ossf/scorecard
1
1
Fork 0
mirror of https://github.com/ossf/scorecard.git synced 2024-11-04 03:52:31 +03:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
2,537 Commits 36 Branches 42 Tags 438 MiB
aeaee6099e
Commit Graph

44 Commits

Author SHA1 Message Date
AdamKorcz
5b0ae81d49
🌱 migrate token permission check to probes (#3816) 
* 🌱 migrate token permission check to probes

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* combine seperate write-probes into two that combine them all

Signed-off-by: AdamKorcz <adam@adalogics.com>

* change write probes to read and write

Signed-off-by: AdamKorcz <adam@adalogics.com>

* minor nit

Signed-off-by: AdamKorcz <adam@adalogics.com>

* remove WritaAll probes

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* Merge read-perm probe with job/top probes

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* minor refactoring

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* fix copy paste error

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* fix linter issues and restructure code

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* remove hasGitHubWorkflowPermissionNone probe

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* Remove 'hasGitHubWorkflowPermissionUndeclared' probe

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* bit of clean up

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* reduce code complexity and remove comment

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* simplify file location

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* change probe text

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* invert name of probe

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* OutcomeNotApplicable -> OutcomeError

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* OutcomeNotAvailable -> OutcomeNotApplicable

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* more OutcomeNotAvailable -> OutcomeNotApplicable

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* change name of 'notAvailableOrNotApplicable'

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* fix linter issues

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* add comments to remediation fields

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* add check for nil-dereference

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* remove the permissionLocation finding value

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* rename checkAndLogNotAvailableOrNotApplicable to isBothUndeclaredAndNotAvailableOrNotApplicable

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* use raw metadata for remediation output

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* change 'branch' to 'defaultBranch'

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* remove unused fields in rule Remediation

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* fix remediation

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* change 'metadata.defaultBranch' to 'metadata.repository.defaultBranch'

Signed-off-by: Adam Korczynski <adam@adalogics.com>

---------

Signed-off-by: Adam Korczynski <adam@adalogics.com>
Signed-off-by: AdamKorcz <adam@adalogics.com>
 2024-03-22 10:38:02 -07:00
laurentsimon
2ea140a3ee
Structured results for permissions (#2584) 
* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* Update checks/evaluation/permissions/GitHubWorkflowPermissionsTopNoWrite.yml

Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* Update checks/evaluation/permissions/GitHubWorkflowPermissionsStepsNoWrite.yml

Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* Update checks/evaluation/permissions/GitHubWorkflowPermissionsStepsNoWrite.yml

Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* Update checks/evaluation/permissions/GitHubWorkflowPermissionsStepsNoWrite.yml

Co-authored-by: Joyce <joycebrumu.u@gmail.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Joyce <joycebrumu.u@gmail.com>
 2023-01-30 18:41:36 -08:00
Arnaud J Le Hors
2169bc44c7
Use new project name in Copyright notices (#2505) 
Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>

Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
 2022-12-01 15:08:48 -08:00
Spencer Schrock
6dcfde9299
🐛 Fix remediation text when Scorecard is run multiple times within a program (#2168) 
* quick fix for wrong info in remediation text

* add test for old, incorrect  behavior

* Rename Setup to New
 2022-08-17 16:10:49 -05:00
laurentsimon
838f62f65a
Add raw results for Token-Permissions (#1912) 
* draft

* update

* update

* draft

* updates

* update

* update

* update

* update

* update

* update

* update

* update

* e2e test for empty repo

* update

* rename structure

* update
 2022-07-15 21:48:50 +00:00
laurentsimon
3957460c2b
update (#2011) 2022-06-29 10:10:15 -07:00
laurentsimon
608da94aaf
Raw results for Packaging check (#1913) 
* update

* update

* update

* update

* update

* update

* update

* updates

* update

* update

* update

* update

* update

* update

* comments
 2022-06-01 16:41:20 +00:00
laurentsimon
0f30f4eec7
Make permission check aware of GH Pages Action (#1902) 
* update

* update

* update
 2022-05-11 20:41:37 -05:00
laurentsimon
8c97d46a36
Add custom remediation for workflow permissions/pinned dependencies (#1885) 
* draft

* update

* updates

* updates

* updates

* updates

* updates

* updates
 2022-05-06 12:52:30 -07:00
dependabot[bot]
66b3d8ce5c
🌱 Bump github.com/golangci/golangci-lint from 1.44.2 to 1.45.0 in /tools (#1757) 
* 🌱 Bump github.com/golangci/golangci-lint in /tools

Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.44.2 to 1.45.0.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.44.2...v1.45.0)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* golangci-lint: Surface and fix as many lint warnings automatically

Signed-off-by: Stephen Augustus <foo@auggie.dev>

* generated: Run golangci-lint with `fix: true`

Signed-off-by: Stephen Augustus <foo@auggie.dev>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Stephen Augustus <foo@auggie.dev>
 2022-03-23 02:23:39 +00:00
Chris McGehee
76105194da
📖 Adding missing documentation for Token-Permissions (#1656) 
* Adding missing documentation for Token-Permissions

* Make documentation for `actions` more accurate

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2022-02-25 22:47:11 +00:00
Chris McGehee
808941a4c2
Token-Permissions, Allow contents: write permission only for jobs that are releasing (#1663) 
* Token-Permissions, distinguish contents/package

