mirror of
https://github.com/ossf/scorecard.git
synced 2024-10-05 13:17:08 +03:00
main
632 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Avishay Balter
|
41f91ed862
|
✨ Support Nuget Pinned Dependency with RestoreLockedMode attribute (#4351)
* Support restorelockedmode dev (#9) Support pinning dependency in .NET using lockfile by declaring the RestoreLockedMode attribute in csproj Co-authored-by: Liam Moat <contact@liammoat.com> Co-authored-by: Ioana A <Ioana37@users.noreply.github.com> Co-authored-by: Mélanie Guittet <meguittet@users.noreply.github.com> Signed-off-by: balteraivshay <avishay.balter@gmail.com> * fixing PR checks and adding tests Signed-off-by: balteraivshay <avishay.balter@gmail.com> * move csproj to fileparser Signed-off-by: balteraivshay <avishay.balter@gmail.com> * internal error Signed-off-by: balteraivshay <avishay.balter@gmail.com> * fix using error Signed-off-by: balteraivshay <avishay.balter@gmail.com> Signed-off-by: balteraivshay <avishay.balter@gmail.com> * PR fixes Signed-off-by: balteraivshay <avishay.balter@gmail.com> * fix test Signed-off-by: balteraivshay <avishay.balter@gmail.com> * fix pr %e comment Signed-off-by: balteraivshay <avishay.balter@gmail.com> * fix PR comments Signed-off-by: balteraivshay <avishay.balter@gmail.com> * Co-authored-by: Ioana A <Ioana37@users.noreply.github.com> Signed-off-by: balteraivshay <avishay.balter@gmail.com> * merge main Signed-off-by: balteraivshay <avishay.balter@gmail.com> * pr comments Signed-off-by: balteraivshay <avishay.balter@gmail.com> * fix last comments Signed-off-by: balteraivshay <avishay.balter@gmail.com> --------- Signed-off-by: balteraivshay <avishay.balter@gmail.com> Co-authored-by: Liam Moat <contact@liammoat.com> Co-authored-by: Ioana A <Ioana37@users.noreply.github.com> Co-authored-by: Mélanie Guittet <meguittet@users.noreply.github.com> |
||
lelia
|
4e9b1a012f
|
✨ Update SPDX license list, source for license data (#4323)
* Update SPDX license list, source for license data Signed-off-by: lelia <le1ia@me.com> * Fix typo found by golangci-lint Signed-off-by: lelia <le1ia@me.com> * Fix alphabetization to conform with existing sort logic Signed-off-by: lelia <le1ia@me.com> * Reintroduce comment for using curl cmd Signed-off-by: lelia <le1ia@me.com> --------- Signed-off-by: lelia <le1ia@me.com> |
||
dependabot[bot]
|
d8ba4268bf
|
🌱 Bump github.com/golangci/golangci-lint from 1.59.1 to 1.60.1 in /tools (#4301)
Some checks failed
CodeQL / Analyze (go) (push) Has been cancelled
CodeQL / Analyze (javascript) (push) Has been cancelled
gitlab-tests / gitlab-integration-trusted (push) Has been cancelled
golangci-lint / check-linter (push) Has been cancelled
build / unit-test (push) Has been cancelled
build / generate-mocks (push) Has been cancelled
build / generate-docs (push) Has been cancelled
build / build-proto (push) Has been cancelled
build / validate-docs (push) Has been cancelled
build / add-projects (push) Has been cancelled
build / validate-projects (push) Has been cancelled
build / license boilerplate check (push) Has been cancelled
Scorecard analysis workflow / Scorecard analysis (push) Has been cancelled
build / ${{ matrix.target }} (build-add-script) (push) Has been cancelled
build / ${{ matrix.target }} (build-bq-transfer) (push) Has been cancelled
build / ${{ matrix.target }} (build-cii-worker) (push) Has been cancelled
build / ${{ matrix.target }} (build-controller) (push) Has been cancelled
build / ${{ matrix.target }} (build-github-server) (push) Has been cancelled
build / ${{ matrix.target }} (build-scorecard) (push) Has been cancelled
build / ${{ matrix.target }} (build-shuffler) (push) Has been cancelled
build / ${{ matrix.target }} (build-validate-script) (push) Has been cancelled
build / ${{ matrix.target }} (build-webhook) (push) Has been cancelled
build / ${{ matrix.target }} (build-worker) (push) Has been cancelled
|
||
|
Avishay Balter
|
78115dedad
|
✨ Add support for Nuget restore (#4157)
* Nuget lock file support
Signed-off-by: balteraivshay <avishay.balter@gmail.com>
* fix shell download
Signed-off-by: balteraivshay <avishay.balter@gmail.com>
* Revert "fix shell download"
This reverts commit
|
||
Raghav Kaul
|
bfaa9febc2
|
✨ probe: releases with verified provenance (#4141)
* add projectpackageversions to signed releases raw results Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * finding: add NewNot* helpers, fix error msg Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * probe: releasesHaveVerifiedProvenance Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * logging Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * fix tests and lint Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * address comments Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * remove unused Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * fix merge conflict Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> |
||
Spencer Schrock
|
9cd1fb868d
|
🐛 fix Unlicense detection (#4145)
* fix unlicense detection The code previously had some special logic for handling the Unlicense SPDX identifier. While this worked for local file detection, it broke detection for SPDX identifiers provided by the forge. This change moves the logic to the part of the code concerned with local file detection, so both work now. Signed-off-by: Spencer Schrock <sschrock@google.com> * remove part of comment which is no longer relevant Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
Arnout Engelen
|
bf4002489a
|
✨ detect sbt ci-release packaging workflows (#4135)
Signed-off-by: Arnout Engelen <arnout@bzzt.net> |
