2692 Commits

Author SHA1 Message Date
dependabot[bot]
1faca4943d
🌱 Bump google.golang.org/protobuf from 1.34.1 to 1.34.2 (#4169) 2024-06-12 17:58:59 +00:00
Max Mehl
fcdc63b1ba
📖 Improve the REUSE parts of the License check (#4155)
* clarify that link leads to specification, not REUSE in general

Signed-off-by: Max Mehl <mail@mehl.mx>

* fix LICENSES directory name

Signed-off-by: Max Mehl <mail@mehl.mx>

* clarify that tool also looks into LICENSES directory

Signed-off-by: Max Mehl <mail@mehl.mx>

* generate checks.md

Signed-off-by: Max Mehl <mail@mehl.mx>

---------

Signed-off-by: Max Mehl <mail@mehl.mx>
2024-06-12 16:19:35 +00:00
dependabot[bot]
fde26a0ef4
🌱 Bump github.com/moby/buildkit from 0.13.2 to 0.14.0 (#4168) 2024-06-12 16:07:16 +00:00
Spencer Schrock
6d8f701a9d
⚠️ Simplify RunScorecard with functional optionals (#4106)
* add options for other clients

Signed-off-by: Spencer Schrock <sschrock@google.com>

* set clients to defaults if not provided?

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix shadowing

Signed-off-by: Spencer Schrock <sschrock@google.com>

* call the underlying run function

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add package client

Signed-off-by: Spencer Schrock <sschrock@google.com>

* run all checks if no checks or probes provided

Signed-off-by: Spencer Schrock <sschrock@google.com>

* add WithProbes option

Signed-off-by: Spencer Schrock <sschrock@google.com>

* make github repo type public

Signed-off-by: Spencer Schrock <sschrock@google.com>

* make gitlab repo type public

Signed-off-by: Spencer Schrock <sschrock@google.com>

* make local repo type public

Signed-off-by: Spencer Schrock <sschrock@google.com>

* switch WithChecks to accepting []string

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix linter

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix linter

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-06-10 15:59:29 -07:00
dependabot[bot]
2ed7e5e9fa
🌱 Bump github.com/golangci/golangci-lint from 1.59.0 to 1.59.1 in /tools (#4161) 2024-06-10 20:55:48 +00:00
Spencer Schrock
20ec42c2b5
⚠️ Make all ScorecardResult format options pointers (#4151)
* make format options pointers

Callers can pass in a nil pointer to use the default values.
This is also consistent with AsProbe which already used a pointer.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* remove unused FJSON format

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-06-10 20:32:20 +00:00
Raghav Kaul
f591fbb551
🌱 maintainer annotations: search for config (#4152)
* search for annotation file

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* search for config file

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* address cr: logging + tests

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

---------

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
2024-06-10 19:58:11 +00:00
dependabot[bot]
91532e12d1
🌱 Bump golang from 1.22.3 to 1.22.4 (#4160)
* 🌱 Bump golang from 1.22.3 to 1.22.4

Bumps golang from 1.22.3 to 1.22.4.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* bump the other dockerfiles

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
2024-06-10 17:08:56 +00:00
dependabot[bot]
397ca510b4
🌱 Bump the github-actions group across 1 directory with 3 updates (#4159)
Bumps the github-actions group with 3 updates in the / directory: [step-security/harden-runner](https://github.com/step-security/harden-runner), [github/codeql-action](https://github.com/github/codeql-action) and [actions/dependency-review-action](https://github.com/actions/dependency-review-action).


Updates `step-security/harden-runner` from 2.8.0 to 2.8.1
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](f086349bfa...17d0e2bd7d)

Updates `github/codeql-action` from 3.25.6 to 3.25.8
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](9fdb3e4972...2e230e8fe0)

Updates `actions/dependency-review-action` from 4.3.2 to 4.3.3
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](0c155c5e85...72eb03d02c)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-10 12:51:30 -04:00
Raghav Kaul
bfaa9febc2
probe: releases with verified provenance (#4141)
* add projectpackageversions to signed releases raw results

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* finding: add NewNot* helpers, fix error msg

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* probe: releasesHaveVerifiedProvenance

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* logging

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* fix tests and lint

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* address comments

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* remove unused

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* fix merge conflict

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

---------

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
2024-06-07 10:15:20 -07:00
Spencer Schrock
9cd1fb868d
🐛 fix Unlicense detection (#4145)
* fix unlicense detection

