Commit Graph

417 Commits

Author SHA1 Message Date
laurentsimon
fd8731481f
Update score for branch protection with levels (#1287)
* draft

* draft2

* fix

* fix

* fix

* test

* linter

* comments

* comment

* update doc

* comments
2021-11-20 01:42:21 +00:00
Evgeny Vereshchagin
9d2976592f
Signed-Releases: really look for *.sign files (#1298)
With this patch applied, projects like dracut pass the check:
```
  "checks": [
    {
      "details": [
        "Debug: GitHub release found: 055",
        "Info: signed release artifact: dracut-055.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/37635937",
        "Debug: GitHub release found: 054",
        "Info: signed release artifact: dracut-054.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/36958052",
        "Debug: GitHub release found: 053",
        "Info: signed release artifact: dracut-053.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/32484038",
        "Debug: GitHub release found: 052",
        "Info: signed release artifact: dracut-052.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/32130796",
        "Debug: GitHub release found: 051",
        "Info: signed release artifact: dracut-051.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/31933850"
      ],
      "score": 10,
      "reason": "5 out of 5 artifacts are signed -- score normalized to 10",
      "name": "Signed-Releases",
```
2021-11-20 00:55:08 +00:00
asraa
730076fab1
🐛 fix dangerous workflow test and workflow parsing (#1283)
* fix dangerous workflow

Signed-off-by: Asra Ali <asraa@google.com>

* check if removing label comment fixes

Signed-off-by: Asra Ali <asraa@google.com>

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-11-20 00:16:02 +00:00
Azeem Shaikh
e15e7b1ca5
More nilptr issues (#1296)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-18 05:27:06 +00:00
Azeem Shaikh
8fae5b10bd
Fix more nil-ptr dereferences (#1295)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-17 20:00:40 +00:00
Azeem Shaikh
2375ae2812
Add a OssFuzzRepoClient (#1280)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-17 03:04:37 +00:00
Azeem Shaikh
0b32cc3138
Fix broken e2e tests (#1291)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-17 02:41:25 +00:00
Evgeny Vereshchagin
0bd575641d
Binary-Artifacts: no longer complain about ".bin" files (#1288)
Those files most likely contain binary data used by tests, for
example. It should be safe to remove this because executables
disguised as ".bin" files will still be caught and flagged by scorecard
before it even has a chance to look at extensions.

It should address https://github.com/ossf/scorecard/issues/1256
2021-11-17 01:08:25 +00:00
laurentsimon
cc4949465b
[Check split]: Binary-Artifacts (#1244)
* split binary artifact check

* fix

* missing file

* comments

* linter

* fix

* comments

* linter
2021-11-16 19:57:14 +00:00
Chris McGehee
4bd24b8291
Including line number: Dockerfile FROM not pinned (#1258)
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2021-11-16 18:28:51 +00:00
laurentsimon
86835fcfd6
🐛 Fix branch protection results (#1252)
* fix

* fix

* doc

* fix

* comment

* update tests

* fix

* fixes

* fix

* disable tests temp

* score change

* fix

* comments

* docs
2021-11-16 17:27:27 +00:00
laurentsimon
4502dfb557
Reduce false positives in Token-Permissions for contents permission (#1253)
* fix

* tests
2021-11-16 03:03:54 +00:00
laurentsimon
63e3b92466
fix (#1277) 2021-11-15 21:42:25 +00:00
asraa
1050b1cd60
Add dangerous workflow check with untrusted code checkout pattern (#1168)
* add dangerous workflow check with untrusted code checkout pattern

Signed-off-by: Asra Ali <asraa@google.com>

* update

Signed-off-by: Asra Ali <asraa@google.com>

* add env var

Signed-off-by: Asra Ali <asraa@google.com>

* fix comment

Signed-off-by: Asra Ali <asraa@google.com>

* add repos git checks.yaml

Signed-off-by: Asra Ali <asraa@google.com>

* update checks.md

Signed-off-by: Asra Ali <asraa@google.com>

* address comments

Signed-off-by: Asra Ali <asraa@google.com>

* fix merge

Signed-off-by: Asra Ali <asraa@google.com>

* add delete

Signed-off-by: Asra Ali <asraa@google.com>

* update docs

Signed-off-by: Asra Ali <asraa@google.com>

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-11-15 20:18:10 +00:00
Azeem Shaikh
4dde356329
Fix nil-ptr dereference (#1269)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-15 17:54:27 +00:00
Azeem Shaikh
6223b6620a
Add CIIClient interface (#1262)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-15 02:46:41 +00:00
Evgeny Vereshchagin
d4904555b4
CI-Test: stop assuming either "statuses" or "check runs" are used (#1259)
Projects with a lot of different CI services use both and the check
should take that into account so as not to report that PRs
like https://github.com/systemd/systemd/pull/21329
with 28 successful, 4 failing, and 2 neutral checks were merged
without any tests.

Without this patch `scorecard` says that 5 out of 30 PRs were merged
without running tests:
```
        "Debug: CI test found: pr: 21299, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 472a52d22b",
        "Debug: CI test found: pr: 21300, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): cf35602cbc",
        "Debug: CI test found: pr: 21301, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 13b7b8bd73",
        "Debug: CI test found: pr: 21302, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): dfa4876c41",
        "Debug: CI test found: pr: 21304, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 01f6c450b6",
        "Debug: CI test found: pr: 21305, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 547f97d571",
        "Debug: CI test found: pr: 21310, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 0078bbb232",
        "Debug: CI test found: pr: 21312, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): df8a8240d3",
        "Debug: merged PR without CI test: 21313",
        "Debug: CI test found: pr: 21314, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): a942a27840",
        "Debug: CI test found: pr: 21316, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 3fec0e6cbf",
        "Debug: CI test found: pr: 21318, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): db4f0788c5",
        "Debug: CI test found: pr: 21320, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 875afa02fa",
        "Debug: CI test found: pr: 21321, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): a55277b889",
        "Debug: CI test found: pr: 21324, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): b9df4a2b20",
        "Debug: merged PR without CI test: 21325",
        "Debug: CI test found: pr: 21327, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 44ddfb922f",
        "Debug: CI test found: pr: 21328, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 5e034d4d32",
        "Debug: merged PR without CI test: 21329",
        "Debug: CI test found: pr: 21330, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 4df52c20f4",
        "Debug: CI test found: pr: 21331, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 5dd57a00d5",
        "Debug: merged PR without CI test: 21332",
        "Debug: CI test found: pr: 21333, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): e0c311b1aa",
        "Debug: CI test found: pr: 21334, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 55caae6a78",
        "Debug: CI test found: pr: 21335, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): f1d467af25",
        "Debug: merged PR without CI test: 21337",
        "Debug: CI test found: pr: 21341, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 17f8d8f9b4",
        "Debug: CI test found: pr: 21342, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 38ac3ab10a",
        "Debug: CI test found: pr: 21347, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 4f8c9645df",
        "Debug: CI test found: pr: 21349, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 502e2b4b9e"
```
With this patch:
```
        "Debug: CI test found: pr: 21299, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 472a52d22b",
        "Debug: CI test found: pr: 21300, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): cf35602cbc",
        "Debug: CI test found: pr: 21301, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 13b7b8bd73",
        "Debug: CI test found: pr: 21302, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): dfa4876c41",
        "Debug: CI test found: pr: 21304, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 01f6c450b6",
        "Debug: CI test found: pr: 21305, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 547f97d571",
        "Debug: CI test found: pr: 21310, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 0078bbb232",
        "Debug: CI test found: pr: 21312, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): df8a8240d3",
        "Debug: CI test found: pr: 21313, context: github-actions: https://api.github.com/repos/systemd/systemd/check-runs/4191612395",
        "Debug: CI test found: pr: 21314, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): a942a27840",
        "Debug: CI test found: pr: 21316, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 3fec0e6cbf",
        "Debug: CI test found: pr: 21318, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): db4f0788c5",
        "Debug: CI test found: pr: 21320, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 875afa02fa",
        "Debug: CI test found: pr: 21321, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): a55277b889",
        "Debug: CI test found: pr: 21324, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): b9df4a2b20",
        "Debug: CI test found: pr: 21325, context: github-actions: https://api.github.com/repos/systemd/systemd/check-runs/4191237494",
        "Debug: CI test found: pr: 21327, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 44ddfb922f",
        "Debug: CI test found: pr: 21328, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 5e034d4d32",
        "Debug: CI test found: pr: 21329, context: github-actions: https://api.github.com/repos/systemd/systemd/check-runs/4192198481",
        "Debug: CI test found: pr: 21330, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 4df52c20f4",
        "Debug: CI test found: pr: 21331, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 5dd57a00d5",
        "Debug: CI test found: pr: 21332, context: github-actions: https://api.github.com/repos/systemd/systemd/check-runs/4192365458",
        "Debug: CI test found: pr: 21333, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): e0c311b1aa",
        "Debug: CI test found: pr: 21334, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 55caae6a78",
        "Debug: CI test found: pr: 21335, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): f1d467af25",
        "Debug: CI test found: pr: 21337, context: github-actions: https://api.github.com/repos/systemd/systemd/check-runs/4197451714",
        "Debug: CI test found: pr: 21341, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 17f8d8f9b4",
        "Debug: CI test found: pr: 21342, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 38ac3ab10a",
        "Debug: CI test found: pr: 21347, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 4f8c9645df",
        "Debug: CI test found: pr: 21349, context: ci/semaphoreci/pr: Debian autopkgtest (LXC): 502e2b4b9e"
```

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-11-14 16:03:18 -08:00
Azeem Shaikh
51de6b6e5d
Check for issue activity in Maintained (#1251)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-12 22:16:22 +00:00
Eng Zer Jun
177502552a
🌱 Move from io/ioutil to io and os packages (#1250)
The io/ioutil package has been deprecated as of Go 1.16, see
https://golang.org/doc/go1.16#ioutil. This commit replaces the existing
io/ioutil functions with their new definitions in io and os packages.

Signed-off-by: Eng Zer Jun <zerjun@eta-hd.com>

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2021-11-12 19:34:46 +00:00
Azeem Shaikh
c8d2a51375
Ignore nil values in Branch-Protection check (#1243)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-12 19:11:06 +00:00
Azeem Shaikh
ab2bb205d4
Fix nil-ptr access bug (#1248)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-11-12 16:51:41 +00:00
Evgeny Vereshchagin
46611eac5d Security-Policy: really look for the security policy
It was tested with the systemd project where the security policy
is kept in docs/SECURITY.md. Without this patch `scorecard`
says that the security policy can't be found.
2021-11-11 10:08:27 -06:00
laurentsimon
795505fd7f
Remove isScorecardRepo (#1236)
* remove isScorecardRepo

* linter

* linter

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-11-10 20:13:12 +00:00
Evgeny Vereshchagin
5524c9717b
SAST: no longer skip "neutral" checks (#1237)
Some SASTs like LGTM don't analyze PRs where code hasn't been changed,
which leads to their status being "neutral" there.

It's a follow-up to https://github.com/ossf/scorecard/pull/1232#issuecomment-965552702

I'm not sure what to do about one-offs like the one
mentioned in https://github.com/ossf/scorecard/pull/1232#issuecomment-965585962
that shouldn't affect the aggregate score but it can probably
be fixed later.
2021-11-10 19:49:02 +00:00
Evgeny Vereshchagin
6a2fb2edc2
Add LGTM to the SAST check (#1232)
According to https://github.com/apps/lgtm-com
"LGTM is a code analysis platform for identifying vulnerabilities early and preventing
them from reaching production". It's used by `systemd`, `lxc` and a lot of other large
open source projects. The check is
still kind of broken in the sense that it fails to detect
projects where every PR is analyzed by LGTM before getting merged
but it's better than nothing I guess.

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-11-10 10:09:11 -08:00
Chris McGehee
3dc507b9e1 Using library to parse github workflows 2021-11-08 17:00:40 -06:00
Chris McGehee
f319aca82d Moving github workflow parsing to its own file 2021-11-08 17:00:40 -06:00
Chris McGehee
2006be1819 🐛 Token permission check was failing on non-yaml files 2021-11-04 06:19:10 -05:00
Oliver Chang
d3796f29b1
Add ClusterFuzzLite to Fuzzing check. (#1166)
* Add ClusterFuzzLite to Fuzzing check.

Check for the existence of ".clusterfuzzlite/Dockerfile".

Fixes #1148.

* comment

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-10-29 22:33:17 -07:00
Azeem Shaikh
c73c5628ea
Fix GitHub workflows failing (#1172)
Co-authored-by: Azeem Shaikh <azeems@google.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2021-10-28 18:42:55 +00:00
laurentsimon
4cca9b4960
Implement local repo client for local folders (#1146)
* draft

* draft

* docker file

* error

* fix

* fix

* bug

* comments

* missing merge

* fix

* merge issue

* fix

* validate format early

* comments

* fix

* fixes

* uncomment

* gate code for v4 code

* draft

* draft 2

* fix security-policy check

* fix

* merge fixes

* fixes

* fixes

* fixes

* fixes

* mock repo

* linter

* comments

* unit tests

* comments
2021-10-28 18:30:02 +00:00
Azeem Shaikh
0ba864e9c2
Avoid panic in code (#1171)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-10-27 12:24:02 -07:00
Chris McGehee
faab6969d6 Improve formatting, readability 2021-10-25 17:36:37 -05:00
Chris McGehee
c13783a040 🐛 Fixing parsing for Github workflow when matrix is an expression 2021-10-25 17:36:37 -05:00
naveen
54f1429eaa 🌱 Fixed typo administrator
Fixed typo administrator.
2021-10-23 16:29:32 -05:00
laurentsimon
950e0e3d2d
Add support for file-based repo URIs (#1113)
* draft

* draft

* docker file

* error

* fix

* fix

* fixa

* bug

* comments

* missing merge

* fix

* fix rebase

* merge issue

* fix

* validate format early

* fix

* fix2

* comments

* fix
2021-10-21 20:08:56 +00:00
Azeem Shaikh
96140f9646
Add exponential backoff to CII badge check (#1147)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-10-20 18:13:17 +00:00
Azeem Shaikh
b8eba248ac
Improve logging messages (#1140)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-10-18 15:08:15 -07:00
Chris McGehee
cf9399aad4
🐛 Fixing parsing errors for github workflows (#1131) 2021-10-14 08:16:22 -07:00
Naveen
6c1c789dc5
🌱 v3 upgrade changes (#1118)
v3 go.mod changes
2021-10-07 18:16:01 -05:00
Read Sprabery
98f77eea5b
Detect unverified installs of npm packages (#1043)
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-09-30 19:40:04 +00:00
laurentsimon
7e73875acb
update msg (#1086) 2021-09-29 00:39:04 +00:00
olivekl
47319e2841
Update write.md (#1084)
Fix broken link: errors/errors.md
Replace checks/frozen_deps.go with checks/pinned_dependencies.go

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-09-28 20:41:47 +00:00
Azeem Shaikh
00741115ae
Fix CodeReview bug (#1058)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-24 03:56:50 +00:00
laurentsimon
0686ed2ba0
🐛 Fix invalid code review (#1055)
* fix bug

* fix

* comments

* fix

* fixes
2021-09-23 21:17:32 +00:00
laurentsimon
b9daae1c0c
🐛 Update message for Code-Review (#1054)
* update msg

* fix
2021-09-22 21:09:44 +00:00
Chris McGehee
90332a9cb9
🌱 Add counting of shell parsing errors (#1026)
* Add counting of shell parsing errors

* Use existing CheckErrors metric instead

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-09-22 14:46:29 +00:00
naveen
e1a6e7dcad 📖 Fixed the docs for dependabot 2021-09-16 10:25:31 -05:00
naveen
9e81b5f25e 📖 Fixed the dependabot check message
Fixed the dependabot warning message.
https://github.com/ossf/scorecard/issues/1028
2021-09-16 10:08:51 -05:00
laurentsimon
b0fab3fa43
code (#1006)
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-09-13 16:35:50 +00:00
Nanik
0590b03338
change message to make it easier for the user (#1003)
to understand.

* reword the message

* add test for testing the message
2021-09-13 07:33:40 -07:00
Azeem Shaikh
bc37c74b28
Remove Owner/Repo strings from CheckRequest (#997)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-10 10:13:14 -07:00
Azeem Shaikh
e730e911e6
sce.Create -> sce.WithMessage for wrapcheck (#995)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-10 15:50:33 +00:00
Nanik
1da121da29
Give low importance to github-owned actions (#802) (#906)
* Different calculation between github and non-github actions

* Add test case for different kind of github and non-github action

* Modify existing test as score calculation has changed
2021-09-09 12:16:31 -07:00
Chris McGehee
1c7ba79435
🐛 Github workflow steps run on Windows should default to pwsh as its shell (#877)
* Github workflow steps run on Windows should default to pwsh as its shell

* Style change from PR feedback

* Fixing linter error

* MR feedback: simplifying code

* Moving consts to top of file

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-09-07 09:09:20 -07:00
neil465
5476b878bd
Removed unnecessary linters (#969)
* gomnd
* prealloc
* dupl
2021-09-07 10:45:12 -04:00
Chris McGehee
29b7bd3885 Parsing GitHub Workflows should only happen on yaml files 2021-09-06 10:51:33 -05:00
Azeem Shaikh
afe5b40567
Make RepoClient as default interface for Scorecard (#951)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-02 02:32:26 +00:00
Azeem Shaikh
eceb577b84
Add and use RepoClient API for ListStatuses (#949)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-01 18:34:58 +00:00
Azeem Shaikh
eb2b3b2185
Add RepoClient API for ListCheckRunsForRef (#948)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-01 17:43:53 +00:00
Azeem Shaikh
99b9c91570
Use RepoClient API for Packaging check (#940)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-09-01 01:05:34 +00:00
Azeem Shaikh
d6ba2cd6ac
Fix #890 (#938)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-30 20:26:11 -07:00
Azeem Shaikh
e305a94e4f
Use ListReleases API for BranchProtection check (#937)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-30 17:52:08 -07:00
Azeem Shaikh
9a1978a051
Use RefUpdateRule in BranchProtection check (#936)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-30 23:14:42 +00:00
Azeem Shaikh
d9f5209803
Update test utils (#933)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-30 14:12:57 -07:00
Chris McGehee
dbb23450e5
Add line number to unpinned dependency: GitHub workflow "uses" field (#821)
* Display line number for github workflow "uses" field

* Adding test for line numbers

* Updating comment

* Updating this log message to use SARIF format

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2021-08-30 17:03:45 +00:00
Azeem Shaikh
37696aceb3
Create and use MockRepoClient in unit tests (#922)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-26 19:48:39 +00:00
laurentsimon
9eb7929ebc
🐛 Address friction logs' comments (#899)
* fixes

* fix

* fix

* fixes

* doc

* missing file

* fixes

* comments

* typo
2021-08-25 21:02:23 +00:00
Azeem Shaikh
2d65ab4f0c
Remove ErrRepoUnavailable (#908)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-25 09:33:59 -07:00
Azeem Shaikh
8cf95c46e4
Use singleton pattern for OSS-Fuzz (#902)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-25 03:28:49 +00:00
Azeem Shaikh
41d0ce38c4
Replace errors.As with Is (#901)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-25 01:03:45 +00:00
Azeem Shaikh
46a655d405
Fixes for Branch Protection (#900)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-25 00:04:17 +00:00
laurentsimon
6403eb1382
Transition Packaging, SAST, Security-policy, Signed-releases check to the new structured detail format (#887)
* move checks to new format

* fix

* comments

* fix

* comments
2021-08-24 01:44:06 +00:00
laurentsimon
b731f450b9
Transition Vulnerabilities, Permissions, CI-Tests, Dependency-Update-Tool, Code-Reviews to structured details (#889)
* move other checks togit add -u

* more checks

* fixes
2021-08-24 00:54:22 +00:00
laurentsimon
d1de6cf513
support v3 (#883) 2021-08-23 18:48:29 +00:00
Chris McGehee
c54d77b0d7
🐛 Only validate shell scripts supported by our parser (#862)
* Only validate shell scripts supported by our parser

* Updating tests, code quality

Co-authored-by: Abhishek Arya <inferno@chromium.org>
2021-08-19 08:18:45 -07:00
Azeem Shaikh
13ef9dd7e0
Use RepoClient.Search API in SAST check (#857)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-16 17:34:10 +00:00
laurentsimon
b3a3f7e217
SARIF 2: add short description to checks.yml (#848)
* short desc

* validate new field

* typos

* comments

* fixed
2021-08-16 15:42:55 +00:00
Azeem Shaikh
42ee430332
Use RepoClient API for Fuzzing (#855)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-14 00:34:40 +00:00
Azeem Shaikh
8baaaa4cf8
Use RepoClient API for Contributors check (#854)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-13 18:13:43 +00:00
Azeem Shaikh
b7ddc9ac93
Update go-github version for consistency (#852)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-13 00:43:22 +00:00
Azeem Shaikh
d4701c4a4e
Delete Signed-Tags check from Scorecard (#851)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-12 22:26:50 +00:00
Azeem Shaikh
3f9431d08c
Update SignedReleases to use RepoClient API (#844)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-12 20:46:06 +00:00
asraa
cc312f2d1d
feature: branch protection without admin token (#823)
* branch protection without admin permission

Signed-off-by: Asra Ali <asraa@google.com>

* handle other errors

Signed-off-by: Asra Ali <asraa@google.com>

* fix lint

Signed-off-by: Asra Ali <asraa@google.com>

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-08-12 15:54:28 +00:00
Azeem Shaikh
eeb563be10
Update SAST and CITest with Repoclient API (#842)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-12 08:27:48 +10:00
Mark J. Cox
20370f782a
🐛 Look for organisation default .github security.md files in all the locations they are allowed to be in (#837)
* The default community health files for an organisation can be in one of
three places, but the current check only looked in one of them. Expand
the check to all three places as per
https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file

This fixes scorecards failing to pick up the default Apache policy
https://github.com/apache/.github/blob/main/.github/SECURITY.md

Signed-off-by: Mark J. Cox <mark@awe.com>

* Wrap don't use a long line

* Follow the hint in the failure and run "gofmt -s" on it
2021-08-11 10:53:04 -07:00
laurentsimon
d821ea27ec
improve token permission (#811)
* sarif action

* update
2021-08-05 17:10:34 +00:00
laurentsimon
e4f3ede843
fix/enhance pinned-dependencies (#806)
* commit

* e2e tests

* typo
2021-08-03 23:32:34 +00:00
laurentsimon
b2b37161f3
Improve token permission check (#800)
* draft

* draft 2

* draft3

* fix e2e

* comment

* comment

* check codeql

* missing files

* comments

* nit

* update msg

* msg

* nit

* nit

* msg

* e2e

* update doc
2021-08-03 00:56:45 +00:00
Azeem Shaikh
30bb11965a
Update Packaging check to use new APIs (#796)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-02 17:17:38 +00:00
laurentsimon
1bee125ab3
fix message (#798) 2021-08-02 16:00:22 +00:00
Azeem Shaikh
6368c25f54
More linter issues (#794)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-08-01 03:42:14 +00:00
Azeem Shaikh
83e9f52501
Enable revive linters which are used in google3 (#793)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-07-31 22:31:34 +00:00
laurentsimon
29594d4294
change signature of FileIfExist and FileContent (#787)
* draft

* add pinning

* remove functions

* typo

* comment

* name
2021-07-30 15:09:52 +00:00
laurentsimon
b35cbdcdcf
Make Branch-Protection score more granular (#777)
* commit

* unit tests

* full score

* typos

* update msg

* remove function

* comments

* linter

* comments
2021-07-30 01:54:19 +00:00
laurentsimon
c48fe4f9ed
Make Token-Permission check more granular (#773)
* draft

* add tests

* add e2e tests

* typos

* typo

* fixes

* linter

* use named value

* comments

* comment
2021-07-30 00:13:01 +00:00
Azeem Shaikh
1d1e799f84
Add ListCommits and IsArchived API (#772)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-07-29 14:18:58 -07:00
Azeem Shaikh
1e6d99eb20
Remove PullRequest check (#771)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-07-29 20:58:36 +00:00
Azeem Shaikh
59e14eef80
Add validation for checks.yaml (#781)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-07-29 20:29:12 +00:00
Azeem Shaikh
df89767c35
Fix bug in SecurityPolicy (#761)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-07-29 20:09:56 +00:00
laurentsimon
8432a82bc4
Add e2e tests using dedicated repo for pinned-dependencies check (#766)
* fix

* e2e

* add e2e test from dedicated repo

* e2e update

* linter

* merge
2021-07-29 11:55:25 -07:00
laurentsimon
578c71b03e
text (#776) 2021-07-28 15:49:28 -07:00
laurentsimon
24955d62a0
text change (#775) 2021-07-28 14:34:20 -07:00
evalphobia
a4f7d4b5b4
🐛 Fix panic error when RequiredPullRequestReviews is nil (#768)
* Fix panic error when RequiredPullRequestReviews is nil

* add test
2021-07-28 09:57:26 -04:00
laurentsimon
9edfe2a292
rename Frozen-Deps to Pinned-Dependencies (#765)
* fix

* more tests

* e2e

* comments

* change name

* linter

* rename

* lint
2021-07-27 16:32:24 -07:00
laurentsimon
b8825d8e34
sast cleanup (#760)
* cleanup

* typo

* typos

* linter

* comments

* msg

* score

* comments
2021-07-27 16:16:44 +00:00
laurentsimon
c044105e33
rename var (#756)
* rename var

* linter
2021-07-26 17:24:34 -07:00
laurentsimon
2ffeff2dad
cleanup (#758) 2021-07-27 08:45:56 +10:00
laurentsimon
a004ffb107
cleanup Frozen-Deps MakeResultAnd (#742)
* draft

* fixes

* commit 1

* delete file

* clean

* clean 2

* linter

* fix score

* handle err

* in-progress score

* fixes
2021-07-26 22:02:46 +00:00
laurentsimon
8128f9fe68
divide by 0 (#755) 2021-07-26 21:37:17 +00:00
Naveen
4d7fb5d748
🌱 Fix the go.mod with v2 upgrade (#716)
The go.mod and the related files weren't updated with the v2 upgrade.

https://github.com/ossf/scorecard/issues/711

This fix will address the issue.
2021-07-26 13:01:25 -05:00
Azeem Shaikh
9bf1cdc9ce
Update ListFiles API to return error (#746)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-07-25 17:47:36 -07:00
Azeem Shaikh
7c133bc767
Create APIs for MergedPRs and DefaultBranch (#745)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-07-25 17:37:14 -07:00
laurentsimon
37d13c2972
Code-Review cleanup (#740)
* sast cleanup

* code-review cleanup

* typo

* merge fix
2021-07-22 23:12:53 +00:00
laurentsimon
f021326e1f
catch error (#736) 2021-07-22 22:00:12 +00:00
laurentsimon
a34e326151
sast cleanup (#739)
* sast cleanup

* comments
2021-07-22 18:03:31 +00:00
laurentsimon
89c8e2af31
[migration to score] 7: CI-Test, CII Best practices, security policy file (#733)
* ci, cii, sec file

* linter

* check doc

* typo

* fix

* comments

* linter

* fix sast

* fix score calc
2021-07-22 15:37:31 +00:00
laurentsimon
ae33db624e
[migration to score] 6: signed tags, signed release, PR, fuzzing (#732)
* yaml file

* sort checks

* comments

* signed tags

* signed release, PR, fuzzing

* typo
2021-07-21 18:10:47 -07:00
laurentsimon
3e95796de3
update yaml file (#730)
* yaml file

* sort checks

* comments

* vuln, sast

* doc update

* fix

* comments
2021-07-21 22:32:28 +00:00
laurentsimon
886d03cfdf
description of checks migrated (#726)
* yaml file

* sort checks

* comments

* comments

* comments
2021-07-21 20:54:57 +00:00
laurentsimon
53c056081b
[migration to score] 5: contributors, vulnerabilities, packaging and sast (#729)
* contributors

* packaging

* vulnerabilities

* fix errors

* err

* errors
2021-07-21 13:40:16 -07:00
laurentsimon
6f203e73b6
[migration to score] 4: active, fuzzing and code-review (#721)
* details-1

* nits

* typo

* comments

* dependabot and binary artifacts checks

* typo

* linter

* missing errors.go

* linter

* merge fix

* active, fuzzing and code review checks

* e2e tests for fuzzing

* fixes
2021-07-21 09:40:40 -07:00
laurentsimon
c741335683
[migration to score] 3: branch protection, frozen-deps, token permissions (#719)
* details-1

* nits

* typo

* comments

* dependabot and binary artifacts checks

* typo

* linter

* missing errors.go

* linter

* merge fix

* branch protection, frozen-deps, token permissions

* linter

* linter
2021-07-21 09:21:43 -07:00
laurentsimon
5e634c8945
[migration to score] 2: dependabot and binary artifact checks (#718)
* details-1

* nits

* typo

* comments

* dependabot and binary artifacts checks

* typo

* linter

* missing errors.go

* linter

* merge fix

* dates
2021-07-21 09:02:43 -07:00
laurentsimon
42115ed2e3
add errors file (#720) 2021-07-20 19:06:41 +00:00
laurentsimon
ab4bb60c9c
[migration to score] 1: create errors and new functions (#712)
* details-1

* comment

* doc

* nits

* typo

* comments

* nit

* linter
2021-07-20 11:36:35 -07:00
laurentsimon
3f2c0e6b6c
typos (#705) 2021-07-16 12:56:22 -07:00
laurentsimon
c46487bb7d
fixes (#704) 2021-07-16 12:34:23 -07:00
laurentsimon
b91658b322
packaging doc (#703) 2021-07-16 10:58:27 -07:00
laurentsimon
4cbb1a6062
Detect python -m pip pkg (#611)
* commit 1

* fixes

* comments

* comments

* comment and fix

* comments

* add tests

* support double quote + fixes

* fix

* comments
2021-07-09 00:48:36 +00:00
Azeem Shaikh
2c2432b9df
Fix some bugs (#659)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-07-07 15:04:43 +00:00
Ben Moss
959b27e81f
Minor grammar/readability docs fix (#666) 2021-07-07 07:29:45 -07:00
naveen
aeead94680 Included security.rst as SecurityPolicy
* Included security.rst as name check for security policy.
2021-07-04 16:18:51 -05:00
Azeem Shaikh
08e934cbc2
Use GraphQL instead of REST to reduce token usage (#640)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-07-01 15:32:57 -07:00
Azeem Shaikh
d81fd24246
Add ListFiles and GetFileContent APIs (#637)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-06-30 23:49:49 -07:00
laurentsimon
dd1a412b85
Update readme (#634)
* update readme

* comments
2021-06-29 19:02:12 +00:00
dependabot[bot]
5dd7f118ae
🌱 Bump github.com/golangci/golangci-lint from 1.40.1 to 1.41.1 (#627)
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.40.1 to 1.41.1.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.40.1...v1.41.1)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Azeem Shaikh <azeems@google.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-06-29 10:26:16 -07:00
Oliver Chang
34621504fb
Add a Vulnerabilities check. (#628)
Uses OSV to check this.

Fixes #52.
2021-06-29 03:09:40 +00:00
naveen
6aefe1b6ac 🌱 Fix broken e2e tests
* Changed the path for the frozen deps to look for within the
.github/workflows path

* Included license check to tools.go

* Removed the hard reference to ginkgo within the integration.yml

* The above fixes will fix the broken tests for scorecard.

Repo: github.com/ossf/scorecard
Frozen-Deps: Fail 10
go modules found: go.mod
!! frozen-deps/fetch-execute - .github/workflows/integration.yml is fetching an non-pinned dependency 'go get github.com/onsi/ginkgo/ginkgo@v1.14.2'
!! frozen-deps/fetch-execute - .github/workflows/main.yml is fetching an non-pinned dependency 'go install github.com/google/addlicense@latest'
2021-06-28 15:28:10 -05:00
laurentsimon
8960533b7b
check insecure downloads in github workflows (#610)
* draft

* commit 2

* draft

* rem debug code

* typos

* fixes

* fix suffix

* draft

* fixes

* rem deb code

* share the github struct def

* typos

* linter

* linter

* fix

* comments
2021-06-25 17:30:17 +00:00
laurentsimon
d84c04299d
wheel for python packages (#612) 2021-06-24 18:38:20 -07:00
laurentsimon
4b1c574420
Check for shell script's insecure download (#606)
* draft

* commit 2

* debug code

* draft

* draft

* rem debug code

* fix return value

* rename function

* add license

* typos

* fixes

* fix suffix

* comments
2021-06-24 17:24:14 +00:00
laurentsimon
ece69b2256
Support for package manager's unpinned downloads (#604)
* comments

* rem debug code

* Unpinned downloads for 'go get' and 'pip install'

* updates

* debug code

* linter

* comments
2021-06-24 16:06:25 +00:00
laurentsimon
3cd3e6ef71
🐛 Fix truncated file extraction from tarball (#605)
* fixes

* comments
2021-06-23 21:48:27 +00:00
laurentsimon
d1d1eb2ecb
Support bash -c "CMD" for docker RUN downloads-then-exec (#600)
* comments

* rem debug code

* debug cmd left

* linter

* typo

* add TODO

* comments
2021-06-23 14:09:47 +00:00
laurentsimon
0ca1ace1f2
Check: detect downloads of scripts/binaries in docker's RUN (#584)
* commit 1

* commit 2

* commit 3

* updates

* linter

* update year

* cleanup

* linter

* fix test files

* linter

* comments
2021-06-21 18:45:15 +00:00
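The three checks introduced in the commits above (unpinned `go get`/`go install`, a Docker `RUN` that downloads a script or binary and then executes it, and the `bash -c "CMD"` wrapper handled in #600) can be demonstrated with one small scanner. The code below is an added example, not scorecard's implementation: its regular expressions, the rule that only a full 40-hex commit SHA or a Go pseudo-version counts as pinned, the treatment of `bash -c` bodies as ordinary shell, and the sample commands are all this example's own assumptions. The first two sample commands are the ones the e2e fix above reports as non-pinned; the SHA and the `example.invalid` hosts are made up.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one insecure fetch found in a command.
type Finding struct {
	Line   int
	Reason string
}

var (
	// `go get` / `go install`, optional flags, a module path and an optional @version.
	goGetRe = regexp.MustCompile(`\bgo\s+(get|install)\s+(?:-\S+\s+)*([^\s@]+)(?:@(\S+))?`)
	// Versions this example treats as pinned (assumption): a full 40-hex commit SHA or a
	// Go pseudo-version, which embeds a 12-hex commit prefix. A tag such as v1.14.2 or the
	// word "latest" resolves to whatever upstream points at today, so it is not pinned.
	pinnedRe = regexp.MustCompile(`^(?:[0-9a-f]{40}|v\d+\.\d+\.\d+-(?:[\w.]+\.)?\d{14}-[0-9a-f]{12})$`)
	// A download piped straight into an interpreter, optionally through sudo.
	pipeToShellRe = regexp.MustCompile(`\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(bash|sh|zsh)\b`)
	// bash -c "..." / sh -c '...' wrappers; their body is shell and must be scanned too.
	shellCRe = regexp.MustCompile(`\b(?:bash|sh)\s+-c\s+(?:"([^"]*)"|'([^']*)')`)
	// Output path of curl -o / wget -O (combined short flags such as -sSfLo are not parsed).
	curlOutRe = regexp.MustCompile(`\bcurl\b.*?\s(?:-o|--output)[\s=]*(\S+)`)
	wgetOutRe = regexp.MustCompile(`\bwget\b.*?\s(?:-O|--output-document)[\s=]*(\S+)`)
	// Statement separators, so a "download" can be paired with a later "execute".
	stmtSepRe = regexp.MustCompile(`\s*(?:&&|\|\||;)\s*`)
)

// unwrapShellC replaces every bash -c / sh -c wrapper with its quoted body and
// repeats until none is left, so nested wrappers are flattened as well.
func unwrapShellC(cmd string) string {
	for {
		next := shellCRe.ReplaceAllStringFunc(cmd, func(m string) string {
			sub := shellCRe.FindStringSubmatch(m)
			return sub[1] + sub[2] // exactly one of the two groups is non-empty
		})
		if next == cmd {
			return cmd
		}
		cmd = next
	}
}

// downloadedFile returns the path a statement writes a download to, or "".
func downloadedFile(stmt string) string {
	for _, re := range []*regexp.Regexp{curlOutRe, wgetOutRe} {
		if m := re.FindStringSubmatch(stmt); m != nil {
			return m[1]
		}
	}
	return ""
}

// executesFile reports whether a statement runs file directly or through a shell.
func executesFile(stmt, file string) bool {
	f := strings.Fields(stmt)
	if len(f) > 0 && f[0] == "sudo" {
		f = f[1:]
	}
	if len(f) == 0 {
		return false
	}
	switch f[0] {
	case file:
		return true
	case "bash", "sh", "source", ".":
		return len(f) > 1 && f[1] == file
	}
	return false
}

// ScanCommand inspects one Dockerfile RUN line or workflow `run:` command.
func ScanCommand(line int, cmd string) []Finding {
	cmd = unwrapShellC(strings.TrimPrefix(strings.TrimSpace(cmd), "RUN "))
	var out []Finding

	for _, m := range goGetRe.FindAllStringSubmatch(cmd, -1) {
		verb, module, version := m[1], m[2], m[3]
		// Local packages (./cmd/x) resolve through go.mod/go.sum, and a module path
		// always starts with a host name, so anything without a dot is not a remote fetch.
		if strings.HasPrefix(module, ".") || !strings.Contains(module, ".") {
			continue
		}
		if !pinnedRe.MatchString(version) {
			if version == "" {
				version = "(no version)"
			}
			out = append(out, Finding{line, fmt.Sprintf("unpinned go %s of %s@%s", verb, module, version)})
		}
	}

	if m := pipeToShellRe.FindStringSubmatch(cmd); m != nil {
		out = append(out, Finding{line, "remote content piped straight into " + m[1]})
	}

	downloaded := map[string]bool{}
	for _, stmt := range stmtSepRe.Split(cmd, -1) {
		if path := downloadedFile(stmt); path != "" {
			downloaded[path] = true
			continue
		}
		for path := range downloaded {
			if executesFile(stmt, path) {
				out = append(out, Finding{line, "downloaded file executed: " + path})
			}
		}
	}
	return out
}

// sampleCommands are constructed inputs. The first two are the commands flagged in the
// e2e fix above; the SHA and the example.invalid hosts are made up for this example.
var sampleCommands = []string{
	`go get github.com/onsi/ginkgo/ginkgo@v1.14.2`,
	`go install github.com/google/addlicense@latest`,
	`go install github.com/google/addlicense@0123456789abcdef0123456789abcdef01234567`,
	`RUN curl -sSfL https://example.invalid/install.sh | sh`,
	`RUN bash -c "curl -o /tmp/i.sh https://example.invalid/i.sh && chmod +x /tmp/i.sh && /tmp/i.sh"`,
	`RUN apt-get update && apt-get install -y curl`,
}

func main() {
	for i, cmd := range sampleCommands {
		for _, f := range ScanCommand(i+1, cmd) {
			fmt.Printf("line %d: %s\n", f.Line, f.Reason)
		}
	}
}
```

The download-then-execute rule is deliberately statement-ordered: a file only counts once a download to that path has been seen earlier in the same command, which is why the `bash -c` body has to be unwrapped first, since otherwise the `&&`-separated statements inside the quotes would be split with stray quote characters attached to the paths.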
Naveen
3e1890fe35
Binary Artifact check (#563)
* Implemented binary artifact checks
2021-06-21 15:49:31 +00:00
Azeem Shaikh
7861478e1a
Add error handling to RunScorecard fn (#595)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-06-20 23:31:10 -07:00
Azeem Shaikh
c41f068223
Fix cron worker OOM-ing (#590)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-06-18 00:03:45 -07:00
Azeem Shaikh
0b62c58704
Add v0 of RepoClient interface (#587)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-06-17 13:21:32 -07:00
asraa
ceef465b88
add release branch protection check (#554)
* check release branch protection

Signed-off-by: Asra Ali <asraa@google.com>

* add documentation

Signed-off-by: Asra Ali <asraa@google.com>

* add tests

Signed-off-by: Asra Ali <asraa@google.com>

* fix test parallelization

Signed-off-by: Asra Ali <asraa@google.com>

* lint

Signed-off-by: Asra Ali <asraa@google.com>

* comments

Signed-off-by: Asra Ali <asraa@google.com>

* update

Signed-off-by: Asra Ali <asraa@google.com>

* address comments add TODO

Signed-off-by: Asra Ali <asraa@google.com>

* fix

Signed-off-by: Asra Ali <asraa@google.com>
2021-06-15 16:37:27 +00:00
laurentsimon
2c9a05c721
cleanup for token doc and code (#552)
* cleanup

* comment
2021-06-07 18:01:18 +00:00
laurentsimon
7fe41b2a8a
update frozen dep doc (#546) 2021-06-04 16:51:41 +00:00
naveen
d177fdaf57 📖 Fix the docs for Automatic checks for dependency
Fixed the docs for automatic checks for dependency
2021-06-04 11:22:46 -04:00
Naveen
d00dd9c309
Automatic dependency update checks (#322)
* Checks if the dependencies are automatically updated.
2021-06-04 14:35:06 +00:00
laurentsimon
d528b6e626
Cleanup code for github tokens #534 (#539)
* missed comments

* comments
2021-06-04 00:12:56 +00:00
laurentsimon
37d979f79b
check for read-only permissions of github token (#534)
* check for read-only permissions of github token

* linter

* linter

* doc

* comments

* comments

* fix

* generate checks.md

* update license

* linter

* comments

* license

* linter

* missing file

* linter

* license

* cleanup
2021-06-03 16:30:37 -07:00
Chris McGehee
524a187b31 Add new linter: errorlint 2021-05-30 13:12:42 -04:00
Azeem Shaikh
be8aa3d713
Export registered check names (#518)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-05-27 14:54:34 -07:00
laurentsimon
70770e4501
Feat/deps msg (#513)
* ignore testdata/ files

* fix

* comments

* typo

* more specific messages
2021-05-26 17:54:37 -07:00
Chris McGehee
6b63f3f963
🌱 Fix lint issues: Replace golint with revive (#493)
* Fix lint issues: Replace golint with revive
golint is deprecated and recommended to be replaced with revive

* Updating comments to be more accurate

* Updating comments again

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-05-24 11:34:33 -07:00
Chris McGehee
61ecad3151
Add new linter: gci (#498) 2021-05-23 20:51:52 -07:00
Chris McGehee
2e7a71fbf2
Fix lint issues: goerr113 linter (#491)
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-05-22 12:36:47 -07:00
Chris McGehee
26d17907a6
Fix lint issues: stylecheck linter (#487)
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-05-22 17:45:32 +00:00
Chris McGehee
35fece6491
Fix lint issues: lll linter (#486) 2021-05-22 17:29:18 +00:00
Chris McGehee
50f7ed8519
🌱Fix lint issues: gochecknoinits linter (#485)
* Fix lint issues: gochecknoinits linter

* Fix lint issues: gochecknoinits linter
2021-05-22 13:19:52 -04:00
Chris McGehee
f996065e40 Fix lint issues: gomnd linter 2021-05-22 01:09:09 -05:00
laurentsimon
eb0af441d1
[Frozen-deps]: Ignore testdata/ files (#481)
* ignore testdata/ files

* fix

* comments

* typo

* fix

* typo
2021-05-21 08:45:55 -07:00
laurentsimon
78933ac2f4 ignore scratch frm dockerfile imports 2021-05-20 13:23:27 -05:00
Chris McGehee
e75a9e19f9
Fix lint issues: govet linter (#478)
Reordering fields reduces struct size in memory

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-05-19 23:38:58 -07:00
laurentsimon
ee3f290702
Add check for Docker dependency pinning by hash (#469)
* check pinning in docker files

* Revert "check pinning in docker files"

This reverts commit c05a5007b1.

* check pinning in docker files

* Revert "check pinning in docker files"

This reverts commit c05a5007b1.

* check pinning in docker files

* Revert "check pinning in docker files"

This reverts commit c05a5007b1.

* check pinning in docker files

* Revert "check pinning in docker files"

This reverts commit c05a5007b1.

* check pinning in docker files

* Revert "check pinning in docker files"

This reverts commit c05a5007b1.

* check dependencies pinning in docker files

* check docker files hash pinning

* remove logging

* make keyword matches case-insensitive

* remove log

* update unit tests

* check fix

* check dependencies pinning in docker files

* check docker files hash pinning

* remove logging

* remove log

* check fix

* comment

* linter

* comments

* check pinning in docker files

* Revert "check pinning in docker files"

This reverts commit c05a5007b1.

* check pinning in docker files

* Revert "check pinning in docker files"

This reverts commit c05a5007b1.

* check pinning in docker files

* Revert "check pinning in docker files"

This reverts commit c05a5007b1.

* check dependencies pinning in docker files

* check docker files hash pinning

* check fix

* check dependencies pinning in docker files

* check docker files hash pinning

* remove logging

* make keyword matches case-insensitive

* remove log

* check fix

* comment

* comments

* comments

* check pinning in docker files

* Revert "check pinning in docker files"

This reverts commit c05a5007b1.

* check pinning in docker files

* Revert "check pinning in docker files"

This reverts commit c05a5007b1.

* check pinning in docker files

* Revert "check pinning in docker files"

This reverts commit c05a5007b1.

* check dependencies pinning in docker files

* check docker files hash pinning

* remove logging

* make keyword matches case-insensitive

* check fix

* check dependencies pinning in docker files

* check docker files hash pinning

* check fix

* comments

* comments

* comments

* comments

* update mod

* remove continue keyword

* linter

* linter

* linter

* comments

* cleanup

* linter

* typos

* typos
2021-05-19 09:46:39 -07:00
Abhishek Arya
5f82d2b9c0
Add checks for workflow action pinning (#466)
Patch by Laurent Simon <laurentsimon@google.com>

Co-authored-by: Laurent Simon <laurentsimon@google.com>
2021-05-17 13:03:39 -07:00
laurentsimon
e46016d244
📖 Add more detailed doc for checks (#453)
* More detailed doc

* comment
2021-05-14 17:05:59 -07:00
Chris McGehee
fc82659e9c
🌱 Fix lint issues: gocognit linter (#433)
* Fix lint issues: gocognit linter
Before refactoring, CITests had a cognitive complexity of 51
(the upper limit is 30)

* Fix lint issues: gocognit linter
Addressing feedback

* Fix lint issues: gocognit linter
Before refactoring IsBranchProtected had a complexity of 33 (upper limit is 30)

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2021-05-14 15:41:50 -04:00
Chris McGehee
3359f601cd Fix lint issues: nolintlint linter
The nestif directive was not being used
2021-05-13 09:31:56 -05:00
Chris McGehee
566f938364
Fix lint issues: dupl linter (#448)
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2021-05-13 11:58:57 +00:00
laurentsimon
e616cc3161
❇️ Add sub-checks to Branch-Protection check (#436)
* Add sub-checks to Branch-Protection check

* run gofumpt

* comments

* comments

* typo

* comments

* comments
2021-05-11 18:26:27 -07:00
Laurent Simon
feafbf2610 Fix segfault issue #419 2021-05-07 20:30:22 -05:00
naveen
997b8f4a5d 📖 Update branch protection API
* Included need for admin access to the branch protection API to work.

* Fixes #350
2021-05-03 11:02:19 -05:00
naveen
09af32a993 Generate docs using go instead of python
* Implemented the doc generation from python to go
* Removed the need for json
* Sorted the output of the generated markdown
2021-05-02 19:46:07 -05:00
Chris McGehee
6a7142fe21 Fix lint issues: golint linter 2021-05-02 14:49:40 -05:00
Chris McGehee
c97b4e7b38 Fix lint issues: gofumpt linter
The previous commit that made the gofumpt fixes caused a new lint
violation for the dupl linter. Since these are test cases, we will add
nolint for these.
2021-05-02 13:18:19 -05:00
Chris McGehee
8402e6d9d0 Fix lint issues: gofumpt linter 2021-05-02 13:18:19 -05:00
Chris McGehee
83a0fbd5eb Fix lint issues: noctx linter 2021-05-02 11:59:39 -05:00
Chris McGehee
5151e8c301 Fix lint issues: nestif linter 2021-05-02 11:41:31 -05:00
Chris McGehee
4c6b500dea Fix lint issues: lll linter 2021-05-02 11:18:26 -05:00
Chris McGehee
87b5a6a922 Fix lint issues: godot linter 2021-05-02 11:14:01 -05:00
Chris McGehee
06993b72ce
🐛 Fix linting issues (1 of n) (#348)
* Fix lint issues: whitespace linter

* Fix lint issues: wrapcheck linter

* Fix lint issues: errcheck linter

* Fix lint issues: paralleltest linter

* Fix lint issues: gocritic linter
Most changes from this commit are from passing checker.CheckResult by reference and not by value. gocritic identified that as a huge parameter.
gocritic also prefers regexp.MustCompile over Compile when the pattern is a const
2021-04-19 12:18:34 -07:00
Oliver Chang
df27afd3b3
Make checks documentation machine readable. (#345)
* Make checks documentation machine readable.

Make checks.yaml as a machine and human readable source of truth of
checks documentation.

A tiny Python script is also added to generate checks.json and checks.md
from this file.

* move checks scripts and files
2021-04-16 11:15:56 -07:00
Azeem Shaikh
a58818d258
🌱 : Reduce code duplication for follow-up cron refactoring (#338)
* Refactor to reduce code duplication

* Move lib/ back to checker/

* Move lib/ back to checker/

* Move lib/ back to checker/

* Address PR comments.

* Addressing PR comments.

* Avoid printing `ShouldRetry` and `Error` in output JSON.

* Fix JSON output.

Co-authored-by: Azeem Shaikh <azeems@google.com>
2021-04-10 07:26:56 -05:00
Naveen
4b4d0f0a01
Fix - out of memory error for large repository (#276)
The httpcache client caches everything in memory and if the repository
is large then the process gets evicted with OOM.

Changed the implementation to use the standard http client to fetch the
tarball.
2021-03-14 21:50:17 -04:00
Edoardo Tenani
7f7c9fcb89
contributors: use go-github org API (#228)
Replace direct call to HTTP URL with appropriate go-github API call.

Closes #175
2021-03-01 16:24:18 -08:00
naveen
c2ff48dc59 feat-Reduced GitHub API calls for security check
Reduced the number of calls to the GitHub API from 16 to a maximum of 2.
Utilized the tarball to download and check the contents of those files.
2021-02-25 21:55:54 -05:00
nathannaveen
1a00062a09 Fix - golangci issues gomnd, goconst
Fixed the golangci issues for gomnd and goconst.
Added ginkgo dependency in the makefile.
2021-02-17 18:22:18 -05:00
Nathan
554ca76bfe Fix - golangci issues gomnd, goconst
Fixed the golangci issues for gomnd and goconst.
Added ginkgo dependency in the makefile.
2021-02-17 18:22:18 -05:00
Naveen
30d69310c6
Fix - Organization checks for members (#170)
* Fix - Organization checks for members

* Fix - Turn off automatic releasenotes generation

Turn off automatic release notes for CII https://bestpractices.coreinfrastructure.org/

* Fix - Organization checks for members
2021-02-14 10:46:14 -05:00
naveen
4bdc158018 Fix - packaging workflow for docker push 2021-02-12 21:16:44 -05:00
Abhishek Arya
ad7cc4a951 Add colon before sha. 2021-02-12 14:26:54 -05:00
naveen
2ad8b35b91 Fixes - verifiedtag checks
The reason the tags aren't working for certain repositories is the difference between lightweight tags
and annotated tags:

> Basically, lightweight tags are just pointers to specific commits. No further information is saved;
> on the other hand, annotated tags are regular objects, which have an author and a
> date and can be referred to because they have their own SHA key.

https://api.github.com/repos/ossf/scorecard/git/refs/tags

```
[
  {
    "ref": "refs/tags/v1.0.0",
    "node_id": "MDM6UmVmMzAyNjcwNzk3OnJlZnMvdGFncy92MS4wLjA=",
    "url": "https://api.github.com/repos/ossf/scorecard/git/refs/tags/v1.0.0",
    "object": {
      "sha": "87997ffb5724cb479223a08a2890c60b0ea4bfbd",
      "type": "commit",
      "url": "87997ffb57"
    }
  },
  {
    "ref": "refs/tags/v1.1.0",
    "node_id": "MDM6UmVmMzAyNjcwNzk3OnJlZnMvdGFncy92MS4xLjA=",
    "url": "https://api.github.com/repos/ossf/scorecard/git/refs/tags/v1.1.0",
    "object": {
      "sha": "f2c633854602cf0c8f33164a169fb0a8454bee01",
      "type": "tag",
      "url": "f2c6338546"
    }
  }
]
```
Annotated tags

https://api.github.com/repos/kubernetes/kubernetes/git/refs/tags

```
[
  {
    "ref": "refs/tags/v0.2",
    "node_id": "MDM6UmVmMjA1ODA0OTg6cmVmcy90YWdzL3YwLjI=",
    "url": "https://api.github.com/repos/kubernetes/kubernetes/git/refs/tags/v0.2",
    "object": {
      "sha": "64dbf9ae21dd0deb485f88b79b96eb35ca855138",
      "type": "tag",
      "url": "64dbf9ae21"
    }
  }
]
```

The lookup for the tag fails because there isn't a tag object but only a commit object.
87997ffb57

fixes #107
2021-02-12 14:26:54 -05:00
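The distinction the commit message above explains (a lightweight tag's ref points straight at a commit, an annotated tag's ref points at a tag object) is what a signature check has to test for before it asks GitHub for a tag object. The code below is an added example, not scorecard's own code: it decodes the `refs/tags` response shape quoted above and classifies each ref by `object.type`. The sample JSON is constructed from the two ossf/scorecard entries quoted above with the unused `node_id` and `url` fields dropped; the type and function names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// gitRef holds the fields of one GET /repos/{owner}/{repo}/git/refs/tags entry
// that matter here; other fields in the response are ignored by encoding/json.
type gitRef struct {
	Ref    string `json:"ref"`
	Object struct {
		SHA  string `json:"sha"`
		Type string `json:"type"`
	} `json:"object"`
}

// TagKind records what a tag ref points at.
type TagKind int

const (
	// LightweightTag: object.type == "commit". There is no tag object, so there is
	// nothing that could carry a tagger identity or a signature.
	LightweightTag TagKind = iota
	// AnnotatedTag: object.type == "tag". A tag object exists, can be fetched from
	// GET /git/tags/{sha}, and can be checked for a signature.
	AnnotatedTag
	// UnknownKind: any other object type (defensive; not expected from the API).
	UnknownKind
)

func (k TagKind) String() string {
	switch k {
	case LightweightTag:
		return "lightweight"
	case AnnotatedTag:
		return "annotated"
	}
	return "unknown"
}

// ClassifyTagRefs decodes a refs/tags response and reports the kind of every ref.
// A caller verifying tag signatures should request the tag object only for
// AnnotatedTag entries: for a lightweight tag the SHA names a commit, and looking
// it up as a tag object fails, which is the failure the commit message describes.
func ClassifyTagRefs(body []byte) (map[string]TagKind, error) {
	var refs []gitRef
	if err := json.Unmarshal(body, &refs); err != nil {
		return nil, fmt.Errorf("decoding refs/tags response: %w", err)
	}
	kinds := make(map[string]TagKind, len(refs))
	for _, r := range refs {
		switch r.Object.Type {
		case "commit":
			kinds[r.Ref] = LightweightTag
		case "tag":
			kinds[r.Ref] = AnnotatedTag
		default:
			kinds[r.Ref] = UnknownKind
		}
	}
	return kinds, nil
}

// sampleRefs is constructed from the two ossf/scorecard entries quoted in the
// commit message; node_id and url are omitted because they are not used here.
const sampleRefs = `[
  {"ref": "refs/tags/v1.0.0",
   "object": {"sha": "87997ffb5724cb479223a08a2890c60b0ea4bfbd", "type": "commit"}},
  {"ref": "refs/tags/v1.1.0",
   "object": {"sha": "f2c633854602cf0c8f33164a169fb0a8454bee01", "type": "tag"}}
]`

func main() {
	kinds, err := ClassifyTagRefs([]byte(sampleRefs))
	if err != nil {
		panic(err)
	}
	for _, ref := range []string{"refs/tags/v1.0.0", "refs/tags/v1.1.0"} {
		fmt.Printf("%s: %s\n", ref, kinds[ref])
	}
}
```

Run as-is it reports `v1.0.0` as lightweight and `v1.1.0` as annotated; a verifier that treated both the same way would try to fetch a tag object for `v1.0.0` and fail on the commit SHA.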
naveen
0d77d8938f Fix - tarball URL trailing slash
Fixed the tarball URL trailing slash which was causing Frozen-Dep checks
to fail.
2021-02-02 16:04:28 -05:00