scorecard

mirror of https://github.com/ossf/scorecard.git synced 2024-11-05 05:17:00 +03:00

Author	SHA1	Message	Date
Spencer Schrock	7ce8609469	🐛 Support renamed gradle verification action and callers which pin to hash (#4097 ) * Support renamed gradle verification action From gradle/wrapper-validation-action's readme: "As of v3 this action has been superceded by gradle/actions/wrapper-validation" Also support actions pinned to a hash. Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unneeded dependency Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>	2024-05-09 18:27:34 +00:00
Spencer Schrock	0b9dfb656f	⚠️ Replace v4 module references with v5 (#4027 ) Signed-off-by: Spencer Schrock <sschrock@google.com>	2024-04-12 14:51:50 -07:00
Spencer Schrock	d55dbd12e6	⚠️ Switch RepoClient file access to io.ReadCloser (#3912 ) * change file access method to io.ReadCloser callers don't always need the full file. large files are slow and can cause crashes. Signed-off-by: Spencer Schrock <sschrock@google.com> * switch tests to hardcoded readers Previously they returned bytes or strings, which have corresponding NewReader types. Since they don't need to be closed, io.NopCloser works well to give them a fake Close. Signed-off-by: Spencer Schrock <sschrock@google.com> * switch tests which called os.ReadFile to os.Open os.File fufills io.ReadCloser, so this is an easy change Signed-off-by: Spencer Schrock <sschrock@google.com> * break tarball tests into two steps: reader and read The rest of the test was kept the same to minimize the change. Signed-off-by: Spencer Schrock <sschrock@google.com> * ossfuzz doesn't implement GetFileReader Signed-off-by: Spencer Schrock <sschrock@google.com> * appease linter during refactor Signed-off-by: Spencer Schrock <sschrock@google.com> * switch git client to new method add check which ensures git client fulfills the interface Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>	2024-03-04 17:37:50 -08:00
Josh Soref	3b948257fc	📖 Fix spelling (#3804 ) * spelling: accurate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: administrator Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: analyze Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: andtwenty Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: ascii Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: association Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: at least Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: attestor Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: barbaric Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: bucket Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: by Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: can Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: case-insensitive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: case-sensitive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: checking Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: command-line Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: commit Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: committed Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: conclusion Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: corresponding Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: created Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dataset Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: default Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: defines Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dependabot Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dependency Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: depending Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: desired Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: different Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: disclose Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: download Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: each Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: enforce Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: every time Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: exist Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: existing Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: fields Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: files Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: for Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: force-push Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: github Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: gitlab Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: ignoreed Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: implementation Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: implements Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: increase Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: indicates Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: initialized Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: instructions Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: invalid Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: marshal Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: match Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: name Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: nonexistent Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: organization Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: package Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: provenance Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: query Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: readers Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: receive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: registered Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: remediate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: representation Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: requests Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: requires Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: return Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: scorecard Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: separator Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: serialization Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: sign up Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: specifications Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: specified Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: success Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: successfully Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: the Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: their Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: twenty Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unexpected Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unused Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unverified Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: validate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vendor Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vulnerabilities Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vulns Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: will Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: without Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: workflow Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: workflows Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --------- Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>	2024-01-26 23:08:26 +00:00
AdamKorcz	cb721a8526	🌱 convert binary artifact check to probe (#3508 ) * 🌱 convert binary artifact check to probe Signed-off-by: AdamKorcz <adam@adalogics.com> * Reword motivation Signed-off-by: AdamKorcz <adam@adalogics.com> * remove unused variable in test Signed-off-by: AdamKorcz <adam@adalogics.com> * remove positiveOutcome() and length check Signed-off-by: AdamKorcz <adam@adalogics.com> * fix wrong check name Signed-off-by: AdamKorcz <adam@adalogics.com> * Split into two probes: One with and one without gradle-wrappers Signed-off-by: AdamKorcz <adam@adalogics.com> * Add description about what Scorecard considers a verified binary Signed-off-by: Adam Korczynski <adam@adalogics.com> * change 'trusted' to 'verified' Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove nil check Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove filtering Signed-off-by: Adam Korczynski <adam@adalogics.com> * use const scores in tests Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename test Signed-off-by: Adam Korczynski <adam@adalogics.com> * add sanity check in loop Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename binary file const Signed-off-by: Adam Korczynski <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: Adam Korczynski <adam@adalogics.com>	2023-12-05 00:24:16 -08:00
Spencer Schrock	d882fc73e1	🌱 re-enable paralleltest linter (#3705 ) Signed-off-by: Spencer Schrock <sschrock@google.com>	2023-12-04 02:25:03 +00:00
Spencer Schrock	eba10dffd5	✨ Support Binary-Artifacts check again for local repos (#3415 ) * invert workflow check and explain early exit. Signed-off-by: Spencer Schrock <sschrock@google.com> * make workflow run validation optional. Signed-off-by: Spencer Schrock <sschrock@google.com> * mark binary artifacts as local file friendly. Signed-off-by: Spencer Schrock <sschrock@google.com> * add test for gradle wrapper without workflow run support Signed-off-by: Spencer Schrock <sschrock@google.com> * fix policy tests and make their names more clear. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>	2023-08-23 10:25:26 -07:00
Gabriela Gutierrez	be695d10dc	🐛 Add wasm files as binary artifacts (#2548 ) * fix: Add wasm files to binary check Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Add wasm to binary check Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * chore: Automatic projects update Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * Revert "chore: Automatic projects update" This reverts commit 99fb2af9b4172c974cca19e7b7f587c1cbbeed3a. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>	2023-01-06 13:16:30 -06:00
Arnaud J Le Hors	2169bc44c7	Use new project name in Copyright notices (#2505 ) Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com> Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>	2022-12-01 15:08:48 -08:00
Ethan Davis	4a15760da7	Don't error on workflow parse failure in Binary-Artifacts (#2170 )	2022-08-19 03:44:18 +00:00
Ethan Davis	dd8fbc07e7	✨ Binary artifact exception for gradle-wrapper.jar when using validation action (#2039 ) * implement binary artifacts exception for validated gradle-wrapper.jar files * add tests for binary artifact gradle wrapper verification exception * fix issues for linter * expect added jar in TestBinaryArtifacts Jar file test * improve readability of raw/binary_artifact * Binary-Artifact request types no longer includes FileBased * add version requirement capability to gradle action check * Refactor exception from checks/raw to checks/evaluation * remove unnecessary len(files) * flatten application of exception by moving to another function * revert refactor to checks/evaluation * flatten removal of validated wrappers * create fileExists function Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>	2022-07-18 18:42:32 +00:00
Ethan Davis	6a032a3019	✨ Check for Mach-O binaries in Binary Artifacts (#2000 )	2022-06-23 08:54:55 -07:00
laurentsimon	74ea0f4266	🐛 Fix .lib false positives in binary artifacts (#1879 ) * ignore printable files * updates * e2e tests * e2e fix * comments	2022-05-03 13:31:51 -07:00
Naveen	17467c1f13	🌱 Unit tests for binary_artifact (#1512 )	2022-01-27 12:25:50 -06:00

14 Commits