mirror of
https://github.com/ossf/scorecard.git
synced 2024-09-11 08:55:27 +03:00
6cae56f02b
149 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Spencer Schrock
|
20ec42c2b5
|
⚠️ Make all ScorecardResult format options pointers (#4151)
* make format options pointers Callers can pass in a nil pointer to use the default values. This is also consistent with AsProbe which already used a pointer. Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unused FJSON format Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
aklevans
|
0448565ab9
|
🐛 Use direct endpoint instead of search to find repository URL from npm database (#4118)
* Update endpoint used when getting repo from npm to solve #3166 Signed-off-by: aklevans <alexklevans@gmail.com> * Update test files to account for endpoint change when getting repo from npm Signed-off-by: aklevans <alexklevans@gmail.com> * Fix linter issues Signed-off-by: aklevans <alexklevans@gmail.com> * Added unit tests for #3166 and #2441 Signed-off-by: aklevans <alexklevans@gmail.com> * fix linter issues and reduce mock json output in package_manager_test to only include necessary data Signed-off-by: aklevans <alexklevans@gmail.com> * fix linter issues in package_managers.go Signed-off-by: aklevans <alexklevans@gmail.com> * convert windows line breaks to linux Signed-off-by: aklevans <alexklevans@gmail.com> * reduce test case size, still has windows line breaks Signed-off-by: aklevans <alexklevans@gmail.com> * Fix unit tests Signed-off-by: aklevans <alexklevans@gmail.com> * attempt linter fix Signed-off-by: aklevans <alexklevans@gmail.com> * Fix linter issues stemming from windows line breaks Signed-off-by: aklevans <alexklevans@gmail.com> * Remove magic number and rename variable to be more accurate Signed-off-by: aklevans <alexklevans@gmail.com> --------- Signed-off-by: aklevans <alexklevans@gmail.com> Signed-off-by: aklevans <105876795+aklevans@users.noreply.github.com> |
||
Raghav Kaul
|
77dce6fbef
|
⚠️ Add ProjectPackageVersions to raw data collection (#4104)
* add projectpackageversions to signed releases raw results Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * add mocks Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * fix tests Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * rename Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * Update runScorecard Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * pass depsdevclient to scdiff Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * error handling Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * make Host() return domain only Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * lint Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * address cr comments Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> |
||
|
Raghav Kaul
|
32b5963766
|
⚠️ Add projectclient to cli and cron, update runscorecard (#4096)
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> |
||
Gabriela Gutierrez
|
8789bbbbfc
|
⚠️ Add initial Maintainers Annotation parsing (#3905)
* feat: Get maintainers annotation from repo This commits adds functionality to read a scorecard.yml file from a repository and parse it to get the maintainers annotation. It introduces the concepts of exemptions, annotations, annotated checks, and annotation reasons. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * feat: Hand off maintainers annotation for SARIF Hnad off maintainers annotation to SARIF formatting so it can decide to skip or not skip checks when creating the output. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * feat: If check is annotated, skip in SARIF output Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * feat: Add other annotation reasons Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * feat: Add options to show maintainers annotations in output Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * feat: Output maintainers annotations in JSON Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Remove unnecessary maintainers annotation param in SARIF Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * feat: Output maintainers annotations in string default result This commit changes how data is appended to the table rows. Previously, we defined the table columns size and added information to each index. To avoid complicating the calculation of the index now that we are adding another optional column, the data is appended to the row as needed. Also, the maintainers annotation was chosen to be displayed as last column to give space for Scorecard official reasoning and documentation to appear first. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * feat: Ignore annotation if check has max score Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * doc: Add documentation for maintainers annotation Introduce what flag should be used to show maintainers annotation and how to configure maintainers annotation for your repository. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * refactor: A maintainers annotation obj can verify if a check is exempted Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * refactor: Get annotations function can be private Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * refactor: Find scorecard.yml file in the repository's root Change to "GetFileContent" method since we're looking for a specific file instead of using "OnMatchingFileContentDo" method that looks files with a specific content. This also removes the dependency from "checks/fileparser". This is necessary to move "IsCheckExempted" to checker. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: A check should know if it's exempted or not Moving the verification "IsCheckExempted" from maintainers_annotation package to checker package. This way a check result will define, consulting maintainers annotation, if it is exempted or not. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Maintainers annotation can only be used in experimental mode Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Ignore if scorecard.yml does not exist Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Remove unnecessary maintainers annotation param Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Move complete mantainers annotation doc to feature folder Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Error logs Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * refactor: Rename AnnotationReason to Reason Avoid repetition in variable references. