Commit Graph

2597 Commits

Author SHA1 Message Date
Raghav Kaul
32b5963766
⚠️ Add projectclient to cli and cron, update runscorecard (#4096)
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
2024-05-13 11:59:46 -04:00
dependabot[bot]
db720cc870
🌱 Bump google.golang.org/protobuf from 1.34.0 to 1.34.1 (#4092)
2024-05-10 21:21:27 +00:00
dependabot[bot]
c11d89bfe6
🌱 Bump distroless/base from 29da700 to e238d40 (#4064)
2024-05-10 19:42:53 +00:00
dependabot[bot]
5a59357658
🌱 Bump github.com/xanzy/go-gitlab from 0.103.0 to 0.105.0 (#4099)
2024-05-10 18:33:13 +00:00
dependabot[bot]
9e9de6ac06
🌱 Bump golang from 1.22.2 to 1.22.3 (#4098)
* 🌱 Bump golang from 1.22.2 to 1.22.3

Bumps golang from 1.22.2 to 1.22.3.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* bump the other 7 dockerfiles

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
2024-05-10 18:08:39 +00:00
Spencer Schrock
7ce8609469
🐛 Support renamed gradle verification action and callers which pin to hash (#4097)
* Support renamed gradle verification action

From gradle/wrapper-validation-action's readme:
"As of v3 this action has been superseded by
gradle/actions/wrapper-validation"

Also support actions pinned to a hash.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* remove unneeded dependency

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-05-09 18:27:34 +00:00
Raghav Kaul
f8422929cc
🌱 Add ProjectPackageClient interface and deps.dev default client (#3954)
* Add ProjectPackageClient interface and deps.dev default client

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* v4 -> v5

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* Move to internal

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* move internal to higher-level w/ shared root

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* update

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

---------

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
2024-05-08 16:56:36 -04:00
Spencer Schrock
c92efe9bb2
🌱 cron: don't write anything for projects without URL (#4095)
We still run into the 429 GCS responses due to the lower limits on the same file.
All of the projects without a repo_url are being mapped to the same
object and leading to rate limiting.

"Maximum rate of writes to the same object name: One write per second"
https://cloud.google.com/storage/quotas#objects

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-05-08 13:41:39 -07:00
Spencer Schrock
cc7132d631
🌱 implement basic rate limiting for best practices worker. (#4090)
We are getting connection reset requests from bestpractices.dev and 429
errors from our GCS bucket for too many writes. The GCS limit (1000 QPS)
is much higher, so just use the bestpractices.dev limit of 1 QPS.
https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/api.md

The construct was taken from https://go.dev/wiki/RateLimiting which "works well
for rates up to tens of operations per second."

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-05-08 19:07:43 +00:00
Raghav Kaul
256d5a3b50
🌱 Add script to set up probe boilerplate (#3948)
* Add script

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* script -> go

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* v4 -> v5

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* update

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* update

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

---------

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
2024-05-08 17:58:02 +00:00
dependabot[bot]
6b5cb27cd0
🌱 Bump cloud.google.com/go/pubsub from 1.37.0 to 1.38.0 (#4088)
2024-05-07 17:49:20 +00:00
dependabot[bot]
13c7254fd5
🌱 Bump golang.org/x/text from 0.14.0 to 0.15.0 (#4089)
2024-05-07 17:32:27 +00:00
dependabot[bot]
e6f5767190
🌱 Bump golang.org/x/oauth2 from 0.19.0 to 0.20.0 (#4087)
2024-05-07 17:20:00 +00:00
Spencer Schrock
250690511d
🐛 Code-Review: change phabricator regex to allow URLs (#4086)
The old regex used \w, which only allowed [0-9A-Za-z_]; however, most
projects use full URLs with phabricator (e.g.
https://reviews.foo.org/D###). This led to errors parsing the revisions,
where "https" was seen as the revision, leading to an underreporting of
code review practices.

The new regex focuses on the D#### part and uses it as the revision.

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-05-07 09:51:39 -07:00
dependabot[bot]
81d239f19c
🌱 Bump actions/setup-go from 5.0.0 to 5.0.1 (#4083)
2024-05-06 21:15:59 +00:00
dependabot[bot]
f3859fcd73
🌱 Bump the github-actions group across 1 directory with 2 updates (#4085)
2024-05-06 20:59:35 +00:00
dependabot[bot]
233741b200
🌱 Bump google.golang.org/protobuf in /tools (#4084)
2024-05-06 20:41:29 +00:00
dependabot[bot]
cad20c5355
🌱 Bump cloud.google.com/go/bigquery from 1.60.0 to 1.61.0 (#4069)
2024-05-06 20:25:24 +00:00
dependabot[bot]
16a88c3ce5
🌱 Bump github.com/onsi/ginkgo/v2 in /tools (#4076)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.17.1 to 2.17.2.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.17.1...v2.17.2)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-06 13:04:32 -07:00
S. E. Elder
a788a3830d
🌱 Update Binary-Artifacts and License checks (#4079)
* replaced localRepoClient with mockRepoClient

