Commit Graph

316 Commits

Author SHA1 Message Date
Oliver Chang
158c2cdbde
Fix typo in scorecard date format. (#353) 2021-04-21 21:16:26 -07:00
Azeem Shaikh
bd3eff1fcf
Cron job uses line-delimited JSON (#344)
* Refactor to reduce code duplication
* Move lib/ back to checker/

* Move lib/ back to checker/

* Move lib/ back to checker/

* Address PR comments.

* Addressing PR comments.

* Separate out ReposURL into repos/

* Add TODO in gitcache module.

* Add RepoRequest/Response types.

* Avoid printing `ShouldRetry` and `Error` in output JSON.

* Fix JSON output.

* Simplify cmd package.

* Make cron/ a package instead of module.

* Fix TODO.

* Remove binary file.

* go.mod file.

* go.mod updates.

* Refactor cron to use in-memory JSON.

* Fix JSON output.

* Fix go.mod

* Address PR comments.

* Change %w -> %v.

* Address PR comments.

* Fix err.

Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-04-19 12:49:51 -07:00
Chris McGehee
06993b72ce
🐛 Fix linting issues (1 of n) (#348)
* Fix lint issues: whitespace linter

* Fix lint issues: wrapcheck linter

* Fix lint issues: errcheck linter

* Fix lint issues: paralleltest linter

* Fix lint issues: gocritic linter
Most changes in this commit come from passing checker.CheckResult by reference rather than by value; gocritic identified it as a huge parameter.
gocritic also prefers regexp.MustCompile over Compile when the pattern is a const.
2021-04-19 12:18:34 -07:00
Oliver Chang
df27afd3b3
Make checks documentation machine readable. (#345)
* Make checks documentation machine readable.

Make checks.yaml as a machine and human readable source of truth of
checks documentation.

A tiny Python script is also added to generate checks.json and checks.md
from this file.

* move checks scripts and files
2021-04-16 11:15:56 -07:00
naveen
1d3821e08c 🌱 Fix concurrent cronjob execution
* With the increased scans, the cron job is running longer than expected, which was causing multiple jobs to execute concurrently.

* Changed the concurrency policy to "Forbid" to avoid it.
2021-04-14 09:35:26 -05:00
Naveen
8e352e408a
🌱 Included make targets for update binary (#340)
* Include the build and go mod verify targets for the update binary.
2021-04-13 01:36:45 +00:00
naveen
9397708318 Handle vendored repos dependency
* Handle vendored repos for go dependencies

* Add additional repositories for projects.txt
2021-04-12 15:50:10 -05:00
Naveen
f02df30b61
Included dependency parsing for go (#337)
* Included dependency parsing of go.mod files.
* Parse vanity URL in go.mod to add dependencies
* Updated dependencies for scorecard and cosign based on the vanity URLs.
2021-04-10 12:21:51 -05:00
Azeem Shaikh
a58818d258
🌱 Reduce code duplication for follow-up cron refactoring (#338)
* Refactor to reduce code duplication
* Move lib/ back to checker/

* Move lib/ back to checker/

* Move lib/ back to checker/

* Address PR comments.

* Addressing PR comments.

* Avoid printing `ShouldRetry` and `Error` in output JSON.

* Fix JSON output.

Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-04-10 07:26:56 -05:00
naveen
6aad826067 🌱 Included dependencies for k8s
* Included the k8s dependencies.
2021-04-08 14:17:56 -05:00
naveen
c2236f68f8 🌱 Updated commit message for dependabot
* Updated commit message to have 🌱 prefix in dependabot PR.
2021-04-08 14:13:44 -05:00
dependabot[bot]
4b997019d5 Bump github.com/onsi/ginkgo from 1.16.0 to 1.16.1 in /gitcache
Bumps [github.com/onsi/ginkgo](https://github.com/onsi/ginkgo) from 1.16.0 to 1.16.1.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v1.16.0...v1.16.1)

