✨ add --nuget package manager flag (#3020)

* add nuget package manager Signed-off-by: Avishay <avishay.balter@gmail.com> * fix pat test messages (#2987) * also fix pat tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump slsa-framework/slsa-github-generator from 1.5.0 to 1.6.0 Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.5.0 to 1.6.0. - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump cloud.google.com/go/bigquery from 1.51.1 to 1.51.2 (#2984) Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.51.1 to 1.51.2. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.51.1...bigquery/v1.51.2) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang.org/x/tools from 0.9.0 to 0.9.1 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.0 to 0.9.1. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.0...v0.9.1) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 Update osv-scanner dependency to include Vulnerabilities check fixes (#2981) * Update osv-scanner dependency to include Vulnerabilities check fixes Signed-off-by: Laurent Savaëte <laurent@where.tf> * Run go mod tidy Signed-off-by: Laurent Savaëte <laurent@where.tf> --------- Signed-off-by: Laurent Savaëte <laurent@where.tf> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/docker/distribution in /tools (#2993) Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible. - [Release notes](https://github.com/docker/distribution/releases) - [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2) --- updated-dependencies: - dependency-name: github.com/docker/distribution dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Gitlab: e2e test fixes in main (#2992) * test secret chagnes Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update score Signed-off-by: Raghav Kaul <raghavkaul@google.com> * address cr comments Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Unit tests log/log.go (#2980) - Add unit tests for the log package - Add Apache License to log_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/cloudflare/circl in /tools (#2995) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.2.0 to 1.3.3. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.2.0...v1.3.3) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ Add releasing workflow for semantic-release (#2989) Signed-off-by: Matt Travi <programmer@travi.org> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump slsa-framework/slsa-verifier from 2.2.0 to 2.3.0 Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.2.0 to 2.3.0. - [Release notes](https://github.com/slsa-framework/slsa-verifier/releases) - [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md) - [Commits](https://github.com/slsa-framework/slsa-verifier/compare/v2.2.0...v2.3.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-verifier dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#2994) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.1.0 to 1.3.3. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.1.0...v1.3.3) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Additional e2e clients/githubrepo/checkruns.go (#2934) * 🌱 Additional e2e clients/githubrepo/checkruns.go - Add `net/http` and `github.com/google/go-github/v38/github` imports - Add a test for `listCheckRunsForRef` with valid ref - Add a test for `listCheckRunsForRef` with invalid ref Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Based on code review comments Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Some tweaks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 E2E for clients/githubrepo/contributors.go (#2939) * 🌱 E2E for clients/githubrepo/contributors.go - Add an end-to-end test for `contributorsHandler` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed based on code review comments. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed codereview comment. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 📖 Clarify that AI/ML doesn't count as human code review (#2953) * Clarify that AI/ML doesn't count as human code review Add this clarification per the Scorecards Zoom call meeting today (2023-05-04). Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> * Tweaked per review Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> --------- Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang from `31a8f92` to `685a22e` in /cron/internal/cii Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang in /cron/internal/controller Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang in /cron/internal/worker Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang in /clients/githubrepo/roundtripper/tokens/server Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang from `31a8f92` to `685a22e` Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang from `31a8f92` to `685a22e` in /cron/internal/bq Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang in /cron/internal/webhook Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Clarify AI/ML not human code review - in .yml file (#3012) This clarifies that AI/ML doesn't count as human code review. This was earlier done in #2953 but that didn't modify the relevant .yml file - this does. Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#3005) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.7.0 to 0.8.0. - [Commits](https://github.com/golang/oauth2/compare/v0.7.0...v0.8.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Unit tests for checks/raw/maintained.go (#2996) - Add tests and checks for the `Maintained` function - Add checks for `IsArchived`, `ListCommits`, `ListIssues`, and `GetCreatedAt` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 in /tools Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump actions/setup-go from 4.0.0 to 4.0.1 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](4d34df0c23...fac708d667) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump codecov/codecov-action from 3.1.3 to 3.1.4 Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](894ff025c7...eaaf4bedf3) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Unit tests for Policy.go (#3003) - Included tests for policy.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump sigstore/cosign-installer from 3.0.3 to 3.0.4 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](204a51a57a...03d0fecf17) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/google/go-containerregistry (#3025) Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.1 to 0.15.2. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](https://github.com/google/go-containerregistry/compare/v0.15.1...v0.15.2) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1 Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.1. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.1) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Included e2e tests for push to main (#2951) - Update trigger for integration tests to enable running on `push` and `pull_request` on the `main` branch Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Included directories that don't require coverage (#3002) - Included directories that don't require coverage. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Unit tests for checks/raw/contributors.go (#2998) - Add tests and fix casing for Contributors function in checks/raw/contributors_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ GitLab: Code Review check (#2764) * Add GitLab support for Code-Review check Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Remove spurious printf Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Working commit Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * e2e test Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update: test coverage Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * gitlab: license check (#2834) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#3031) Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.1 to 1.9.2. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.1...v1.9.2) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/google/osv-scanner Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3-0.20230509011216-baae1796eeea to 1.3.3. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/commits/v1.3.3) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#3029) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](03d0fecf17...dd6b2e2b61) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump arduino/setup-protoc from 1.1.2 to 1.2.0 Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.1.2 to 1.2.0. - [Release notes](https://github.com/arduino/setup-protoc/releases) - [Commits](64c0c85d18...4b3578161e) --- updated-dependencies: - dependency-name: arduino/setup-protoc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ Add support for github GHES (#2999) * ✨ adding support for github GHES Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: lint and cleanup Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: flaky test Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: address missing host Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: lint error Signed-off-by: Niket Patel <patelniket@gmail.com> * 🌱 Additional e2e clients/githubrepo/checkruns.go (#2934) * 🌱 Additional e2e clients/githubrepo/checkruns.go - Add `net/http` and `github.com/google/go-github/v38/github` imports - Add a test for `listCheckRunsForRef` with valid ref - Add a test for `listCheckRunsForRef` with invalid ref Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Based on code review comments Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Some tweaks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniket@gmail.com> * 🌱 E2E for clients/githubrepo/contributors.go (#2939) * 🌱 E2E for clients/githubrepo/contributors.go - Add an end-to-end test for `contributorsHandler` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed based on code review comments. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed codereview comment. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniket@gmail.com> * chore: add GHES instructions Signed-off-by: Niket Patel <patelniket@gmail.com> * refact: use test setenv Signed-off-by: Niket Patel <patelniket@gmail.com> * fix: corp unit test Signed-off-by: Niket Patel <patelniket@gmail.com> --------- Signed-off-by: Niket Patel <patelniket@gmail.com> Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel <patelniketm@users.noreply.github.com> Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Change Facilitators to Maintainers (#3039) Not sure what the old facilitators table was for. Current list of Maintainers is always in CODEOWNERS. Meaning of "Maintainers" still is not defined, and should be a part of an upcoming contributor ladder. Signed-off-by: Jeff Mendoza <jlm@jlm.name> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 Gitlab: Commit/Commitor Exceptions (#3026) * feat: Added paging for contributor/users against gitlab projects Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Updated the bot flag for unmatched users Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Not all commit users are in the git registry instance Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Skipping check if the email is empty, as well as if the "email" doesn't contain a "." char. Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * fix: Updated to allow for commits with PRs to be accounted/added to the client.commits Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Updated to prevent linting issue regarding nested if's Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Adding coverage for commits and contributors for gitlab Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Moved queries from the client to their own functions Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Need to pass the ProjectID value to the contributor query Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updating project title versus projectID values for api querying Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Updated tests to match expected property set for projectID Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * revert: Reverted based on feedback during review Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> --------- Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#3040) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 📖 Make all StepSecurity app endpoint references consistent (#3042) Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io> Signed-off-by: Avishay <avishay.balter@gmail.com> * 📖 Update checks.md to show the benefit of >=2 reviewers (#3013) * Update checks.yaml instead of cehcks.md Signed-off-by: Joyce <joycebrum@google.com> * feat: generate checks.md Signed-off-by: Joyce Brum <joycebrum@google.com> --------- Signed-off-by: Joyce <joycebrum@google.com> Signed-off-by: Joyce Brum <joycebrum@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Improve workflow pinning remediation tests (#3021) - Add 3 tests for workflow pinning remediation [remediation/remediations_test.go] - Add 3 tests for workflow pinning remediation Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 E2E tests for clients/githubrepo/languages_e2e_test.go (#3000) * 🌱 E2E tests for clients/githubrepo/languages_e2e_test.go - Included e2e tests for clients/githubrepo/languages_e2e_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed the token type check. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Unit tests for pkg/json_raw_results (#3044) * 🌱 Unit tests for pkg/json_raw_results.go - Unit tests for pkg/json_raw_results.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Additional tests Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ [experimental] Add probe code and support for Tool-Update-Dependency (#2944) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * add zoom link and agenda link (#3050) Signed-off-by: Amanda L Martin <hythloda@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Run E2E PAT test for push to main (#3046) - Add E2E PAT tests for push to main. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Update main.yml (#3054) -Fixed the YAML indenting issue. Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * only run e2e pat on push (#3056) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#3057) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 📖 👻 fix anchor link to the code review section (#3058) * fix anchor link to code-review in checks.yaml Signed-off-by: dasfreak <dasfreak@users.noreply.github.com> Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> * generate checks.md Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> --------- Signed-off-by: dasfreak <dasfreak@users.noreply.github.com> Signed-off-by: Marc Ohm <dasfreak@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 Gitlab: Tests (#3027) * fix tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> * use projectID instead of project where applicable Signed-off-by: Raghav Kaul <raghavkaul@google.com> * pass ref as listcommitoption Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update tests * CI-Tests: check if score > 0. pull request client is limited and can't go back to arbitrary pull requests. CI-Tests don't run on forks, so this can't be pinned either. But, for active repositories, we typically expect *some* tests to be run Signed-off-by: Raghav Kaul <raghavkaul@google.com> * fix commitshandler commitSHA tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/goreleaser/nfpm/v2 in /tools (#3060) Bumps [github.com/goreleaser/nfpm/v2](https://github.com/goreleaser/nfpm) from 2.28.0 to 2.29.0. - [Release notes](https://github.com/goreleaser/nfpm/releases) - [Changelog](https://github.com/goreleaser/nfpm/blob/main/.goreleaser.yml) - [Commits](https://github.com/goreleaser/nfpm/compare/v2.28.0...v2.29.0) --- updated-dependencies: - dependency-name: github.com/goreleaser/nfpm/v2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ Gitlab: Add projects to cron (#2936) * cron: add gitlab projects * support gitlab client * simplify gitlab detection Signed-off-by: Raghav Kaul <raghavkaul@google.com> * fix MakeGitlabRepo * shortcut when repo url is github.com * fixes add-projects, validate-projects Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Move gitlab repos to release controller Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add csv headers Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Use gitlab.WithBaseURL Signed-off-by: Raghav Kaul <raghavkaul@google.com> * formatting & logging Signed-off-by: Raghav Kaul <raghavkaul@google.com> * remove spurious test Signed-off-by: Raghav Kaul <raghavkaul@google.com> * consolidate logic Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Turn on experimental flag Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add projects Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Update client Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Simplify caching in docker workflow (#3061) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github/codeql-action from 2.3.3 to 2.3.4 (#3064) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](29b1f65c5e...f0e3dfb303) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump cloud.google.com/go/pubsub from 1.30.1 to 1.31.0 (#3065) Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.30.1 to 1.31.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.30.1...pubsub/v1.31.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/pubsub dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 gitlab: cron (#3070) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github/codeql-action from 2.3.4 to 2.3.5 (#3072) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.4 to 2.3.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](f0e3dfb303...0225834cc5) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump tj-actions/changed-files from 35.9.2 to 36.0.3 (#3071) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.9.2 to 36.0.3. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](b2d17f5124...25eaddf37a) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 Gitlab status updates (#3052) * doc: Updating gitlab support validation status Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updated logic for gitlab to prevent exceptions based on releases Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * test: Added initial tests for gitlab branches Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * doc: Updated general README Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * refactor: Cleaned up the query for pipelines to be focused on the commitID Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * feat: Allowed for a non-graphql method of retrieving MRs associated to a commit Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * doc: Updated status for the CI-Tests Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> * bug: Updated the host url for graphql querying. This enabled the removal of the code added for handling empty returns when executing against a non-gitlab.com repository. Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> --------- Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com> Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 in /tools (#3079) Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.1.1 to 1.2.0. - [Release notes](https://github.com/sigstore/rekor/releases) - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/rekor/compare/v1.1.1...v1.2.0) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * get nuget latest version from registration URL Signed-off-by: Avishay <avishay.balter@gmail.com> * better coverage Signed-off-by: Avishay <avishay.balter@gmail.com> * sign Signed-off-by: Avishay <avishay.balter@gmail.com> * fix tests Signed-off-by: Avishay <avishay.balter@gmail.com> * more tests Signed-off-by: Avishay <avishay.balter@gmail.com> * client tests Signed-off-by: Avishay <avishay.balter@gmail.com> * lint Signed-off-by: Avishay <avishay.balter@gmail.com> * Apply suggestions from code review Co-authored-by: Joel Verhagen <joel.verhagen@gmail.com> Signed-off-by: Avishay Balter <avishay.balter@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang from `685a22e` to `690e413` (#3080) Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang from `685a22e` to `690e413` in /cron/internal/cii Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang in /cron/internal/controller Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang in /cron/internal/worker Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang in /clients/githubrepo/roundtripper/tokens/server Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang in /cron/internal/webhook Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang from `685a22e` to `690e413` in /cron/internal/bq Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump arduino/setup-protoc from 1.2.0 to 1.3.0 (#3089) Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.2.0 to 1.3.0. - [Release notes](https://github.com/arduino/setup-protoc/releases) - [Commits](4b3578161e...149f6c87b9) --- updated-dependencies: - dependency-name: arduino/setup-protoc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump tj-actions/changed-files from 36.0.3 to 36.0.9 (#3088) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.3 to 36.0.9. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](25eaddf37a...cf4fe8759a) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * pr iteration 2 Signed-off-by: Avishay <avishay.balter@gmail.com> * pr iteration 3 Signed-off-by: Avishay <avishay.balter@gmail.com> * switch security policy e2e test to ossf-tests repo. (#3090) tensorflow/tensorflow is huge and was slowing down tests. Also removed the rust e2e tests because they're already present as unit tests. Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 in /tools (#3094) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 (#3093) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#3104) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.4 to 3.0.6. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](f46c48ed6d...1360a344cc) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump tj-actions/changed-files from 36.0.9 to 36.0.12 (#3108) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.9 to 36.0.12. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](cf4fe8759a...5978e5a2df) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/xanzy/go-gitlab from 0.83.0 to 0.84.0 (#3106) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.83.0 to 0.84.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.83.0...v0.84.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang.org/x/tools from 0.9.1 to 0.9.2 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.1 to 0.9.2. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.1...v0.9.2) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ GitLab: enable more checks in cron (#3097) * Enable checks * Binary-Artifacts * Code-Review * License * Vulnerabilities Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Enable more checks * CII Best Practices * Fuzzing * Maintained * Packaging * Pinned-Dependencies * Signed-Releases Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update repo name Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 📖 agenda link change (#3111) Signed-off-by: Amanda L Martin <hythloda@gmail.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github/codeql-action from 2.3.5 to 2.3.6 (#3112) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](0225834cc5...83f0fe6c49) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump tj-actions/changed-files from 36.0.12 to 36.0.15 (#3116) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.12 to 36.0.15. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](5978e5a2df...5d2fcdb4cb) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang.org/x/tools from 0.9.2 to 0.9.3 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.2 to 0.9.3. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.2...v0.9.3) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Unit tests for option (#3109) - Add flags for repo, local, commit, log level, NPM, PyPI, RubyGems, metadata, show details, checks to run, policy file, and format - Add tests for checks to run and format flags Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 GitLab: add gitlab auth token to cron worker env (#3117) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Don't run pat e2e on dependabot merges (#3119) Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ Detect fast-check PBT library for fuzz section (#3073) * ✨ Detect fast-check PBT library for fuzz section As suggested at https://github.com/ossf/scorecard/issues/2792#issuecomment-1562007596, we add support for the detection of fast-check as a possible fuzzing solution. I also adapted the documentation related to fuzzing accordingly. Signed-off-by: Nicolas DUBIEN <github@dubien.org> * Typo Signed-off-by: Nicolas DUBIEN <github@dubien.org> * Update missing md files Signed-off-by: Nicolas DUBIEN <github@dubien.org> --------- Signed-off-by: Nicolas DUBIEN <github@dubien.org> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 temporarily disable failing e2e tests so we don't block all PRs. (#3130) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * pr comments Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#3121) Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * i🌱 Ignore all pb files for test (#3127) - Update .codecov.yml to ignore additional files Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Deprecate dependencydiff package and add access token requirement (#3125) - Deprecate the `dependencydiff` package and the `GetDependencyDiffResults` function - Add a line to the `.codecov.yml` to ignore the `dependencydiff` package Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ [experimental] Support for new `--format probe` (#3048) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump distroless/base (#3122) Bumps distroless/base from `10985f0` to `c623859`. --- updated-dependencies: - dependency-name: distroless/base dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Ignore deprecation warning for dependencydiff tests. (#3136) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump tj-actions/changed-files from 36.0.15 to 36.0.18 Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.15 to 36.0.18. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](5d2fcdb4cb...07e0177b72) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 in /tools (#3135) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/google/osv-scanner from 1.3.3 to 1.3.4 Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3 to 1.3.4. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/compare/v1.3.3...v1.3.4) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/onsi/gomega from 1.27.7 to 1.27.8 Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.7 to 1.27.8. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.27.7...v1.27.8) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 (#3139) Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.6.0...v1.7.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Increase test coverage for finding outcomes (#3142) * Increase test coverage for finding outcomes - Add tests for Outcome UnmarshalYAML function in `finding/finding_test.go` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Updates based on Codereview - Update `Outcome` variable in `finding/finding_test.go` - Add `t.Parallel()` for test parallelization - Add comparison using `cmp.Diff` to test for mismatches - Update test cases for various outcomes Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump tj-actions/changed-files from 36.0.18 to 36.1.0 (#3143) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.18 to 36.1.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](07e0177b72...fb20f4d248) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Re-enable skipped e2e tests. Switch to smaller code review repo. (#3144) * re-enable skipped ci test Signed-off-by: Spencer Schrock <sschrock@google.com> * re-enable skipped attestor test. switch to ossf-tests repo Signed-off-by: Spencer Schrock <sschrock@google.com> * remove extra policies from tests that only look at code review. Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unneeded policies from binary artifact tests. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * add license header Signed-off-by: Avishay <avishay.balter@gmail.com> * pr comments Signed-off-by: Avishay <avishay.balter@gmail.com> * making the packages internal Signed-off-by: Avishay <avishay.balter@gmail.com> * generate mocks Signed-off-by: Avishay <avishay.balter@gmail.com> --------- Signed-off-by: Avishay <avishay.balter@gmail.com> Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
2024-08-16 11:50:37 +03:00 · 2023-06-16 02:13:41 +03:00 · 2023-06-16 02:13:41 +03:00 · 8c9e552f68
commit 8c9e552f68
parent f928748c0e
42 changed files with 1946 additions and 88 deletions
--- a/10
+++ b/10
@ -139,7 +139,8 @@ generate-mocks: clients/mockclients/repo_client.go \
 	clients/mockclients/repo.go \
 	clients/mockclients/cii_client.go \
 	checks/mockclients/vulnerabilities.go \
-	cmd/packagemanager_mockclient.go
+	cmd/internal/packagemanager/packagemanager_mockclient.go \
+	cmd/internal/nuget/nuget_mockclient.go
 clients/mockclients/repo_client.go: clients/repo_client.go | $(MOCKGEN)
 	# Generating MockRepoClient
 	$(MOCKGEN) -source=clients/repo_client.go -destination=clients/mockclients/repo_client.go -package=mockrepo -copyright_file=clients/mockclients/license.txt
@ -152,9 +153,12 @@ clients/mockclients/cii_client.go: clients/cii_client.go | $(MOCKGEN)
 checks/mockclients/vulnerabilities.go: clients/vulnerabilities.go | $(MOCKGEN)
 	# Generating MockCIIClient
 	$(MOCKGEN) -source=clients/vulnerabilities.go -destination=clients/mockclients/vulnerabilities.go -package=mockrepo -copyright_file=clients/mockclients/license.txt
-cmd/packagemanager_mockclient.go: cmd/packagemanager_client.go | $(MOCKGEN)
+cmd/internal/packagemanager/packagemanager_mockclient.go: cmd/internal/packagemanager/client.go | $(MOCKGEN)
 	# Generating MockPackageManagerClient
-	$(MOCKGEN) -source=cmd/packagemanager_client.go -destination=cmd/packagemanager_mockclient.go -package=cmd -copyright_file=clients/mockclients/license.txt
+	$(MOCKGEN) -source=cmd/internal/packagemanager/client.go -destination=cmd/internal/packagemanager/packagemanager_mockclient.go -package=packagemanager -copyright_file=clients/mockclients/license.txt
+cmd/internal/nuget/nuget_mockclient.go: cmd/internal/nuget/client.go | $(MOCKGEN)
+	# Generating MockNugetClient
+	$(MOCKGEN) -source=cmd/internal/nuget/client.go -destination=cmd/internal/nuget/nuget_mockclient.go -package=nuget -copyright_file=clients/mockclients/license.txt

 generate-docs: ## Generates docs
 generate-docs: validate-docs docs/checks.md
--- a/README.md
+++ b/README.md
@ -420,7 +420,7 @@ scorecard --repo=org/repo

 ##### Using a Package manager

-For projects in the `--npm`, `--pypi`, or `--rubygems` ecosystems, you have the
+For projects in the `--npm`, `--pypi`, `--rubygems`, or `--nuget` ecosystems, you have the
 option to run Scorecard using a package manager. Provide the package name to
 run the checks on the corresponding GitHub source code.