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * refactor: Reason documentation Redo reason documentation as a switch case to be called when necessary instead of defining a global map. Another reason to redo this logic as switch is that switch should be more performatic then instantiating a local map. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * refactor: Rename ScorecardYml to ScorecardConfig This is a better generic name to reference Scorecard configuration file and leave the file format for the implementation. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Check name comparison The EqualFold comparison is already case insensitive. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * refactor: Rename maintainers annotation folder/file to config Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * refactor: Rename and simplify parsing the config Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * refactor: Check parses its reasons Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Is check exempted Fix config struture renaming and collect all annotation reasons for a check. Don't stop in the first annotation that the check is exempted. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * refactor: Rename maintainers annotation to annotations Renaming flags, function params, docs and fixing config renamings. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * refactor: Separate annotations content from config parsing Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Omit empty annotations in JSON results Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * refactor: Read config file content Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * refactor: JSON2 result options Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * refactor: String result options Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Mock GetFileReader Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Annotation on Binary-Artifacts check Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * feat: Validate annotated checks Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Annotating all checks Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * feat: Validate annotated reasons Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Annotating all reasons Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Multiple annotations Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Binary-Artifacts exempted for testing Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Binary-Artifacts not exempted Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: No checks exempted Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Exemption is outdated Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Improve reasons error comparison Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Multiple exemption reasons in a single annotation Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Multiple exemption reasons across annotations Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: cmd show annotations flag doc Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Add show annotations flag Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Remove unnecessary function Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Annotations string format Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Annotations json format Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Linter fallthrough Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Linter imports Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Linter unnecessart struct type declaration Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Linter append combine Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Linter struct memory Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Linter improve error msg in run scorecard Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Linter dynamic errors Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Disable security alerts on SARIF output Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Redirect to configuration doc on main README Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Invalid check in annotations Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Invalid reason in annotations Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Exempt check on SARIF output clears runs Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Add check1 annotations json Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: On parse error return empty config file not a "dirty" one Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: On parse config error continue execution We log the error to the user but continue execution with empty config. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Merge conflics importing rules Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Readd is experimental enabled method This method is necessary to validate if experimental feature is enabled so it can activate show annotations feature. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * feat: Wrap config parse under experimental flag Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix unit test by removing unused mock call Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> |
||
Case Wylie
|
39e968dceb
|
⚠️ errors in ErrXXX format (#4040)
Signed-off-by: Case Wylie <cmwylie19@defenseunicorns.com> |
||
|
Spencer Schrock
|
0b9dfb656f
|
⚠️ Replace v4 module references with v5 (#4027)
Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
dependabot[bot]
|
bf18c27508
|
🌱 Bump github.com/golangci/golangci-lint from 1.56.2 to 1.57.1 in /tools (#3966)
* 🌱 Bump github.com/golangci/golangci-lint in /tools Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.56.2 to 1.57.1. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](https://github.com/golangci/golangci-lint/compare/v1.56.2...v1.57.1) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * remove unused wrapcheck nolint directives wrapcheck v2.8.3 includes a fix for false positives in func literals. Signed-off-by: Spencer Schrock <sschrock@google.com> * satisfy assignOp gocritic linter Signed-off-by: Spencer Schrock <sschrock@google.com> * convert const regex to MustCompile included at package level to ensure regex compiles at build time. These could stay as func regexes if desired, but we'd need test coverage for the piper code so we know we wont panic Signed-off-by: Spencer Schrock <sschrock@google.com> * satisfy unslice linter Signed-off-by: Spencer Schrock <sschrock@google.com> * satisfy wrapperFunc linter This seems like a nice readability change anyway Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Spencer Schrock <sschrock@google.com> |
