mirror of
https://github.com/ossf/scorecard.git
synced 2024-09-21 05:57:42 +03:00
9440b761df
584 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
André Backman
|
9440b761df
|
✨ New probes: code-review (#3302)
* 🌱 Bump github.com/goreleaser/goreleaser in /tools (#3238) Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.18.2 to 1.19.1. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](https://github.com/goreleaser/goreleaser/compare/v1.18.2...v1.19.1) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * begin implementing probe: minTwoCodeReviewers Signed-off-by: André Backman <andre.backman@nokia.com> * print raw results Signed-off-by: André Backman <andre.backman@nokia.com> * print raw results Signed-off-by: André Backman <andre.backman@nokia.com> * print raw results Signed-off-by: André Backman <andre.backman@nokia.com> * rename probe directory: minimumCodeReviewers Signed-off-by: André Backman <andre.backman@nokia.com> * rename probe CodeReviewers Signed-off-by: André Backman <andre.backman@nokia.com> * rename import for CodeReviewers probe Signed-off-by: André Backman <andre.backman@nokia.com> * update code reviewers definition Signed-off-by: André Backman <andre.backman@nokia.com> * update code reviewers implementation; fixed embed FS usage Signed-off-by: André Backman <andre.backman@nokia.com> * printing all findings, work out where to concatenate them Signed-off-by: André Backman <andre.backman@nokia.com> * concatenated findings to one single finding, outcome is based on the least found unique reviewers Signed-off-by: André Backman <andre.backman@nokia.com> * refactored uniqueCodeReviewers probe, needs more error checks Signed-off-by: André Backman <andre.backman@nokia.com> * add error handling for cases of non-existant author and/or reviewer logins Signed-off-by: André Backman <andre.backman@nokia.com> * add error handling for cases of non-existant author and/or reviewer logins Signed-off-by: André Backman <andre.backman@nokia.com> * rename probe Signed-off-by: André Backman <andre.backman@nokia.com> * update codeReviewTwoReviewers definition Signed-off-by: André Backman <andre.backman@nokia.com> * rename unique code reviewers probe Signed-off-by: André Backman <andre.backman@nokia.com> * implement codeApproved probe, validation of reviews needs fixing Signed-off-by: André Backman <andre.backman@nokia.com> * update codeApproved probe, validation of reviews needs fixing Signed-off-by: André Backman <andre.backman@nokia.com> * working version of codeApproved probe Signed-off-by: André Backman <andre.backman@nokia.com> * codeReviewed probe implemented Signed-off-by: André Backman <andre.backman@nokia.com> * clean up comments, add imports, run all probes Signed-off-by: André Backman <andre.backman@nokia.com> * update license comments Signed-off-by: André Backman <andre.backman@nokia.com> * Update def.yml license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update def.yml license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update def.yml license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update impl.go license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update impl.go license to Apache 2 Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update impl.go license to Apache 2 Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update code_review.go license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update entries.go; CodeReviewChecks now called CodeReview Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update impl.go, refactor codeReviewTwoReviewers; moved utility functions into impl.go Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Delete code_review.go utilities moved utility functions to the impl.go they are used in Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * rename probe Signed-off-by: André Backman <andre.backman@nokia.com> * update codeReviewTwoReviewers definition Signed-off-by: André Backman <andre.backman@nokia.com> * implement codeApproved probe, validation of reviews needs fixing Signed-off-by: André Backman <andre.backman@nokia.com> * update codeApproved probe, validation of reviews needs fixing Signed-off-by: André Backman <andre.backman@nokia.com> * working version of codeApproved probe Signed-off-by: André Backman <andre.backman@nokia.com> * codeReviewed probe implemented Signed-off-by: André Backman <andre.backman@nokia.com> * clean up comments, add imports, run all probes Signed-off-by: André Backman <andre.backman@nokia.com> * update license comments Signed-off-by: André Backman <andre.backman@nokia.com> * update license comments Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Included unit tests (#3242) - Included unit tests Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump golang.org/x/text from 0.10.0 to 0.11.0 (#3243) Bumps [golang.org/x/text](https://github.com/golang/text) from 0.10.0 to 0.11.0. - [Release notes](https://github.com/golang/text/releases) - [Commits](https://github.com/golang/text/compare/v0.10.0...v0.11.0) --- updated-dependencies: - dependency-name: golang.org/x/text dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump golang.org/x/oauth2 from 0.9.0 to 0.10.0 (#3244) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.9.0 to 0.10.0. - [Commits](https://github.com/golang/oauth2/compare/v0.9.0...v0.10.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 📖 Update Branch-Protection admin and non-admin requirements (#2772) * docs: Branch protection admin-only requirements Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Branch protection requirements by tier Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: How get a perfect score in branch protection Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix local images ref in doc Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix typo Co-authored-by: Pedro Nacht <pedro.k.night@gmail.com> Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix check specific table of contents Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Code owners setting is non admin Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix branch protection applied not only to main branch Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Add alt text for images Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: You can get a perfect score with non admin access Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: update max tier scores Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: update tier 1 max points explanation Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Move changes to internal checks doc Move changes done in docs/checks.md to docs/checks/internal/checks.yaml. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Revert changes on checks doc Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix admin settings evaluated on branch protection Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Change branch protection model status checks Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Change tiers score to expected score The expected score for the code to output is 3/10 for Tier 1 case and 7/10 for Tier 3 case. The scoring issue will be reported as bug. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix Tier 3 score Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> --------- Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> Co-authored-by: Pedro Nacht <pedro.k.night@gmail.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Linter workflow cleanup (#3247) * Fix linter timeout by renaming deprecated deadline. Signed-off-by: Spencer Schrock <sschrock@google.com> * Disable depguard linter. As of golangci-lint v3.5.0, the depguard linter is complaining. We don't use a .depguard.yml file, so just disabling the linter. Signed-off-by: Spencer Schrock <sschrock@google.com> * Move linter into own workflow. Signed-off-by: Spencer Schrock <sschrock@google.com> * Fix bash command substitution. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add harden runner. Signed-off-by: Spencer Schrock <sschrock@google.com> * switch names to existing linter job Signed-off-by: Spencer Schrock <sschrock@google.com> * Update golangci-lint to v1.53.3 Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump tj-actions/changed-files from 37.0.5 to 37.1.0 (#3253) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.0.5 to 37.1.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits]( |
||
Naveen
|
b3b40d0ebc
|
🌱 Fix struct size govet issues (#3787)
- Fixed the struct size govet issues. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> |
||
Spencer Schrock
|
8c21a49352
|
🌱 use a single source of truth for fuzzer names (#3786)
Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
Jürgen Kreileder
|
e15264d9c8
|
🐛 Refactor Dockerfile validation code to handle here-documents (#3774)
* Refactor Dockerfile validation code to handle here-documents Refactors the `validateDockerfileInsecureDownloads` function to handle Dockerfiles that contain here-documents. This implementation handles the basic use-case, namely shell commands. It does not manage other interpreters that are specified through a she-bang, such as python. Fixes https://github.com/ossf/scorecard/issues/3335 Signed-off-by: Jürgen Kreileder <jk@blackdown.de> * Add test for empty run command case in validateDockerfileInsecureDownloads() Signed-off-by: Jürgen Kreileder <jk@blackdown.de> * Simplify end line calculation in validateDockerfileInsecureDownloads() Signed-off-by: Jürgen Kreileder <jk@blackdown.de> * Document why we have a python test case here Signed-off-by: Jürgen Kreileder <jk@blackdown.de> --------- Signed-off-by: Jürgen Kreileder <jk@blackdown.de> |
||
AdamKorcz
|
f41f8f4740
|
🌱 refactor permissions (#3693)
* 🌱 refactor permissions
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'PermissionLocation' to 'PermissionLocationType'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove redundant length check
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* return nil instead of findings in case of an error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use OutcomeError instead of OutcomeNegative in case of PermissionLevelUnknown
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Fix lint issue
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'CreateInconclusiveResult' to 'CreateRuntimeErrorResult'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add comment to wrapped error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* unexport enum values
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix wrapped error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: Adam Korczynski <adam@adalogics.com>
|
||
Edgar Ramírez Mondragón
|
0e8e57dc3e
|
Support .sigstore bundles to check for signed releases (#3772)
Signed-off-by: Edgar Ramírez Mondragón <edgarrm358@gmail.com> |
||
|
Spencer Schrock
|
55b6b7686d
|
🌱 Use const keys for SAST and Pinned-Dependencies probe Values map (#3767)
* use const key for pinned-dependencies value map * use const key for sast value map --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
658a77b501
|
🐛 ensure Signed-Releases only scores 5 releases (#3768)
* limit releasesHaveProvenance probe to 5 releases and check in evaluation code too Signed-off-by: Spencer Schrock <sschrock@google.com> * add tests Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
DavidKorczynski
|
99c455bf9d
|
🌱 SAST: dedupe and add Pysa and Qodana probe (#3743)
* Add SAST Pysa probe Signed-off-by: David Korczynski <david@adalogics.com> * Add Pysa positive unit test Signed-off-by: David Korczynski <david@adalogics.com> * Add Qodana as well Signed-off-by: David Korczynski <david@adalogics.com> * fix some styling Signed-off-by: David Korczynski <david@adalogics.com> * fix some messaging Signed-off-by: David Korczynski <david@adalogics.com> * checks: raw: sast: dedup by way of regex Ref: https://github.com/ossf/scorecard/issues/3745 Signed-off-by: David Korczynski <david@adalogics.com> * deduplicate SAST score checker Signed-off-by: David Korczynski <david@adalogics.com> * fix styling Signed-off-by: David Korczynski <david@adalogics.com> * fix styling Signed-off-by: David Korczynski <david@adalogics.com> * Rename variables appropriately Signed-off-by: David Korczynski <david@adalogics.com> * fix error message Signed-off-by: David Korczynski <david@adalogics.com> * rename useRegex to usesRegex and add comment Signed-off-by: David Korczynski <david@adalogics.com> * Force regex to compile Signed-off-by: David Korczynski <david@adalogics.com> --------- Signed-off-by: David Korczynski <david@adalogics.com> |
||
|
Naveen
|
1177c3c525
|
🐛 Fix signed release error for empty gitlab repo (#3753)
* 🐛 Fix signed release error for empty gitlab repo
- Fixed the issue where an empty gitlab repo is causing this error.
