being counted twice for the score. Now, we only have debug logs when there are errors with the dependency metadata. That means we don't log anymore when dependencies of an ecossystem are not found. We changed the info log format when dependencies are all pinned. We simplified the calculation of the scores. We removed unused error returns. And now we only iterate existing ecossystems. If an ecossystem is not found we will not iterate it.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Proportional score
We count all pinned dependencies over the total found dependencies of all ecossystems for the final score. But, we still want to give low prioritity to GHA GitHub-owned dependencies over GHA third-party dependencies. That's why we are doing a weighted proportional score, all ecossystems have a normal weight of 10 but GHAs have a weight. If you only have GitHub-owned, it will count as 10, because GHA don't weight less then other ecossystems. Same for GHA third-party, if you only have GHA third-party, it will also count as 10, because GHAs don't weight less then other ecossystems. But if you have both GHA GitHub-owned and third-party, GitHub-owned count less then third-party. Trying to keep the same weight as before, GitHub-owned weights 8 and third-party weights 2. These weights will make the score be more penalized if you have unpinned third-party and less penalized if you have unpinned GitHub-owned.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: GHA weights in proportional score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix scores and logs checking
Add new cases for GHA scores since it's weighted differently now. Remove `createReturnValues` test since the function was removed. Fix current tests to adjust number of logs since we don't log if all dependencies are pinned or not anymore. Fix partially pinned score.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix e2e test
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions only GitHub-owned actions, that are unpinned, no npm installs, multiple go installs all pinned, and all other dependencies types are unpinned. This gives us 8 for GHA ecossytem, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 18/6 =~ 3. Now, we count 5/6 GitHub-owned GHA pinned, 23/36 containerImage pinned, 0/88 downloadThenRun pinned, 2/49 pipCommand pinned, 17/17 goCommand pinned. This results in 47/186 pinned dependencies which results in 2.5 score, that is rounded down to 2. Plus, the number of info was reduced since we don't log info for "all pinned dependencies in X ecossystem" anymore.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Rename to ProportionalScoreWeighted
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Var declarations to create proportional score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Remove unnecessary pointer
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Dependencies priority declaration
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Ecosystem spelling
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Handle 0 weight and 0 total when creating proportional weighted score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Revert -d flag identification change
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: npm ci command is npm download and is pinned
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Linter errors
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Unexport error variable to other packages
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Simplify no score groups condition
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Log proportion of dependencies pinned
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix unit tests to include info logs
The number of info logs should be same number of identified ecossystems. GitHub-owned GitHubAction and third-party GitHubAction count as different ecossytems.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix e2e tests to include info logs
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has GitHub-owned GitHubActions, containerImage, downloadThenRun, pipCommand and goCommand dependencies. Therefore it will have 5 Info logs, one for each ecossystem.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Linter error
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
---------
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
2023-09-25 23:07:19 +03:00
|
|
|
Score: 2,
|
2022-02-08 06:03:36 +03:00
|
|
|
NumberOfWarn: 139,
|
:bug: Pinned-Dependencies: only score detected ecosystems (#3436)
* feat: Define if dependency is pinned or unpinned
Add a field Pinned to Dependency structure.
Update to save Dependencies pinned and unpinned. Not only unpinned ones.
All download then run executions are considered unpinned. Because there is no remediation to pin them.
For package manager downloads: add early return if there are no commands, separate package manager identification (go, npm, choco, pip) from decision if installation is pinned or unpinned.
Change Go case "go get -d -v" considered pinned, to any Go installations containing "-d" to be considered pinned.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Convert diff var types to pointer
We need to add a new conversion of boolean to pointer. Currently, we had string and int conversions named asPointer but not used in the same file. In order to know when we are using which conversion and considering bool and string would have to be used in the same file, it was needed to differentiate the method names. New method names are asIntPointer, asStringPointer and soon asBoolPointer.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Pinned Dependency field type
Field needs to be a pointer to work when accessing values on evaluation.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Count pinned and unpinned deps
We're changing the ecossystems result structure. The result structure previously stored if the ecossystem is fully pinned or not. The new result structure can tell how many dependencies of that ecossystem were found and how many were pinned. This change is necessary to ignore not applicable ecossystems on the final aggregated score. When iterating the dependencies, now we go through pinned and unpinned dependencies, not only unpinned, and in each iteration we update the result. We kept the behavior of only log warnings for unpinned dependencies.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Flag not applicable ecossystems
If no dependencies of an ecossystem are found, it results in an inconclusive score (-1). As in other checks, this means here that the ecossystem scoring is not applicable in this case. At the same time, we are keep the scoring criteria the same. If all dependencies are pinned, it results in maximum score (10) and if 1 or more dependencies are unpinned, it results in a minimum score (0) for that ecossystem. GitHub workflow cases are handled differently but the idea is the same. We are also adding a log to know when an ecossystem was not found.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Score only applicable ecossystems
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: If no dependencies then create inconclusive score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: GitHub Actions score and logs
Change test from `createReturnValuesForGitHubActionsWorkflowPinned` function to `createReturnForIsGitHubActionsWorkflowPinned` wrapper function so we can test logs. We have adjusted the existing test cases and included new test cases.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Pinned dependencies score
Break "various warnings" tests into smaller tests for pinned and unpinned dependencies and how they react to warn and debug messages. Plus add tests for how the score is affected when all dependencies are pinned, when no dependencies are pinned, when there are no dependencies, and partial dependencies pinned. Also, how dependencies unpinned in 1 or multiple ecossystems affect the warn messages, add one unpinned case for each ecossystem to see if they are being detected and separate the download then run 2 possible cases, there are currently scoring and logging wrong due to a bug.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Ecossystems score and logs
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Remove deleted maxScore function test
When we changed the scoring method to ignore not applicable scores, we removed the normalization of inconclusive scores to 0. The normalization was done by `maxScore` function, that was deleted in the process.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Adding GitHub Actions dependencies to result
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Update GitHub Actions result
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Update pip installs result
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Handle if nuget dependency is pinned or unpinned
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* tests: Fix check warnings for unpinned dependencies
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Linter errors
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: GitHub Actions pinned log
If, for example, you have GitHub-owned actions and none Third-party actions, you should receive a "no Third-party actions found" log and don't receive a "all Third-party actions are pinned" log. At the same time, you deserve the score of pinning Third-party to complement the GitHub-owned score.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix "ossf-tests/scorecard-check-pinned-dependencies-e2e"
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions only GitHub-owned actions, that are unpinned, no npm installs, multiple go installs all pinned, and all other dependencies types are unpinned. This gives us 8 for actionScore, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 28/7 =~ 4, and now the total score is 18/6 =~ 3. The number of logs remain the same. The "all Third-party actions are pinned" will be replaced by "no Third-party actions found", which is a more realistic info and same thing for npm installs.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* Revert rename `asPointer` to `asStringPointer`
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Handle deps with parsing error and undefined pinning
When a dependency has a parsing error it ends up with a `Msg` field. In this case, the dependency should not count in the final score, so we should not `updatePinningResults` in this case. Also, to continue with the evaluation calculation, we need to make sure the dependencies have a `Pinned` state. Here we are adding this validation for it along with a debug log.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Delete unecessary test
We already have separate test for if 1 unpinned dependency shows a warn message, and 2 cases for when dependencies have errors and show a debug message.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Add missing dep Location cases
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Simplify Dockerfile pinned as name logic
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: If ecossystem is not found show debug log
If ecossystem is not found show debug log, not info log. This affects the tests, all not found ecossystems will "move" from info logs to debug logs. We are also complementing the `all dependencies pinned` and `all dependencies unpinned` cases so we have the max score case and the min score case using all kinds of dependencies.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix e2e tests and more unit tests
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Iterate all dependency types for final score
Now we iterate all existing dependency types in the final score. This will fix the problem of new ecossystems not being count in the final score because we needed to update the evaluation part. This also fixes the problem of download then run being counted twice for the score. Now, we only have debug logs when there are errors with the dependency metadata. That means we don't log anymore when dependencies of an ecossystem are not found. We changed the info log format when dependencies are all pinned. We simplified the calculation of the scores. We removed unused error returns. And now we only iterate existing ecossystems. If an ecossystem is not found we will not iterate it.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Proportional score
