mirror of https://github.com/ossf/scorecard.git
synced 2024-08-15 11:20:30 +03:00
main
37 Commits
bfaa9febc2
✨ probe: releases with verified provenance (#4141)
* add projectpackageversions to signed releases raw results
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* finding: add NewNot* helpers, fix error msg
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* probe: releasesHaveVerifiedProvenance
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* logging
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* fix tests and lint
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* address comments
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* remove unused
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* fix merge conflict
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

8de90207bc
✨ Add experimental check for published SBOM (#3903)
* Sbom check MVP
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* PR suggestion fixes
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* fix line length
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* update gitlab client to check 20 latest pipelines in default branch
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* correct issues
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* add unit tests for sbom client code
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* probe name alignment, updated evaluation tests
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* consolidate probes, reuse available data sources
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* add autogen doc update
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* address PR comments, remove CI/CD check code
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* update unit tests
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* fix linting errors
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* revert unnecessary changes, correct check documentation
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* address PR comments
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* move release lookback to data collection side
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
---------
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

71aed951f9
✨ allow probes to collect their own data from repo clients (#4052)
* introduce independent probe implementations
Rather than rely on checks collecting raw data, independent probes collect their own raw data using the underlying repo client present in the check request.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add test
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>

0b9dfb656f
⚠️ Replace v4 module references with v5 (#4027)
Signed-off-by: Spencer Schrock <sschrock@google.com>

21d53ce28c
✨ Added probe for permissive licenses (#3838)
* Added check for permissive licenses
Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>
* Regenerated docs and added more permissive licenses to check
Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>
* Added e2e tests
Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>
* Corrected copyright dates and missing newlines
Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>
* Corrected copyright dates
Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>
* Adjustments after review
Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>
* Added file location in case a permissive license was found and adjusted tests
Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>
* Removed code for check, adjusted probe code to be invocated independently
Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>
* add remediate on outcome detail
Signed-off-by: Spencer Schrock <sschrock@google.com>
* avoid memory aliasing
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>
Signed-off-by: Felix Hoeborn <98820380+fhoeborn@users.noreply.github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>

856419158a
🌱 migrate code review check to probes (#3979)
* initial conversion
Signed-off-by: Spencer Schrock <sschrock@google.com>
* appease the linter
Signed-off-by: Spencer Schrock <sschrock@google.com>
* cleanup outcomes from positive/negative to true/false conversion
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>

6b071eddeb
⚠️ Allow probes to specify their own bad outcomes (#4020)
* merge probe and finding packages
No one interacts with the probes directly, and having them in the same package helps with follow up commits
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add extra field to indicate the outcome a probe should show remediation for
Signed-off-by: Spencer Schrock <sschrock@google.com>
* start all probes with remediate on 'False'
Signed-off-by: Spencer Schrock <sschrock@google.com>
* make OutcomeTrue bad for hasOSVVulnerabilities
Signed-off-by: Spencer Schrock <sschrock@google.com>
* nest outcome trigger under remediation in yaml
Signed-off-by: Spencer Schrock <sschrock@google.com>
* invert outcomes for dangerous workflow probes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* rename notArchived probe to archived
With the swap, the true outcome is now the bad outcome.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* rename notCreatedRecently probe to createRecently
With the rename, the true outcome is now bad
Signed-off-by: Spencer Schrock <sschrock@google.com>
* switch binary artifact probes so detecting binaries is a true outcome
Signed-off-by: Spencer Schrock <sschrock@google.com>
* appease the linter
Signed-off-by: Spencer Schrock <sschrock@google.com>
* don't export probe type
We can always make it public again later
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>

46bb36ab10
🌱 Combine Dependency-Update-Tool probes into one (#3981)
* add single probe for dependencyUpdateToolConfigured probe
Signed-off-by: Spencer Schrock <sschrock@google.com>
* delete individual update tool probes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* use new update tool probe in evaluation
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fix dependency update tool tests
The old test names were unclear, and didn't cover all supported tools. Additionally the warn count changed since there's only one probe now, instead of 3.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* clarify test name
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>