||
|
Raghav Kaul
|
77dce6fbef
|
⚠️ Add ProjectPackageVersions to raw data collection (#4104)
* add projectpackageversions to signed releases raw results Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * add mocks Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * fix tests Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * rename Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * Update runScorecard Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * pass depsdevclient to scdiff Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * error handling Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * make Host() return domain only Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * lint Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * address cr comments Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> |
||
|
Arnout Engelen
|
7e6a09e474
|
🐛 fix Docker remediations for unpinned GHA dependencies (#4131)
* 🐛 fix Docker remediations for unpinned GHA dependencies Previously, as both the check for unpinned dependencies in GitHub Actions and the check for unpinned Docker dependencies contribute to d.Dependencies, the loop that created remediations for Docker dependencies would also create try to create Docker remediations for the unpinned GitHub Actions dependencies. This could get really slow, especially when scanning a repo with many GitHub Actions such as https://github.com/apache/beam. Signed-off-by: Arnout Engelen <arnout@bzzt.net> * 🌱 Small refactor and test for remediations Signed-off-by: Arnout Engelen <arnout@bzzt.net> * 🌱 make test data more realistic Signed-off-by: Arnout Engelen <arnout@bzzt.net> --------- Signed-off-by: Arnout Engelen <arnout@bzzt.net> |
||
|
Arnout Engelen
|
2855274aab
|
✨ Recognize scala-steward as dependency update tool (#4130)
* ✨ Recognize scala-steward as dependency update tool Signed-off-by: Arnout Engelen <arnout@bzzt.net> * ✨ also recognize scala-steward.conf in subdirectories Signed-off-by: Arnout Engelen <arnout@bzzt.net> * 🌱 add scala-steward to README Signed-off-by: Arnout Engelen <arnout@bzzt.net> --------- Signed-off-by: Arnout Engelen <arnout@bzzt.net> |
||
Allen Shearin
|
8de90207bc
|
✨ Add experimental check for published SBOM (#3903)
* Sbom check MVP Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * PR suggestion fixes Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * fix line length Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * update gitlab client to check 20 latest pipelines in default branch Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * correct issues Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * add unit tests for sbom client code Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * probe name alignment, updated evaluation tests Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * consolidate probes, reuse available data sources Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * add autogen doc update Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * address PR comments, remove CI/CD check code Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * update unit tests Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * fix linting errors Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * revert unnecessary changes, correct check documentation Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * address PR comments Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * move release lookback to data collection side Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> --------- Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> |
||
|
dependabot[bot]
|
0082cad776
|
🌱 Bump github.com/golangci/golangci-lint from 1.57.2 to 1.58.1 in /tools (#4108) | ||
|
Spencer Schrock
|
7ce8609469
|
🐛 Support renamed gradle verification action and callers which pin to hash (#4097)
* Support renamed gradle verification action From gradle/wrapper-validation-action's readme: "As of v3 this action has been superceded by gradle/actions/wrapper-validation" Also support actions pinned to a hash. Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unneeded dependency Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
250690511d
|
🐛 Code-Review: change phabricator regex to allow URLs (#4086)
The old regex used \w which only allowed [0-9A-Za-z_], however most projects use full URLs with phabricator (e.g. https://reviews.foo.org/D###). This led to errors parsing the revisions, where "https" was seen as the revision, leading to an underreporting of code review practices. The new regex focuses on the D#### part and uses it as the revision. Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
S. E. Elder
|
a788a3830d
|
🌱 Update Binary-Artifacts and License checks (#4079)
* replaced localRepoClient with mockRepoClient Signed-off-by: seelder <seelder@ncsu.edu> * Update binary_artifact_test.go to use scut Updated the test to use scut. Updated the test data to use scut, including adding NumberOfInfo and NumberOfWarn for each test case Signed-off-by: seelder <seelder@ncsu.edu> * Update license_test to use gomock First attempt at updating license_test to use gomock instead of localDir. Note: localDir currently has a TODO for implementing ListLicenses. It returns an UnsupportedFeatures error, which is then handled in checks/raw/license. This first attempt replicates that existing behavior. Signed-off-by: seelder <seelder@ncsu.edu> * Update license_test documentation Clarified why the mock simply throws an error Signed-off-by: seelder <seelder@ncsu.edu> * Fixed linting error in license_test Signed-off-by: seelder <seelder@ncsu.edu> --------- Signed-off-by: seelder <seelder@ncsu.edu> |
