Commit Graph

1382 Commits

Author SHA1 Message Date
dependabot[bot]
a69fda734d 🌱 Bump actions/cache from 2.1.7 to 3
Bumps [actions/cache](https://github.com/actions/cache) from 2.1.7 to 3.
- [Release notes](https://github.com/actions/cache/releases)
- [Commits](937d244753...4b0cf6cc46)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-22 10:48:03 -05:00
dependabot[bot]
d51e004a13 🌱 Bump google.golang.org/protobuf in /tools
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.27.1 to 1.28.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.27.1...v1.28.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-22 10:04:26 -05:00
laurentsimon
06efb4a71c Update BQ table name for raw results (#1759)
* Update name

* comments
2022-03-21 23:50:45 +00:00
laurentsimon
1094680a0f 🐛 Fix schemas from https://github.com/ossf/scorecard/pull/1758 (#1760)
* Fix schemas

* updates

* updates
2022-03-21 21:03:26 +00:00
laurentsimon
ee623e5445 Add schema for the raw JSON (#1758) 2022-03-21 13:08:50 -07:00
Naveen
1c61acd325 Update main.yml 2022-03-21 09:00:27 -05:00
Naveen
8fd286d225 Update stale.yml 2022-03-21 09:00:27 -05:00
naveensrinivasan
76d3e10536 🌱 Restrict egress on github actions
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-03-21 09:00:27 -05:00
dependabot[bot]
0c76ae35ab 🌱 Bump distroless/base in /cron/controller
Bumps distroless/base from `02f6671` to `792dfe7`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-21 06:12:34 -05:00
dependabot[bot]
64893b84a9 🌱 Bump step-security/harden-runner from 1.4.0 to 1.4.1
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.4.0 to 1.4.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](bdb12b622a...9b0655f430)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-21 04:44:28 -05:00
laurentsimon
b1ab16e80f Add raw results to cron scans (#1741)
* draft

* updates

* updates

* updates

* updates

* updates

* comments

* comments

* comments

* comments

* comments

* comments
2022-03-18 19:05:14 -07:00
dependabot[bot]
d5893c226f 🌱 Bump distroless/base from 02f6671 to 792dfe7
Bumps distroless/base from `02f6671` to `792dfe7`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-18 09:59:25 -05:00
dependabot[bot]
9e9e5a9392 🌱 Bump distroless/base in /cron/webhook
Bumps distroless/base from `02f6671` to `792dfe7`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-18 09:39:11 -05:00
dependabot[bot]
8f6df49de8 🌱 Bump github.com/go-logr/logr from 1.2.2 to 1.2.3
Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.2.2 to 1.2.3.
- [Release notes](https://github.com/go-logr/logr/releases)
- [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md)
- [Commits](https://github.com/go-logr/logr/compare/v1.2.2...v1.2.3)

---
updated-dependencies:
- dependency-name: github.com/go-logr/logr
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-18 09:06:22 -05:00
dependabot[bot]
23921a6cc5 🌱 Bump distroless/base in /cron/worker
Bumps distroless/base from `02f6671` to `792dfe7`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-18 08:54:35 -05:00
dependabot[bot]
a496d8ca87 🌱 Bump cloud.google.com/go/bigquery from 1.29.0 to 1.30.0
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.29.0 to 1.30.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.29.0...spanner/v1.30.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-17 12:01:45 -05:00
Azeem Shaikh
a3f4b05bbf Pass in specific commit-SHA in cron job (#1739)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-03-16 22:53:51 +00:00
naveensrinivasan
ba78d0aa59 Unit test for CLI options
- Initial tests for CLI options.
2022-03-16 16:33:31 -05:00
Azeem Shaikh
dc302bde4d Enable CI-Tests to run as commit-based check 2022-03-16 16:20:21 -05:00
Naveen
c8acf3645f 🌱 .github: Audit CodeQL egress with harden-runner (#1728) 2022-03-15 16:14:03 +00:00
dependabot[bot]
c8af71cf35 🌱 Bump crazy-max/ghaction-import-gpg from 4.2.0 to 4.3.0
Bumps [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) from 4.2.0 to 4.3.0.
- [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases)
- [Changelog](https://github.com/crazy-max/ghaction-import-gpg/blob/master/CHANGELOG.md)
- [Commits](b7c9a01276...4d58d49bfe)

