* 🌱 Bump github.com/goreleaser/goreleaser in /tools (#3238)
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.18.2 to 1.19.1.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](https://github.com/goreleaser/goreleaser/compare/v1.18.2...v1.19.1)
---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* begin implementing probe: minTwoCodeReviewers
Signed-off-by: André Backman <andre.backman@nokia.com>
* print raw results
Signed-off-by: André Backman <andre.backman@nokia.com>
* print raw results
Signed-off-by: André Backman <andre.backman@nokia.com>
* print raw results
Signed-off-by: André Backman <andre.backman@nokia.com>
* rename probe directory: minimumCodeReviewers
Signed-off-by: André Backman <andre.backman@nokia.com>
* rename probe CodeReviewers
Signed-off-by: André Backman <andre.backman@nokia.com>
* rename import for CodeReviewers probe
Signed-off-by: André Backman <andre.backman@nokia.com>
* update code reviewers definition
Signed-off-by: André Backman <andre.backman@nokia.com>
* update code reviewers implementation; fixed embed FS usage
Signed-off-by: André Backman <andre.backman@nokia.com>
* printing all findings, work out where to concatenate them
Signed-off-by: André Backman <andre.backman@nokia.com>
* concatenated findings to one single finding, outcome is based on the least found unique reviewers
Signed-off-by: André Backman <andre.backman@nokia.com>
* refactored uniqueCodeReviewers probe, needs more error checks
Signed-off-by: André Backman <andre.backman@nokia.com>
* add error handling for cases of non-existant author and/or reviewer logins
Signed-off-by: André Backman <andre.backman@nokia.com>
* add error handling for cases of non-existant author and/or reviewer logins
Signed-off-by: André Backman <andre.backman@nokia.com>
* rename probe
Signed-off-by: André Backman <andre.backman@nokia.com>
* update codeReviewTwoReviewers definition
Signed-off-by: André Backman <andre.backman@nokia.com>
* rename unique code reviewers probe
Signed-off-by: André Backman <andre.backman@nokia.com>
* implement codeApproved probe, validation of reviews needs fixing
Signed-off-by: André Backman <andre.backman@nokia.com>
* update codeApproved probe, validation of reviews needs fixing
Signed-off-by: André Backman <andre.backman@nokia.com>
* working version of codeApproved probe
Signed-off-by: André Backman <andre.backman@nokia.com>
* codeReviewed probe implemented
Signed-off-by: André Backman <andre.backman@nokia.com>
* clean up comments, add imports, run all probes
Signed-off-by: André Backman <andre.backman@nokia.com>
* update license comments
Signed-off-by: André Backman <andre.backman@nokia.com>
* Update def.yml license
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update def.yml license
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update def.yml license
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update impl.go license
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update impl.go license to Apache 2
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update impl.go license to Apache 2
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update code_review.go license
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update entries.go; CodeReviewChecks now called CodeReview
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update impl.go, refactor codeReviewTwoReviewers; moved utility functions into impl.go
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Delete code_review.go utilities
moved utility functions to the impl.go they are used in
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* rename probe
Signed-off-by: André Backman <andre.backman@nokia.com>
* update codeReviewTwoReviewers definition
Signed-off-by: André Backman <andre.backman@nokia.com>
* implement codeApproved probe, validation of reviews needs fixing
Signed-off-by: André Backman <andre.backman@nokia.com>
* update codeApproved probe, validation of reviews needs fixing
Signed-off-by: André Backman <andre.backman@nokia.com>
* working version of codeApproved probe
Signed-off-by: André Backman <andre.backman@nokia.com>
* codeReviewed probe implemented
Signed-off-by: André Backman <andre.backman@nokia.com>
* clean up comments, add imports, run all probes
Signed-off-by: André Backman <andre.backman@nokia.com>
* update license comments
Signed-off-by: André Backman <andre.backman@nokia.com>
* update license comments
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Included unit tests (#3242)
- Included unit tests
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump golang.org/x/text from 0.10.0 to 0.11.0 (#3243)
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.10.0 to 0.11.0.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](https://github.com/golang/text/compare/v0.10.0...v0.11.0)
---
updated-dependencies:
- dependency-name: golang.org/x/text
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump golang.org/x/oauth2 from 0.9.0 to 0.10.0 (#3244)
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.9.0 to 0.10.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.9.0...v0.10.0)
---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 📖 Update Branch-Protection admin and non-admin requirements (#2772)
* docs: Branch protection admin-only requirements
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Branch protection requirements by tier
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: How get a perfect score in branch protection
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Fix local images ref in doc
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Fix typo
Co-authored-by: Pedro Nacht <pedro.k.night@gmail.com>
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Fix check specific table of contents
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Code owners setting is non admin
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Fix branch protection applied not only to main branch
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Add alt text for images
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: You can get a perfect score with non admin access
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: update max tier scores
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: update tier 1 max points explanation
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Move changes to internal checks doc
Move changes done in docs/checks.md to docs/checks/internal/checks.yaml.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Revert changes on checks doc
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Fix admin settings evaluated on branch protection
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Change branch protection model status checks
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Change tiers score to expected score
The expected score for the code to output is 3/10 for Tier 1 case and 7/10 for Tier 3 case. The scoring issue will be reported as bug.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Fix Tier 3 score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
---------
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
Co-authored-by: Pedro Nacht <pedro.k.night@gmail.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Linter workflow cleanup (#3247)
* Fix linter timeout by renaming deprecated deadline.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Disable depguard linter.
