ossf/scorecard
1
1
Fork 0
mirror of https://github.com/ossf/scorecard.git synced 2024-09-19 21:18:09 +03:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
1,005 Commits 36 Branches 42 Tags 436 MiB
cf71c9539c
Commit Graph

1005 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
David A. Wheeler
a5a6a30cec
README.md: Add hyperlinks to docs/checks.md (#1008) 
This modifies README.md to add hyperlinks
directly to each of the details in `docs/checks.md`.
That way, people who want to know more about a specific check
can jump immediately to that information.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
 2021-09-13 18:38:16 +00:00
laurentsimon
b0fab3fa43
code (#1006) 
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
 2021-09-13 16:35:50 +00:00
dependabot[bot]
4c4fb61d51
🌱 Bump cloud.google.com/go/pubsub from 1.16.0 to 1.17.0 (#992) 
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.16.0 to 1.17.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/master/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.16.0...pubsub/v1.17.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
 2021-09-13 14:57:32 +00:00
Nanik
0590b03338
change message to make it more easier for user (#1003) 
to understand.

* reword the message

* add test for testing the mssage
 2021-09-13 07:33:40 -07:00
David A. Wheeler
ba53081aeb
Tweak "pinned dependency" discussion (#999) 
* Tweak "pinned dependency" discussion

The Pinned-Dependency discussion has a number of problems.

First, it doesn't even define the term. Let's fix that.

Next, it *WAY* oversells what
pinned dependencies can do for you. All they do is fix the
dependency. They don't really prevent compromised dependencies;
if you pin an already-compromised dependency, you make it worse,
because now you don't automatically update to the corrected
dependency if there was a later non-malicious version.
It often slows automated security updates, so they can actually
cause a *reduction* in security (since most updates *fix*
security vulnerabilities instead of introducing a compromise).

In particular, pinned dependencies are usually a *good* idea for
applications but you should NOT pin dependencies in libraries.
If a library pins to a version, and the library is only updated
1/year, and the ecosystem requires only 1 version of a library
(true for practically all except JavaScript), users can't update any
dependencies more than 1/year (and in practice they'll never be aligned).
At least a hint of the downsides of pinning should be admitted here.
For a larger discussion, see, for example,
https://docs.google.com/document/d/1x_VrNtXCup75qA3glDd2fQOB2TakldwjKZ6pXaAjAfg/edit#

A better argument for pinning is the reproducibility it brings
when using pinning inside an application. I suggest focusing on
that first.

Pinned dependencies are still typically a good idea for applications,
but they should NOT be oversold.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>

* Note GitHub's dependency graph

This is mentioned in the README, but those details should really
be here in the detailed documentation, not in the whole-project README.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>

* Minor grammar fixes

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>

* Note that pinned-dependencies should only apply to apps

The scorecard project only intends to enforce pinned
dependencies on applications (not libraries), as
noted here:
https://github.com/ossf/scorecard/issues/689

However, that's not documented in docs/checks.md!

This commit makes it clear that this is *intended* to
only apply to applications. It also notes that it's not
possible for an automated tool to always categorize software
correctly (especially when a project is both).

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2021-09-12 23:55:39 +00:00
dependabot[bot]
cc044ca05f
🌱 Bump go.uber.org/zap from 1.19.0 to 1.19.1 (#993) 
Bumps [go.uber.org/zap](https://github.com/uber-go/zap) from 1.19.0 to 1.19.1.
- [Release notes](https://github.com/uber-go/zap/releases)
- [Changelog](https://github.com/uber-go/zap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/uber-go/zap/compare/v1.19.0...v1.19.1)

---
updated-dependencies:
- dependency-name: go.uber.org/zap
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
 2021-09-12 16:14:20 -04:00
Azeem Shaikh
bc37c74b28
Remove Owner/Repo strings from CheckRequest (#997) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-09-10 10:13:14 -07:00
Azeem Shaikh
e730e911e6
sce.Create -> sce.WithMessage for wrapcheck (#995) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-09-10 15:50:33 +00:00
Azeem Shaikh
1cb8c06001
Bug in Makefile generate-docs (#996) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-09-10 15:26:27 +00:00
laurentsimon
d6174dbe59
semantic version (#991) 2021-09-10 07:13:17 -07:00
Naveen
af24ed4d7f
🌱 Included codeql check for GitHub Actions (#988) 
Included codeql check for GitHub actions https://github.com/ossf/scorecard/issues/987
 2021-09-09 23:02:11 +00:00
laurentsimon
870db56814
Cleanup documentation code (#981) 
* draft 1