||
|
dependabot[bot]
|
b31449017e
|
🌱 Bump github.com/golangci/golangci-lint from 1.55.2 to 1.56.1 in /tools (#3867)
* 🌱 Bump github.com/golangci/golangci-lint in /tools Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.55.2 to 1.56.1. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](https://github.com/golangci/golangci-lint/compare/v1.55.2...v1.56.1) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * autofix linter errors with make fix-linter Signed-off-by: Spencer Schrock <sschrock@google.com> * move musttag nolint directives to encode location this was changed in v0.8.0 of the musttag linter. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Spencer Schrock <sschrock@google.com> |
||
Josh Soref
|
3b948257fc
|
📖 Fix spelling (#3804)
* spelling: accurate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: administrator Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: analyze Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: andtwenty Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: ascii Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: association Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: at least Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: attestor Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: barbaric Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: bucket Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: by Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: can Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: case-insensitive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: case-sensitive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: checking Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: command-line Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: commit Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: committed Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: conclusion Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: corresponding Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: created Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dataset Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: default Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: defines Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dependabot Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dependency Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: depending Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: desired Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: different Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: disclose Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: download Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: each Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: enforce Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: every time Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: exist Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: existing Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: fields Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: files Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: for Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: force-push Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: github Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: gitlab Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: ignoreed Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: implementation Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: implements Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: increase Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: indicates Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: initialized Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: instructions Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: invalid Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: marshal Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: match Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: name Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: nonexistent Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: organization Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: package Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: provenance Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: query Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: readers Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: receive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: registered Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: remediate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: representation Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: requests Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: requires Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: return Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: scorecard Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: separator Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: serialization Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: sign up Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: specifications Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: specified Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: success Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: successfully Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: the Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: their Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: twenty Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unexpected Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unused Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unverified Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: validate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vendor Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vulnerabilities Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vulns Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: will Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: without Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: workflow Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: workflows Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --------- Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> |
