Spencer Schrock
5f7cea3637
🌱 Use new entrypoint for scdiff ( #4204 )
Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-07-03 17:40:48 +00:00
Ryan Ware
1c448ee652
cron: Add 377 Intel-owned repositories ( #4206 )
Signed-off-by: Ryan Ware <ryan.ware@intel.com>
2024-07-02 23:27:18 -04:00
Spencer Schrock
6629b09746
🌱 Add lifecycle field to probes ( #4147 )
* add lifecycle field to probe yaml definitions
Signed-off-by: Spencer Schrock <sschrock@google.com>
* classify existing probes
Some are listed as stable if they're not expected to change;
others are listed as experimental if changes are still expected.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add lifecycle to probe readme
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fix linter
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add lifecycle for new probe
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add probe lifecycle to documentation
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-07-02 17:11:19 +00:00
Raghav Kaul
28337f13b1
🌱 maintainer annotations: improve annotation file validation ( #4162 )
* validate check names against full list
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* tests: close file
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* make private
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* Restructure imports
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
2024-07-02 15:40:34 +00:00
dependabot[bot]
9f9afa0c30
🌱 Bump github.com/google/osv-scanner from 1.7.4 to 1.8.1 ( #4198 )
2024-07-01 19:21:16 +00:00
dependabot[bot]
76a04bfe40
🌱 Bump github.com/xanzy/go-gitlab from 0.105.0 to 0.106.0 ( #4197 )
2024-06-27 17:11:41 +00:00
dependabot[bot]
842d550727
🌱 Bump github.com/goreleaser/goreleaser/v2 in /tools ( #4199 )
2024-06-27 16:58:18 +00:00
dependabot[bot]
c187c076a0
🌱 Bump cloud.google.com/go/pubsub from 1.38.0 to 1.40.0 ( #4196 )
2024-06-26 23:05:42 +00:00
dependabot[bot]
13c4485000
🌱 Bump github.com/moby/buildkit from 0.14.0 to 0.14.1 ( #4187 )
2024-06-26 22:49:24 +00:00
dependabot[bot]
c4e1f70113
🌱 Bump github.com/spf13/cobra from 1.8.0 to 1.8.1 ( #4183 )
2024-06-26 21:26:18 +00:00
dependabot[bot]
89d94606a1
🌱 Bump the github-actions group across 1 directory with 3 updates ( #4190 )
Bumps the github-actions group with 3 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [github/codeql-action](https://github.com/github/codeql-action) and [ko-build/setup-ko](https://github.com/ko-build/setup-ko).
Updates `actions/checkout` from 4.1.6 to 4.1.7
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](a5ac7e51b4...692973e3d9)
Updates `github/codeql-action` from 3.25.8 to 3.25.10
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](2e230e8fe0...23acc5c183)
Updates `ko-build/setup-ko` from 0.6 to 0.7
- [Release notes](https://github.com/ko-build/setup-ko/releases)
- [Commits](ace48d7935...3aebd0597d)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: github-actions
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: github-actions
- dependency-name: ko-build/setup-ko
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: github-actions
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-26 21:01:56 +00:00
dependabot[bot]
7918d83743
🌱 Bump chainguard/static from 110b691 to 68b8855 ( #4179 )
Bumps chainguard/static from `110b691` to `68b8855`.
---
updated-dependencies:
- dependency-name: chainguard/static
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-26 20:08:08 +00:00
dependabot[bot]
309b48b9fd
🌱 Bump github.com/hashicorp/go-retryablehttp ( #4195 )
2024-06-25 23:16:48 +00:00
dependabot[bot]
a93626e540
🌱 Bump github.com/hashicorp/go-retryablehttp in /tools ( #4193 )
2024-06-25 22:41:02 +00:00
dependabot[bot]
6cae56f02b
🌱 Bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0 ( #4158 )
* 🌱 Bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 5.1.0 to 6.0.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](5742e2a039...286f3b13b1)
---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* use --clean instead of --rm-dist
https://goreleaser.com/deprecations#-rm-dist
Signed-off-by: Spencer Schrock <sschrock@google.com>
* the skip arguments were combined into --skip
https://goreleaser.com/deprecations/#-skip
Signed-off-by: Spencer Schrock <sschrock@google.com>
* update config for v2
Signed-off-by: Spencer Schrock <sschrock@google.com>
* use goreleaser v2 tooling for makefile
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: Stephen Augustus <justaugustus@users.noreply.github.com>
2024-06-25 22:30:41 +00:00
Spencer Schrock
0d57c0224a
📖 Generate probe markdown documentation ( #4184 )
* generate probe markdown documentation
Walks the various probes def.yaml files and puts them in a single
markdown document. This doesn't currently include the remediation, but
neither does the existing checks.md document.