--- a/cmd/internal/nuget/client.go
+++ b/cmd/internal/nuget/client.go
@ -0,0 +1,275 @@
+// Copyright 2020 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package nuget implements Nuget API client.
+package nuget
+
+import (
+	"encoding/json"
+	"encoding/xml"
+	"fmt"
+	"io"
+	"net/http"
+	"regexp"
+	"strings"
+
+	"golang.org/x/exp/slices"
+
+	pmc "github.com/ossf/scorecard/v4/cmd/internal/packagemanager"
+	sce "github.com/ossf/scorecard/v4/errors"
+)
+
+type indexResults struct {
+	Resources []indexResult `json:"resources"`
+}
+
+func (n indexResults) findResourceByType(resultType string) (string, error) {
+	resourceIndex := slices.IndexFunc(n.Resources,
+		func(n indexResult) bool { return n.Type == resultType })
+	if resourceIndex == -1 {
+		return "", sce.WithMessage(sce.ErrScorecardInternal,
+			fmt.Sprintf("failed to find %v URI at nuget index json", resultType))
+	}
+
+	return n.Resources[resourceIndex].ID, nil
+}
+
+type indexResult struct {
+	ID   string `json:"@id"`
+	Type string `json:"@type"`
+}
+
+type packageRegistrationCatalogRoot struct {
+	Pages []packageRegistrationCatalogPage `json:"items"`
+}
+
+func (n packageRegistrationCatalogRoot) latestVersion(manager pmc.Client) (string, error) {
+	for pageIndex := len(n.Pages) - 1; pageIndex >= 0; pageIndex-- {
+		page := n.Pages[pageIndex]
+		if page.Packages == nil {
+			err := decodeResponseFromClient(func() (*http.Response, error) {
+				//nolint: wrapcheck
+				return manager.GetURI(page.ID)
+			},
+				func(rc io.ReadCloser) error {
+					//nolint: wrapcheck
+					return json.NewDecoder(rc).Decode(&page)
+				}, "nuget package registration page")
+			if err != nil {
+				return "", err
+			}
+		}
+		for packageIndex := len(page.Packages) - 1; packageIndex >= 0; packageIndex-- {
+			base, preReleaseSuffix := parseNugetSemVer(page.Packages[packageIndex].Entry.Version)
+			// skipping non listed and pre-releases
+			if page.Packages[packageIndex].Entry.Listed && len(strings.TrimSpace(preReleaseSuffix)) == 0 {
+				return base, nil
+			}
+		}
+	}
+	return "", sce.WithMessage(sce.ErrScorecardInternal, "failed to get a listed version for package")
+}
+
+type packageRegistrationCatalogPage struct {
+	ID       string                           `json:"@id"`
+	Packages []packageRegistrationCatalogItem `json:"items"`
+}
+
+type packageRegistrationCatalogItem struct {
+	Entry packageRegistrationCatalogEntry `json:"catalogEntry"`
+}
+
+type packageRegistrationCatalogEntry struct {
+	Version string `json:"version"`
+	Listed  bool   `json:"listed"`
+}
+
+func (e *packageRegistrationCatalogEntry) UnmarshalJSON(text []byte) error {
+	type Alias packageRegistrationCatalogEntry
+	aux := Alias{
+		Listed: true, // set the default value before parsing JSON
+	}
+	if err := json.Unmarshal(text, &aux); err != nil {
+		return fmt.Errorf("failed to unmarshal json: %w", err)
+	}
+	*e = packageRegistrationCatalogEntry(aux)
+	return nil
+}
+
+type packageNuspec struct {
+	XMLName  xml.Name       `xml:"package"`
+	Metadata nuspecMetadata `xml:"metadata"`
+}
+
+func (p *packageNuspec) projectURL(packageName string) (string, error) {
+	for _, projectURL := range []string{p.Metadata.Repository.URL, p.Metadata.ProjectURL} {
+		projectURL = strings.TrimSpace(projectURL)
+		if projectURL != "" && isSupportedProjectURL(projectURL) {
+			projectURL = strings.TrimSuffix(projectURL, "/")
+			projectURL = strings.TrimSuffix(projectURL, ".git")
+			return projectURL, nil
+		}
+	}
+	return "", sce.WithMessage(sce.ErrScorecardInternal,
+		fmt.Sprintf("source repo is not defined for nuget package %v", packageName))
+}
+
+type nuspecMetadata struct {
+	XMLName    xml.Name         `xml:"metadata"`
+	ProjectURL string           `xml:"projectUrl"`
+	Repository nuspecRepository `xml:"repository"`
+}
+
+type nuspecRepository struct {
+	XMLName xml.Name `xml:"repository"`
+	URL     string   `xml:"url,attr"`
+}
+
+type Client interface {
+	GitRepositoryByPackageName(packageName string) (string, error)
+}
+
+type NugetClient struct {
+	Manager pmc.Client
+}
+
+func (c NugetClient) GitRepositoryByPackageName(packageName string) (string, error) {
+	packageBaseURL, registrationBaseURL, err := c.baseUrls()
+	if err != nil {
+		return "", err
+	}
+
+	packageSpec, err := c.packageSpec(packageBaseURL, registrationBaseURL, packageName)
+	if err != nil {
+		return "", err
+	}
+
+	packageURL, err := packageSpec.projectURL(packageName)
+	if err != nil {
+		return "", err
+	}
+	return packageURL, nil
+}
+
+func (c *NugetClient) packageSpec(packageBaseURL, registrationBaseURL, packageName string) (packageNuspec, error) {
+	lowerCasePackageName := strings.ToLower(packageName)
+	lastPackageVersion, err := c.latestListedVersion(registrationBaseURL,
+		lowerCasePackageName)
+	if err != nil {
+		return packageNuspec{}, err
+	}
+	packageSpecResults := &packageNuspec{}
+	err = decodeResponseFromClient(func() (*http.Response, error) {
+		//nolint: wrapcheck
+		return c.Manager.Get(
+			packageBaseURL+"%[1]v/"+lastPackageVersion+"/%[1]v.nuspec", lowerCasePackageName)
+	},
+		func(rc io.ReadCloser) error {
+			//nolint: wrapcheck
+			return xml.NewDecoder(rc).Decode(packageSpecResults)
+		}, "nuget package spec")
+
+	if err != nil {
+		return packageNuspec{}, err
+	}
+	if packageSpecResults.Metadata == (nuspecMetadata{}) {
+		return packageNuspec{}, sce.WithMessage(sce.ErrScorecardInternal,
+			"Nuget nuspec xml Metadata is empty")
+	}
+	return *packageSpecResults, nil
+}
+
+func (c *NugetClient) baseUrls() (string, string, error) {
+	indexURL := "https://api.nuget.org/v3/index.json"
+	indexResults := &indexResults{}
+	err := decodeResponseFromClient(func() (*http.Response, error) {
+		//nolint: wrapcheck
+		return c.Manager.GetURI(indexURL)
+	},
+		func(rc io.ReadCloser) error {
+			//nolint: wrapcheck
+			return json.NewDecoder(rc).Decode(indexResults)
+		}, "nuget index json")
+	if err != nil {
+		return "", "", err
+	}
+	packageBaseURL, err := indexResults.findResourceByType("PackageBaseAddress/3.0.0")
+	if err != nil {
+		return "", "", err
+	}
+	registrationBaseURL, err := indexResults.findResourceByType("RegistrationsBaseUrl/3.6.0")
+	if err != nil {
+		return "", "", err
+	}
+	return packageBaseURL, registrationBaseURL, nil
+}
+
+// Gets the latest listed nuget version of a package, based on the protocol defined at
+// https://learn.microsoft.com/en-us/nuget/api/package-base-address-resource#enumerate-package-versions
+func (c *NugetClient) latestListedVersion(baseURL, packageName string) (string, error) {
+	packageRegistrationCatalogRoot := &packageRegistrationCatalogRoot{}
+	err := decodeResponseFromClient(func() (*http.Response, error) {
+		//nolint: wrapcheck
+		return c.Manager.Get(baseURL+"%s/index.json", packageName)
+	},
+		func(rc io.ReadCloser) error {
+			//nolint: wrapcheck
+			return json.NewDecoder(rc).Decode(packageRegistrationCatalogRoot)
+		}, "nuget package registration index json")
+	if err != nil {
+		return "", err
+	}
+	return packageRegistrationCatalogRoot.latestVersion(c.Manager)
+}
+
+func isSupportedProjectURL(projectURL string) bool {
+	pattern := `^(?:https?://)?(?:www\.)?(?:github|gitlab)\.com/([A-Za-z0-9_\.-]+)/([A-Za-z0-9_\./-]+)$`
+	regex := regexp.MustCompile(pattern)
+	return regex.MatchString(projectURL)
+}
+
+// Nuget semver diverges from Semantic Versioning.
+// This method returns the Nuget represntation of version and pre release strings.
+// nolint: lll // long URL
+// more info: https://learn.microsoft.com/en-us/nuget/concepts/package-versioning#where-nugetversion-diverges-from-semantic-versioning
+func parseNugetSemVer(versionString string) (base, preReleaseSuffix string) {
+	metadataAndVersion := strings.Split(versionString, "+")
+	prereleaseAndVersions := strings.Split(metadataAndVersion[0], "-")
+	if len(prereleaseAndVersions) == 1 {
+		return prereleaseAndVersions[0], ""
+	}
+	return prereleaseAndVersions[0], prereleaseAndVersions[1]
+}
+
+func decodeResponseFromClient(getFunc func() (*http.Response, error),
+	decodeFunc func(io.ReadCloser) error, name string,
+) error {
+	response, err := getFunc()
+	if err != nil {
+		return sce.WithMessage(sce.ErrScorecardInternal,
+			fmt.Sprintf("failed to get %s: %v", name, err))
+	}
+	if response.StatusCode != http.StatusOK {
+		return sce.WithMessage(sce.ErrScorecardInternal,
+			fmt.Sprintf("failed to get %s with status: %v", name, response.Status))
+	}
+	defer response.Body.Close()
+
+	err = decodeFunc(response.Body)
+	if err != nil {
+		return sce.WithMessage(sce.ErrScorecardInternal,
+			fmt.Sprintf("failed to parse %s: %v", name, err))
+	}
+	return nil
+}
--- a/cmd/internal/nuget/client_test.go
+++ b/cmd/internal/nuget/client_test.go
@ -0,0 +1,623 @@
+// Copyright 2020 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package nuget implements Nuget API client.
+package nuget
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/golang/mock/gomock"
+	"golang.org/x/exp/slices"
+
+	pmc "github.com/ossf/scorecard/v4/cmd/internal/packagemanager"
+)
+
+type resultPackagePage struct {
+	url      string
+	response string
+}
+type nugetTestArgs struct {
+	inputPackageName               string
+	expectedPackageName            string
+	resultIndex                    string
+	resultPackageRegistrationIndex string
+	resultPackageSpec              string
+	version                        string
+	resultPackageRegistrationPages []resultPackagePage
+}
+type nugetTest struct {
+	name    string
+	want    string
+	args    nugetTestArgs
+	wantErr bool
+}
+
+func Test_fetchGitRepositoryFromNuget(t *testing.T) {
+	t.Parallel()
+
+	tests := []nugetTest{
+		{
+			name: "find latest version in single page",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_single.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "package_spec.xml",
+				version:                        "4.0.1",
+			},
+			want:    "https://github.com/foo/foo.net",
+			wantErr: false,
+		},
+		{
+			name: "find by lowercase package name",
+
+			args: nugetTestArgs{
+				inputPackageName:               "Nuget-Package",
+				expectedPackageName:            "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_single.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "package_spec.xml",
+				version:                        "4.0.1",
+			},
+			want:    "https://github.com/foo/foo.net",
+			wantErr: false,
+		},
+		{
+			name: "find and remove trailing slash",
+
+			args: nugetTestArgs{
+				inputPackageName:               "Nuget-Package",
+				expectedPackageName:            "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_single.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "package_spec_trailing_slash.xml",
+				version:                        "4.0.1",
+			},
+			want:    "https://github.com/foo/foo.net",
+			wantErr: false,
+		},
+		{
+			name: "find and remove git ending",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_single.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "package_spec_git_ending.xml",
+				version:                        "4.0.1",
+			},
+			want:    "https://github.com/foo/foo.net",
+			wantErr: false,
+		},
+		{
+			name: "find and handle four digit version",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_four_digit_version.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "package_spec_four_digit_version.xml",
+				version:                        "1.60.0.2981",
+			},
+			want:    "https://github.com/foo/foo.net",
+			wantErr: false,
+		},
+		{