||
AdamKorcz
|
3ce1daa74a
|
🌱 Add probes to main call (#3688)
* 🌱 Add probes to main call
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linter issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* add test
Signed-off-by: AdamKorcz <adam@adalogics.com>
* add test coverage
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* WIP
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change comment for 'ExperimentalRunProbes'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix linter issues
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* make only one in root.go
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* relocate printing of output
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove FormatPJSON
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* reduce complexity of rootCmd
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* assign findings in runEnabledProbes
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change name of probe map
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* unwrap error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
|
||
|
Spencer Schrock
|
d882fc73e1
|
🌱 re-enable paralleltest linter (#3705)
Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
1625b0c578
|
🌱 Disable more style linters for test files (#3707)
* disable lll linter for test files * disable goerr113 linter for tests * disable wrapcheck linter for tests * fix easy linter issues in tests --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
92470deac3
|
🌱 enable nolintlint linter and fix violations (#3650)
* enable nolintlint Signed-off-by: Spencer Schrock <sschrock@google.com> * first chunk of fixing nolintlint Signed-off-by: Spencer Schrock <sschrock@google.com> * second chunk of fixing nolintlint Signed-off-by: Spencer Schrock <sschrock@google.com> * third chunk of fixing nolintlint Signed-off-by: Spencer Schrock <sschrock@google.com> * fourth chunk of fixing nolintlint Signed-off-by: Spencer Schrock <sschrock@google.com> * include reason for the specific linter config Signed-off-by: Spencer Schrock <sschrock@google.com> * fifth chunk of fixing nolintlint Signed-off-by: Spencer Schrock <sschrock@google.com> * fix linter errors that are somehow still triggering Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
288319ad12
|
🌱 scdiff: Add workflow to run scdiff against PRs on demand (#3640)
* wip Signed-off-by: Spencer Schrock <sschrock@google.com> * try to use jq without quotes Signed-off-by: Spencer Schrock <sschrock@google.com> * try to make file another way. Signed-off-by: Spencer Schrock <sschrock@google.com> * try using homedir Signed-off-by: Spencer Schrock <sschrock@google.com> * add github token to env Signed-off-by: Spencer Schrock <sschrock@google.com> * add link to workflow run Signed-off-by: Spencer Schrock <sschrock@google.com> * make comment its own job Signed-off-by: Spencer Schrock <sschrock@google.com> * fix typo in job context Signed-off-by: Spencer Schrock <sschrock@google.com> * typo part 2 Signed-off-by: Spencer Schrock <sschrock@google.com> * use github-script to get PR SHAs. Signed-off-by: Spencer Schrock <sschrock@google.com> * need to go through one more type to get to API response. Signed-off-by: Spencer Schrock <sschrock@google.com> * temporarily use monitor action to see the required permissions Signed-off-by: Spencer Schrock <sschrock@google.com> * spacing is hard Signed-off-by: Spencer Schrock <sschrock@google.com> * remove monitor and apply minimal permissions the read-all at the top might be too broad, but the monitor doesnt support graphql so best we can do for now. Signed-off-by: Spencer Schrock <sschrock@google.com> * try to set the checks Signed-off-by: Spencer Schrock <sschrock@google.com> * read the comment body Signed-off-by: Spencer Schrock <sschrock@google.com> * try to get around regex syntax error? Signed-off-by: Spencer Schrock <sschrock@google.com> * quote comment body Signed-off-by: Spencer Schrock <sschrock@google.com> * we want to pass an empty string to the args Signed-off-by: Spencer Schrock <sschrock@google.com> * fix the regex string Signed-off-by: Spencer Schrock <sschrock@google.com> * rest of repo has upgraded Signed-off-by: Spencer Schrock <sschrock@google.com> * seed 15 repos to analyze to start with Signed-off-by: Spencer Schrock <sschrock@google.com> * support gitlab repos in scdiff Signed-off-by: Spencer Schrock <sschrock@google.com> * rename pr step to config we also need the checks to run, so update the name to reflect that Signed-off-by: Spencer Schrock <sschrock@google.com> * switch from default token to a PAT By default, the GitHub Action token gets 1000 req/hour. If running all checks, the before/after each take about 1100 of core quota A PAT grants 5000/hr so the 2200 required should be fine if used infrequently. Ideally, the caller will always pass the check they care about into the command Signed-off-by: Spencer Schrock <sschrock@google.com> * escape comment body with bash Signed-off-by: Spencer Schrock <sschrock@google.com> * setup go manually Signed-off-by: Spencer Schrock <sschrock@google.com> * don't need to run on comment delete Signed-off-by: Spencer Schrock <sschrock@google.com> * limit scdiff to individuals with repo access Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
a4ee3147a6
|
🌱 bump project minimum Go version to go1.21 (#3661)
* upgrade go.mod to 1.21 Signed-off-by: Spencer Schrock <sschrock@google.com> * use slices from stdlib Signed-off-by: Spencer Schrock <sschrock@google.com> * use max/min builtins Signed-off-by: Spencer Schrock <sschrock@google.com> * multierrors possibly spin this off into its own PR Signed-off-by: Spencer Schrock <sschrock@google.com> * dont call rand.Seed As of Go 1.20, the generator is seeded randomly at startup. https://pkg.go.dev/math/rand#Seed Signed-off-by: Spencer Schrock <sschrock@google.com> * update minimum Go version in documentation Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