`Error: check runtime error: Signed-Releases: internal error: could not get release name
2023/12/27 18:07:19 error during command execution: check runtime error: Signed-Releases: internal error: could not get release name
exit status 1`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixes based on review.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed codereview changes.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
|
||
|
Naveen
|
9986f709d4
|
🐛 Update token permissions check and scoring (#3755)
- Update message for when no tokens are found [checks/evaluation/permissions/permissions.go] - Change the message for when no tokens are found from "no github tokens found" to "no tokens found" Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> |
||
|
Spencer Schrock
|
69bb742f12
|
🐛 Dependency-Update-Tool: ignore search commit data for repo clients which dont support it (#3756)
The primary data is the configuration files and the search commit data is just extra, so better to return some data than no data in this case. Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
DavidKorczynski
|
2ef20f17fb
|
🌱 SAST: add Snyk probe (#3689)
* SAST: add Snyk probe Adds Snyk's GitHub action (https://github.com/snyk/actions) as a probe. Signed-off-by: David Korczynski <david@adalogics.com> * nit Signed-off-by: David Korczynski <david@adalogics.com> * e2e: adjust sast test to additional probe Signed-off-by: David Korczynski <david@adalogics.com> * checks: sast: nit, fix e2e test Signed-off-by: DavidKorczynski <david@adalogics.com> * Add test with positive outcome Signed-off-by: David Korczynski <david@adalogics.com> * fix comment Signed-off-by: David Korczynski <david@adalogics.com> * sast: snyk: add workflow test Signed-off-by: David Korczynski <david@adalogics.com> * address review Signed-off-by: David Korczynski <david@adalogics.com> * sast: adjust snyk to be the same with sonar Signed-off-by: David Korczynski <david@adalogics.com> * provide path to WF file Signed-off-by: David Korczynski <david@adalogics.com> * adjust path for finding Signed-off-by: David Korczynski <david@adalogics.com> * use prefix rather than contains Signed-off-by: David Korczynski <david@adalogics.com> --------- Signed-off-by: David Korczynski <david@adalogics.com> Signed-off-by: DavidKorczynski <david@adalogics.com> |
||
|
AdamKorcz
|
2c20be03cb
|
convert Signed Releases to probes (#3610)
* convert Signed Releases to probes Signed-off-by: AdamKorcz <adam@adalogics.com> * Specify that probe is for Github and Gitlab only Signed-off-by: AdamKorcz <adam@adalogics.com> * use in loop instead of Signed-off-by: AdamKorcz <adam@adalogics.com> * fix linter issues Signed-off-by: AdamKorcz <adam@adalogics.com> * fix more linter issues Signed-off-by: AdamKorcz <adam@adalogics.com> * specify Github and Gitlab in provenance def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * Add link to slsa-github-generator Signed-off-by: AdamKorcz <adam@adalogics.com> * Add instructions on signing with Cosign Signed-off-by: AdamKorcz <adam@adalogics.com> * refactor evaluation Signed-off-by: Adam Korczynski <adam@adalogics.com> * debug failing integration test Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove unused nolints Signed-off-by: Adam Korczynski <adam@adalogics.com> * expose release name asset names in finding values Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix failed integration test Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove 'totalReleases' value from findings Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove left-over cases of "totalReleases" values in findings Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove remaining totalReleases values Signed-off-by: Adam Korczynski <adam@adalogics.com> * use const probe names instead of hard-coded strings Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove totalReleases from test helper arguments Signed-off-by: Adam Korczynski <adam@adalogics.com> * merge test helpers Signed-off-by: Adam Korczynski <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: Adam Korczynski <adam@adalogics.com> |
||
|
Spencer Schrock
|
d03c8cbb43
|
🐛 revert making RequiredPullRequestReviews a pointer (#3728)
* revert the change which made RequiredPullRequestReviews a pointer While the current approach works with the tiered scoring, it wont work for probes or if we remove tiers. Making the struct nil to signal that PRs aren't required hides some of the data we do have. This is especially problematic for repo rules, where we can infer all settings by what we see or dont see. Signed-off-by: Spencer Schrock <sschrock@google.com> * add helper to deref pointers Signed-off-by: Spencer Schrock <sschrock@google.com> * clarify comments and keep code consistent Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
Diogo Teles Sant'Anna
|
db7b6e70af
|
✨ branch protection: requiring PRs gives partial credit (#3499)
* feat(branch-protection): consider if project requires PRs prior to make changes As discussed at the issue #2727, we're adding the "require PRs prior to make changes" as another requirement to tier 2. In addition to that, we're changing the weight of the tier 2 requirements so that "requiring 1 reviewer" has weight 2, while the other tier 2 requirements have weight 1 Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * test(branch-protection): increment and adapt testing 1. Adapt previous test cases to consider that now we'll have an aditional Info log telling that the project requires PRs to make changes. 2. Add more cases to test relevant use cases on the tier 2 level of branch protection Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * docs(branch-protection-check): adapt check description to consider requirement of require PRs to make changes It adds the new tier 2 requirement, but also specify that the "require at least 1 reviewer" will have doubled weight. Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * refactor(branch-protection-check): avoid duplicate funcions and enhance readability Made some nice-to-have improvements on project readability, making it easier easier to understand how the branch-protection score is computed. Also unified 8 different functions that were doing basically the same thing. Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * feat(branch-protection): standardize values received on evaluation Previously, at the evaluation part of branch protetion, the values nil and false or zero were sort of interchangeble. This commit changes the code to set as nil only the data that could not be retrieved from github -- all the others would have values as false, zero, true, etc Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * test(github-client): adapt and add tests to check if nil values are coherent 1. Add new test to evaluate how we're interpreting a rule with all checkboxes unchecked (most shouldn't be nil) 2. Adapt existent tests to expect non-nil values for unchecked checkboxes Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * feat(client-github): avoid reusing bool pointers Changes some pieces of code to prefer using pointers of bool instantiated independently. If reusing bool pointers, at some piece of code the value of the bool could inadvertently changed and it would change the value of all other fields reusing that pointer. Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * feat(branch-protection): enhance evaluation if scorecard was run by admin At the evaluation step we were using some non untrusted fieldds of the resposte to evaluate if Scorecard was run as admin or not. Now we're using a field provided directly from the client file. Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * test(branch-protection): adapt testings to say if they have admin info or not After last commit, the client will tell the evaluation files if Scorecard was run by administrator or not (i.e., if we have all the infos). This commit adapts the testings to also provide this info. Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * test(e2e-branch-protection): adapt number of logs after changes - 2 warns (for 'last push approval' and 'codeowners review' disabled) were added because now those informations come as 'not-nil' at the evaluation part. - 1 info was added to say that PRs are required to make changes - 1 debug was removed because it said that we couldn't retrieve 'last push approval' information, but we actually can. It was just incorrectly set as nil Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * Revert the 2 commits with changes around how Scorecard detects admin run Reverts commit 64c3521d89a6493e0d8c7527aa011f98c3e35719 and commit e2662b7173ef90b44b2d72c37614230440e8a919. Both had chances around using clients/branch.go scructur to store the information of whether Scorecard was being run by admin or not. We decided to not change this structure for this purpose. Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * refactor(branch-protection): change data structure to use pointer instead of value At clients.BranchProtectionRule struct, changing RequiredPullRequestReviews to be a pointer instead of a struct value. This will allow the usage of the nil value of this structure to mean that we can't say if the repository requires reviews or not. Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * feat(branch-protection): use nil pointer on reviewers struct to mean we don't know if they require PRs The nil value of the struct RequiredPullRequestReviews will now mean that we can't tell whether the project requires PRs to make changes or not. When we get this case, we're printing a debug informing that we don't have this data, but also printing a warn saying that they don't require reviews, because that will be true at this case. Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * test(branch-protection): if we're setting the reviewers struct to nil when needed Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * doc(branch-protection): add code comment explaining different weight on tier 2 scores Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * refactor(branch-protection): avoid duplicate if branches on reviewers num comparation Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * docs(branch-protection): clarify commentings around data structure Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * refactor: clean code on parsing GitHub BP data Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * feat(branch-protection): ressignify the nil PullRequestReviewRule to mean PR not required Adapt translation of data from GitHub API, now for our internal data modeling, having a nil PullRequestReviewRule structure will mean that PRs are not required on the repo (can also mean we don't have data to ensure that). It also changes the order of the calls of copyNonAdminSettings and copyAdminSettings to make the first one be called first. This eases the code because the PullRequestReviewRule can be always instantiated at this function. Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * test(branch-protection): ensure we translate GitHub BP data as expected Ensure we're correctly translating GitHub data from the old Branch Protection config. Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * feat(branch-protection): adapt score evaluation after |
||
|
AdamKorcz
|
30ef6b1026
|
🌱 convert CI-Tests check to probes (#3621)
* 🌱 convert CITest check to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix lint issues
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* debug failing integration test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Add negative outcome to test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove 'totalTested' and 'totalMerged' values from findings
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Log at debug level
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
|
||
|
AdamKorcz
|
6ea9c8d2a2
|
🌱 Pinned dependencies: create findings from processing errors (#3711)
* 🌱 refactor pinned dependencies Signed-off-by: AdamKorcz <adam@adalogics.com> * remove remediation from test Signed-off-by: AdamKorcz <adam@adalogics.com> * 🌱 create findings from processing errors Signed-off-by: Adam Korczynski <adam@adalogics.com> * correct style of loop Signed-off-by: Adam Korczynski <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: Adam Korczynski <adam@adalogics.com> |
||
|
AdamKorcz
|
ec36916c10
|
🌱 convert Webhook check to probes (#3522)
* 🌱 convert Webhook check to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add test + nits
Signed-off-by: AdamKorcz <adam@adalogics.com>
* replace probe with OutcomeNotApplicable
Signed-off-by: AdamKorcz <adam@adalogics.com>
* return one finding per webhook
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change wording in def.yml
