Commit Graph

1137 Commits

Author SHA1 Message Date
Chris McGehee
7a6eb2812a
Not considering an issue as having activity if closed recently (#1531)
- The person who opened the issue can close it, so an issue closing does not indicate activity by a maintainer.
2022-01-25 21:59:03 -08:00
Stephen Augustus (he/him)
16c0d375d6
🌱 CODEOWNERS: Add Stephen Augustus (justaugustus) as maintainer (#1530)
* CODEOWNERS: Simplify maintainers

.github/workflows/* CODEOWNERS are effectively maintainers, but
with the current configuration, they are not being automatically
tagged for review for other file changes.

Here we simplify to `*`, in preparation for adding additional
maintainers.

(Maintainers have also been alpha-sorted.)

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* CODEOWNERS: Add Stephen Augustus (justaugustus) as maintainer

Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-01-25 20:33:27 -08:00
naveen
e774015194
🌱 Unit tests for Fuzzing
Unit test checks for fuzzing.

https://github.com/ossf/scorecard/issues/986
Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-25 14:08:59 -06:00
Stephen Augustus (he/him)
41adfe7f34
⚠️ log: Initial logr/logrusr implementation (#1516)
* log: Initial logr/logrusr implementation

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* log: Update references to `log.Logger`

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* go.mod: Minor reorganization of `replace`s

...to prevent automatic updates from getting added to the smaller
section.

Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-01-25 11:17:46 -06:00
dependabot[bot]
da116d3b25
🌱 Bump cloud.google.com/go/bigquery from 1.26.0 to 1.27.0
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.26.0 to 1.27.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.26.0...spanner/v1.27.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-25 10:11:08 -06:00
dependabot[bot]
19a73a4696
🌱 Bump ossf/scorecard-action from 1.0.1 to 1.0.2
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 1.0.1 to 1.0.2.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Commits](e3e75cf2ff...c8416b0b2b)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-25 06:33:45 -06:00
naveen
d4d81a01df
🌱 Unit tests dependency_update_tool
Unit tests dependency_update_tool
https://github.com/ossf/scorecard/issues/986

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-24 21:38:02 -06:00
Chris McGehee
b6cba86f72
🐛 Issue activity only counts if done by a maintainer (#1515)
* Issue activity only counts if done by a maintainer

* - Using a pointer so that if the GitHub API doesn't return a value for a field, it can be nil
- Updating AuthorAssociation to use an enum

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2022-01-24 16:12:54 +00:00
dependabot[bot]
5b9857650f
🌱 Bump github.com/onsi/gomega from 1.17.0 to 1.18.0
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.17.0 to 1.18.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.17.0...v1.18.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-24 07:03:31 -06:00
naveen
4122c793bc
🌱 Unit tests for binary artifacts
Unit tests for binary artifacts.

https://github.com/ossf/scorecard/issues/986
2022-01-23 22:59:36 -06:00
naveen
8a64075d5e
🌱 Fix the reflect.DeepEqual with google cmp
Fix the reflect.DeepEqual with google cmp

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-23 13:12:07 -06:00
naveen
66a91dd017
🌱 Unit tests for branch protection raw
Unit tests for branch protection raw.
https://github.com/ossf/scorecard/issues/986

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-22 17:54:59 -06:00
naveen
ab16cdbbc2
🌱 Fix Vulns for containerd
2022-01-21 12:44:00 -06:00
naveen
90a0689dea
🌱 Unit test for fileparser
https://github.com/ossf/scorecard/issues/986
2022-01-21 12:23:11 -06:00
Hallgeir Holien
062e33ba29
📖 Dependabot config file link (#1498)
* Dependabot config file link

It seems like dependabot.com is gone and the documentation of the configuration file has now moved to https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates

* Updated dependabot docs link

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-21 08:12:22 -08:00
Stephen Augustus (he/him)
0d76deace2
go.mod: Update github.com/google/go-containerregistry to v0.8.0 (#1506)
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-01-20 19:44:13 -08:00
Stephen Augustus (he/him)
13b78ab010
⚠️ Create a dedicated logging package to encapsulate calls to zap (#1502)
* log: Init log package

Creates a wrapper around existing `zap.Logger` to make it easier
to replace/extend with scorecard logging.