11e859fc58
🌱 Combine hasLicenseFile and hasLicenseFileAtTopDir probes (#3955)
* delete hasLicenseFileAtTopDir probe
Signed-off-by: Spencer Schrock <sschrock@google.com>
* increase value of having a license
The old split was 6 for having a license and 3 for having it in the expected location, but 1.5 years later there is still no other way we detect it. So it was effectively worth 9 points. This change makes it actually worth 9 points.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* simplify logging and scoring
Signed-off-by: Spencer Schrock <sschrock@google.com>
* ensure license findings have locations
Signed-off-by: Spencer Schrock <sschrock@google.com>
* update tests to reflect new logging
Signed-off-by: Spencer Schrock <sschrock@google.com>
* match existing detail better
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>

5b0ae81d49
🌱 migrate token permission check to probes (#3816)
* 🌱 migrate token permission check to probes
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* combine separate write-probes into two that combine them all
Signed-off-by: AdamKorcz <adam@adalogics.com>
* change write probes to read and write
Signed-off-by: AdamKorcz <adam@adalogics.com>
* minor nit
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove WriteAll probes
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Merge read-perm probe with job/top probes
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* minor refactoring
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix copy paste error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix linter issues and restructure code
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove hasGitHubWorkflowPermissionNone probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Remove 'hasGitHubWorkflowPermissionUndeclared' probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* bit of clean up
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* reduce code complexity and remove comment
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* simplify file location
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change probe text
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* invert name of probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* OutcomeNotApplicable -> OutcomeError
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* OutcomeNotAvailable -> OutcomeNotApplicable
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* more OutcomeNotAvailable -> OutcomeNotApplicable
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change name of 'notAvailableOrNotApplicable'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix linter issues
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add comments to remediation fields
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add check for nil-dereference
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove the permissionLocation finding value
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename checkAndLogNotAvailableOrNotApplicable to isBothUndeclaredAndNotAvailableOrNotApplicable
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use raw metadata for remediation output
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'branch' to 'defaultBranch'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove unused fields in rule Remediation
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix remediation
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'metadata.defaultBranch' to 'metadata.repository.defaultBranch'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: Adam Korczynski <adam@adalogics.com>
Signed-off-by: AdamKorcz <adam@adalogics.com>
b3ad602a59
🌱 Add probe registration mechanism (#3876)
* add basic probe registration function
Signed-off-by: Spencer Schrock <sschrock@google.com>
* ignore probes which call init to register the probe
Signed-off-by: Spencer Schrock <sschrock@google.com>
* redefine probeimpl to avoid circular imports
Signed-off-by: Spencer Schrock <sschrock@google.com>
* register all probes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* experiment with a probe struct
Signed-off-by: Spencer Schrock <sschrock@google.com>
* make check name constants
Signed-off-by: Spencer Schrock <sschrock@google.com>
* convert branch protection probes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* convert binary artifact probes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* convert cii probe
Signed-off-by: Spencer Schrock <sschrock@google.com>
* convert ci test probe
Signed-off-by: Spencer Schrock <sschrock@google.com>
* convert code review probes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* convert contributor probe
Signed-off-by: Spencer Schrock <sschrock@google.com>
* convert dangerous workflow probe
Signed-off-by: Spencer Schrock <sschrock@google.com>
* convert dep update tool probes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* convert fuzzing probes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* convert license probes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* convert maintained probes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* convert packaging probe
Signed-off-by: Spencer Schrock <sschrock@google.com>
* convert sast probes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* convert security policy probes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* convert signed releases probes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* convert vuln probe
Signed-off-by: Spencer Schrock <sschrock@google.com>
* try using probe registration data
Signed-off-by: Spencer Schrock <sschrock@google.com>
* blank import unused probe
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add uncategorized group
Signed-off-by: Spencer Schrock <sschrock@google.com>
* ensure All list is up-to-date
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add reason behind uncategorized group
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fix linter yaml parse error
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fix linter
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add webhook data
Signed-off-by: Spencer Schrock <sschrock@google.com>
* convert probe registration to Must pattern
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add registration for new probes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add missing license header
Signed-off-by: Spencer Schrock <sschrock@google.com>
* revert changing wrapcheck linter config
Signed-off-by: Spencer Schrock <sschrock@google.com>
* use error func which doesn't need wrapped
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add test for probe registration
Signed-off-by: Spencer Schrock <sschrock@google.com>
* restore trailing newline
Signed-off-by: Spencer Schrock <sschrock@google.com>
* order probe category list
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>