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change wording in def.yml and checks.md
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove unused struct in test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* align checks.md with checks.yaml
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* bring back experimental for webhooks
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'token' to 'secret' in probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use checker.MinResultScore instead of 0
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Change test name
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use checker.MinResultScore instead of 0
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix typo
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Use checker.MaxResultScore instead of 10
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove the 'totalWebhooks' value from findings
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
|
||
|
Spencer Schrock
|
c089856d5f
|
remove ununsed directives (#3713)
Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
AdamKorcz
|
cb721a8526
|
🌱 convert binary artifact check to probe (#3508)
* 🌱 convert binary artifact check to probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Reword motivation
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove unused variable in test
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove positiveOutcome() and length check
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix wrong check name
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Split into two probes: One with and one without gradle-wrappers
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add description about what Scorecard considers a verified binary
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'trusted' to 'verified'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove nil check
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove filtering
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use const scores in tests
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add sanity check in loop
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename binary file const
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
|
||
|
Spencer Schrock
|
d882fc73e1
|
🌱 re-enable paralleltest linter (#3705)
Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
1625b0c578
|
🌱 Disable more style linters for test files (#3707)
* disable lll linter for test files * disable goerr113 linter for tests * disable wrapcheck linter for tests * fix easy linter issues in tests --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
Martin Costello
|
0c40e14b75
|
🐛 Trust pinned GitHub download URLs (#3694)
* Trust pinned GitHub download URLs Trust files that are downloaded from `raw.githubusercontent.com` where the file's ref is a Git SHA and therefore immutable. Resolves #3339. Signed-off-by: martincostello <martin@martincostello.com> * Move logic to function - Add `hasUnpinnedURLs` function. - Add test cases for different URLs. Signed-off-by: martincostello <martin@martincostello.com> * Fix formatting Appease the linter. Signed-off-by: martincostello <martin@martincostello.com> * Suppress lint warnings Suppress warning on three long URLs. Signed-off-by: martincostello <martin@martincostello.com> * Address peer review Address peer review feedback. Signed-off-by: martincostello <martin@martincostello.com> * Fix lint warning Fix lint warning. Signed-off-by: martincostello <martin@martincostello.com> |
||
|
AdamKorcz
|
9b5d762a7d
|
🌱 convert CII Best Practices check to probes (#3520)
* 🌱 convert CII Best Practices check to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* change 'NOT' to 'not'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Change wording in probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* add links to text
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix typo
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Edit text in def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove hasBadgeNotFound probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove 'that' from text
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use CreateMinScoreResult instead of CreateResultWithScore
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use MaxResultScore instead of maxScore
Signed-off-by: AdamKorcz <adam@adalogics.com>
* return CreateRuntimeErrorResult sooner rather than later
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Combine probes into one
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove minScore variable
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove 'hasInProgressBadge' probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* make badge levels global variables
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* return -1 for unsupported badge
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change text for unknown and unsupported badges
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
|
||
|
AdamKorcz
|
68573209d6
|
🌱 make maintained values keys constants (#3700)
Signed-off-by: Adam Korczynski <adam@adalogics.com> Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> |
||
|
AdamKorcz
|
f8198b0621
|
🌱 refactor pinned dependencies (#3667)
* 🌱 refactor pinned dependencies
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove remediation from test
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
|
||
|
AdamKorcz
|
1c3d9eb6e7
|
🌱 Migrate Maintained check to probes (#3507)
* 🌱 Migrate Maintained check to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix typos
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename 'archived' probe to 'notArchvied
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove part of comment
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix typo
Signed-off-by: AdamKorcz <adam@adalogics.com>
* log negative findings
Signed-off-by: AdamKorcz <adam@adalogics.com>
* log non positive findings if repo was created less than 90 days ago
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename probe from 'activityOnIssuesByCollaboratorsMembersOrOwnersInLast90Days' to 'issueActivityByProjectMember'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* change probe descriptions