+			name: "skip semver metadata",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_metadata_version.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "package_spec.xml",
+				version:                        "4.0.1",
+			},
+			want:    "https://github.com/foo/foo.net",
+			wantErr: false,
+		},
+		{
+			name: "skip pre release",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_pre_release_version.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "package_spec.xml",
+				version:                        "4.0.1",
+			},
+			want:    "https://github.com/foo/foo.net",
+			wantErr: false,
+		},
+		{
+			name: "skip pre release and metadata",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_pre_release_and_metadata_version.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "package_spec.xml",
+				version:                        "4.0.1",
+			},
+			want:    "https://github.com/foo/foo.net",
+			wantErr: false,
+		},
+		{
+			name: "find in project url if repository missing",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_single.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "package_spec_project_url.xml",
+				version:                        "4.0.1",
+			},
+			want:    "https://github.com/foo/foo.net",
+			wantErr: false,
+		},
+		{
+			name: "get github project url without git ending",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_single.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "package_spec_project_url_git_ending.xml",
+				version:                        "4.0.1",
+			},
+			want:    "https://github.com/foo/foo.net",
+			wantErr: false,
+		},
+		{
+			name: "get gitlab project url if repository url missing",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_single.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "package_spec_project_url_gitlab.xml",
+				version:                        "4.0.1",
+			},
+			want:    "https://gitlab.com/foo/foo.net",
+			wantErr: false,
+		},
+		{
+			name: "error if project url is not gitlab or github",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_single.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "package_spec_project_url_not_supported.xml",
+				version:                        "4.0.1",
+			},
+			want:    "internal error: source repo is not defined for nuget package nuget-package",
+			wantErr: true,
+		},
+		{
+			name: "find latest version in first of multiple pages",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_multiple.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "package_spec.xml",
+				version:                        "4.0.1",
+			},
+			want:    "https://github.com/foo/foo.net",
+			wantErr: false,
+		},
+		{
+			name: "find latest version in first of multiple remote pages",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_multiple_remote.json",
+				resultPackageRegistrationPages: []resultPackagePage{
+					{
+						url:      "https://api.nuget.org/v3/registration5-semver1/Foo.NET/page1/index.json",
+						response: "package_registration_page_one.json",
+					},
+					{
+						url:      "https://api.nuget.org/v3/registration5-semver1/Foo.NET/page2/index.json",
+						response: "package_registration_page_two.json",
+					},
+				},
+				resultPackageSpec: "package_spec.xml",
+				version:           "4.0.1",
+			},
+			want:    "https://github.com/foo/foo.net",
+			wantErr: false,
+		},
+		{
+			name: "find latest version in last of multiple pages",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_multiple_last.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "package_spec.xml",
+				version:                        "4.0.1",
+			},
+			want:    "https://github.com/foo/foo.net",
+			wantErr: false,
+		},
+		{
+			name: "find latest version in last of remote multiple pages",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_multiple_remote.json",
+				resultPackageRegistrationPages: []resultPackagePage{
+					{
+						url:      "https://api.nuget.org/v3/registration5-semver1/Foo.NET/page1/index.json",
+						response: "package_registration_page_one.json",
+					},
+					{
+						url:      "https://api.nuget.org/v3/registration5-semver1/Foo.NET/page2/index.json",
+						response: "package_registration_page_two_not_listed.json",
+					},
+				},
+				resultPackageSpec: "package_spec.xml",
+				version:           "3.5.2",
+			},
+			want:    "https://github.com/foo/foo.net",
+			wantErr: false,
+		},
+		{
+			name: "find latest version with default listed value true",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_default_listed_true.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "package_spec.xml",
+				version:                        "4.0.1",
+			},
+			want:    "https://github.com/foo/foo.net",
+			wantErr: false,
+		},
+		{
+			name: "skip not listed versions",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_with_not_listed.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "package_spec.xml",
+				version:                        "3.5.8",
+			},
+			want:    "https://github.com/foo/foo.net",
+			wantErr: false,
+		},
+		{
+			name: "error if no listed version",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_all_not_listed.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "",
+				version:                        "",
+			},
+			want:    "internal error: failed to get a listed version for package",
+			wantErr: true,
+		},
+		{
+			name: "error no index",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "",
+				resultPackageRegistrationIndex: "",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "",
+			},
+			want:    "internal error: failed to get nuget index json: error",
+			wantErr: true,
+		},
+		{
+			name: "error bad index",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "text",
+				resultPackageRegistrationIndex: "",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "",
+			},
+			want:    "internal error: failed to parse nuget index json: invalid character 'e' in literal true (expecting 'r')",
+			wantErr: true,
+		},
+		{
+			name: "error package registration index",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "",
+			},
+			want:    "internal error: failed to get nuget package registration index json: error",
+			wantErr: true,
+		},
+		{
+			name: "error bad package index",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "text",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "",
+			},
+			//nolint
+			want:    "internal error: failed to parse nuget package registration index json: invalid character 'e' in literal true (expecting 'r')",
+			wantErr: true,
+		},
+		{
+			name: "error package registration page",
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_multiple_remote.json",
+				resultPackageRegistrationPages: []resultPackagePage{
+					{
+						url:      "https://api.nuget.org/v3/registration5-semver1/Foo.NET/page1/index.json",
+						response: "",
+					},
+					{
+						url:      "https://api.nuget.org/v3/registration5-semver1/Foo.NET/page2/index.json",
+						response: "",
+					},
+				},
+				resultPackageSpec: "",
+			},
+			want:    "internal error: failed to get nuget package registration page: error",
+			wantErr: true,
+		},
+		{
+			name: "error in package spec",
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_single.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "",
+				version:                        "4.0.1",
+			},
+			want:    "internal error: failed to get nuget package spec: error",
+			wantErr: true,
+		},
+		{
+			name: "error bad package spec",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_multiple_remote.json",
+				resultPackageRegistrationPages: []resultPackagePage{
+					{
+						url:      "https://api.nuget.org/v3/registration5-semver1/Foo.NET/page2/index.json",
+						response: "text",
+					},
+				},
+				resultPackageSpec: "",
+			},
+			//nolint
+			want:    "internal error: failed to parse nuget package registration page: invalid character 'e' in literal true (expecting 'r')",
+			wantErr: true,
+		},
+		{
+			name: "error package spec",
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_single.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "text",
+				version:                        "4.0.1",
+			},
+			want:    "internal error: failed to parse nuget package spec: EOF",
+			wantErr: true,
+		},
+		{
+			name: "bad remote package page",
+
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_multiple_remote.json",
+				resultPackageRegistrationPages: []resultPackagePage{
+					{
+						url:      "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1",
+						response: "text",
+					},
+				},
+				resultPackageSpec: "",
+			},
+			want:    "internal error: failed to get nuget package registration page: error",
+			wantErr: true,
+		},
+		{
+			name: "error no registration url",
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index_bad_registration_base.json",
+				resultPackageRegistrationIndex: "",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "",
+				version:                        "4.0.1",
+			},
+			want:    "internal error: failed to find RegistrationsBaseUrl/3.6.0 URI at nuget index json",
+			wantErr: true,
+		},
+		{
+			name: "error no package base url",
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index_bad_package_base.json",
+				resultPackageRegistrationIndex: "",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "",
+				version:                        "4.0.1",
+			},
+			want:    "internal error: failed to find PackageBaseAddress/3.0.0 URI at nuget index json",
+			wantErr: true,
+		},
+		{
+			name: "error marhsal entry",
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_marshal_error.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "",
+				version:                        "",
+			},
+			//nolint
+			want:    "internal error: failed to parse nuget package registration index json: failed to unmarshal json: json: cannot unmarshal number into Go struct field Alias.listed of type bool",
+			wantErr: true,
+		},
+		{
+			name: "empty package spec",
+			args: nugetTestArgs{
+				inputPackageName:               "nuget-package",
+				resultIndex:                    "index.json",
+				resultPackageRegistrationIndex: "package_registration_index_single.json",
+				resultPackageRegistrationPages: []resultPackagePage{},
+				resultPackageSpec:              "package_spec_error.xml",
+				version:                        "4.0.1",
+			},
+			want:    "internal error: source repo is not defined for nuget package nuget-package",
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			ctrl := gomock.NewController(t)
+			p := pmc.NewMockClient(ctrl)
+			p.EXPECT().GetURI(gomock.Any()).
+				DoAndReturn(func(url string) (*http.Response, error) {
+					return nugetIndexOrPageTestResults(url, &tt)
+				}).AnyTimes()
+			expectedPackageName := tt.args.expectedPackageName
+			if strings.TrimSpace(expectedPackageName) == "" {
+				expectedPackageName = tt.args.inputPackageName
+			}
+
+			p.EXPECT().Get(gomock.Any(), expectedPackageName).
+				DoAndReturn(func(url, inputPackageName string) (*http.Response, error) {
+					return nugetPackageIndexAndSpecResponse(t, url, &tt)
+				}).AnyTimes()
+			client := NugetClient{Manager: p}
+			got, err := client.GitRepositoryByPackageName(tt.args.inputPackageName)
+			if err != nil {
+				if !tt.wantErr {
+					t.Errorf("fetchGitRepositoryFromNuget() error = %v, wantErr %v", err, tt.wantErr)
+					return
+				}
+				if err.Error() != tt.want {