||
Case Wylie
|
39e968dceb
|
⚠️ errors in ErrXXX format (#4040)
Signed-off-by: Case Wylie <cmwylie19@defenseunicorns.com> |
||
|
Spencer Schrock
|
0b9dfb656f
|
⚠️ Replace v4 module references with v5 (#4027)
Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
f4c3025998
|
🐛 Token-Permissions: use same text for read token details as write token details (#4025)
* use same text for read token details as write token details This was an unintentional regression from v4.13.1 Signed-off-by: Spencer Schrock <sschrock@google.com> * deal with linter warning Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
d8b26d974f
|
🐛 Signed-Releases: dont warn about signatures if provenance present (#4024)
* reduce number of findings to 1 per probe per release having different findings for different release artifacts isnt how the probe works and it makes the whole thing very noisy Signed-off-by: Spencer Schrock <sschrock@google.com> * dont log lack of signature if we have provenance reduce test warn counts for cases where there is provenance but no signature Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
856419158a
|
🌱 migrate code review check to probes (#3979)
* initial conversion Signed-off-by: Spencer Schrock <sschrock@google.com> * appease the linter Signed-off-by: Spencer Schrock <sschrock@google.com> * cleanup outcomes from positive/negative to true/false conversion Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
99a6dc4ea2
|
🌱 Ensure Token-Permission and Branch-Protection probes use exported value keys (#3977)
* use exported value keys for token permissions Signed-off-by: Spencer Schrock <sschrock@google.com> * convert required reviewer count to use exported value key Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
6b071eddeb
|
⚠️ Allow probes to specify their own bad outcomes (#4020)
* merge probe and finding packages No one interacts with the probes directly, and having them in the same package helps with follow up commits Signed-off-by: Spencer Schrock <sschrock@google.com> * add extra field to indicate the outcome a probe should show remediation for Signed-off-by: Spencer Schrock <sschrock@google.com> * start all probes with remediate on 'False' Signed-off-by: Spencer Schrock <sschrock@google.com> * make OutcomeTrue bad for hasOSVVulnerabilities Signed-off-by: Spencer Schrock <sschrock@google.com> * nest outcome trigger under remediation in yaml Signed-off-by: Spencer Schrock <sschrock@google.com> * invert outcomes for dangerous workflow probes Signed-off-by: Spencer Schrock <sschrock@google.com> * rename notArchived probe to archived with the swap, the true outcome is now the bad outcome. Signed-off-by: Spencer Schrock <sschrock@google.com> * rename notCreatedRecently probe to createRecently with the rename, the true outcome is now bad Signed-off-by: Spencer Schrock <sschrock@google.com> * switch binary artifact probes so detecting binaries is a true outcome Signed-off-by: Spencer Schrock <sschrock@google.com> * appease the linter Signed-off-by: Spencer Schrock <sschrock@google.com> * dont export probe type we can always make it public again later Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
a220b48096
|
⚠️ Delegate logging decisions to the checks instead of a helper (#4019)
* add func to log single finding at caller specified level. This may not be the final form, we may support want to support passing a map of probe+outcome to level mappings. Signed-off-by: Spencer Schrock <sschrock@google.com> * switch dependency update tool check off LogFindings For now, we only use one probe so logging is simple. Signed-off-by: Spencer Schrock <sschrock@google.com> * switch fuzzing check off LogFindings Signed-off-by: Spencer Schrock <sschrock@google.com> * switch packaging check off LogFindings Signed-off-by: Spencer Schrock <sschrock@google.com> * switch security policy check off LogFindings This changes the logging of an error state, but it's not one we expect to see. Signed-off-by: Spencer Schrock <sschrock@google.com> * switch signed releases off LogFindings Signed-off-by: Spencer Schrock <sschrock@google.com> * switch license check off LogFindings Signed-off-by: Spencer Schrock <sschrock@google.com> * switch vuln check off LogFindings Signed-off-by: Spencer Schrock <sschrock@google.com> * switch maintained check off logfindings and delete it Signed-off-by: Spencer Schrock <sschrock@google.com> * dont log lack of commit or issue activity scdiff caught a lot of new details being generated. So going to try removing them Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
775fc97e3d
|
⚠️ remove rule.Remediation and switch users to probe.Remediation (#3978)
probes were initially called rules, so deleted rule and switched usages to probe. Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
b577d79c96
|
⚠️ Replace Positive and Negative outcomes with True and False (#4017)
* rename positive to true Signed-off-by: Spencer Schrock <sschrock@google.com> * rename negative to false Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
76a9b0470a
|
⚠️ Only include probes which ran for probe format (#3991)
* add findings to check results struct these dont make it to the JSON output format as theyre not copied to the jsonCheckResultV2 struct in AsJSON2() Signed-off-by: Spencer Schrock <sschrock@google.com> * populate CheckResult findings It would be nice if the evaluation functions did this for us, but would require changes to theCreate*ScoreResult functions. It was simpler just to set it in one place at the check level. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
