Commit Graph

2495 Commits

Author SHA1 Message Date
Chris Swan
16b675953a
📖 Add .sigstore bundles to Signed-Releases docs (#3922)
Signed-off-by: Chris Swan <478926+cpswan@users.noreply.github.com>
2024-03-05 09:57:59 -08:00
Spencer Schrock
d55dbd12e6
⚠️ Switch RepoClient file access to io.ReadCloser (#3912)
* change file access method to io.ReadCloser

callers don't always need the full file.
large files are slow and can cause crashes.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* switch tests to hardcoded readers

Previously they returned bytes or strings, which have corresponding NewReader types.
Since they don't need to be closed, io.NopCloser works well to give them a fake Close.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* switch tests which called os.ReadFile to os.Open

os.File fufills io.ReadCloser, so this is an easy change

Signed-off-by: Spencer Schrock <sschrock@google.com>

* break tarball tests into two steps: reader and read

The rest of the test was kept the same to minimize the change.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* ossfuzz doesn't implement GetFileReader

Signed-off-by: Spencer Schrock <sschrock@google.com>

* appease linter during refactor

Signed-off-by: Spencer Schrock <sschrock@google.com>

* switch git client to new method

add check which ensures git client fulfills the interface

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-03-04 17:37:50 -08:00
dependabot[bot]
90a3708b19
🌱 Bump the github-actions group with 2 updates (#3911)
Bumps the github-actions group with 2 updates: [actions/cache](https://github.com/actions/cache) and [actions/download-artifact](https://github.com/actions/download-artifact).


Updates `actions/cache` from 4.0.0 to 4.0.1
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](13aacd865c...ab5e6d0c87)

Updates `actions/download-artifact` from 4.1.2 to 4.1.4
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](eaceaf801f...c850b930e6)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-04 09:48:54 -08:00
dependabot[bot]
ae4822eac6
🌱 Bump cloud.google.com/go/pubsub from 1.36.1 to 1.36.2 (#3909)
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.36.1 to 1.36.2.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.36.1...pubsub/v1.36.2)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-01 10:55:52 -06:00
afmarcum
60eec25c8c
🌱 Update stale.yml, issue template label references (#3907)
Signed-off-by: afmarcum <138055109+afmarcum@users.noreply.github.com>
2024-02-29 14:18:25 -08:00
dependabot[bot]
e7da5b10c8
🌱 Bump github.com/xanzy/go-gitlab from 0.97.0 to 0.98.0 (#3901)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.97.0 to 0.98.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.97.0...v0.98.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-29 10:11:03 -08:00
afmarcum
5a96bddb3a
📖 Update README slack badge (#3906)
Signed-off-by: afmarcum <138055109+afmarcum@users.noreply.github.com>
2024-02-28 22:07:30 +00:00
AdamKorcz
4daefb64ae
🌱 Add branch protection probe evaluation (#3759)
* 🌱 Add branch protection evaluation

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* make helper for getting the branchName

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* move check for branch name

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* define size of slice

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* add probe for protected branches.

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* change 'basicNonAdminProtection' to 'deleteAndForcePushProtection'

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* fix markdown in text field in def.yml

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* remove duplicate conditional

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* remove redundant 'protected' value from 'requiresCodeOwnersReview' probe

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* remove protected values from probes

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* Bring back negative outcome in case of 0 codeowners files

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* log based on whether branches are protected

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* remove unnecessary test

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* debug failing tests

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* Fix failing tests

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* rename test

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* update to with latest upstream changes

Signed-off-by: AdamKorcz <adam@adalogics.com>

* fix linting issues

Signed-off-by: AdamKorcz <adam@adalogics.com>

* remove tests that represent impossible scenarios

Signed-off-by: AdamKorcz <adam@adalogics.com>

* remove protected finding value

This was discussed previously, but accidentally reverted

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Revert "debug failing tests"

This reverts commit 00acf66ea6.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* use branchName key for branch name

Signed-off-by: Spencer Schrock <sschrock@google.com>

* include number of reviews in INFO

this was previously included by the old evaluation code

Signed-off-by: Spencer Schrock <sschrock@google.com>

* reduce info count by 1

requiring codeowners without a corresponding file used to give 1 INFO and 1 WARN
now it only gives 1 WARN

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Adam Korczynski <adam@adalogics.com>
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
2024-02-28 13:37:29 -08:00
afmarcum
4ae4ba246c
📖 Update contributor ladder to reduce duration requirements (#3899)
📖 Update contributor ladder to reduce duration requirements

Signed-off-by: afmarcum <138055109+afmarcum@users.noreply.github.com>
2024-02-27 10:51:19 -08:00
AdamKorcz
299948eeed
🌱 Convert pinned dependencies to probe (#3829)
* 🌱 Convert pinned dependencies to probe

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* add more tests

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* add checks unit test

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* fix year in probe header and add mising test file

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* Change usage of ValidateTestReturn

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* rename test

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* change 'pinned' to 'unpinned' in test name

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* export 'depTypeKey'

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* Do not copy test Dockerfile

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* rename test

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* Rebase and bring back 'Test_generateOwnerToDisplay'