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* log: Replace instances of `zap.Logger` with `log.Logger`

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* log: Add logic to parse `zapcore.Level`s as strings

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* log: Express log levels

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* log: Replace instances of `zapcore.Level` with `log.Level`

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* log: Fixup comments for exported functions

Signed-off-by: Stephen Augustus <foo@auggie.dev>
2022-01-20 15:57:39 -08:00
naveen
f4e9dfd602
🌱 Unit tests for binaryartifacts
Unit tests for binaryartifacts
https://github.com/ossf/scorecard/issues/986

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-20 15:20:54 -06:00
dependabot[bot]
5777826e57
🌱 Bump github.com/google/go-cmp from 0.5.6 to 0.5.7
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.6 to 0.5.7.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.6...v0.5.7)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-20 11:18:48 -06:00
naveen
026d98edf8
🌱 Included e2e coverage for codecov
2022-01-19 19:41:03 -06:00
naveen
c3589e8080
📖 Updated codecov badge
2022-01-19 18:42:39 -06:00
naveen
2dcdbcd32b
🌱 Track code coverage
Track code coverage
https://github.com/ossf/scorecard/issues/986

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-19 16:29:31 -06:00
naveen
9973bdeb60
Unit tests for dependency update
Unit tests for dependency update.

https://github.com/ossf/scorecard/issues/986

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-19 15:34:07 -06:00
Azeem Shaikh
96ea22eac5
Add and use compressed Scorecard logos (#1492)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-01-19 18:08:35 +00:00
Azeem Shaikh
fc87431507
Add exemption to stale issue workflow (#1486)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-01-18 14:45:35 -06:00
dependabot[bot]
b8e054ba9e
🌱 Bump goreleaser/goreleaser-action from 2.8.0 to 2.8.1
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](5df302e5e9...79d4afbba1)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-17 19:23:17 -06:00
dependabot[bot]
4837262895
🌱 Bump ossf/scorecard-action from 1.0.0 to 1.0.1
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 1.0.0 to 1.0.1.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Commits](005020cb6a...e3e75cf2ff)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-17 09:07:59 -06:00
Naveen
5d3f198380
Unit test for SAST (#1482)
Addresses https://github.com/ossf/scorecard/issues/435
2022-01-15 12:22:59 -08:00
olivekl
c60b66bbc8
📖 Olivekl v4 doc updates (#1481)
* Create scorecards-analysis.yml

* Update README.md

Move Public Data section
Add placeholders for new installation organization, TODOs for public data section

* Update README.md

Remove outdated public data scoring system paragraph

* Update README.md

Add explanation of Scorecard Action install option and link out

* Update README.md

Add sentence introducing CLI installation section; move all headings down a level for that section

* Update README.md

Fix typo

* Update README.md

Remove comma

* Delete scorecards-analysis.yml file

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2022-01-14 20:46:30 +00:00
Azeem Shaikh
b6272c79e1
Fix scorecard version in Scorecard Docker images (#1480)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-01-14 11:34:22 -08:00
dependabot[bot]
361fbd0fc9
🌱 Bump ossf/scorecard-action from 0.0.2 to 1.0.0
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 0.0.2 to 1.0.0.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Commits](5f4e3145c8...005020cb6a)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-14 07:45:26 -06:00
dependabot[bot]
b1fec4d1fd
🌱 Bump github.com/bradleyfalzon/ghinstallation/v2
Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.0.3 to 2.0.4.
- [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases)
- [Commits](https://github.com/bradleyfalzon/ghinstallation/compare/v2.0.3...v2.0.4)

---
updated-dependencies:
- dependency-name: github.com/bradleyfalzon/ghinstallation/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-13 19:15:52 -06:00
naveen
f7b329e830
Unit test for all_checks
Addresses https://github.com/ossf/scorecard/issues/435

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-12 17:24:38 -06:00
naveen
77103694fb
Unit test for securitypolicy
https://github.com/ossf/scorecard/issues/435

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-12 16:33:24 -06:00
naveen
f31d824a5e
🌱 Unit tests for code review
Unit tests for code review check.