46eea0eeaf
|
🌱 Fix pinsDependencies outcomes (#3961)
* switch no dependencies to OutcomeNotApplicable OutcomeNotApplicable is what we've been using for cases where there are no occurences of X. Previously this outcome was used for this probe to handle some error cases, but OutcomeError is currently being used. Existing callers were moved to OutcomeNotSupported. Signed-off-by: Spencer Schrock <sschrock@google.com> * deduplicate location setting checker.File.Location() is nil safe, so this should work when we have a location or not Signed-off-by: Spencer Schrock <sschrock@google.com> * update outcome descriptions Signed-off-by: Spencer Schrock <sschrock@google.com> * simplify OutcomeNotSupported logging path Signed-off-by: Spencer Schrock <sschrock@google.com> * add tests for no deps and processing errors Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
46bb36ab10
|
🌱 Combine Dependency-Update-Tool probes into one (#3981)
* add single probe for dependencyUpdateToolConfigured probe Signed-off-by: Spencer Schrock <sschrock@google.com> * delete individual update tool probes Signed-off-by: Spencer Schrock <sschrock@google.com> * use new update tool probe in evaluation Signed-off-by: Spencer Schrock <sschrock@google.com> * fix dependency update tool tests The old test names were unclear, and didn't cover all supported tools. Additionally the warn count changed since there's only one probe now, instead of 3. Signed-off-by: Spencer Schrock <sschrock@google.com> * clarify test name Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
11e859fc58
|
🌱 Combine hasLicenseFile and hasLicenseFileAtTopDir probes (#3955)
* delete hasLicenseFileAtTopDir probe Signed-off-by: Spencer Schrock <sschrock@google.com> * increase value of having a license the old split was 6 for having a license and 3 for having it in the expected location but 1.5 years later, and there is still no other way we detect it. So it was effectively worth 9 points. This change makes it actually worth 9 points. Signed-off-by: Spencer Schrock <sschrock@google.com> * simplify logging and scoring Signed-off-by: Spencer Schrock <sschrock@google.com> * ensure license findings have locations Signed-off-by: Spencer Schrock <sschrock@google.com> * update tests to reflect new logging Signed-off-by: Spencer Schrock <sschrock@google.com> * match existing detail better Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
dependabot[bot]
|
bf18c27508
|
🌱 Bump github.com/golangci/golangci-lint from 1.56.2 to 1.57.1 in /tools (#3966)
* 🌱 Bump github.com/golangci/golangci-lint in /tools Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.56.2 to 1.57.1. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](https://github.com/golangci/golangci-lint/compare/v1.56.2...v1.57.1) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * remove unused wrapcheck nolint directives wrapcheck v2.8.3 includes a fix for false positives in func literals. Signed-off-by: Spencer Schrock <sschrock@google.com> * satisfy assignOp gocritic linter Signed-off-by: Spencer Schrock <sschrock@google.com> * convert const regex to MustCompile included at package level to ensure regex compiles at build time. These could stay as func regexes if desired, but we'd need test coverage for the piper code so we know we wont panic Signed-off-by: Spencer Schrock <sschrock@google.com> * satisfy unslice linter Signed-off-by: Spencer Schrock <sschrock@google.com> * satisfy wrapperFunc linter This seems like a nice readability change anyway Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Spencer Schrock <sschrock@google.com> |
||
Diogo Teles Sant'Anna
|
376ee1f4d3
|
⚠️ rename fields on Branch Protection Pull Request rules (#3879)
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> |
||
AdamKorcz
|
5b0ae81d49
|
🌱 migrate token permission check to probes (#3816)
* 🌱 migrate token permission check to probes
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* combine seperate write-probes into two that combine them all
Signed-off-by: AdamKorcz <adam@adalogics.com>
* change write probes to read and write
Signed-off-by: AdamKorcz <adam@adalogics.com>
* minor nit
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove WritaAll probes
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Merge read-perm probe with job/top probes
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* minor refactoring
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix copy paste error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix linter issues and restructure code
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove hasGitHubWorkflowPermissionNone probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Remove 'hasGitHubWorkflowPermissionUndeclared' probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* bit of clean up
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* reduce code complexity and remove comment
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* simplify file location
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change probe text
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* invert name of probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* OutcomeNotApplicable -> OutcomeError
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* OutcomeNotAvailable -> OutcomeNotApplicable
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* more OutcomeNotAvailable -> OutcomeNotApplicable