f1e703f500
🌱 Combine fuzzing probes (#3877)
* single fuzz probe boilerplate
Signed-off-by: Spencer Schrock <sschrock@google.com>
* initial implementation
Signed-off-by: Spencer Schrock <sschrock@google.com>
* connect fuzzing probe to eval code
Signed-off-by: Spencer Schrock <sschrock@google.com>
* include fuzzer name as tool
Signed-off-by: Spencer Schrock <sschrock@google.com>
* connect to probes flag
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove old probes from list
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove old probes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fix failing test
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add tool value to test
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add fuzz tool helper
Signed-off-by: Spencer Schrock <sschrock@google.com>
* specify supported tools
Signed-off-by: Spencer Schrock <sschrock@google.com>
* update e2e test
Signed-off-by: Spencer Schrock <sschrock@google.com>
* check for no raw data
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add basic tests
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add test to ensure fuzzer location is propagated
Signed-off-by: Spencer Schrock <sschrock@google.com>
* expand detailed tests to include other info like tool value
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>

4daefb64ae
🌱 Add branch protection probe evaluation (#3759)
* 🌱 Add branch protection evaluation
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* make helper for getting the branchName
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* move check for branch name
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* define size of slice
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add probe for protected branches.
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'basicNonAdminProtection' to 'deleteAndForcePushProtection'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix markdown in text field in def.yml
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove duplicate conditional
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove redundant 'protected' value from 'requiresCodeOwnersReview' probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove protected values from probes
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Bring back negative outcome in case of 0 codeowners files
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* log based on whether branches are protected
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove unnecessary test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* debug failing tests
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Fix failing tests
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* update with latest upstream changes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linting issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove tests that represent impossible scenarios
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove protected finding value
This was discussed previously, but accidentally reverted
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Revert "debug failing tests"
This reverts commit
299948eeed
🌱 Convert pinned dependencies to probe (#3829)
* 🌱 Convert pinned dependencies to probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add more tests
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add checks unit test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix year in probe header and add missing test file
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Change usage of ValidateTestReturn
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'pinned' to 'unpinned' in test name
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* export 'depTypeKey'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Do not copy test Dockerfile
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Rebase and bring back 'Test_generateOwnerToDisplay'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Use API to create finding
Signed-off-by: AdamKorcz <adam@adalogics.com>
* one more change to how the probe creates a finding
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: Adam Korczynski <adam@adalogics.com>
Signed-off-by: AdamKorcz <adam@adalogics.com>
c1563e1966
🌱 Combine SAST probes into single probe (#3874)
* check logger counts for SAST tests
Previously, we only checked the result score. Test failures with this method don't produce as actionable feedback.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* clarify test names and score constants used
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add generic sastToolConfigured probe
Switch over the evaluation code to using the single probe with tool value.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove old probes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add tests
Signed-off-by: Spencer Schrock <sschrock@google.com>
* experiment with one readme
Signed-off-by: Spencer Schrock <sschrock@google.com>
* appease linter
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove colon from yaml which led to parse errors
Signed-off-by: Spencer Schrock <sschrock@google.com>
* polish documentation details
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>

