Commit Graph

12 Commits

Author SHA1 Message Date
Spencer Schrock
6629b09746
🌱 Add lifecycle field to probes (#4147)
* add lifecycle field to probe yaml definitions

Signed-off-by: Spencer Schrock <sschrock@google.com>

* classify existing probes

Some are listed as stable if they're not expected to change,
others are listed as experimental if there are still expected changes.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add lifecycle to probe readme

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix linter

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add lifecycle for new probe

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add probe lifecycle to documentation

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-07-02 17:11:19 +00:00
Raghav Kaul
28337f13b1
🌱 maintainer annotations: improve annotation file validation (#4162)
* validate check names against full list

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* tests: close file

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* update

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* make private

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* Restructure imports

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* update

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

---------

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
2024-07-02 15:40:34 +00:00
Spencer Schrock
0b9dfb656f
⚠️ Replace v4 module references with v5 (#4027)
Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-04-12 14:51:50 -07:00
Spencer Schrock
96452d99ab
📖 Review and update some probe documentation (#4023)
* polish some probe yaml definitions

Signed-off-by: Spencer Schrock <sschrock@google.com>

* update references to probe naming and outcomes

now that #3654 is addressed, the naming restrictions can be relaxed.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-04-11 22:08:55 -07:00
Spencer Schrock
6b071eddeb
⚠️ Allow probes to specify their own bad outcomes (#4020)
* merge probe and finding packages

No one interacts with the probes directly,
and having them in the same package helps with follow up commits

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add extra field to indicate the outcome a probe should show remediation for

Signed-off-by: Spencer Schrock <sschrock@google.com>

* start all probes with remediate on 'False'

Signed-off-by: Spencer Schrock <sschrock@google.com>

* make OutcomeTrue bad for hasOSVVulnerabilities

Signed-off-by: Spencer Schrock <sschrock@google.com>

* nest outcome trigger under remediation in yaml

Signed-off-by: Spencer Schrock <sschrock@google.com>

* invert outcomes for dangerous workflow probes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* rename notArchived probe to archived

with the swap, the true outcome is now the bad outcome.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* rename notCreatedRecently probe to createRecently

with the rename, the true outcome is now bad

Signed-off-by: Spencer Schrock <sschrock@google.com>

* switch binary artifact probes so detecting binaries is a true outcome

Signed-off-by: Spencer Schrock <sschrock@google.com>

* appease the linter

Signed-off-by: Spencer Schrock <sschrock@google.com>

* don't export probe type

we can always make it public again later

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-04-10 14:12:53 -07:00
Spencer Schrock
b577d79c96
⚠️ Replace Positive and Negative outcomes with True and False (#4017)
* rename positive to true

Signed-off-by: Spencer Schrock <sschrock@google.com>

* rename negative to false

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-04-08 15:36:11 -07:00
Spencer Schrock
b3ad602a59
🌱 Add probe registration mechanism (#3876)
* add basic probe registration function

Signed-off-by: Spencer Schrock <sschrock@google.com>

* ignore probes which call init to register the probe

Signed-off-by: Spencer Schrock <sschrock@google.com>

* redefine probeimpl to avoid circular imports

Signed-off-by: Spencer Schrock <sschrock@google.com>

* register all probes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* experiment with a probe struct

Signed-off-by: Spencer Schrock <sschrock@google.com>

* make check name constants

Signed-off-by: Spencer Schrock <sschrock@google.com>

* convert branch protection probes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* convert binary artifact probes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* convert cii probe

Signed-off-by: Spencer Schrock <sschrock@google.com>

* convert ci test probe

Signed-off-by: Spencer Schrock <sschrock@google.com>

* convert code review probes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* convert contributor probe

Signed-off-by: Spencer Schrock <sschrock@google.com>

* convert dangerous workflow probe

Signed-off-by: Spencer Schrock <sschrock@google.com>

* convert dep update tool probes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* convert fuzzing probes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* convert license probes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* convert maintained probes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* convert packaging probe

Signed-off-by: Spencer Schrock <sschrock@google.com>

* convert sast probes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* convert security policy probes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* convert signed releases probes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* convert vuln probe