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* Use API to create finding

Signed-off-by: AdamKorcz <adam@adalogics.com>

* one more change to how the probe creates a finding

Signed-off-by: AdamKorcz <adam@adalogics.com>

---------

Signed-off-by: Adam Korczynski <adam@adalogics.com>
Signed-off-by: AdamKorcz <adam@adalogics.com>
2024-02-26 18:09:26 +00:00
dependabot[bot]
cac416eade
🌱 Bump github.com/rhysd/actionlint from 1.6.26 to 1.6.27 (#3900)
Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) from 1.6.26 to 1.6.27.
- [Release notes](https://github.com/rhysd/actionlint/releases)
- [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rhysd/actionlint/compare/v1.6.26...v1.6.27)

---
updated-dependencies:
- dependency-name: github.com/rhysd/actionlint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-26 10:00:22 -08:00
dependabot[bot]
6d693bbc60
🌱 Bump github.com/google/ko from 0.15.1 to 0.15.2 in /tools (#3895)
Bumps [github.com/google/ko](https://github.com/google/ko) from 0.15.1 to 0.15.2.
- [Release notes](https://github.com/google/ko/releases)
- [Changelog](https://github.com/ko-build/ko/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/ko/compare/v0.15.1...v0.15.2)

---
updated-dependencies:
- dependency-name: github.com/google/ko
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
2024-02-23 20:03:11 +00:00
Spencer Schrock
c7f6efe816
🌱 use ValidateTestReturn for Code-Review tests (#3897)
* check code review log messages, not just score

By using ValidateTestReturn, we can get more actionable failure messages

Signed-off-by: Spencer Schrock <sschrock@google.com>

* simplify error checking

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-02-23 10:34:47 -08:00
dependabot[bot]
b972699842
🌱 Bump the github-actions group with 1 update (#3896)
Bumps the github-actions group with 1 update: [actions/dependency-review-action](https://github.com/actions/dependency-review-action).


Updates `actions/dependency-review-action` from 4.0.0 to 4.1.3
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](4901385134...9129d7d40b)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-22 18:51:29 +00:00
Spencer Schrock
4f4b44d08a
🌱 Use git diff instead of external action for changed files (#3894)
* Use git diff instead of third party action.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* clarify approach

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-02-22 10:07:06 -08:00
dependabot[bot]
54690b41ae
🌱 Bump github.com/golangci/golangci-lint in /tools (#3878)
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.56.1 to 1.56.2.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.56.1...v1.56.2)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-16 10:55:38 -08:00
Spencer Schrock
c1563e1966
🌱 Combine SAST probes into single probe (#3874)
* check logger counts for SAST tests

previously, we only checked the result score.
test failures with this method dont produce as actionable feedback.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* clarify test names and score constants used

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add generic sastToolConfigured probe

switch over the evaluation code to using the single probe with tool value.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* remove old probes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add tests

Signed-off-by: Spencer Schrock <sschrock@google.com>

* experiment with one readme

Signed-off-by: Spencer Schrock <sschrock@google.com>

* appease linter

Signed-off-by: Spencer Schrock <sschrock@google.com>

* remove colon from yaml which led to parse errors

Signed-off-by: Spencer Schrock <sschrock@google.com>

* polish documentation details

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-02-15 11:32:35 -08:00
dependabot[bot]
e39802a370
🌱 Bump cloud.google.com/go/bigquery from 1.59.0 to 1.59.1 (#3875)
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.59.0 to 1.59.1.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.59.0...bigquery/v1.59.1)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-13 11:35:58 -08:00
Spencer Schrock
68d8d93f82
🌱 use ValidateTestReturn for SAST tests (#3872)
* check logger counts for SAST tests

previously, we only checked the result score.
test failures with this method dont produce as actionable feedback.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* clarify test names and score constants used

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-02-13 17:36:02 +00:00
dependabot[bot]
9b65bde9a6
🌱 Bump the github-actions group with 1 update (#3870)
Bumps the github-actions group with 1 update: [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action).


Updates `golangci/golangci-lint-action` from 3.7.0 to 4.0.0
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](3a91952989...3cfe3a4abb)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-13 15:42:00 +00:00
dependabot[bot]
ec5c81f890
🌱 Bump mvdan.cc/sh/v3 from 3.7.0 to 3.8.0 (#3871)
Bumps [mvdan.cc/sh/v3](https://github.com/mvdan/sh) from 3.7.0 to 3.8.0.
- [Release notes](https://github.com/mvdan/sh/releases)
- [Changelog](https://github.com/mvdan/sh/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mvdan/sh/compare/v3.7.0...v3.8.0)

---
updated-dependencies:
- dependency-name: mvdan.cc/sh/v3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-12 10:43:24 -06:00
dependabot[bot]
b31449017e
🌱 Bump github.com/golangci/golangci-lint from 1.55.2 to 1.56.1 in /tools (#3867)
* 🌱 Bump github.com/golangci/golangci-lint in /tools

Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.55.2 to 1.56.1.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.55.2...v1.56.1)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* autofix linter errors with make fix-linter

Signed-off-by: Spencer Schrock <sschrock@google.com>

* move musttag nolint directives to encode location

this was changed in v0.8.0 of the musttag linter.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
2024-02-09 10:53:24 -08:00
dependabot[bot]
e211d37a54
🌱 Bump golang.org/x/oauth2 from 0.16.0 to 0.17.0 (#3868)
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.16.0 to 0.17.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.16.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-09 10:20:48 -06:00
AdamKorcz
6fc7d4c061
Add probe metadata about supported ecosystems (#3797)
* 🌱 Add probe metadata about supported ecosystems

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* Add metadata for the rest of the probes

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* fix wrong formatting

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* remove oss-fuzz, osv, cii_blob, cii_http clients