2391edfbe1
|
🌱 add style linters: mirror, tenv, usestdlibvars (#3586)
* fix tenv linter and bug with t.Parallel Signed-off-by: Spencer Schrock <sschrock@google.com> * fix usestdlibvars linter Signed-off-by: Spencer Schrock <sschrock@google.com> * fix mirror linter Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
2d9319601e
|
🌱 use forbidigo linter to prevent print statements (#3585)
* enable forbidigo for print statements. include reasoning as message exposed to developer. Signed-off-by: Spencer Schrock <sschrock@google.com> * remove or grant exceptions for existing print statements Signed-off-by: Spencer Schrock <sschrock@google.com> * swap stdout to stderr Signed-off-by: Spencer Schrock <sschrock@google.com> * separate msg from regex for better readability. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
d0cefa519a
|
🌱 enable the golangci-lint bugs preset (#3583)
* enable bugs preset Signed-off-by: Spencer Schrock <sschrock@google.com> * fix noctx linter Signed-off-by: Spencer Schrock <sschrock@google.com> * fix bodyclose linter Signed-off-by: Spencer Schrock <sschrock@google.com> * fix contextcheck linter Signed-off-by: Spencer Schrock <sschrock@google.com> * This ignores all existing cases of musttag linter complaints. This analyzer seems useful in the future, but some of this code is old and I don't want to change it for existing code now. Signed-off-by: Spencer Schrock <sschrock@google.com> * ignore existing nilerr lints. This behavior is from the initial commit, and primarily affects metrics. Leaving as is, and hope to benefit from the linter in the future. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
63fff3c840
|
✨ scdiff: improve compare usability (#3573)
* fallback to cron style when parsing dates. The cron output was never updated in #2712. In the interim, support both formats. Signed-off-by: Spencer Schrock <sschrock@google.com> * continue on first diff, to highlight all differences. Signed-off-by: Spencer Schrock <sschrock@google.com> * tests for date fallback. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
b9bbb8236c
|
🐛 scdiff: fix generate cmd when no --checks arg provided. (#3570)
Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
e1d3abc7fd
|
✨ scdiff: Limit generating results to specific checks (#3535)
* accept checks arg when generating golden. Signed-off-by: Spencer Schrock <sschrock@google.com> * dont shadow import Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
7626a05313
|
✨ scdiff: add basic stats command to count scores by buckets (#3458)
* wip Signed-off-by: Spencer Schrock <sschrock@google.com> * output via tabwriter Signed-off-by: Spencer Schrock <sschrock@google.com> * specify by check. Signed-off-by: Spencer Schrock <sschrock@google.com> * Return aggregate score when unmarshalling. Signed-off-by: Spencer Schrock <sschrock@google.com> * convert from score to bucket in one place. use aggregate score from func Signed-off-by: Spencer Schrock <sschrock@google.com> * fix forgotten usage of ExperimentalFromJSON2 Signed-off-by: Spencer Schrock <sschrock@google.com> * use sentinel errors. Signed-off-by: Spencer Schrock <sschrock@google.com> * move counting to own func for testability Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unneeded fields from results for readability. Signed-off-by: Spencer Schrock <sschrock@google.com> * add test for parse errors. Signed-off-by: Spencer Schrock <sschrock@google.com> * share max result size for any bufio.Scanner which reads results. Signed-off-by: Spencer Schrock <sschrock@google.com> * add basic overall test for calcing stats. Signed-off-by: Spencer Schrock <sschrock@google.com> * make missing file argument generic. Signed-off-by: Spencer Schrock <sschrock@google.com> * validate min args with cobra. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
b0a96fe9e3
|
✨ scdiff: add basic compare functionality (#3363)
* Add unmarshall func. Signed-off-by: Spencer Schrock <sschrock@google.com> * try to parse the details too. Signed-off-by: Spencer Schrock <sschrock@google.com> * Compare skeleton. Signed-off-by: Spencer Schrock <sschrock@google.com> * add basic comparison func. Signed-off-by: Spencer Schrock <sschrock@google.com> * make normalize exported. Signed-off-by: Spencer Schrock <sschrock@google.com> * split compare to separate func. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add experimental diff output. Signed-off-by: Spencer Schrock <sschrock@google.com> * clarify expected format. Signed-off-by: Spencer Schrock <sschrock@google.com> * Handle multiple repo results in files. Signed-off-by: Spencer Schrock <sschrock@google.com> * add tests for compare. Signed-off-by: Spencer Schrock <sschrock@google.com> * clean up result loading logic. Signed-off-by: Spencer Schrock <sschrock@google.com> * add doc comments for advancescanners. Signed-off-by: Spencer Schrock <sschrock@google.com> * clarify file error string. Signed-off-by: Spencer Schrock <sschrock@google.com> * add high level instructions for the command. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
joshgc
|
9a844abbba
|
✨ Increase PyPI parsing flexibility (#3423)
* Make PyPI parsing more flexible to find any github or gitlab url, and hope its unique Signed-off-by: Josh Cogan <joshgc@google.com> * Refactor the addRepo to not pass around a mutable object. Tweak a test to support gitlab better Signed-off-by: Josh Cogan <joshgc@google.com> * Ignore users called sponsors for github repos. Remove the set and just check there is a single valid url Signed-off-by: Josh Cogan <joshgc@google.com> * Remove unneeded variables and code Signed-off-by: Josh Cogan <joshgc@google.com> * Reducing indentation Signed-off-by: Josh Cogan <joshgc@google.com> * Make github url path parts case insensitive and use more explicit suffix filter to remove .git Signed-off-by: Josh Cogan <joshgc@google.com> * Appease the linter--may its wisdown never wane. Signed-off-by: Josh Cogan <joshgc@google.com> * CamelCase -> camelCase to prevent export Signed-off-by: Josh Cogan <joshgc@google.com> * Add test and allowance for gitlab to also be case insensitive Signed-off-by: Josh Cogan <joshgc@google.com> * hub vs lab typo Signed-off-by: Josh Cogan <joshgc@google.com> --------- Signed-off-by: Josh Cogan <joshgc@google.com> |