9440b761df
✨ New probes: code-review (#3302)
* 🌱 Bump github.com/goreleaser/goreleaser in /tools (#3238)
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.18.2 to 1.19.1.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](https://github.com/goreleaser/goreleaser/compare/v1.18.2...v1.19.1)
---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* begin implementing probe: minTwoCodeReviewers
Signed-off-by: André Backman <andre.backman@nokia.com>
* print raw results
Signed-off-by: André Backman <andre.backman@nokia.com>
* print raw results
Signed-off-by: André Backman <andre.backman@nokia.com>
* print raw results
Signed-off-by: André Backman <andre.backman@nokia.com>
* rename probe directory: minimumCodeReviewers
Signed-off-by: André Backman <andre.backman@nokia.com>
* rename probe CodeReviewers
Signed-off-by: André Backman <andre.backman@nokia.com>
* rename import for CodeReviewers probe
Signed-off-by: André Backman <andre.backman@nokia.com>
* update code reviewers definition
Signed-off-by: André Backman <andre.backman@nokia.com>
* update code reviewers implementation; fixed embed FS usage
Signed-off-by: André Backman <andre.backman@nokia.com>
* printing all findings, work out where to concatenate them
Signed-off-by: André Backman <andre.backman@nokia.com>
* concatenated findings to one single finding, outcome is based on the least found unique reviewers
Signed-off-by: André Backman <andre.backman@nokia.com>
* refactored uniqueCodeReviewers probe, needs more error checks
Signed-off-by: André Backman <andre.backman@nokia.com>
* add error handling for cases of non-existent author and/or reviewer logins
Signed-off-by: André Backman <andre.backman@nokia.com>
* add error handling for cases of non-existent author and/or reviewer logins
Signed-off-by: André Backman <andre.backman@nokia.com>
* rename probe
Signed-off-by: André Backman <andre.backman@nokia.com>
* update codeReviewTwoReviewers definition
Signed-off-by: André Backman <andre.backman@nokia.com>
* rename unique code reviewers probe
Signed-off-by: André Backman <andre.backman@nokia.com>
* implement codeApproved probe, validation of reviews needs fixing
Signed-off-by: André Backman <andre.backman@nokia.com>
* update codeApproved probe, validation of reviews needs fixing
Signed-off-by: André Backman <andre.backman@nokia.com>
* working version of codeApproved probe
Signed-off-by: André Backman <andre.backman@nokia.com>
* codeReviewed probe implemented
Signed-off-by: André Backman <andre.backman@nokia.com>
* clean up comments, add imports, run all probes
Signed-off-by: André Backman <andre.backman@nokia.com>
* update license comments
Signed-off-by: André Backman <andre.backman@nokia.com>
* Update def.yml license
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update def.yml license
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update def.yml license
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update impl.go license
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update impl.go license to Apache 2
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update impl.go license to Apache 2
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update code_review.go license
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update entries.go; CodeReviewChecks now called CodeReview
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update impl.go, refactor codeReviewTwoReviewers; moved utility functions into impl.go
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Delete code_review.go utilities
moved utility functions to the impl.go they are used in
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* rename probe
Signed-off-by: André Backman <andre.backman@nokia.com>
* update codeReviewTwoReviewers definition
Signed-off-by: André Backman <andre.backman@nokia.com>
* implement codeApproved probe, validation of reviews needs fixing
Signed-off-by: André Backman <andre.backman@nokia.com>
* update codeApproved probe, validation of reviews needs fixing
Signed-off-by: André Backman <andre.backman@nokia.com>
* working version of codeApproved probe
Signed-off-by: André Backman <andre.backman@nokia.com>
* codeReviewed probe implemented
Signed-off-by: André Backman <andre.backman@nokia.com>
* clean up comments, add imports, run all probes
Signed-off-by: André Backman <andre.backman@nokia.com>
* update license comments
Signed-off-by: André Backman <andre.backman@nokia.com>
* update license comments
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Included unit tests (#3242)
- Included unit tests
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump golang.org/x/text from 0.10.0 to 0.11.0 (#3243)
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.10.0 to 0.11.0.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](https://github.com/golang/text/compare/v0.10.0...v0.11.0)
---
updated-dependencies:
- dependency-name: golang.org/x/text
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump golang.org/x/oauth2 from 0.9.0 to 0.10.0 (#3244)
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.9.0 to 0.10.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.9.0...v0.10.0)
---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 📖 Update Branch-Protection admin and non-admin requirements (#2772)
* docs: Branch protection admin-only requirements
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Branch protection requirements by tier
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: How to get a perfect score in branch protection
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Fix local images ref in doc
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Fix typo
Co-authored-by: Pedro Nacht <pedro.k.night@gmail.com>
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Fix check specific table of contents
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Code owners setting is non admin
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Fix branch protection applied not only to main branch
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Add alt text for images
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: You can get a perfect score with non admin access
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: update max tier scores
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: update tier 1 max points explanation
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Move changes to internal checks doc
Move changes done in docs/checks.md to docs/checks/internal/checks.yaml.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Revert changes on checks doc
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Fix admin settings evaluated on branch protection
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Change branch protection model status checks
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Change tiers score to expected score
The expected score for the code to output is 3/10 for Tier 1 case and 7/10 for Tier 3 case. The scoring issue will be reported as bug.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Fix Tier 3 score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
---------
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
Co-authored-by: Pedro Nacht <pedro.k.night@gmail.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Linter workflow cleanup (#3247)
* Fix linter timeout by renaming deprecated deadline.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Disable depguard linter.
As of golangci-lint v3.5.0, the depguard linter is complaining. We don't use a .depguard.yml file, so just disabling the linter.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Move linter into own workflow.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Fix bash command substitution.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add harden runner.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* switch names to existing linter job
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Update golangci-lint to v1.53.3
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump tj-actions/changed-files from 37.0.5 to 37.1.0 (#3253)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.0.5 to 37.1.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](

