scorecard

mirror of https://github.com/ossf/scorecard.git synced 2024-08-16 03:40:31 +03:00

Author	SHA1	Message	Date
Spencer Schrock	6629b09746	🌱 Add lifecycle field to probes (#4147 ) Some checks are pending CodeQL / Analyze (go) (push) Waiting to run Details CodeQL / Analyze (javascript) (push) Waiting to run Details gitlab-tests / gitlab-integration-trusted (push) Waiting to run Details golangci-lint / check-linter (push) Waiting to run Details build / unit-test (push) Waiting to run Details build / generate-mocks (push) Waiting to run Details build / generate-docs (push) Waiting to run Details build / build-proto (push) Waiting to run Details build / ${{ matrix.target }} (build-add-script) (push) Blocked by required conditions Details build / ${{ matrix.target }} (build-bq-transfer) (push) Blocked by required conditions Details build / ${{ matrix.target }} (build-cii-worker) (push) Blocked by required conditions Details build / ${{ matrix.target }} (build-controller) (push) Blocked by required conditions Details build / ${{ matrix.target }} (build-github-server) (push) Blocked by required conditions Details build / ${{ matrix.target }} (build-scorecard) (push) Blocked by required conditions Details build / ${{ matrix.target }} (build-shuffler) (push) Blocked by required conditions Details build / ${{ matrix.target }} (build-validate-script) (push) Blocked by required conditions Details build / ${{ matrix.target }} (build-webhook) (push) Blocked by required conditions Details build / ${{ matrix.target }} (build-worker) (push) Blocked by required conditions Details build / validate-docs (push) Waiting to run Details build / add-projects (push) Waiting to run Details build / validate-projects (push) Waiting to run Details build / license boilerplate check (push) Waiting to run Details Scorecard analysis workflow / Scorecard analysis (push) Waiting to run Details * add lifecycle field to probe yaml definitions Signed-off-by: Spencer Schrock <sschrock@google.com> * classify existing probes Some are listed as stable if they're not expected to change, others are listed as experimental if there are still expected changes. Signed-off-by: Spencer Schrock <sschrock@google.com> * add lifecycle to probe readme Signed-off-by: Spencer Schrock <sschrock@google.com> * fix linter Signed-off-by: Spencer Schrock <sschrock@google.com> * add lifecycle for new probe Signed-off-by: Spencer Schrock <sschrock@google.com> * add probe lifecycle to documentation Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>	2024-07-02 17:11:19 +00:00
Raghav Kaul	28337f13b1	🌱 maintainer annotations: improve annotation file validation (#4162 ) * validate check names against full list Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * tests: close file Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * make private Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * Restructure imports Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>	2024-07-02 15:40:34 +00:00
Spencer Schrock	0b9dfb656f	⚠️ Replace v4 module references with v5 (#4027 ) Signed-off-by: Spencer Schrock <sschrock@google.com>	2024-04-12 14:51:50 -07:00
Spencer Schrock	6b071eddeb	⚠️ Allow probes to specify their own bad outcomes (#4020 ) * merge probe and finding packages No one interacts with the probes directly, and having them in the same package helps with follow up commits Signed-off-by: Spencer Schrock <sschrock@google.com> * add extra field to indicate the outcome a probe should show remediation for Signed-off-by: Spencer Schrock <sschrock@google.com> * start all probes with remediate on 'False' Signed-off-by: Spencer Schrock <sschrock@google.com> * make OutcomeTrue bad for hasOSVVulnerabilities Signed-off-by: Spencer Schrock <sschrock@google.com> * nest outcome trigger under remediation in yaml Signed-off-by: Spencer Schrock <sschrock@google.com> * invert outcomes for dangerous workflow probes Signed-off-by: Spencer Schrock <sschrock@google.com> * rename notArchived probe to archived with the swap, the true outcome is now the bad outcome. Signed-off-by: Spencer Schrock <sschrock@google.com> * rename notCreatedRecently probe to createRecently with the rename, the true outcome is now bad Signed-off-by: Spencer Schrock <sschrock@google.com> * switch binary artifact probes so detecting binaries is a true outcome Signed-off-by: Spencer Schrock <sschrock@google.com> * appease the linter Signed-off-by: Spencer Schrock <sschrock@google.com> * dont export probe type we can always make it public again later Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>	2024-04-10 14:12:53 -07:00
Spencer Schrock	b577d79c96	⚠️ Replace Positive and Negative outcomes with True and False (#4017 ) * rename positive to true Signed-off-by: Spencer Schrock <sschrock@google.com> * rename negative to false Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>	2024-04-08 15:36:11 -07:00