+					t.Errorf("fetchGitRepositoryFromNuget() err.Error() = %v, wanted %v", err.Error(), tt.want)
+					return
+				}
+				return
+			}
+
+			if got != tt.want {
+				t.Errorf("fetchGitRepositoryFromNuget() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func nugetIndexOrPageTestResults(url string, test *nugetTest) (*http.Response, error) {
+	if url == "https://api.nuget.org/v3/index.json" {
+		return testResult(test.wantErr, test.args.resultIndex)
+	}
+	urlResponseIndex := slices.IndexFunc(test.args.resultPackageRegistrationPages,
+		func(page resultPackagePage) bool { return page.url == url })
+	if urlResponseIndex == -1 {
+		//nolint
+		return nil, errors.New("error")
+	}
+	page := test.args.resultPackageRegistrationPages[urlResponseIndex]
+	return testResult(test.wantErr, page.response)
+}
+
+func nugetPackageIndexAndSpecResponse(t *testing.T, url string, test *nugetTest) (*http.Response, error) {
+	t.Helper()
+	if strings.HasSuffix(url, "index.json") {
+		return testResult(test.wantErr, test.args.resultPackageRegistrationIndex)
+	} else if strings.HasSuffix(url, ".nuspec") {
+		if strings.Contains(url, fmt.Sprintf("/%v/", test.args.version)) {
+			return testResult(test.wantErr, test.args.resultPackageSpec)
+		}
+		t.Errorf("fetchGitRepositoryFromNuget() version = %v, expected version = %v", url, test.args.version)
+	}
+	//nolint
+	return nil, errors.New("error")
+}
+
+func testResult(wantErr bool, responseFileName string) (*http.Response, error) {
+	if wantErr && responseFileName == "" {
+		//nolint
+		return nil, errors.New("error")
+	}
+	if wantErr && responseFileName == "text" {
+		return &http.Response{
+			StatusCode: 200,
+			Body:       io.NopCloser(bytes.NewBufferString("text")),
+		}, nil
+	}
+	content, err := os.ReadFile("./testdata/" + responseFileName)
+	if err != nil {
+		return nil, fmt.Errorf("%w", err)
+	}
+	return &http.Response{
+		StatusCode: 200,
+		Body:       io.NopCloser(bytes.NewBufferString(string(content))),
+	}, nil
+}
--- a/cmd/internal/nuget/nuget_mockclient.go
+++ b/cmd/internal/nuget/nuget_mockclient.go
@ -0,0 +1,64 @@
+// Copyright 2021 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+// Code generated by MockGen. DO NOT EDIT.
+// Source: cmd/internal/nuget/client.go
+
+// Package nuget is a generated GoMock package.
+package nuget
+
+import (
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+)
+
+// MockClient is a mock of Client interface.
+type MockClient struct {
+	ctrl     *gomock.Controller
+	recorder *MockClientMockRecorder
+}
+
+// MockClientMockRecorder is the mock recorder for MockClient.
+type MockClientMockRecorder struct {
+	mock *MockClient
+}
+
+// NewMockClient creates a new mock instance.
+func NewMockClient(ctrl *gomock.Controller) *MockClient {
+	mock := &MockClient{ctrl: ctrl}
+	mock.recorder = &MockClientMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockClient) EXPECT() *MockClientMockRecorder {
+	return m.recorder
+}
+
+// GitRepositoryByPackageName mocks base method.
+func (m *MockClient) GitRepositoryByPackageName(packageName string) (string, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GitRepositoryByPackageName", packageName)
+	ret0, _ := ret[0].(string)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GitRepositoryByPackageName indicates an expected call of GitRepositoryByPackageName.
+func (mr *MockClientMockRecorder) GitRepositoryByPackageName(packageName interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GitRepositoryByPackageName", reflect.TypeOf((*MockClient)(nil).GitRepositoryByPackageName), packageName)
+}
--- a/cmd/internal/nuget/testdata/index.json
+++ b/cmd/internal/nuget/testdata/index.json
@ -0,0 +1,15 @@
+{
+  "version": "3.0.0",
+  "resources": [
+    {
+      "@id": "https://api.nuget.org/v3-flatcontainer/",
+      "@type": "PackageBaseAddress/3.0.0",
+      "comment": "Base URL of where NuGet packages are stored"
+    },
+    {
+      "@id": "https://api.nuget.org/v3/registration5-gz-semver1/",
+      "@type": "RegistrationsBaseUrl/3.6.0",
+      "comment": "Base URL of Azure storage where NuGet package registration info."
+    }
+  ]
+}
--- a/cmd/internal/nuget/testdata/index_bad_package_base.json
+++ b/cmd/internal/nuget/testdata/index_bad_package_base.json
@ -0,0 +1,15 @@
+{
+  "version": "3.0.0",
+  "resources": [
+    {
+      "@id": "https://api.nuget.org/v3-flatcontainer/",
+      "@type": "PackageBaseAddress/3.1.0",
+      "comment": "Base URL of where NuGet packages are stored, in the format ..."
+    },
+    {
+      "@id": "https://api.nuget.org/v3/registration5-gz-semver1/",
+      "@type": "RegistrationsBaseUrl/3.6.0",
+      "comment": "Base URL of Azure storage where NuGet package registration info."
+    }
+  ]
+}
--- a/cmd/internal/nuget/testdata/index_bad_registration_base.json
+++ b/cmd/internal/nuget/testdata/index_bad_registration_base.json
@ -0,0 +1,15 @@
+{
+  "version": "3.0.0",
+  "resources": [
+    {
+      "@id": "https://api.nuget.org/v3-flatcontainer/",
+      "@type": "PackageBaseAddress/3.0.0",
+      "comment": "Base URL of where NuGet packages are stored, in the format ..."
+    },
+    {
+      "@id": "https://api.nuget.org/v3/registration5-gz-semver1/",
+      "@type": "RegistrationsBaseUrl/3.2.0",
+      "comment": "Base URL of Azure storage where NuGet package registration info."
+    }
+  ]
+}
--- a/cmd/internal/nuget/testdata/package_registration_index_all_not_listed.json
+++ b/cmd/internal/nuget/testdata/package_registration_index_all_not_listed.json
@ -0,0 +1,33 @@
+{
+  "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json",
+  "count": 1,
+  "items": [
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1",
+      "@type": "catalog:CatalogPage",
+      "count": 2,
+      "items": [
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json",
+            "@type": "PackageDetails",
+            "listed": false,
+            "version": "3.5.8"
+          }
+        },
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json",
+            "@type": "PackageDetails",
+            "listed": false,
+            "version": "4.0.1"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/cmd/internal/nuget/testdata/package_registration_index_default_listed_true.json
+++ b/cmd/internal/nuget/testdata/package_registration_index_default_listed_true.json
@ -0,0 +1,32 @@
+{
+  "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json",
+  "count": 1,
+  "items": [
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1",
+      "@type": "catalog:CatalogPage",
+      "count": 2,
+      "items": [
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json",
+            "@type": "PackageDetails",
+            "listed": true,
+            "version": "3.5.8"
+          }
+        },
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json",
+            "@type": "PackageDetails",
+            "version": "4.0.1"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/cmd/internal/nuget/testdata/package_registration_index_four_digit_version.json
+++ b/cmd/internal/nuget/testdata/package_registration_index_four_digit_version.json
@ -0,0 +1,33 @@
+{
+  "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json",
+  "count": 1,
+  "items": [
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1",
+      "@type": "catalog:CatalogPage",
+      "count": 2,
+      "items": [
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022/Foo.NET.3.5.8.json",
+            "@type": "PackageDetails",
+            "listed": true,
+            "version": "3.5.8"
+          }
+        },
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/1.60.0.2981.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022/Foo.NET.1.60.0.2981.json",
+            "@type": "PackageDetails",
+            "listed": true,
+            "version": "1.60.0.2981+metadata"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/cmd/internal/nuget/testdata/package_registration_index_marshal_error.json
+++ b/cmd/internal/nuget/testdata/package_registration_index_marshal_error.json
@ -0,0 +1,33 @@
+{
+  "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json",
+  "count": 1,
+  "items": [
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1",
+      "@type": "catalog:CatalogPage",
+      "count": 2,
+      "items": [
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json",
+            "@type": "PackageDetails",
+            "listed": 123,
+            "version": "3.5.8"
+          }
+        },
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json",
+            "@type": "PackageDetails",
+            "listed": true,
+            "version": "4.0.1"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/cmd/internal/nuget/testdata/package_registration_index_metadata_version.json
+++ b/cmd/internal/nuget/testdata/package_registration_index_metadata_version.json
@ -0,0 +1,33 @@
+{
+  "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json",
+  "count": 1,
+  "items": [
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1",
+      "@type": "catalog:CatalogPage",
+      "count": 2,
+      "items": [
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json",
+            "@type": "PackageDetails",
+            "listed": true,
+            "version": "3.5.8"
+          }
+        },
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json",
+            "@type": "PackageDetails",
+            "listed": true,
+            "version": "4.0.1+metadata"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/cmd/internal/nuget/testdata/package_registration_index_multiple.json
+++ b/cmd/internal/nuget/testdata/package_registration_index_multiple.json
@ -0,0 +1,60 @@
+{
+  "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json",
+  "count": 2,
+  "items": [
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1",
+      "@type": "catalog:CatalogPage",
+      "count": 2,
+      "items": [
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.1.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.1.json",
+            "@type": "PackageDetails",
+            "listed": true,
+            "version": "3.5.1"
+          }
+        },
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.2.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.2.json",
+            "@type": "PackageDetails",
+            "listed": true,
+            "version": "3.5.2"
+          }
+        }
+      ]
+    },
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/2",
+      "@type": "catalog:CatalogPage",
+      "count": 2,
+      "items": [
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json",
+            "@type": "PackageDetails",
+            "listed": true,
+            "version": "3.5.8"
+          }
+        },
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json",
+            "@type": "PackageDetails",
+            "listed": true,
+            "version": "4.0.1"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/cmd/internal/nuget/testdata/package_registration_index_multiple_last.json
+++ b/cmd/internal/nuget/testdata/package_registration_index_multiple_last.json
@ -0,0 +1,60 @@
+{
+  "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json",
+  "count": 2,
+  "items": [
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1",
+      "@type": "catalog:CatalogPage",
+      "count": 2,
+      "items": [
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json",
+            "@type": "PackageDetails",
+            "listed": true,
+            "version": "3.5.8"