Signed-off-by: dependabot[bot] <support@github.com>
2021-04-08 10:52:04 -05:00
dependabot[bot]
fc0eac922a Bump github.com/onsi/ginkgo from 1.16.0 to 1.16.1
Bumps [github.com/onsi/ginkgo](https://github.com/onsi/ginkgo) from 1.16.0 to 1.16.1.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v1.16.0...v1.16.1)

Signed-off-by: dependabot[bot] <support@github.com>
2021-04-08 09:27:08 -05:00
dependabot[bot]
f8fdccb478 Bump github.com/onsi/ginkgo from 1.15.2 to 1.16.0 in /gitcache
Bumps [github.com/onsi/ginkgo](https://github.com/onsi/ginkgo) from 1.15.2 to 1.16.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v1.15.2...v1.16.0)

Signed-off-by: dependabot[bot] <support@github.com>
2021-04-05 12:22:30 -05:00
dependabot[bot]
e0cd796b7f Bump github.com/onsi/ginkgo from 1.15.2 to 1.16.0
Bumps [github.com/onsi/ginkgo](https://github.com/onsi/ginkgo) from 1.15.2 to 1.16.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v1.15.2...v1.16.0)

Signed-off-by: dependabot[bot] <support@github.com>
2021-04-05 12:12:04 -05:00
asraa
8a5f9a8ea7
zero pad dates (#328)
Signed-off-by: Asra Ali <asraa@google.com>
2021-04-05 07:57:37 -07:00
Abhishek Arya
f15a6bfbf0
Don't retry and log http get failures. (#324) 2021-04-04 10:24:14 -07:00
Asra Ali
ed8d5801bc Add updater to collect deps in project files and add to projects.txt
Signed-off-by: Asra Ali <asraa@google.com>
2021-04-02 12:57:57 -05:00
dependabot[bot]
3f70d82ce0 Bump golang from 1.16.2 to 1.16.3
Bumps golang from 1.16.2 to 1.16.3.

Signed-off-by: dependabot[bot] <support@github.com>
2021-04-02 12:03:43 -05:00
nathannaveen
f5185e4bd6 🌱 included copyright headers. 2021-04-01 21:36:10 -05:00
naveen
6d9463bf60 🌱 Upgrade golang docker container
Golang docker container upgrade.
2021-04-01 19:43:30 -05:00
Chris McGehee
7432e5e6f9 using make targets in docker builds 2021-03-30 14:12:24 -04:00
dependabot[bot]
8ef259d250 Bump github.com/go-git/go-git/v5 from 5.2.0 to 5.3.0 in /gitcache
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.2.0 to 5.3.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.2.0...v5.3.0)

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-30 13:04:31 -04:00
naveen
2f62126a3e 🐛 Fix docker buildx syntax
The docker build syntax was in an incorrect location, which was causing the
builds to fail.

https://github.com/docker/buildx/issues/348#issuecomment-709155842
2021-03-29 23:59:21 -04:00
Naveen
3e4432ceea Update PULL_REQUEST_TEMPLATE.md 2021-03-24 17:11:02 -04:00
Naveen
0e5b8e63f2 Eating your own dog food
Eating your own dog food
2021-03-22 18:00:20 -04:00
naveen
775a83a2f7 🌱 update dependabot for cron and scripts
The cron and scripts are based on go.mod. The dependabot settings are
updated to watch those folders.
2021-03-22 11:50:01 -04:00
naveen
7622cea5a6 🌱 updated the makefile to include scripts and cron
Updated the makefile to include scripts and cron.
2021-03-22 11:42:18 -04:00
naveen
688dc5e6c7 Refactor cron job
* Refactored cron job from shell script to go.
* Included metadata to the projects.txt for envoy
* Included checks for duplicate item in projects.txt
* Sorted the projects.txt so that it is easier for someone to look for a
project
2021-03-21 22:31:07 -04:00
naveen
52e742cce9 📖 Instructions on PR process
* Included instructions in the PR process.
2021-03-21 11:11:30 -04:00
naveen
ba42e1ab7b 🌱 Changed cron to run every day
With the latest fix for round-robin token usage, the cron can run
every day.
2021-03-19 11:50:26 -04:00
Asra Ali
7a2675532a add envoy deps statically
Signed-off-by: Asra Ali <asraa@google.com>
2021-03-19 10:07:33 -04:00
Naveen
1a81741624
🌱 Remove branch protection check from cron (#290)
The branch protection check needs admin access to the repository. All
of these checks from cron would fail and use another call to the API.