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* add github and gitlab clients for 2 probes

Signed-off-by: Adam Korczynski <adam@adalogics.com>

---------

Signed-off-by: Adam Korczynski <adam@adalogics.com>
2024-02-08 10:20:07 -08:00
Spencer Schrock
208f45c418
🌱 Add more projects to be scanned by cron (#3863)
Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-02-07 13:28:07 -08:00
dependabot[bot]
fb3edd9d63
🌱 Bump the github-actions group with 6 updates (#3860)
Bumps the github-actions group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.6.1` | `2.7.0` |
| [nick-invision/retry](https://github.com/nick-invision/retry) | `2.9.0` | `3.0.0` |
| [codecov/codecov-action](https://github.com/codecov/codecov-action) | `3.1.5` | `3.1.6` |
| [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `3.3.0` | `3.4.0` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.3.0` | `4.3.1` |
| [actions/download-artifact](https://github.com/actions/download-artifact) | `4.1.1` | `4.1.2` |


Updates `step-security/harden-runner` from 2.6.1 to 2.7.0
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](eb238b55ef...63c24ba6bd)

Updates `nick-invision/retry` from 2.9.0 to 3.0.0
- [Release notes](https://github.com/nick-invision/retry/releases)
- [Changelog](https://github.com/nick-fields/retry/blob/master/.releaserc.js)
- [Commits](14672906e6...7152eba30c)

Updates `codecov/codecov-action` from 3.1.5 to 3.1.6
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](4fe8c5f003...ab904c41d6)

Updates `sigstore/cosign-installer` from 3.3.0 to 3.4.0
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](9614fae9e5...e1523de757)

Updates `actions/upload-artifact` from 4.3.0 to 4.3.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](26f96dfa69...5d5d22a312)

Updates `actions/download-artifact` from 4.1.1 to 4.1.2
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](6b208ae046...eaceaf801f)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: nick-invision/retry
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-07 12:21:56 -08:00
Spencer Schrock
64d330790d
🌱 Update Go toolchain to 1.22 (#3859)
* update workflows to use go 1.22

Signed-off-by: Spencer Schrock <sschrock@google.com>

* update tools go.mod to 1.22.

no one imports this, so we can bump it now and
avoid issues in the future where we need to upgrade.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* bump docker files

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-02-07 11:36:37 -08:00
Spencer Schrock
ca944e8169
🌱 Change finding Values to map[string]string (#3837)
* make values map string -> string

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fixup branch protection probes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix sast probe

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix signed-releases probes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix maintained probes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix cii-best-practices probes

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix cii-best-practices eval

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix signed-releases eval

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix sast eval

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix maintained eval

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix permissions eval

Signed-off-by: Spencer Schrock <sschrock@google.com>

* appease the linter

Signed-off-by: Spencer Schrock <sschrock@google.com>

* standardize maintained key names

Signed-off-by: Spencer Schrock <sschrock@google.com>

* set lookback days value regardless of outcome

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-02-07 10:55:16 -08:00
dependabot[bot]
fb7739049b
🌱 Bump cloud.google.com/go/bigquery from 1.58.0 to 1.59.0 (#3858)
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.58.0 to 1.59.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.58.0...bigquery/v1.59.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-07 08:53:46 -06:00
dependabot[bot]
ccf2553bef
🌱 Bump arduino/setup-protoc from 1.3.0 to 3.0.0 (#3853)
* 🌱 Bump arduino/setup-protoc from 1.3.0 to 3.0.0

Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.3.0 to 3.0.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](149f6c87b9...c65c819552)

---
updated-dependencies:
- dependency-name: arduino/setup-protoc
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* use vMINOR.PATCH for protoc version

As of arduino/setup-protoc v2, this is the only supported format.
Version 21.6 was used as the majority of the *pb.go files have a header
which says "// protoc v3.21.6".

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
2024-02-06 21:40:01 +00:00
Spencer Schrock
a762812285
🌱 Add tests for probe output format (#3841)
* rename probe format file

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add option parameter to probe result output function

the ability to pretty print will help write a test function

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add test func

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add docstring

Signed-off-by: Spencer Schrock <sschrock@google.com>

* clarify test. add another finding

Signed-off-by: Spencer Schrock <sschrock@google.com>

* force add the test file

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-02-06 20:19:17 +00:00
dependabot[bot]
5a0356b1a9
🌱 Bump github.com/goreleaser/goreleaser in /tools (#3854)
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.23.0 to 1.24.0.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](https://github.com/goreleaser/goreleaser/compare/v1.23.0...v1.24.0)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-06 18:57:44 +00:00
dependabot[bot]
dec01999f5
🌱 Bump github.com/xanzy/go-gitlab from 0.96.0 to 0.97.0 (#3846)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.96.0 to 0.97.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.96.0...v0.97.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-06 10:53:59 -06:00
dependabot[bot]
b21a350f50
🌱 Bump github.com/jszwec/csvutil from 1.9.0 to 1.10.0 (#3845)
Bumps [github.com/jszwec/csvutil](https://github.com/jszwec/csvutil) from 1.9.0 to 1.10.0.
- [Release notes](https://github.com/jszwec/csvutil/releases)
- [Commits](https://github.com/jszwec/csvutil/compare/v1.9.0...v1.10.0)