We count all pinned dependencies over the total found dependencies of all ecossystems for the final score. But, we still want to give low prioritity to GHA GitHub-owned dependencies over GHA third-party dependencies. That's why we are doing a weighted proportional score, all ecossystems have a normal weight of 10 but GHAs have a weight. If you only have GitHub-owned, it will count as 10, because GHA don't weight less then other ecossystems. Same for GHA third-party, if you only have GHA third-party, it will also count as 10, because GHAs don't weight less then other ecossystems. But if you have both GHA GitHub-owned and third-party, GitHub-owned count less then third-party. Trying to keep the same weight as before, GitHub-owned weights 8 and third-party weights 2. These weights will make the score be more penalized if you have unpinned third-party and less penalized if you have unpinned GitHub-owned.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: GHA weights in proportional score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix scores and logs checking
Add new cases for GHA scores since it's weighted differently now. Remove `createReturnValues` test since the function was removed. Fix current tests to adjust number of logs since we don't log if all dependencies are pinned or not anymore. Fix partially pinned score.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix e2e test
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions only GitHub-owned actions, that are unpinned, no npm installs, multiple go installs all pinned, and all other dependencies types are unpinned. This gives us 8 for GHA ecossytem, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 18/6 =~ 3. Now, we count 5/6 GitHub-owned GHA pinned, 23/36 containerImage pinned, 0/88 downloadThenRun pinned, 2/49 pipCommand pinned, 17/17 goCommand pinned. This results in 47/186 pinned dependencies which results in 2.5 score, that is rounded down to 2. Plus, the number of info was reduced since we don't log info for "all pinned dependencies in X ecossystem" anymore.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Rename to ProportionalScoreWeighted
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Var declarations to create proportional score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Remove unnecessary pointer
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Dependencies priority declaration
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Ecosystem spelling
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Handle 0 weight and 0 total when creating proportional weighted score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Revert -d flag identification change
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: npm ci command is npm download and is pinned
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Linter errors
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Unexport error variable to other packages
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Simplify no score groups condition
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Log proportion of dependencies pinned
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix unit tests to include info logs
The number of info logs should be same number of identified ecossystems. GitHub-owned GitHubAction and third-party GitHubAction count as different ecossytems.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix e2e tests to include info logs
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has GitHub-owned GitHubActions, containerImage, downloadThenRun, pipCommand and goCommand dependencies. Therefore it will have 5 Info logs, one for each ecossystem.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Linter error
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
---------
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
2023-09-25 23:07:19 +03:00
|
|
|
NumberOfInfo: 5,
|
2022-02-08 06:03:36 +03:00
|
|
|
NumberOfDebug: 0,
|
|
|
|
}
|
2022-06-07 00:31:22 +03:00
|
|
|
result := checks.PinningDependencies(&req)
|
2024-01-30 23:40:41 +03:00
|
|
|
scut.ValidateTestReturn(GinkgoTB(), "dependencies check", &expected, &result, &dl)
|
2022-02-08 06:03:36 +03:00
|
|
|
Expect(repoClient.Close()).Should(BeNil())
|
|
|
|
})
|
|
|
|
It("Should return dependencies check at commit", func() {
|
|
|
|
dl := scut.TestDetailLogger{}
|
|
|
|
repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-pinned-dependencies-e2e")
|
|
|
|
Expect(err).Should(BeNil())
|
|
|
|
repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
|
✨ Commit depth feature (#2407)
* :seedling: Bump actions/dependency-review-action from 2.4.1 to 2.5.1
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.1 to 2.5.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/9c96258789e5d9e85fe4ca86115ba4cc62b780cf...0efb1d1d84fc9633afcdaad14c485cbbc90ef46c)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* commit_depth feature
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* added more descriptive comments, changed numberofcommits variable name, moved paging for commits into seperate function.
small changes
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
linter
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* added unit tests
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
added test in e2e
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (#2397)
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.6.0 to 1.6.1.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](https://github.com/spf13/cobra/compare/v1.6.0...v1.6.1)
---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.1.6...v2.4.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump cloud.google.com/go/pubsub from 1.25.1 to 1.26.0
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.25.1 to 1.26.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.25.1...pubsub/v1.26.0)
---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/xanzy/go-gitlab from 0.73.1 to 0.74.0
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.73.1 to 0.74.0.
- [Release notes](https://github.com/xanzy/go-gitlab/releases)
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.73.1...v0.74.0)
---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/onsi/gomega from 1.20.2 to 1.23.0 (#2409)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.20.2...v1.23.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 in /tools
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.1.6...v2.4.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/golangci/golangci-lint in /tools
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.50.0 to 1.50.1.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.50.0...v1.50.1)
---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump goreleaser/goreleaser-action from 2.9.1 to 3.2.0 (#2363)
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.9.1 to 3.2.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](https://github.com/goreleaser/goreleaser-action/compare/b953231f81b8dfd023c58e0854a721e35037f28b...b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757)
---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/goreleaser/goreleaser in /tools (#2373)
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](https://github.com/goreleaser/goreleaser/compare/v1.11.5...v1.12.3)
---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* ✨ CLI for scorecard-attestor (#2309)
* Reorganize
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Working commit
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Compile with local scorecard; go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add signing code
Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update deps
* Naming
* Makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Edit license, add lint.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* checks: go mod tidy, license
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Split into checker/signer files
* Naming convention
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* License, remove golangci.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Use cobra
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add tests for root command
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Filter out checks that aren't needed for policy evaluation
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add `make` targets for attestor; submit coverage stats
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Improvements
* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Flags: Make note-name constant and fix messaging
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Remove SupportedRequestTypes
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy, makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Fix GH actions run
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* fix workflow (#2417)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Bump scorecard-action (#2416)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Fail unit-test job if codecov upload fails (#2415)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Enable comparison for alternative isText implementation (#2414)
* use more performant IsText
Signed-off-by: Spencer Schrock <sschrock@google.com>
* AB test isText implementations
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add comparison env var to release test.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* go mod tidy for attestor
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🐛 modify alternative isText to accept carriage returns (#2421)
* modify IsText from golang.org/x/tools/godoc/util to accept carriage returns.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add TODO reminder to cleanup after release tests
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/onsi/gomega from 1.23.0 to 1.24.0
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.23.0 to 1.24.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.23.0...v1.24.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github/codeql-action from 2.1.29 to 2.1.30
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/ec3cf9c605b848da5f1e41e8452719eb1ccfb9a6...18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* revert failing unit-test on ci error (#2422)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :sparkles: Improved Security Policy Check (#2195)
* :sparkles: Improved Security Policy Check (#2137)
* Examines and awards points for linked content (URLs / Emails)
* Examines and awards points for hints of disclosure and vulnerability practices
* Examines and awards points for hints of elaboration of timelines
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Repaired Security Policy to correctly use linked content length for evaluation
Signed-off-by: Scott Hissam <shissam@gmail.com>
* gofmt'ed changes
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Repaired the case in the evaluation which was too sensitive to content length over the length of the linked content for urls and emails
Signed-off-by: Scott Hissam <shissam@gmail.com>
* added unit test cases for the new content-based Security Policy checks
Signed-off-by: Scott Hissam <shissam@gmail.com>
* reverted the direct (mistaken) change to checks.md and updated the checks.yaml for generate-docs
Signed-off-by: Scott Hissam <shissam@gmail.com>
* :sparkles: Improved Security Policy Check (#2137) (revisted based on comments)
* replaced reason strings with log.Info & log.Warn (as seen in --show-details)
* internal assertion check for nil (*pinfo) and empty pfile
* internal switched to FileTypeText over FileTypeSource
* internal implement type SecurityPolicyInformationType/SecurityPolicyInformation revised SecurityPolicyData to support only one file
* revised expected unit-test results and revised unit-test to reflect the new SecurityPolicyData type
Signed-off-by: Scott Hissam <shissam@gmail.com>
* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly
Signed-off-by: Scott Hissam <shissam@gmail.com>
* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly
Signed-off-by: Scott Hissam <shissam@gmail.com>
* revised the score value based on observation of one *or more* url(s) or one email(s) found; e2e tests update accordingly
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Addressed PR comments; added telemetry for policy hits in security policy file to track hits by line number
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Resolved merge conflict with checks.yaml
Signed-off-by: Scott Hissam <shissam@gmail.com>
* updated raw results to emit all the raw information for the new security policy check
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Resolved merge conflicts and lint errors with json_raw_results.go
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Addressed review comments to reorganize security policy data struct to support the potential for multiple security policy files.