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename 'wasCreatedInLast90Days' probe to 'notCreatedInLast90Days'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add tests with zero issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use values instead of returning multiple findings
Signed-off-by: AdamKorcz <adam@adalogics.com>
* return negative findings instead of non-positive
Signed-off-by: AdamKorcz <adam@adalogics.com>
* correct 'notCreatedInLast90Days' probe definition
Signed-off-by: AdamKorcz <adam@adalogics.com>
* make nested conditionals a single line
Signed-off-by: AdamKorcz <adam@adalogics.com>
* make nested conditionals a single line
Signed-off-by: AdamKorcz <adam@adalogics.com>
* change var name 'issuesUpdatedWithinThreshold' to 'numberOfIssuesUpdatedWithinThreshold'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename 'notCreatedInLast90Days' to 'notCreatedRecently'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* explain 'commitsWithinThreshold' in probe definition
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename 'commitsInLast90Days' to 'hasRecentCommits'" -s
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linter issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* define 'numberOfIssuesUpdatedWithinThreshold'
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
|
||
|
AdamKorcz
|
be0b915f76
|
🐛 Ignore unpinned dependencies in Dockerfiles in vendored directories (#3675)
* 🐛 Ignore unpinned dependencies in Dockerfiles in vendored directories
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove unnecessary check
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
|
||
|
Spencer Schrock
|
92470deac3
|
🌱 enable nolintlint linter and fix violations (#3650)
* enable nolintlint Signed-off-by: Spencer Schrock <sschrock@google.com> * first chunk of fixing nolintlint Signed-off-by: Spencer Schrock <sschrock@google.com> * second chunk of fixing nolintlint Signed-off-by: Spencer Schrock <sschrock@google.com> * third chunk of fixing nolintlint Signed-off-by: Spencer Schrock <sschrock@google.com> * fourth chunk of fixing nolintlint Signed-off-by: Spencer Schrock <sschrock@google.com> * include reason for the specific linter config Signed-off-by: Spencer Schrock <sschrock@google.com> * fifth chunk of fixing nolintlint Signed-off-by: Spencer Schrock <sschrock@google.com> * fix linter errors that are somehow still triggering Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
a4ee3147a6
|
🌱 bump project minimum Go version to go1.21 (#3661)
* upgrade go.mod to 1.21 Signed-off-by: Spencer Schrock <sschrock@google.com> * use slices from stdlib Signed-off-by: Spencer Schrock <sschrock@google.com> * use max/min builtins Signed-off-by: Spencer Schrock <sschrock@google.com> * multierrors possibly spin this off into its own PR Signed-off-by: Spencer Schrock <sschrock@google.com> * dont call rand.Seed As of Go 1.20, the generator is seeded randomly at startup. https://pkg.go.dev/math/rand#Seed Signed-off-by: Spencer Schrock <sschrock@google.com> * update minimum Go version in documentation Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
DavidKorczynski
|
87c2d3c1da
|
⚠️ Remove OneFuzz from fuzzing checks (#3666)
This is removed because OneFuzz has been archived https://github.com/microsoft/onefuzz Signed-off-by: David Korczynski <david@adalogics.com> |
||
|
AdamKorcz
|
b3d1a5ac45
|
🌱 Add dependency remediation in raw results instead of at log time (#3632)
* 🌱 Add dependency remediation in raw results instead of at log time
Signed-off-by: AdamKorcz <adam@adalogics.com>
* add unit test
Signed-off-by: AdamKorcz <adam@adalogics.com>
* add unit test
Signed-off-by: AdamKorcz <adam@adalogics.com>
* return error
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use pointer to dependency
Signed-off-by: AdamKorcz <adam@adalogics.com>
* check for errors in test
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Return nil if repo client returns an error from unsupported feature
Signed-off-by: AdamKorcz <adam@adalogics.com>
* revert error checking
Signed-off-by: AdamKorcz <adam@adalogics.com>
* revert returning nil is unsupported feature
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Fix wrong test name
Signed-off-by: AdamKorcz <adam@adalogics.com>
* only create remediation when required
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove remediation helper function
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
|
||
Pedro Kaj Kjellerup Nacht
|
6d35c865e6
|
🐛 Pinned-Dependencies continues on error (#3515)
* Continue on error detecting OS Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Add tests for error detecting OS Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Add ElementError to identify elements that errored Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Add Incomplete field to PinningDependenciesData Will store all errors handled during analysis, which may lead to incomplete results. Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Register job steps that errored out Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Add tests that incomplete steps are caught Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Add warnings to details about incomplete steps Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Add tests that incomplete steps generate warnings Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Register shell files skipped due to parser errors Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Add tests showing when parser errors affect analysis Dockerfile pinning is not affected. Everything in a 'broken' Dockerfile RUN block is ignored Everything in a 'broken' shell script is ignored testdata/script-invalid.sh modified to demonstrate the above Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Incomplete results logged as Info, not Warn Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Remove `Type` from logging of incomplete results Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Update tests after rebase Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Add Unwrap for ElementError, improve its docs Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Add ElementError case to evaluation unit test Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Move ElementError to checker/raw_result checker/raw_result defines types used to describe analysis results. ElementError is meant to describe potential flaws in the analysis and is therefore a sort of analysis result itself. Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Use finding.Location for ElementError.Element Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Use an ElementError for script parser errors Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Replace .Incomplete []error with .ProcessingErrors []ElementError Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Adopt from reviewer comments - Replace ElementError's `Element *finding.Location` with `Location finding.Location` - Rename ErrorJobOSParsing to ErrJobOSParsing to satisfy linter - Fix unit test Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> --------- Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> |