The code previously had some special logic for handling the Unlicense SPDX
identifier. While this worked for local file detection, it broke detection for
SPDX identifiers provided by the forge. This change moves the logic to the part
of the code concerned with local file detection, so both work now.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* remove part of comment which is no longer relevant

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-06-06 18:01:49 +00:00
Arnout Engelen
3da6db56c9
announce where results are written (#4132)
Before this change, when running with '-o foo' the output would end
with:

```
RESULTS
-------
```

This was rather confusing. There are of course many ways to make this more
clear, this commit adds a log line announcing where the output is
written to:

```
RESULTS
-------
Writing to foo
```

Signed-off-by: Arnout Engelen <arnout@bzzt.net>
2024-06-06 10:42:19 -07:00
dependabot[bot]
7e7e2f5818
🌱 Bump github.com/onsi/ginkgo/v2 in /tools (#4149) 2024-06-06 17:24:52 +00:00
dependabot[bot]
bc1c2e6995
🌱 Bump golang.org/x/oauth2 from 0.20.0 to 0.21.0 (#4148) 2024-06-06 17:14:20 +00:00
Spencer Schrock
8a3cbbb3ba
⚠️ remove dependencydiff functionality (#4146)
Signed-off-by: Spencer Schrock <sschrock@google.com>
2024-06-06 09:47:06 -07:00
dependabot[bot]
b4d6ee469c
🌱 Bump github.com/bradleyfalzon/ghinstallation/v2 (#4137) 2024-06-05 18:13:00 +00:00
dependabot[bot]
eea94f5d01
🌱 Bump github.com/rhysd/actionlint from 1.7.0 to 1.7.1 (#4138) 2024-06-05 18:00:32 +00:00
dependabot[bot]
936efa9fff
🌱 Bump golang.org/x/text from 0.15.0 to 0.16.0 (#4142) 2024-06-05 17:44:34 +00:00
aklevans
0448565ab9
🐛 Use direct endpoint instead of search to find repository URL from npm database (#4118)
* Update endpoint used when getting repo from npm to solve #3166

Signed-off-by: aklevans <alexklevans@gmail.com>

* Update test files to account for endpoint change when getting repo from npm

Signed-off-by: aklevans <alexklevans@gmail.com>

* Fix linter issues

Signed-off-by: aklevans <alexklevans@gmail.com>

* Added unit tests for #3166 and #2441

Signed-off-by: aklevans <alexklevans@gmail.com>

* fix linter issues and reduce mock json output in package_manager_test to only include necessary data

Signed-off-by: aklevans <alexklevans@gmail.com>

* fix linter issues in package_managers.go

Signed-off-by: aklevans <alexklevans@gmail.com>

* convert windows line breaks to linux

Signed-off-by: aklevans <alexklevans@gmail.com>

* reduce test case size, still has windows line breaks

Signed-off-by: aklevans <alexklevans@gmail.com>

* Fix unit tests

Signed-off-by: aklevans <alexklevans@gmail.com>

* attempt linter fix

Signed-off-by: aklevans <alexklevans@gmail.com>

* Fix linter issues stemming from windows line breaks

Signed-off-by: aklevans <alexklevans@gmail.com>

* Remove magic number and rename variable to be more accurate

Signed-off-by: aklevans <alexklevans@gmail.com>

---------

Signed-off-by: aklevans <alexklevans@gmail.com>
Signed-off-by: aklevans <105876795+aklevans@users.noreply.github.com>
2024-06-05 10:15:29 -07:00
dependabot[bot]
36d8ad7a60
🌱 Bump github.com/google/osv-scanner from 1.7.3 to 1.7.4 (#4139)
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.7.3 to 1.7.4.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/compare/v1.7.3...v1.7.4)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-04 11:25:36 -07:00
Arnout Engelen
bf4002489a
detect sbt ci-release packaging workflows (#4135)
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
2024-06-01 14:30:41 -04:00
dependabot[bot]
867f511cd0
🌱 Bump github.com/goreleaser/goreleaser in /tools (#4122) 2024-06-01 18:16:47 +00:00
dependabot[bot]
6cbe95c52e
🌱 Bump github.com/golangci/golangci-lint in /tools (#4125) 2024-06-01 17:00:20 +00:00
dependabot[bot]
02f72e0582
🌱 Bump github.com/onsi/ginkgo/v2 from 2.17.3 to 2.19.0 (#4126) 2024-05-30 23:03:52 +00:00
Raghav Kaul
77dce6fbef
⚠️ Add ProjectPackageVersions to raw data collection (#4104)
* add projectpackageversions to signed releases raw results