+          }
+        },
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json",
+            "@type": "PackageDetails",
+            "listed": true,
+            "version": "4.0.1"
+          }
+        }
+      ]
+    },
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/2",
+      "@type": "catalog:CatalogPage",
+      "count": 2,
+      "items": [
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.1.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.1.json",
+            "@type": "PackageDetails",
+            "listed": false,
+            "version": "4.1"
+          }
+        },
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.2.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.2.json",
+            "@type": "PackageDetails",
+            "listed": false,
+            "version": "4.2"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/cmd/internal/nuget/testdata/package_registration_index_multiple_remote.json
+++ b/cmd/internal/nuget/testdata/package_registration_index_multiple_remote.json
@ -0,0 +1,16 @@
+{
+  "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json",
+  "count": 2,
+  "items": [
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/page1/index.json",
+      "@type": "catalog:CatalogPage",
+      "count": 2
+    },
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/page2/index.json",
+      "@type": "catalog:CatalogPage",
+      "count": 2
+    }
+  ]
+}
--- a/cmd/internal/nuget/testdata/package_registration_index_pre_release_and_metadata_version.json
+++ b/cmd/internal/nuget/testdata/package_registration_index_pre_release_and_metadata_version.json
@ -0,0 +1,33 @@
+{
+  "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json",
+  "count": 1,
+  "items": [
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1",
+      "@type": "catalog:CatalogPage",
+      "count": 2,
+      "items": [
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json",
+            "@type": "PackageDetails",
+            "listed": true,
+            "version": "4.0.1+metadata"
+          }
+        },
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json",
+            "@type": "PackageDetails",
+            "listed": true,
+            "version": "4.0.1-beta+meta"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/cmd/internal/nuget/testdata/package_registration_index_pre_release_version.json
+++ b/cmd/internal/nuget/testdata/package_registration_index_pre_release_version.json
@ -0,0 +1,33 @@
+{
+  "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json",
+  "count": 1,
+  "items": [
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1",
+      "@type": "catalog:CatalogPage",
+      "count": 2,
+      "items": [
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json",
+            "@type": "PackageDetails",
+            "listed": true,
+            "version": "4.0.1"
+          }
+        },
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json",
+            "@type": "PackageDetails",
+            "listed": true,
+            "version": "4.0.1-beta"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/cmd/internal/nuget/testdata/package_registration_index_single.json
+++ b/cmd/internal/nuget/testdata/package_registration_index_single.json
@ -0,0 +1,33 @@
+{
+  "@id": "https://api.nuget.org/v3/c-semver1/Foo.NET/index.json",
+  "count": 1,
+  "items": [
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1",
+      "@type": "catalog:CatalogPage",
+      "count": 2,
+      "items": [
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json",
+            "@type": "PackageDetails",
+            "listed": true,
+            "version": "3.5.8"
+          }
+        },
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json",
+            "@type": "PackageDetails",
+            "listed": true,
+            "version": "4.0.1"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/cmd/internal/nuget/testdata/package_registration_index_with_not_listed.json
+++ b/cmd/internal/nuget/testdata/package_registration_index_with_not_listed.json
@ -0,0 +1,33 @@
+{
+  "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json",
+  "count": 1,
+  "items": [
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1",
+      "@type": "catalog:CatalogPage",
+      "count": 2,
+      "items": [
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json",
+            "@type": "PackageDetails",
+            "listed": true,
+            "version": "3.5.8"
+          }
+        },
+        {
+          "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json",
+          "@type": "Package",
+          "catalogEntry": {
+            "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json",
+            "@type": "PackageDetails",
+            "listed": false,
+            "version": "4.0.1"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/cmd/internal/nuget/testdata/package_registration_page_one.json
+++ b/cmd/internal/nuget/testdata/package_registration_page_one.json
@ -0,0 +1,27 @@
+{
+  "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1",
+  "@type": "catalog:CatalogPage",
+  "count": 2,
+  "items": [
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.1.json",
+      "@type": "Package",
+      "catalogEntry": {
+        "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.1.json",
+        "@type": "PackageDetails",
+        "listed": true,
+        "version": "3.5.1"
+      }
+    },
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.2.json",
+      "@type": "Package",
+      "catalogEntry": {
+        "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.2.json",
+        "@type": "PackageDetails",
+        "listed": true,
+        "version": "3.5.2"
+      }
+    }
+  ]
+}
--- a/cmd/internal/nuget/testdata/package_registration_page_two.json
+++ b/cmd/internal/nuget/testdata/package_registration_page_two.json
@ -0,0 +1,27 @@
+{
+  "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/2",
+  "@type": "catalog:CatalogPage",
+  "count": 2,
+  "items": [
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json",
+      "@type": "Package",
+      "catalogEntry": {
+        "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json",
+        "@type": "PackageDetails",
+        "listed": true,
+        "version": "3.5.8"
+      }
+    },
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json",
+      "@type": "Package",
+      "catalogEntry": {
+        "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json",
+        "@type": "PackageDetails",
+        "listed": true,
+        "version": "4.0.1"
+      }
+    }
+  ]
+}
--- a/cmd/internal/nuget/testdata/package_registration_page_two_not_listed.json
+++ b/cmd/internal/nuget/testdata/package_registration_page_two_not_listed.json
@ -0,0 +1,27 @@
+{
+  "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/2",
+  "@type": "catalog:CatalogPage",
+  "count": 2,
+  "items": [
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.1.json",
+      "@type": "Package",
+      "catalogEntry": {
+        "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.1.json",
+        "@type": "PackageDetails",
+        "listed": false,
+        "version": "4.1"
+      }
+    },
+    {
+      "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.2.json",
+      "@type": "Package",
+      "catalogEntry": {
+        "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.2.json",
+        "@type": "PackageDetails",
+        "listed": false,
+        "version": "4.2"
+      }
+    }
+  ]
+}
--- a/cmd/internal/nuget/testdata/package_spec.xml
+++ b/cmd/internal/nuget/testdata/package_spec.xml
@ -0,0 +1,9 @@
+<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
+	<metadata minClientVersion="2.12">
+		<id>Foo</id>
+		<version>4.0.1</version>
+		<title>Foo.NET</title>
+		<repository type="git" url="https://github.com/foo/foo.net" commit="123"/>
+		<projectUrl>foo</projectUrl>
+	</metadata>
+</package>
--- a/cmd/internal/nuget/testdata/package_spec_error.xml
+++ b/cmd/internal/nuget/testdata/package_spec_error.xml
@ -0,0 +1,7 @@
+<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
+	<metadata minClientVersion="2.12">
+		<id>Foo</id>
+		<version>4.0.1</version>
+		<title>Foo.NET</title>
+	</metadata>
+</package>
--- a/cmd/internal/nuget/testdata/package_spec_four_digit_version.xml
+++ b/cmd/internal/nuget/testdata/package_spec_four_digit_version.xml
@ -0,0 +1,9 @@
+<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
+	<metadata minClientVersion="2.12">
+		<id>Foo</id>
+		<version>1.60.0.2981+metadat</version>
+		<title>Foo.NET</title>
+		<repository type="git" url="https://github.com/foo/foo.net" commit="123"/>
+		<projectUrl>foo</projectUrl>
+	</metadata>
+</package>
--- a/cmd/internal/nuget/testdata/package_spec_git_ending.xml
+++ b/cmd/internal/nuget/testdata/package_spec_git_ending.xml
@ -0,0 +1,9 @@
+<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
+	<metadata minClientVersion="2.12">
+		<id>Foo</id>
+		<version>4.0.1</version>
+		<title>Foo.NET</title>
+		<repository type="git" url="https://github.com/foo/foo.net.git" commit="123"/>
+		<projectUrl>foo</projectUrl>
+	</metadata>
+</package>
--- a/cmd/internal/nuget/testdata/package_spec_project_url.xml
+++ b/cmd/internal/nuget/testdata/package_spec_project_url.xml
@ -0,0 +1,8 @@
+<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
+	<metadata minClientVersion="2.12">
+		<id>Foo</id>
+		<version>4.0.1</version>
+		<title>Foo.NET</title>
+		<projectUrl>https://github.com/foo/foo.net</projectUrl>
+	</metadata>
+</package>
--- a/cmd/internal/nuget/testdata/package_spec_project_url_git_ending.xml
+++ b/cmd/internal/nuget/testdata/package_spec_project_url_git_ending.xml
@ -0,0 +1,8 @@
+<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
+	<metadata minClientVersion="2.12">
+		<id>Foo</id>
+		<version>4.0.1</version>
+		<title>Foo.NET</title>
+		<projectUrl>https://github.com/foo/foo.net.git</projectUrl>
+	</metadata>
+</package>
--- a/cmd/internal/nuget/testdata/package_spec_project_url_gitlab.xml
+++ b/cmd/internal/nuget/testdata/package_spec_project_url_gitlab.xml
@ -0,0 +1,8 @@
+<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
+	<metadata minClientVersion="2.12">
+		<id>Foo</id>
+		<version>4.0.1</version>
+		<title>Foo.NET</title>
+		<projectUrl>https://gitlab.com/foo/foo.net</projectUrl>
+	</metadata>
+</package>
--- a/cmd/internal/nuget/testdata/package_spec_project_url_not_supported.xml
+++ b/cmd/internal/nuget/testdata/package_spec_project_url_not_supported.xml
@ -0,0 +1,8 @@
+<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
+	<metadata minClientVersion="2.12">
+		<id>Foo</id>
+		<version>4.0.1</version>
+		<title>Foo.NET</title>
+		<projectUrl>https://myserver.com/foo/foo.net</projectUrl>
+	</metadata>
+</package>
--- a/cmd/internal/nuget/testdata/package_spec_trailing_slash.xml
+++ b/cmd/internal/nuget/testdata/package_spec_trailing_slash.xml
@ -0,0 +1,9 @@
+<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
+	<metadata minClientVersion="2.12">
+		<id>Foo</id>
+		<version>4.0.1</version>
+		<title>Foo.NET</title>
+		<repository type="git" url="https://github.com/foo/foo.net/" commit="123"/>
+		<projectUrl>foo</projectUrl>
+	</metadata>
+</package>
--- a/cmd/internal/packagemanager/client.go
+++ b/cmd/internal/packagemanager/client.go
@ -12,7 +12,8 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package cmd
+// Package packagemanager implements a packagemanager client
+package packagemanager