Signed-off-by: seelder <seelder@ncsu.edu>

* Update binary_artifact_test.go to use scut

Updated the test to use scut. Updated the test data to use scut, including adding NumberOfInfo and NumberOfWarn for each test case

Signed-off-by: seelder <seelder@ncsu.edu>

* Update license_test to use gomock

First attempt at updating license_test to use gomock instead of localDir.

Note: localDir currently has a TODO for implementing ListLicenses. It returns an UnsupportedFeatures error, which is then handled in checks/raw/license. This first attempt replicates that existing behavior.

Signed-off-by: seelder <seelder@ncsu.edu>

* Update license_test documentation

Clarified why the mock simply throws an error

Signed-off-by: seelder <seelder@ncsu.edu>

* Fixed linting error in license_test

Signed-off-by: seelder <seelder@ncsu.edu>

---------

Signed-off-by: seelder <seelder@ncsu.edu>
2024-05-03 14:50:50 -07:00
afmarcum
0e7a09b37e
📖 Remove survey (#4077)
Signed-off-by: afmarcum <138055109+afmarcum@users.noreply.github.com>
2024-05-03 10:46:46 -07:00
Spencer Schrock
b9c1f3fc7a
🐛 fix signed-releases lookback limit precedence (#4060)
* switch signed-releases lookback limit precedence

if the 6th release had no assets, the lookback limit exit condition was
being skipped. This led to scenarios where too many releases were being
considered by the Signed-Releases check.

https://github.com/ossf/scorecard/issues/4059

Signed-off-by: Spencer Schrock <sschrock@google.com>

* make exit condition stronger

any release after the lookback should be skipped

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-05-02 10:43:13 -07:00
dependabot[bot]
0616bf3a5e
🌱 Bump github.com/moby/buildkit from 0.13.1 to 0.13.2 (#4070)
Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.13.1 to 0.13.2.
- [Release notes](https://github.com/moby/buildkit/releases)
- [Commits](https://github.com/moby/buildkit/compare/v0.13.1...v0.13.2)

---
updated-dependencies:
- dependency-name: github.com/moby/buildkit
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-02 13:23:17 -04:00
dependabot[bot]
62aca9907c
🌱 Bump github.com/onsi/gomega from 1.33.0 to 1.33.1 (#4066)
2024-04-30 21:42:28 +00:00
dependabot[bot]
6147f367c4
🌱 Bump the github-actions group across 1 directory with 4 updates (#4067)
2024-04-30 21:18:01 +00:00
dependabot[bot]
58f0ed5ed3
🌱 Bump google.golang.org/protobuf from 1.33.0 to 1.34.0 (#4065)
2024-04-30 20:59:20 +00:00
Spencer Schrock
d4487dc774
🌱 Enable dependabot multi-directory updates (#4062)
* allowed shared updates across gomod directories

Signed-off-by: Spencer Schrock <sschrock@google.com>

* group docker directories

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-04-30 13:36:49 -07:00
Spencer Schrock
71aed951f9
allow probes to collect their own data from repo clients (#4052)
* introduce independent probe implementations

rather than rely on checks collecting raw data, independent probes
collect their own raw data using the underlying repo client present in
the check request.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add test

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-04-25 18:23:54 +00:00
Stephen Augustus
0ea86598f6
📖 governance: Adopt Scorecard project charter (#4054)
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2024-04-25 10:47:54 -07:00
dependabot[bot]
a0efbf455b
🌱 Bump github.com/onsi/gomega from 1.32.0 to 1.33.0 (#4042)
2024-04-24 19:10:30 +00:00
dependabot[bot]
f9b43b72db
🌱 Bump github.com/xanzy/go-gitlab from 0.102.0 to 0.103.0 (#4043)
2024-04-24 18:57:03 +00:00
dependabot[bot]
eef39716ef
🌱 Bump github.com/google/osv-scanner from 1.7.1 to 1.7.2 (#4044)
2024-04-24 18:44:47 +00:00
dependabot[bot]
c69fcab521
🌱 Bump golang.org/x/net from 0.22.0 to 0.23.0 (#4045)
2024-04-24 18:32:27 +00:00
dependabot[bot]
43022835f2
🌱 Bump golang.org/x/net from 0.22.0 to 0.23.0 in /tools (#4046)
2024-04-24 18:13:06 +00:00
dependabot[bot]
db55585a49
🌱 Bump the github-actions group across 1 directory with 6 updates (#4051)
2024-04-24 17:59:20 +00:00
Spencer Schrock
252eee2f68
🌱 bump publishimage version (#4028)
* bump version