This will reduce usage of the API.
2021-03-19 07:27:09 -04:00
naveen
8427362772 🌱 verifier to generate release notes
The verifier helps with release notes generation.
https://github.com/kubernetes-sigs/kubebuilder-release-tools

https://github.com/kubernetes-sigs/kubebuilder-release-tools/blob/master/verify/main.go
2021-03-18 12:19:06 -04:00
naveen
5b9991e3c4 chore - remove debug log for roundtripper
Remove the debug log for the roundtripper, which is flooding.
2021-03-18 10:49:13 -04:00
Naveen
7ff09db2ed
Fix - Using round-robin tokens across multiple calls (#284)
The GitHub tokens are picked from a list for each call using a round-robin approach.
2021-03-17 21:41:29 +00:00
dependabot[bot]
8333f1e328 Bump github.com/onsi/ginkgo from 1.15.1 to 1.15.2
Bumps [github.com/onsi/ginkgo](https://github.com/onsi/ginkgo) from 1.15.1 to 1.15.2.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v1.15.1...v1.15.2)

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-17 15:18:13 -04:00
dependabot[bot]
5b4723b13e Bump github.com/onsi/ginkgo from 1.15.1 to 1.15.2 in /gitcache
Bumps [github.com/onsi/ginkgo](https://github.com/onsi/ginkgo) from 1.15.1 to 1.15.2.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v1.15.1...v1.15.2)

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-17 08:59:32 -04:00
naveen
c62e667f7c Docs - Included instructions for deploying cron
Included instructions for deployment of the k8s cron job for the daily
score.
2021-03-16 10:15:14 -04:00
naveen
27ec7fff8d Docs - Updated the docs for cron
Included a section within the CONTRIBUTING.md about the dailyscore and
cron job.
2021-03-15 12:38:58 -04:00
Naveen
4b4d0f0a01
Fix - out of memory error for large repository (#276)
The httpcache client caches everything in memory, and if the repository
is large, the process gets evicted with OOM.

Changed the implementation to use the standard http client to fetch the
tarball.
2021-03-14 21:50:17 -04:00
NirmalaY12
6a224d1693 Update projects.txt
Scan on github.com/mwiede/jsch
2021-03-14 21:37:18 -04:00
naveen
88de2df279 Feat - Use Snyk to check cron-job security settings
Use Snyk to check the cron-job yaml for security misconfiguration.
2021-03-12 21:03:29 -05:00
naveen
3489c83404 Feat - Include Snyk check for k8s yaml
Snyk has a set of rules to validate the k8s yaml for insecure
configuration.

This action will validate the k8s yaml for insecure configuration.
2021-03-12 20:56:00 -05:00
naveen
3d6b080241 Doc - Included gitcache documentation
Included documentation for gitcache.
2021-03-12 19:24:29 -05:00
naveen
0eaa4ff3d0 Fix - Made the results.json well-formed from cron
Fixed the results.json to be well-formed from the cron job.

Changed the docker image from gsutil to cloudsdk:slim for the `sed` binary,
which is used with cron.sh
2021-03-11 21:58:54 -05:00
naveen
b8768a0eb3 Fix - Set resource limits for the cron pod 2021-03-11 12:03:14 -05:00
Naveen
cccf74cb60
Fix - yaml string quotes. (#266)
The `yaml` string was missing quotes.
2021-03-11 16:06:46 +00:00
naveen
2978ae550a Fix - signed-tags e2e tests.
The signed tags e2e tests were failing because apache/airflow pushed
tags without signing.

Changed from apache/airflow to bitcoin/bitcoin.
2021-03-11 10:59:03 -05:00
naveen
cb94f06642 Fix - cron included caching settings
Included caching settings for the cron job.
2021-03-10 12:33:14 -05:00