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Added logic to the security policy to process multiple security policy files only after future improvements to aggregating scoring across such files are designed. For now the security policy behaves as originally designed to stop once one of the expected policy files are found in the repo
Signed-off-by: Scott Hissam <shissam@gmail.com>
* added comments regarding the capacity to support multiple policy files and removed unneeded break statements in the code
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Addressed review comments to remove the dependency on the path in the filename from the code and introduced FileSize to checker.File type and removed the SecurityContentLength which was used to hold that information for the new security policy assessment
Signed-off-by: Scott Hissam <shissam@gmail.com>
* restored reporting full security policy path and filename for policies found in the org level repos
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Resolved conflicts in checks.yaml for documentation
Signed-off-by: Scott Hissam <shissam@gmail.com>
* ✨ CLI for scorecard-attestor (#2309)
* Reorganize
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Working commit
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Compile with local scorecard; go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add signing code
Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update deps
* Naming
* Makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Edit license, add lint.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* checks: go mod tidy, license
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Split into checker/signer files
* Naming convention
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* License, remove golangci.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Use cobra
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add tests for root command
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Filter out checks that aren't needed for policy evaluation
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add `make` targets for attestor; submit coverage stats
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Improvements
* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Flags: Make note-name constant and fix messaging
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Remove SupportedRequestTypes
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy, makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Fix GH actions run
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>
* removed whitespace before stanza for Run attestor e2e
Signed-off-by: Scott Hissam <shissam@gmail.com>
* resolved code review and doc review comments
Signed-off-by: Scott Hissam <shissam@gmail.com>
* repaired the link for the maintainer's guide for supporting the coordinated vulnerability disclosure guidelines
Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github/codeql-action from 2.1.30 to 2.1.31 (#2431)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.31.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f...c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* enable more performant isText (#2433)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* modified tests,InitRepo Function, Added GetCommitDepth Function to Client Interface
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* removed getcommitdepth function
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* added TODO
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 in /tools (#2436)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.4.0...v2.5.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.4.0...v2.5.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Code Review: treat merging a PR as code review (#2413)
* Merges on Github count as a code review by the maintainer
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update Raw Results
* More detailed information for Changesets
* If there's no Revision ID, use the Commit SHA instead
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Check that pull request had atleast one reviewer that wasn't its author
* Add field for Pull Request Merged-By to Github and Gitlab
* Note, this check can be bypassed if an author opens a PR with other
people's commits
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Trivial: Fix typo (exepted -> expected) (#2440)
Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>
Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump step-security/harden-runner from 1.5.0 to 2.0.0 (#2443)
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.5.0 to 2.0.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/2e205a28d0e1da00c5f53b161f4067b052c61f34...ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 cron: support reading prefix from file for controller input files (7/n) (#2445)
* add prefix marker file to config
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Read the new config values, if they exist.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add function to fetch prefix file config value.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Read prefix file if prefix not set.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add tests to verify how List works with various prefixes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add tests for getPrefix
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Remove panics from iterator helper functions
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Detect SECURITY.markdown in addition to SECURITY.md (#2447)
GitHub probably supports many more file extensions for Markdown
files, but at the very least, `.md` and `.markdown` have been
standardized in RFC 7763.
Signed-off-by: favonia <favonia@gmail.com>
Signed-off-by: favonia <favonia@gmail.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor (#2430)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: cron: expose the stackdriver prefix as a config variable so it can be changed. (#2446)
* Expose the stackdriver prefix as a config variable so it can be changed.
Signed-off-by: Caleb Brown <calebbrown@google.com>
* fix linter warning
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Only write to the rawBucket if the value exists. (#2451)
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump golang.org/x/tools from 0.2.0 to 0.3.0 (#2448)
* :seedling: Bump golang.org/x/tools from 0.2.0 to 0.3.0
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.2.0...v0.3.0)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* bump attestor modules
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Move cron monitoring to a non-internal location. (#2453)
This allows external workers (e.g. criticality_score) to use the same
monitoring code.
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (#2455)
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/0efb1d1d84fc9633afcdaad14c485cbbc90ef46c...30d582111533d59ab793fd9f971817241654f3ec)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents (#2454)
* Generalize the transfer logic so it is easy to build new transfer agents
This change moves code that reads shards and produces summaries into the
data package so that it can be reused to create new transfer agents,
similar to the BigQuery transfer agent in cron/internal/bq.
Signed-off-by: Caleb Brown <calebbrown@google.com>
* Lint fix and commentary.
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/google/addlicense in /tools (#2459)
Bumps [github.com/google/addlicense](https://github.com/google/addlicense) from 1.0.0 to 1.1.0.
- [Release notes](https://github.com/google/addlicense/releases)
- [Changelog](https://github.com/google/addlicense/blob/master/.goreleaser.yaml)
- [Commits](https://github.com/google/addlicense/compare/v1.0.0...v1.1.0)
---
updated-dependencies:
- dependency-name: github.com/google/addlicense
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/google/go-containerregistry
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.0 to 0.12.1.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.12.0...v0.12.1)
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* go mod tidy
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Added <= instead of == incase negative int is passed
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* missed test fix
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>
Signed-off-by: favonia <favonia@gmail.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Latortuga <42878263+latortuga71@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: scott hissam <shissam@users.noreply.github.com>
Co-authored-by: Michael Scovetta <michael.scovetta@microsoft.com>
Co-authored-by: favonia <favonia@gmail.com>
Co-authored-by: Caleb Brown <calebbrown@google.com>
2022-11-22 19:11:36 +03:00
|
|
|
err = repoClient.InitRepo(repo, "c8bfd7cf04ea7af741e1d07af98fabfcc1b6ffb1", 0)
|
2021-06-22 20:55:59 +03:00
|
|
|
Expect(err).Should(BeNil())
|
|
|
|
|
2021-07-21 19:21:43 +03:00
|
|
|
req := checker.CheckRequest{
|
2021-09-02 05:32:26 +03:00
|
|
|
Ctx: context.Background(),
|
|
|
|
RepoClient: repoClient,
|
2021-09-10 20:13:14 +03:00
|
|
|
Repo: repo,
|
2021-09-02 05:32:26 +03:00
|
|
|
Dlogger: &dl,
|
2021-07-21 19:21:43 +03:00
|
|
|
}
|
|
|
|
expected := scut.TestReturn{
|
2021-08-31 00:12:57 +03:00
|
|
|
Error: nil,
|
:bug: Pinned-Dependencies: only score detected ecosystems (#3436)
* feat: Define if dependency is pinned or unpinned
Add a field Pinned to Dependency structure.
Update to save Dependencies pinned and unpinned. Not only unpinned ones.
All download then run executions are considered unpinned. Because there is no remediation to pin them.
For package manager downloads: add early return if there are no commands, separate package manager identification (go, npm, choco, pip) from decision if installation is pinned or unpinned.
