* Refactor Dockerfile validation code to handle here-documents
Refactors the `validateDockerfileInsecureDownloads` function to handle
Dockerfiles that contain here-documents. This implementation handles the
basic use-case, namely shell commands. It does not manage other
interpreters that are specified through a she-bang, such as python.
Fixes https://github.com/ossf/scorecard/issues/3335
Signed-off-by: Jürgen Kreileder <jk@blackdown.de>
* Add test for empty run command case in validateDockerfileInsecureDownloads()
Signed-off-by: Jürgen Kreileder <jk@blackdown.de>
* Simplify end line calculation in validateDockerfileInsecureDownloads()
Signed-off-by: Jürgen Kreileder <jk@blackdown.de>
* Document why we have a python test case here
Signed-off-by: Jürgen Kreileder <jk@blackdown.de>
---------
Signed-off-by: Jürgen Kreileder <jk@blackdown.de>
* 🌱 refactor permissions
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'PermissionLocation' to 'PermissionLocationType'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove redundant length check
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* return nil instead of findings in case of an error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use OutcomeError instead of OutcomeNegative in case of PermissionLevelUnknown
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Fix lint issue
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'CreateInconclusiveResult' to 'CreateRuntimeErrorResult'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add comment to wrapped error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* unexport enum values
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix wrapped error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add space after link
the period (and possibly what came after it) was being interpreted as part of the link.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* only use one ID in the osv.dev link
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add/fix tests
Signed-off-by: Spencer Schrock <sschrock@google.com>
* make the remediation tests less fragile
this test would need to be fixed every time the phrasing is fixed.
by looking for substrings, we make this less likely to need changed.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* move len check before any finding creation
small efficiency gain since the finding is discarded.
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
the cron has witnessed a roughly 15% reduction in repo throughput,
this is partly due to increased osv.dev latency, increasing the Vulnerabilities check.
the pinned-dependencies check has also increased after 6d35c865e6.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fix: handle gitlab repos with no commits
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* fix: gitlab listcommits tests, remove else in commit array length check
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* rename test file, remove unneeded test
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
---------
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* document scdiff in the release process
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add TOC entry
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add files to .gitignore
we dont want people following the instructions to commit the files accidentally
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add SAST Pysa probe
Signed-off-by: David Korczynski <david@adalogics.com>
* Add Pysa positive unit test
Signed-off-by: David Korczynski <david@adalogics.com>
* Add Qodana as well
Signed-off-by: David Korczynski <david@adalogics.com>
* fix some styling
Signed-off-by: David Korczynski <david@adalogics.com>
* fix some messaging
Signed-off-by: David Korczynski <david@adalogics.com>
* checks: raw: sast: dedup by way of regex
Ref: https://github.com/ossf/scorecard/issues/3745
Signed-off-by: David Korczynski <david@adalogics.com>
* deduplicate SAST score checker
Signed-off-by: David Korczynski <david@adalogics.com>
* fix styling
Signed-off-by: David Korczynski <david@adalogics.com>
* fix styling
Signed-off-by: David Korczynski <david@adalogics.com>
* Rename variables appropriately
Signed-off-by: David Korczynski <david@adalogics.com>
* fix error message
Signed-off-by: David Korczynski <david@adalogics.com>
* rename useRegex to usesRegex and add comment
Signed-off-by: David Korczynski <david@adalogics.com>
* Force regex to compile
Signed-off-by: David Korczynski <david@adalogics.com>
---------
Signed-off-by: David Korczynski <david@adalogics.com>
* 🐛 Fix signed release error for empty gitlab repo
- Fixed the issue where an empty gitlab repo is causing this error.
`Error: check runtime error: Signed-Releases: internal error: could not get release name
2023/12/27 18:07:19 error during command execution: check runtime error: Signed-Releases: internal error: could not get release name
exit status 1`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixes based on review.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed codereview changes.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
- Update message for when no tokens are found
[checks/evaluation/permissions/permissions.go]
- Change the message for when no tokens are found from "no github tokens found" to "no tokens found"
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
The primary data is the configuration files and the search commit data
is just extra, so better to return some data than no data in this case.
Signed-off-by: Spencer Schrock <sschrock@google.com>
- Update go version from `1.19` to `1.21`
[tools/go.mod]
- Update go version from `1.19` to `1.21`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* 🌱 Add probes for Branch Protection
Signed-off-by: AdamKorcz <adam@adalogics.com>
* specify that Scorecard only considers default and releases branches
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* reduce duplication in blocksDeleteOnBranches
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use helper to test for boolean values
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Fix typo, mention OutcomeNotAvailable
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix typo and elaborate on effort
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix typo. Specify which branches the probe considers
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Fix copy paste typo
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove '/en' from url
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change effort from 'High' to 'Low' in the blocksForcePushOnBranches probe def
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix remediation level
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Change probe package name
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* improve probe definitions
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* refactor test names
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Change motivation of two probes
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* downgrade effort of runsStatusChecksBeforeMerging
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* reduce complexity of blocksForcePushOnBranches
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* simplify requiresCodeOwnersReview logic
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix linter issues
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix copy paste error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* differentiate trueMsg and falseMsg in requiresApproversForPullRequests
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix text in requiresCodeOwnersReview
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change outcome in utils
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix lint issues
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix nit in text
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use standardized messages
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove 'Uint32LargerThan0'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Add number of required reviewers to values. Refactor to avoid nil-dereference
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix nit log message
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