99c455bf9d
🌱 SAST: dedupe and add Pysa and Qodana probe (#3743)
* Add SAST Pysa probe
Signed-off-by: David Korczynski <david@adalogics.com>
* Add Pysa positive unit test
Signed-off-by: David Korczynski <david@adalogics.com>
* Add Qodana as well
Signed-off-by: David Korczynski <david@adalogics.com>
* fix some styling
Signed-off-by: David Korczynski <david@adalogics.com>
* fix some messaging
Signed-off-by: David Korczynski <david@adalogics.com>
* checks: raw: sast: dedup by way of regex
Ref: https://github.com/ossf/scorecard/issues/3745
Signed-off-by: David Korczynski <david@adalogics.com>
* deduplicate SAST score checker
Signed-off-by: David Korczynski <david@adalogics.com>
* fix styling
Signed-off-by: David Korczynski <david@adalogics.com>
* fix styling
Signed-off-by: David Korczynski <david@adalogics.com>
* Rename variables appropriately
Signed-off-by: David Korczynski <david@adalogics.com>
* fix error message
Signed-off-by: David Korczynski <david@adalogics.com>
* rename useRegex to usesRegex and add comment
Signed-off-by: David Korczynski <david@adalogics.com>
* Force regex to compile
Signed-off-by: David Korczynski <david@adalogics.com>
---------
Signed-off-by: David Korczynski <david@adalogics.com>

2ef20f17fb
🌱 SAST: add Snyk probe (#3689)
* SAST: add Snyk probe
Adds Snyk's GitHub action (https://github.com/snyk/actions) as a probe.
Signed-off-by: David Korczynski <david@adalogics.com>
* nit
Signed-off-by: David Korczynski <david@adalogics.com>
* e2e: adjust sast test to additional probe
Signed-off-by: David Korczynski <david@adalogics.com>
* checks: sast: nit, fix e2e test
Signed-off-by: DavidKorczynski <david@adalogics.com>
* Add test with positive outcome
Signed-off-by: David Korczynski <david@adalogics.com>
* fix comment
Signed-off-by: David Korczynski <david@adalogics.com>
* sast: snyk: add workflow test
Signed-off-by: David Korczynski <david@adalogics.com>
* address review
Signed-off-by: David Korczynski <david@adalogics.com>
* sast: adjust snyk to be the same with sonar
Signed-off-by: David Korczynski <david@adalogics.com>
* provide path to WF file
Signed-off-by: David Korczynski <david@adalogics.com>
* adjust path for finding
Signed-off-by: David Korczynski <david@adalogics.com>
* use prefix rather than contains
Signed-off-by: David Korczynski <david@adalogics.com>
---------
Signed-off-by: David Korczynski <david@adalogics.com>
Signed-off-by: DavidKorczynski <david@adalogics.com>