Change Go case "go get -d -v" considered pinned, to any Go installations containing "-d" to be considered pinned.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Convert diff var types to pointer
We need to add a new conversion of boolean to pointer. Currently, we had string and int conversions named asPointer but not used in the same file. In order to know when we are using which conversion and considering bool and string would have to be used in the same file, it was needed to differentiate the method names. New method names are asIntPointer, asStringPointer and soon asBoolPointer.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Pinned Dependency field type
Field needs to be a pointer to work when accessing values on evaluation.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Count pinned and unpinned deps
We're changing the ecossystems result structure. The result structure previously stored if the ecossystem is fully pinned or not. The new result structure can tell how many dependencies of that ecossystem were found and how many were pinned. This change is necessary to ignore not applicable ecossystems on the final aggregated score. When iterating the dependencies, now we go through pinned and unpinned dependencies, not only unpinned, and in each iteration we update the result. We kept the behavior of only log warnings for unpinned dependencies.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Flag not applicable ecossystems
If no dependencies of an ecossystem are found, it results in an inconclusive score (-1). As in other checks, this means here that the ecossystem scoring is not applicable in this case. At the same time, we are keep the scoring criteria the same. If all dependencies are pinned, it results in maximum score (10) and if 1 or more dependencies are unpinned, it results in a minimum score (0) for that ecossystem. GitHub workflow cases are handled differently but the idea is the same. We are also adding a log to know when an ecossystem was not found.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Score only applicable ecossystems
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: If no dependencies then create inconclusive score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: GitHub Actions score and logs
Change test from `createReturnValuesForGitHubActionsWorkflowPinned` function to `createReturnForIsGitHubActionsWorkflowPinned` wrapper function so we can test logs. We have adjusted the existing test cases and included new test cases.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Pinned dependencies score
Break "various warnings" tests into smaller tests for pinned and unpinned dependencies and how they react to warn and debug messages. Plus add tests for how the score is affected when all dependencies are pinned, when no dependencies are pinned, when there are no dependencies, and partial dependencies pinned. Also, how dependencies unpinned in 1 or multiple ecossystems affect the warn messages, add one unpinned case for each ecossystem to see if they are being detected and separate the download then run 2 possible cases, there are currently scoring and logging wrong due to a bug.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Ecossystems score and logs
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Remove deleted maxScore function test
When we changed the scoring method to ignore not applicable scores, we removed the normalization of inconclusive scores to 0. The normalization was done by `maxScore` function, that was deleted in the process.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Adding GitHub Actions dependencies to result
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Update GitHub Actions result
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Update pip installs result
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Handle if nuget dependency is pinned or unpinned
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* tests: Fix check warnings for unpinned dependencies
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Linter errors
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: GitHub Actions pinned log
If, for example, you have GitHub-owned actions and none Third-party actions, you should receive a "no Third-party actions found" log and don't receive a "all Third-party actions are pinned" log. At the same time, you deserve the score of pinning Third-party to complement the GitHub-owned score.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix "ossf-tests/scorecard-check-pinned-dependencies-e2e"
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions only GitHub-owned actions, that are unpinned, no npm installs, multiple go installs all pinned, and all other dependencies types are unpinned. This gives us 8 for actionScore, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 28/7 =~ 4, and now the total score is 18/6 =~ 3. The number of logs remain the same. The "all Third-party actions are pinned" will be replaced by "no Third-party actions found", which is a more realistic info and same thing for npm installs.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* Revert rename `asPointer` to `asStringPointer`
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Handle deps with parsing error and undefined pinning
When a dependency has a parsing error it ends up with a `Msg` field. In this case, the dependency should not count in the final score, so we should not `updatePinningResults` in this case. Also, to continue with the evaluation calculation, we need to make sure the dependencies have a `Pinned` state. Here we are adding this validation for it along with a debug log.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Delete unecessary test
We already have separate test for if 1 unpinned dependency shows a warn message, and 2 cases for when dependencies have errors and show a debug message.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Add missing dep Location cases
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Simplify Dockerfile pinned as name logic
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: If ecossystem is not found show debug log
If ecossystem is not found show debug log, not info log. This affects the tests, all not found ecossystems will "move" from info logs to debug logs. We are also complementing the `all dependencies pinned` and `all dependencies unpinned` cases so we have the max score case and the min score case using all kinds of dependencies.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix e2e tests and more unit tests
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Iterate all dependency types for final score
Now we iterate all existing dependency types in the final score. This will fix the problem of new ecossystems not being count in the final score because we needed to update the evaluation part. This also fixes the problem of download then run being counted twice for the score. Now, we only have debug logs when there are errors with the dependency metadata. That means we don't log anymore when dependencies of an ecossystem are not found. We changed the info log format when dependencies are all pinned. We simplified the calculation of the scores. We removed unused error returns. And now we only iterate existing ecossystems. If an ecossystem is not found we will not iterate it.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Proportional score
We count all pinned dependencies over the total found dependencies of all ecossystems for the final score. But, we still want to give low prioritity to GHA GitHub-owned dependencies over GHA third-party dependencies. That's why we are doing a weighted proportional score, all ecossystems have a normal weight of 10 but GHAs have a weight. If you only have GitHub-owned, it will count as 10, because GHA don't weight less then other ecossystems. Same for GHA third-party, if you only have GHA third-party, it will also count as 10, because GHAs don't weight less then other ecossystems. But if you have both GHA GitHub-owned and third-party, GitHub-owned count less then third-party. Trying to keep the same weight as before, GitHub-owned weights 8 and third-party weights 2. These weights will make the score be more penalized if you have unpinned third-party and less penalized if you have unpinned GitHub-owned.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: GHA weights in proportional score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix scores and logs checking
Add new cases for GHA scores since it's weighted differently now. Remove `createReturnValues` test since the function was removed. Fix current tests to adjust number of logs since we don't log if all dependencies are pinned or not anymore. Fix partially pinned score.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix e2e test
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions only GitHub-owned actions, that are unpinned, no npm installs, multiple go installs all pinned, and all other dependencies types are unpinned. This gives us 8 for GHA ecossytem, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 18/6 =~ 3. Now, we count 5/6 GitHub-owned GHA pinned, 23/36 containerImage pinned, 0/88 downloadThenRun pinned, 2/49 pipCommand pinned, 17/17 goCommand pinned. This results in 47/186 pinned dependencies which results in 2.5 score, that is rounded down to 2. Plus, the number of info was reduced since we don't log info for "all pinned dependencies in X ecossystem" anymore.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Rename to ProportionalScoreWeighted
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Var declarations to create proportional score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Remove unnecessary pointer
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Dependencies priority declaration
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Ecosystem spelling
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Handle 0 weight and 0 total when creating proportional weighted score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Revert -d flag identification change
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: npm ci command is npm download and is pinned
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Linter errors
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Unexport error variable to other packages
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Simplify no score groups condition
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Log proportion of dependencies pinned
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix unit tests to include info logs
The number of info logs should be same number of identified ecossystems. GitHub-owned GitHubAction and third-party GitHubAction count as different ecossytems.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix e2e tests to include info logs
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has GitHub-owned GitHubActions, containerImage, downloadThenRun, pipCommand and goCommand dependencies. Therefore it will have 5 Info logs, one for each ecossystem.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Linter error
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
---------
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
2023-09-25 23:07:19 +03:00
|
|
|
Score: 2,
|
2022-01-06 03:13:53 +03:00
|
|
|
NumberOfWarn: 139,
|
:bug: Pinned-Dependencies: only score detected ecosystems (#3436)
* feat: Define if dependency is pinned or unpinned
Add a field Pinned to Dependency structure.
Update to save Dependencies pinned and unpinned. Not only unpinned ones.
All download then run executions are considered unpinned. Because there is no remediation to pin them.
For package manager downloads: add early return if there are no commands, separate package manager identification (go, npm, choco, pip) from decision if installation is pinned or unpinned.
Change Go case "go get -d -v" considered pinned, to any Go installations containing "-d" to be considered pinned.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Convert diff var types to pointer
We need to add a new conversion of boolean to pointer. Currently, we had string and int conversions named asPointer but not used in the same file. In order to know when we are using which conversion and considering bool and string would have to be used in the same file, it was needed to differentiate the method names. New method names are asIntPointer, asStringPointer and soon asBoolPointer.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Pinned Dependency field type
Field needs to be a pointer to work when accessing values on evaluation.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Count pinned and unpinned deps
