From 8c9e552f68e5fd070692b8376ac51d2e8a7f0aaa Mon Sep 17 00:00:00 2001 From: Avishay Balter Date: Fri, 16 Jun 2023 02:13:41 +0300 Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20add=20--nuget=20package=20manager?= =?UTF-8?q?=20flag=20(#3020)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * add nuget package manager Signed-off-by: Avishay * fix pat test messages (#2987) * also fix pat tests Signed-off-by: Raghav Kaul Signed-off-by: Avishay * :seedling: Bump slsa-framework/slsa-github-generator from 1.5.0 to 1.6.0 Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.5.0 to 1.6.0. - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :seedling: Bump cloud.google.com/go/bigquery from 1.51.1 to 1.51.2 (#2984) Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.51.1 to 1.51.2. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.51.1...bigquery/v1.51.2) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 
Signed-off-by: Avishay * :seedling: Bump golang.org/x/tools from 0.9.0 to 0.9.1 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.0 to 0.9.1. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.0...v0.9.1) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :bug: Update osv-scanner dependency to include Vulnerabilities check fixes (#2981) * Update osv-scanner dependency to include Vulnerabilities check fixes Signed-off-by: Laurent Savaëte * Run go mod tidy Signed-off-by: Laurent Savaëte --------- Signed-off-by: Laurent Savaëte Signed-off-by: Avishay * :seedling: Bump github.com/docker/distribution in /tools (#2993) Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible. - [Release notes](https://github.com/docker/distribution/releases) - [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2) --- updated-dependencies: - dependency-name: github.com/docker/distribution dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * 🌱 Gitlab: e2e test fixes in main (#2992) * test secret chagnes Signed-off-by: Raghav Kaul * update score Signed-off-by: Raghav Kaul * address cr comments Signed-off-by: Raghav Kaul * update Signed-off-by: Raghav Kaul --------- Signed-off-by: Raghav Kaul Signed-off-by: Avishay * :seedling: Unit tests log/log.go (#2980) - Add unit tests for the log package - Add Apache License to log_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> 
Signed-off-by: Avishay * :seedling: Bump github.com/cloudflare/circl in /tools (#2995) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.2.0 to 1.3.3. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.2.0...v1.3.3) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * :sparkles: Add releasing workflow for semantic-release (#2989) Signed-off-by: Matt Travi Signed-off-by: Avishay * :seedling: Bump slsa-framework/slsa-verifier from 2.2.0 to 2.3.0 Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.2.0 to 2.3.0. - [Release notes](https://github.com/slsa-framework/slsa-verifier/releases) - [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md) - [Commits](https://github.com/slsa-framework/slsa-verifier/compare/v2.2.0...v2.3.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-verifier dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :seedling: Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#2994) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.1.0 to 1.3.3. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.1.0...v1.3.3) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 
Signed-off-by: Avishay * :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934) * :seedling: Additional e2e clients/githubrepo/checkruns.go - Add `net/http` and `github.com/google/go-github/v38/github` imports - Add a test for `listCheckRunsForRef` with valid ref - Add a test for `listCheckRunsForRef` with invalid ref Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Based on code review comments Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Some tweaks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay * :seedling: E2E for clients/githubrepo/contributors.go (#2939) * :seedling: E2E for clients/githubrepo/contributors.go - Add an end-to-end test for `contributorsHandler` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed based on code review comments. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed codereview comment. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay * :book: Clarify that AI/ML doesn't count as human code review (#2953) * Clarify that AI/ML doesn't count as human code review Add this clarification per the Scorecards Zoom call meeting today (2023-05-04). Signed-off-by: David A. Wheeler * Tweaked per review Signed-off-by: David A. Wheeler --------- Signed-off-by: David A. Wheeler Signed-off-by: Avishay * :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/cii Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] 
Signed-off-by: Avishay * :seedling: Bump golang in /cron/internal/controller Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :seedling: Bump golang in /cron/internal/worker Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :seedling: Bump golang from `31a8f92` to `685a22e` Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/bq Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :seedling: Bump golang in /cron/internal/webhook Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * Clarify AI/ML not human code review - in .yml file (#3012) This clarifies that AI/ML doesn't count as human code review. This was earlier done in #2953 but that didn't modify the relevant .yml file - this does. Signed-off-by: David A. Wheeler 
Signed-off-by: Avishay * :seedling: Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#3005) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.7.0 to 0.8.0. - [Commits](https://github.com/golang/oauth2/compare/v0.7.0...v0.8.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Unit tests for checks/raw/maintained.go (#2996) - Add tests and checks for the `Maintained` function - Add checks for `IsArchived`, `ListCommits`, `ListIssues`, and `GetCreatedAt` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 in /tools Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :seedling: Bump actions/setup-go from 4.0.0 to 4.0.1 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/4d34df0c2316fe8122ab82dc22947d607c0c91f9...fac708d6674e30b6ba41289acaab6d4b75aa0753) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] 
Signed-off-by: Avishay * :seedling: Bump codecov/codecov-action from 3.1.3 to 3.1.4 Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/894ff025c7b54547a9a2a1e9f228beae737ad3c2...eaaf4bedf32dbdc6b720b63067d99c4d77d6047d) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :seedling: Unit tests for Policy.go (#3003) - Included tests for policy.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :seedling: Bump sigstore/cosign-installer from 3.0.3 to 3.0.4 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/204a51a57a74d190b284a0ce69b44bc37201f343...03d0fecf172873164a163bbc64bed0f3bf114ed7) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] 
Signed-off-by: Avishay * :seedling: Bump github.com/google/go-containerregistry (#3025) Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.1 to 0.15.2. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](https://github.com/google/go-containerregistry/compare/v0.15.1...v0.15.2) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1 Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.1. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.1) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :seedling: Included e2e tests for push to main (#2951) - Update trigger for integration tests to enable running on `push` and `pull_request` on the `main` branch Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Included directories that don't require coverage (#3002) - Included directories that don't require coverage. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Unit tests for checks/raw/contributors.go (#2998) - Add tests and fix casing for Contributors function in checks/raw/contributors_test.go 
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay * ✨ GitLab: Code Review check (#2764) * Add GitLab support for Code-Review check Signed-off-by: Raghav Kaul * Remove spurious printf Signed-off-by: Raghav Kaul * Working commit Signed-off-by: Raghav Kaul * update Signed-off-by: Raghav Kaul * update Signed-off-by: Raghav Kaul * e2e test Signed-off-by: Raghav Kaul * update: test coverage Signed-off-by: Raghav Kaul --------- Signed-off-by: Raghav Kaul Signed-off-by: Avishay * gitlab: license check (#2834) Signed-off-by: Raghav Kaul Signed-off-by: Avishay * :seedling: Bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#3031) Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.1 to 1.9.2. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.1...v1.9.2) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Bump github.com/google/osv-scanner Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3-0.20230509011216-baae1796eeea to 1.3.3. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/commits/v1.3.3) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] 
Signed-off-by: Avishay * :seedling: Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#3029) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/03d0fecf172873164a163bbc64bed0f3bf114ed7...dd6b2e2b610a11fd73dd187a43d57cc1394e35f9) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Bump arduino/setup-protoc from 1.1.2 to 1.2.0 Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.1.2 to 1.2.0. - [Release notes](https://github.com/arduino/setup-protoc/releases) - [Commits](https://github.com/arduino/setup-protoc/compare/64c0c85d18e984422218383b81c52f8b077404d3...4b3578161eece2eb20a9dfd84bb8ed105e684dba) --- updated-dependencies: - dependency-name: arduino/setup-protoc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :sparkles: Add support for github GHES (#2999) * :sparkles: adding support for github GHES Signed-off-by: Niket Patel * fix: lint and cleanup Signed-off-by: Niket Patel * fix: flaky test Signed-off-by: Niket Patel * fix: address missing host Signed-off-by: Niket Patel * fix: lint error Signed-off-by: Niket Patel * :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934) * :seedling: Additional e2e clients/githubrepo/checkruns.go - Add `net/http` and `github.com/google/go-github/v38/github` imports - Add a test for `listCheckRunsForRef` with valid ref - Add a test for `listCheckRunsForRef` with invalid ref 
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Based on code review comments Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Some tweaks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel * :seedling: E2E for clients/githubrepo/contributors.go (#2939) * :seedling: E2E for clients/githubrepo/contributors.go - Add an end-to-end test for `contributorsHandler` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed based on code review comments. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed codereview comment. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel * chore: add GHES instructions Signed-off-by: Niket Patel * refact: use test setenv Signed-off-by: Niket Patel * fix: corp unit test Signed-off-by: Niket Patel --------- Signed-off-by: Niket Patel Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Niket Patel Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay * Change Facilitators to Maintainers (#3039) Not sure what the old facilitators table was for. Current list of Maintainers is always in CODEOWNERS. Meaning of "Maintainers" still is not defined, and should be a part of an upcoming contributor ladder. Signed-off-by: Jeff Mendoza Signed-off-by: Avishay * :bug: Gitlab: Commit/Commitor Exceptions (#3026) * feat: Added paging for contributor/users against gitlab projects 
Signed-off-by: Robison, Jim B * refactor: Updated the bot flag for unmatched users Signed-off-by: Robison, Jim B * fix: Not all commit users are in the git registry instance Signed-off-by: Robison, Jim B * fix: Skipping check if the email is empty, as well as if the "email" doesn't contain a "." char. Signed-off-by: Robison, Jim B * fix: Updated to allow for commits with PRs to be accounted/added to the client.commits Signed-off-by: Robison, Jim B * refactor: Updated to prevent linting issue regarding nested if's Signed-off-by: Robison, Jim B * test: Adding coverage for commits and contributors for gitlab Signed-off-by: Robison, Jim B * refactor: Moved queries from the client to their own functions Signed-off-by: Robison, Jim B * bug: Need to pass the ProjectID value to the contributor query Signed-off-by: Robison, Jim B * bug: Updating project title versus projectID values for api querying Signed-off-by: Robison, Jim B * test: Updated tests to match expected property set for projectID Signed-off-by: Robison, Jim B * revert: Reverted based on feedback during review Signed-off-by: Robison, Jim B --------- Signed-off-by: Robison, Jim B Signed-off-by: Avishay * :seedling: Bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#3040) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * :book: Make all StepSecurity app endpoint references consistent (#3042) Signed-off-by: Ashish Kurmi 
Signed-off-by: Avishay * 📖 Update checks.md to show the benefit of >=2 reviewers (#3013) * Update checks.yaml instead of cehcks.md Signed-off-by: Joyce * feat: generate checks.md Signed-off-by: Joyce Brum --------- Signed-off-by: Joyce Signed-off-by: Joyce Brum Signed-off-by: Avishay * :seedling: Improve workflow pinning remediation tests (#3021) - Add 3 tests for workflow pinning remediation [remediation/remediations_test.go] - Add 3 tests for workflow pinning remediation Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay * :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go (#3000) * :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go - Included e2e tests for clients/githubrepo/languages_e2e_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed the token type check. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Unit tests for pkg/json_raw_results (#3044) * :seedling: Unit tests for pkg/json_raw_results.go - Unit tests for pkg/json_raw_results.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Additional tests Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay * ✨ [experimental] Add probe code and support for Tool-Update-Dependency (#2944) * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update 
Signed-off-by: laurentsimon --------- Signed-off-by: laurentsimon Signed-off-by: Avishay * add zoom link and agenda link (#3050) Signed-off-by: Amanda L Martin Signed-off-by: Avishay * :seedling: Run E2E PAT test for push to main (#3046) - Add E2E PAT tests for push to main. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay * Update main.yml (#3054) -Fixed the YAML indenting issue. Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay * only run e2e pat on push (#3056) Signed-off-by: Spencer Schrock Signed-off-by: Avishay * :seedling: Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#3057) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * :book: :ghost: fix anchor link to the code review section (#3058) * fix anchor link to code-review in checks.yaml Signed-off-by: dasfreak Signed-off-by: Marc Ohm * generate checks.md Signed-off-by: Marc Ohm --------- Signed-off-by: dasfreak Signed-off-by: Marc Ohm Signed-off-by: Avishay * 🐛 Gitlab: Tests (#3027) * fix tests Signed-off-by: Raghav Kaul * use projectID instead of project where applicable Signed-off-by: Raghav Kaul * pass ref as listcommitoption Signed-off-by: Raghav Kaul * update tests * CI-Tests: check if score > 0. pull request client is limited and can't go back to arbitrary pull requests. CI-Tests don't run on forks, so this can't be pinned either. But, for active repositories, we typically expect *some* tests to be run 
Signed-off-by: Raghav Kaul * fix commitshandler commitSHA tests Signed-off-by: Raghav Kaul * update tests Signed-off-by: Raghav Kaul --------- Signed-off-by: Raghav Kaul Signed-off-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Bump github.com/goreleaser/nfpm/v2 in /tools (#3060) Bumps [github.com/goreleaser/nfpm/v2](https://github.com/goreleaser/nfpm) from 2.28.0 to 2.29.0. - [Release notes](https://github.com/goreleaser/nfpm/releases) - [Changelog](https://github.com/goreleaser/nfpm/blob/main/.goreleaser.yml) - [Commits](https://github.com/goreleaser/nfpm/compare/v2.28.0...v2.29.0) --- updated-dependencies: - dependency-name: github.com/goreleaser/nfpm/v2 dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * ✨ Gitlab: Add projects to cron (#2936) * cron: add gitlab projects * support gitlab client * simplify gitlab detection Signed-off-by: Raghav Kaul * fix MakeGitlabRepo * shortcut when repo url is github.com * fixes add-projects, validate-projects Signed-off-by: Raghav Kaul * Move gitlab repos to release controller Signed-off-by: Raghav Kaul * Add csv headers Signed-off-by: Raghav Kaul * Use gitlab.WithBaseURL Signed-off-by: Raghav Kaul * formatting & logging Signed-off-by: Raghav Kaul * remove spurious test Signed-off-by: Raghav Kaul * consolidate logic Signed-off-by: Raghav Kaul * Turn on experimental flag Signed-off-by: Raghav Kaul * Add projects Signed-off-by: Raghav Kaul * Update client Signed-off-by: Raghav Kaul * update Signed-off-by: Raghav Kaul * update Signed-off-by: Raghav Kaul * update Signed-off-by: Raghav Kaul * update Signed-off-by: Raghav Kaul --------- Signed-off-by: Raghav Kaul Signed-off-by: Avishay * :seedling: Simplify caching in docker workflow (#3061) Signed-off-by: Spencer Schrock 
Signed-off-by: Avishay * :seedling: Bump github/codeql-action from 2.3.3 to 2.3.4 (#3064) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/29b1f65c5e92e24fe6b6647da1eaabe529cec70f...f0e3dfb30302f8a0881bb509b044e0de4f6ef589) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Bump cloud.google.com/go/pubsub from 1.30.1 to 1.31.0 (#3065) Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.30.1 to 1.31.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.30.1...pubsub/v1.31.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/pubsub dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * 🐛 gitlab: cron (#3070) Signed-off-by: Raghav Kaul 
Signed-off-by: Avishay * :seedling: Bump github/codeql-action from 2.3.4 to 2.3.5 (#3072) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.4 to 2.3.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/f0e3dfb30302f8a0881bb509b044e0de4f6ef589...0225834cc549ee0ca93cb085b92954821a145866) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Bump tj-actions/changed-files from 35.9.2 to 36.0.3 (#3071) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.9.2 to 36.0.3. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/b2d17f51244a144849c6b37a3a6791b98a51d86f...25eaddf37ae893cec889065e9a60439c8af6f089) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * 🐛 Gitlab status updates (#3052) * doc: Updating gitlab support validation status Signed-off-by: Robison, Jim B * bug: Updated logic for gitlab to prevent exceptions based on releases Signed-off-by: Robison, Jim B * test: Added initial tests for gitlab branches Signed-off-by: Robison, Jim B * doc: Updated general README Signed-off-by: Robison, Jim B * refactor: Cleaned up the query for pipelines to be focused on the commitID 
Signed-off-by: Robison, Jim B * feat: Allowed for a non-graphql method of retrieving MRs associated to a commit Signed-off-by: Robison, Jim B * doc: Updated status for the CI-Tests Signed-off-by: Robison, Jim B * bug: Updated the host url for graphql querying. This enabled the removal of the code added for handling empty returns when executing against a non-gitlab.com repository. Signed-off-by: Robison, Jim B --------- Signed-off-by: Robison, Jim B Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 in /tools (#3079) Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.1.1 to 1.2.0. - [Release notes](https://github.com/sigstore/rekor/releases) - [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/rekor/compare/v1.1.1...v1.2.0) --- updated-dependencies: - dependency-name: github.com/sigstore/rekor dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * get nuget latest version from registration URL Signed-off-by: Avishay * better coverage Signed-off-by: Avishay * sign Signed-off-by: Avishay * fix tests Signed-off-by: Avishay * more tests Signed-off-by: Avishay * client tests Signed-off-by: Avishay * lint Signed-off-by: Avishay * Apply suggestions from code review Co-authored-by: Joel Verhagen Signed-off-by: Avishay Balter Signed-off-by: Avishay * :seedling: Bump golang from `685a22e` to `690e413` (#3080) Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 
Signed-off-by: Avishay * :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/cii Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :seedling: Bump golang in /cron/internal/controller Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :seedling: Bump golang in /cron/internal/worker Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :seedling: Bump golang in /cron/internal/webhook Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/bq Bumps golang from `685a22e` to `690e413`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] 
Signed-off-by: Avishay * :seedling: Bump arduino/setup-protoc from 1.2.0 to 1.3.0 (#3089) Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.2.0 to 1.3.0. - [Release notes](https://github.com/arduino/setup-protoc/releases) - [Commits](https://github.com/arduino/setup-protoc/compare/4b3578161eece2eb20a9dfd84bb8ed105e684dba...149f6c87b92550901b26acd1632e11c3662e381f) --- updated-dependencies: - dependency-name: arduino/setup-protoc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Bump tj-actions/changed-files from 36.0.3 to 36.0.9 (#3088) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.3 to 36.0.9. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/25eaddf37ae893cec889065e9a60439c8af6f089...cf4fe8759a45edd76ed6215da3529d2dbd2a3c68) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * pr iteration 2 Signed-off-by: Avishay * pr iteration 3 Signed-off-by: Avishay * switch security policy e2e test to ossf-tests repo. (#3090) tensorflow/tensorflow is huge and was slowing down tests. Also removed the rust e2e tests because they're already present as unit tests. Signed-off-by: Spencer Schrock 
Signed-off-by: Avishay * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 in /tools (#3094) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 (#3093) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#3104) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.4 to 3.0.6. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e...1360a344ccb0ab6e9475edef90ad2f46bf8003b1) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Bump tj-actions/changed-files from 36.0.9 to 36.0.12 (#3108) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.9 to 36.0.12. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/cf4fe8759a45edd76ed6215da3529d2dbd2a3c68...5978e5a2df95ef20cde627d4acb5edd1f87ba46a) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Bump github.com/xanzy/go-gitlab from 0.83.0 to 0.84.0 (#3106) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.83.0 to 0.84.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](https://github.com/xanzy/go-gitlab/compare/v0.83.0...v0.84.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Bump golang.org/x/tools from 0.9.1 to 0.9.2 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.1 to 0.9.2. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.1...v0.9.2) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] 
Signed-off-by: Avishay * ✨ GitLab: enable more checks in cron (#3097) * Enable checks * Binary-Artifacts * Code-Review * License * Vulnerabilities Signed-off-by: Raghav Kaul * Enable more checks * CII Best Practices * Fuzzing * Maintained * Packaging * Pinned-Dependencies * Signed-Releases Signed-off-by: Raghav Kaul * update repo name Signed-off-by: Raghav Kaul --------- Signed-off-by: Raghav Kaul Signed-off-by: Avishay * :book: agenda link change (#3111) Signed-off-by: Amanda L Martin Signed-off-by: Avishay * :seedling: Bump github/codeql-action from 2.3.5 to 2.3.6 (#3112) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Bump tj-actions/changed-files from 36.0.12 to 36.0.15 (#3116) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.12 to 36.0.15. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/5978e5a2df95ef20cde627d4acb5edd1f87ba46a...5d2fcdb4cbef720a52f49fd05d8c7edd18a64758) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 
Signed-off-by: Avishay * :seedling: Bump golang.org/x/tools from 0.9.2 to 0.9.3 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.2 to 0.9.3. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.2...v0.9.3) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :seedling: Unit tests for option (#3109) - Add flags for repo, local, commit, log level, NPM, PyPI, RubyGems, metadata, show details, checks to run, policy file, and format - Add tests for checks to run and format flags Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay * 🌱 GitLab: add gitlab auth token to cron worker env (#3117) Signed-off-by: Raghav Kaul Signed-off-by: Avishay * Don't run pat e2e on dependabot merges (#3119) Signed-off-by: Raghav Kaul Signed-off-by: Avishay * ✨ Detect fast-check PBT library for fuzz section (#3073) * ✨ Detect fast-check PBT library for fuzz section As suggested at https://github.com/ossf/scorecard/issues/2792#issuecomment-1562007596, we add support for the detection of fast-check as a possible fuzzing solution. I also adapted the documentation related to fuzzing accordingly. Signed-off-by: Nicolas DUBIEN * Typo Signed-off-by: Nicolas DUBIEN * Update missing md files Signed-off-by: Nicolas DUBIEN --------- Signed-off-by: Nicolas DUBIEN Signed-off-by: Avishay * :seedling: temporarily disable failing e2e tests so we don't block all PRs. (#3130) Signed-off-by: Spencer Schrock Signed-off-by: Avishay * pr comments 
Signed-off-by: Avishay * :seedling: Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#3121) Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * i:seedling: Ignore all pb files for test (#3127) - Update .codecov.yml to ignore additional files Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Deprecate dependencydiff package and add access token requirement (#3125) - Deprecate the `dependencydiff` package and the `GetDependencyDiffResults` function - Add a line to the `.codecov.yml` to ignore the `dependencydiff` package Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay * ✨ [experimental] Support for new `--format probe` (#3048) * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon * update Signed-off-by: laurentsimon --------- Signed-off-by: laurentsimon 
Signed-off-by: Avishay * :seedling: Bump distroless/base (#3122) Bumps distroless/base from `10985f0` to `c623859`. --- updated-dependencies: - dependency-name: distroless/base dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Ignore deprecation warning for dependencydiff tests. (#3136) Signed-off-by: Spencer Schrock Signed-off-by: Avishay * :seedling: Bump tj-actions/changed-files from 36.0.15 to 36.0.18 Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.15 to 36.0.18. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/5d2fcdb4cbef720a52f49fd05d8c7edd18a64758...07e0177b72d3640efced741cae32f9861eee1367) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 in /tools (#3135) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 
Signed-off-by: Avishay * :seedling: Bump github.com/google/osv-scanner from 1.3.3 to 1.3.4 Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3 to 1.3.4. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/compare/v1.3.3...v1.3.4) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: Avishay * :seedling: Bump github.com/onsi/gomega from 1.27.7 to 1.27.8 Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.7 to 1.27.8. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.27.7...v1.27.8) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] 
Signed-off-by: Avishay * :seedling: Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 (#3139) Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.6.0...v1.7.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Increase test coverage for finding outcomes (#3142) * Increase test coverage for finding outcomes - Add tests for Outcome UnmarshalYAML function in `finding/finding_test.go` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Updates based on Codereview - Update `Outcome` variable in `finding/finding_test.go` - Add `t.Parallel()` for test parallelization - Add comparison using `cmp.Diff` to test for mismatches - Update test cases for various outcomes Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> 
Signed-off-by: Avishay * :seedling: Bump tj-actions/changed-files from 36.0.18 to 36.1.0 (#3143) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.18 to 36.1.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/07e0177b72d3640efced741cae32f9861eee1367...fb20f4d24890fadc539505b1746d260504b213d0) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay * :seedling: Re-enable skipped e2e tests. Switch to smaller code review repo. (#3144) * re-enable skipped ci test Signed-off-by: Spencer Schrock * re-enable skipped attestor test. switch to ossf-tests repo Signed-off-by: Spencer Schrock * remove extra policies from tests that only look at code review. Signed-off-by: Spencer Schrock * remove unneeded policies from binary artifact tests. Signed-off-by: Spencer Schrock --------- Signed-off-by: Spencer Schrock Signed-off-by: Avishay * add license header Signed-off-by: Avishay * pr comments Signed-off-by: Avishay * making the packages internal Signed-off-by: Avishay * generate mocks Signed-off-by: Avishay --------- Signed-off-by: Avishay 
Signed-off-by: Avishay Balter --- Makefile | 10 +- README.md | 2 +- cmd/internal/nuget/client.go | 275 ++++++++ cmd/internal/nuget/client_test.go | 623 ++++++++++++++++++ cmd/internal/nuget/nuget_mockclient.go | 64 ++ cmd/internal/nuget/testdata/index.json | 15 + .../testdata/index_bad_package_base.json | 15 + .../testdata/index_bad_registration_base.json | 15 + ...age_registration_index_all_not_listed.json | 33 + ...egistration_index_default_listed_true.json | 32 + ...registration_index_four_digit_version.json | 33 + ...kage_registration_index_marshal_error.json | 33 + ...e_registration_index_metadata_version.json | 33 + .../package_registration_index_multiple.json | 60 ++ ...kage_registration_index_multiple_last.json | 60 ++ ...ge_registration_index_multiple_remote.json | 16 + ...ndex_pre_release_and_metadata_version.json | 33 + ...egistration_index_pre_release_version.json | 33 + .../package_registration_index_single.json | 33 + ...ge_registration_index_with_not_listed.json | 33 + .../package_registration_page_one.json | 27 + .../package_registration_page_two.json | 27 + ...kage_registration_page_two_not_listed.json | 27 + cmd/internal/nuget/testdata/package_spec.xml | 9 + .../nuget/testdata/package_spec_error.xml | 7 + .../package_spec_four_digit_version.xml | 9 + .../testdata/package_spec_git_ending.xml | 9 + .../testdata/package_spec_project_url.xml | 8 + .../package_spec_project_url_git_ending.xml | 8 + .../package_spec_project_url_gitlab.xml | 8 + ...package_spec_project_url_not_supported.xml | 8 + .../testdata/package_spec_trailing_slash.xml | 9 + .../packagemanager/client.go} | 23 +- cmd/internal/packagemanager/client_test.go | 131 ++++ .../packagemanager_mockclient.go | 80 +++ cmd/package_managers.go | 30 +- cmd/package_managers_test.go | 71 +- cmd/packagemanager_mockclient.go | 65 -- cmd/root.go | 7 +- options/flags.go | 10 + options/options.go | 6 +- options/options_test.go | 4 +- 42 files changed, 1946 insertions(+), 88 deletions(-) create mode 100644 
cmd/internal/nuget/client.go create mode 100644 cmd/internal/nuget/client_test.go create mode 100644 cmd/internal/nuget/nuget_mockclient.go create mode 100644 cmd/internal/nuget/testdata/index.json create mode 100644 cmd/internal/nuget/testdata/index_bad_package_base.json create mode 100644 cmd/internal/nuget/testdata/index_bad_registration_base.json create mode 100644 cmd/internal/nuget/testdata/package_registration_index_all_not_listed.json create mode 100644 cmd/internal/nuget/testdata/package_registration_index_default_listed_true.json create mode 100644 cmd/internal/nuget/testdata/package_registration_index_four_digit_version.json create mode 100644 cmd/internal/nuget/testdata/package_registration_index_marshal_error.json create mode 100644 cmd/internal/nuget/testdata/package_registration_index_metadata_version.json create mode 100644 cmd/internal/nuget/testdata/package_registration_index_multiple.json create mode 100644 cmd/internal/nuget/testdata/package_registration_index_multiple_last.json create mode 100644 cmd/internal/nuget/testdata/package_registration_index_multiple_remote.json create mode 100644 cmd/internal/nuget/testdata/package_registration_index_pre_release_and_metadata_version.json create mode 100644 cmd/internal/nuget/testdata/package_registration_index_pre_release_version.json create mode 100644 cmd/internal/nuget/testdata/package_registration_index_single.json create mode 100644 cmd/internal/nuget/testdata/package_registration_index_with_not_listed.json create mode 100644 cmd/internal/nuget/testdata/package_registration_page_one.json create mode 100644 cmd/internal/nuget/testdata/package_registration_page_two.json create mode 100644 cmd/internal/nuget/testdata/package_registration_page_two_not_listed.json create mode 100644 cmd/internal/nuget/testdata/package_spec.xml create mode 100644 cmd/internal/nuget/testdata/package_spec_error.xml create mode 100644 cmd/internal/nuget/testdata/package_spec_four_digit_version.xml create mode 100644 
cmd/internal/nuget/testdata/package_spec_git_ending.xml create mode 100644 cmd/internal/nuget/testdata/package_spec_project_url.xml create mode 100644 cmd/internal/nuget/testdata/package_spec_project_url_git_ending.xml create mode 100644 cmd/internal/nuget/testdata/package_spec_project_url_gitlab.xml create mode 100644 cmd/internal/nuget/testdata/package_spec_project_url_not_supported.xml create mode 100644 cmd/internal/nuget/testdata/package_spec_trailing_slash.xml rename cmd/{packagemanager_client.go => internal/packagemanager/client.go} (58%) create mode 100644 cmd/internal/packagemanager/client_test.go create mode 100644 cmd/internal/packagemanager/packagemanager_mockclient.go delete mode 100644 cmd/packagemanager_mockclient.go
diff --git a/Makefile b/Makefile
index 1e4880f0..fb27d9d3 100644
--- a/Makefile
+++ b/Makefile
@@ -139,7 +139,8 @@ generate-mocks: clients/mockclients/repo_client.go \
 clients/mockclients/repo.go \
 clients/mockclients/cii_client.go \
 checks/mockclients/vulnerabilities.go \
- cmd/packagemanager_mockclient.go
+ cmd/internal/packagemanager/packagemanager_mockclient.go \
+ cmd/internal/nuget/nuget_mockclient.go
 clients/mockclients/repo_client.go: clients/repo_client.go | $(MOCKGEN)
 # Generating MockRepoClient
 $(MOCKGEN) -source=clients/repo_client.go -destination=clients/mockclients/repo_client.go -package=mockrepo -copyright_file=clients/mockclients/license.txt
@@ -152,9 +153,12 @@ clients/mockclients/cii_client.go: clients/cii_client.go | $(MOCKGEN)
 checks/mockclients/vulnerabilities.go: clients/vulnerabilities.go | $(MOCKGEN)
 # Generating MockCIIClient
 $(MOCKGEN) -source=clients/vulnerabilities.go -destination=clients/mockclients/vulnerabilities.go -package=mockrepo -copyright_file=clients/mockclients/license.txt
-cmd/packagemanager_mockclient.go: cmd/packagemanager_client.go | $(MOCKGEN)
+cmd/internal/packagemanager/packagemanager_mockclient.go: cmd/internal/packagemanager/client.go | $(MOCKGEN)
 # Generating MockPackageManagerClient
- $(MOCKGEN) -source=cmd/packagemanager_client.go -destination=cmd/packagemanager_mockclient.go -package=cmd -copyright_file=clients/mockclients/license.txt
+ $(MOCKGEN) -source=cmd/internal/packagemanager/client.go -destination=cmd/internal/packagemanager/packagemanager_mockclient.go -package=packagemanager -copyright_file=clients/mockclients/license.txt
+cmd/internal/nuget/nuget_mockclient.go: cmd/internal/nuget/client.go | $(MOCKGEN)
+ # Generating MockNugetClient
+ $(MOCKGEN) -source=cmd/internal/nuget/client.go -destination=cmd/internal/nuget/nuget_mockclient.go -package=nuget -copyright_file=clients/mockclients/license.txt
 generate-docs: ## Generates docs
 generate-docs: validate-docs docs/checks.md
diff --git a/README.md b/README.md
index 2055a475..0201b8fb 100644
--- a/README.md
+++ b/README.md
@@ -420,7 +420,7 @@ scorecard --repo=org/repo
 ##### Using a Package manager
-For projects in the `--npm`, `--pypi`, or `--rubygems` ecosystems, you have the
+For projects in the `--npm`, `--pypi`, `--rubygems`, or `--nuget` ecosystems, you have the
 option to run Scorecard using a package manager. Provide the package name to run the checks on the corresponding GitHub source code.
diff --git a/cmd/internal/nuget/client.go b/cmd/internal/nuget/client.go
new file mode 100644
index 00000000..deb3d863
--- /dev/null
+++ b/cmd/internal/nuget/client.go
@@ -0,0 +1,275 @@ +// Copyright 2020 OpenSSF Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package nuget implements Nuget API client. +package nuget + +import ( + "encoding/json" + "encoding/xml" + "fmt" + "io" + "net/http" + "regexp" + "strings" + + "golang.org/x/exp/slices" + + pmc "github.com/ossf/scorecard/v4/cmd/internal/packagemanager" + sce "github.com/ossf/scorecard/v4/errors" +) + +type indexResults struct { + Resources []indexResult `json:"resources"` +} + +func (n indexResults) findResourceByType(resultType string) (string, error) { + resourceIndex := slices.IndexFunc(n.Resources, + func(n indexResult) bool { return n.Type == resultType }) + if resourceIndex == -1 { + return "", sce.WithMessage(sce.ErrScorecardInternal, + fmt.Sprintf("failed to find %v URI at nuget index json", resultType)) + } + + return n.Resources[resourceIndex].ID, nil +} + +type indexResult struct { + ID string `json:"@id"` + Type string `json:"@type"` +} + +type packageRegistrationCatalogRoot struct { + Pages []packageRegistrationCatalogPage `json:"items"` +} + +func (n packageRegistrationCatalogRoot) latestVersion(manager pmc.Client) (string, error) { + for pageIndex := len(n.Pages) - 1; pageIndex >= 0; pageIndex-- { + page := n.Pages[pageIndex] + if page.Packages == nil { + err := decodeResponseFromClient(func() (*http.Response, error) { + //nolint: wrapcheck + return manager.GetURI(page.ID) + }, + func(rc io.ReadCloser) error { + //nolint: 
wrapcheck + return json.NewDecoder(rc).Decode(&page) + }, "nuget package registration page") + if err != nil { + return "", err + } + } + for packageIndex := len(page.Packages) - 1; packageIndex >= 0; packageIndex-- { + base, preReleaseSuffix := parseNugetSemVer(page.Packages[packageIndex].Entry.Version) + // skipping non listed and pre-releases + if page.Packages[packageIndex].Entry.Listed && len(strings.TrimSpace(preReleaseSuffix)) == 0 { + return base, nil + } + } + } + return "", sce.WithMessage(sce.ErrScorecardInternal, "failed to get a listed version for package") +} + +type packageRegistrationCatalogPage struct { + ID string `json:"@id"` + Packages []packageRegistrationCatalogItem `json:"items"` +} + +type packageRegistrationCatalogItem struct { + Entry packageRegistrationCatalogEntry `json:"catalogEntry"` +} + +type packageRegistrationCatalogEntry struct { + Version string `json:"version"` + Listed bool `json:"listed"` +} + +func (e *packageRegistrationCatalogEntry) UnmarshalJSON(text []byte) error { + type Alias packageRegistrationCatalogEntry + aux := Alias{ + Listed: true, // set the default value before parsing JSON + } + if err := json.Unmarshal(text, &aux); err != nil { + return fmt.Errorf("failed to unmarshal json: %w", err) + } + *e = packageRegistrationCatalogEntry(aux) + return nil +} + +type packageNuspec struct { + XMLName xml.Name `xml:"package"` + Metadata nuspecMetadata `xml:"metadata"` +} + +func (p *packageNuspec) projectURL(packageName string) (string, error) { + for _, projectURL := range []string{p.Metadata.Repository.URL, p.Metadata.ProjectURL} { + projectURL = strings.TrimSpace(projectURL) + if projectURL != "" && isSupportedProjectURL(projectURL) { + projectURL = strings.TrimSuffix(projectURL, "/") + projectURL = strings.TrimSuffix(projectURL, ".git") + return projectURL, nil + } + } + return "", sce.WithMessage(sce.ErrScorecardInternal, + fmt.Sprintf("source repo is not defined for nuget package %v", packageName)) +} + +type 
nuspecMetadata struct { + XMLName xml.Name `xml:"metadata"` + ProjectURL string `xml:"projectUrl"` + Repository nuspecRepository `xml:"repository"` +} + +type nuspecRepository struct { + XMLName xml.Name `xml:"repository"` + URL string `xml:"url,attr"` +} + +type Client interface { + GitRepositoryByPackageName(packageName string) (string, error) +} + +type NugetClient struct { + Manager pmc.Client +} + +func (c NugetClient) GitRepositoryByPackageName(packageName string) (string, error) { + packageBaseURL, registrationBaseURL, err := c.baseUrls() + if err != nil { + return "", err + } + + packageSpec, err := c.packageSpec(packageBaseURL, registrationBaseURL, packageName) + if err != nil { + return "", err + } + + packageURL, err := packageSpec.projectURL(packageName) + if err != nil { + return "", err + } + return packageURL, nil +} + +func (c *NugetClient) packageSpec(packageBaseURL, registrationBaseURL, packageName string) (packageNuspec, error) { + lowerCasePackageName := strings.ToLower(packageName) + lastPackageVersion, err := c.latestListedVersion(registrationBaseURL, + lowerCasePackageName) + if err != nil { + return packageNuspec{}, err + } + packageSpecResults := &packageNuspec{} + err = decodeResponseFromClient(func() (*http.Response, error) { + //nolint: wrapcheck + return c.Manager.Get( + packageBaseURL+"%[1]v/"+lastPackageVersion+"/%[1]v.nuspec", lowerCasePackageName) + }, + func(rc io.ReadCloser) error { + //nolint: wrapcheck + return xml.NewDecoder(rc).Decode(packageSpecResults) + }, "nuget package spec") + + if err != nil { + return packageNuspec{}, err + } + if packageSpecResults.Metadata == (nuspecMetadata{}) { + return packageNuspec{}, sce.WithMessage(sce.ErrScorecardInternal, + "Nuget nuspec xml Metadata is empty") + } + return *packageSpecResults, nil +} + +func (c *NugetClient) baseUrls() (string, string, error) { + indexURL := "https://api.nuget.org/v3/index.json" + indexResults := &indexResults{} + err := decodeResponseFromClient(func() 
(*http.Response, error) { + //nolint: wrapcheck + return c.Manager.GetURI(indexURL) + }, + func(rc io.ReadCloser) error { + //nolint: wrapcheck + return json.NewDecoder(rc).Decode(indexResults) + }, "nuget index json") + if err != nil { + return "", "", err + } + packageBaseURL, err := indexResults.findResourceByType("PackageBaseAddress/3.0.0") + if err != nil { + return "", "", err + } + registrationBaseURL, err := indexResults.findResourceByType("RegistrationsBaseUrl/3.6.0") + if err != nil { + return "", "", err + } + return packageBaseURL, registrationBaseURL, nil +} + +// Gets the latest listed nuget version of a package, based on the protocol defined at +// https://learn.microsoft.com/en-us/nuget/api/package-base-address-resource#enumerate-package-versions +func (c *NugetClient) latestListedVersion(baseURL, packageName string) (string, error) { + packageRegistrationCatalogRoot := &packageRegistrationCatalogRoot{} + err := decodeResponseFromClient(func() (*http.Response, error) { + //nolint: wrapcheck + return c.Manager.Get(baseURL+"%s/index.json", packageName) + }, + func(rc io.ReadCloser) error { + //nolint: wrapcheck + return json.NewDecoder(rc).Decode(packageRegistrationCatalogRoot) + }, "nuget package registration index json") + if err != nil { + return "", err + } + return packageRegistrationCatalogRoot.latestVersion(c.Manager) +} + +func isSupportedProjectURL(projectURL string) bool { + pattern := `^(?:https?://)?(?:www\.)?(?:github|gitlab)\.com/([A-Za-z0-9_\.-]+)/([A-Za-z0-9_\./-]+)$` + regex := regexp.MustCompile(pattern) + return regex.MatchString(projectURL) +} + +// Nuget semver diverges from Semantic Versioning. +// This method returns the Nuget represntation of version and pre release strings. 
+// nolint: lll // long URL +// more info: https://learn.microsoft.com/en-us/nuget/concepts/package-versioning#where-nugetversion-diverges-from-semantic-versioning +func parseNugetSemVer(versionString string) (base, preReleaseSuffix string) { + metadataAndVersion := strings.Split(versionString, "+") + prereleaseAndVersions := strings.Split(metadataAndVersion[0], "-") + if len(prereleaseAndVersions) == 1 { + return prereleaseAndVersions[0], "" + } + return prereleaseAndVersions[0], prereleaseAndVersions[1] +} + +func decodeResponseFromClient(getFunc func() (*http.Response, error), + decodeFunc func(io.ReadCloser) error, name string, +) error { + response, err := getFunc() + if err != nil { + return sce.WithMessage(sce.ErrScorecardInternal, + fmt.Sprintf("failed to get %s: %v", name, err)) + } + if response.StatusCode != http.StatusOK { + return sce.WithMessage(sce.ErrScorecardInternal, + fmt.Sprintf("failed to get %s with status: %v", name, response.Status)) + } + defer response.Body.Close() + + err = decodeFunc(response.Body) + if err != nil { + return sce.WithMessage(sce.ErrScorecardInternal, + fmt.Sprintf("failed to parse %s: %v", name, err)) + } + return nil +} diff --git a/cmd/internal/nuget/client_test.go b/cmd/internal/nuget/client_test.go new file mode 100644 index 00000000..bb5f8c2c --- /dev/null +++ b/cmd/internal/nuget/client_test.go 
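Review bot: In decodeResponseFromClient the `defer response.Body.Close()` is placed after the status-code check, so every non-200 reply returns with the body still open and the connection is never released; move the defer directly under the `if err != nil` return. The same helper hands an unbounded body to the JSON/XML decoders, so wrapping it (e.g. `decodeFunc(io.NopCloser(io.LimitReader(response.Body, maxResponseBytes)))`, with `maxResponseBytes` a package constant still to be chosen) bounds memory on an oversized or hostile response. In latestVersion, `page.ID` is taken from the registration JSON and passed straight to manager.GetURI, so the next fetch target is chosen by the server response; checking that it stays under the registration base URL host before the call keeps the client from following an arbitrary pointer. In packageSpec the format string given to Manager.Get is assembled from packageBaseURL and lastPackageVersion, both fetched values, so a `%` in either corrupts the request if Get expands fmt verbs as the `%[1]v` placeholders suggest (Get's body is not visible here); substituting url.PathEscape'd values into a fixed template before the call is safer. isSupportedProjectURL also recompiles its pattern on every call; hoist it to a package-level `var supportedProjectURLRe = regexp.MustCompile(pattern)`.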
@@ -0,0 +1,623 @@ +// Copyright 2020 OpenSSF Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package nuget implements Nuget API client. +package nuget + +import ( + "bytes" + "errors" + "fmt" + "io" + "net/http" + "os" + "strings" + "testing" + + "github.com/golang/mock/gomock" + "golang.org/x/exp/slices" + + pmc "github.com/ossf/scorecard/v4/cmd/internal/packagemanager" +) + +type resultPackagePage struct { + url string + response string +} +type nugetTestArgs struct { + inputPackageName string + expectedPackageName string + resultIndex string + resultPackageRegistrationIndex string + resultPackageSpec string + version string + resultPackageRegistrationPages []resultPackagePage +} +type nugetTest struct { + name string + want string + args nugetTestArgs + wantErr bool +} + +func Test_fetchGitRepositoryFromNuget(t *testing.T) { + t.Parallel() + + tests := []nugetTest{ + { + name: "find latest version in single page", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_single.json", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "package_spec.xml", + version: "4.0.1", + }, + want: "https://github.com/foo/foo.net", + wantErr: false, + }, + { + name: "find by lowercase package name", + + args: nugetTestArgs{ + inputPackageName: "Nuget-Package", + expectedPackageName: "nuget-package", + resultIndex: 
"index.json", + resultPackageRegistrationIndex: "package_registration_index_single.json", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "package_spec.xml", + version: "4.0.1", + }, + want: "https://github.com/foo/foo.net", + wantErr: false, + }, + { + name: "find and remove trailing slash", + + args: nugetTestArgs{ + inputPackageName: "Nuget-Package", + expectedPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_single.json", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "package_spec_trailing_slash.xml", + version: "4.0.1", + }, + want: "https://github.com/foo/foo.net", + wantErr: false, + }, + { + name: "find and remove git ending", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_single.json", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "package_spec_git_ending.xml", + version: "4.0.1", + }, + want: "https://github.com/foo/foo.net", + wantErr: false, + }, + { + name: "find and handle four digit version", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_four_digit_version.json", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "package_spec_four_digit_version.xml", + version: "1.60.0.2981", + }, + want: "https://github.com/foo/foo.net", + wantErr: false, + }, + { + name: "skip semver metadata", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_metadata_version.json", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "package_spec.xml", + version: "4.0.1", + }, + want: "https://github.com/foo/foo.net", + wantErr: false, + }, + { + name: 
"skip pre release", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_pre_release_version.json", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "package_spec.xml", + version: "4.0.1", + }, + want: "https://github.com/foo/foo.net", + wantErr: false, + }, + { + name: "skip pre release and metadata", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_pre_release_and_metadata_version.json", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "package_spec.xml", + version: "4.0.1", + }, + want: "https://github.com/foo/foo.net", + wantErr: false, + }, + { + name: "find in project url if repository missing", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_single.json", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "package_spec_project_url.xml", + version: "4.0.1", + }, + want: "https://github.com/foo/foo.net", + wantErr: false, + }, + { + name: "get github project url without git ending", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_single.json", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "package_spec_project_url_git_ending.xml", + version: "4.0.1", + }, + want: "https://github.com/foo/foo.net", + wantErr: false, + }, + { + name: "get gitlab project url if repository url missing", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_single.json", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: 
"package_spec_project_url_gitlab.xml", + version: "4.0.1", + }, + want: "https://gitlab.com/foo/foo.net", + wantErr: false, + }, + { + name: "error if project url is not gitlab or github", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_single.json", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "package_spec_project_url_not_supported.xml", + version: "4.0.1", + }, + want: "internal error: source repo is not defined for nuget package nuget-package", + wantErr: true, + }, + { + name: "find latest version in first of multiple pages", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_multiple.json", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "package_spec.xml", + version: "4.0.1", + }, + want: "https://github.com/foo/foo.net", + wantErr: false, + }, + { + name: "find latest version in first of multiple remote pages", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_multiple_remote.json", + resultPackageRegistrationPages: []resultPackagePage{ + { + url: "https://api.nuget.org/v3/registration5-semver1/Foo.NET/page1/index.json", + response: "package_registration_page_one.json", + }, + { + url: "https://api.nuget.org/v3/registration5-semver1/Foo.NET/page2/index.json", + response: "package_registration_page_two.json", + }, + }, + resultPackageSpec: "package_spec.xml", + version: "4.0.1", + }, + want: "https://github.com/foo/foo.net", + wantErr: false, + }, + { + name: "find latest version in last of multiple pages", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_multiple_last.json", + 
resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "package_spec.xml", + version: "4.0.1", + }, + want: "https://github.com/foo/foo.net", + wantErr: false, + }, + { + name: "find latest version in last of remote multiple pages", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_multiple_remote.json", + resultPackageRegistrationPages: []resultPackagePage{ + { + url: "https://api.nuget.org/v3/registration5-semver1/Foo.NET/page1/index.json", + response: "package_registration_page_one.json", + }, + { + url: "https://api.nuget.org/v3/registration5-semver1/Foo.NET/page2/index.json", + response: "package_registration_page_two_not_listed.json", + }, + }, + resultPackageSpec: "package_spec.xml", + version: "3.5.2", + }, + want: "https://github.com/foo/foo.net", + wantErr: false, + }, + { + name: "find latest version with default listed value true", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_default_listed_true.json", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "package_spec.xml", + version: "4.0.1", + }, + want: "https://github.com/foo/foo.net", + wantErr: false, + }, + { + name: "skip not listed versions", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_with_not_listed.json", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "package_spec.xml", + version: "3.5.8", + }, + want: "https://github.com/foo/foo.net", + wantErr: false, + }, + { + name: "error if no listed version", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_all_not_listed.json", + 
resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "", + version: "", + }, + want: "internal error: failed to get a listed version for package", + wantErr: true, + }, + { + name: "error no index", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "", + resultPackageRegistrationIndex: "", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "", + }, + want: "internal error: failed to get nuget index json: error", + wantErr: true, + }, + { + name: "error bad index", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "text", + resultPackageRegistrationIndex: "", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "", + }, + want: "internal error: failed to parse nuget index json: invalid character 'e' in literal true (expecting 'r')", + wantErr: true, + }, + { + name: "error package registration index", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "", + }, + want: "internal error: failed to get nuget package registration index json: error", + wantErr: true, + }, + { + name: "error bad package index", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "text", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "", + }, + //nolint + want: "internal error: failed to parse nuget package registration index json: invalid character 'e' in literal true (expecting 'r')", + wantErr: true, + }, + { + name: "error package registration page", + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_multiple_remote.json", + resultPackageRegistrationPages: []resultPackagePage{ + { + url: 
"https://api.nuget.org/v3/registration5-semver1/Foo.NET/page1/index.json", + response: "", + }, + { + url: "https://api.nuget.org/v3/registration5-semver1/Foo.NET/page2/index.json", + response: "", + }, + }, + resultPackageSpec: "", + }, + want: "internal error: failed to get nuget package registration page: error", + wantErr: true, + }, + { + name: "error in package spec", + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_single.json", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "", + version: "4.0.1", + }, + want: "internal error: failed to get nuget package spec: error", + wantErr: true, + }, + { + name: "error bad package spec", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_multiple_remote.json", + resultPackageRegistrationPages: []resultPackagePage{ + { + url: "https://api.nuget.org/v3/registration5-semver1/Foo.NET/page2/index.json", + response: "text", + }, + }, + resultPackageSpec: "", + }, + //nolint + want: "internal error: failed to parse nuget package registration page: invalid character 'e' in literal true (expecting 'r')", + wantErr: true, + }, + { + name: "error package spec", + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_single.json", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "text", + version: "4.0.1", + }, + want: "internal error: failed to parse nuget package spec: EOF", + wantErr: true, + }, + { + name: "bad remote package page", + + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_multiple_remote.json", + resultPackageRegistrationPages: []resultPackagePage{ + { + url: 
"https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1", + response: "text", + }, + }, + resultPackageSpec: "", + }, + want: "internal error: failed to get nuget package registration page: error", + wantErr: true, + }, + { + name: "error no registration url", + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index_bad_registration_base.json", + resultPackageRegistrationIndex: "", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "", + version: "4.0.1", + }, + want: "internal error: failed to find RegistrationsBaseUrl/3.6.0 URI at nuget index json", + wantErr: true, + }, + { + name: "error no package base url", + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index_bad_package_base.json", + resultPackageRegistrationIndex: "", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "", + version: "4.0.1", + }, + want: "internal error: failed to find PackageBaseAddress/3.0.0 URI at nuget index json", + wantErr: true, + }, + { + name: "error marhsal entry", + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_marshal_error.json", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "", + version: "", + }, + //nolint + want: "internal error: failed to parse nuget package registration index json: failed to unmarshal json: json: cannot unmarshal number into Go struct field Alias.listed of type bool", + wantErr: true, + }, + { + name: "empty package spec", + args: nugetTestArgs{ + inputPackageName: "nuget-package", + resultIndex: "index.json", + resultPackageRegistrationIndex: "package_registration_index_single.json", + resultPackageRegistrationPages: []resultPackagePage{}, + resultPackageSpec: "package_spec_error.xml", + version: "4.0.1", + }, + want: "internal error: source repo is not defined for nuget package nuget-package", + 
wantErr: true, + }, + } + + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + ctrl := gomock.NewController(t) + p := pmc.NewMockClient(ctrl) + p.EXPECT().GetURI(gomock.Any()). + DoAndReturn(func(url string) (*http.Response, error) { + return nugetIndexOrPageTestResults(url, &tt) + }).AnyTimes() + expectedPackageName := tt.args.expectedPackageName + if strings.TrimSpace(expectedPackageName) == "" { + expectedPackageName = tt.args.inputPackageName + } + + p.EXPECT().Get(gomock.Any(), expectedPackageName). + DoAndReturn(func(url, inputPackageName string) (*http.Response, error) { + return nugetPackageIndexAndSpecResponse(t, url, &tt) + }).AnyTimes() + client := NugetClient{Manager: p} + got, err := client.GitRepositoryByPackageName(tt.args.inputPackageName) + if err != nil { + if !tt.wantErr { + t.Errorf("fetchGitRepositoryFromNuget() error = %v, wantErr %v", err, tt.wantErr) + return + } + if err.Error() != tt.want { + t.Errorf("fetchGitRepositoryFromNuget() err.Error() = %v, wanted %v", err.Error(), tt.want) + return + } + return + } + + if got != tt.want { + t.Errorf("fetchGitRepositoryFromNuget() = %v, want %v", got, tt.want) + } + }) + } +} + +func nugetIndexOrPageTestResults(url string, test *nugetTest) (*http.Response, error) { + if url == "https://api.nuget.org/v3/index.json" { + return testResult(test.wantErr, test.args.resultIndex) + } + urlResponseIndex := slices.IndexFunc(test.args.resultPackageRegistrationPages, + func(page resultPackagePage) bool { return page.url == url }) + if urlResponseIndex == -1 { + //nolint + return nil, errors.New("error") + } + page := test.args.resultPackageRegistrationPages[urlResponseIndex] + return testResult(test.wantErr, page.response) +} + +func nugetPackageIndexAndSpecResponse(t *testing.T, url string, test *nugetTest) (*http.Response, error) { + t.Helper() + if strings.HasSuffix(url, "index.json") { + return testResult(test.wantErr, test.args.resultPackageRegistrationIndex) + } 
else if strings.HasSuffix(url, ".nuspec") { + if strings.Contains(url, fmt.Sprintf("/%v/", test.args.version)) { + return testResult(test.wantErr, test.args.resultPackageSpec) + } + t.Errorf("fetchGitRepositoryFromNuget() version = %v, expected version = %v", url, test.args.version) + } + //nolint + return nil, errors.New("error") +} + +func testResult(wantErr bool, responseFileName string) (*http.Response, error) { + if wantErr && responseFileName == "" { + //nolint + return nil, errors.New("error") + } + if wantErr && responseFileName == "text" { + return &http.Response{ + StatusCode: 200, + Body: io.NopCloser(bytes.NewBufferString("text")), + }, nil + } + content, err := os.ReadFile("./testdata/" + responseFileName) + if err != nil { + return nil, fmt.Errorf("%w", err) + } + return &http.Response{ + StatusCode: 200, + Body: io.NopCloser(bytes.NewBufferString(string(content))), + }, nil +} diff --git a/cmd/internal/nuget/nuget_mockclient.go b/cmd/internal/nuget/nuget_mockclient.go new file mode 100644 index 00000000..b02a9968 --- /dev/null +++ b/cmd/internal/nuget/nuget_mockclient.go 
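Review bot: No case exercises the non-200 branch of decodeResponseFromClient: testResult always returns `StatusCode: 200`, so the status check and its "failed to get ... with status" message are untested; a case whose testResult returns `StatusCode: http.StatusNotFound` with a matching want string would cover it. `bytes.NewBufferString(string(content))` copies the file a second time; `Body: io.NopCloser(bytes.NewReader(content))` is the direct form, and `http.StatusOK` reads better than the literal 200. The bare `//nolint` directives on the `errors.New("error")` lines disable every linter for that line; name the linter being silenced so the others still run. In nugetPackageIndexAndSpecResponse the `else if` follows a branch that returns, so it can be a plain `if`.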
@@ -0,0 +1,64 @@ +// Copyright 2021 OpenSSF Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +// Code generated by MockGen. DO NOT EDIT. +// Source: cmd/internal/nuget/client.go + +// Package nuget is a generated GoMock package. +package nuget + +import ( + reflect "reflect" + + gomock "github.com/golang/mock/gomock" +) + +// MockClient is a mock of Client interface. +type MockClient struct { + ctrl *gomock.Controller + recorder *MockClientMockRecorder +} + +// MockClientMockRecorder is the mock recorder for MockClient. +type MockClientMockRecorder struct { + mock *MockClient +} + +// NewMockClient creates a new mock instance. +func NewMockClient(ctrl *gomock.Controller) *MockClient { + mock := &MockClient{ctrl: ctrl} + mock.recorder = &MockClientMockRecorder{mock} + return mock +} + +// EXPECT returns an object that allows the caller to indicate expected use. +func (m *MockClient) EXPECT() *MockClientMockRecorder { + return m.recorder +} + +// GitRepositoryByPackageName mocks base method. +func (m *MockClient) GitRepositoryByPackageName(packageName string) (string, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "GitRepositoryByPackageName", packageName) + ret0, _ := ret[0].(string) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// GitRepositoryByPackageName indicates an expected call of GitRepositoryByPackageName. 
+func (mr *MockClientMockRecorder) GitRepositoryByPackageName(packageName interface{}) *gomock.Call {
+ mr.mock.ctrl.T.Helper()
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GitRepositoryByPackageName", reflect.TypeOf((*MockClient)(nil).GitRepositoryByPackageName), packageName)
+}
diff --git a/cmd/internal/nuget/testdata/index.json b/cmd/internal/nuget/testdata/index.json
new file mode 100644
index 00000000..0229bf48
--- /dev/null
+++ b/cmd/internal/nuget/testdata/index.json
@@ -0,0 +1,15 @@
+{
+ "version": "3.0.0",
+ "resources": [
+ {
+ "@id": "https://api.nuget.org/v3-flatcontainer/",
+ "@type": "PackageBaseAddress/3.0.0",
+ "comment": "Base URL of where NuGet packages are stored"
+ },
+ {
+ "@id": "https://api.nuget.org/v3/registration5-gz-semver1/",
+ "@type": "RegistrationsBaseUrl/3.6.0",
+ "comment": "Base URL of Azure storage where NuGet package registration info."
+ }
+ ]
+}
diff --git a/cmd/internal/nuget/testdata/index_bad_package_base.json b/cmd/internal/nuget/testdata/index_bad_package_base.json
new file mode 100644
index 00000000..466aebc8
--- /dev/null
+++ b/cmd/internal/nuget/testdata/index_bad_package_base.json
@@ -0,0 +1,15 @@
+{
+ "version": "3.0.0",
+ "resources": [
+ {
+ "@id": "https://api.nuget.org/v3-flatcontainer/",
+ "@type": "PackageBaseAddress/3.1.0",
+ "comment": "Base URL of where NuGet packages are stored, in the format ..."
+ },
+ {
+ "@id": "https://api.nuget.org/v3/registration5-gz-semver1/",
+ "@type": "RegistrationsBaseUrl/3.6.0",
+ "comment": "Base URL of Azure storage where NuGet package registration info."
+ }
+ ]
+}
diff --git a/cmd/internal/nuget/testdata/index_bad_registration_base.json b/cmd/internal/nuget/testdata/index_bad_registration_base.json
new file mode 100644
index 00000000..3b0612a8
--- /dev/null
+++ b/cmd/internal/nuget/testdata/index_bad_registration_base.json
@@ -0,0 +1,15 @@
+{
+ "version": "3.0.0",
+ "resources": [
+ {
+ "@id": "https://api.nuget.org/v3-flatcontainer/",
+ "@type": "PackageBaseAddress/3.0.0",
+ "comment": "Base URL of where NuGet packages are stored, in the format ..."
+ },
+ {
+ "@id": "https://api.nuget.org/v3/registration5-gz-semver1/",
+ "@type": "RegistrationsBaseUrl/3.2.0",
+ "comment": "Base URL of Azure storage where NuGet package registration info."
+ }
+ ]
+}
diff --git a/cmd/internal/nuget/testdata/package_registration_index_all_not_listed.json b/cmd/internal/nuget/testdata/package_registration_index_all_not_listed.json
new file mode 100644
index 00000000..dd6f0c52
--- /dev/null
+++ b/cmd/internal/nuget/testdata/package_registration_index_all_not_listed.json
@@ -0,0 +1,33 @@
+{
+ "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json",
+ "count": 1,
+ "items": [
+ {
+ "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1",
+ "@type": "catalog:CatalogPage",
+ "count": 2,
+ "items": [
+ {
+ "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json",
+ "@type": "Package",
+ "catalogEntry": {
+ "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json",
+ "@type": "PackageDetails",
+ "listed": false,
+ "version": "3.5.8"
+ }
+ },
+ {
+ "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json",
+ "@type": "Package",
+ "catalogEntry": {
+ "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json",
+ "@type": "PackageDetails",
+ "listed": false,
+ "version": "4.0.1"
+ }
+ }
+ ]
+ }
+ ]
+}
diff --git a/cmd/internal/nuget/testdata/package_registration_index_default_listed_true.json b/cmd/internal/nuget/testdata/package_registration_index_default_listed_true.json
new file mode 100644
index 00000000..759aebd1
--- /dev/null
+++ b/cmd/internal/nuget/testdata/package_registration_index_default_listed_true.json
@@ -0,0 +1,32 @@ +{ + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json", + "count": 1, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1", + "@type": "catalog:CatalogPage", + "count": 2, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json", + "@type": "PackageDetails", + "listed": true, + "version": "3.5.8" + } + }, + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json", + "@type": "PackageDetails", + "version": "4.0.1" + } + } + ] + } + ] +} diff --git a/cmd/internal/nuget/testdata/package_registration_index_four_digit_version.json b/cmd/internal/nuget/testdata/package_registration_index_four_digit_version.json new file mode 100644 index 00000000..5832accd --- /dev/null +++ b/cmd/internal/nuget/testdata/package_registration_index_four_digit_version.json 
@@ -0,0 +1,33 @@ +{ + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json", + "count": 1, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1", + "@type": "catalog:CatalogPage", + "count": 2, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022/Foo.NET.3.5.8.json", + "@type": "PackageDetails", + "listed": true, + "version": "3.5.8" + } + }, + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/1.60.0.2981.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022/Foo.NET.1.60.0.2981.json", + "@type": "PackageDetails", + "listed": true, + "version": "1.60.0.2981+metadata" + } + } + ] + } + ] +} diff --git a/cmd/internal/nuget/testdata/package_registration_index_marshal_error.json b/cmd/internal/nuget/testdata/package_registration_index_marshal_error.json new file mode 100644 index 00000000..41d34fcd --- /dev/null +++ b/cmd/internal/nuget/testdata/package_registration_index_marshal_error.json 
@@ -0,0 +1,33 @@ +{ + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json", + "count": 1, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1", + "@type": "catalog:CatalogPage", + "count": 2, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json", + "@type": "PackageDetails", + "listed": 123, + "version": "3.5.8" + } + }, + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json", + "@type": "PackageDetails", + "listed": true, + "version": "4.0.1" + } + } + ] + } + ] +} diff --git a/cmd/internal/nuget/testdata/package_registration_index_metadata_version.json b/cmd/internal/nuget/testdata/package_registration_index_metadata_version.json new file mode 100644 index 00000000..3450f7e2 --- /dev/null +++ b/cmd/internal/nuget/testdata/package_registration_index_metadata_version.json 
@@ -0,0 +1,33 @@ +{ + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json", + "count": 1, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1", + "@type": "catalog:CatalogPage", + "count": 2, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json", + "@type": "PackageDetails", + "listed": true, + "version": "3.5.8" + } + }, + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json", + "@type": "PackageDetails", + "listed": true, + "version": "4.0.1+metadata" + } + } + ] + } + ] +} diff --git a/cmd/internal/nuget/testdata/package_registration_index_multiple.json b/cmd/internal/nuget/testdata/package_registration_index_multiple.json new file mode 100644 index 00000000..4955d0c4 --- /dev/null +++ b/cmd/internal/nuget/testdata/package_registration_index_multiple.json 
@@ -0,0 +1,60 @@ +{ + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json", + "count": 2, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1", + "@type": "catalog:CatalogPage", + "count": 2, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.1.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.1.json", + "@type": "PackageDetails", + "listed": true, + "version": "3.5.1" + } + }, + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.2.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.2.json", + "@type": "PackageDetails", + "listed": true, + "version": "3.5.2" + } + } + ] + }, + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/2", + "@type": "catalog:CatalogPage", + "count": 2, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json", + "@type": "PackageDetails", + "listed": true, + "version": "3.5.8" + } + }, + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json", + "@type": "PackageDetails", + "listed": true, + "version": "4.0.1" + } + } + ] + } + ] +} diff --git a/cmd/internal/nuget/testdata/package_registration_index_multiple_last.json b/cmd/internal/nuget/testdata/package_registration_index_multiple_last.json new file mode 100644 index 00000000..5108054d --- /dev/null +++ b/cmd/internal/nuget/testdata/package_registration_index_multiple_last.json 
@@ -0,0 +1,60 @@ +{ + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json", + "count": 2, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1", + "@type": "catalog:CatalogPage", + "count": 2, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json", + "@type": "PackageDetails", + "listed": true, + "version": "3.5.8" + } + }, + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json", + "@type": "PackageDetails", + "listed": true, + "version": "4.0.1" + } + } + ] + }, + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/2", + "@type": "catalog:CatalogPage", + "count": 2, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.1.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.1.json", + "@type": "PackageDetails", + "listed": false, + "version": "4.1" + } + }, + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.2.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.2.json", + "@type": "PackageDetails", + "listed": false, + "version": "4.2" + } + } + ] + } + ] +} diff --git a/cmd/internal/nuget/testdata/package_registration_index_multiple_remote.json b/cmd/internal/nuget/testdata/package_registration_index_multiple_remote.json new file mode 100644 index 00000000..a9981079 --- /dev/null +++ b/cmd/internal/nuget/testdata/package_registration_index_multiple_remote.json 
@@ -0,0 +1,16 @@ +{ + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json", + "count": 2, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/page1/index.json", + "@type": "catalog:CatalogPage", + "count": 2 + }, + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/page2/index.json", + "@type": "catalog:CatalogPage", + "count": 2 + } + ] +} diff --git a/cmd/internal/nuget/testdata/package_registration_index_pre_release_and_metadata_version.json b/cmd/internal/nuget/testdata/package_registration_index_pre_release_and_metadata_version.json new file mode 100644 index 00000000..8568e13a --- /dev/null +++ b/cmd/internal/nuget/testdata/package_registration_index_pre_release_and_metadata_version.json @@ -0,0 +1,33 @@ +{ + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json", + "count": 1, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1", + "@type": "catalog:CatalogPage", + "count": 2, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json", + "@type": "PackageDetails", + "listed": true, + "version": "4.0.1+metadata" + } + }, + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json", + "@type": "PackageDetails", + "listed": true, + "version": "4.0.1-beta+meta" + } + } + ] + } + ] +} diff --git a/cmd/internal/nuget/testdata/package_registration_index_pre_release_version.json b/cmd/internal/nuget/testdata/package_registration_index_pre_release_version.json new file mode 100644 index 00000000..829faa87 --- /dev/null +++ b/cmd/internal/nuget/testdata/package_registration_index_pre_release_version.json 
@@ -0,0 +1,33 @@ +{ + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json", + "count": 1, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1", + "@type": "catalog:CatalogPage", + "count": 2, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json", + "@type": "PackageDetails", + "listed": true, + "version": "4.0.1" + } + }, + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json", + "@type": "PackageDetails", + "listed": true, + "version": "4.0.1-beta" + } + } + ] + } + ] +} diff --git a/cmd/internal/nuget/testdata/package_registration_index_single.json b/cmd/internal/nuget/testdata/package_registration_index_single.json new file mode 100644 index 00000000..4a45baaa --- /dev/null +++ b/cmd/internal/nuget/testdata/package_registration_index_single.json 
@@ -0,0 +1,33 @@ +{ + "@id": "https://api.nuget.org/v3/c-semver1/Foo.NET/index.json", + "count": 1, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1", + "@type": "catalog:CatalogPage", + "count": 2, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json", + "@type": "PackageDetails", + "listed": true, + "version": "3.5.8" + } + }, + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json", + "@type": "PackageDetails", + "listed": true, + "version": "4.0.1" + } + } + ] + } + ] +} diff --git a/cmd/internal/nuget/testdata/package_registration_index_with_not_listed.json b/cmd/internal/nuget/testdata/package_registration_index_with_not_listed.json new file mode 100644 index 00000000..4303fc2a --- /dev/null +++ b/cmd/internal/nuget/testdata/package_registration_index_with_not_listed.json 
@@ -0,0 +1,33 @@ +{ + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json", + "count": 1, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1", + "@type": "catalog:CatalogPage", + "count": 2, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json", + "@type": "PackageDetails", + "listed": true, + "version": "3.5.8" + } + }, + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json", + "@type": "PackageDetails", + "listed": false, + "version": "4.0.1" + } + } + ] + } + ] +} diff --git a/cmd/internal/nuget/testdata/package_registration_page_one.json b/cmd/internal/nuget/testdata/package_registration_page_one.json new file mode 100644 index 00000000..2043abb9 --- /dev/null +++ b/cmd/internal/nuget/testdata/package_registration_page_one.json @@ -0,0 +1,27 @@ +{ + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/1", + "@type": "catalog:CatalogPage", + "count": 2, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.1.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.1.json", + "@type": "PackageDetails", + "listed": true, + "version": "3.5.1" + } + }, + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.2.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.2.json", + "@type": "PackageDetails", + "listed": true, + "version": "3.5.2" + } + } + ] +} 
diff --git a/cmd/internal/nuget/testdata/package_registration_page_two.json b/cmd/internal/nuget/testdata/package_registration_page_two.json new file mode 100644 index 00000000..0a7b7aca --- /dev/null +++ b/cmd/internal/nuget/testdata/package_registration_page_two.json @@ -0,0 +1,27 @@ +{ + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/2", + "@type": "catalog:CatalogPage", + "count": 2, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/3.5.8.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.3.5.8.json", + "@type": "PackageDetails", + "listed": true, + "version": "3.5.8" + } + }, + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.0.1.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.0.1.json", + "@type": "PackageDetails", + "listed": true, + "version": "4.0.1" + } + } + ] +} diff --git a/cmd/internal/nuget/testdata/package_registration_page_two_not_listed.json b/cmd/internal/nuget/testdata/package_registration_page_two_not_listed.json new file mode 100644 index 00000000..9c925466 --- /dev/null +++ b/cmd/internal/nuget/testdata/package_registration_page_two_not_listed.json 
@@ -0,0 +1,27 @@ +{ + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/index.json#page/2", + "@type": "catalog:CatalogPage", + "count": 2, + "items": [ + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.1.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.1.json", + "@type": "PackageDetails", + "listed": false, + "version": "4.1" + } + }, + { + "@id": "https://api.nuget.org/v3/registration5-semver1/Foo.NET/4.2.json", + "@type": "Package", + "catalogEntry": { + "@id": "https://api.nuget.org/v3/catalog0/data/2022.12.08.16.43.03/Foo.NET.4.2.json", + "@type": "PackageDetails", + "listed": false, + "version": "4.2" + } + } + ] +} diff --git a/cmd/internal/nuget/testdata/package_spec.xml b/cmd/internal/nuget/testdata/package_spec.xml new file mode 100644 index 00000000..1ef5fa4c --- /dev/null +++ b/cmd/internal/nuget/testdata/package_spec.xml @@ -0,0 +1,9 @@ + + + Foo + 4.0.1 + Foo.NET + + foo + + \ No newline at end of file diff --git a/cmd/internal/nuget/testdata/package_spec_error.xml b/cmd/internal/nuget/testdata/package_spec_error.xml new file mode 100644 index 00000000..4de5c445 --- /dev/null +++ b/cmd/internal/nuget/testdata/package_spec_error.xml @@ -0,0 +1,7 @@ + + + Foo + 4.0.1 + Foo.NET + + \ No newline at end of file diff --git a/cmd/internal/nuget/testdata/package_spec_four_digit_version.xml b/cmd/internal/nuget/testdata/package_spec_four_digit_version.xml new file mode 100644 index 00000000..d93c743d --- /dev/null +++ b/cmd/internal/nuget/testdata/package_spec_four_digit_version.xml @@ -0,0 +1,9 @@ + + + Foo + 1.60.0.2981+metadat + Foo.NET + + foo + + \ No newline at end of file diff --git a/cmd/internal/nuget/testdata/package_spec_git_ending.xml b/cmd/internal/nuget/testdata/package_spec_git_ending.xml new file mode 100644 index 00000000..006c4d74 --- /dev/null +++ b/cmd/internal/nuget/testdata/package_spec_git_ending.xml 
@@ -0,0 +1,9 @@ + + + Foo + 4.0.1 + Foo.NET + + foo + + \ No newline at end of file diff --git a/cmd/internal/nuget/testdata/package_spec_project_url.xml b/cmd/internal/nuget/testdata/package_spec_project_url.xml new file mode 100644 index 00000000..9124d683 --- /dev/null +++ b/cmd/internal/nuget/testdata/package_spec_project_url.xml @@ -0,0 +1,8 @@ + + + Foo + 4.0.1 + Foo.NET + https://github.com/foo/foo.net + + \ No newline at end of file diff --git a/cmd/internal/nuget/testdata/package_spec_project_url_git_ending.xml b/cmd/internal/nuget/testdata/package_spec_project_url_git_ending.xml new file mode 100644 index 00000000..ba4c5129 --- /dev/null +++ b/cmd/internal/nuget/testdata/package_spec_project_url_git_ending.xml @@ -0,0 +1,8 @@ + + + Foo + 4.0.1 + Foo.NET + https://github.com/foo/foo.net.git + + \ No newline at end of file diff --git a/cmd/internal/nuget/testdata/package_spec_project_url_gitlab.xml b/cmd/internal/nuget/testdata/package_spec_project_url_gitlab.xml new file mode 100644 index 00000000..94643d50 --- /dev/null +++ b/cmd/internal/nuget/testdata/package_spec_project_url_gitlab.xml @@ -0,0 +1,8 @@ + + + Foo + 4.0.1 + Foo.NET + https://gitlab.com/foo/foo.net + + \ No newline at end of file diff --git a/cmd/internal/nuget/testdata/package_spec_project_url_not_supported.xml b/cmd/internal/nuget/testdata/package_spec_project_url_not_supported.xml new file mode 100644 index 00000000..ba94b9a8 --- /dev/null +++ b/cmd/internal/nuget/testdata/package_spec_project_url_not_supported.xml @@ -0,0 +1,8 @@ + + + Foo + 4.0.1 + Foo.NET + https://myserver.com/foo/foo.net + + \ No newline at end of file diff --git a/cmd/internal/nuget/testdata/package_spec_trailing_slash.xml b/cmd/internal/nuget/testdata/package_spec_trailing_slash.xml new file mode 100644 index 00000000..61b3f4cc --- /dev/null +++ b/cmd/internal/nuget/testdata/package_spec_trailing_slash.xml @@ -0,0 +1,9 @@ + + + Foo + 4.0.1 + Foo.NET + + foo + + \ No newline at end of file 
diff --git a/cmd/packagemanager_client.go b/cmd/internal/packagemanager/client.go
similarity index 58%
rename from cmd/packagemanager_client.go
rename to cmd/internal/packagemanager/client.go
index f453d22c..5e3ee1f0 100644
--- a/cmd/packagemanager_client.go
+++ b/cmd/internal/packagemanager/client.go
@@ -12,7 +12,8 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package cmd
+// Package packagemanager implements a packagemanager client
+package packagemanager
 
 import (
 "fmt"
@@ -20,18 +21,30 @@ import (
 "time"
 )
 
-type packageManagerClient interface {
+type Client interface {
 Get(URI string, packagename string) (*http.Response, error)
+
+GetURI(URI string) (*http.Response, error)
 }
 
-type packageManager struct{}
+type PackageManagerClient struct{}
 
 // nolint: noctx
-func (c *packageManager) Get(url, packageName string) (*http.Response, error) {
+func (c *PackageManagerClient) Get(url, packageName string) (*http.Response, error) {
+return c.getRemoteURL(fmt.Sprintf(url, packageName))
+}
+
+// nolint: noctx
+func (c *PackageManagerClient) GetURI(url string) (*http.Response, error) {
+return c.getRemoteURL(url)
+}
+
+// nolint: noctx
+func (c *PackageManagerClient) getRemoteURL(url string) (*http.Response, error) {
 const timeout = 10
 client := &http.Client{
 Timeout: timeout * time.Second,
 }
 //nolint
-return client.Get(fmt.Sprintf(url, packageName))
+return client.Get(url)
 }
diff --git a/cmd/internal/packagemanager/client_test.go b/cmd/internal/packagemanager/client_test.go
new file mode 100644
index 00000000..97d9c915
--- /dev/null
+++ b/cmd/internal/packagemanager/client_test.go
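Review bot: `Client`, `PackageManagerClient` and `GetURI` are now exported but carry no doc comments, and the type name stutters as `packagemanager.PackageManagerClient`; `// Client fetches package-registry metadata over HTTP.`, `// PackageManagerClient is the default Client backed by net/http with a fixed 10s timeout.` and `// GetURI fetches url exactly as given; callers that pass URLs taken from a registry response should validate the host before calling it.` would cover the exported surface. The last point matters because `GetURI` accepts any URL and the nuget testdata in this patch suggests it will be fed the `@id` links returned by the service index, so the request destination is chosen by the remote registry; the validation belongs at that call site, which is outside this hunk. The package name in `Get` is still spliced into the URL unescaped via `fmt.Sprintf`, as it was before the rename, so a name containing `/` or `?` rewrites the request path; `url.PathEscape` fits where the `%s` is a path segment, though the `url` parameter shadows the `net/url` package name and would need renaming first. The `http.Client` built on every call has constant configuration and could be a package-level value.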
@@ -0,0 +1,131 @@ +// Copyright 2020 OpenSSF Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package packagemanager implements a packagemanager client +package packagemanager + +import ( + "io" + "net/http" + "net/http/httptest" + "testing" +) + +func Test_GetURI_calls_client_get_with_input(t *testing.T) { + t.Parallel() + type args struct { + inputURL string + } + tests := []struct { + name string + args args + wantURL string + wantResponse string + }{ + { + name: "GetURI_input_is_the_same_as_get_uri", + + args: args{ + inputURL: "test", + }, + wantURL: "/test", + wantResponse: "test", + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if r.URL.Path != tt.wantURL { + t.Errorf("Expected to request '%s', got: %s", tt.wantURL, r.URL.Path) + } + // nolint + w.WriteHeader(http.StatusOK) + // nolint + w.Write([]byte(tt.wantResponse)) + })) + defer server.Close() + client := PackageManagerClient{} + got, err := client.GetURI(server.URL + "/" + tt.args.inputURL) + if err != nil { + t.Errorf("Test_GetURI_calls_client_get_with_input() error in Get= %v", err) + return + } + body, err := io.ReadAll(got.Body) + if err != nil { + t.Errorf("Test_GetURI_calls_client_get_with_input() error in ReadAll= %v", err) + return + } + if string(body) != tt.wantResponse { + t.Errorf("GetURI() = %v, want %v", got, 
tt.wantResponse) + } + }) + } +} + +func Test_Get_calls_client_get_with_input(t *testing.T) { + t.Parallel() + type args struct { + inputURL string + packageName string + } + tests := []struct { + name string + args args + wantURL string + wantResponse string + }{ + { + name: "Get_input_adds_package_name_for_get_uri", + + args: args{ + inputURL: "test-%s-test", + packageName: "test_package", + }, + wantURL: "/test-test_package-test", + wantResponse: "test", + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if r.URL.Path != tt.wantURL { + t.Errorf("Expected to request '%s', got: %s", tt.wantURL, r.URL.Path) + } + // nolint + w.WriteHeader(http.StatusOK) + // nolint + w.Write([]byte(tt.wantResponse)) + })) + defer server.Close() + client := PackageManagerClient{} + got, err := client.Get(server.URL+"/"+tt.args.inputURL, tt.args.packageName) + if err != nil { + t.Errorf("Test_Get_calls_client_get_with_input() error in Get = %v", err) + return + } + body, err := io.ReadAll(got.Body) + if err != nil { + t.Errorf("Test_Get_calls_client_get_with_input() error in ReadAll = %v", err) + return + } + if string(body) != tt.wantResponse { + t.Errorf("GetURI() = %v, want %v", got, tt.wantResponse) + } + }) + } +} diff --git a/cmd/internal/packagemanager/packagemanager_mockclient.go b/cmd/internal/packagemanager/packagemanager_mockclient.go new file mode 100644 index 00000000..9c723466 --- /dev/null +++ b/cmd/internal/packagemanager/packagemanager_mockclient.go 
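Review bot: Neither test closes the response body after `io.ReadAll(got.Body)`, so each subtest leaks the connection to the httptest server; add `defer got.Body.Close()` right after the `err != nil` check on the `client.GetURI(...)` and `client.Get(...)` calls. In `Test_Get_calls_client_get_with_input` the failure message still reads `GetURI() = %v, want %v` (copy-paste from the first test) and both messages print `got`, the `*http.Response`, rather than the body that was compared; `t.Errorf("Get() = %q, want %q", body, tt.wantResponse)` reports what was actually checked. The `// nolint` directives on `w.WriteHeader` and `w.Write` name no linter, which disables everything on those lines; `//nolint:errcheck` is the narrower form.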
@@ -0,0 +1,80 @@ +// Copyright 2021 OpenSSF Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +// Code generated by MockGen. DO NOT EDIT. +// Source: cmd/internal/packagemanager/client.go + +// Package packagemanager is a generated GoMock package. +package packagemanager + +import ( + http "net/http" + reflect "reflect" + + gomock "github.com/golang/mock/gomock" +) + +// MockClient is a mock of Client interface. +type MockClient struct { + ctrl *gomock.Controller + recorder *MockClientMockRecorder +} + +// MockClientMockRecorder is the mock recorder for MockClient. +type MockClientMockRecorder struct { + mock *MockClient +} + +// NewMockClient creates a new mock instance. +func NewMockClient(ctrl *gomock.Controller) *MockClient { + mock := &MockClient{ctrl: ctrl} + mock.recorder = &MockClientMockRecorder{mock} + return mock +} + +// EXPECT returns an object that allows the caller to indicate expected use. +func (m *MockClient) EXPECT() *MockClientMockRecorder { + return m.recorder +} + +// Get mocks base method. +func (m *MockClient) Get(URI, packagename string) (*http.Response, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "Get", URI, packagename) + ret0, _ := ret[0].(*http.Response) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// Get indicates an expected call of Get. 
+func (mr *MockClientMockRecorder) Get(URI, packagename interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Get", reflect.TypeOf((*MockClient)(nil).Get), URI, packagename) +} + +// GetURI mocks base method. +func (m *MockClient) GetURI(URI string) (*http.Response, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "GetURI", URI) + ret0, _ := ret[0].(*http.Response) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// GetURI indicates an expected call of GetURI. +func (mr *MockClientMockRecorder) GetURI(URI interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetURI", reflect.TypeOf((*MockClient)(nil).GetURI), URI) +} diff --git a/cmd/package_managers.go b/cmd/package_managers.go index a18ecbd2..67b4ab88 100644 --- a/cmd/package_managers.go +++ b/cmd/package_managers.go @@ -19,6 +19,8 @@ import ( "encoding/json" "fmt" + ngt "github.com/ossf/scorecard/v4/cmd/internal/nuget" + pmc "github.com/ossf/scorecard/v4/cmd/internal/packagemanager" sce "github.com/ossf/scorecard/v4/errors" ) @@ -27,8 +29,8 @@ type packageMangerResponse struct { exists bool } -func fetchGitRepositoryFromPackageManagers(npm, pypi, rubygems string, - manager packageManagerClient, +func fetchGitRepositoryFromPackageManagers(npm, pypi, rubygems, nuget string, + manager pmc.Client, ) (packageMangerResponse, error) { if npm != "" { gitRepo, err := fetchGitRepositoryFromNPM(npm, manager) @@ -51,6 +53,14 @@ func fetchGitRepositoryFromPackageManagers(npm, pypi, rubygems string, associatedRepo: gitRepo, }, err } + if nuget != "" { + nugetClient := ngt.NugetClient{Manager: manager} + gitRepo, err := fetchGitRepositoryFromNuget(nuget, nugetClient) + return packageMangerResponse{ + exists: true, + associatedRepo: gitRepo, + }, err + } return packageMangerResponse{}, nil } 
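Review bot: The new `if nuget != ""` branch in `fetchGitRepositoryFromPackageManagers` makes the precedence rule implicit: only the first non-empty argument in the order npm, pypi, rubygems, nuget is consulted and any others are silently ignored, and with four positional strings a caller can now misorder them without a compile error. Document this on the function, `// Only the first non-empty package name, in the order npm, pypi, rubygems, nuget, is resolved; the rest are ignored.`, or consider a small options struct so the flags are named at the call site. The function's signature is in an earlier hunk and its body spans both, so the comment goes above the signature outside this hunk. `ngt.NugetClient{Manager: manager}` also stutters as `nuget.NugetClient`; `nuget.Client` is the interface, so a name such as `nuget.Resolver` would avoid the clash.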
@@ -78,7 +88,7 @@ type rubyGemsSearchResults struct {
 }
 
 // Gets the GitHub repository URL for the npm package.
-func fetchGitRepositoryFromNPM(packageName string, packageManager packageManagerClient) (string, error) {
+func fetchGitRepositoryFromNPM(packageName string, packageManager pmc.Client) (string, error) {
 npmSearchURL := "https://registry.npmjs.org/-/v1/search?text=%s&size=1"
 resp, err := packageManager.Get(npmSearchURL, packageName)
 if err != nil {
@@ -99,7 +109,7 @@ func fetchGitRepositoryFromNPM(packageName string, packageManager packageManager
 }
 
 // Gets the GitHub repository URL for the pypi package.
-func fetchGitRepositoryFromPYPI(packageName string, manager packageManagerClient) (string, error) {
+func fetchGitRepositoryFromPYPI(packageName string, manager pmc.Client) (string, error) {
 pypiSearchURL := "https://pypi.org/pypi/%s/json"
 resp, err := manager.Get(pypiSearchURL, packageName)
 if err != nil {
@@ -120,7 +130,7 @@ func fetchGitRepositoryFromPYPI(packageName string, manager packageManagerClient
 }
 
 // Gets the GitHub repository URL for the rubygems package.
-func fetchGitRepositoryFromRubyGems(packageName string, manager packageManagerClient) (string, error) {
+func fetchGitRepositoryFromRubyGems(packageName string, manager pmc.Client) (string, error) {
 rubyGemsSearchURL := "https://rubygems.org/api/v1/gems/%s.json"
 resp, err := manager.Get(rubyGemsSearchURL, packageName)
 if err != nil {
@@ -138,3 +148,13 @@ func fetchGitRepositoryFromRubyGems(packageName string, manager packageManagerCl
 }
 return v.SourceCodeURI, nil
 }
+
+// Gets the GitHub repository URL for the nuget package.
+func fetchGitRepositoryFromNuget(packageName string, nugetClient ngt.Client) (string, error) {
+repositoryURI, err := nugetClient.GitRepositoryByPackageName(packageName)
+if err != nil {
+return "", sce.WithMessage(sce.ErrScorecardInternal,
+fmt.Sprintf("could not find source repo for nuget package: %v", err))
+}
+return repositoryURI, nil
+}
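Review bot: The comment on `fetchGitRepositoryFromNuget` says "GitHub repository URL", but the testdata added in this patch includes a GitLab project URL and an unsupported-host spec, which suggests the nuget resolver returns whatever source repository the nuspec points at, not only GitHub; `// Gets the source repository URL for the nuget package.` states the contract the visible fixtures imply. The error is built with `fmt.Sprintf("...: %v", err)` inside `sce.WithMessage`, so the original error is flattened to text; if `sce.WithMessage` cannot carry a cause, note that in the comment so callers do not try `errors.Is` on it. This matches the three sibling functions' style, so the change is optional but worth a one-line comment either way.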
diff --git a/cmd/package_managers_test.go b/cmd/package_managers_test.go
index b4e39810..fe5ff0bf 100644
--- a/cmd/package_managers_test.go
+++ b/cmd/package_managers_test.go
@@ -23,6 +23,9 @@ import (
 "testing"
 
 "github.com/golang/mock/gomock"
+
+ngt "github.com/ossf/scorecard/v4/cmd/internal/nuget"
+pmc "github.com/ossf/scorecard/v4/cmd/internal/packagemanager"
 )
 
 func Test_fetchGitRepositoryFromNPM(t *testing.T) {
@@ -133,7 +136,7 @@ func Test_fetchGitRepositoryFromNPM(t *testing.T) {
 t.Run(tt.name, func(t *testing.T) {
 t.Parallel()
 ctrl := gomock.NewController(t)
-p := NewMockpackageManagerClient(ctrl)
+p := pmc.NewMockClient(ctrl)
 p.EXPECT().Get(gomock.Any(), tt.args.packageName).
 DoAndReturn(func(url, packageName string) (*http.Response, error) {
 if tt.wantErr && tt.args.result == "" {
@@ -413,7 +416,7 @@ func Test_fetchGitRepositoryFromPYPI(t *testing.T) {
 t.Run(tt.name, func(t *testing.T) {
 t.Parallel()
 ctrl := gomock.NewController(t)
-p := NewMockpackageManagerClient(ctrl)
+p := pmc.NewMockClient(ctrl)
 p.EXPECT().Get(gomock.Any(), tt.args.packageName).
 DoAndReturn(func(url, packageName string) (*http.Response, error) {
 if tt.wantErr && tt.args.result == "" {
@@ -682,7 +685,7 @@ func Test_fetchGitRepositoryFromRubyGems(t *testing.T) {
 t.Run(tt.name, func(t *testing.T) {
 t.Parallel()
 ctrl := gomock.NewController(t)
-p := NewMockpackageManagerClient(ctrl)
+p := pmc.NewMockClient(ctrl)
 p.EXPECT().Get(gomock.Any(), tt.args.packageName).
 DoAndReturn(func(url, packageName string) (*http.Response, error) {
 if tt.wantErr && tt.args.result == "" {
@@ -706,3 +709,65 @@ func Test_fetchGitRepositoryFromRubyGems(t *testing.T) { }) } } + +func Test_fetchGitRepositoryFromNuget(t *testing.T) { + t.Parallel() + type args struct { + packageName string + result string + } + tests := []struct { + name string + args args + want string + wantErr bool + }{ + { + name: "Return repository from nuget client", + //nolint + args: args{ + packageName: "nuget-package", + //nolint + result: "nuget", + }, + want: "nuget", + wantErr: false, + }, + { + name: "Error from nuget client", + //nolint + args: args{ + packageName: "nuget-package", + //nolint + result: "", + }, + want: "", + wantErr: true, + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + ctrl := gomock.NewController(t) + n := ngt.NewMockClient(ctrl) + n.EXPECT().GitRepositoryByPackageName(tt.args.packageName). + DoAndReturn(func(packageName string) (string, error) { + if tt.wantErr && tt.args.result == "" { + //nolint + return "", errors.New("error") + } + + return tt.args.result, nil + }).AnyTimes() + got, err := fetchGitRepositoryFromNuget(tt.args.packageName, n) + if (err != nil) != tt.wantErr { + t.Errorf("fetchGitRepositoryFromNuget() error = %v, wantErr %v", err, tt.wantErr) + return + } + if got != tt.want { + t.Errorf("fetchGitRepositoryFromNuget() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/cmd/packagemanager_mockclient.go b/cmd/packagemanager_mockclient.go deleted file mode 100644 index 40cc49d3..00000000 --- a/cmd/packagemanager_mockclient.go +++ /dev/null 
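Review bot: The four bare `//nolint` directives in Test_fetchGitRepositoryFromNuget silence every linter on the following line without saying which finding they are for, and the ones above `args: args{` and `result: "nuget",` do not obviously cover anything. Name the linter and the reason on the one line that needs it, e.g. `//nolint:goerr113 // test-only error value` above `return "", errors.New("error")`, and drop the others. The `.AnyTimes()` on the GitRepositoryByPackageName expectation means the mock never verifies the client was actually called; the assertion on `got` happens to cover that here, but `.Times(1)` would make the intent explicit.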
@@ -1,65 +0,0 @@ -// Copyright 2021 OpenSSF Scorecard Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// - -// Code generated by MockGen. DO NOT EDIT. -// Source: cmd/packagemanager_client.go - -// Package cmd is a generated GoMock package. -package cmd - -import ( - http "net/http" - reflect "reflect" - - gomock "github.com/golang/mock/gomock" -) - -// MockpackageManagerClient is a mock of packageManagerClient interface. -type MockpackageManagerClient struct { - ctrl *gomock.Controller - recorder *MockpackageManagerClientMockRecorder -} - -// MockpackageManagerClientMockRecorder is the mock recorder for MockpackageManagerClient. -type MockpackageManagerClientMockRecorder struct { - mock *MockpackageManagerClient -} - -// NewMockpackageManagerClient creates a new mock instance. -func NewMockpackageManagerClient(ctrl *gomock.Controller) *MockpackageManagerClient { - mock := &MockpackageManagerClient{ctrl: ctrl} - mock.recorder = &MockpackageManagerClientMockRecorder{mock} - return mock -} - -// EXPECT returns an object that allows the caller to indicate expected use. -func (m *MockpackageManagerClient) EXPECT() *MockpackageManagerClientMockRecorder { - return m.recorder -} - -// Get mocks base method. 
-func (m *MockpackageManagerClient) Get(URI, packagename string) (*http.Response, error) { - m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "Get", URI, packagename) - ret0, _ := ret[0].(*http.Response) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// Get indicates an expected call of Get. -func (mr *MockpackageManagerClientMockRecorder) Get(URI, packagename interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Get", reflect.TypeOf((*MockpackageManagerClient)(nil).Get), URI, packagename) -} diff --git a/cmd/root.go b/cmd/root.go index da4cd061..4dccf166 100644 --- a/cmd/root.go +++ b/cmd/root.go @@ -27,6 +27,7 @@ import ( "github.com/ossf/scorecard/v4/checker" "github.com/ossf/scorecard/v4/clients" + pmc "github.com/ossf/scorecard/v4/cmd/internal/packagemanager" docs "github.com/ossf/scorecard/v4/docs/checks" sce "github.com/ossf/scorecard/v4/errors" sclog "github.com/ossf/scorecard/v4/log" @@ -37,7 +38,7 @@ import ( const ( scorecardLong = "A program that shows the OpenSSF scorecard for an open source software." - scorecardUse = `./scorecard (--repo= | --local= | --{npm,pypi,rubygems}=) + scorecardUse = `./scorecard (--repo= | --local= | --{npm,pypi,rubygems,nuget}=) [--checks=check1,...] [--show-details]` scorecardShort = "OpenSSF Scorecard" ) @@ -72,9 +73,9 @@ func New(o *options.Options) *cobra.Command { // rootCmd runs scorecard checks given a set of arguments. func rootCmd(o *options.Options) error { - p := &packageManager{} + p := &pmc.PackageManagerClient{} // Set `repo` from package managers. - pkgResp, err := fetchGitRepositoryFromPackageManagers(o.NPM, o.PyPI, o.RubyGems, p) + pkgResp, err := fetchGitRepositoryFromPackageManagers(o.NPM, o.PyPI, o.RubyGems, o.Nuget, p) if err != nil { return fmt.Errorf("fetchGitRepositoryFromPackageManagers: %w", err) } diff --git a/options/flags.go b/options/flags.go index 66a48c2b..1652c9fd 100644 --- a/options/flags.go +++ b/options/flags.go 
@@ -45,6 +45,9 @@ const ( // FlagRubyGems is the flag name for specifying a RubyGems repository. FlagRubyGems = "rubygems" + // FlagNuget is the flag name for specifying a Nuget repository. + FlagNuget = "nuget" + // FlagMetadata is the flag name for specifying metadata for the project. FlagMetadata = "metadata" @@ -120,6 +123,13 @@ func (o *Options) AddFlags(cmd *cobra.Command) { "rubygems package to check, given that the rubygems package has a GitHub repository", ) + cmd.Flags().StringVar( + &o.Nuget, + FlagNuget, + o.Nuget, + "nuget package to check, given that the nuget package has a GitHub repository", + ) + cmd.Flags().StringSliceVar( &o.Metadata, FlagMetadata, diff --git a/options/options.go b/options/options.go index 164c356b..5be1fda1 100644 --- a/options/options.go +++ b/options/options.go @@ -37,6 +37,7 @@ type Options struct { NPM string PyPI string RubyGems string + Nuget string PolicyFile string // TODO(action): Add logic for writing results to file ResultsFile string @@ -113,7 +114,7 @@ var ( errPolicyFileNotSupported = errors.New("policy file is not supported yet") errRawOptionNotSupported = errors.New("raw option is not supported yet") errRepoOptionMustBeSet = errors.New( - "exactly one of `repo`, `npm`, `pypi`, `rubygems` or `local` must be set", + "exactly one of `repo`, `npm`, `pypi`, `rubygems`, `nuget` or `local` must be set", ) errSARIFNotSupported = errors.New("SARIF format is not supported yet") errValidate = errors.New("some options could not be validated") @@ -124,11 +125,12 @@ var ( func (o *Options) Validate() error { var errs []error - // Validate exactly one of `--repo`, `--npm`, `--pypi`, `--rubygems`, `--local` is enabled. + // Validate exactly one of `--repo`, `--npm`, `--pypi`, `--rubygems`, `--nuget`, `--local` is enabled. if boolSum(o.Repo != "", o.NPM != "", o.PyPI != "", o.RubyGems != "", + o.Nuget != "", o.Local != "") != 1 { errs = append( errs, 
diff --git a/options/options_test.go b/options/options_test.go index b69d5c35..8098e8eb 100644 --- a/options/options_test.go +++ b/options/options_test.go @@ -21,7 +21,7 @@ import ( ) // Cannot run parallel tests because of the ENV variables. -//nolint +// nolint func TestOptions_Validate(t *testing.T) { type fields struct { Repo string @@ -32,6 +32,7 @@ func TestOptions_Validate(t *testing.T) { NPM string PyPI string RubyGems string + Nuget string PolicyFile string ResultsFile string ChecksToRun []string @@ -99,6 +100,7 @@ func TestOptions_Validate(t *testing.T) { NPM: tt.fields.NPM, PyPI: tt.fields.PyPI, RubyGems: tt.fields.RubyGems, + Nuget: tt.fields.Nuget, PolicyFile: tt.fields.PolicyFile, ResultsFile: tt.fields.ResultsFile, ChecksToRun: tt.fields.ChecksToRun,
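Review bot: `// nolint` with a space, on the line above TestOptions_Validate, is not a nolint directive — golangci-lint only recognises `//nolint` written without the space — so after this hunk the comment suppresses nothing and whatever the original `//nolint` was hiding will be reported again. The space was most likely inserted by gofmt, which since Go 1.19 reformats doc comments but leaves the colon form alone; writing `//nolint:<linter> // reason` (placeholder for the linter actually triggered) keeps the directive both gofmt-stable and explicit about what it suppresses. The other two hunks in this file only add the `Nuget` field and need nothing; the test function's body continues outside the hunk.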