---
updated-dependencies:
- dependency-name: github.com/jszwec/csvutil
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-05 11:58:45 -06:00
afmarcum
b03bd230e2
📖 Update Readme Slack references (#3839)
Signed-off-by: afmarcum <138055109+afmarcum@users.noreply.github.com>
2024-02-02 10:22:31 -08:00
dependabot[bot]
c4cbd1a15c
🌱 Bump cloud.google.com/go/pubsub from 1.35.0 to 1.36.1 (#3833)
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.35.0 to 1.36.1.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.35.0...pubsub/v1.36.1)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-02 11:47:55 -06:00
dependabot[bot]
db86b8bfe4
🌱 Bump github.com/moby/buildkit from 0.12.4 to 0.12.5 (#3836)
Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.12.4 to 0.12.5.
- [Release notes](https://github.com/moby/buildkit/releases)
- [Commits](https://github.com/moby/buildkit/compare/v0.12.4...v0.12.5)

---
updated-dependencies:
- dependency-name: github.com/moby/buildkit
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-01 11:36:11 +01:00
dependabot[bot]
6f816c80bc
🌱 Bump github.com/google/osv-scanner from 1.6.1 to 1.6.2 (#3834)
* 🌱 Bump github.com/google/osv-scanner from 1.6.1 to 1.6.2

Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.6.1 to 1.6.2.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/compare/v1.6.1...v1.6.2)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* specify go patch version

go mod tidy requires this. I was able to delete the toolchain directive,
and it wasn't added back.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* bump dockerfiles to 1.21.6 so the build works

Signed-off-by: Spencer Schrock <sschrock@google.com>

* bump go version used in codeql workflow

github runners currently use Go 1.20 by default,
which doesn't understand 1.21.x format.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
2024-01-31 18:54:06 +00:00
Spencer Schrock
e10dbb1531
🐛 Support self-hosted GitLab instances where base URL has a path component (#3819)
* Add GL_HOST env flag

Self-hosted instances which dont use a subdomain result in broken API links.
This change may not be finished, but is intended to evaluate the solution.

Previously, self hosted instances where the instance is part of the path (foo.com/gitlab/owner/repo)
would have their API base URL registered as foo.com/api/v4/ instead of foo.com/gitlab/api/v4/

Signed-off-by: Spencer Schrock <sschrock@google.com>

* include token in gitlab project probe

Signed-off-by: Spencer Schrock <sschrock@google.com>

* consider GL_HOST when parsing gitlab repo urls

Signed-off-by: Spencer Schrock <sschrock@google.com>

* remove unneeded GL_HOST parsing

now that repoURL_parse handles GL_HOST, we dont need it elsewhere.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* cleanup

Signed-off-by: Spencer Schrock <sschrock@google.com>

* mention GL_HOST in readme

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix linter

Signed-off-by: Spencer Schrock <sschrock@google.com>

* handle GL_HOST without scheme

Signed-off-by: Spencer Schrock <sschrock@google.com>

* move api-less check earlier

if we can avoid an API call, do it.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* try listing projects with and without auth token

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix linter

Signed-off-by: Spencer Schrock <sschrock@google.com>

* revert passing token to list projects

the simpler the better

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-01-31 10:04:41 -08:00
Spencer Schrock
83ff808f0d
🌱 Enhance test output and management in ValidateTestReturn (#3810)
* test failures should print the details they receive

this makes debugging failing tests easier.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* use GinkgoTB so the test helpers work instead of panicing

Signed-off-by: Spencer Schrock <sschrock@google.com>

* ValidateTestReturn will fail the test directly, no need for the bool return

Signed-off-by: Spencer Schrock <sschrock@google.com>

* clarify diff details

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-01-30 12:40:41 -08:00
dependabot[bot]
19047e8ab4
🌱 Bump github.com/google/go-containerregistry (#3828)
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.18.0 to 0.19.0.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.18.0...v0.19.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-01-30 10:15:32 -06:00
dependabot[bot]
a25f108f4b
🌱 Bump the github-actions group with 3 updates (#3825)
Bumps the github-actions group with 3 updates: [tj-actions/changed-files](https://github.com/tj-actions/changed-files), [codecov/codecov-action](https://github.com/codecov/codecov-action) and [actions/upload-artifact](https://github.com/actions/upload-artifact).


Updates `tj-actions/changed-files` from 42.0.0 to 42.0.2
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](ae82ed4ae0...90a06d6ba9)

Updates `codecov/codecov-action` from 3.1.4 to 3.1.5
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](eaaf4bedf3...4fe8c5f003)

Updates `actions/upload-artifact` from 4.2.0 to 4.3.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](694cdabd8b...26f96dfa69)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-01-29 11:07:53 -08:00
Spencer Schrock
301208ce76
dependency-update-tool: detect GitLab Renovate config files (#3823)
also organize the list in order of appearance on website.
this makes it easier to compare.