In order to avoid duplicating yaml definitions, the existing ones were
moved to an internal directory so they can be reused.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fix linter
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add probe doc generation to Makefile
Note: There is no validate-docs step for the probes code, as the
def.yml fields are validated elsewhere currently in the unit tests.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fix license for new yaml package
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-06-20 21:05:06 +00:00
dependabot[bot]
5d08c1cc11
🌱 Bump github.com/google/go-containerregistry from 0.19.1 to 0.19.2 ( #4182 )
* 🌱 Bump github.com/google/go-containerregistry
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.19.1 to 0.19.2.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.19.1...v0.19.2)
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Raghav Kaul <raghavkaul+github@google.com>
2024-06-17 12:04:39 -04:00
Spencer Schrock
da0f2b4ebc
🐛 keep SARIF runs and rules for exempted checks, only skip the results. ( #4153 )
* keep runs and rules for exempted checks, only skip the results.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* update test
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-06-14 23:21:56 +00:00
Zxilly
5ef9831b91
🌱 add stack info to osv-scanner error ( #4172 )
* add stack info to osv-scanner error
Signed-off-by: Zxilly <zxilly@outlook.com>
* print error stack to stderr
Signed-off-by: Zxilly <zxilly@outlook.com>
* follow the lint rule
Signed-off-by: Zxilly <zxilly@outlook.com>
---------
Signed-off-by: Zxilly <zxilly@outlook.com>
2024-06-14 16:02:21 -07:00
Naveen
c7821b633c
✨ move to cgr base image ( #4113 )
- Move to the static cgr.dev base image as it has a smaller footprint and zero
vulnerabilities.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
2024-06-14 16:09:44 +00:00
Zxilly
fc09963047
🐛 fix: correct sarif json schema url ( #4170 )
Signed-off-by: Zxilly <zxilly@outlook.com>
2024-06-13 10:26:36 -07:00
dependabot[bot]
e23b8ad91f
🌱 Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity ( #4166 )
2024-06-12 20:26:39 +00:00
Raghav Kaul
ed272eab2c
📖 Docs: Maintainer annotations ( #4165 )
* update docs
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* reword
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
2024-06-12 14:30:01 -04:00
Spencer Schrock
157948d4f0
🌱 Hide maintainer annotation implementation details ( #4167 )
* make validation func private
Signed-off-by: Spencer Schrock <sschrock@google.com>
* hide config validation sentinel errors
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-06-12 18:16:13 +00:00
dependabot[bot]
1faca4943d
🌱 Bump google.golang.org/protobuf from 1.34.1 to 1.34.2 ( #4169 )
2024-06-12 17:58:59 +00:00
Max Mehl
fcdc63b1ba
📖 Improve the REUSE parts of the License check ( #4155 )
* clarify that link leads to specification, not REUSE in general
Signed-off-by: Max Mehl <mail@mehl.mx>
* fix LICENSES directory name
Signed-off-by: Max Mehl <mail@mehl.mx>
* clarify that tool also looks into LICENSES directory
Signed-off-by: Max Mehl <mail@mehl.mx>
* generate checks.md
Signed-off-by: Max Mehl <mail@mehl.mx>
---------
Signed-off-by: Max Mehl <mail@mehl.mx>
2024-06-12 16:19:35 +00:00
dependabot[bot]
fde26a0ef4
🌱 Bump github.com/moby/buildkit from 0.13.2 to 0.14.0 ( #4168 )
2024-06-12 16:07:16 +00:00
Spencer Schrock
6d8f701a9d
⚠️ Simplify RunScorecard with functional optionals ( #4106 )
* add options for other clients
Signed-off-by: Spencer Schrock <sschrock@google.com>
* set clients to defaults if not provided?