As of golangci-lint v3.5.0, the depguard linter is complaining. We don't use a .depguard.yml file, so just disabling the linter.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Move linter into own workflow.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Fix bash command substitution.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add harden runner.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* switch names to existing linter job
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Update golangci-lint to v1.53.3
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump tj-actions/changed-files from 37.0.5 to 37.1.0 (#3253)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.0.5 to 37.1.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](54849deb96...87e23c4c79)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump github.com/goreleaser/goreleaser in /tools (#3252)
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.19.1 to 1.19.2.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](https://github.com/goreleaser/goreleaser/compare/v1.19.1...v1.19.2)
---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump golang.org/x/tools from 0.10.0 to 0.11.0
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.10.0 to 0.11.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.10.0...v0.11.0)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Improve rate limit handling in roundtripper (#3237)
- Add rate limit testing and handling functionality
- Add tests for successful response and Retry-After header set scenarios
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump tj-actions/changed-files from 37.1.0 to 37.1.1 (#3259)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.0 to 37.1.1.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](87e23c4c79...1f20fb83f0)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump github.com/bradleyfalzon/ghinstallation/v2 (#3260)
Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.5.0 to 2.6.0.
- [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases)
- [Commits](https://github.com/bradleyfalzon/ghinstallation/compare/v2.5.0...v2.6.0)
---
updated-dependencies:
- dependency-name: github.com/bradleyfalzon/ghinstallation/v2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱Add urls for opentelemetry, micrometer and new relic to weekly cron (#3248)
* add urls for opentelemetry and micrometer
Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com>
* add jakarta-activation url
Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com>
* adding json-path
Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com>
* fix uing make
Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com>
---------
Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🐛 Add npm installs to Pinned-Dependencies score (#2960)
* feat: Add npm install to pinned dependencies score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix pinned dependencies evaluation tests
Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, for "various wanrings" test, the total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix pinned dependencies e2e tests
Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. The repo being tested, ossf-tests/scorecard-check-pinned-dependencies-e2e, has third-party GitHub actions pinned, no npm installs, and all other dependencies types are unpinned. This gives us 8 for actionScore, 10 for npmScore and 0 for all other scores. Previously the total score was 8/5~=1, and now the total score is 18/6=3. Also, since there are no npm installs, there's one more Info log for "npm installs are pinned".
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix typo
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Unpinned npm install score
When having one unpinned npm install and all other dependencies pinned, the score should be 50/6~=8. Also, it should raise 1 warning for the unpinned npm install, 6 infos saying the other dependency types are pinned (2 for GHAs, 2 for dockerfile image and downdloads, 1 for script downdloads and 1 for pip installs), and 0 debug logs since the npm install dependency does not have an error message.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Undefined npm install score
When an error happens to parse a npm install dependency, the error/debug message is saved in "Msg" field. In this case, we were not able to define if the npm install is pinned or not. This dependency is classified as pinned undefined. We treat such cases as pinned cases, so it logs as Info that npm installs are all pinned and counts the score as 10. Then, the final score makes it to 10 as well. Since it logs the error/debug message, the Debug log goes to 1.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix typo
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Fix "validate various warnings and info" test
Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, this test total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: npm dependencies pinned log
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* test: Remove test of error when parsing an npm dependency
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
---------
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump github.com/moby/buildkit from 0.11.6 to 0.12.0 (#3264)
Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.11.6 to 0.12.0.