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-01-29 10:05:26 -08:00
Josh Soref
3b948257fc
📖 Fix spelling (#3804)
* spelling: accurate

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: administrator

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: analyze

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: andtwenty

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: ascii

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: association

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: at least

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: attestor

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: barbaric

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: bucket

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: by

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: can

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: case-insensitive

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: case-sensitive

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: checking

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: command-line

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: commit

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: committed

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: conclusion

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: corresponding

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: created

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: dataset

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: default

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: defines

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: dependabot

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: dependency

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: depending

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: desired

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: different

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: disclose

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: download

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: each

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: enforce

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: every time

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: exist

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: existing

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: fields

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: files

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: for

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: force-push

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: github

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: gitlab

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: ignoreed

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: implementation

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: implements

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: increase

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: indicates

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: initialized

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: instructions

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: invalid

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: marshal

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: match

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: name

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: nonexistent

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: organization

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: package

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: provenance

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: query

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: readers

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: receive

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: registered

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: remediate

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: representation

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: requests

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: requires

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: return

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: scorecard

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: separator

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: serialization

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: sign up

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: specifications

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: specified

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: success

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: successfully

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: the

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: their

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: twenty

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: unexpected

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: unused

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: unverified

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: validate

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: vendor

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: vulnerabilities

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: vulns

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: will

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: without

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: workflow

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

* spelling: workflows

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

---------

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2024-01-26 23:08:26 +00:00
lelia
da3e5ad3cf
🌱 Add active cisco-open projects to cronjob (#3822)
Signed-off-by: lelia <le1ia@me.com>
2024-01-26 14:52:18 -08:00
André Backman
9440b761df
New probes: code-review (#3302)
* 🌱 Bump github.com/goreleaser/goreleaser in /tools (#3238)

Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.18.2 to 1.19.1.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](https://github.com/goreleaser/goreleaser/compare/v1.18.2...v1.19.1)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* begin implementing probe: minTwoCodeReviewers

Signed-off-by: André Backman <andre.backman@nokia.com>

* print raw results

Signed-off-by: André Backman <andre.backman@nokia.com>

* print raw results

Signed-off-by: André Backman <andre.backman@nokia.com>

* print raw results

Signed-off-by: André Backman <andre.backman@nokia.com>

* rename probe directory: minimumCodeReviewers

Signed-off-by: André Backman <andre.backman@nokia.com>

* rename probe CodeReviewers

Signed-off-by: André Backman <andre.backman@nokia.com>

* rename import for CodeReviewers probe

Signed-off-by: André Backman <andre.backman@nokia.com>

* update code reviewers definition

Signed-off-by: André Backman <andre.backman@nokia.com>

* update code reviewers implementation; fixed embed FS usage

Signed-off-by: André Backman <andre.backman@nokia.com>

* printing all findings, work out where to concatenate them

Signed-off-by: André Backman <andre.backman@nokia.com>

* concatenated findings to one single finding, outcome is based on the least found unique reviewers

Signed-off-by: André Backman <andre.backman@nokia.com>

* refactored uniqueCodeReviewers probe, needs more error checks

Signed-off-by: André Backman <andre.backman@nokia.com>

* add error handling for cases of non-existant author and/or reviewer logins

Signed-off-by: André Backman <andre.backman@nokia.com>

* add error handling for cases of non-existant author and/or reviewer logins

Signed-off-by: André Backman <andre.backman@nokia.com>

* rename probe

Signed-off-by: André Backman <andre.backman@nokia.com>

* update codeReviewTwoReviewers definition

Signed-off-by: André Backman <andre.backman@nokia.com>

* rename unique code reviewers probe

Signed-off-by: André Backman <andre.backman@nokia.com>

* implement codeApproved probe, validation of reviews needs fixing

Signed-off-by: André Backman <andre.backman@nokia.com>

* update codeApproved probe, validation of reviews needs fixing

Signed-off-by: André Backman <andre.backman@nokia.com>

* working version of codeApproved probe

Signed-off-by: André Backman <andre.backman@nokia.com>

* codeReviewed probe implemented

Signed-off-by: André Backman <andre.backman@nokia.com>

* clean up comments, add imports, run all probes

Signed-off-by: André Backman <andre.backman@nokia.com>

* update license comments

Signed-off-by: André Backman <andre.backman@nokia.com>

* Update def.yml license

Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>

* Update def.yml license

Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>

* Update def.yml license

Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>

* Update impl.go license

Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>

* Update impl.go license to Apache 2

Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>

* Update impl.go license to Apache 2

Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>

* Update code_review.go license

Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>

* Update entries.go; CodeReviewChecks now called CodeReview

Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>

* Update impl.go, refactor codeReviewTwoReviewers; moved utility functions into impl.go

Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>

* Delete code_review.go utilities

moved utility functions to the impl.go they are used in

Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>

* rename probe

Signed-off-by: André Backman <andre.backman@nokia.com>

* update codeReviewTwoReviewers definition

Signed-off-by: André Backman <andre.backman@nokia.com>

* implement codeApproved probe, validation of reviews needs fixing

Signed-off-by: André Backman <andre.backman@nokia.com>

* update codeApproved probe, validation of reviews needs fixing

Signed-off-by: André Backman <andre.backman@nokia.com>

* working version of codeApproved probe

Signed-off-by: André Backman <andre.backman@nokia.com>

* codeReviewed probe implemented

Signed-off-by: André Backman <andre.backman@nokia.com>

* clean up comments, add imports, run all probes

Signed-off-by: André Backman <andre.backman@nokia.com>

* update license comments

Signed-off-by: André Backman <andre.backman@nokia.com>

* update license comments

Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Included unit tests (#3242)

- Included unit tests

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Bump golang.org/x/text from 0.10.0 to 0.11.0 (#3243)

Bumps [golang.org/x/text](https://github.com/golang/text) from 0.10.0 to 0.11.0.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](https://github.com/golang/text/compare/v0.10.0...v0.11.0)

---
updated-dependencies:
- dependency-name: golang.org/x/text
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Bump golang.org/x/oauth2 from 0.9.0 to 0.10.0 (#3244)

Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.9.0 to 0.10.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.9.0...v0.10.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 📖 Update Branch-Protection admin and non-admin requirements (#2772)

* docs: Branch protection admin-only requirements

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: Branch protection requirements by tier

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: How get a perfect score in branch protection

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: Fix local images ref in doc

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: Fix typo

Co-authored-by: Pedro Nacht <pedro.k.night@gmail.com>
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: Fix check specific table of contents

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Code owners setting is non admin

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: Fix branch protection applied not only to main branch

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: Add alt text for images

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: You can get a perfect score with non admin access

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: update max tier scores

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: update tier 1 max points explanation

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: Move changes to internal checks doc

Move changes done in docs/checks.md to docs/checks/internal/checks.yaml.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: Revert changes on checks doc

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: Fix admin settings evaluated on branch protection

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: Change branch protection model status checks

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: Change tiers score to expected score

The expected score for the code to output is 3/10 for Tier 1 case and 7/10 for Tier 3 case. The scoring issue will be reported as bug.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: Fix Tier 3 score

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

---------

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
Co-authored-by: Pedro Nacht <pedro.k.night@gmail.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Linter workflow cleanup (#3247)

* Fix linter timeout by renaming deprecated deadline.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Disable depguard linter.

As of golangci-lint v3.5.0, the depguard linter is complaining. We don't use a .depguard.yml file, so just disabling the linter.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Move linter into own workflow.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Fix bash command substitution.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add harden runner.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* switch names to existing linter job

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Update golangci-lint to v1.53.3

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Bump tj-actions/changed-files from 37.0.5 to 37.1.0 (#3253)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.0.5 to 37.1.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](54849deb96...87e23c4c79)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Bump github.com/goreleaser/goreleaser in /tools (#3252)

Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.19.1 to 1.19.2.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](https://github.com/goreleaser/goreleaser/compare/v1.19.1...v1.19.2)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Bump golang.org/x/tools from 0.10.0 to 0.11.0

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.10.0 to 0.11.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.10.0...v0.11.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Improve rate limit handling in roundtripper (#3237)

- Add rate limit testing and handling functionality
- Add tests for successful response and Retry-After header set scenarios

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Bump tj-actions/changed-files from 37.1.0 to 37.1.1 (#3259)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.0 to 37.1.1.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](87e23c4c79...1f20fb83f0)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Bump github.com/bradleyfalzon/ghinstallation/v2 (#3260)

Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.5.0 to 2.6.0.
- [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases)
- [Commits](https://github.com/bradleyfalzon/ghinstallation/compare/v2.5.0...v2.6.0)

---
updated-dependencies:
- dependency-name: github.com/bradleyfalzon/ghinstallation/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱Add urls for opentelemetry, micrometer and new relic to weekly cron (#3248)

* add urls for opentelemetry and micrometer

Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com>

* add jakarta-activation url

Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com>

* adding json-path

Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com>

* fix uing make

Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com>

---------

Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🐛  Add npm installs to Pinned-Dependencies score (#2960)

* feat: Add npm install to pinned dependencies score

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Fix pinned dependencies evaluation tests

Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, for "various wanrings" test, the total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Fix pinned dependencies e2e tests

Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. The repo being tested, ossf-tests/scorecard-check-pinned-dependencies-e2e, has third-party GitHub actions pinned, no npm installs, and all other dependencies types are unpinned. This gives us 8 for actionScore, 10 for npmScore and 0 for all other scores. Previously the total score was 8/5~=1, and now the total score is 18/6=3. Also, since there are no npm installs, there's one more Info log for "npm installs are pinned".

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Fix typo

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Unpinned npm install score

When having one unpinned npm install and all other dependencies pinned, the score should be 50/6~=8. Also, it should raise 1 warning for the unpinned npm install, 6 infos saying the other dependency types are pinned (2 for GHAs, 2 for dockerfile image and downdloads, 1 for script downdloads and 1 for pip installs), and 0 debug logs since the npm install dependency does not have an error message.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Undefined npm install score

When an error happens to parse a npm install dependency, the error/debug message is saved in "Msg" field. In this case, we were not able to define if the npm install is pinned or not. This dependency is classified as pinned undefined. We treat such cases as pinned cases, so it logs as Info that npm installs are all pinned and counts the score as 10. Then, the final score makes it to 10 as well. Since it logs the error/debug message, the Debug log goes to 1.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Fix typo

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Fix "validate various warnings and info" test

Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, this test total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: npm dependencies pinned log

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Remove test of error when parsing an npm dependency

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

---------

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Bump github.com/moby/buildkit from 0.11.6 to 0.12.0 (#3264)

Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.11.6 to 0.12.0.
- [Release notes](https://github.com/moby/buildkit/releases)
- [Commits](https://github.com/moby/buildkit/compare/v0.11.6...v0.12.0)

---
updated-dependencies:
- dependency-name: github.com/moby/buildkit
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* Ack linter warning and add tracking issue. (#3263)

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🐛 Forgive job-level permissions (#3162)

* Forgive all job-level permissions

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Update tests

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Replace magic number

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Rename test

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Test that multiple job-level permissions are forgiven

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Drop unused permissionIsPresent

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Update documentation

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Modify score descriptions

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Document warning for job-level permissions

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* List job-level permissions that get WARNed

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

---------

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🐛 Fix typo (#3267)

Signed-off-by: Eugene Kliuchnikov <eustas@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 📖  Suggest new score viewer on badge documentation (#3268)