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* add mocks

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* update

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* fix tests

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* rename

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* Update runScorecard

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* pass depsdevclient to scdiff

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* error handling

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* make Host() return domain only

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* lint

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* address cr comments

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

---------

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
2024-05-30 16:00:36 -04:00
Arnout Engelen
7e6a09e474
🐛 fix Docker remediations for unpinned GHA dependencies (#4131)
* 🐛 fix Docker remediations for unpinned GHA dependencies

Previously, as both the check for unpinned dependencies in
GitHub Actions and the check for unpinned Docker dependencies
contribute to d.Dependencies, the loop that created remediations
for Docker dependencies would also try to create Docker
remediations for the unpinned GitHub Actions dependencies.

This could get really slow, especially when scanning a repo
with many GitHub Actions such as https://github.com/apache/beam.

Signed-off-by: Arnout Engelen <arnout@bzzt.net>

* 🌱 Small refactor and test for remediations

Signed-off-by: Arnout Engelen <arnout@bzzt.net>

* 🌱 make test data more realistic

Signed-off-by: Arnout Engelen <arnout@bzzt.net>

---------

Signed-off-by: Arnout Engelen <arnout@bzzt.net>
2024-05-30 18:46:22 +00:00
Arnout Engelen
2855274aab
Recognize scala-steward as dependency update tool (#4130)
* Recognize scala-steward as dependency update tool

Signed-off-by: Arnout Engelen <arnout@bzzt.net>

* also recognize scala-steward.conf in subdirectories

Signed-off-by: Arnout Engelen <arnout@bzzt.net>

* 🌱 add scala-steward to README

Signed-off-by: Arnout Engelen <arnout@bzzt.net>

---------

Signed-off-by: Arnout Engelen <arnout@bzzt.net>
2024-05-30 17:57:19 +00:00
Arnout Engelen
6b49140bbf
🌱 avoid assumptions about versions in tests (#4134)
For example NixOS builds and tests scorecards in an environment that
sets the version, which would make this test fail as it currently
assumes the version is unset when running tests.

Signed-off-by: Arnout Engelen <arnout@bzzt.net>
2024-05-30 13:02:55 +00:00
Stephen Augustus
16ed8a68aa
docs: Add repository guidelines e.g., for project donations (#4123)
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2024-05-30 12:40:14 +00:00
Stephen Augustus
5447253ff1
MAINTAINERS: Add details on the OpenSSF Scorecard Steering Committee (#4129)
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2024-05-29 15:35:28 +00:00
dependabot[bot]
465add2acb
🌱 Bump the github-actions group with 2 updates (#4127)
Bumps the github-actions group with 2 updates: [step-security/harden-runner](https://github.com/step-security/harden-runner) and [github/codeql-action](https://github.com/github/codeql-action).


Updates `step-security/harden-runner` from 2.7.1 to 2.8.0
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](a4aa98b93c...f086349bfa)

Updates `github/codeql-action` from 3.25.5 to 3.25.6
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](b7cec75265...9fdb3e4972)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-29 08:23:28 -07:00
dependabot[bot]
d99ae690a9
🌱 Bump github.com/go-logr/logr from 1.4.1 to 1.4.2 (#4120)
updated-dependencies:
- dependency-name: github.com/go-logr/logr
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-23 18:36:17 -04:00
dependabot[bot]
98ec491a88
🌱 Bump golang from b1e05e2 to f43c6f0 in /attestor (#4115)
Bumps golang from `b1e05e2` to `f43c6f0`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
2024-05-20 21:25:07 +00:00
dependabot[bot]
72d60412a0
🌱 Bump actions/checkout in the github-actions group (#4116)
Bumps the github-actions group with 1 update: [actions/checkout](https://github.com/actions/checkout).