We're changing the ecossystems result structure. The result structure previously stored if the ecossystem is fully pinned or not. The new result structure can tell how many dependencies of that ecossystem were found and how many were pinned. This change is necessary to ignore not applicable ecossystems on the final aggregated score. When iterating the dependencies, now we go through pinned and unpinned dependencies, not only unpinned, and in each iteration we update the result. We kept the behavior of only log warnings for unpinned dependencies.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Flag not applicable ecossystems
If no dependencies of an ecossystem are found, it results in an inconclusive score (-1). As in other checks, this means here that the ecossystem scoring is not applicable in this case. At the same time, we are keep the scoring criteria the same. If all dependencies are pinned, it results in maximum score (10) and if 1 or more dependencies are unpinned, it results in a minimum score (0) for that ecossystem. GitHub workflow cases are handled differently but the idea is the same. We are also adding a log to know when an ecossystem was not found.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Score only applicable ecossystems
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: If no dependencies then create inconclusive score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: GitHub Actions score and logs
Change test from `createReturnValuesForGitHubActionsWorkflowPinned` function to `createReturnForIsGitHubActionsWorkflowPinned` wrapper function so we can test logs. We have adjusted the existing test cases and included new test cases.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Pinned dependencies score
Break "various warnings" tests into smaller tests for pinned and unpinned dependencies and how they react to warn and debug messages. Plus add tests for how the score is affected when all dependencies are pinned, when no dependencies are pinned, when there are no dependencies, and partial dependencies pinned. Also, how dependencies unpinned in 1 or multiple ecossystems affect the warn messages, add one unpinned case for each ecossystem to see if they are being detected and separate the download then run 2 possible cases, there are currently scoring and logging wrong due to a bug.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Ecossystems score and logs
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Remove deleted maxScore function test
When we changed the scoring method to ignore not applicable scores, we removed the normalization of inconclusive scores to 0. The normalization was done by `maxScore` function, that was deleted in the process.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Adding GitHub Actions dependencies to result
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Update GitHub Actions result
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Update pip installs result
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Handle if nuget dependency is pinned or unpinned
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* tests: Fix check warnings for unpinned dependencies
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Linter errors
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: GitHub Actions pinned log
If, for example, you have GitHub-owned actions and none Third-party actions, you should receive a "no Third-party actions found" log and don't receive a "all Third-party actions are pinned" log. At the same time, you deserve the score of pinning Third-party to complement the GitHub-owned score.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix "ossf-tests/scorecard-check-pinned-dependencies-e2e"
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions only GitHub-owned actions, that are unpinned, no npm installs, multiple go installs all pinned, and all other dependencies types are unpinned. This gives us 8 for actionScore, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 28/7 =~ 4, and now the total score is 18/6 =~ 3. The number of logs remain the same. The "all Third-party actions are pinned" will be replaced by "no Third-party actions found", which is a more realistic info and same thing for npm installs.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* Revert rename `asPointer` to `asStringPointer`
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Handle deps with parsing error and undefined pinning
When a dependency has a parsing error it ends up with a `Msg` field. In this case, the dependency should not count in the final score, so we should not `updatePinningResults` in this case. Also, to continue with the evaluation calculation, we need to make sure the dependencies have a `Pinned` state. Here we are adding this validation for it along with a debug log.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Delete unecessary test
We already have separate test for if 1 unpinned dependency shows a warn message, and 2 cases for when dependencies have errors and show a debug message.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Add missing dep Location cases
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Simplify Dockerfile pinned as name logic
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: If ecossystem is not found show debug log
If ecossystem is not found show debug log, not info log. This affects the tests, all not found ecossystems will "move" from info logs to debug logs. We are also complementing the `all dependencies pinned` and `all dependencies unpinned` cases so we have the max score case and the min score case using all kinds of dependencies.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix e2e tests and more unit tests
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Iterate all dependency types for final score
Now we iterate all existing dependency types in the final score. This will fix the problem of new ecossystems not being count in the final score because we needed to update the evaluation part. This also fixes the problem of download then run being counted twice for the score. Now, we only have debug logs when there are errors with the dependency metadata. That means we don't log anymore when dependencies of an ecossystem are not found. We changed the info log format when dependencies are all pinned. We simplified the calculation of the scores. We removed unused error returns. And now we only iterate existing ecossystems. If an ecossystem is not found we will not iterate it.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Proportional score
We count all pinned dependencies over the total found dependencies of all ecossystems for the final score. But, we still want to give low prioritity to GHA GitHub-owned dependencies over GHA third-party dependencies. That's why we are doing a weighted proportional score, all ecossystems have a normal weight of 10 but GHAs have a weight. If you only have GitHub-owned, it will count as 10, because GHA don't weight less then other ecossystems. Same for GHA third-party, if you only have GHA third-party, it will also count as 10, because GHAs don't weight less then other ecossystems. But if you have both GHA GitHub-owned and third-party, GitHub-owned count less then third-party. Trying to keep the same weight as before, GitHub-owned weights 8 and third-party weights 2. These weights will make the score be more penalized if you have unpinned third-party and less penalized if you have unpinned GitHub-owned.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: GHA weights in proportional score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix scores and logs checking
Add new cases for GHA scores since it's weighted differently now. Remove `createReturnValues` test since the function was removed. Fix current tests to adjust number of logs since we don't log if all dependencies are pinned or not anymore. Fix partially pinned score.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix e2e test
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions only GitHub-owned actions, that are unpinned, no npm installs, multiple go installs all pinned, and all other dependencies types are unpinned. This gives us 8 for GHA ecossytem, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 18/6 =~ 3. Now, we count 5/6 GitHub-owned GHA pinned, 23/36 containerImage pinned, 0/88 downloadThenRun pinned, 2/49 pipCommand pinned, 17/17 goCommand pinned. This results in 47/186 pinned dependencies which results in 2.5 score, that is rounded down to 2. Plus, the number of info was reduced since we don't log info for "all pinned dependencies in X ecossystem" anymore.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Rename to ProportionalScoreWeighted
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Var declarations to create proportional score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Remove unnecessary pointer
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Dependencies priority declaration
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Ecosystem spelling
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Handle 0 weight and 0 total when creating proportional weighted score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Revert -d flag identification change
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: npm ci command is npm download and is pinned
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Linter errors
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Unexport error variable to other packages
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Simplify no score groups condition
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Log proportion of dependencies pinned
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix unit tests to include info logs
The number of info logs should be same number of identified ecossystems. GitHub-owned GitHubAction and third-party GitHubAction count as different ecossytems.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix e2e tests to include info logs
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has GitHub-owned GitHubActions, containerImage, downloadThenRun, pipCommand and goCommand dependencies. Therefore it will have 5 Info logs, one for each ecossystem.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Linter error
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
---------
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
2023-09-25 23:07:19 +03:00
|
|
|
NumberOfInfo: 5,
|
2021-07-21 19:21:43 +03:00
|
|
|
NumberOfDebug: 0,
|
2021-05-17 23:03:39 +03:00
|
|
|
}
|
2022-06-07 00:31:22 +03:00
|
|
|
result := checks.PinningDependencies(&req)
|
2024-01-30 23:40:41 +03:00
|
|
|
scut.ValidateTestReturn(GinkgoTB(), "dependencies check", &expected, &result, &dl)
|
2021-11-15 06:53:01 +03:00
|
|
|
Expect(repoClient.Close()).Should(BeNil())
|
2021-01-15 23:18:43 +03:00
|
|
|
})
|
2022-04-02 03:21:25 +03:00
|
|
|
It("Should return dependencies check for a local repoClient", func() {
|
|
|
|
dl := scut.TestDetailLogger{}
|
|
|
|
|
2022-09-21 21:14:58 +03:00
|
|
|
tmpDir, err := os.MkdirTemp("", "")
|
2022-04-02 03:21:25 +03:00
|
|
|
Expect(err).Should(BeNil())
|
|
|
|
defer os.RemoveAll(tmpDir)
|
|
|
|
|
|
|
|
_, e := git.PlainClone(tmpDir, false, &git.CloneOptions{
|
|
|
|
URL: "http://github.com/ossf-tests/scorecard-check-pinned-dependencies-e2e",
|
|
|
|
})
|
|
|
|
Expect(e).Should(BeNil())
|
|
|
|
|
|
|
|
repo, err := localdir.MakeLocalDirRepo(tmpDir)
|
|
|
|
Expect(err).Should(BeNil())
|
|
|
|
|
|
|
|
x := localdir.CreateLocalDirClient(context.Background(), logger)
|
✨ Commit depth feature (#2407)
* :seedling: Bump actions/dependency-review-action from 2.4.1 to 2.5.1
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.1 to 2.5.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/9c96258789e5d9e85fe4ca86115ba4cc62b780cf...0efb1d1d84fc9633afcdaad14c485cbbc90ef46c)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* commit_depth feature
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* added more descriptive comments, changed numberofcommits variable name, moved paging for commits into seperate function.
small changes
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
linter
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* added unit tests
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
added test in e2e
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (#2397)
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.6.0 to 1.6.1.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](https://github.com/spf13/cobra/compare/v1.6.0...v1.6.1)
---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.1.6...v2.4.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump cloud.google.com/go/pubsub from 1.25.1 to 1.26.0
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.25.1 to 1.26.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.25.1...pubsub/v1.26.0)
---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/xanzy/go-gitlab from 0.73.1 to 0.74.0
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.73.1 to 0.74.0.