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change name of 'notAvailableOrNotApplicable'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix linter issues
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add comments to remediation fields
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add check for nil-dereference
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove the permissionLocation finding value
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename checkAndLogNotAvailableOrNotApplicable to isBothUndeclaredAndNotAvailableOrNotApplicable
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use raw metadata for remediation output
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'branch' to 'defaultBranch'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove unused fields in rule Remediation
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix remediation
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'metadata.defaultBranch' to 'metadata.repository.defaultBranch'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: Adam Korczynski <adam@adalogics.com>
Signed-off-by: AdamKorcz <adam@adalogics.com>
|
||
|
Spencer Schrock
|
8791d483e9
|
🌱 Cleanup branch protection tests (#3932)
* switch to helper func done using a find/replace regex Signed-off-by: Spencer Schrock <sschrock@google.com> * use constants for branch names Signed-off-by: Spencer Schrock <sschrock@google.com> * replace branch name with constants Signed-off-by: Spencer Schrock <sschrock@google.com> * handle findings with values needed Signed-off-by: Spencer Schrock <sschrock@google.com> * use requiresApproversForPullRequests constants Signed-off-by: Spencer Schrock <sschrock@google.com> * shorter to just use main instead of a const Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
f1e703f500
|
🌱 Combine fuzzing probes (#3877)
* single fuzz probe boilerplate Signed-off-by: Spencer Schrock <sschrock@google.com> * initial implementation Signed-off-by: Spencer Schrock <sschrock@google.com> * connect fuzzing probe to eval code Signed-off-by: Spencer Schrock <sschrock@google.com> * include fuzzer name as tool Signed-off-by: Spencer Schrock <sschrock@google.com> * connect to probes flag Signed-off-by: Spencer Schrock <sschrock@google.com> * remove old probes from list Signed-off-by: Spencer Schrock <sschrock@google.com> * remove old probes Signed-off-by: Spencer Schrock <sschrock@google.com> * fix failing test Signed-off-by: Spencer Schrock <sschrock@google.com> * add tool value to test Signed-off-by: Spencer Schrock <sschrock@google.com> * add fuzz tool helper Signed-off-by: Spencer Schrock <sschrock@google.com> * specify supported tools Signed-off-by: Spencer Schrock <sschrock@google.com> * update e2e test Signed-off-by: Spencer Schrock <sschrock@google.com> * check for no raw data Signed-off-by: Spencer Schrock <sschrock@google.com> * add basic tests Signed-off-by: Spencer Schrock <sschrock@google.com> * add test to ensure fuzzer location is propagated Signed-off-by: Spencer Schrock <sschrock@google.com> * expand detailed tests to include other info like tool value Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
f401d794df
|
🐛 Avoid reading every file searching for sonar configs (#3929)
* use reader instead of contents if the filename doesn't match we don't use the file content. Signed-off-by: Spencer Schrock <sschrock@google.com> * compare bytes to avoid allocations we don't save the line, just the offset. using the bytes versions avoids allocating new strings Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
c77939291b
|
🐛 Limit Binary Artifact file reads to first 1024 bytes (#3923)
* add OnMatchingFileReaderDo Signed-off-by: Spencer Schrock <sschrock@google.com> * switch binary artifact to using reader Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
0a6b06a89c
|
🐛 Branch-Protection: use debug message when unsure if PRs are required (#3917)
warning when the data isn't available isn't intended. Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
d55dbd12e6
|
⚠️ Switch RepoClient file access to io.ReadCloser (#3912)
* change file access method to io.ReadCloser callers don't always need the full file. large files are slow and can cause crashes. Signed-off-by: Spencer Schrock <sschrock@google.com> * switch tests to hardcoded readers Previously they returned bytes or strings, which have corresponding NewReader types. Since they don't need to be closed, io.NopCloser works well to give them a fake Close. Signed-off-by: Spencer Schrock <sschrock@google.com> * switch tests which called os.ReadFile to os.Open os.File fufills io.ReadCloser, so this is an easy change Signed-off-by: Spencer Schrock <sschrock@google.com> * break tarball tests into two steps: reader and read The rest of the test was kept the same to minimize the change. Signed-off-by: Spencer Schrock <sschrock@google.com> * ossfuzz doesn't implement GetFileReader Signed-off-by: Spencer Schrock <sschrock@google.com> * appease linter during refactor Signed-off-by: Spencer Schrock <sschrock@google.com> * switch git client to new method add check which ensures git client fulfills the interface Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
AdamKorcz
|
4daefb64ae
|
🌱 Add branch protection probe evaluation (#3759)
* 🌱 Add branch protection evaluation
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* make helper for getting the branchName
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* move check for branch name
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* define size of slice
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add probe for protected branches.