---
updated-dependencies:
- dependency-name: crazy-max/ghaction-import-gpg
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-15 05:11:38 -05:00
dependabot[bot]
3f73d69acd 🌱 Bump github.com/rhysd/actionlint from 1.6.9 to 1.6.10
Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) from 1.6.9 to 1.6.10.
- [Release notes](https://github.com/rhysd/actionlint/releases)
- [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rhysd/actionlint/compare/v1.6.9...v1.6.10)

---
updated-dependencies:
- dependency-name: github.com/rhysd/actionlint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-14 06:32:30 -05:00
dependabot[bot]
2df9d088f2 🌱 Bump github.com/goreleaser/goreleaser in /tools
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.6.1 to 1.6.3.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](https://github.com/goreleaser/goreleaser/compare/v1.6.1...v1.6.3)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-14 06:18:25 -05:00
naveensrinivasan
7d1795384c Fixed the path of the generated mock files.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-03-11 09:55:24 -06:00
naveensrinivasan
1995bc3b9c 🌱 Refactor to make it testable
- Related to https://github.com/ossf/scorecard/issues/1568

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2022-03-11 09:55:24 -06:00
dependabot[bot]
f2a132a430 🌱 Bump github.com/spf13/cobra from 1.3.0 to 1.4.0
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.3.0 to 1.4.0.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Changelog](https://github.com/spf13/cobra/blob/master/CHANGELOG.md)
- [Commits](https://github.com/spf13/cobra/compare/v1.3.0...v1.4.0)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-11 09:29:05 -06:00
naveensrinivasan
e303a1b8fd 🌱 Ignore mock clients for code coverage
- Ignoring mock clients for code coverage tracking.
2022-03-09 14:21:20 -06:00
naveensrinivasan
35d31562a0 🌱 Unit tests for pinned_dependencies
- Additional tests for pinned_dependencies
https://github.com/ossf/scorecard/issues/986
2022-03-09 09:53:21 -06:00
stm9
c10a6ae0f0 Update README.md (#1716)
Updated instructions on how to access the public BigQuery dataset in section [public-data](https://github.com/ossf/scorecard/edit/main/README.md#public-data)

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2022-03-08 15:44:38 +00:00
dependabot[bot]
eb258163ea 🌱 Bump cloud.google.com/go/pubsub from 1.18.0 to 1.19.0
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.18.0 to 1.19.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.18.0...pubsub/v1.19.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-08 06:02:44 -05:00
laurentsimon
e128c3de82 allow empty committer (#1714) 2022-03-07 21:25:54 +00:00
Chris McGehee
c1761a8936 Only download repo tarball when necessary
Previously, this was downloading the tarball for github.com/google/oss-fuzz every time scorecard was run.
2022-03-07 11:52:20 -05:00
dependabot[bot]
0268747d6d 🌱 Bump github.com/goreleaser/goreleaser in /tools
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.5.0 to 1.6.1.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](https://github.com/goreleaser/goreleaser/compare/v1.5.0...v1.6.1)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-07 05:29:32 -05:00
naveensrinivasan
4b9f0389c6 🌱 Fix for CVE-2022-23648
- Fix for https://github.com/advisories/GHSA-crp2-qrr5-8pq7
2022-03-06 17:08:11 -05:00
Azeem Shaikh
241b0f4b4d Mark License, Security-Policy as commit-based (#1711)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-03-04 11:24:06 -06:00
laurentsimon
3c92dec81b 🐛 Add GitHub committer verification (#1695)
* Add GitHub committer verification and fix empty reviewers

* update comment

* linter

* comments
2022-03-03 18:04:05 +00:00
dependabot[bot]
57b4664c71 🌱 Bump cloud.google.com/go/bigquery from 1.28.0 to 1.29.0
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.28.0 to 1.29.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.28.0...spanner/v1.29.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-03 07:10:50 -06:00
naveensrinivasan
4904b317ac 🌱 additional tests for github_workflow
- Additional tests for github_workflow
2022-03-02 20:36:34 -06:00
Stephen Augustus (he/him)
3070b3ca1b cmd: Allow new scorecard to be instantiated with options (#1703)
* cmd: Allow new scorecard commands to be instantiated with options
* options: Default flags to struct field values
* options: Use constants for flag names
* options: Simplify SARIF check

Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-03-03 01:38:34 +00:00
laurentsimon
d192c8e3ac Add score to SARIF for all results (#1694)
* add score

* fix unit tests
2022-03-02 17:06:47 -08:00
laurentsimon
3818dbe839 Update CODEOWNERS (#1701)
@inferno-chromium asked to be removed because he's not actively reviewing PRs anymore and his inbox is being bombarded :-)

cc @inferno-chromium
2022-03-02 16:21:38 +00:00
dependabot[bot]
189cdc5b9b 🌱 Bump actions/stale from 4.1.0 to 5
Bumps [actions/stale](https://github.com/actions/stale) from 4.1.0 to 5.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](7fb802b307...3cc1237663)

---
updated-dependencies:
- dependency-name: actions/stale
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 09:03:04 -06:00
dependabot[bot]
23819152f8 🌱 Bump crazy-max/ghaction-import-gpg from 4.1.0 to 4.2.0
Bumps [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) from 4.1.0 to 4.2.0.
- [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases)
- [Changelog](https://github.com/crazy-max/ghaction-import-gpg/blob/master/CHANGELOG.md)
- [Commits](cb4264d331...b7c9a01276)

---
updated-dependencies:
- dependency-name: crazy-max/ghaction-import-gpg
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 08:10:27 -06:00
dependabot[bot]
13b9cc5212 🌱 Bump actions/checkout from 2.4.0 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2.4.0 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](ec3a7ce113...a12a3943b4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 07:29:16 -06:00
Stephen Augustus (he/him)
84cdc8cbec cmd: Refactor to make importable (#1696)
* cmd: Refactor to make importable
* options: Add support for parsing via environment variables
* options: Support setting feature flags via option
* cmd: Replace `version` with sigs.k8s.io/release-utils/version
* cmd: Move option validation into pre-run function

Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-03-01 21:18:44 -08:00
Azeem Shaikh
738b246fe9 Fix cmd panic (#1692)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-03-01 20:17:24 +00:00
dependabot[bot]
837729418a 🌱 Bump goreleaser/goreleaser-action from 2.9.0 to 2.9.1
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.9.0 to 2.9.1.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](c127c9be61...b953231f81)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-01 06:42:36 -06:00
dependabot[bot]
dd9ae7df99 🌱 Bump actions/setup-go from 2.2.0 to 3
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2.2.0 to 3.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](bfdd3570ce...f6164bd8c8)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-01 06:33:03 -06:00
naveensrinivasan
5e5abdcd09 🌱 Unit tests for github workflow
- Unit tests for github workflow.
https://github.com/ossf/scorecard/issues/986
2022-02-28 20:02:50 -06:00
Naveen
ddb0fe3f31 Changed jsonScorecardResultV2 type Public (#1682)
* Changed jsonScorecardResultV2 type Public

- Fixes https://github.com/ossf/scorecard/issues/1673

* Update pkg/json.go

Co-authored-by: Stephen Augustus (he/him) <justaugustus@users.noreply.github.com>

* Fixed the govet warning by including nolint

Fixed the govet linter warning by including nolint.

Co-authored-by: Stephen Augustus (he/him) <justaugustus@users.noreply.github.com>
2022-02-28 15:20:07 -05:00