* unit tests

* fix

* fixes

* fix

* mod

* comments

* fixes

* rename

* fix

* linter
 2021-09-09 22:09:39 +00:00
Nanik
1da121da29
Give low importance to github-owned actions (#802) (#906) 
* Different calculation between github and non-github actions

* Add test case for different kind of github and non-github action

* Modify existing test as score calculation has changed
 2021-09-09 12:16:31 -07:00
naveen
576447a45b 🌱 Fix the jwt finding 
* This fixes the JWT finding CVE-2020-26160
 2021-09-08 11:17:40 -05:00
olivekl
924d4d5da9
📖 Update README.md (#976) 
* Update README.md

Minor fixes for clarity.

* Update README.md

* Update README.md

Reinstating "Understanding Scorecard Results" paragraph after accidental deletion.

* Update README.md

Delete test phrase ("DELETE THIS")

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
 2021-09-08 08:22:25 -07:00
naveen
2b15b1353b 🌱 Moving tools dependencies to separate go.mod 
* Moving the tools dependencies to a separate go.mod to reduce the
dependencies on scorecard.

* This is also increases the security posture by having less dependencies
on the main go.mod
 2021-09-07 18:23:41 -05:00
Chris McGehee
1c7ba79435
🐛 Github workflow steps run on Windows should default to pwsh as its shell (#877) 
* Github workflow steps run on Windows should default to pwsh as its shell

* Style change from PR feedback

* Fixing linter error

* MR feedback: simplifying code

* Moving consts to top of file

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
 2021-09-07 09:09:20 -07:00
Naveen
a3d63bf324
🌱 Updated actions permission for codeql (#964) 
* Updated the actions permissions for codeql from write to specific
  settings. https://github.com/ossf/scorecard/issues/942
 2021-09-07 08:52:14 -07:00
dependabot[bot]
942c4cfc25
🌱 Bump crazy-max/ghaction-import-gpg from 3.2.0 to 4 (#971) 
Bumps [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) from 3.2.0 to 4.
- [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases)
- [Changelog](https://github.com/crazy-max/ghaction-import-gpg/blob/master/CHANGELOG.md)
- [Commits](1c6a9e9d35...8c43807e82)

---
updated-dependencies:
- dependency-name: crazy-max/ghaction-import-gpg
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2021-09-07 15:24:51 +00:00
dependabot[bot]
0aa4305c61
🌱 Bump github.com/golangci/golangci-lint from 1.42.0 to 1.42.1 (#973) 
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.42.0 to 1.42.1.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.42.0...v1.42.1)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
 2021-09-07 14:59:22 +00:00
neil465
5476b878bd
Removed unnecessary linters (#969) 
* gomnd
* prealloc
* dupl
 2021-09-07 10:45:12 -04:00
dependabot[bot]
f2209240a7 🌱 Bump distroless/base in /cron/worker 
Bumps distroless/base from `19d927c` to `a74f307`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2021-09-06 12:28:54 -05:00
Chris McGehee
29b7bd3885 Parsing GitHub Workflows should only happen on yaml files 2021-09-06 10:51:33 -05:00
Naveen
2ae8910579
📖 Fixed the deadlink to the documentation (#963) 
Fixed the deadlink to the documentation
 2021-09-04 19:21:31 +00:00
neil465
fda87a45bb Fixed typo reepo to repo 2021-09-04 10:53:19 -05:00
dependabot[bot]
f55b86d662
🌱 Bump peter-evans/slash-command-dispatch from 2.2.1 to 2.3.0 (#955) 
Bumps [peter-evans/slash-command-dispatch](https://github.com/peter-evans/slash-command-dispatch) from 2.2.1 to 2.3.0.
- [Release notes](https://github.com/peter-evans/slash-command-dispatch/releases)
- [Commits](fc430081ad...40877f718d)

---
updated-dependencies:
- dependency-name: peter-evans/slash-command-dispatch
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2021-09-03 16:39:23 +00:00
dependabot[bot]
e30d9e5bbc
🌱 Bump gocloud.dev from 0.23.0 to 0.24.0 (#956) 
Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.23.0 to 0.24.0.
- [Release notes](https://github.com/google/go-cloud/releases)
- [Commits](https://github.com/google/go-cloud/compare/v0.23.0...v0.24.0)