2c20be03cb
|
convert Signed Releases to probes (#3610)
* convert Signed Releases to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Specify that probe is for Github and Gitlab only
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use in loop instead of
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linter issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix more linter issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* specify Github and Gitlab in provenance def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add link to slsa-github-generator
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add instructions on signing with Cosign
Signed-off-by: AdamKorcz <adam@adalogics.com>
* refactor evaluation
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* debug failing integration test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove unused nolints
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* expose release name asset names in finding values
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix failed integration test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove 'totalReleases' value from findings
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove left-over cases of "totalReleases" values in findings
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove remaining totalReleases values
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use const probe names instead of hard-coded strings
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove totalReleases from test helper arguments
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* merge test helpers
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
|
||
|
3ce1daa74a
|
🌱 Add probes to main call (#3688)
* 🌱 Add probes to main call
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linter issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* add test
Signed-off-by: AdamKorcz <adam@adalogics.com>
* add test coverage
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* WIP
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change comment for 'ExperimentalRunProbes'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix linter issues
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* make only one in root.go
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* relocate printing of output
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove FormatPJSON
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* reduce complexity of rootCmd
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* assign findings in runEnabledProbes
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change name of probe map
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* unwrap error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
|
||
|
30ef6b1026
|
🌱 convert CI-Tests check to probes (#3621)
* 🌱 convert CITest check to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix lint issues
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* debug failing integration test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Add negative outcome to test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove 'totalTested' and 'totalMerged' values from findings
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Log at debug level
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
|
||
|
ec36916c10
|
🌱 convert Webhook check to probes (#3522)
* 🌱 convert Webhook check to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add test + nits
Signed-off-by: AdamKorcz <adam@adalogics.com>
* replace probe with OutcomeNotApplicable
Signed-off-by: AdamKorcz <adam@adalogics.com>
* return one finding per webhook
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change wording in def.yml
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change wording in def.yml and checks.md
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove unused struct in test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* align checks.md with checks.yaml
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* bring back experimental for webhooks
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'token' to 'secret' in probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use checker.MinResultScore instead of 0
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Change test name
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use checker.MinResultScore instead of 0
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix typo
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Use checker.MaxResultScore instead of 10
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove the 'totalWebhooks' value from findings
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
|
||
|
cb721a8526
|
🌱 convert binary artifact check to probe (#3508)
* 🌱 convert binary artifact check to probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Reword motivation
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove unused variable in test
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove positiveOutcome() and length check
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix wrong check name
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Split into two probes: One with and one without gradle-wrappers
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add description about what Scorecard considers a verified binary
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'trusted' to 'verified'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove nil check
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove filtering
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use const scores in tests
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add sanity check in loop
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename binary file const
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
|
||
|
9b5d762a7d
|
🌱 convert CII Best Practices check to probes (#3520)
* 🌱 convert CII Best Practices check to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* change 'NOT' to 'not'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Change wording in probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* add links to text
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix typo
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Edit text in def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove hasBadgeNotFound probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove 'that' from text
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use CreateMinScoreResult instead of CreateResultWithScore
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use MaxResultScore instead of maxScore
Signed-off-by: AdamKorcz <adam@adalogics.com>
* return CreateRuntimeErrorResult sooner rather than later
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Combine probes into one
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove minScore variable
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove 'hasInProgressBadge' probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* make badge levels global variables
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* return -1 for unsupported badge
