* 🌱 Additional e2e clients/githubrepo/checkruns.go
- Add `net/http` and `github.com/google/go-github/v38/github` imports
- Add a test for `listCheckRunsForRef` with valid ref
- Add a test for `listCheckRunsForRef` with invalid ref
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Based on code review comments
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Some tweaks
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* feat: Added yaml file that contains the full, flattened gitlab ci/cd contents
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Updated to meet linting failures
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Updated filename for flattened gitlab
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Updated to include the generated, flattened ci yaml in the file listing
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Updated the apiFunction to be part of the handler
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Moved packaging collection to be a repoClient specific sub-package
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* feat: Added path for gitlab projects, including a basic search for lines containing nuget, poetry, twine publishes
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Added tests for gitlab packaging finders
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Added more tests for parsing through the client and grouping packaging data
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Utilizing existing mock objects to prevent race condition exception
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Addressed linting errors
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* test: Updated expectation for log message
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
* refactor: Reverted back to the original error
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
---------
Signed-off-by: Robison, Jim B <jim.b.robison@lmco.com>
Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
- Add a test for getting the default branch
- Add tests for getting and querying a branch
- Add an error check for non-existent branch
- Add an error check for non-HEAD query
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Recover from osv-scanner panics.
This allows us to give an inconclusive score instead of crashing.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Bump osv-scanner to include performance increase.
https://github.com/google/osv-scanner/pull/346
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add make targets and E2E test target for GitLab only
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add GitLab support to RepoClient
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Build
* Make target for e2e-gitlab-token
* Only run Gitlab tests in CI that don't require a token
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add tests
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Remove spurious printf
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* 🐛 Check OSS Fuzz build file for Fuzzing check (#2719)
* Check OSS-Fuzz using project list
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Use clients.RepoClient interface to perform the new OSS Fuzz check
Signed-off-by: Spencer Schrock <sschrock@google.com>
* wip: add eager client for better repeated lookup of projects
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Split lazy and eager behavior into different implementations.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add tests and benchmarks
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Switch to always parsing JSON to determine if a project is present. The other approach of looking for a substring match would lead to false positives.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add eager constructor to surface status file errors sooner.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Switch existing users to new OSS Fuzz client
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Mark old method as deprecated in the godoc
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove unused comment.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Use new OSS Fuzz client in e2e test.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fix typo.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Fix potential path bug with test server.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Force include the two JSON files which were being ignored by .gitignore
Signed-off-by: Spencer Schrock <sschrock@google.com>
* trim the status json file
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
* Updates osv-scanner dependency to 1.2.0.
The 1.0 release changed the return value for osv-scanner to output an error
when vulnerabilities are found; modified to handle this error correctly.
Signed-off-by: Rex Pan <rexpan@google.com>
* Add some additional comments
Signed-off-by: Rex Pan <rexpan@google.com>
* Update osv-scanner to include SBOM and logging fixes
Signed-off-by: Rex Pan <rexpan@google.com>
---------
Signed-off-by: Rex Pan <rexpan@google.com>
* Update auth server to use GitHub App.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Update release worker to use GitHub App tokens directly, as a workaround for the auth server not supporting it.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add Retry-After logic and stats.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Change retry-after logic to support any status code. Disable troublesome checks.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Use GitHub App Token instead of auth server.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Temporarily disable additional checks.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Disable github auth server as it doesn't work with the GitHub App Tokens.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Re-enable Fuzzing check in the release test.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Fix unit test for new check change.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Move opencensus stat to the ratelimit roundtripper.