||
|
Spencer Schrock
|
9aefbba150
|
✨ scdiff: add output flag to generate (#3341)
* Write to file if --output specified. Signed-off-by: Spencer Schrock <sschrock@google.com> * add tests for generate. Signed-off-by: Spencer Schrock <sschrock@google.com> * Keep the file stuff in the cobra command. Signed-off-by: Spencer Schrock <sschrock@google.com> * add doc to generate. Signed-off-by: Spencer Schrock <sschrock@google.com> * fix linter, parallelize test. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add tracking issue. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
b829961fff
|
✨ scdiff: normalize scorecard results (#3294)
* Normalize results. Signed-off-by: Spencer Schrock <sschrock@google.com> * add tests for standardized output format Signed-off-by: Spencer Schrock <sschrock@google.com> * move comment to proper place. Signed-off-by: Spencer Schrock <sschrock@google.com> * add comment about pretty print. Signed-off-by: Spencer Schrock <sschrock@google.com> * format test can be parallel. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add normalize nil test. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
8d865ff041
|
✨ scdiff: generate cmd skeleton (#3275)
* add scdiff root command Signed-off-by: Spencer Schrock <sschrock@google.com> * Add generate boilerplate. Signed-off-by: Spencer Schrock <sschrock@google.com> * get rid of init Signed-off-by: Spencer Schrock <sschrock@google.com> * read newline delimitted repo file Signed-off-by: Spencer Schrock <sschrock@google.com> * Run scorecard and echo results. Signed-off-by: Spencer Schrock <sschrock@google.com> * add license Signed-off-by: Spencer Schrock <sschrock@google.com> * add basic runner tests. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add Runner comment. Signed-off-by: Spencer Schrock <sschrock@google.com> * switch to using scorecard logger. Signed-off-by: Spencer Schrock <sschrock@google.com> * linter fix Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
Avishay Balter
|
8c9e552f68
|
✨ add --nuget package manager flag (#3020)
* add nuget package manager Signed-off-by: Avishay <avishay.balter@gmail.com> * fix pat test messages (#2987) * also fix pat tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump slsa-framework/slsa-github-generator from 1.5.0 to 1.6.0 Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.5.0 to 1.6.0. - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump cloud.google.com/go/bigquery from 1.51.1 to 1.51.2 (#2984) Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.51.1 to 1.51.2. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.51.1...bigquery/v1.51.2) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang.org/x/tools from 0.9.0 to 0.9.1 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.0 to 0.9.1. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.9.0...v0.9.1) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🐛 Update osv-scanner dependency to include Vulnerabilities check fixes (#2981) * Update osv-scanner dependency to include Vulnerabilities check fixes Signed-off-by: Laurent Savaëte <laurent@where.tf> * Run go mod tidy Signed-off-by: Laurent Savaëte <laurent@where.tf> --------- Signed-off-by: Laurent Savaëte <laurent@where.tf> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/docker/distribution in /tools (#2993) Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible. - [Release notes](https://github.com/docker/distribution/releases) - [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2) --- updated-dependencies: - dependency-name: github.com/docker/distribution dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Gitlab: e2e test fixes in main (#2992) * test secret chagnes Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update score Signed-off-by: Raghav Kaul <raghavkaul@google.com> * address cr comments Signed-off-by: Raghav Kaul <raghavkaul@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Unit tests log/log.go (#2980) - Add unit tests for the log package - Add Apache License to log_test.go Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/cloudflare/circl in /tools (#2995) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.2.0 to 1.3.3. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.2.0...v1.3.3) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * ✨ Add releasing workflow for semantic-release (#2989) Signed-off-by: Matt Travi <programmer@travi.org> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump slsa-framework/slsa-verifier from 2.2.0 to 2.3.0 Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.2.0 to 2.3.0. - [Release notes](https://github.com/slsa-framework/slsa-verifier/releases) - [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md) - [Commits](https://github.com/slsa-framework/slsa-verifier/compare/v2.2.0...v2.3.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-verifier dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#2994) Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.1.0 to 1.3.3. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.1.0...v1.3.3) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Additional e2e clients/githubrepo/checkruns.go (#2934) * 🌱 Additional e2e clients/githubrepo/checkruns.go - Add `net/http` and `github.com/google/go-github/v38/github` imports - Add a test for `listCheckRunsForRef` with valid ref - Add a test for `listCheckRunsForRef` with invalid ref Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Based on code review comments Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Some tweaks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 E2E for clients/githubrepo/contributors.go (#2939) * 🌱 E2E for clients/githubrepo/contributors.go - Add an end-to-end test for `contributorsHandler` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed based on code review comments. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Fixed codereview comment. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 📖 Clarify that AI/ML doesn't count as human code review (#2953) * Clarify that AI/ML doesn't count as human code review Add this clarification per the Scorecards Zoom call meeting today (2023-05-04). Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> * Tweaked per review Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> --------- Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang from `31a8f92` to `685a22e` in /cron/internal/cii Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang in /cron/internal/controller Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang in /cron/internal/worker Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang in /clients/githubrepo/roundtripper/tokens/server Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang from `31a8f92` to `685a22e` Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang from `31a8f92` to `685a22e` in /cron/internal/bq Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang in /cron/internal/webhook Bumps golang from `31a8f92` to `685a22e`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * Clarify AI/ML not human code review - in .yml file (#3012) This clarifies that AI/ML doesn't count as human code review. This was earlier done in #2953 but that didn't modify the relevant .yml file - this does. Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#3005) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.7.0 to 0.8.0. - [Commits](https://github.com/golang/oauth2/compare/v0.7.0...v0.8.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Unit tests for checks/raw/maintained.go (#2996) - Add tests and checks for the `Maintained` function - Add checks for `IsArchived`, `ListCommits`, `ListIssues`, and `GetCreatedAt` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 in /tools Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com> * 🌱 Bump actions/setup-go from 4.0.0 to 4.0.1 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits]( |
||
laurentsimon
|
ed556949d8
|
✨ Support for GitHub's internal integration (#2773)
* update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com> |
||
|
Spencer Schrock
|
61866a06c9
|
🐛 Check OSS Fuzz build file for Fuzzing check (#2719)
* Check OSS-Fuzz using project list Signed-off-by: Spencer Schrock <sschrock@google.com> * Use clients.RepoClient interface to perform the new OSS Fuzz check Signed-off-by: Spencer Schrock <sschrock@google.com> * wip: add eager client for better repeated lookup of projects Signed-off-by: Spencer Schrock <sschrock@google.com> * Split lazy and eager behavior into different implementations. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add tests and benchmarks Signed-off-by: Spencer Schrock <sschrock@google.com> * Switch to always parsing JSON to determine if a project is present. The other approach of looking for a substring match would lead to false positives. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add eager constructor to surface status file errors sooner. Signed-off-by: Spencer Schrock <sschrock@google.com> * Switch existing users to new OSS Fuzz client Signed-off-by: Spencer Schrock <sschrock@google.com> * Mark old method as deprecated in the godoc Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unused comment. Signed-off-by: Spencer Schrock <sschrock@google.com> * Use new OSS Fuzz client in e2e test. Signed-off-by: Spencer Schrock <sschrock@google.com> * fix typo. Signed-off-by: Spencer Schrock <sschrock@google.com> * Fix potential path bug with test server. Signed-off-by: Spencer Schrock <sschrock@google.com> * Force include the two JSON files which were being ignored by .gitignore Signed-off-by: Spencer Schrock <sschrock@google.com> * trim the status json file Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
laurentsimon
|
61077863b4
|
🐛 license check accumulates results (#2534)
* update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: laurentsimon <laurentsimon@google.com> |
||
Arnaud J Le Hors
|
2169bc44c7
|
Use new project name in Copyright notices (#2505)
Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com> Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com> |
||
|
Arnaud J Le Hors
|
c3f4e31c28
|
📖 Use scorecard (singular) consistently (#2428)
* Use scorecard (singular) consistently * Use OpenSSF instead of Security in name and add FAQ entry |
||
Latortuga
|
f9f910d437
|
✨ Commit depth feature (#2407)
* 🌱 Bump actions/dependency-review-action from 2.4.1 to 2.5.1 Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.1 to 2.5.1. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits]( |
||
Azeem Shaikh
|
a6983edf6e
|
Fix failing linters (#2281)
Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com> Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com> |
||
|
Spencer Schrock
|
d6bef98844
|
Wrap check errors with distinct error for scorecard-action to ignore. (#2250)
Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
Naveen
|
10b6052acf
|
🌱 Upgrade to go 1.18 (#2143)
* 🌱 Upgrade to go 1.18
- Upgrade to go 1.18
- Updated the deps to avoid critical CVE's
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Updated dockerfile.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed the linter issues.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed the CVE dependencies
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Rmoved the cache which is changing between 1.17 and 1.18
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Rmoved the cache which is changing between 1.17 and 1.18
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Updated ko to latest
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed linter issue.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed linter issue.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
|
||
|
Spencer Schrock
|
8de962e91d
|
✨ Scorecard returns a non-zero exit code if any check has a runtime error (#2133)
* return a non-zero exit code if any check has a runtime error * Fix existing usage of runtime vs inconclusive errors |
||
|
Spencer Schrock
|
2fa6bc2885
|
🌱 Limit access to registered checks (#2134)
* Limit access to registered checks except through GetAll() and GetAllForEnvironment() * Switch names to GetAll and GetAllWithExperimental. Change webhook check to use SCORECARD_EXPERIMENTAL Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com> |
||
|
Arnaud J Le Hors
|
6d79817e3b
|
📖 Fix command Usage (#1814)
This changes the cmd Usage text to accurately represents the
supported syntax:
Usage:
./scorecard (--repo=<repo> | --local=<folder> | --{npm,pypi,rubygems}=<package_name>)
[--checks=check1,...] [--show-details] [flags]
...