- [Release notes](https://github.com/moby/buildkit/releases)
- [Commits](https://github.com/moby/buildkit/compare/v0.11.6...v0.12.0)
---
updated-dependencies:
- dependency-name: github.com/moby/buildkit
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* Ack linter warning and add tracking issue. (#3263)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🐛 Forgive job-level permissions (#3162)
* Forgive all job-level permissions
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Update tests
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Replace magic number
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Rename test
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Test that multiple job-level permissions are forgiven
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Drop unused permissionIsPresent
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Update documentation
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Modify score descriptions
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Document warning for job-level permissions
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* List job-level permissions that get WARNed
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
---------
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🐛 Fix typo (#3267)
Signed-off-by: Eugene Kliuchnikov <eustas@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 📖 Suggest new score viewer on badge documentation (#3268)
* docs(readme): suggest new score viewer on badge documentation
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* docs(readme): add link to ossf blogpost about the badge
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* docs: update badge of our own README to the new viewer
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
---------
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump tj-actions/changed-files from 37.1.1 to 37.1.2 (#3266)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.1 to 37.1.2.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](1f20fb83f0...2a968ff601)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Update the cover profile for e2e (#3271)
- Update the cover profile for e2e
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Improve e2e workflow tests (#3273)
- Add e2e test for workflow runs
- Retrieve successful runs of the scorecard-analysis.yml workflow
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Excluded dependabot from codecov (#3272)
- Exclude dependabot from codecov job in main.yml
[.github/workflows/main.yml]
- Exclude dependabot from codecov job
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Increase test coverage for searching commits (#3276)
- Add an e2e test for searching commits by author
- Search commits by author `dependabot[bot]` and expect results
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🐛 Fix Branch-Protection scoring (#3251)
* fix: Verify if branch is required to be up to date before merge
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Comment tracking GraphQL bug
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Add validation if pointers are not null before accessing the values
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Delete debug log file
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
---------
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* ✨ scdiff: generate cmd skeleton (#3275)
* add scdiff root command
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add generate boilerplate.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* get rid of init
Signed-off-by: Spencer Schrock <sschrock@google.com>
* read newline delimitted repo file
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Run scorecard and echo results.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add license
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add basic runner tests.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add Runner comment.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* switch to using scorecard logger.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* linter fix
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Delete unused project-update functionality. (#3269)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump tj-actions/changed-files from 37.1.2 to 37.3.0 (#3280)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.2 to 37.3.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](2a968ff601...39283171ce)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump github.com/google/osv-scanner from 1.3.5 to 1.3.6 (#3281)
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.5 to 1.3.6.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/compare/v1.3.5...v1.3.6)
---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump gocloud.dev from 0.30.0 to 0.32.0 (#3284)
Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.30.0 to 0.32.0.
- [Release notes](https://github.com/google/go-cloud/releases)
- [Commits](https://github.com/google/go-cloud/compare/v0.30.0...v0.32.0)
---
updated-dependencies:
- dependency-name: gocloud.dev
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Include attestor Dockerfile in CI and dependabot updates (#3285)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump tj-actions/changed-files from 37.3.0 to 37.4.0
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.3.0 to 37.4.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](39283171ce...de0eba3279)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump google-appengine/debian11 in /attestor
Bumps google-appengine/debian11 from `fed7dd5` to `97dc4fb`.
---
updated-dependencies:
- dependency-name: google-appengine/debian11
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump github.com/xanzy/go-gitlab from 0.86.0 to 0.88.0
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.86.0 to 0.88.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.86.0...v0.88.0)
---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Use a matrix for docker image building (#3290)
* working matrix.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Remove unneeded env vars. Add comments.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* minor syntax change.
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Improve e2e workflow tests (#3282)
- Ensure that only head queries are supported in workflow tests
- Add a test to detect when a non-existent workflow file is used
[e2e/workflow_test.go]
- Add a test to check that only head queries are supported
- Add a test to check that a non-existent workflow file returns an error
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Use a matrix for when building binaries in main.yml (#3291)
* Use matrix for build jobs.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* These build targets dont seem to need protoc.
This lets us save the API quota.
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Fix hanging docker jobs for doc only changes. (#3292)
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 📖 Add contributor ladder (#3246)
* Add contributor ladder
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Clarify sponsorship
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Hope for retirement warning
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* 1 maintainer can sponsor a community member
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Apply suggestions from code review
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: Pedro Nacht <pedro.k.night@gmail.com>
---------
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
Signed-off-by: Pedro Nacht <pedro.k.night@gmail.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Consolidate GitLab e2e workflows. (#3278)
* Move gitlab to different workflow to parallelize.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add missing versions.