 import (
 	"fmt"
@ -20,18 +21,30 @@ import (
 	"time"
 )

-type packageManagerClient interface {
+type Client interface {
 	Get(URI string, packagename string) (*http.Response, error)
+
+	GetURI(URI string) (*http.Response, error)
 }

-type packageManager struct{}
+type PackageManagerClient struct{}

 // nolint: noctx
-func (c *packageManager) Get(url, packageName string) (*http.Response, error) {
+func (c *PackageManagerClient) Get(url, packageName string) (*http.Response, error) {
+	return c.getRemoteURL(fmt.Sprintf(url, packageName))
+}
+
+// nolint: noctx
+func (c *PackageManagerClient) GetURI(url string) (*http.Response, error) {
+	return c.getRemoteURL(url)
+}
+
+// nolint: noctx
+func (c *PackageManagerClient) getRemoteURL(url string) (*http.Response, error) {
 	const timeout = 10
 	client := &http.Client{
 		Timeout: timeout * time.Second,
 	}
 	//nolint
-	return client.Get(fmt.Sprintf(url, packageName))
+	return client.Get(url)
 }
--- a/cmd/internal/packagemanager/client_test.go
+++ b/cmd/internal/packagemanager/client_test.go
@ -0,0 +1,131 @@
+// Copyright 2020 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package packagemanager implements a packagemanager client
+package packagemanager
+
+import (
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func Test_GetURI_calls_client_get_with_input(t *testing.T) {
+	t.Parallel()
+	type args struct {
+		inputURL string
+	}
+	tests := []struct {
+		name         string
+		args         args
+		wantURL      string
+		wantResponse string
+	}{
+		{
+			name: "GetURI_input_is_the_same_as_get_uri",
+
+			args: args{
+				inputURL: "test",
+			},
+			wantURL:      "/test",
+			wantResponse: "test",
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				if r.URL.Path != tt.wantURL {
+					t.Errorf("Expected to request '%s', got: %s", tt.wantURL, r.URL.Path)
+				}
+				// nolint
+				w.WriteHeader(http.StatusOK)
+				// nolint
+				w.Write([]byte(tt.wantResponse))
+			}))
+			defer server.Close()
+			client := PackageManagerClient{}
+			got, err := client.GetURI(server.URL + "/" + tt.args.inputURL)
+			if err != nil {
+				t.Errorf("Test_GetURI_calls_client_get_with_input() error in Get= %v", err)
+				return
+			}
+			body, err := io.ReadAll(got.Body)
+			if err != nil {
+				t.Errorf("Test_GetURI_calls_client_get_with_input() error in ReadAll= %v", err)
+				return
+			}
+			if string(body) != tt.wantResponse {
+				t.Errorf("GetURI() = %v, want %v", got, tt.wantResponse)
+			}
+		})
+	}
+}
+
+func Test_Get_calls_client_get_with_input(t *testing.T) {
+	t.Parallel()
+	type args struct {
+		inputURL    string
+		packageName string
+	}
+	tests := []struct {
+		name         string
+		args         args
+		wantURL      string
+		wantResponse string
+	}{
+		{
+			name: "Get_input_adds_package_name_for_get_uri",
+
+			args: args{
+				inputURL:    "test-%s-test",
+				packageName: "test_package",
+			},
+			wantURL:      "/test-test_package-test",
+			wantResponse: "test",
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				if r.URL.Path != tt.wantURL {
+					t.Errorf("Expected to request '%s', got: %s", tt.wantURL, r.URL.Path)
+				}
+				// nolint
+				w.WriteHeader(http.StatusOK)
+				// nolint
+				w.Write([]byte(tt.wantResponse))
+			}))
+			defer server.Close()
+			client := PackageManagerClient{}
+			got, err := client.Get(server.URL+"/"+tt.args.inputURL, tt.args.packageName)
+			if err != nil {
+				t.Errorf("Test_Get_calls_client_get_with_input() error in Get = %v", err)
+				return
+			}
+			body, err := io.ReadAll(got.Body)
+			if err != nil {
+				t.Errorf("Test_Get_calls_client_get_with_input() error in ReadAll = %v", err)
+				return
+			}
+			if string(body) != tt.wantResponse {
+				t.Errorf("GetURI() = %v, want %v", got, tt.wantResponse)
+			}
+		})
+	}
+}
--- a/cmd/internal/packagemanager/packagemanager_mockclient.go
+++ b/cmd/internal/packagemanager/packagemanager_mockclient.go
@ -0,0 +1,80 @@
+// Copyright 2021 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+// Code generated by MockGen. DO NOT EDIT.
+// Source: cmd/internal/packagemanager/client.go
+
+// Package packagemanager is a generated GoMock package.
+package packagemanager
+
+import (
+	http "net/http"
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+)
+
+// MockClient is a mock of Client interface.
+type MockClient struct {
+	ctrl     *gomock.Controller
+	recorder *MockClientMockRecorder
+}
+
+// MockClientMockRecorder is the mock recorder for MockClient.
+type MockClientMockRecorder struct {
+	mock *MockClient
+}
+
+// NewMockClient creates a new mock instance.
+func NewMockClient(ctrl *gomock.Controller) *MockClient {
+	mock := &MockClient{ctrl: ctrl}
+	mock.recorder = &MockClientMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockClient) EXPECT() *MockClientMockRecorder {
+	return m.recorder
+}
+
+// Get mocks base method.
+func (m *MockClient) Get(URI, packagename string) (*http.Response, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Get", URI, packagename)
+	ret0, _ := ret[0].(*http.Response)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Get indicates an expected call of Get.
+func (mr *MockClientMockRecorder) Get(URI, packagename interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Get", reflect.TypeOf((*MockClient)(nil).Get), URI, packagename)
+}
+
+// GetURI mocks base method.
+func (m *MockClient) GetURI(URI string) (*http.Response, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetURI", URI)
+	ret0, _ := ret[0].(*http.Response)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetURI indicates an expected call of GetURI.
+func (mr *MockClientMockRecorder) GetURI(URI interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetURI", reflect.TypeOf((*MockClient)(nil).GetURI), URI)
+}
--- a/cmd/package_managers.go
+++ b/cmd/package_managers.go
@ -19,6 +19,8 @@ import (
 	"encoding/json"
 	"fmt"

+	ngt "github.com/ossf/scorecard/v4/cmd/internal/nuget"
+	pmc "github.com/ossf/scorecard/v4/cmd/internal/packagemanager"
 	sce "github.com/ossf/scorecard/v4/errors"
 )

@ -27,8 +29,8 @@ type packageMangerResponse struct {
 	exists         bool
 }

-func fetchGitRepositoryFromPackageManagers(npm, pypi, rubygems string,
-	manager packageManagerClient,
+func fetchGitRepositoryFromPackageManagers(npm, pypi, rubygems, nuget string,
+	manager pmc.Client,
 ) (packageMangerResponse, error) {
 	if npm != "" {
 		gitRepo, err := fetchGitRepositoryFromNPM(npm, manager)
@ -51,6 +53,14 @@ func fetchGitRepositoryFromPackageManagers(npm, pypi, rubygems string,
 			associatedRepo: gitRepo,
 		}, err
 	}
+	if nuget != "" {
+		nugetClient := ngt.NugetClient{Manager: manager}
+		gitRepo, err := fetchGitRepositoryFromNuget(nuget, nugetClient)
+		return packageMangerResponse{
+			exists:         true,
+			associatedRepo: gitRepo,
+		}, err
+	}

 	return packageMangerResponse{}, nil
 }
@ -78,7 +88,7 @@ type rubyGemsSearchResults struct {
 }

 // Gets the GitHub repository URL for the npm package.
-func fetchGitRepositoryFromNPM(packageName string, packageManager packageManagerClient) (string, error) {
+func fetchGitRepositoryFromNPM(packageName string, packageManager pmc.Client) (string, error) {
 	npmSearchURL := "https://registry.npmjs.org/-/v1/search?text=%s&size=1"
 	resp, err := packageManager.Get(npmSearchURL, packageName)
 	if err != nil {
@ -99,7 +109,7 @@ func fetchGitRepositoryFromNPM(packageName string, packageManager packageManager
 }

 // Gets the GitHub repository URL for the pypi package.
-func fetchGitRepositoryFromPYPI(packageName string, manager packageManagerClient) (string, error) {
+func fetchGitRepositoryFromPYPI(packageName string, manager pmc.Client) (string, error) {
 	pypiSearchURL := "https://pypi.org/pypi/%s/json"
 	resp, err := manager.Get(pypiSearchURL, packageName)
 	if err != nil {
@ -120,7 +130,7 @@ func fetchGitRepositoryFromPYPI(packageName string, manager packageManagerClient
 }