Signed-off-by: Spencer Schrock <sschrock@google.com>

* only publish images for tagged releases or candidates.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-04-24 10:27:28 -07:00
Gabriela Gutierrez
8789bbbbfc
⚠️ Add initial Maintainers Annotation parsing (#3905)
* feat: Get maintainers annotation from repo

This commit adds functionality to read a scorecard.yml file from a repository and parse it to get the maintainers annotation. It introduces the concepts of exemptions, annotations, annotated checks, and annotation reasons.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* feat: Hand off maintainers annotation for SARIF

Hand off maintainers annotation to SARIF formatting so it can decide to skip or not skip checks when creating the output.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* feat: If check is annotated, skip in SARIF output

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* feat: Add other annotation reasons

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* feat: Add options to show maintainers annotations in output

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* feat: Output maintainers annotations in JSON

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Remove unnecessary maintainers annotation param in SARIF

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* feat: Output maintainers annotations in string default result

This commit changes how data is appended to the table rows. Previously, we defined the table columns size and added information to each index. To avoid complicating the calculation of the index now that we are adding another optional column, the data is appended to the row as needed.

Also, the maintainers annotation was chosen to be displayed as last column to give space for Scorecard official reasoning and documentation to appear first.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* feat: Ignore annotation if check has max score

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* doc: Add documentation for maintainers annotation

Introduce what flag should be used to show maintainers annotation and how to configure maintainers annotation for your repository.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* refactor: A maintainers annotation obj can verify if a check is exempted

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* refactor: Get annotations function can be private

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* refactor: Find scorecard.yml file in the repository's root

Change to "GetFileContent" method since we're looking for a specific file instead of using "OnMatchingFileContentDo" method that looks for files with a specific content.
This also removes the dependency from "checks/fileparser". This is necessary to move "IsCheckExempted" to checker.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: A check should know if it's exempted or not

Moving the verification "IsCheckExempted" from maintainers_annotation package to checker package. This way a check result will define, consulting maintainers annotation, if it is exempted or not.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Maintainers annotation can only be used in experimental mode

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Ignore if scorecard.yml does not exist

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Remove unnecessary maintainers annotation param

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: Move complete maintainers annotation doc to feature folder

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Error logs

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* refactor: Rename AnnotationReason to Reason

Avoid repetition in variable references.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* refactor: Reason documentation

Redo reason documentation as a switch case to be called when necessary instead of defining a global map. Another reason to redo this logic as a switch is that a switch should be more performant than instantiating a local map.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* refactor: Rename ScorecardYml to ScorecardConfig

This is a better generic name to reference Scorecard configuration file and leave the file format for the implementation.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Check name comparison

The EqualFold comparison is already case insensitive.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* refactor: Rename maintainers annotation folder/file to config

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* refactor: Rename and simplify parsing the config

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* refactor: Check parses its reasons

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Is check exempted

Fix config structure renaming and collect all annotation reasons for a check. Don't stop at the first annotation that says the check is exempted.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* refactor: Rename maintainers annotation to annotations

Renaming flags, function params, docs and fixing config renamings.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* refactor: Separate annotations content from config parsing

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Omit empty annotations in JSON results

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* refactor: Read config file content

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* refactor: JSON2 result options

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* refactor: String result options

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Mock GetFileReader

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Annotation on Binary-Artifacts check

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* feat: Validate annotated checks

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Annotating all checks

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* feat: Validate annotated reasons

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Annotating all reasons

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Multiple annotations

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Binary-Artifacts exempted for testing

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Binary-Artifacts not exempted

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: No checks exempted

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Exemption is outdated

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Improve reasons error comparison

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Multiple exemption reasons in a single annotation

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Multiple exemption reasons across annotations

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: cmd show annotations flag doc

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Add show annotations flag

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Remove unnecessary function

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Annotations string format

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Annotations json format

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Linter fallthrough

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Linter imports

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Linter unnecessary struct type declaration

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Linter append combine

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Linter struct memory

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Linter improve error msg in run scorecard

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Linter dynamic errors

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: Disable security alerts on SARIF output

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* docs: Redirect to configuration doc on main README

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Invalid check in annotations

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Invalid reason in annotations

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Exempt check on SARIF output clears runs

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Add check1 annotations json

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: On parse error return empty config file not a "dirty" one

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: On parse config error continue execution

We log the error to the user but continue execution with empty config.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Merge conflicts importing rules

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Readd is experimental enabled method