Allowing `contents: write` permission only for jobs that are releasing
jobs, not just packaging jobs.
 2022-02-23 00:23:07 +00:00
Azeem Shaikh
e41f8595cb
Generalize CheckFileContent functions (#1670) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-22 17:40:34 -06:00
Azeem Shaikh
2b206dc365
Remove Version field from LogMessage (#1640) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-15 18:26:06 +00:00
Azeem Shaikh
2e3e505a8c
Simplify DetailLogger interface (#1628) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-11 15:48:58 -08:00
Azeem Shaikh
6930c3ab3b
Add support for commit-based Scorecard (#1613) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-07 19:03:36 -08:00
Azeem Shaikh
1c95237e4a
Only run allowed checks in different modes (#1579) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2022-02-07 16:49:49 -08:00
naveen
f7b329e830 Unit test for all_checks 
Addresses https://github.com/ossf/scorecard/issues/435

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
 2022-01-12 17:24:38 -06:00
Azeem Shaikh
f2c57d2590 Migrate to v4 2022-01-12 14:12:09 -06:00
laurentsimon
993e9c1010
update msg (#1457) 2022-01-10 22:22:39 +00:00
laurentsimon
df3d50df76
🐛 Fix score calculation for multiple files (#1401) 
* multi file support

* fix multi-files permissions

* change name

* add tests

* use struct for files

* comments

* comment
 2021-12-16 23:16:02 +00:00
Chris McGehee
f991fee32d
Adding line numbers for rest of Token-Permessions (and by extension, (#1381) 
Packaging)
 2021-12-14 04:14:35 +00:00
laurentsimon
6e013cf67d
Token-Permission: Allow top level permissions not defined if all run level permissions are (#1356) 
* doc

* allow non defined top level

* fix

* e2e fix

* linter
 2021-12-08 01:18:28 +00:00
Chris McGehee
38b5199e9e
🐛 Adding line numbers to token-permissions and a couple other places (#1363) 
* Adding line numbers to token-permissions and a couple other places

* Fix deadlink for security policy

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>

* Updating formatting

Co-authored-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
 2021-12-06 10:05:52 -06:00
laurentsimon
cc4949465b
[Check split]: Binary-Artifacts (#1244) 
* split binary artifact check

* fix

* missing file

* comments

* linter

* fix

* comments

* linter
 2021-11-16 19:57:14 +00:00
laurentsimon
4502dfb557
Reduce false positives in Token-Permissions for contents permission (#1253) 
* fix

* tests
 2021-11-16 03:03:54 +00:00
Chris McGehee
3dc507b9e1 Using library to parse github workflows 2021-11-08 17:00:40 -06:00
Chris McGehee
f319aca82d Moving github worflow parsing to its own file 2021-11-08 17:00:40 -06:00
Chris McGehee
2006be1819 🐛 Token permission check was failing on non-yaml files 2021-11-04 06:19:10 -05:00
Naveen
6c1c789dc5
🌱 v3 upgrade changes (#1118) 
v3 go.mod changes
 2021-10-07 18:16:01 -05:00
Azeem Shaikh
e730e911e6
sce.Create -> sce.WithMessage for wrapcheck (#995) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-09-10 15:50:33 +00:00
laurentsimon
6403eb1382
Transition Packaging, SAST, Security-policy, Signed-releases check to the new structured detail format (#887) 
* move checks to new format

* fix

* comments

* fix

* comments
 2021-08-24 01:44:06 +00:00
laurentsimon
b731f450b9
Transition Vulnerabilities, Permissions, CI-Tests, Dependency-Update-Tool, Code-Reviews to structured details (#889) 
* move other checks togit add -u

* more checks

* fixes
 2021-08-24 00:54:22 +00:00
laurentsimon
d821ea27ec
improve token permission (#811) 
* sarif action

* update
 2021-08-05 17:10:34 +00:00
laurentsimon
b2b37161f3
Improve token permission check (#800) 
* draft

* draft 2

* draft3

* fix e2e

* comment

* comment

* check codeql

* missing files

* comments

* nit

* update msg

* msg

* nit

* nit

* msg

* e2e

* update doc
 2021-08-03 00:56:45 +00:00
Azeem Shaikh
83e9f52501
Enable revive linters which are used in google3 (#793) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-07-31 22:31:34 +00:00
laurentsimon
29594d4294
change signature of FileIfExist and FileContent (#787) 
* draft

* add pinning

* remove functions

* typo

* commment

* name
 2021-07-30 15:09:52 +00:00
laurentsimon
c48fe4f9ed
Make Token-Permission check more granular (#773) 
* draft

* add tests

* add e2e2 tests

* typos

* typo

* fixes

* linter

* use named value

* comments

* comment
 2021-07-30 00:13:01 +00:00
Naveen
4d7fb5d748
🌱 Fix the go.mod with v2 upgrade (#716) 
The go.mod and the related files weren't t updated with the v2 upgrade.

https://github.com/ossf/scorecard/issues/711

This fix will address the issue.
 2021-07-26 13:01:25 -05:00
Azeem Shaikh
9bf1cdc9ce
Update ListFiles API to return error (#746) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-07-25 17:47:36 -07:00
laurentsimon
c741335683
[migration to score] 3: branch protection, frozen-deps, token permissions (#719) 
* details-1

* nits

* typo

* commments

* dependabot and binary artifacts checks

* typo

* linter

* missing errors.go

* linter

* merge fix

* branch protection, frozen-deps, token permissions

* linter

* linter
 2021-07-21 09:21:43 -07:00
laurentsimon
2c9a05c721
cleanup for token doc and code (#552) 
* cleanup

* comment
 2021-06-07 18:01:18 +00:00
laurentsimon
d528b6e626
Cleanup code for github tokens #534 (#539) 
* missed comments

* comments
 2021-06-04 00:12:56 +00:00
laurentsimon
37d979f79b
check for read-only permissions of github token (#534) 
* check for read-only permissions of github token

* linter

* linter

* doc

* comments

* commments

* fix

* generate checks.mg

* update license

* linter

* comments

* license

* linter

* missing file

* linter

* license

* cleanup
 2021-06-03 16:30:37 -07:00