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fix shadowing
Signed-off-by: Spencer Schrock <sschrock@google.com>
* call the underlying run function
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add package client
Signed-off-by: Spencer Schrock <sschrock@google.com>
* run all checks if no checks or probes provided
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add WithProbes option
Signed-off-by: Spencer Schrock <sschrock@google.com>
* make github repo type public
Signed-off-by: Spencer Schrock <sschrock@google.com>
* make gitlab repo type public
Signed-off-by: Spencer Schrock <sschrock@google.com>
* make local repo type public
Signed-off-by: Spencer Schrock <sschrock@google.com>
* switch WithChecks to accepting []string
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fix linter
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fix linter
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-06-10 15:59:29 -07:00
dependabot[bot]
2ed7e5e9fa
🌱 Bump github.com/golangci/golangci-lint from 1.59.0 to 1.59.1 in /tools ( #4161 )
2024-06-10 20:55:48 +00:00
Spencer Schrock
20ec42c2b5
⚠️ Make all ScorecardResult format options pointers ( #4151 )
* make format options pointers
Callers can pass in a nil pointer to use the default values.
This is also consistent with AsProbe which already used a pointer.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove unused FJSON format
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-06-10 20:32:20 +00:00
Raghav Kaul
f591fbb551
🌱 maintainer annotations: search for config ( #4152 )
* search for annotation file
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* search for config file
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* address cr: logging + tests
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
2024-06-10 19:58:11 +00:00
dependabot[bot]
91532e12d1
🌱 Bump golang from 1.22.3 to 1.22.4 ( #4160 )
* 🌱 Bump golang from 1.22.3 to 1.22.4
Bumps golang from 1.22.3 to 1.22.4.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
* bump the other dockerfiles
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
2024-06-10 17:08:56 +00:00
dependabot[bot]
397ca510b4
🌱 Bump the github-actions group across 1 directory with 3 updates ( #4159 )
Bumps the github-actions group with 3 updates in the / directory: [step-security/harden-runner](https://github.com/step-security/harden-runner), [github/codeql-action](https://github.com/github/codeql-action) and [actions/dependency-review-action](https://github.com/actions/dependency-review-action).
Updates `step-security/harden-runner` from 2.8.0 to 2.8.1
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](f086349bfa...17d0e2bd7d)
Updates `github/codeql-action` from 3.25.6 to 3.25.8
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](9fdb3e4972...2e230e8fe0)
Updates `actions/dependency-review-action` from 4.3.2 to 4.3.3
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](0c155c5e85...72eb03d02c)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: github-actions
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: github-actions
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: github-actions
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-10 12:51:30 -04:00
Raghav Kaul
bfaa9febc2
✨ probe: releases with verified provenance ( #4141 )
* add projectpackageversions to signed releases raw results
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* finding: add NewNot* helpers, fix error msg
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* probe: releasesHaveVerifiedProvenance
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* logging
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* fix tests and lint
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* address comments
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* remove unused
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* fix merge conflict
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
2024-06-07 10:15:20 -07:00
Spencer Schrock
9cd1fb868d
🐛 fix Unlicense detection ( #4145 )
* fix unlicense detection
The code previously had some special logic for handling the Unlicense SPDX
identifier. While this worked for local file detection, it broke detection for
SPDX identifiers provided by the forge. This change moves the logic to the part
of the code concerned with local file detection, so both work now.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove part of comment which is no longer relevant
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-06-06 18:01:49 +00:00
Arnout Engelen
3da6db56c9
✨ announce where results are written ( #4132 )
Before this change, when running with '-o foo' the output would end
with:
```
RESULTS
-------
```
This was rather confusing. There are, of course, many ways to make this
clearer; this commit adds a log line announcing where the output is
written to:
```
RESULTS
-------
Writing to foo
```