* docs(readme): suggest new score viewer on badge documentation

Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>

* docs(readme): add link to ossf blogpost about the badge

Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>

* docs: update badge of our own README to the new viewer

Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>

---------

Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Bump tj-actions/changed-files from 37.1.1 to 37.1.2 (#3266)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.1 to 37.1.2.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](1f20fb83f0...2a968ff601)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Update the cover profile for e2e (#3271)

- Update the cover profile for e2e

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Improve e2e workflow tests (#3273)

- Add e2e test for workflow runs
- Retrieve successful runs of the scorecard-analysis.yml workflow

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Excluded dependabot from codecov (#3272)

- Exclude dependabot from codecov job in main.yml

[.github/workflows/main.yml]
- Exclude dependabot from codecov job

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Increase test coverage for searching commits (#3276)

- Add an e2e test for searching commits by author
- Search commits by author `dependabot[bot]` and expect results

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🐛 Fix Branch-Protection scoring (#3251)

* fix: Verify if branch is required to be up to date before merge

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: Comment tracking GraphQL bug

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Add validation if pointers are not null before accessing the values

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Delete debug log file

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

---------

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

*  scdiff: generate cmd skeleton (#3275)

* add scdiff root command

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add generate boilerplate.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* get rid of init

Signed-off-by: Spencer Schrock <sschrock@google.com>

* read newline delimitted repo file

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Run scorecard and echo results.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add license

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add basic runner tests.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add Runner comment.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* switch to using scorecard logger.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* linter fix

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Delete unused project-update functionality. (#3269)

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Bump tj-actions/changed-files from 37.1.2 to 37.3.0 (#3280)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.2 to 37.3.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](2a968ff601...39283171ce)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Bump github.com/google/osv-scanner from 1.3.5 to 1.3.6 (#3281)

Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.5 to 1.3.6.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/compare/v1.3.5...v1.3.6)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Bump gocloud.dev from 0.30.0 to 0.32.0 (#3284)

Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.30.0 to 0.32.0.
- [Release notes](https://github.com/google/go-cloud/releases)
- [Commits](https://github.com/google/go-cloud/compare/v0.30.0...v0.32.0)

---
updated-dependencies:
- dependency-name: gocloud.dev
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Include attestor Dockerfile in CI and dependabot updates (#3285)

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Bump tj-actions/changed-files from 37.3.0 to 37.4.0

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.3.0 to 37.4.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](39283171ce...de0eba3279)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Bump google-appengine/debian11 in /attestor

Bumps google-appengine/debian11 from `fed7dd5` to `97dc4fb`.

---
updated-dependencies:
- dependency-name: google-appengine/debian11
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Bump github.com/xanzy/go-gitlab from 0.86.0 to 0.88.0

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.86.0 to 0.88.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.86.0...v0.88.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Use a matrix for docker image building (#3290)

* working matrix.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Remove unneeded env vars. Add comments.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* minor syntax change.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Improve e2e workflow tests (#3282)

- Ensure that only head queries are supported in workflow tests
- Add a test to detect when a non-existent workflow file is used

[e2e/workflow_test.go]
- Add a test to check that only head queries are supported
- Add a test to check that a non-existent workflow file returns an error

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Use a matrix for when building binaries in main.yml (#3291)

* Use matrix for build jobs.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* These build targets dont seem to need protoc.

This lets us save the API quota.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Fix hanging docker jobs for doc only changes. (#3292)

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 📖 Add contributor ladder (#3246)

* Add contributor ladder

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Clarify sponsorship

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Hope for retirement warning

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* 1 maintainer can sponsor a community member

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Apply suggestions from code review

Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Pedro Nacht <pedro.k.night@gmail.com>

---------

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
Signed-off-by: Pedro Nacht <pedro.k.night@gmail.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Consolidate GitLab e2e workflows. (#3278)

* Move gitlab to different workflow to parallelize.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add missing versions.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Add separate cache for long-running tests (#3293)

* Add separate cache for unit tests.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* share cache with gitlab tests too.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* share cache with github integration tests.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* explicitly download modules in unit test job

Signed-off-by: Spencer Schrock <sschrock@google.com>

* checkout needs to be before the go.mod is read.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* checkout needs to be before the go.sum files are hashed.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.0 (#3297)

Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.7.0 to 5.8.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.7.0...v5.8.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Bump github.com/onsi/gomega from 1.27.8 to 1.27.9 (#3298)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.8 to 1.27.9.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.8...v1.27.9)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Improve search commit e2e tests (#3295)

- Add 2 tests for searching commits in e2e/searchCommits_test.go
- Fix errors in e2e/searchCommits_test.go when not using HEAD or when user does not exist

[e2e/searchCommits_test.go]
- Add 2 tests for searching commits
- Fix error when not using HEAD
- Fix error when user does not exist

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 📖  update docs for webhooks documentation (#3299)

* update docs for webhooks documentation

Signed-off-by: leec94 <leec94@bu.edu>

* change webhook severity in readme

Signed-off-by: leec94 <leec94@bu.edu>

---------

Signed-off-by: leec94 <leec94@bu.edu>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Unit tests OSSFuzz client (#3301)

* 🌱 Unit tests OSSFuzz client

- Included tests for  IsArchived, LocalPath, ListFiles, GetFileContent, GetBranch, GetDefaultBranch, GetOrgRepoClient, GetDefaultBranchName, ListCommits, ListIssues, ListReleases, ListContributors, ListSuccessfulWorkflowRuns, ListCheckRunsForRef, ListStatuses, ListWebhooks, SearchCommits, Close, ListProgrammingLanguages,