--repo string repository to check (valid inputs: "owner/repo", "github.com/owner/repo", "https://github.com/owner/repo")
...
Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
|
||
|
laurentsimon
|
815de5c351
|
Propagate error in log (#1875) | ||
|
dependabot[bot]
|
66b3d8ce5c
|
🌱 Bump github.com/golangci/golangci-lint from 1.44.2 to 1.45.0 in /tools (#1757)
* 🌱 Bump github.com/golangci/golangci-lint in /tools Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.44.2 to 1.45.0. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](https://github.com/golangci/golangci-lint/compare/v1.44.2...v1.45.0) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * golangci-lint: Surface and fix as many lint warnings automatically Signed-off-by: Stephen Augustus <foo@auggie.dev> * generated: Run golangci-lint with `fix: true` Signed-off-by: Stephen Augustus <foo@auggie.dev> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Stephen Augustus <foo@auggie.dev> |
||
|
laurentsimon
|
b1ab16e80f
|
✨ Add raw results to cron scans (#1741)
* draft * updates * updates * updates * updates * updates * comments * comments * comments * comments * comments * comments |
||
|
naveensrinivasan
|
7d1795384c |
Fixed the path of the generated mock files.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> |
||
|
naveensrinivasan
|
1995bc3b9c |
🌱 Refactor to make it testable
- Related to https://github.com/ossf/scorecard/issues/1568 Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> |
||
Stephen Augustus (he/him)
|
3070b3ca1b
|
✨ cmd: Allow new scorecard to be instantiated with options (#1703)
* cmd: Allow new scorecard commands to be instantiated with options * options: Default flags to struct field values * options: Use constants for flag names * options: Simplify SARIF check Signed-off-by: Stephen Augustus <foo@auggie.dev> |
||
|
Stephen Augustus (he/him)
|
84cdc8cbec
|
✨ cmd: Refactor to make importable (#1696)
* cmd: Refactor to make importable * options: Add support for parsing via environment variables * options: Support setting feature flags via option * cmd: Replace `version` with sigs.k8s.io/release-utils/version * cmd: Move option validation into pre-run function Signed-off-by: Stephen Augustus <foo@auggie.dev> |
||
|
Stephen Augustus (he/him)
|
7956ff4fe7
|
✨ Miscellaneous refactors to ease downstream consumption (#1645)
* checker: Add `NewLogger` constructor for `DetailLogger` impl * checker: Add `NewRunner` constructor for `Runner` * cmd: Update to use refactored packages * cmd: Move command flags and validation into an `options` package * cmd: Move client accessors to `githubrepo` package * cmd: Move policy and enabled checks to `policy` package * cmd: Move results formatting to `format` package * checker: Prefer `Set` prefixes for setters * checker: Use `DetailLogger` return value for `NewLogger()` * checker: Add `GetClients` accessor * Move `FormatResults` to `pkg/` * checks: Add getter for all checks Signed-off-by: Stephen Augustus <foo@auggie.dev> |
||
|
Azeem Shaikh
|
674146ca3c
|
Make verbosity levels case insensitive (#1650)
Co-authored-by: Azeem Shaikh <azeems@google.com> |