||
|
AdamKorcz
|
47e04c102a
|
🌱 Convert SAST check to probes (#3571)
* Convert SAST checks to probes Signed-off-by: AdamKorcz <adam@adalogics.com> * Update checks/evaluation/sast.go Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> * preserve file info when logging positive Sonar findings Signed-off-by: AdamKorcz <adam@adalogics.com> * rebase Signed-off-by: AdamKorcz <adam@adalogics.com> * Remove warning logging Signed-off-by: AdamKorcz <adam@adalogics.com> * add outcome and message to finding on the same line Signed-off-by: AdamKorcz <adam@adalogics.com> * codeql workflow -> codeql action Signed-off-by: AdamKorcz <adam@adalogics.com> * 'the Sonar' -> 'Sonar' in probe def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * fix typo Signed-off-by: AdamKorcz <adam@adalogics.com> * Change how probe creates location Signed-off-by: AdamKorcz <adam@adalogics.com> * Change names of values Signed-off-by: AdamKorcz <adam@adalogics.com> * change 'SAST tool detected: xx' to 'SAST tool installed: xx' Signed-off-by: AdamKorcz <adam@adalogics.com> * make text in probe def.yml easier to read Signed-off-by: AdamKorcz <adam@adalogics.com> * Change 'to' to 'two' Signed-off-by: AdamKorcz <adam@adalogics.com> * Minor change Signed-off-by: AdamKorcz <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> |
||
|
AdamKorcz
|
f422f692fe
|
🌱 Convert Dangerous Workflow check to probes (#3521)
* 🌱 Convert Dangerous Workflow check to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove hasAnyWorkflows probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* combine two conditionals into one
Signed-off-by: AdamKorcz <adam@adalogics.com>
* preserve logging from original evaluation
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rebase
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
|
||
|
Spencer Schrock
|
5f3a0e2092
|
🌱 Enable golangci-lint test presets (#3594)
* enable test preset Leaves some opinionated linters disabled with reasons. Signed-off-by: Spencer Schrock <sschrock@google.com> * fix tparallel issues. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
AdamKorcz
|
de022dacc4
|
🌱 convert vulnerabilities check to probe (#3487)
* 🌱 convert vulnerabilities check to probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename probe + nits
Signed-off-by: AdamKorcz <adam@adalogics.com>
* edit def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add vuln ID dynamically to def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Elaborate the purpose of test data in unit test
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Move logging out of loop and change logic of negativeFindings()
Signed-off-by: AdamKorcz <adam@adalogics.com>
* preserve number of vulns found in output
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Preserve grouping of vulns
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linter issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add remediation data
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use checker.LogFindings()
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
|
||
|
Spencer Schrock
|
f2bbd0af62
|
remove sonatype lift (#3605)
Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Spencer Schrock
|
5f171ba0be
|
🌱 Fix linter issues caught by new linters in golangci-lint v1.55.0 (#3603)
* fix protogetter issues Signed-off-by: Spencer Schrock <sschrock@google.com> * de-dupe property based fuzzer description Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
AdamKorcz
|
ae75bbb70e
|
🌱 Add probe support for contributors metrics (#3460)
* 🌱 Add probe support for contributors metrics Signed-off-by: AdamKorcz <adam@adalogics.com> * fix lint issues Signed-off-by: AdamKorcz <adam@adalogics.com> * change 'contributorsWith' to 'contributorsFrom' Signed-off-by: AdamKorcz <adam@adalogics.com> * change remediation difficulty Signed-off-by: AdamKorcz <adam@adalogics.com> * fix nits Signed-off-by: AdamKorcz <adam@adalogics.com> * Updates to checks and checks/evaluation Signed-off-by: AdamKorcz <adam@adalogics.com> * fix tests like in #3409 Signed-off-by: AdamKorcz <adam@adalogics.com> * fix raw test Signed-off-by: AdamKorcz <adam@adalogics.com> * Update description in def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * move logic out of utils Signed-off-by: AdamKorcz <adam@adalogics.com> * add comment to consolidate unit test validation Signed-off-by: AdamKorcz <adam@adalogics.com> * change a couple of t.Fatal to t.Error Signed-off-by: AdamKorcz <adam@adalogics.com> * un-remove comment Signed-off-by: AdamKorcz <adam@adalogics.com> * remove map Signed-off-by: AdamKorcz <adam@adalogics.com> * fix typo Signed-off-by: AdamKorcz <adam@adalogics.com> * remove lint comment Signed-off-by: AdamKorcz <adam@adalogics.com> * fix incorrect -1/0 scoring Signed-off-by: AdamKorcz <adam@adalogics.com> * Do not specify 'Github' in def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * do not mention 'which companies' in def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * Rename tests Signed-off-by: AdamKorcz <adam@adalogics.com> * Use getRawResults and uncomment logging statement Signed-off-by: AdamKorcz <adam@adalogics.com> * Define return values of probe better Signed-off-by: AdamKorcz <adam@adalogics.com> * Use proportional score instead of min score Signed-off-by: AdamKorcz <adam@adalogics.com> * revert changed scoring Signed-off-by: AdamKorcz <adam@adalogics.com> * fix incorrect function name Signed-off-by: AdamKorcz <adam@adalogics.com> * remove utility function that finds non-positive outcomes Signed-off-by: AdamKorcz <adam@adalogics.com> * rebase with latest upstream main and fix linter issues Signed-off-by: AdamKorcz <adam@adalogics.com> * Log findings in one statements except a logging statements per finding Signed-off-by: AdamKorcz <adam@adalogics.com> * redefine conditional logic Signed-off-by: AdamKorcz <adam@adalogics.com> * rebase Signed-off-by: AdamKorcz <adam@adalogics.com> * remove unused function Signed-off-by: AdamKorcz <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> |