 // Gets the GitHub repository URL for the rubygems package.
-func fetchGitRepositoryFromRubyGems(packageName string, manager packageManagerClient) (string, error) {
+func fetchGitRepositoryFromRubyGems(packageName string, manager pmc.Client) (string, error) {
 	rubyGemsSearchURL := "https://rubygems.org/api/v1/gems/%s.json"
 	resp, err := manager.Get(rubyGemsSearchURL, packageName)
 	if err != nil {
@ -138,3 +148,13 @@ func fetchGitRepositoryFromRubyGems(packageName string, manager packageManagerCl
 	}
 	return v.SourceCodeURI, nil
 }
+
+// Gets the GitHub repository URL for the nuget package.
+func fetchGitRepositoryFromNuget(packageName string, nugetClient ngt.Client) (string, error) {
+	repositoryURI, err := nugetClient.GitRepositoryByPackageName(packageName)
+	if err != nil {
+		return "", sce.WithMessage(sce.ErrScorecardInternal,
+			fmt.Sprintf("could not find source repo for nuget package: %v", err))
+	}
+	return repositoryURI, nil
+}
--- a/cmd/package_managers_test.go
+++ b/cmd/package_managers_test.go
@ -23,6 +23,9 @@ import (
 	"testing"

 	"github.com/golang/mock/gomock"
+
+	ngt "github.com/ossf/scorecard/v4/cmd/internal/nuget"
+	pmc "github.com/ossf/scorecard/v4/cmd/internal/packagemanager"
 )

 func Test_fetchGitRepositoryFromNPM(t *testing.T) {
@ -133,7 +136,7 @@ func Test_fetchGitRepositoryFromNPM(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			ctrl := gomock.NewController(t)
-			p := NewMockpackageManagerClient(ctrl)
+			p := pmc.NewMockClient(ctrl)
 			p.EXPECT().Get(gomock.Any(), tt.args.packageName).
 				DoAndReturn(func(url, packageName string) (*http.Response, error) {
 					if tt.wantErr && tt.args.result == "" {
@ -413,7 +416,7 @@ func Test_fetchGitRepositoryFromPYPI(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			ctrl := gomock.NewController(t)
-			p := NewMockpackageManagerClient(ctrl)
+			p := pmc.NewMockClient(ctrl)
 			p.EXPECT().Get(gomock.Any(), tt.args.packageName).
 				DoAndReturn(func(url, packageName string) (*http.Response, error) {
 					if tt.wantErr && tt.args.result == "" {
@ -682,7 +685,7 @@ func Test_fetchGitRepositoryFromRubyGems(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			ctrl := gomock.NewController(t)
-			p := NewMockpackageManagerClient(ctrl)
+			p := pmc.NewMockClient(ctrl)
 			p.EXPECT().Get(gomock.Any(), tt.args.packageName).
 				DoAndReturn(func(url, packageName string) (*http.Response, error) {
 					if tt.wantErr && tt.args.result == "" {
@ -706,3 +709,65 @@ func Test_fetchGitRepositoryFromRubyGems(t *testing.T) {
 		})
 	}
 }
+
+func Test_fetchGitRepositoryFromNuget(t *testing.T) {
+	t.Parallel()
+	type args struct {
+		packageName string
+		result      string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    string
+		wantErr bool
+	}{
+		{
+			name: "Return repository from nuget client",
+			//nolint
+			args: args{
+				packageName: "nuget-package",
+				//nolint
+				result: "nuget",
+			},
+			want:    "nuget",
+			wantErr: false,
+		},
+		{
+			name: "Error from nuget client",
+			//nolint
+			args: args{
+				packageName: "nuget-package",
+				//nolint
+				result: "",
+			},
+			want:    "",
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			ctrl := gomock.NewController(t)
+			n := ngt.NewMockClient(ctrl)
+			n.EXPECT().GitRepositoryByPackageName(tt.args.packageName).
+				DoAndReturn(func(packageName string) (string, error) {
+					if tt.wantErr && tt.args.result == "" {
+						//nolint
+						return "", errors.New("error")
+					}
+
+					return tt.args.result, nil
+				}).AnyTimes()
+			got, err := fetchGitRepositoryFromNuget(tt.args.packageName, n)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("fetchGitRepositoryFromNuget() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != tt.want {
+				t.Errorf("fetchGitRepositoryFromNuget() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
--- a/cmd/packagemanager_mockclient.go
+++ b/cmd/packagemanager_mockclient.go
@ -1,65 +0,0 @@
-// Copyright 2021 OpenSSF Scorecard Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-
-// Code generated by MockGen. DO NOT EDIT.
-// Source: cmd/packagemanager_client.go
-
-// Package cmd is a generated GoMock package.
-package cmd
-
-import (
-	http "net/http"
-	reflect "reflect"
-
-	gomock "github.com/golang/mock/gomock"
-)
-
-// MockpackageManagerClient is a mock of packageManagerClient interface.
-type MockpackageManagerClient struct {
-	ctrl     *gomock.Controller
-	recorder *MockpackageManagerClientMockRecorder
-}
-
-// MockpackageManagerClientMockRecorder is the mock recorder for MockpackageManagerClient.
-type MockpackageManagerClientMockRecorder struct {
-	mock *MockpackageManagerClient
-}
-
-// NewMockpackageManagerClient creates a new mock instance.
-func NewMockpackageManagerClient(ctrl *gomock.Controller) *MockpackageManagerClient {
-	mock := &MockpackageManagerClient{ctrl: ctrl}
-	mock.recorder = &MockpackageManagerClientMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockpackageManagerClient) EXPECT() *MockpackageManagerClientMockRecorder {
-	return m.recorder
-}
-
-// Get mocks base method.
-func (m *MockpackageManagerClient) Get(URI, packagename string) (*http.Response, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Get", URI, packagename)
-	ret0, _ := ret[0].(*http.Response)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// Get indicates an expected call of Get.
-func (mr *MockpackageManagerClientMockRecorder) Get(URI, packagename interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Get", reflect.TypeOf((*MockpackageManagerClient)(nil).Get), URI, packagename)
-}
--- a/cmd/root.go
+++ b/cmd/root.go
@ -27,6 +27,7 @@ import (

 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/clients"
+	pmc "github.com/ossf/scorecard/v4/cmd/internal/packagemanager"
 	docs "github.com/ossf/scorecard/v4/docs/checks"
 	sce "github.com/ossf/scorecard/v4/errors"
 	sclog "github.com/ossf/scorecard/v4/log"
@ -37,7 +38,7 @@ import (

 const (
 	scorecardLong = "A program that shows the OpenSSF scorecard for an open source software."
-	scorecardUse  = `./scorecard (--repo=<repo> | --local=<folder> | --{npm,pypi,rubygems}=<package_name>)
+	scorecardUse  = `./scorecard (--repo=<repo> | --local=<folder> | --{npm,pypi,rubygems,nuget}=<package_name>)
 	 [--checks=check1,...] [--show-details]`
 	scorecardShort = "OpenSSF Scorecard"
 )
@ -72,9 +73,9 @@ func New(o *options.Options) *cobra.Command {

 // rootCmd runs scorecard checks given a set of arguments.
 func rootCmd(o *options.Options) error {
-	p := &packageManager{}
+	p := &pmc.PackageManagerClient{}
 	// Set `repo` from package managers.
-	pkgResp, err := fetchGitRepositoryFromPackageManagers(o.NPM, o.PyPI, o.RubyGems, p)
+	pkgResp, err := fetchGitRepositoryFromPackageManagers(o.NPM, o.PyPI, o.RubyGems, o.Nuget, p)
 	if err != nil {
 		return fmt.Errorf("fetchGitRepositoryFromPackageManagers: %w", err)
 	}
--- a/options/flags.go
+++ b/options/flags.go
@ -45,6 +45,9 @@ const (
 	// FlagRubyGems is the flag name for specifying a RubyGems repository.
 	FlagRubyGems = "rubygems"

+	// FlagNuget is the flag name for specifying a Nuget repository.
+	FlagNuget = "nuget"
+
 	// FlagMetadata is the flag name for specifying metadata for the project.
 	FlagMetadata = "metadata"

@ -120,6 +123,13 @@ func (o *Options) AddFlags(cmd *cobra.Command) {
 		"rubygems package to check, given that the rubygems package has a GitHub repository",
 	)

+	cmd.Flags().StringVar(
+		&o.Nuget,
+		FlagNuget,
+		o.Nuget,
+		"nuget package to check, given that the nuget package has a GitHub repository",
+	)
+
 	cmd.Flags().StringSliceVar(
 		&o.Metadata,
 		FlagMetadata,
--- a/options/options.go
+++ b/options/options.go
@ -37,6 +37,7 @@ type Options struct {
 	NPM        string
 	PyPI       string
 	RubyGems   string
+	Nuget      string
 	PolicyFile string
 	// TODO(action): Add logic for writing results to file
 	ResultsFile string
@ -113,7 +114,7 @@ var (
 	errPolicyFileNotSupported          = errors.New("policy file is not supported yet")
 	errRawOptionNotSupported           = errors.New("raw option is not supported yet")
 	errRepoOptionMustBeSet             = errors.New(
-		"exactly one of `repo`, `npm`, `pypi`, `rubygems` or `local` must be set",
+		"exactly one of `repo`, `npm`, `pypi`, `rubygems`, `nuget` or `local` must be set",
 	)
 	errSARIFNotSupported = errors.New("SARIF format is not supported yet")
 	errValidate          = errors.New("some options could not be validated")
@ -124,11 +125,12 @@ var (
 func (o *Options) Validate() error {
 	var errs []error

-	// Validate exactly one of `--repo`, `--npm`, `--pypi`, `--rubygems`, `--local` is enabled.
+	// Validate exactly one of `--repo`, `--npm`, `--pypi`, `--rubygems`, `--nuget`, `--local` is enabled.
 	if boolSum(o.Repo != "",
 		o.NPM != "",
 		o.PyPI != "",
 		o.RubyGems != "",
+		o.Nuget != "",
 		o.Local != "") != 1 {
 		errs = append(
 			errs,
--- a/options/options_test.go
+++ b/options/options_test.go
@ -21,7 +21,7 @@ import (
 )

 // Cannot run parallel tests because of the ENV variables.
-//nolint
+// nolint
 func TestOptions_Validate(t *testing.T) {
 	type fields struct {
 		Repo              string
@ -32,6 +32,7 @@ func TestOptions_Validate(t *testing.T) {
 		NPM               string
 		PyPI              string
 		RubyGems          string
+		Nuget             string
 		PolicyFile        string
 		ResultsFile       string
 		ChecksToRun       []string
@ -99,6 +100,7 @@ func TestOptions_Validate(t *testing.T) {
 				NPM:               tt.fields.NPM,
 				PyPI:              tt.fields.PyPI,
 				RubyGems:          tt.fields.RubyGems,
+				Nuget:             tt.fields.Nuget,
 				PolicyFile:        tt.fields.PolicyFile,
 				ResultsFile:       tt.fields.ResultsFile,
 				ChecksToRun:       tt.fields.ChecksToRun,