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Add separate cache for long-running tests (#3293)
* Add separate cache for unit tests.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* share cache with gitlab tests too.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* share cache with github integration tests.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* explicitly download modules in unit test job
Signed-off-by: Spencer Schrock <sschrock@google.com>
* checkout needs to be before the go.mod is read.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* checkout needs to be before the go.sum files are hashed.
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.0 (#3297)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.7.0 to 5.8.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.7.0...v5.8.0)
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump github.com/onsi/gomega from 1.27.8 to 1.27.9 (#3298)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.8 to 1.27.9.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.8...v1.27.9)
---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Improve search commit e2e tests (#3295)
- Add 2 tests for searching commits in e2e/searchCommits_test.go
- Fix errors in e2e/searchCommits_test.go when not using HEAD or when user does not exist
[e2e/searchCommits_test.go]
- Add 2 tests for searching commits
- Fix error when not using HEAD
- Fix error when user does not exist
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 📖 update docs for webhooks documentation (#3299)
* update docs for webhooks documentation
Signed-off-by: leec94 <leec94@bu.edu>
* change webhook severity in readme
Signed-off-by: leec94 <leec94@bu.edu>
---------
Signed-off-by: leec94 <leec94@bu.edu>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Unit tests OSSFuzz client (#3301)
* 🌱 Unit tests OSSFuzz client
- Included tests for IsArchived, LocalPath, ListFiles, GetFileContent, GetBranch, GetDefaultBranch, GetOrgRepoClient, GetDefaultBranchName, ListCommits, ListIssues, ListReleases, ListContributors, ListSuccessfulWorkflowRuns, ListCheckRunsForRef, ListStatuses, ListWebhooks, SearchCommits, Close, ListProgrammingLanguages,
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Improve OSSFuzz client tests
[clients/ossfuzz/client_test.go]
- Add a test for the `GetCreatedAt` method
- Fix the `URI` method to return the correct value
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Ensure check markdown is kept in sync with source yaml. (#3300)
* Ensure check markdown is kept in sync with check yaml.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* change generate-docs target to detect changes to docs/checks.md directly.
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* Update def.yml license
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* Update def.yml license
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* Update def.yml license
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* Update code_review.go license
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* Update entries.go; CodeReviewChecks now called CodeReview
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* refactor codeReviewTwoReviewers; moved utility functions into impl.go
Signed-off-by: André Backman <andre.backman@nokia.com>
* Update impl.go, refactor codeReviewTwoReviewers; moved utility functions into impl.go
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update go.mod, aligned imports
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* update license comments
Signed-off-by: André Backman <andre.backman@nokia.com>
* update license comments
Signed-off-by: André Backman <andre.backman@nokia.com>
* change EOL = CRLF to LF
Signed-off-by: André Backman <andre.backman@nokia.com>
* add error handling in case of no changesets
Signed-off-by: André Backman <andre.backman@nokia.com>
* completed tests for code-review probes
Signed-off-by: André Backman <andre.backman@nokia.com>
* update codeReview probes and utils
Signed-off-by: André Backman <andre.backman@nokia.com>
* fixed some lint errors, check for more
Signed-off-by: André Backman <andre.backman@nokia.com>
* fixed lint issues
Signed-off-by: André Backman <andre.backman@nokia.com>
* fix lint errors
Signed-off-by: André Backman <andre.backman@nokia.com>
* add test for multiple reviews with only one unique reviewer
Signed-off-by: André Backman <andre.backman@nokia.com>
* simplify func uniqueReviewers, use map[string]bool
Signed-off-by: André Backman <andre.backman@nokia.com>
* fix linting error
Signed-off-by: André Backman <andre.backman@nokia.com>
* moved probe tests to their own function
Signed-off-by: André Backman <andre.backman@nokia.com>
* fix comment syntax
Signed-off-by: André Backman <andre.backman@nokia.com>
* gci-ed files to fix linter errors
Signed-off-by: André Backman <andre.backman@nokia.com>
* implement change to skip bot-authored changesets that are reviewed/approved
Signed-off-by: André Backman <andre.backman@nokia.com>
* rewrite finding message
Signed-off-by: André Backman <andre.backman@nokia.com>
* fix output message; do not count the number of approved bot-authored changesets
Signed-off-by: André Backman <andre.backman@nokia.com>
* fix typos
Signed-off-by: André Backman <andre.backman@nokia.com>
* moved probe tests to their corresponding location
Signed-off-by: André Backman <andrebackmann@gmail.com>
* removed redundant probe codeReviewed
Signed-off-by: André Backman <andrebackmann@gmail.com>
* Update probes/codeApproved/def.yml
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com>
* Update probes/codeApproved/def.yml