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>

* Improve OSSFuzz client tests

[clients/ossfuzz/client_test.go]
- Add a test for the `GetCreatedAt` method
- Fix the `URI` method to return the correct value

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>

---------

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* 🌱 Ensure check markdown is kept in sync with source yaml. (#3300)

* Ensure check markdown is kept in sync with check yaml.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* change generate-docs target to detect changes to docs/checks.md directly.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* Update def.yml license

Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* Update def.yml license

Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* Update def.yml license

Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* Update code_review.go license

Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* Update entries.go; CodeReviewChecks now called CodeReview

Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>

* refactor codeReviewTwoReviewers; moved utility functions into impl.go

Signed-off-by: André Backman <andre.backman@nokia.com>

* Update impl.go, refactor codeReviewTwoReviewers; moved utility functions into impl.go

Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>

* Update go.mod, aligned imports

Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>

* update license comments

Signed-off-by: André Backman <andre.backman@nokia.com>

* update license comments

Signed-off-by: André Backman <andre.backman@nokia.com>

* change EOL = CRLF to LF

Signed-off-by: André Backman <andre.backman@nokia.com>

* add error handling in case of no changesets

Signed-off-by: André Backman <andre.backman@nokia.com>

* completed tests for code-review probes

Signed-off-by: André Backman <andre.backman@nokia.com>

* update codeReview probes and utils

Signed-off-by: André Backman <andre.backman@nokia.com>

* fixed some lint errors, check for more

Signed-off-by: André Backman <andre.backman@nokia.com>

* fixed lint issues

Signed-off-by: André Backman <andre.backman@nokia.com>

* fix lint errors

Signed-off-by: André Backman <andre.backman@nokia.com>

* add test for multiple reviews with only one unique reviewer

Signed-off-by: André Backman <andre.backman@nokia.com>

* simplify func uniqueReviewers, use map[string]bool

Signed-off-by: André Backman <andre.backman@nokia.com>

* fix linting error

Signed-off-by: André Backman <andre.backman@nokia.com>

* moved probe tests to their own function

Signed-off-by: André Backman <andre.backman@nokia.com>

* fix comment syntax

Signed-off-by: André Backman <andre.backman@nokia.com>

* gci-ed files to fix linter errors

Signed-off-by: André Backman <andre.backman@nokia.com>

* implement change to skip bot-authored changesets that are reviewed/approved

Signed-off-by: André Backman <andre.backman@nokia.com>

* rewrite finding message

Signed-off-by: André Backman <andre.backman@nokia.com>

* fix output message; do not count the number of approved bot-authored changesets

Signed-off-by: André Backman <andre.backman@nokia.com>

* fix typos

Signed-off-by: André Backman <andre.backman@nokia.com>

* moved probe tests to their corresponding location

Signed-off-by: André Backman <andrebackmann@gmail.com>

* removed redundant probe codeReviewed

Signed-off-by: André Backman <andrebackmann@gmail.com>

* Update probes/codeApproved/def.yml

Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com>

* Update probes/codeApproved/def.yml

Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com>

* Update probes/codeApproved/def.yml

Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com>

* Update probes/codeApproved/def.yml

Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com>

* Update probes/codeApproved/def.yml

Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com>

* Update probes/codeReviewOneReviewers/def.yml

Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com>

* Lint

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com>
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
Signed-off-by: Eugene Kliuchnikov <eustas@google.com>
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Signed-off-by: Pedro Nacht <pedro.k.night@gmail.com>
Signed-off-by: leec94 <leec94@bu.edu>
Signed-off-by: André Backman <andrebackmann@gmail.com>
Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: André Backman <andre.backman@nokia.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Gabriela Gutierrez <gabigutierrez@google.com>
Co-authored-by: Pedro Nacht <pedro.k.night@gmail.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: Ajmal Kottilingal <90693406+ajmalab@users.noreply.github.com>
Co-authored-by: Pedro Nacht <pnacht@google.com>
Co-authored-by: Eugene Kliuchnikov <eustas@google.com>
Co-authored-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Co-authored-by: Caroline <leec94@bu.edu>
Co-authored-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com>
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Co-authored-by: gowriNSN <143079242+gowriNSN@users.noreply.github.com>
Co-authored-by: Raghav Kaul <raghavkaul@google.com>
2024-01-26 19:24:56 +00:00
dependabot[bot]
1fad598220
🌱 Bump cloud.google.com/go/pubsub from 1.34.0 to 1.35.0 (#3820)
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.34.0 to 1.35.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.34.0...pubsub/v1.35.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-01-26 12:22:54 -06:00
dependabot[bot]
e61e7e6955
🌱 Bump github.com/xanzy/go-gitlab from 0.95.2 to 0.96.0 (#3814)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.95.2 to 0.96.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.95.2...v0.96.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-01-25 15:10:58 -06:00
dependabot[bot]
a021b23fbe
🌱 Bump github.com/google/go-containerregistry (#3808)
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.17.0 to 0.18.0.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.17.0...v0.18.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-01-24 19:05:27 +00:00
dependabot[bot]
ce0905a858
🌱 Bump github.com/onsi/gomega from 1.30.0 to 1.31.1 (#3818)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.30.0 to 1.31.1.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.30.0...v1.31.1)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-01-24 11:28:42 -06:00