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-12 15:35:09 -06:00
Azeem Shaikh
696553be2d
Fix linter issues (#1472)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-01-12 20:34:16 +00:00
Azeem Shaikh
f2c57d2590
Migrate to v4
2022-01-12 14:12:09 -06:00
Azeem Shaikh
61a0124407
Enable Dangerous-Workflow & License checks for v4 (#1471)
Co-authored-by: Azeem Shaikh <azeems@google.com>
2022-01-12 16:27:03 +00:00
laurentsimon
531561c8f4
npm install-test support (#1468)
2022-01-12 11:34:19 +11:00
laurentsimon
460d34aa2d
Change filename when no file is available (#1445)
* change filename when no file is available

* fixes

* e2e tests

* update message

* comment
2022-01-11 23:29:47 +00:00
dependabot[bot]
cf063194bc
🌱 Bump mvdan.cc/sh/v3 from 3.4.0 to 3.4.2
Bumps [mvdan.cc/sh/v3](https://github.com/mvdan/sh) from 3.4.0 to 3.4.2.
- [Release notes](https://github.com/mvdan/sh/releases)
- [Changelog](https://github.com/mvdan/sh/blob/v3.4.2/CHANGELOG.md)
- [Commits](https://github.com/mvdan/sh/compare/v3.4.0...v3.4.2)

---
updated-dependencies:
- dependency-name: mvdan.cc/sh/v3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-11 16:19:11 -06:00
naveen
ad5ffab313
Unit tests for CI_Tests
Implemented unit tests for CI_Tests

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-01-11 13:31:58 -06:00
dependabot[bot]
a72accca81
🌱 Bump github.com/h2non/filetype from 1.1.1 to 1.1.3
Bumps [github.com/h2non/filetype](https://github.com/h2non/filetype) from 1.1.1 to 1.1.3.
- [Release notes](https://github.com/h2non/filetype/releases)
- [Changelog](https://github.com/h2non/filetype/blob/master/History.md)
- [Commits](https://github.com/h2non/filetype/compare/v1.1.1...v1.1.3)

---
updated-dependencies:
- dependency-name: github.com/h2non/filetype
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-11 12:48:03 -06:00
dependabot[bot]
bdeb8e7b5f
🌱 Bump github.com/spf13/cobra from 1.2.1 to 1.3.0
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.2.1 to 1.3.0.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Changelog](https://github.com/spf13/cobra/blob/master/CHANGELOG.md)
- [Commits](https://github.com/spf13/cobra/compare/v1.2.1...v1.3.0)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-11 12:21:09 -06:00
dependabot[bot]
17e1541e77
🌱 Bump go.uber.org/zap from 1.19.1 to 1.20.0 (#1464)
Bumps [go.uber.org/zap](https://github.com/uber-go/zap) from 1.19.1 to 1.20.0.
- [Release notes](https://github.com/uber-go/zap/releases)
- [Changelog](https://github.com/uber-go/zap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/uber-go/zap/compare/v1.19.1...v1.20.0)

---
updated-dependencies:
- dependency-name: go.uber.org/zap
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2022-01-11 17:55:48 +00:00
dependabot[bot]
98e5aad777
🌱 Bump cloud.google.com/go/bigquery from 1.24.0 to 1.26.0 (#1459)
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.24.0 to 1.26.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.24.0...spanner/v1.26.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-11 09:24:40 -08:00
dependabot[bot]
b3bca5ccb8
🌱 Bump golang.org/x/tools from 0.1.7 to 0.1.8
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.1.7 to 0.1.8.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.1.7...v0.1.8)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-11 10:30:09 -06:00
dependabot[bot]
167f2cfbcc
🌱 Bump github.com/jszwec/csvutil from 1.5.1 to 1.6.0
Bumps [github.com/jszwec/csvutil](https://github.com/jszwec/csvutil) from 1.5.1 to 1.6.0.
- [Release notes](https://github.com/jszwec/csvutil/releases)
- [Commits](https://github.com/jszwec/csvutil/compare/v1.5.1...v1.6.0)

---
updated-dependencies:
- dependency-name: github.com/jszwec/csvutil
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-11 09:35:56 -06:00
laurentsimon
b79b3c357c
Add startLine to sarif for binary files (#1458)
* add line to sarif

* remove comments
2022-01-10 17:48:20 -08:00
laurentsimon
993e9c1010
update msg (#1457)
2022-01-10 22:22:39 +00:00