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com>
* Update probes/codeApproved/def.yml
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com>
* Update probes/codeApproved/def.yml
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com>
* Update probes/codeApproved/def.yml
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com>
* Update probes/codeReviewOneReviewers/def.yml
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com>
* Lint
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com>
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
Signed-off-by: Eugene Kliuchnikov <eustas@google.com>
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Signed-off-by: Pedro Nacht <pedro.k.night@gmail.com>
Signed-off-by: leec94 <leec94@bu.edu>
Signed-off-by: André Backman <andrebackmann@gmail.com>
Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com>
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: André Backman <andre.backman@nokia.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Gabriela Gutierrez <gabigutierrez@google.com>
Co-authored-by: Pedro Nacht <pedro.k.night@gmail.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: Ajmal Kottilingal <90693406+ajmalab@users.noreply.github.com>
Co-authored-by: Pedro Nacht <pnacht@google.com>
Co-authored-by: Eugene Kliuchnikov <eustas@google.com>
Co-authored-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Co-authored-by: Caroline <leec94@bu.edu>
Co-authored-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com>
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Co-authored-by: gowriNSN <143079242+gowriNSN@users.noreply.github.com>
Co-authored-by: Raghav Kaul <raghavkaul@google.com>
* Refactor Dockerfile validation code to handle here-documents
Refactors the `validateDockerfileInsecureDownloads` function to handle
Dockerfiles that contain here-documents. This implementation handles the
basic use-case, namely shell commands. It does not manage other
interpreters that are specified through a she-bang, such as python.
Fixes https://github.com/ossf/scorecard/issues/3335
Signed-off-by: Jürgen Kreileder <jk@blackdown.de>
* Add test for empty run command case in validateDockerfileInsecureDownloads()
Signed-off-by: Jürgen Kreileder <jk@blackdown.de>
* Simplify end line calculation in validateDockerfileInsecureDownloads()
Signed-off-by: Jürgen Kreileder <jk@blackdown.de>
* Document why we have a python test case here
Signed-off-by: Jürgen Kreileder <jk@blackdown.de>
---------
Signed-off-by: Jürgen Kreileder <jk@blackdown.de>
* 🌱 refactor permissions
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'PermissionLocation' to 'PermissionLocationType'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove redundant length check
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* return nil instead of findings in case of an error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use OutcomeError instead of OutcomeNegative in case of PermissionLevelUnknown
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Fix lint issue
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'CreateInconclusiveResult' to 'CreateRuntimeErrorResult'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add comment to wrapped error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* unexport enum values
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix wrapped error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Add SAST Pysa probe
Signed-off-by: David Korczynski <david@adalogics.com>
* Add Pysa positive unit test
Signed-off-by: David Korczynski <david@adalogics.com>
* Add Qodana as well
Signed-off-by: David Korczynski <david@adalogics.com>
* fix some styling
Signed-off-by: David Korczynski <david@adalogics.com>
* fix some messaging
Signed-off-by: David Korczynski <david@adalogics.com>
* checks: raw: sast: dedup by way of regex
Ref: https://github.com/ossf/scorecard/issues/3745
Signed-off-by: David Korczynski <david@adalogics.com>
* deduplicate SAST score checker
Signed-off-by: David Korczynski <david@adalogics.com>
* fix styling
Signed-off-by: David Korczynski <david@adalogics.com>
* fix styling
Signed-off-by: David Korczynski <david@adalogics.com>
* Rename variables appropriately
Signed-off-by: David Korczynski <david@adalogics.com>
* fix error message
Signed-off-by: David Korczynski <david@adalogics.com>
* rename useRegex to usesRegex and add comment
Signed-off-by: David Korczynski <david@adalogics.com>
* Force regex to compile
Signed-off-by: David Korczynski <david@adalogics.com>
---------
Signed-off-by: David Korczynski <david@adalogics.com>
* 🐛 Fix signed release error for empty gitlab repo
- Fixed the issue where an empty gitlab repo is causing this error.
`Error: check runtime error: Signed-Releases: internal error: could not get release name
2023/12/27 18:07:19 error during command execution: check runtime error: Signed-Releases: internal error: could not get release name
exit status 1`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixes based on review.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed codereview changes.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
- Update message for when no tokens are found
[checks/evaluation/permissions/permissions.go]
- Change the message for when no tokens are found from "no github tokens found" to "no tokens found"
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
The primary data is the configuration files and the search commit data
is just extra, so better to return some data than no data in this case.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* SAST: add Snyk probe
Adds Snyk's GitHub action (https://github.com/snyk/actions) as a probe.