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Improve OSV scanning integration (squashed)
Signed-off-by: Rex P <rexpan@google.com>
* Add support for grouping vulnerabilities and aliases
Signed-off-by: Rex P <rexpan@google.com>
* Updated documentation, split vulnerability output to multiple warnings
Signed-off-by: Rex P <rexpan@google.com>
* Add its own codebase into docs
Signed-off-by: Rex P <rexpan@google.com>
* Update scorecard test to not prevent known vulns
Signed-off-by: Rex P <rexpan@google.com>
Signed-off-by: Rex P <rexpan@google.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
* ✨ Improved Security Policy Check (#2137)
* Examines and awards points for linked content (URLs / Emails)
* Examines and awards points for hints of disclosure and vulnerability practices
* Examines and awards points for hints of elaboration of timelines
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Repaired Security Policy to correctly use linked content length for evaluation
Signed-off-by: Scott Hissam <shissam@gmail.com>
* gofmt'ed changes
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Repaired the case in the evaluation which was too sensitive to content length over the length of the linked content for urls and emails
Signed-off-by: Scott Hissam <shissam@gmail.com>
* added unit test cases for the new content-based Security Policy checks
Signed-off-by: Scott Hissam <shissam@gmail.com>
* reverted the direct (mistaken) change to checks.md and updated the checks.yaml for generate-docs
Signed-off-by: Scott Hissam <shissam@gmail.com>
* ✨ Improved Security Policy Check (#2137) (revisited based on comments)
* replaced reason strings with log.Info & log.Warn (as seen in --show-details)
* internal assertion check for nil (*pinfo) and empty pfile
* internal switched to FileTypeText over FileTypeSource
* internal implement type SecurityPolicyInformationType/SecurityPolicyInformation revised SecurityPolicyData to support only one file
* revised expected unit-test results and revised unit-test to reflect the new SecurityPolicyData type
Signed-off-by: Scott Hissam <shissam@gmail.com>
* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly
Signed-off-by: Scott Hissam <shissam@gmail.com>
* revised the score value based on observation of one *or more* url(s) or one email(s) found; e2e tests update accordingly
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Addressed PR comments; added telemetry for policy hits in security policy file to track hits by line number
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Resolved merge conflict with checks.yaml
Signed-off-by: Scott Hissam <shissam@gmail.com>
* updated raw results to emit all the raw information for the new security policy check
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Resolved merge conflicts and lint errors with json_raw_results.go
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Addressed review comments to reorganize security policy data struct to support the potential for multiple security policy files.
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Added logic to the security policy to process multiple security policy files only after future improvements to aggregating scoring across such files are designed. For now the security policy behaves as originally designed and stops once one of the expected policy files is found in the repo
Signed-off-by: Scott Hissam <shissam@gmail.com>
* added comments regarding the capacity to support multiple policy files and removed unneeded break statements in the code
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Addressed review comments to remove the dependency on the path in the filename from the code and introduced FileSize to checker.File type and removed the SecurityContentLength which was used to hold that information for the new security policy assessment
Signed-off-by: Scott Hissam <shissam@gmail.com>
* restored reporting full security policy path and filename for policies found in the org level repos
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Resolved conflicts in checks.yaml for documentation
Signed-off-by: Scott Hissam <shissam@gmail.com>
* ✨ CLI for scorecard-attestor (#2309)
* Reorganize
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Working commit
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Compile with local scorecard; go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add signing code
Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update deps
* Naming
* Makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Edit license, add lint.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* checks: go mod tidy, license
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Split into checker/signer files
* Naming convention
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* License, remove golangci.yml
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Address PR comments
* Use cobra
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add tests for root command
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Filter out checks that aren't needed for policy evaluation
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Add `make` targets for attestor; submit coverage stats
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Improvements
* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Flags: Make note-name constant and fix messaging
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Remove SupportedRequestTypes
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* go mod tidy, makefile
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Fix GH actions run
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>
* removed whitespace before stanza for Run attestor e2e
Signed-off-by: Scott Hissam <shissam@gmail.com>
* resolved code review and doc review comments
Signed-off-by: Scott Hissam <shissam@gmail.com>
* repaired the link for the maintainer's guide for supporting the coordinated vulnerability disclosure guidelines
Signed-off-by: Scott Hissam <shissam@gmail.com>
* initial implementation of https://github.com/ossf/scorecard/issues/1369#issuecomment-1304831531 to provide more license details
Signed-off-by: Scott Hissam <shissam@gmail.com>
* draft implementation to provide more information on license details
Signed-off-by: Scott Hissam <shissam@gmail.com>
* repaired a misspelling
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Changed to handle http errors with 404 not found as being a non-error for not being able to find a license
Signed-off-by: Scott Hissam <shissam@gmail.com>
* Return an error status similar to other gitlab checks
Signed-off-by: Scott Hissam <shissam@gmail.com>
* add new raw licenses data
Signed-off-by: Scott Hissam <shissam@gmail.com>
* updated e2e test as new license check generates more info and warn as scores change as license file content is not parsed
Signed-off-by: Scott Hissam <shissam@gmail.com>
* added numerous more test filenames and a shouldFail boolean as some filenames will fail that do not meet checks.md rules
Signed-off-by: Scott Hissam <shissam@gmail.com>
* license check now, primarily, uses the GH API for checking licenses
Signed-off-by: Scott Hissam <shissam@gmail.com>
* updated local checker as new license check generates more info and warn as scores change as license file content is not parsed
Signed-off-by: Scott Hissam <shissam@gmail.com>
* added draft license gradation for scoring, add a map to OSI and FSF licenses, added GH API for retrieving repo license, revamp license filename matching when not using a repo API for detecting license files.