---
updated-dependencies:
- dependency-name: gocloud.dev
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2021-09-03 15:46:28 +00:00
dependabot[bot]
b847d54c66
🌱 Bump distroless/base in /cron/controller (#961) 
Bumps distroless/base from `19d927c` to `a74f307`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
 2021-09-03 15:27:17 +00:00
nathan-415
062075823c
Updated go get to go install (#953) 
Based on recommendations from the `go` tool.
```
go get: installing executables with 'go get' in module mode is deprecated.
	Use 'go install pkg@version' instead.
	For more information, see https://golang.org/doc/go-get-install-deprecation
	or run 'go help get' or 'go help install'.
```

Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
 2021-09-03 15:09:32 +00:00
Azeem Shaikh
7b912e8903
Return DefaultBranch as part of ListBranches (#960) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-09-03 14:40:32 +00:00
Azeem Shaikh
830c4f57db
100k cron job repos (#958) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-09-02 19:31:55 +00:00
Azeem Shaikh
afe5b40567
Make RepoClient as default interface for Scorecard (#951) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-09-02 02:32:26 +00:00
flying-cow
1434977ac0 :sparkling: Upgraded to go 1.17 2021-09-01 18:31:44 -04:00
Azeem Shaikh
eceb577b84
Add and use RepoClient API for ListStatuses (#949) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-09-01 18:34:58 +00:00
Azeem Shaikh
eb2b3b2185
Add RepoClient API for ListCheckRunsForRef (#948) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-09-01 17:43:53 +00:00
laurentsimon
8f5e742e20
Improve JSON format (#934) 
* support for verison

* fix

* fix

* linter

* typo

* fix
 2021-09-01 17:29:40 +00:00
dependabot[bot]
b5e4c7797b
🌱 Bump distroless/base from 19d927c to a74f307 (#945) 
Bumps distroless/base from `19d927c` to `a74f307`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
 2021-09-01 10:15:03 -07:00
dependabot[bot]
992775e641
🌱 Bump distroless/base in /cron/webhook (#946) 
Bumps distroless/base from `19d927c` to `a74f307`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
 2021-09-01 16:26:27 +00:00
dependabot[bot]
dcbf7528a7
🌱 Bump cloud.google.com/go/bigquery from 1.21.0 to 1.22.0 (#939) 
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.21.0 to 1.22.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/master/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.21.0...spanner/v1.22.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
 2021-09-01 16:14:12 +00:00
Azeem Shaikh
dcbfb3ccd2
Fix syntax bug in CloudBuild YAML (#947) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-09-01 14:35:25 +00:00
Azeem Shaikh
df2acb47e2
Add COMMIT_SHA to Scorecard docker image (#944) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-09-01 13:28:07 +10:00
Azeem Shaikh
d6b601298c
Specify fractions instead of percentage (#943) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-09-01 01:23:07 +00:00
Azeem Shaikh
99b9c91570
Use RepoClient API for Packaging check (#940) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-09-01 01:05:34 +00:00
laurentsimon
bb6e010dc1
Decouple scorecard json from cron json (#941) 
* decouple

* linnter
 2021-08-31 15:27:29 -07:00
dependabot[bot]
001ba670bb 🌱 Bump github.com/jszwec/csvutil from 1.5.0 to 1.5.1 
Bumps [github.com/jszwec/csvutil](https://github.com/jszwec/csvutil) from 1.5.0 to 1.5.1.
- [Release notes](https://github.com/jszwec/csvutil/releases)
- [Commits](https://github.com/jszwec/csvutil/compare/v1.5.0...v1.5.1)

---
updated-dependencies:
- dependency-name: github.com/jszwec/csvutil
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2021-08-31 08:06:06 -04:00
Azeem Shaikh
d6ba2cd6ac
Fix #890 (#938) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-08-30 20:26:11 -07:00
Azeem Shaikh
e305a94e4f
Use ListReleases API for BranchProtection check (#937) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-08-30 17:52:08 -07:00
Azeem Shaikh
9a1978a051
Use RefUpdateRule in BranchProtection check (#936) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-08-30 23:14:42 +00:00
Azeem Shaikh
d9f5209803
Update test utils (#933) 
Co-authored-by: Azeem Shaikh <azeems@google.com>
 2021-08-30 14:12:57 -07:00
Chris McGehee
dbb23450e5
Add line number to unpinned dependency: GitHub workflow "uses" field (#821) 
* Display line number for github workflow "uses" field

* Adding test for line numbers

* Updating comment

* Updating this log message to use SARIF format

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2021-08-30 17:03:45 +00:00