Spencer Schrock	b3ad602a59	🌱 Add probe registration mechanism (#3876 ) * add basic probe registration function Signed-off-by: Spencer Schrock <sschrock@google.com> * ignore probes which call init to register the probe Signed-off-by: Spencer Schrock <sschrock@google.com> * redefine probeimpl to avoid circular imports Signed-off-by: Spencer Schrock <sschrock@google.com> * register all probes Signed-off-by: Spencer Schrock <sschrock@google.com> * experiment with a probe struct Signed-off-by: Spencer Schrock <sschrock@google.com> * make check name constants Signed-off-by: Spencer Schrock <sschrock@google.com> * convert branch protection probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert binary artifact probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert cii probe Signed-off-by: Spencer Schrock <sschrock@google.com> * convert ci test probe Signed-off-by: Spencer Schrock <sschrock@google.com> * convert code review probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert contributor probe Signed-off-by: Spencer Schrock <sschrock@google.com> * convert dangerous workflow probe Signed-off-by: Spencer Schrock <sschrock@google.com> * convert dep update tool probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert fuzzing probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert license probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert maintained probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert packaging probe Signed-off-by: Spencer Schrock <sschrock@google.com> * convert sast probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert security policy probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert signed releases probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert vuln probe Signed-off-by: Spencer Schrock <sschrock@google.com> * try using probe registration data Signed-off-by: Spencer Schrock <sschrock@google.com> * blank import unused probe Signed-off-by: Spencer Schrock <sschrock@google.com> * add uncategorized group Signed-off-by: Spencer Schrock <sschrock@google.com> * ensure All list is up-to-date Signed-off-by: Spencer Schrock <sschrock@google.com> * add reason behind uncategorized group Signed-off-by: Spencer Schrock <sschrock@google.com> * fix linter yaml parse error Signed-off-by: Spencer Schrock <sschrock@google.com> * fix linter Signed-off-by: Spencer Schrock <sschrock@google.com> * add webhook data Signed-off-by: Spencer Schrock <sschrock@google.com> * convert probe registration to Must pattern Signed-off-by: Spencer Schrock <sschrock@google.com> * add registration for new probes Signed-off-by: Spencer Schrock <sschrock@google.com> * add missing license header Signed-off-by: Spencer Schrock <sschrock@google.com> * revert changing wrapcheck linter config Signed-off-by: Spencer Schrock <sschrock@google.com> * use error func which doesnt need wrapped Signed-off-by: Spencer Schrock <sschrock@google.com> * add test for probe registration Signed-off-by: Spencer Schrock <sschrock@google.com> * restore trailing newline Signed-off-by: Spencer Schrock <sschrock@google.com> * order probe category list Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>	2024-03-19 13:10:11 -07:00
AdamKorcz	4daefb64ae	🌱 Add branch protection probe evaluation (#3759 ) * 🌱 Add branch protection evaluation Signed-off-by: Adam Korczynski <adam@adalogics.com> * make helper for getting the branchName Signed-off-by: Adam Korczynski <adam@adalogics.com> * move check for branch name Signed-off-by: Adam Korczynski <adam@adalogics.com> * define size of slice Signed-off-by: Adam Korczynski <adam@adalogics.com> * add probe for protected branches. Signed-off-by: Adam Korczynski <adam@adalogics.com> * change 'basicNonAdminProtection' to 'deleteAndForcePushProtection' Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix markdown in text field in def.yml Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove duplicate conditional Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove redundant 'protected' value from 'requiresCodeOwnersReview' probe Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove protected values from probes Signed-off-by: Adam Korczynski <adam@adalogics.com> * Bring back negative outcome in case of 0 codeowners files Signed-off-by: Adam Korczynski <adam@adalogics.com> * log based on whether branches are protected Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove unnecessary test Signed-off-by: Adam Korczynski <adam@adalogics.com> * debug failing tests Signed-off-by: Adam Korczynski <adam@adalogics.com> * Fix failing tests Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename test Signed-off-by: Adam Korczynski <adam@adalogics.com> * update to with latest upstream changes Signed-off-by: AdamKorcz <adam@adalogics.com> * fix linting issues Signed-off-by: AdamKorcz <adam@adalogics.com> * remove tests that represent impossible scenarios Signed-off-by: AdamKorcz <adam@adalogics.com> * remove protected finding value This was discussed previously, but accidentally reverted Signed-off-by: Spencer Schrock <sschrock@google.com> * Revert "debug failing tests" This reverts commit `00acf66ea6`. Signed-off-by: Spencer Schrock <sschrock@google.com> * use branchName key for branch name Signed-off-by: Spencer Schrock <sschrock@google.com> * include number of reviews in INFO this was previously included by the old evaluation code Signed-off-by: Spencer Schrock <sschrock@google.com> * reduce info count by 1 requiring codeowners without a corresponding file used to give 1 INFO and 1 WARN now it only gives 1 WARN Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Adam Korczynski <adam@adalogics.com> Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Co-authored-by: Spencer Schrock <sschrock@google.com>	2024-02-28 13:37:29 -08:00
AdamKorcz	6fc7d4c061	✨ Add probe metadata about supported ecosystems (#3797 ) * 🌱 Add probe metadata about supported ecosystems Signed-off-by: Adam Korczynski <adam@adalogics.com> * Add metadata for the rest of the probes Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix wrong formatting Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove oss-fuzz, osv, cii_blob, cii_http clients Signed-off-by: Adam Korczynski <adam@adalogics.com> * add github and gitlab clients for 2 probes Signed-off-by: Adam Korczynski <adam@adalogics.com> --------- Signed-off-by: Adam Korczynski <adam@adalogics.com>	2024-02-08 10:20:07 -08:00
Spencer Schrock	ca944e8169	🌱 Change finding Values to map[string]string (#3837 ) * make values map string -> string Signed-off-by: Spencer Schrock <sschrock@google.com> * fixup branch protection probes Signed-off-by: Spencer Schrock <sschrock@google.com> * fix sast probe Signed-off-by: Spencer Schrock <sschrock@google.com> * fix signed-releases probes Signed-off-by: Spencer Schrock <sschrock@google.com> * fix maintained probes Signed-off-by: Spencer Schrock <sschrock@google.com> * fix cii-best-practices probes Signed-off-by: Spencer Schrock <sschrock@google.com> * fix cii-best-practices eval Signed-off-by: Spencer Schrock <sschrock@google.com> * fix signed-releases eval Signed-off-by: Spencer Schrock <sschrock@google.com> * fix sast eval Signed-off-by: Spencer Schrock <sschrock@google.com> * fix maintained eval Signed-off-by: Spencer Schrock <sschrock@google.com> * fix permissions eval Signed-off-by: Spencer Schrock <sschrock@google.com> * appease the linter Signed-off-by: Spencer Schrock <sschrock@google.com> * standardize maintained key names Signed-off-by: Spencer Schrock <sschrock@google.com> * set lookback days value regardless of outcome Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>	2024-02-07 10:55:16 -08:00
Spencer Schrock	c59e93b9b2	🌱 Switch probe tests to helper func (#3782 ) * simplify test helper to verify finding outcomes Signed-off-by: Spencer Schrock <sschrock@google.com> * switch existing callers to helper func Signed-off-by: Spencer Schrock <sschrock@google.com> * remove TODO comments Signed-off-by: Spencer Schrock <sschrock@google.com> * fixup doc string Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>	2024-01-10 10:00:04 -08:00
AdamKorcz	2e1059bb76	🌱 Add probes for Branch Protection (#3691 ) * 🌱 Add probes for Branch Protection Signed-off-by: AdamKorcz <adam@adalogics.com> * specify that Scorecard only considers default and releases branches Signed-off-by: Adam Korczynski <adam@adalogics.com> * reduce duplication in blocksDeleteOnBranches Signed-off-by: Adam Korczynski <adam@adalogics.com> * use helper to test for boolean values Signed-off-by: Adam Korczynski <adam@adalogics.com> * Fix typo, mention OutcomeNotAvailable Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix typo and elaborate on effort Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix typo. Specify which branches the probe considers Signed-off-by: Adam Korczynski <adam@adalogics.com> * Fix copy paste typo Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove '/en' from url Signed-off-by: Adam Korczynski <adam@adalogics.com> * change effort from 'High' to 'Low' in the blocksForcePushOnBranches probe def Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix remediation level Signed-off-by: Adam Korczynski <adam@adalogics.com> * Change probe package name Signed-off-by: Adam Korczynski <adam@adalogics.com> * improve probe definitions Signed-off-by: Adam Korczynski <adam@adalogics.com> * refactor test names Signed-off-by: Adam Korczynski <adam@adalogics.com> * Change motivation of two probes Signed-off-by: Adam Korczynski <adam@adalogics.com> * downgrade effort of runsStatusChecksBeforeMerging Signed-off-by: Adam Korczynski <adam@adalogics.com> * reduce complexity of blocksForcePushOnBranches Signed-off-by: Adam Korczynski <adam@adalogics.com> * simplify requiresCodeOwnersReview logic Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix linter issues Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix copy paste error Signed-off-by: Adam Korczynski <adam@adalogics.com> * differentiate trueMsg and falseMsg in requiresApproversForPullRequests Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix text in requiresCodeOwnersReview Signed-off-by: Adam Korczynski <adam@adalogics.com> * change outcome in utils Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix lint issues Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix nit in text Signed-off-by: Adam Korczynski <adam@adalogics.com> * use standardized messages Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove 'Uint32LargerThan0' Signed-off-by: Adam Korczynski <adam@adalogics.com> * Add number of required reviewers to values. Refactor to avoid nil-dereference Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix nit log message Signed-off-by: Adam Korczynski <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: Adam Korczynski <adam@adalogics.com>	2023-12-27 22:33:06 +00:00

11 Commits