Signed-off-by: Scott Hissam <shissam@gmail.com>
* repaired race condition for case insensitive map, improved regex matching, moved licenses to raw, raw now mimics GH API return values for key, name, etc., updated unit tests and raw results accordingly
Signed-off-by: Scott Hissam <shissam@gmail.com>
* completed disambiguation of SPDX Identifiers and filename extensions, reworked some of the code comments, added map generation to TestLicense, added an additional mutex for the regex group identifier index, removed spurious prints, revised unit test accordingly, updated documentation.
Signed-off-by: Scott Hissam <shissam@gmail.com>
* removed repo Key from LicenseInformation as unneeded, changed attribution constants to be more meaningful, update documentation as necessary for changes
Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: Scott Hissam <shissam@gmail.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Co-authored-by: raghavkaul <8695110+raghavkaul@users.noreply.github.com>
* Merges on Github count as a code review by the maintainer
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Update Raw Results
* More detailed information for Changesets
* If there's no Revision ID, use the Commit SHA instead
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* Check that pull request had at least one reviewer that wasn't its author
* Add field for Pull Request Merged-By to Github and Gitlab
* Note, this check can be bypassed if an author opens a PR with other people's commits
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
* updated readme to reflect gitlab usage
* bugfixes after a good deal of testing
* removed unnecessary files from branch
* cleaning up my mess
* requested changes + unit tests
* style fixes
* merge main into gitlab_support
* check-linter fixes
Signed-off-by: Nathaniel Wert <N8.Wert.B@gmail.com>
Co-authored-by: nathaniel.wert <nathaniel.wert@kudelskisecurity.com>
* 🌱 Upgrade to go 1.18
- Upgrade to go 1.18
- Updated the deps to avoid critical CVEs
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Updated dockerfile.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed the linter issues.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed the CVE dependencies
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Removed the cache which is changing between 1.17 and 1.18
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Updated ko to latest
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed linter issue.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Bugfix: Detect recently created Github repositories
Adjust the unweighted score -3 points if they were created in the last 90 days
* Address PR comments
* Make log message more urgent
* Add to raw results
* Zero 'Maintained' score if the repo is too new to evaluate
* Update docs
* Update maintained_test.go
* Fix lint error
* 🌱 Export Scorecards results for API
- Exporting the Scorecard results for the scorecard API.
- The code exports as result.json without the commit SHA and also with the commit SHA.
* Some cleanup and tweaks.
* implement binary artifacts exception for validated gradle-wrapper.jar files
* add tests for binary artifact gradle wrapper verification exception
* fix issues for linter
* expect added jar in TestBinaryArtifacts Jar file test
* improve readability of raw/binary_artifact
* Binary-Artifact request types no longer includes FileBased
* add version requirement capability to gradle action check
* Refactor exception from checks/raw to checks/evaluation
* remove unnecessary len(files)
* flatten application of exception by moving to another function
* revert refactor to checks/evaluation
* flatten removal of validated wrappers
* create fileExists function
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>