- [Release notes](https://github.com/xanzy/go-gitlab/releases)
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.73.1...v0.74.0)
---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/onsi/gomega from 1.20.2 to 1.23.0 (#2409)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.20.2...v1.23.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 in /tools
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.1.6...v2.4.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/golangci/golangci-lint in /tools
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.50.0 to 1.50.1.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.50.0...v1.50.1)
---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump goreleaser/goreleaser-action from 2.9.1 to 3.2.0 (#2363)
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.9.1 to 3.2.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](https://github.com/goreleaser/goreleaser-action/compare/b953231f81b8dfd023c58e0854a721e35037f28b...b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757)
---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/goreleaser/goreleaser in /tools (#2373)
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](https://github.com/goreleaser/goreleaser/compare/v1.11.5...v1.12.3)
---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* ✨ CLI for scorecard-attestor (#2309)
* Reorganize
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Working commit
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Compile with local scorecard; go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add signing code
Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update deps
* Naming
* Makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Edit license, add lint.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* checks: go mod tidy, license
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Split into checker/signer files
* Naming convention
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* License, remove golangci.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Use cobra
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add tests for root command
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Filter out checks that aren't needed for policy evaluation
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add `make` targets for attestor; submit coverage stats
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Improvements
* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Flags: Make note-name constant and fix messaging
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Remove SupportedRequestTypes
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy, makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Fix GH actions run
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* fix workflow (#2417)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Bump scorecard-action (#2416)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Fail unit-test job if codecov upload fails (#2415)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Enable comparison for alternative isText implementation (#2414)
* use more performant IsText
Signed-off-by: Spencer Schrock <sschrock@google.com>
* AB test isText implementations
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add comparison env var to release test.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* go mod tidy for attestor
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🐛 modify alternative isText to accept carriage returns (#2421)
* modify IsText from golang.org/x/tools/godoc/util to accept carriage returns.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add TODO reminder to cleanup after release tests
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/onsi/gomega from 1.23.0 to 1.24.0
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.23.0 to 1.24.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.23.0...v1.24.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github/codeql-action from 2.1.29 to 2.1.30
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/ec3cf9c605b848da5f1e41e8452719eb1ccfb9a6...18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* revert failing unit-test on ci error (#2422)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :sparkles: Improved Security Policy Check (#2195)
* :sparkles: Improved Security Policy Check (#2137)
* Examines and awards points for linked content (URLs / Emails)
* Examines and awards points for hints of disclosure and vulnerability practices
* Examines and awards points for hints of elaboration of timelines
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Repaired Security Policy to correctly use linked content length for evaluation
Signed-off-by: Scott Hissam <shissam@gmail.com>
* gofmt'ed changes
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Repaired the case in the evaluation which was too sensitive to content length over the length of the linked content for urls and emails
Signed-off-by: Scott Hissam <shissam@gmail.com>
* added unit test cases for the new content-based Security Policy checks
Signed-off-by: Scott Hissam <shissam@gmail.com>
* reverted the direct (mistaken) change to checks.md and updated the checks.yaml for generate-docs
Signed-off-by: Scott Hissam <shissam@gmail.com>
* :sparkles: Improved Security Policy Check (#2137) (revisted based on comments)
* replaced reason strings with log.Info & log.Warn (as seen in --show-details)
* internal assertion check for nil (*pinfo) and empty pfile
* internal switched to FileTypeText over FileTypeSource
* internal implement type SecurityPolicyInformationType/SecurityPolicyInformation revised SecurityPolicyData to support only one file
* revised expected unit-test results and revised unit-test to reflect the new SecurityPolicyData type
Signed-off-by: Scott Hissam <shissam@gmail.com>
* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly
Signed-off-by: Scott Hissam <shissam@gmail.com>
* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly
Signed-off-by: Scott Hissam <shissam@gmail.com>
* revised the score value based on observation of one *or more* url(s) or one email(s) found; e2e tests update accordingly
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Addressed PR comments; added telemetry for policy hits in security policy file to track hits by line number
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Resolved merge conflict with checks.yaml
Signed-off-by: Scott Hissam <shissam@gmail.com>
* updated raw results to emit all the raw information for the new security policy check
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Resolved merge conflicts and lint errors with json_raw_results.go
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Addressed review comments to reorganize security policy data struct to support the potential for multiple security policy files.
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Added logic to the security policy to process multiple security policy files only after future improvements to aggregating scoring across such files are designed. For now the security policy behaves as originally designed to stop once one of the expected policy files are found in the repo
Signed-off-by: Scott Hissam <shissam@gmail.com>
* added comments regarding the capacity to support multiple policy files and removed unneeded break statements in the code
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Addressed review comments to remove the dependency on the path in the filename from the code and introduced FileSize to checker.File type and removed the SecurityContentLength which was used to hold that information for the new security policy assessment
Signed-off-by: Scott Hissam <shissam@gmail.com>
* restored reporting full security policy path and filename for policies found in the org level repos
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Resolved conflicts in checks.yaml for documentation
Signed-off-by: Scott Hissam <shissam@gmail.com>
* ✨ CLI for scorecard-attestor (#2309)
* Reorganize
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Working commit
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Compile with local scorecard; go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add signing code
Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update deps
* Naming
* Makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Edit license, add lint.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* checks: go mod tidy, license
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Split into checker/signer files
* Naming convention
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* License, remove golangci.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Use cobra
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add tests for root command
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Filter out checks that aren't needed for policy evaluation
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add `make` targets for attestor; submit coverage stats
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Improvements
* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Flags: Make note-name constant and fix messaging
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Remove SupportedRequestTypes
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy, makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Fix GH actions run
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>
* removed whitespace before stanza for Run attestor e2e
Signed-off-by: Scott Hissam <shissam@gmail.com>
* resolved code review and doc review comments
Signed-off-by: Scott Hissam <shissam@gmail.com>
* repaired the link for the maintainer's guide for supporting the coordinated vulnerability disclosure guidelines
Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github/codeql-action from 2.1.30 to 2.1.31 (#2431)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.31.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f...c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* enable more performant isText (#2433)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* modified tests,InitRepo Function, Added GetCommitDepth Function to Client Interface
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* removed getcommitdepth function
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* added TODO
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 in /tools (#2436)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.4.0...v2.5.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.4.0...v2.5.0)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 Code Review: treat merging a PR as code review (#2413)
* Merges on Github count as a code review by the maintainer
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update Raw Results
* More detailed information for Changesets
* If there's no Revision ID, use the Commit SHA instead
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Check that pull request had atleast one reviewer that wasn't its author
* Add field for Pull Request Merged-By to Github and Gitlab
* Note, this check can be bypassed if an author opens a PR with other
people's commits
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Trivial: Fix typo (exepted -> expected) (#2440)
Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>
Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump step-security/harden-runner from 1.5.0 to 2.0.0 (#2443)
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.5.0 to 2.0.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/2e205a28d0e1da00c5f53b161f4067b052c61f34...ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 cron: support reading prefix from file for controller input files (7/n) (#2445)
* add prefix marker file to config
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Read the new config values, if they exist.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add function to fetch prefix file config value.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Read prefix file if prefix not set.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add tests to verify how List works with various prefixes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add tests for getPrefix
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Remove panics from iterator helper functions
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Detect SECURITY.markdown in addition to SECURITY.md (#2447)
GitHub probably supports many more file extensions for Markdown
files, but at the very least, `.md` and `.markdown` have been
standardized in RFC 7763.
Signed-off-by: favonia <favonia@gmail.com>
Signed-off-by: favonia <favonia@gmail.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor (#2430)
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: cron: expose the stackdriver prefix as a config variable so it can be changed. (#2446)
* Expose the stackdriver prefix as a config variable so it can be changed.
Signed-off-by: Caleb Brown <calebbrown@google.com>
* fix linter warning
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Only write to the rawBucket if the value exists. (#2451)
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump golang.org/x/tools from 0.2.0 to 0.3.0 (#2448)
* :seedling: Bump golang.org/x/tools from 0.2.0 to 0.3.0
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.2.0...v0.3.0)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* bump attestor modules
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Move cron monitoring to a non-internal location. (#2453)
This allows external workers (e.g. criticality_score) to use the same
monitoring code.
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (#2455)
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/0efb1d1d84fc9633afcdaad14c485cbbc90ef46c...30d582111533d59ab793fd9f971817241654f3ec)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents (#2454)
* Generalize the transfer logic so it is easy to build new transfer agents
This change moves code that reads shards and produces summaries into the
data package so that it can be reused to create new transfer agents,
similar to the BigQuery transfer agent in cron/internal/bq.
Signed-off-by: Caleb Brown <calebbrown@google.com>
* Lint fix and commentary.
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/google/addlicense in /tools (#2459)
Bumps [github.com/google/addlicense](https://github.com/google/addlicense) from 1.0.0 to 1.1.0.
- [Release notes](https://github.com/google/addlicense/releases)
- [Changelog](https://github.com/google/addlicense/blob/master/.goreleaser.yaml)
- [Commits](https://github.com/google/addlicense/compare/v1.0.0...v1.1.0)
---
updated-dependencies:
- dependency-name: github.com/google/addlicense
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* :seedling: Bump github.com/google/go-containerregistry
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.0 to 0.12.1.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.12.0...v0.12.1)
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* go mod tidy
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* Added <= instead of == incase negative int is passed
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
* missed test fix
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: latortuga71 <christopheralonso1@gmail.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: Michael Scovetta <michael.scovetta@microsoft.com>
Signed-off-by: favonia <favonia@gmail.com>
Signed-off-by: Caleb Brown <calebbrown@google.com>
Signed-off-by: Latortuga <42878263+latortuga71@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: scott hissam <shissam@users.noreply.github.com>
Co-authored-by: Michael Scovetta <michael.scovetta@microsoft.com>
Co-authored-by: favonia <favonia@gmail.com>
Co-authored-by: Caleb Brown <calebbrown@google.com>
2022-11-22 19:11:36 +03:00
|
|
|
err = x.InitRepo(repo, clients.HeadSHA, 0)
|
2022-04-02 03:21:25 +03:00
|
|
|
Expect(err).Should(BeNil())
|
|
|
|
|
|
|
|
req := checker.CheckRequest{
|
|
|
|
Ctx: context.Background(),
|
|
|
|
RepoClient: x,
|
|
|
|
Repo: repo,
|
|
|
|
Dlogger: &dl,
|
|
|
|
}
|
|
|
|
expected := scut.TestReturn{
|
|
|
|
Error: nil,
|
:bug: Pinned-Dependencies: only score detected ecosystems (#3436)
* feat: Define if dependency is pinned or unpinned
Add a field Pinned to Dependency structure.