||
|
AdamKorcz
|
1aca1d9445
|
🌱 convert packaging check to probe (#3486)
* 🌱 convert packaging check to probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* amend text in def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Correct short description in def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* log negative findings
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Fix the broken e2e test: The probe returned minimum score instead of inconclusive score which was not consistent with the previous scoring. This commit also removes the debug statements
Signed-off-by: AdamKorcz <adam@adalogics.com>
* change score text
Signed-off-by: AdamKorcz <adam@adalogics.com>
* include file details. process all packaging workflows
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
|
||
|
AdamKorcz
|
0e3a5233ae
|
🌱 Add license probe (#3465)
* 🌱 Add license probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* [WIP] add two remaining license checks as probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix nits
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Use Errorf in test
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use zrunner
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix wrong return value
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linting issues and remove empty default
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix double if statement
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Remove struct field from test
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add test for nil-case of license files slice
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rewrite multiple def.ymls
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix nits
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add unit test with multiple unapproved license files
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add link to approved license formats
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linting
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove comment
Signed-off-by: AdamKorcz <adam@adalogics.com>
* preserve logging from original check
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix typo
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove redundant map manipulation
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename hasApproveLicense probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Return OutcomeNotApplicable if hasFSFOrOSIApprovedLicense probe does not find a license
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Include license file locations in log
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linting issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* replace strings filtering with OutcomeNotApplicable in hasLicenseFileAtTopDir probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Fix linter issue
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Include location of found license files
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
|
||
|
Spencer Schrock
|
2391edfbe1
|
🌱 add style linters: mirror, tenv, usestdlibvars (#3586)
* fix tenv linter and bug with t.Parallel Signed-off-by: Spencer Schrock <sschrock@google.com> * fix usestdlibvars linter Signed-off-by: Spencer Schrock <sschrock@google.com> * fix mirror linter Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
Martin Costello
|
49c0eed3a4
|
🐛 SAST detect new GitHub app slug for CodeQL (#3591)
* Fix SAST no longer working for CodeQL The app slug for CodeQL appears to have changed from `github-advanced-security` to `github-code-scanning`, causing the SAST rule to false-negative on commits. Signed-off-by: martincostello <martin@martincostello.com> * Fix lint warning Fix lint warning. Signed-off-by: martincostello <martin@martincostello.com> --------- Signed-off-by: martincostello <martin@martincostello.com> |
||
Pierre Cavin
|
f26ee46812
|
✨ Add fast-check test runners integrations (#3568)
Signed-off-by: Pierre Cavin <me@sherlox.io> |
||
|
Spencer Schrock
|
f2ce613960
|
🌱 checks/raw: fix struct alignment linter issue (#3550)
Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
|
DavidKorczynski
|
bd640f72e9
|
✨ Add additional fuzzing probes (#3473)
* Extend with additional fuzzing probes Signed-off-by: David Korczynski <david@adalogics.com> * fix formatting Signed-off-by: David Korczynski <david@adalogics.com> * cleanup formatting Signed-off-by: David Korczynski <david@adalogics.com> * make skip testing optional Signed-off-by: David Korczynski <david@adalogics.com> * address reviews Signed-off-by: David Korczynski <david@adalogics.com> * add todo Signed-off-by: David Korczynski <david@adalogics.com> * nit Signed-off-by: David Korczynski <david@adalogics.com> * nit Signed-off-by: David Korczynski <david@adalogics.com> * add swift fuzzing probe Signed-off-by: David Korczynski <david@adalogics.com> * avoid changing OnMatchingFileContentDo Signed-off-by: David Korczynski <david@adalogics.com> * nit Signed-off-by: David Korczynski <david@adalogics.com> * undo matching file content extension Signed-off-by: David Korczynski <david@adalogics.com> * nit: fix constant Signed-off-by: David Korczynski <david@adalogics.com> * test all fileMatchPatterns per client Signed-off-by: David Korczynski <david@adalogics.com> * fix test logging counts Signed-off-by: David Korczynski <david@adalogics.com> * nit Signed-off-by: David Korczynski <david@adalogics.com> --------- Signed-off-by: David Korczynski <david@adalogics.com> |
||
Sebastian Poxhofer
|
a9e25051dd
|
✨ broaden job matcher for semantic release (#3506)
* feat: broaden job matcher for semantic release Signed-off-by: secustor <sebastian@poxhofer.at> * tests(checks/permissions): add tests for semantic release if using pnpm and yarn Signed-off-by: secustor <sebastian@poxhofer.at> --------- Signed-off-by: secustor <sebastian@poxhofer.at> |
||
|
Spencer Schrock
|
c061367a8b
|
🌱 Bump github.com/rhysd/actionlint from 1.6.15 to 1.6.26 (#3489)
* bump actionlint. Signed-off-by: Spencer Schrock <sschrock@google.com> * fix unit tests. Signed-off-by: Spencer Schrock <sschrock@google.com> * include latest update. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |