Commit Graph

1298 Commits

Author SHA1 Message Date
godofredoc
a69e1d97d4
🌱 Add Dart and Flutter CI systems to CI tests check. (#1548)
* Add Dart and Flutter CI systems to CI tests check.

The current check is looking at the github checks data to identify
whether a given PR ran tests. Flutter and Dart repos are failing the
check because their systems are not recognized as CI Systems.

Bug: https://github.com/ossf/scorecard/issues/1547

* Format file.
2022-01-28 01:42:50 +00:00
laurentsimon
40a9d48c91
Link to responsible disclosure guidelines in Security-Policy remediation doc (#1545)
* refer to responsible disclosure guidelines

* typo
2022-01-27 17:21:34 -05:00
Naveen
17467c1f13
🌱 Unit tests for binary_artifact (#1512) 2022-01-27 12:25:50 -06:00
dependabot[bot]
15a204fe1d 🌱 Bump github.com/goreleaser/goreleaser in /tools
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.3.1 to 1.4.1.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](https://github.com/goreleaser/goreleaser/compare/v1.3.1...v1.4.1)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-27 08:51:06 +00:00
dependabot[bot]
074ba5a109
🌱 Bump github.com/onsi/ginkgo from 1.16.4 to 1.16.5 in /tools (#1541) 2022-01-27 03:20:16 +00:00
dependabot[bot]
bd2171b53a
🌱 Bump github.com/golangci/golangci-lint from 1.42.1 to 1.44.0 in /tools (#1540) 2022-01-27 02:56:56 +00:00
dependabot[bot]
10a5c1ade5 🌱 Bump github.com/goreleaser/goreleaser in /tools
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.0.0 to 1.3.1.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](https://github.com/goreleaser/goreleaser/compare/v1.0.0...v1.3.1)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-27 01:30:14 +00:00
dependabot[bot]
d2d9ff4b9d 🌱 Bump golang.org/x/tools from 0.1.8 to 0.1.9
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.1.8 to 0.1.9.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.1.8...v0.1.9)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-27 01:06:45 +00:00
naveen
3d5a08d4fe 🌱 Included dependabot setting for tools
Included dependabot setting for tools module to get updates.
2022-01-26 18:20:31 -06:00
Azeem Shaikh
d50788f638
Add Slack channel badge (#1536)
Adds a new badge pointing to our Slack channel.
2022-01-26 22:48:28 +00:00
laurentsimon
5f9fff3b20
Separate check from policies for the Vulnerabilities check (#1532)
* raw vulnerabilities separation
* update year
* missing files
* tests
2022-01-26 15:45:39 -05:00
Chris McGehee
7a6eb2812a
Not considering an issue as having activity if closed recently (#1531)
- The person who opened the issue can close it, so an issue closing does not indicate activity by a maintainer.
2022-01-25 21:59:03 -08:00
Stephen Augustus (he/him)
16c0d375d6
🌱 CODEOWNERS: Add Stephen Augustus (justaugustus) as maintainer (#1530)
* CODEOWNERS: Simplify maintainers

.github/workflows/* CODEOWNERS are effectively maintainers, but
with the current configuration, they are not being automatically
tagged for review for other file changes.

Here we simplify to `*`, in preparation for adding additional
maintainers.

(Maintainers have also been alpha-sorted.)

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* CODEOWNERS: Add Stephen Augustus (justaugustus) as maintainer

Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-01-25 20:33:27 -08:00
naveen
e774015194 🌱 Unit tests for Fuzzing
Unit tests checks for fuzzing.

https://github.com/ossf/scorecard/issues/986
Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-25 14:08:59 -06:00
Stephen Augustus (he/him)
41adfe7f34
⚠️ log: Initial logr/logrusr implementation (#1516)
* log: Initial logr/logrusr implementation

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* log: Update references to `log.Logger`

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* go.mod: Minor reorganization of `replace`s

...to prevent automatic updates from getting added to the smaller
section.

Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-01-25 11:17:46 -06:00
dependabot[bot]
da116d3b25 🌱 Bump cloud.google.com/go/bigquery from 1.26.0 to 1.27.0
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.26.0 to 1.27.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.26.0...spanner/v1.27.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-25 10:11:08 -06:00
dependabot[bot]
19a73a4696 🌱 Bump ossf/scorecard-action from 1.0.1 to 1.0.2
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 1.0.1 to 1.0.2.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Commits](e3e75cf2ff...c8416b0b2b)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-25 06:33:45 -06:00
naveen
d4d81a01df 🌱 Unit tests dependency_update_tool
Unit tests dependency_update_tool
https://github.com/ossf/scorecard/issues/986

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-24 21:38:02 -06:00
Chris McGehee
b6cba86f72
🐛 Issue activity only counts if done by a maintainer (#1515)
* Issue activity only counts if done by a maintainer

* - Using pointer so that if Github API doesn't return a value for a field, it can be nil
- Updating AuthorAssociation to use an enum

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2022-01-24 16:12:54 +00:00
dependabot[bot]
5b9857650f 🌱 Bump github.com/onsi/gomega from 1.17.0 to 1.18.0
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.17.0 to 1.18.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.17.0...v1.18.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-24 07:03:31 -06:00
naveen
4122c793bc 🌱 Unit tests for binary artifacts
Unit tests for binary artifacts.

https://github.com/ossf/scorecard/issues/986
2022-01-23 22:59:36 -06:00
naveen
8a64075d5e 🌱 Fix the reflect.DeepEqual with google cmp
Fix the reflect.DeepEqual with google cmp

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-23 13:12:07 -06:00
naveen
66a91dd017 🌱 Unit tests for branch protection raw
Unit tests for branch protection raw.
https://github.com/ossf/scorecard/issues/986.

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-22 17:54:59 -06:00
naveen
ab16cdbbc2 🌱 Fix Vulns for containerd 2022-01-21 12:44:00 -06:00
naveen
90a0689dea 🌱 Unit test for fileparser
https://github.com/ossf/scorecard/issues/986
2022-01-21 12:23:11 -06:00
Hallgeir Holien
062e33ba29
📖 Dependabot config file link (#1498)
* Dependabot config file link

It seems like dependabot.com is gone and the documentation of the configuration file has now moved to https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates

* Updated dependabot docs link

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-21 08:12:22 -08:00
Stephen Augustus (he/him)
0d76deace2
go.mod: Update github.com/google/go-containerregistry to v0.8.0 (#1506)
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-01-20 19:44:13 -08:00
Stephen Augustus (he/him)
13b78ab010
⚠️ Create a dedicated logging package to encapsulate calls to zap (#1502)
* log: Init log package

Creates a wrapper around existing `zap.Logger` to make it easier
to replace/extend with scorecard logging.

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* log: Replace instances of `zap.Logger` with `log.Logger`

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* log: Add logic to parse `zapcore.Level`s as strings

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* log: Express log levels

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* log: Replace instances of `zapcore.Level` with `log.Level`

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* log: Fixup comments for exported functions

Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-01-20 15:57:39 -08:00
naveen
f4e9dfd602 🌱 Unit tests for binaryartifacts
Unit tests for binaryartifacts
https://github.com/ossf/scorecard/issues/986

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-20 15:20:54 -06:00
dependabot[bot]
5777826e57 🌱 Bump github.com/google/go-cmp from 0.5.6 to 0.5.7
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.6 to 0.5.7.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.6...v0.5.7)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-20 11:18:48 -06:00
naveen
026d98edf8 🌱 Included e2e coverage for codecov 2022-01-19 19:41:03 -06:00
naveen
c3589e8080 📖 Updated codecov badge 2022-01-19 18:42:39 -06:00
naveen
2dcdbcd32b 🌱 Track code coverage
Track code coverage
https://github.com/ossf/scorecard/issues/986

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-19 16:29:31 -06:00
naveen
9973bdeb60 Unit tests for dependency update
Unit tests for dependency update.

https://github.com/ossf/scorecard/issues/986

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-19 15:34:07 -06:00
Azeem Shaikh
96ea22eac5
Add and use compressed Scorecard logos (#1492)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-01-19 18:08:35 +00:00
Azeem Shaikh
fc87431507
Add exemption to stale issue workflow (#1486)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-01-18 14:45:35 -06:00
dependabot[bot]
b8e054ba9e 🌱 Bump goreleaser/goreleaser-action from 2.8.0 to 2.8.1
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](5df302e5e9...79d4afbba1)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-17 19:23:17 -06:00
dependabot[bot]
4837262895 🌱 Bump ossf/scorecard-action from 1.0.0 to 1.0.1
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 1.0.0 to 1.0.1.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Commits](005020cb6a...e3e75cf2ff)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-17 09:07:59 -06:00
Naveen
5d3f198380
Unit test for SAST (#1482)
Addresses https://github.com/ossf/scorecard/issues/435
2022-01-15 12:22:59 -08:00
olivekl
c60b66bbc8
📖 Olivekl v4 doc updates (#1481)
* Create scorecards-analysis.yml

* Update README.md

Move Public Data section
Add placeholders for new installation organization, TODOs for public data section

* Update README.md

Remove outdated public data scoring system paragraph

* Update README.md

Add explanation of Scorecard Action install option and link out

* Update README.md

Add sentence introducing CLI installation section; move all headings down a level for that section

* Update README.md

Fix typo

* Update README.md

Remove comma

* Delete scorecards-analysis.yml file

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2022-01-14 20:46:30 +00:00
Azeem Shaikh
b6272c79e1
Fix scorecard version in Scorecard Docker images (#1480)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-01-14 11:34:22 -08:00
dependabot[bot]
361fbd0fc9 🌱 Bump ossf/scorecard-action from 0.0.2 to 1.0.0
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 0.0.2 to 1.0.0.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Commits](5f4e3145c8...005020cb6a)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-14 07:45:26 -06:00
dependabot[bot]
b1fec4d1fd 🌱 Bump github.com/bradleyfalzon/ghinstallation/v2
Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.0.3 to 2.0.4.
- [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases)
- [Commits](https://github.com/bradleyfalzon/ghinstallation/compare/v2.0.3...v2.0.4)

---
updated-dependencies:
- dependency-name: github.com/bradleyfalzon/ghinstallation/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-13 19:15:52 -06:00
naveen
f7b329e830 Unit test for all_checks
Addresses https://github.com/ossf/scorecard/issues/435

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-12 17:24:38 -06:00
naveen
77103694fb Unit test for securitypolicy
https://github.com/ossf/scorecard/issues/435

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-12 16:33:24 -06:00
naveen
f31d824a5e 🌱 Unit tests for code review
Unit tests for code review check.

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-12 15:35:09 -06:00
Azeem Shaikh
696553be2d
Fix linter issues (#1472)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-01-12 20:34:16 +00:00
Azeem Shaikh
f2c57d2590 Migrate to v4 2022-01-12 14:12:09 -06:00
Azeem Shaikh
61a0124407
Enable Dangerous-Workflow & License checks for v4 (#1471)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-01-12 16:27:03 +00:00
laurentsimon
531561c8f4
npm install-test support (#1468) 2022-01-12 11:34:19 +11:00