Signed-off-by: David Korczynski <david@adalogics.com>
* nit
Signed-off-by: David Korczynski <david@adalogics.com>
* e2e: adjust sast test to additional probe
Signed-off-by: David Korczynski <david@adalogics.com>
* checks: sast: nit, fix e2e test
Signed-off-by: DavidKorczynski <david@adalogics.com>
* Add test with positive outcome
Signed-off-by: David Korczynski <david@adalogics.com>
* fix comment
Signed-off-by: David Korczynski <david@adalogics.com>
* sast: snyk: add workflow test
Signed-off-by: David Korczynski <david@adalogics.com>
* address review
Signed-off-by: David Korczynski <david@adalogics.com>
* sast: adjust snyk to be the same with sonar
Signed-off-by: David Korczynski <david@adalogics.com>
* provide path to WF file
Signed-off-by: David Korczynski <david@adalogics.com>
* adjust path for finding
Signed-off-by: David Korczynski <david@adalogics.com>
* use prefix rather than contains
Signed-off-by: David Korczynski <david@adalogics.com>
---------
Signed-off-by: David Korczynski <david@adalogics.com>
Signed-off-by: DavidKorczynski <david@adalogics.com>
* convert Signed Releases to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Specify that probe is for Github and Gitlab only
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use in loop instead of
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linter issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix more linter issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* specify Github and Gitlab in provenance def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add link to slsa-github-generator
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add instructions on signing with Cosign
Signed-off-by: AdamKorcz <adam@adalogics.com>
* refactor evaluation
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* debug failing integration test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove unused nolints
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* expose release name asset names in finding values
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix failed integration test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove 'totalReleases' value from findings
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove left-over cases of "totalReleases" values in findings
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove remaining totalReleases values
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use const probe names instead of hard-coded strings
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove totalReleases from test helper arguments
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* merge test helpers
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* revert the change which made RequiredPullRequestReviews a pointer
While the current approach works with the tiered scoring,
it wont work for probes or if we remove tiers. Making the struct nil to
signal that PRs aren't required hides some of the data we do have.
This is especially problematic for repo rules, where we can infer all
settings by what we see or dont see.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add helper to deref pointers
Signed-off-by: Spencer Schrock <sschrock@google.com>
* clarify comments and keep code consistent
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
* feat(branch-protection): consider if project requires PRs prior to make changes
As discussed at the issue #2727, we're adding the "require PRs prior
to make changes" as another requirement to tier 2. In addition to that,
we're changing the weight of the tier 2 requirements so that
"requiring 1 reviewer" has weight 2, while the other tier 2 requirements
have weight 1
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* test(branch-protection): increment and adapt testing
1. Adapt previous test cases to consider that now we'll have an aditional
Info log telling that the project requires PRs to make changes.
2. Add more cases to test relevant use cases on the tier 2 level of
branch protection
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* docs(branch-protection-check): adapt check description to consider requirement of require PRs to make changes
It adds the new tier 2 requirement, but also specify that the
"require at least 1 reviewer" will have doubled weight.
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* refactor(branch-protection-check): avoid duplicate funcions and enhance readability
Made some nice-to-have improvements on project readability,
making it easier easier to understand how the branch-protection
score is computed. Also unified 8 different functions that were
doing basically the same thing.
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* feat(branch-protection): standardize values received on evaluation
Previously, at the evaluation part of branch protetion, the
values nil and false or zero were sort of interchangeble. This commit
changes the code to set as nil only the data that could not be retrieved
from github -- all the others would have values as false, zero, true, etc
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* test(github-client): adapt and add tests to check if nil values are coherent
1. Add new test to evaluate how we're interpreting a rule with all
checkboxes unchecked (most shouldn't be nil)
2. Adapt existent tests to expect non-nil values for unchecked
checkboxes
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* feat(client-github): avoid reusing bool pointers
Changes some pieces of code to prefer using pointers of
bool instantiated independently. If reusing bool pointers, at some piece
of code the value of the bool could inadvertently changed and it would change the
value of all other fields reusing that pointer.
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* feat(branch-protection): enhance evaluation if scorecard was run by admin
At the evaluation step we were using some non untrusted fieldds of the
resposte to evaluate if Scorecard was run as admin or not. Now we're
using a field provided directly from the client file.
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* test(branch-protection): adapt testings to say if they have admin info or not
After last commit, the client will tell the evaluation files if
Scorecard was run by administrator or not (i.e., if we have all the
infos). This commit adapts the testings to also provide this info.
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* test(e2e-branch-protection): adapt number of logs after changes
- 2 warns (for 'last push approval' and 'codeowners review' disabled) were added because now those informations come as 'not-nil' at the evaluation part.
- 1 info was added to say that PRs are required to make changes
- 1 debug was removed because it said that we couldn't retrieve 'last push approval' information, but we actually can. It was just incorrectly set as nil
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* Revert the 2 commits with changes around how Scorecard detects admin run
Reverts commit 64c3521d89a6493e0d8c7527aa011f98c3e35719 and commit e2662b7173ef90b44b2d72c37614230440e8a919.
Both had chances around using clients/branch.go scructur to store the
information of whether Scorecard was being run by admin or not. We
decided to not change this structure for this purpose.
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* refactor(branch-protection): change data structure to use pointer instead of value
At clients.BranchProtectionRule struct, changing
RequiredPullRequestReviews to be a pointer instead of a struct value.
This will allow the usage of the nil value of this structure to mean
that we can't say if the repository requires reviews or not.
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* feat(branch-protection): use nil pointer on reviewers struct to mean
we don't know if they require PRs
The nil value of the struct RequiredPullRequestReviews will now mean
that we can't tell whether the project requires PRs to make changes or not.
When we get this case, we're printing a debug informing that we don't have
this data, but also printing a warn saying that they don't require
reviews, because that will be true at this case.
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* test(branch-protection): if we're setting the reviewers struct to nil
when needed
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* doc(branch-protection): add code comment explaining different weight on tier 2 scores
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* refactor(branch-protection): avoid duplicate if branches on reviewers num comparation
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* docs(branch-protection): clarify commentings around data structure
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* refactor: clean code on parsing GitHub BP data
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* feat(branch-protection): ressignify the nil PullRequestReviewRule to mean PR not required
Adapt translation of data from GitHub API, now for our internal data
modeling, having a nil PullRequestReviewRule structure will mean that
PRs are not required on the repo (can also mean we don't have data to
ensure that).
It also changes the order of the calls of copyNonAdminSettings and
copyAdminSettings to make the first one be called first. This eases the
code because the PullRequestReviewRule can be always instantiated at
this function.
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* test(branch-protection): ensure we translate GitHub BP data as expected
Ensure we're correctly translating GitHub data from the old Branch
Protection config.
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* feat(branch-protection): adapt score evaluation after 2efeee6512
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* test(branch-protection): adapt testings to changes of last commits
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* docs(branch-protection): add TODO comments pointing refactor opportunities
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* fix: avoid penalyzing non-admin for dismissStaleReview
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* fix(branch-protection): prevent false value from API field to become nil
When translating the API results, if the specific field `DismissesStaleReviews`
had a false value, it was not being initiated in our data model and was
remaining nil.
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* refactor: clarify different weight on first reviewer
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* refactor: enhance clarity of loggings and comments
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* test(branch-protection): new test to cover different rules affecting same branch
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* docs(branch-protection): change requirements ordering to keep admin ones together
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* refactor(branch-protection): simplify auxiliary function
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* refactor(branch-protection): fix code format to linter requirements
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* refactor(branch-protection): avoid unnecessary initializations and rename function
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* test(branch-protection): adapt test that was forgotten on commit 6858790a3e
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* refactor(branch-protection): use enums to represent tiers
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* refactor(branch-protection): remove nil fields of struct initialization when they dont contribute for clarification
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* refactor(branch-protection): simplify functions by using generics
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* docs(branch-protection): update docs after generate-docs run
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* fix(branch-protection): fix duplicated line on code
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* fix(branch-protection): stop exporting Tier enum
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* refactor(branch-protection): changing unchanged var to const
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* test(branch-protection): Rename test and adapt it to be consistent with its purpose
I also changed the test to not require PRs, as it's how it is when a new GitHub
Branch Protection config is created. The changes on the loggings numbers are due
to:
1. A warning for not having DismissStaleReviews became a debug
2. Removed the warning we had for not requiring CodeOwners
3. Have a new warning for not requiring PRe
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
---------
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* 🌱 convert Webhook check to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add test + nits
Signed-off-by: AdamKorcz <adam@adalogics.com>
* replace probe with OutcomeNotApplicable
Signed-off-by: AdamKorcz <adam@adalogics.com>
* return one finding per webhook
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change wording in def.yml
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change wording in def.yml and checks.md
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove unused struct in test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* align checks.md with checks.yaml
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* bring back experimental for webhooks
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'token' to 'secret' in probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use checker.MinResultScore instead of 0
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Change test name
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use checker.MinResultScore instead of 0
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix typo
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Use checker.MaxResultScore instead of 10
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove the 'totalWebhooks' value from findings