Update to save Dependencies pinned and unpinned. Not only unpinned ones.
All download then run executions are considered unpinned. Because there is no remediation to pin them.
For package manager downloads: add early return if there are no commands, separate package manager identification (go, npm, choco, pip) from decision if installation is pinned or unpinned.
Change Go case "go get -d -v" considered pinned, to any Go installations containing "-d" to be considered pinned.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Convert diff var types to pointer
We need to add a new conversion of boolean to pointer. Currently, we had string and int conversions named asPointer but not used in the same file. In order to know when we are using which conversion and considering bool and string would have to be used in the same file, it was needed to differentiate the method names. New method names are asIntPointer, asStringPointer and soon asBoolPointer.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Pinned Dependency field type
Field needs to be a pointer to work when accessing values on evaluation.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Count pinned and unpinned deps
We're changing the ecossystems result structure. The result structure previously stored if the ecossystem is fully pinned or not. The new result structure can tell how many dependencies of that ecossystem were found and how many were pinned. This change is necessary to ignore not applicable ecossystems on the final aggregated score. When iterating the dependencies, now we go through pinned and unpinned dependencies, not only unpinned, and in each iteration we update the result. We kept the behavior of only log warnings for unpinned dependencies.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Flag not applicable ecossystems
If no dependencies of an ecossystem are found, it results in an inconclusive score (-1). As in other checks, this means here that the ecossystem scoring is not applicable in this case. At the same time, we are keep the scoring criteria the same. If all dependencies are pinned, it results in maximum score (10) and if 1 or more dependencies are unpinned, it results in a minimum score (0) for that ecossystem. GitHub workflow cases are handled differently but the idea is the same. We are also adding a log to know when an ecossystem was not found.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Score only applicable ecossystems
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: If no dependencies then create inconclusive score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: GitHub Actions score and logs
Change test from `createReturnValuesForGitHubActionsWorkflowPinned` function to `createReturnForIsGitHubActionsWorkflowPinned` wrapper function so we can test logs. We have adjusted the existing test cases and included new test cases.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Pinned dependencies score
Break "various warnings" tests into smaller tests for pinned and unpinned dependencies and how they react to warn and debug messages. Plus add tests for how the score is affected when all dependencies are pinned, when no dependencies are pinned, when there are no dependencies, and partial dependencies pinned. Also, how dependencies unpinned in 1 or multiple ecossystems affect the warn messages, add one unpinned case for each ecossystem to see if they are being detected and separate the download then run 2 possible cases, there are currently scoring and logging wrong due to a bug.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Ecossystems score and logs
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Remove deleted maxScore function test
When we changed the scoring method to ignore not applicable scores, we removed the normalization of inconclusive scores to 0. The normalization was done by `maxScore` function, that was deleted in the process.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Adding GitHub Actions dependencies to result
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Update GitHub Actions result
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Update pip installs result
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Handle if nuget dependency is pinned or unpinned
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* tests: Fix check warnings for unpinned dependencies
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Linter errors
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: GitHub Actions pinned log
If, for example, you have GitHub-owned actions and none Third-party actions, you should receive a "no Third-party actions found" log and don't receive a "all Third-party actions are pinned" log. At the same time, you deserve the score of pinning Third-party to complement the GitHub-owned score.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix "ossf-tests/scorecard-check-pinned-dependencies-e2e"
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions only GitHub-owned actions, that are unpinned, no npm installs, multiple go installs all pinned, and all other dependencies types are unpinned. This gives us 8 for actionScore, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 28/7 =~ 4, and now the total score is 18/6 =~ 3. The number of logs remain the same. The "all Third-party actions are pinned" will be replaced by "no Third-party actions found", which is a more realistic info and same thing for npm installs.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* Revert rename `asPointer` to `asStringPointer`
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Handle deps with parsing error and undefined pinning
When a dependency has a parsing error it ends up with a `Msg` field. In this case, the dependency should not count in the final score, so we should not `updatePinningResults` in this case. Also, to continue with the evaluation calculation, we need to make sure the dependencies have a `Pinned` state. Here we are adding this validation for it along with a debug log.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Delete unecessary test
We already have separate test for if 1 unpinned dependency shows a warn message, and 2 cases for when dependencies have errors and show a debug message.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Add missing dep Location cases
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Simplify Dockerfile pinned as name logic
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: If ecossystem is not found show debug log
If ecossystem is not found show debug log, not info log. This affects the tests, all not found ecossystems will "move" from info logs to debug logs. We are also complementing the `all dependencies pinned` and `all dependencies unpinned` cases so we have the max score case and the min score case using all kinds of dependencies.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix e2e tests and more unit tests
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Iterate all dependency types for final score
Now we iterate all existing dependency types in the final score. This will fix the problem of new ecossystems not being count in the final score because we needed to update the evaluation part. This also fixes the problem of download then run being counted twice for the score. Now, we only have debug logs when there are errors with the dependency metadata. That means we don't log anymore when dependencies of an ecossystem are not found. We changed the info log format when dependencies are all pinned. We simplified the calculation of the scores. We removed unused error returns. And now we only iterate existing ecossystems. If an ecossystem is not found we will not iterate it.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Proportional score
We count all pinned dependencies over the total found dependencies of all ecossystems for the final score. But, we still want to give low prioritity to GHA GitHub-owned dependencies over GHA third-party dependencies. That's why we are doing a weighted proportional score, all ecossystems have a normal weight of 10 but GHAs have a weight. If you only have GitHub-owned, it will count as 10, because GHA don't weight less then other ecossystems. Same for GHA third-party, if you only have GHA third-party, it will also count as 10, because GHAs don't weight less then other ecossystems. But if you have both GHA GitHub-owned and third-party, GitHub-owned count less then third-party. Trying to keep the same weight as before, GitHub-owned weights 8 and third-party weights 2. These weights will make the score be more penalized if you have unpinned third-party and less penalized if you have unpinned GitHub-owned.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: GHA weights in proportional score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix scores and logs checking
Add new cases for GHA scores since it's weighted differently now. Remove `createReturnValues` test since the function was removed. Fix current tests to adjust number of logs since we don't log if all dependencies are pinned or not anymore. Fix partially pinned score.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix e2e test
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions only GitHub-owned actions, that are unpinned, no npm installs, multiple go installs all pinned, and all other dependencies types are unpinned. This gives us 8 for GHA ecossytem, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 18/6 =~ 3. Now, we count 5/6 GitHub-owned GHA pinned, 23/36 containerImage pinned, 0/88 downloadThenRun pinned, 2/49 pipCommand pinned, 17/17 goCommand pinned. This results in 47/186 pinned dependencies which results in 2.5 score, that is rounded down to 2. Plus, the number of info was reduced since we don't log info for "all pinned dependencies in X ecossystem" anymore.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Rename to ProportionalScoreWeighted
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Var declarations to create proportional score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Remove unnecessary pointer
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Dependencies priority declaration
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Ecosystem spelling
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Handle 0 weight and 0 total when creating proportional weighted score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Revert -d flag identification change
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: npm ci command is npm download and is pinned
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Linter errors
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Unexport error variable to other packages
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Simplify no score groups condition
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Log proportion of dependencies pinned
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix unit tests to include info logs
The number of info logs should be same number of identified ecossystems. GitHub-owned GitHubAction and third-party GitHubAction count as different ecossytems.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix e2e tests to include info logs
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has GitHub-owned GitHubActions, containerImage, downloadThenRun, pipCommand and goCommand dependencies. Therefore it will have 5 Info logs, one for each ecossystem.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Linter error
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
---------
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
2023-09-25 23:07:19 +03:00
|
|
|
Score: 2,
|
2022-04-02 03:21:25 +03:00
|
|
|
NumberOfWarn: 139,
|
:bug: Pinned-Dependencies: only score detected ecosystems (#3436)
* feat: Define if dependency is pinned or unpinned
Add a field Pinned to Dependency structure.