This method is necessary to validate if experimental feature is enabled so it can activate show annotations feature.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* feat: Wrap config parse under experimental flag

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix unit test by removing unused mock call

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
2024-04-23 20:15:12 +00:00
Raghav Kaul
39b56e809b
📖 docs: update website (#4041)
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
2024-04-18 16:36:01 -07:00
Case Wylie
39e968dceb
⚠️ errors in ErrXXX format (#4040)
Signed-off-by: Case Wylie <cmwylie19@defenseunicorns.com>
2024-04-17 22:49:12 -07:00
Spencer Schrock
0b9dfb656f
⚠️ Replace v4 module references with v5 (#4027)
Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-04-12 14:51:50 -07:00
dependabot[bot]
f939ab1cb3
🌱 Bump golang.org/x/oauth2 from 0.18.0 to 0.19.0 (#4004)
2024-04-12 18:31:25 +00:00
dependabot[bot]
ce851945a0
🌱 Bump github.com/sigstore/cosign/v2 in /tools (#4022)
2024-04-12 18:19:04 +00:00
dependabot[bot]
d187f11e0f
🌱 Bump sigs.k8s.io/release-utils from 0.6.0 to 0.8.1 (#4015)
2024-04-12 18:07:00 +00:00
Spencer Schrock
d4c5b18151
⚠️ remove experimental gate from probe format (#4026)
* remove experimental gate from probe format

Also delete finding and structured results formats as they weren't used

Signed-off-by: Spencer Schrock <sschrock@google.com>

* rename method which writes probe format

Signed-off-by: Spencer Schrock <sschrock@google.com>

* remove unused code for linter

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-04-12 10:36:57 -07:00
Spencer Schrock
f4c3025998
🐛 Token-Permissions: use same text for read token details as write token details (#4025)
* use same text for read token details as write token details

This was an unintentional regression from v4.13.1

Signed-off-by: Spencer Schrock <sschrock@google.com>

* deal with linter warning

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-04-12 10:07:46 -07:00
Spencer Schrock
d8b26d974f
🐛 Signed-Releases: don't warn about signatures if provenance present (#4024)
* reduce number of findings to 1 per probe per release

having different findings for different release artifacts isn't how the
probe works and it makes the whole thing very noisy

Signed-off-by: Spencer Schrock <sschrock@google.com>

* don't log lack of signature if we have provenance

reduce test warn counts for cases where there is provenance but no signature

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-04-12 09:47:10 -07:00
Felix Hoeborn
21d53ce28c
Added probe for permissive licenses (#3838)
* Added check for permissive licenses

Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>

* Regenerated docs and added more permissive licenses to check

Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>

* Added e2e tests

Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>

* Corrected copyright dates and missing newlines

Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>

* Corrected copyright dates

Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>

* Adjustments after review

Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>

* Added file location in case a permissive license was found and adjusted tests

Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>

* Removed code for check, adjusted probe code to be invoked independently

Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>

* add remediate on outcome detail

Signed-off-by: Spencer Schrock <sschrock@google.com>

* avoid memory aliasing

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com>
Signed-off-by: Felix Hoeborn <98820380+fhoeborn@users.noreply.github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
2024-04-11 23:07:35 -07:00
Adam Harvey
b77f248ff6
🌱 Bump CodeQL Action version to 3.24.10 and remove whitespace (#3972)
* 🌱 Remove whitespace

Signed-off-by: Adam Harvey <33203301+adamdmharvey@users.noreply.github.com>

* 🌱 Bump CodeQL Action version manually

Signed-off-by: Adam Harvey <33203301+adamdmharvey@users.noreply.github.com>

* 🌱 Bump CodeQL Action to v3.x series

Signed-off-by: Adam Harvey <33203301+adamdmharvey@users.noreply.github.com>

* chore(ci): Bump to latest CodeQL action hash/version

Signed-off-by: Adam Harvey <33203301+adamdmharvey@users.noreply.github.com>

---------

Signed-off-by: Adam Harvey <33203301+adamdmharvey@users.noreply.github.com>
2024-04-12 05:28:34 +00:00
Spencer Schrock
96452d99ab
📖 Review and update some probe documentation (#4023)
* polish some probe yaml definitions

Signed-off-by: Spencer Schrock <sschrock@google.com>

* update references to probe naming and outcomes

now that #3654 is addressed, the naming restrictions can be relaxed.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-04-11 22:08:55 -07:00
Spencer Schrock
856419158a
🌱 migrate code review check to probes (#3979)
* initial conversion

Signed-off-by: Spencer Schrock <sschrock@google.com>

* appease the linter

Signed-off-by: Spencer Schrock <sschrock@google.com>

* cleanup outcomes from positive/negative to true/false conversion

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-04-10 15:43:12 -07:00