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* 🌱 convert binary artifact check to probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Reword motivation
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove unused variable in test
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove positiveOutcome() and length check
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix wrong check name
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Split into two probes: One with and one without gradle-wrappers
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add description about what Scorecard considers a verified binary
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'trusted' to 'verified'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove nil check
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove filtering
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use const scores in tests
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add sanity check in loop
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename binary file const
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* 🌱 convert CII Best Practices check to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* change 'NOT' to 'not'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Change wording in probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* add links to text
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix typo
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Edit text in def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove hasBadgeNotFound probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove 'that' from text
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use CreateMinScoreResult instead of CreateResultWithScore
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use MaxResultScore instead of maxScore
Signed-off-by: AdamKorcz <adam@adalogics.com>
* return CreateRuntimeErrorResult sooner rather than later
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Combine probes into one
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove minScore variable
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove 'hasInProgressBadge' probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* make badge levels global variables
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* return -1 for unsupported badge
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change text for unknown and unsupported badges
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* upgrade go.mod to 1.21
Signed-off-by: Spencer Schrock <sschrock@google.com>
* use slices from stdlib
Signed-off-by: Spencer Schrock <sschrock@google.com>
* use max/min builtins
Signed-off-by: Spencer Schrock <sschrock@google.com>
* multierrors
possibly spin this off into its own PR
Signed-off-by: Spencer Schrock <sschrock@google.com>
* dont call rand.Seed
As of Go 1.20, the generator is seeded randomly at startup.
https://pkg.go.dev/math/rand#Seed
Signed-off-by: Spencer Schrock <sschrock@google.com>
* update minimum Go version in documentation
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Continue on error detecting OS
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Add tests for error detecting OS
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Add ElementError to identify elements that errored
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Add Incomplete field to PinningDependenciesData
Will store all errors handled during analysis, which may lead to incomplete results.
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Register job steps that errored out
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Add tests that incomplete steps are caught
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Add warnings to details about incomplete steps
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Add tests that incomplete steps generate warnings
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Register shell files skipped due to parser errors
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Add tests showing when parser errors affect analysis
Dockerfile pinning is not affected.
Everything in a 'broken' Dockerfile RUN block is ignored
Everything in a 'broken' shell script is ignored
testdata/script-invalid.sh modified to demonstrate the above
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Incomplete results logged as Info, not Warn
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Remove `Type` from logging of incomplete results
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Update tests after rebase
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Add Unwrap for ElementError, improve its docs
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Add ElementError case to evaluation unit test
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Move ElementError to checker/raw_result
checker/raw_result defines types used to describe analysis results.
ElementError is meant to describe potential flaws in the analysis
and is therefore a sort of analysis result itself.
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Use finding.Location for ElementError.Element
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Use an ElementError for script parser errors
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Replace .Incomplete []error with .ProcessingErrors []ElementError
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* Adopt from reviewer comments
- Replace ElementError's `Element *finding.Location`
with `Location finding.Location`
- Rename ErrorJobOSParsing to ErrJobOSParsing to satisfy linter
- Fix unit test
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
---------
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
* 🌱 convert vulnerabilities check to probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename probe + nits
Signed-off-by: AdamKorcz <adam@adalogics.com>
* edit def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add vuln ID dynamically to def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Elaborate the purpose of test data in unit test
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Move logging out of loop and change logic of negativeFindings()
Signed-off-by: AdamKorcz <adam@adalogics.com>
* preserve number of vulns found in output
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Preserve grouping of vulns
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linter issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add remediation data
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use checker.LogFindings()
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
* 🌱 convert packaging check to probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* amend text in def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Correct short description in def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* log negative findings
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Fix the broken e2e test: The probe returned minimum score instead of inconclusive score which was not consistent with the previous scoring. This commit also removes the debug statements
Signed-off-by: AdamKorcz <adam@adalogics.com>
* change score text
Signed-off-by: AdamKorcz <adam@adalogics.com>
* include file details. process all packaging workflows
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Fix SAST no longer working for CodeQL
The app slug for CodeQL appears to have changed from `github-advanced-security` to `github-code-scanning`, causing the SAST rule to false-negative on commits.
Signed-off-by: martincostello <martin@martincostello.com>
* Fix lint warning
Fix lint warning.
Signed-off-by: martincostello <martin@martincostello.com>
---------
Signed-off-by: martincostello <martin@martincostello.com>