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'basicNonAdminProtection' to 'deleteAndForcePushProtection'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix markdown in text field in def.yml
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove duplicate conditional
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove redundant 'protected' value from 'requiresCodeOwnersReview' probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove protected values from probes
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Bring back negative outcome in case of 0 codeowners files
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* log based on whether branches are protected
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove unnecessary test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* debug failing tests
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Fix failing tests
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* update to with latest upstream changes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linting issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove tests that represent impossible scenarios
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove protected finding value
This was discussed previously, but accidentally reverted
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Revert "debug failing tests"
This reverts commit
|
||
|
AdamKorcz
|
299948eeed
|
🌱 Convert pinned dependencies to probe (#3829)
* 🌱 Convert pinned dependencies to probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add more tests
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add checks unit test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix year in probe header and add mising test file
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Change usage of ValidateTestReturn
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'pinned' to 'unpinned' in test name
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* export 'depTypeKey'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Do not copy test Dockerfile
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Rebase and bring back 'Test_generateOwnerToDisplay'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Use API to create finding
Signed-off-by: AdamKorcz <adam@adalogics.com>
* one more change to how the probe creates a finding
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: Adam Korczynski <adam@adalogics.com>
Signed-off-by: AdamKorcz <adam@adalogics.com>
|
||
|
Spencer Schrock
|
c7f6efe816
|
🌱 use ValidateTestReturn for Code-Review tests (#3897)
* check code review log messages, not just score By using ValidateTestReturn, we can get more actionable failure messages Signed-off-by: Spencer Schrock <sschrock@google.com> * simplify error checking Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
c1563e1966
|
🌱 Combine SAST probes into single probe (#3874)
* check logger counts for SAST tests previously, we only checked the result score. test failures with this method dont produce as actionable feedback. Signed-off-by: Spencer Schrock <sschrock@google.com> * clarify test names and score constants used Signed-off-by: Spencer Schrock <sschrock@google.com> * add generic sastToolConfigured probe switch over the evaluation code to using the single probe with tool value. Signed-off-by: Spencer Schrock <sschrock@google.com> * remove old probes Signed-off-by: Spencer Schrock <sschrock@google.com> * add tests Signed-off-by: Spencer Schrock <sschrock@google.com> * experiment with one readme Signed-off-by: Spencer Schrock <sschrock@google.com> * appease linter Signed-off-by: Spencer Schrock <sschrock@google.com> * remove colon from yaml which led to parse errors Signed-off-by: Spencer Schrock <sschrock@google.com> * polish documentation details Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
68d8d93f82
|
🌱 use ValidateTestReturn for SAST tests (#3872)
* check logger counts for SAST tests previously, we only checked the result score. test failures with this method dont produce as actionable feedback. Signed-off-by: Spencer Schrock <sschrock@google.com> * clarify test names and score constants used Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
dependabot[bot]
|
b31449017e
|
🌱 Bump github.com/golangci/golangci-lint from 1.55.2 to 1.56.1 in /tools (#3867)
* 🌱 Bump github.com/golangci/golangci-lint in /tools Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.55.2 to 1.56.1. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](https://github.com/golangci/golangci-lint/compare/v1.55.2...v1.56.1) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * autofix linter errors with make fix-linter Signed-off-by: Spencer Schrock <sschrock@google.com> * move musttag nolint directives to encode location this was changed in v0.8.0 of the musttag linter. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
ca944e8169
|
🌱 Change finding Values to map[string]string (#3837)
* make values map string -> string Signed-off-by: Spencer Schrock <sschrock@google.com> * fixup branch protection probes Signed-off-by: Spencer Schrock <sschrock@google.com> * fix sast probe Signed-off-by: Spencer Schrock <sschrock@google.com> * fix signed-releases probes Signed-off-by: Spencer Schrock <sschrock@google.com> * fix maintained probes Signed-off-by: Spencer Schrock <sschrock@google.com> * fix cii-best-practices probes Signed-off-by: Spencer Schrock <sschrock@google.com> * fix cii-best-practices eval Signed-off-by: Spencer Schrock <sschrock@google.com> * fix signed-releases eval Signed-off-by: Spencer Schrock <sschrock@google.com> * fix sast eval Signed-off-by: Spencer Schrock <sschrock@google.com> * fix maintained eval Signed-off-by: Spencer Schrock <sschrock@google.com> * fix permissions eval Signed-off-by: Spencer Schrock <sschrock@google.com> * appease the linter Signed-off-by: Spencer Schrock <sschrock@google.com> * standardize maintained key names Signed-off-by: Spencer Schrock <sschrock@google.com> * set lookback days value regardless of outcome Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
83ff808f0d
|
🌱 Enhance test output and management in ValidateTestReturn (#3810)
* test failures should print the details they receive this makes debugging failing tests easier. Signed-off-by: Spencer Schrock <sschrock@google.com> * use GinkgoTB so the test helpers work instead of panicing Signed-off-by: Spencer Schrock <sschrock@google.com> * ValidateTestReturn will fail the test directly, no need for the bool return Signed-off-by: Spencer Schrock <sschrock@google.com> * clarify diff details Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
301208ce76
|
✨ dependency-update-tool: detect GitLab Renovate config files (#3823)
also organize the list in order of appearance on website. this makes it easier to compare. Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
Josh Soref
|
3b948257fc
|
📖 Fix spelling (#3804)