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
2024-06-06 10:42:19 -07:00
dependabot[bot]
7e7e2f5818
🌱 Bump github.com/onsi/ginkgo/v2 in /tools ( #4149 )
2024-06-06 17:24:52 +00:00
dependabot[bot]
bc1c2e6995
🌱 Bump golang.org/x/oauth2 from 0.20.0 to 0.21.0 ( #4148 )
2024-06-06 17:14:20 +00:00
Spencer Schrock
8a3cbbb3ba
⚠️ remove dependencydiff functionality ( #4146 )
Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-06-06 09:47:06 -07:00
dependabot[bot]
b4d6ee469c
🌱 Bump github.com/bradleyfalzon/ghinstallation/v2 ( #4137 )
2024-06-05 18:13:00 +00:00
dependabot[bot]
eea94f5d01
🌱 Bump github.com/rhysd/actionlint from 1.7.0 to 1.7.1 ( #4138 )
2024-06-05 18:00:32 +00:00
dependabot[bot]
936efa9fff
🌱 Bump golang.org/x/text from 0.15.0 to 0.16.0 ( #4142 )
2024-06-05 17:44:34 +00:00
aklevans
0448565ab9
🐛 Use direct endpoint instead of search to find repository URL from npm database ( #4118 )
* Update endpoint used when getting repo from npm to solve #3166
Signed-off-by: aklevans <alexklevans@gmail.com>
* Update test files to account for endpoint change when getting repo from npm
Signed-off-by: aklevans <alexklevans@gmail.com>
* Fix linter issues
Signed-off-by: aklevans <alexklevans@gmail.com>
* Added unit tests for #3166 and #2441
Signed-off-by: aklevans <alexklevans@gmail.com>
* fix linter issues and reduce mock json output in package_manager_test to only include necessary data
Signed-off-by: aklevans <alexklevans@gmail.com>
* fix linter issues in package_managers.go
Signed-off-by: aklevans <alexklevans@gmail.com>
* convert windows line breaks to linux
Signed-off-by: aklevans <alexklevans@gmail.com>
* reduce test case size, still has windows line breaks
Signed-off-by: aklevans <alexklevans@gmail.com>
* Fix unit tests
Signed-off-by: aklevans <alexklevans@gmail.com>
* attempt linter fix
Signed-off-by: aklevans <alexklevans@gmail.com>
* Fix linter issues stemming from windows line breaks
Signed-off-by: aklevans <alexklevans@gmail.com>
* Remove magic number and rename variable to be more accurate
Signed-off-by: aklevans <alexklevans@gmail.com>
---------
Signed-off-by: aklevans <alexklevans@gmail.com>
Signed-off-by: aklevans <105876795+aklevans@users.noreply.github.com>
2024-06-05 10:15:29 -07:00
dependabot[bot]
36d8ad7a60
🌱 Bump github.com/google/osv-scanner from 1.7.3 to 1.7.4 ( #4139 )
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.7.3 to 1.7.4.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/compare/v1.7.3...v1.7.4)
---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-04 11:25:36 -07:00
Arnout Engelen
bf4002489a
✨ detect sbt ci-release packaging workflows ( #4135 )
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
2024-06-01 14:30:41 -04:00
dependabot[bot]
867f511cd0
🌱 Bump github.com/goreleaser/goreleaser in /tools ( #4122 )
2024-06-01 18:16:47 +00:00
dependabot[bot]
6cbe95c52e
🌱 Bump github.com/golangci/golangci-lint in /tools ( #4125 )
2024-06-01 17:00:20 +00:00
dependabot[bot]
02f72e0582
🌱 Bump github.com/onsi/ginkgo/v2 from 2.17.3 to 2.19.0 ( #4126 )
2024-05-30 23:03:52 +00:00
Raghav Kaul
77dce6fbef
⚠️ Add ProjectPackageVersions to raw data collection ( #4104 )
* add projectpackageversions to signed releases raw results
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* add mocks
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* update
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* fix tests
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* rename
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* Update runScorecard
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* pass depsdevclient to scdiff
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* error handling
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* make Host() return domain only
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* lint
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* address cr comments
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
---------
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
2024-05-30 16:00:36 -04:00
Arnout Engelen
7e6a09e474
🐛 fix Docker remediations for unpinned GHA dependencies ( #4131 )
* 🐛 fix Docker remediations for unpinned GHA dependencies
Previously, as both the check for unpinned dependencies in
GitHub Actions and the check for unpinned Docker dependencies
contribute to d.Dependencies, the loop that created remediations
for Docker dependencies would also try to create Docker
remediations for the unpinned GitHub Actions dependencies.
This could get really slow, especially when scanning a repo
with many GitHub Actions such as https://github.com/apache/beam.
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
* 🌱 Small refactor and test for remediations
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
* 🌱 make test data more realistic
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
---------
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
2024-05-30 18:46:22 +00:00