Signed-off-by: Spencer Schrock <sschrock@google.com>

* try using probe registration data

Signed-off-by: Spencer Schrock <sschrock@google.com>

* blank import unused probe

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add uncategorized group

Signed-off-by: Spencer Schrock <sschrock@google.com>

* ensure All list is up-to-date

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add reason behind uncategorized group

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix linter yaml parse error

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix linter

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add webhook data

Signed-off-by: Spencer Schrock <sschrock@google.com>

* convert probe registration to Must pattern

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add registration for new probes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add missing license header

Signed-off-by: Spencer Schrock <sschrock@google.com>

* revert changing wrapcheck linter config

Signed-off-by: Spencer Schrock <sschrock@google.com>

* use error func which doesn't need wrapped

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add test for probe registration

Signed-off-by: Spencer Schrock <sschrock@google.com>

* restore trailing newline

Signed-off-by: Spencer Schrock <sschrock@google.com>

* order probe category list

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-03-19 13:10:11 -07:00
AdamKorcz
6fc7d4c061
Add probe metadata about supported ecosystems (#3797)
* 🌱 Add probe metadata about supported ecosystems

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* Add metadata for the rest of the probes

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* fix wrong formatting

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* remove oss-fuzz, osv, cii_blob, cii_http clients

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* add github and gitlab clients for 2 probes

Signed-off-by: Adam Korczynski <adam@adalogics.com>

---------

Signed-off-by: Adam Korczynski <adam@adalogics.com>
2024-02-08 10:20:07 -08:00
Spencer Schrock
7a4c1bdaff
🐛 Fix OSV URI in probe remediation text (#3770)
* add space after link

the period (and possibly what came after it) was being interpreted as part of the link.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* only use one ID in the osv.dev link

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add/fix tests

Signed-off-by: Spencer Schrock <sschrock@google.com>

* make the remediation tests less fragile

this test would need to be fixed every time the phrasing is fixed.
by looking for substrings, we make this less likely to need changed.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* move len check before any finding creation

small efficiency gain since the finding is discarded.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-01-05 14:02:29 -08:00
Spencer Schrock
1625b0c578
🌱 Disable more style linters for test files (#3707)
* disable lll linter for test files
* disable goerr113 linter for tests
* disable wrapcheck linter for tests
* fix easy linter issues in tests

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2023-12-04 02:14:01 +00:00
Spencer Schrock
92470deac3
🌱 enable nolintlint linter and fix violations (#3650)
* enable nolintlint

Signed-off-by: Spencer Schrock <sschrock@google.com>

* first chunk of fixing nolintlint

Signed-off-by: Spencer Schrock <sschrock@google.com>

* second chunk of fixing nolintlint

Signed-off-by: Spencer Schrock <sschrock@google.com>

* third chunk of fixing nolintlint

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fourth chunk of fixing nolintlint

Signed-off-by: Spencer Schrock <sschrock@google.com>

* include reason for the specific linter config

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fifth chunk of fixing nolintlint

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix linter errors that are somehow still triggering

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2023-11-15 11:44:28 -08:00
AdamKorcz
de022dacc4
🌱 convert vulnerabilities check to probe (#3487)
* 🌱 convert vulnerabilities check to probe

Signed-off-by: AdamKorcz <adam@adalogics.com>

* rename probe + nits

Signed-off-by: AdamKorcz <adam@adalogics.com>

* edit def.yml

Signed-off-by: AdamKorcz <adam@adalogics.com>

* Add vuln ID dynamically to def.yml

Signed-off-by: AdamKorcz <adam@adalogics.com>

* Elaborate the purpose of test data in unit test

Signed-off-by: AdamKorcz <adam@adalogics.com>

* Move logging out of loop and change logic of negativeFindings()

Signed-off-by: AdamKorcz <adam@adalogics.com>

* preserve number of vulns found in output

Signed-off-by: AdamKorcz <adam@adalogics.com>

* Preserve grouping of vulns

Signed-off-by: AdamKorcz <adam@adalogics.com>

* fix linter issues

Signed-off-by: AdamKorcz <adam@adalogics.com>

* Add remediation data

Signed-off-by: AdamKorcz <adam@adalogics.com>

* use checker.LogFindings()

Signed-off-by: AdamKorcz <adam@adalogics.com>

---------

Signed-off-by: AdamKorcz <adam@adalogics.com>
2023-10-25 10:02:24 -07:00