Update to save Dependencies pinned and unpinned. Not only unpinned ones.
All download then run executions are considered unpinned. Because there is no remediation to pin them.
For package manager downloads: add early return if there are no commands, separate package manager identification (go, npm, choco, pip) from decision if installation is pinned or unpinned.
Change Go case "go get -d -v" considered pinned, to any Go installations containing "-d" to be considered pinned.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Convert diff var types to pointer
We need to add a new conversion of boolean to pointer. Currently, we had string and int conversions named asPointer but not used in the same file. In order to know when we are using which conversion and considering bool and string would have to be used in the same file, it was needed to differentiate the method names. New method names are asIntPointer, asStringPointer and soon asBoolPointer.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Pinned Dependency field type
Field needs to be a pointer to work when accessing values on evaluation.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Count pinned and unpinned deps
We're changing the ecossystems result structure. The result structure previously stored if the ecossystem is fully pinned or not. The new result structure can tell how many dependencies of that ecossystem were found and how many were pinned. This change is necessary to ignore not applicable ecossystems on the final aggregated score. When iterating the dependencies, now we go through pinned and unpinned dependencies, not only unpinned, and in each iteration we update the result. We kept the behavior of only log warnings for unpinned dependencies.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Flag not applicable ecossystems
If no dependencies of an ecossystem are found, it results in an inconclusive score (-1). As in other checks, this means here that the ecossystem scoring is not applicable in this case. At the same time, we are keep the scoring criteria the same. If all dependencies are pinned, it results in maximum score (10) and if 1 or more dependencies are unpinned, it results in a minimum score (0) for that ecossystem. GitHub workflow cases are handled differently but the idea is the same. We are also adding a log to know when an ecossystem was not found.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Score only applicable ecossystems
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: If no dependencies then create inconclusive score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: GitHub Actions score and logs
Change test from `createReturnValuesForGitHubActionsWorkflowPinned` function to `createReturnForIsGitHubActionsWorkflowPinned` wrapper function so we can test logs. We have adjusted the existing test cases and included new test cases.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Pinned dependencies score
Break "various warnings" tests into smaller tests for pinned and unpinned dependencies and how they react to warn and debug messages. Plus add tests for how the score is affected when all dependencies are pinned, when no dependencies are pinned, when there are no dependencies, and partial dependencies pinned. Also, how dependencies unpinned in 1 or multiple ecossystems affect the warn messages, add one unpinned case for each ecossystem to see if they are being detected and separate the download then run 2 possible cases, there are currently scoring and logging wrong due to a bug.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Ecossystems score and logs
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Remove deleted maxScore function test
When we changed the scoring method to ignore not applicable scores, we removed the normalization of inconclusive scores to 0. The normalization was done by `maxScore` function, that was deleted in the process.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Adding GitHub Actions dependencies to result
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Update GitHub Actions result
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Update pip installs result
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Handle if nuget dependency is pinned or unpinned
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* tests: Fix check warnings for unpinned dependencies
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Linter errors
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: GitHub Actions pinned log
If, for example, you have GitHub-owned actions and none Third-party actions, you should receive a "no Third-party actions found" log and don't receive a "all Third-party actions are pinned" log. At the same time, you deserve the score of pinning Third-party to complement the GitHub-owned score.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix "ossf-tests/scorecard-check-pinned-dependencies-e2e"
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions only GitHub-owned actions, that are unpinned, no npm installs, multiple go installs all pinned, and all other dependencies types are unpinned. This gives us 8 for actionScore, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 28/7 =~ 4, and now the total score is 18/6 =~ 3. The number of logs remain the same. The "all Third-party actions are pinned" will be replaced by "no Third-party actions found", which is a more realistic info and same thing for npm installs.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* Revert rename `asPointer` to `asStringPointer`
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Handle deps with parsing error and undefined pinning
When a dependency has a parsing error it ends up with a `Msg` field. In this case, the dependency should not count in the final score, so we should not `updatePinningResults` in this case. Also, to continue with the evaluation calculation, we need to make sure the dependencies have a `Pinned` state. Here we are adding this validation for it along with a debug log.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Delete unecessary test
We already have separate test for if 1 unpinned dependency shows a warn message, and 2 cases for when dependencies have errors and show a debug message.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Add missing dep Location cases
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Simplify Dockerfile pinned as name logic
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: If ecossystem is not found show debug log
If ecossystem is not found show debug log, not info log. This affects the tests, all not found ecossystems will "move" from info logs to debug logs. We are also complementing the `all dependencies pinned` and `all dependencies unpinned` cases so we have the max score case and the min score case using all kinds of dependencies.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix e2e tests and more unit tests
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Iterate all dependency types for final score
Now we iterate all existing dependency types in the final score. This will fix the problem of new ecossystems not being count in the final score because we needed to update the evaluation part. This also fixes the problem of download then run being counted twice for the score. Now, we only have debug logs when there are errors with the dependency metadata. That means we don't log anymore when dependencies of an ecossystem are not found. We changed the info log format when dependencies are all pinned. We simplified the calculation of the scores. We removed unused error returns. And now we only iterate existing ecossystems. If an ecossystem is not found we will not iterate it.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Proportional score
We count all pinned dependencies over the total found dependencies of all ecossystems for the final score. But, we still want to give low prioritity to GHA GitHub-owned dependencies over GHA third-party dependencies. That's why we are doing a weighted proportional score, all ecossystems have a normal weight of 10 but GHAs have a weight. If you only have GitHub-owned, it will count as 10, because GHA don't weight less then other ecossystems. Same for GHA third-party, if you only have GHA third-party, it will also count as 10, because GHAs don't weight less then other ecossystems. But if you have both GHA GitHub-owned and third-party, GitHub-owned count less then third-party. Trying to keep the same weight as before, GitHub-owned weights 8 and third-party weights 2. These weights will make the score be more penalized if you have unpinned third-party and less penalized if you have unpinned GitHub-owned.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: GHA weights in proportional score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix scores and logs checking
Add new cases for GHA scores since it's weighted differently now. Remove `createReturnValues` test since the function was removed. Fix current tests to adjust number of logs since we don't log if all dependencies are pinned or not anymore. Fix partially pinned score.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix e2e test
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions only GitHub-owned actions, that are unpinned, no npm installs, multiple go installs all pinned, and all other dependencies types are unpinned. This gives us 8 for GHA ecossytem, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 18/6 =~ 3. Now, we count 5/6 GitHub-owned GHA pinned, 23/36 containerImage pinned, 0/88 downloadThenRun pinned, 2/49 pipCommand pinned, 17/17 goCommand pinned. This results in 47/186 pinned dependencies which results in 2.5 score, that is rounded down to 2. Plus, the number of info was reduced since we don't log info for "all pinned dependencies in X ecossystem" anymore.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Rename to ProportionalScoreWeighted
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Var declarations to create proportional score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Remove unnecessary pointer
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Dependencies priority declaration
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Ecosystem spelling
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Handle 0 weight and 0 total when creating proportional weighted score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Revert -d flag identification change
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: npm ci command is npm download and is pinned
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Linter errors
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Unexport error variable to other packages
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* refactor: Simplify no score groups condition
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* feat: Log proportion of dependencies pinned
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix unit tests to include info logs
The number of info logs should be same number of identified ecossystems. GitHub-owned GitHubAction and third-party GitHubAction count as different ecossytems.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix e2e tests to include info logs
The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has GitHub-owned GitHubActions, containerImage, downloadThenRun, pipCommand and goCommand dependencies. Therefore it will have 5 Info logs, one for each ecossystem.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Linter error
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
---------
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
2023-09-25 23:07:19 +03:00
|
|
|
NumberOfInfo: 5,
|
2022-04-02 03:21:25 +03:00
|
|
|
NumberOfDebug: 0,
|
|
|
|
}
|
2022-06-07 00:31:22 +03:00
|
|
|
result := checks.PinningDependencies(&req)
|
2024-01-30 23:40:41 +03:00
|
|
|
scut.ValidateTestReturn(GinkgoTB(), "dependencies check", &expected, &result, &dl)
|
2022-04-02 03:21:25 +03:00
|
|
|
Expect(x.Close()).Should(BeNil())
|
|
|
|
})
|
2021-01-15 23:18:43 +03:00
|
|
|
})
|
|
|
|
})
|