* spelling: accurate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: administrator Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: analyze Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: andtwenty Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: ascii Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: association Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: at least Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: attestor Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: barbaric Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: bucket Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: by Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: can Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: case-insensitive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: case-sensitive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: checking Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: command-line Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: commit Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: committed Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: conclusion Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: corresponding Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: created Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dataset Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: default Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: defines Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dependabot Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dependency Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: depending Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: desired Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: different Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: disclose Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: download Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: each Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: enforce Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: every time Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: exist Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: existing Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: fields Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: files Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: for Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: force-push Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: github Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: gitlab Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: ignoreed Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: implementation Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: implements Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: increase Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: indicates Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: initialized Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: instructions Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: invalid Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: marshal Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: match Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: name Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: nonexistent Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: organization Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: package Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: provenance Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: query Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: readers Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: receive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: registered Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: remediate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: representation Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: requests Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: requires Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: return Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: scorecard Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: separator Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: serialization Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: sign up Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: specifications Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: specified Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: success Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: successfully Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: the Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: their Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: twenty Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unexpected Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unused Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unverified Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: validate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vendor Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vulnerabilities Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vulns Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: will Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: without Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: workflow Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: workflows Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --------- Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> |
||
André Backman
|
9440b761df
|
✨ New probes: code-review (#3302)
* 🌱 Bump github.com/goreleaser/goreleaser in /tools (#3238) Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.18.2 to 1.19.1. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](https://github.com/goreleaser/goreleaser/compare/v1.18.2...v1.19.1) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * begin implementing probe: minTwoCodeReviewers Signed-off-by: André Backman <andre.backman@nokia.com> * print raw results Signed-off-by: André Backman <andre.backman@nokia.com> * print raw results Signed-off-by: André Backman <andre.backman@nokia.com> * print raw results Signed-off-by: André Backman <andre.backman@nokia.com> * rename probe directory: minimumCodeReviewers Signed-off-by: André Backman <andre.backman@nokia.com> * rename probe CodeReviewers Signed-off-by: André Backman <andre.backman@nokia.com> * rename import for CodeReviewers probe Signed-off-by: André Backman <andre.backman@nokia.com> * update code reviewers definition Signed-off-by: André Backman <andre.backman@nokia.com> * update code reviewers implementation; fixed embed FS usage Signed-off-by: André Backman <andre.backman@nokia.com> * printing all findings, work out where to concatenate them Signed-off-by: André Backman <andre.backman@nokia.com> * concatenated findings to one single finding, outcome is based on the least found unique reviewers Signed-off-by: André Backman <andre.backman@nokia.com> * refactored uniqueCodeReviewers probe, needs more error checks Signed-off-by: André Backman <andre.backman@nokia.com> * add error handling for cases of non-existant author and/or reviewer logins Signed-off-by: André Backman <andre.backman@nokia.com> * add error handling for cases of non-existant author and/or reviewer logins Signed-off-by: André Backman <andre.backman@nokia.com> * rename probe Signed-off-by: André Backman <andre.backman@nokia.com> * update codeReviewTwoReviewers definition Signed-off-by: André Backman <andre.backman@nokia.com> * rename unique code reviewers probe Signed-off-by: André Backman <andre.backman@nokia.com> * implement codeApproved probe, validation of reviews needs fixing Signed-off-by: André Backman <andre.backman@nokia.com> * update codeApproved probe, validation of reviews needs fixing Signed-off-by: André Backman <andre.backman@nokia.com> * working version of codeApproved probe Signed-off-by: André Backman <andre.backman@nokia.com> * codeReviewed probe implemented Signed-off-by: André Backman <andre.backman@nokia.com> * clean up comments, add imports, run all probes Signed-off-by: André Backman <andre.backman@nokia.com> * update license comments Signed-off-by: André Backman <andre.backman@nokia.com> * Update def.yml license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update def.yml license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update def.yml license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update impl.go license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update impl.go license to Apache 2 Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update impl.go license to Apache 2 Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update code_review.go license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update entries.go; CodeReviewChecks now called CodeReview Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update impl.go, refactor codeReviewTwoReviewers; moved utility functions into impl.go Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Delete code_review.go utilities moved utility functions to the impl.go they are used in Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * rename probe Signed-off-by: André Backman <andre.backman@nokia.com> * update codeReviewTwoReviewers definition Signed-off-by: André Backman <andre.backman@nokia.com> * implement codeApproved probe, validation of reviews needs fixing Signed-off-by: André Backman <andre.backman@nokia.com> * update codeApproved probe, validation of reviews needs fixing Signed-off-by: André Backman <andre.backman@nokia.com> * working version of codeApproved probe Signed-off-by: André Backman <andre.backman@nokia.com> * codeReviewed probe implemented Signed-off-by: André Backman <andre.backman@nokia.com> * clean up comments, add imports, run all probes Signed-off-by: André Backman <andre.backman@nokia.com> * update license comments Signed-off-by: André Backman <andre.backman@nokia.com> * update license comments Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Included unit tests (#3242) - Included unit tests Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump golang.org/x/text from 0.10.0 to 0.11.0 (#3243) Bumps [golang.org/x/text](https://github.com/golang/text) from 0.10.0 to 0.11.0. - [Release notes](https://github.com/golang/text/releases) - [Commits](https://github.com/golang/text/compare/v0.10.0...v0.11.0) --- updated-dependencies: - dependency-name: golang.org/x/text dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump golang.org/x/oauth2 from 0.9.0 to 0.10.0 (#3244) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.9.0 to 0.10.0. - [Commits](https://github.com/golang/oauth2/compare/v0.9.0...v0.10.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 📖 Update Branch-Protection admin and non-admin requirements (#2772) * docs: Branch protection admin-only requirements Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Branch protection requirements by tier Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: How get a perfect score in branch protection Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix local images ref in doc Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix typo Co-authored-by: Pedro Nacht <pedro.k.night@gmail.com> Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix check specific table of contents Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Code owners setting is non admin Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix branch protection applied not only to main branch Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Add alt text for images Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: You can get a perfect score with non admin access Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: update max tier scores Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: update tier 1 max points explanation Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Move changes to internal checks doc Move changes done in docs/checks.md to docs/checks/internal/checks.yaml. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Revert changes on checks doc Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix admin settings evaluated on branch protection Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Change branch protection model status checks Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Change tiers score to expected score The expected score for the code to output is 3/10 for Tier 1 case and 7/10 for Tier 3 case. The scoring issue will be reported as bug. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix Tier 3 score Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> --------- Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> Co-authored-by: Pedro Nacht <pedro.k.night@gmail.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Linter workflow cleanup (#3247) * Fix linter timeout by renaming deprecated deadline. Signed-off-by: Spencer Schrock <sschrock@google.com> * Disable depguard linter. As of golangci-lint v3.5.0, the depguard linter is complaining. We don't use a .depguard.yml file, so just disabling the linter. Signed-off-by: Spencer Schrock <sschrock@google.com> * Move linter into own workflow. Signed-off-by: Spencer Schrock <sschrock@google.com> * Fix bash command substitution. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add harden runner. Signed-off-by: Spencer Schrock <sschrock@google.com> * switch names to existing linter job Signed-off-by: Spencer Schrock <sschrock@google.com> * Update golangci-lint to v1.53.3 Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump tj-actions/changed-files from 37.0.5 to 37.1.0 (#3253) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.0.5 to 37.1.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits]( |
||
Naveen
|
b3b40d0ebc
|
🌱 Fix struct size govet issues (#3787)
- Fixed the struct size govet issues. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> |