Updates `actions/checkout` from 4.1.5 to 4.1.6
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](44c2b7a8a4...a5ac7e51b4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-20 17:15:02 -04:00
dependabot[bot]
7ba6e548f8
🌱 Bump github.com/goreleaser/goreleaser in /tools (#4110) 2024-05-17 22:19:32 +00:00
Peter Somogyvari
fd2342c0c4
🌱 fix(cron/internal/data): rename Cactus to Cacti (#4111)
A couple of years back we've renamed the Hyperledger Cactus project to
Hyperledger Cacti and I wanted to make sure that this is reflected in
the OpenSSF reports.

There is no other code change.

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
2024-05-17 21:48:12 +00:00
Allen Shearin
8de90207bc
Add experimental check for published SBOM (#3903)
* Sbom check MVP

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* PR suggestion fixes

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* fix line length

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* update gitlab client to check 20 latest pipelines in default branch

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* correct issues

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* add unit tests for sbom client code

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* probe name alignment, updated evaluation tests

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* consolidate probes, reuse available data sources

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* add autogen doc update

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* address PR comments, remove CI/CD check code

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* update unit tests

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* fix linting errors

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* revert unnecessary changes, correct check documentation

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* address PR comments

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

* move release lookback to data collection side

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

---------

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
2024-05-17 18:16:54 +00:00
dependabot[bot]
956d7c3895
🌱 Bump sigs.k8s.io/release-utils from 0.8.1 to 0.8.2 (#4107) 2024-05-15 17:14:00 +00:00
dependabot[bot]
0082cad776
🌱 Bump github.com/golangci/golangci-lint from 1.57.2 to 1.58.1 in /tools (#4108) 2024-05-15 16:58:27 +00:00
dependabot[bot]
4a078cac8e
🌱 Bump github.com/onsi/ginkgo/v2 in /tools (#4109) 2024-05-15 16:45:36 +00:00
dependabot[bot]
6f9a512296
🌱 Bump github.com/rhysd/actionlint from 1.6.27 to 1.7.0 (#4100) 2024-05-14 19:43:41 +00:00
dependabot[bot]
d40ecbacb3
🌱 Bump github.com/onsi/ginkgo/v2 from 2.17.2 to 2.17.3 (#4091) 2024-05-14 19:26:15 +00:00
dependabot[bot]
665e9c48e8
🌱 Bump github.com/google/osv-scanner from 1.7.2 to 1.7.3 (#4101)
* 🌱 Bump github.com/google/osv-scanner from 1.7.2 to 1.7.3

Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.7.2 to 1.7.3.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/compare/v1.7.2...v1.7.3)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* remove toolchain directive and run go mod tidy

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
2024-05-14 17:58:15 +00:00
dependabot[bot]
840f30c7c3
🌱 Bump goreleaser/goreleaser-action from 5.0.0 to 5.1.0 (#4103)
* 🌱 Bump goreleaser/goreleaser-action from 5.0.0 to 5.1.0

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 5.0.0 to 5.1.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](7ec5c2b0c6...5742e2a039)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* fixup version comment

Signed-off-by: Spencer Schrock <sschrock@google.com>

* remove version arg to use default

as of v5 of the action, the version is v1 latest.
when this switches to v5, the version will be v2 latest.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* use clean instead of deprecated rm-dist

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
2024-05-14 10:36:59 -07:00
dependabot[bot]
6815161e15
🌱 Bump the github-actions group across 1 directory with 3 updates (#4105) 2024-05-13 20:31:43 +00:00
Raghav Kaul
32b5963766
⚠️ Add projectclient to cli and cron, update runscorecard (#4096)
Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
2024-05-13 11:59:46 -04:00
dependabot[bot]
db720cc870
🌱 Bump google.golang.org/protobuf from 1.34.0 to 1.34.1 (#4092) 2024-05-10 21:21:27 +00:00
dependabot[bot]
c11d89bfe6
🌱 Bump distroless/base from 29da700 to e238d40 (#4064) 2024-05-10 19:42:53 +00:00
dependabot[bot]
5a59357658
🌱 Bump github.com/xanzy/go-gitlab from 0.103.0 to 0.105.0 (#4099) 2024-05-10 18:33:13 +00:00
dependabot[bot]
9e9de6ac06
🌱 Bump golang from 1.22.2 to 1.22.3 (#4098)
* 🌱 Bump golang from 1.22.2 to 1.22.3

Bumps golang from 1.22.2 to 1.22.3.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* bump the other 7 dockerfiles

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <sschrock@google.com>
2024-05-10 18:08:39 +00:00