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change text for unknown and unsupported badges
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
|
||
|
1c3d9eb6e7
|
🌱 Migrate Maintained check to probes (#3507)
* 🌱 Migrate Maintained check to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix typos
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename 'archived' probe to 'notArchived'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove part of comment
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix typo
Signed-off-by: AdamKorcz <adam@adalogics.com>
* log negative findings
Signed-off-by: AdamKorcz <adam@adalogics.com>
* log non positive findings if repo was created less than 90 days ago
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename probe from 'activityOnIssuesByCollaboratorsMembersOrOwnersInLast90Days' to 'issueActivityByProjectMember'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* change probe descriptions
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename 'wasCreatedInLast90Days' probe to 'notCreatedInLast90Days'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add tests with zero issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use values instead of returning multiple findings
Signed-off-by: AdamKorcz <adam@adalogics.com>
* return negative findings instead of non-positive
Signed-off-by: AdamKorcz <adam@adalogics.com>
* correct 'notCreatedInLast90Days' probe definition
Signed-off-by: AdamKorcz <adam@adalogics.com>
* make nested conditionals a single line
Signed-off-by: AdamKorcz <adam@adalogics.com>
* make nested conditionals a single line
Signed-off-by: AdamKorcz <adam@adalogics.com>
* change var name 'issuesUpdatedWithinThreshold' to 'numberOfIssuesUpdatedWithinThreshold'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename 'notCreatedInLast90Days' to 'notCreatedRecently'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* explain 'commitsWithinThreshold' in probe definition
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename 'commitsInLast90Days' to 'hasRecentCommits'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linter issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* define 'numberOfIssuesUpdatedWithinThreshold'
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
|
||
|
87c2d3c1da
|
⚠️ Remove OneFuzz from fuzzing checks (#3666)
This is removed because OneFuzz has been archived: https://github.com/microsoft/onefuzz
Signed-off-by: David Korczynski <david@adalogics.com>
|
||
|
47e04c102a
|
🌱 Convert SAST check to probes (#3571)
* Convert SAST checks to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Update checks/evaluation/sast.go
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
* preserve file info when logging positive Sonar findings
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rebase
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Remove warning logging
Signed-off-by: AdamKorcz <adam@adalogics.com>
* add outcome and message to finding on the same line
Signed-off-by: AdamKorcz <adam@adalogics.com>
* codeql workflow -> codeql action
Signed-off-by: AdamKorcz <adam@adalogics.com>
* 'the Sonar' -> 'Sonar' in probe def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix typo
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Change how probe creates location
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Change names of values
Signed-off-by: AdamKorcz <adam@adalogics.com>
* change 'SAST tool detected: xx' to 'SAST tool installed: xx'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* make text in probe def.yml easier to read
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Change 'to' to 'two'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Minor change
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
|
||
|
f422f692fe
|
🌱 Convert Dangerous Workflow check to probes (#3521)
* 🌱 Convert Dangerous Workflow check to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove hasAnyWorkflows probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* combine two conditionals into one
Signed-off-by: AdamKorcz <adam@adalogics.com>
* preserve logging from original evaluation
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rebase
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
|
||
|
de022dacc4
|
🌱 convert vulnerabilities check to probe (#3487)
* 🌱 convert vulnerabilities check to probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename probe + nits
Signed-off-by: AdamKorcz <adam@adalogics.com>
* edit def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add vuln ID dynamically to def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Elaborate the purpose of test data in unit test
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Move logging out of loop and change logic of negativeFindings()
Signed-off-by: AdamKorcz <adam@adalogics.com>
* preserve number of vulns found in output
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Preserve grouping of vulns
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linter issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add remediation data
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use checker.LogFindings()
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
|
||
|
f2bbd0af62
|
remove sonatype lift (#3605)
Signed-off-by: Spencer Schrock <sschrock@google.com>
|
||
|
ae75bbb70e
|
🌱 Add probe support for contributors metrics (#3460)
* 🌱 Add probe support for contributors metrics
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix lint issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* change 'contributorsWith' to 'contributorsFrom'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* change remediation difficulty
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix nits
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Updates to checks and checks/evaluation
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix tests like in #3409
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix raw test
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Update description in def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* move logic out of utils
Signed-off-by: AdamKorcz <adam@adalogics.com>
* add comment to consolidate unit test validation
Signed-off-by: AdamKorcz <adam@adalogics.com>
* change a couple of t.Fatal to t.Error
Signed-off-by: AdamKorcz <adam@adalogics.com>
* un-remove comment
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove map
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix typo
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove lint comment
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix incorrect -1/0 scoring
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Do not specify 'Github' in def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* do not mention 'which companies' in def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Rename tests
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Use getRawResults and uncomment logging statement
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Define return values of probe better
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Use proportional score instead of min score
Signed-off-by: AdamKorcz <adam@adalogics.com>
* revert changed scoring
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix incorrect function name
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove utility function that finds non-positive outcomes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rebase with latest upstream main and fix linter issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Log findings in one statement except a logging statement per finding
Signed-off-by: AdamKorcz <adam@adalogics.com>
* redefine conditional logic
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rebase
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove unused function
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
|
||
|
1aca1d9445
|
🌱 convert packaging check to probe (#3486)
* 🌱 convert packaging check to probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* amend text in def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Correct short description in def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* log negative findings
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Fix the broken e2e test: The probe returned minimum score instead of inconclusive score which was not consistent with the previous scoring. This commit also removes the debug statements
Signed-off-by: AdamKorcz <adam@adalogics.com>
* change score text
Signed-off-by: AdamKorcz <adam@adalogics.com>
* include file details. process all packaging workflows
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
|
||
|
0e3a5233ae
|
🌱 Add license probe (#3465)
* 🌱 Add license probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* [WIP] add two remaining license checks as probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix nits
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Use Errorf in test
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use zrunner
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix wrong return value
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linting issues and remove empty default
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix double if statement
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Remove struct field from test
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add test for nil-case of license files slice
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rewrite multiple def.ymls
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix nits
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add unit test with multiple unapproved license files
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add link to approved license formats
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linting
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove comment
Signed-off-by: AdamKorcz <adam@adalogics.com>
* preserve logging from original check
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix typo
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove redundant map manipulation
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename hasApproveLicense probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Return OutcomeNotApplicable if hasFSFOrOSIApprovedLicense probe does not find a license
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Include license file locations in log
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linting issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* replace strings filtering with OutcomeNotApplicable in hasLicenseFileAtTopDir probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Fix linter issue
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Include location of found license files
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
|
||
|
bd640f72e9
|
✨ Add additional fuzzing probes (#3473)
* Extend with additional fuzzing probes
Signed-off-by: David Korczynski <david@adalogics.com>
* fix formatting
Signed-off-by: David Korczynski <david@adalogics.com>
* cleanup formatting
Signed-off-by: David Korczynski <david@adalogics.com>
* make skip testing optional
Signed-off-by: David Korczynski <david@adalogics.com>
* address reviews
Signed-off-by: David Korczynski <david@adalogics.com>
* add todo
Signed-off-by: David Korczynski <david@adalogics.com>
* nit
Signed-off-by: David Korczynski <david@adalogics.com>
* nit
Signed-off-by: David Korczynski <david@adalogics.com>
* add swift fuzzing probe
Signed-off-by: David Korczynski <david@adalogics.com>
* avoid changing OnMatchingFileContentDo
Signed-off-by: David Korczynski <david@adalogics.com>
* nit
Signed-off-by: David Korczynski <david@adalogics.com>
* undo matching file content extension
Signed-off-by: David Korczynski <david@adalogics.com>
* nit: fix constant
Signed-off-by: David Korczynski <david@adalogics.com>
* test all fileMatchPatterns per client
Signed-off-by: David Korczynski <david@adalogics.com>
* fix test logging counts
Signed-off-by: David Korczynski <david@adalogics.com>
* nit
Signed-off-by: David Korczynski <david@adalogics.com>
---------
Signed-off-by: David Korczynski <david@adalogics.com>
|
||
|
d177169ec2
|
✨ [experimental] Probe support for fuzzing check (#3230)
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* comments
Signed-off-by: laurentsimon <laurentsimon@google.com>
* unit tests and linter
Signed-off-by: laurentsimon <laurentsimon@google.com>
* remove raw from check request in e2e tests
Signed-off-by: laurentsimon <laurentsimon@google.com>
* remove redundant finding check
Signed-off-by: laurentsimon <laurentsimon@google.com>
* typo
Signed-off-by: laurentsimon <laurentsimon@google.com>
* address comments
Signed-off-by: laurentsimon <laurentsimon@google.com>
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
|
||
|
a8b255a224
|
✨ [experimental] Probe support for security policy check (#3241)
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* fix unit tests
Signed-off-by: laurentsimon <laurentsimon@google.com>
* comments
Signed-off-by: laurentsimon <laurentsimon@google.com>
* compilation fix
Signed-off-by: laurentsimon <laurentsimon@google.com>
* missing file
Signed-off-by: laurentsimon <laurentsimon@google.com>
* missing file
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update reason string
Signed-off-by: laurentsimon <laurentsimon@google.com>
* typo
Signed-off-by: laurentsimon <laurentsimon@google.com>
* fix unit tests
Signed-off-by: laurentsimon <laurentsimon@google.com>
* typo
Signed-off-by: laurentsimon <laurentsimon@google.com>
* unit tests and linter
Signed-off-by: laurentsimon <laurentsimon@google.com>
* comments
Signed-off-by: laurentsimon <laurentsimon@google.com>
* comments
Signed-off-by: laurentsimon <laurentsimon@google.com>
* missing file
Signed-off-by: laurentsimon <laurentsimon@google.com>
* unit tests for probes
Signed-off-by: laurentsimon <laurentsimon@google.com>
* linter
Signed-off-by: laurentsimon <laurentsimon@google.com>
* revert FileSize change
Signed-off-by: laurentsimon <laurentsimon@google.com>
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
|
||
|
1a336d8087
|
✨ [experimental] Add probe code and support for Tool-Update-Dependency (#2944)
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
|