mirror of https://github.com/ossf/scorecard.git, synced 2024-11-05 05:17:00 +03:00
f8422929cc
66 Commits
Author | SHA1 | Message | Date
---|---|---|---
Raghav Kaul | 256d5a3b50 | 🌱 Add script to set up probe boilerplate (#3948) * Add script Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * script -> go Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * v4 -> v5 Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> * update Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> --------- Signed-off-by: Raghav Kaul <raghavkaul+github@google.com> |
Spencer Schrock | b9c1f3fc7a | 🐛 fix signed-releases lookback limit precedence (#4060) * switch signed-releases lookback limit precedence. If the 6th release had no assets, the lookback limit exit condition was being skipped. This led to scenarios where too many releases were being considered by the Signed-Releases check. https://github.com/ossf/scorecard/issues/4059 Signed-off-by: Spencer Schrock <sschrock@google.com> * make exit condition stronger. Any release after the lookback should be skipped Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
Spencer Schrock | 71aed951f9 | ✨ allow probes to collect their own data from repo clients (#4052) * introduce independent probe implementations. Rather than rely on checks collecting raw data, independent probes collect their own raw data using the underlying repo client present in the check request. Signed-off-by: Spencer Schrock <sschrock@google.com> * add test Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
Spencer Schrock | 0b9dfb656f | ⚠️ Replace v4 module references with v5 (#4027) Signed-off-by: Spencer Schrock <sschrock@google.com> |
Spencer Schrock | f4c3025998 | 🐛 Token-Permissions: use same text for read token details as write token details (#4025) * use same text for read token details as write token details. This was an unintentional regression from v4.13.1 Signed-off-by: Spencer Schrock <sschrock@google.com> * deal with linter warning Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
Felix Hoeborn | 21d53ce28c | ✨ Added probe for permissive licenses (#3838) * Added check for permissive licenses Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com> * Regenerated docs and added more permissive licenses to check Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com> * Added e2e tests Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com> * Corrected copyright dates and missing newlines Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com> * Corrected copyright dates Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com> * Adjustments after review Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com> * Added file location in case a permissive license was found and adjusted tests Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com> * Removed code for check, adjusted probe code to be invoked independently Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com> * add remediate on outcome detail Signed-off-by: Spencer Schrock <sschrock@google.com> * avoid memory aliasing Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Felix Hoeborn <f.hoeborn@gmail.com> Signed-off-by: Felix Hoeborn <98820380+fhoeborn@users.noreply.github.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Co-authored-by: Spencer Schrock <sschrock@google.com> |
Spencer Schrock | 96452d99ab | 📖 Review and update some probe documentation (#4023) * polish some probe yaml definitions Signed-off-by: Spencer Schrock <sschrock@google.com> * update references to probe naming and outcomes. Now that #3654 is addressed, the naming restrictions can be relaxed. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
Spencer Schrock | 856419158a | 🌱 migrate code review check to probes (#3979) * initial conversion Signed-off-by: Spencer Schrock <sschrock@google.com> * appease the linter Signed-off-by: Spencer Schrock <sschrock@google.com> * cleanup outcomes from positive/negative to true/false conversion Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
Spencer Schrock | 99a6dc4ea2 | 🌱 Ensure Token-Permission and Branch-Protection probes use exported value keys (#3977) * use exported value keys for token permissions Signed-off-by: Spencer Schrock <sschrock@google.com> * convert required reviewer count to use exported value key Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
Spencer Schrock | 6b071eddeb | ⚠️ Allow probes to specify their own bad outcomes (#4020) * merge probe and finding packages. No one interacts with the probes directly, and having them in the same package helps with follow up commits Signed-off-by: Spencer Schrock <sschrock@google.com> * add extra field to indicate the outcome a probe should show remediation for Signed-off-by: Spencer Schrock <sschrock@google.com> * start all probes with remediate on 'False' Signed-off-by: Spencer Schrock <sschrock@google.com> * make OutcomeTrue bad for hasOSVVulnerabilities Signed-off-by: Spencer Schrock <sschrock@google.com> * nest outcome trigger under remediation in yaml Signed-off-by: Spencer Schrock <sschrock@google.com> * invert outcomes for dangerous workflow probes Signed-off-by: Spencer Schrock <sschrock@google.com> * rename notArchived probe to archived. With the swap, the true outcome is now the bad outcome. Signed-off-by: Spencer Schrock <sschrock@google.com> * rename notCreatedRecently probe to createRecently. With the rename, the true outcome is now bad Signed-off-by: Spencer Schrock <sschrock@google.com> * switch binary artifact probes so detecting binaries is a true outcome Signed-off-by: Spencer Schrock <sschrock@google.com> * appease the linter Signed-off-by: Spencer Schrock <sschrock@google.com> * don't export probe type. We can always make it public again later Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
Spencer Schrock | 775fc97e3d | ⚠️ remove rule.Remediation and switch users to probe.Remediation (#3978) Probes were initially called rules, so deleted rule and switched usages to probe. Signed-off-by: Spencer Schrock <sschrock@google.com> |
Spencer Schrock | b577d79c96 | ⚠️ Replace Positive and Negative outcomes with True and False (#4017) * rename positive to true Signed-off-by: Spencer Schrock <sschrock@google.com> * rename negative to false Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
Spencer Schrock | ba4fb1b94b | ⚠️ Switch Outcome type to string (#4006) * convert outcome constants to strings. Originally, these were introduced as ints to enable ordering between them. Today, I don't see the value in doing that, and it makes the output less readable. Signed-off-by: Spencer Schrock <sschrock@google.com> * explicitly mention negative outcome for some tests. Previously, OutcomeNegative had the integer value of 0. So some tests didn't specify the outcome and happened to pass due to the zero value. This also fixes the test names while I was here. Signed-off-by: Spencer Schrock <sschrock@google.com> * match expected probe output with new string values. This change demonstrates the reason for this PR. Human readable outcomes are good! Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
Spencer Schrock | 46eea0eeaf | 🌱 Fix pinsDependencies outcomes (#3961) * switch no dependencies to OutcomeNotApplicable. OutcomeNotApplicable is what we've been using for cases where there are no occurrences of X. Previously this outcome was used for this probe to handle some error cases, but OutcomeError is currently being used. Existing callers were moved to OutcomeNotSupported. Signed-off-by: Spencer Schrock <sschrock@google.com> * deduplicate location setting. checker.File.Location() is nil safe, so this should work when we have a location or not Signed-off-by: Spencer Schrock <sschrock@google.com> * update outcome descriptions Signed-off-by: Spencer Schrock <sschrock@google.com> * simplify OutcomeNotSupported logging path Signed-off-by: Spencer Schrock <sschrock@google.com> * add tests for no deps and processing errors Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
Spencer Schrock | 46bb36ab10 | 🌱 Combine Dependency-Update-Tool probes into one (#3981) * add single probe for dependencyUpdateToolConfigured probe Signed-off-by: Spencer Schrock <sschrock@google.com> * delete individual update tool probes Signed-off-by: Spencer Schrock <sschrock@google.com> * use new update tool probe in evaluation Signed-off-by: Spencer Schrock <sschrock@google.com> * fix dependency update tool tests. The old test names were unclear, and didn't cover all supported tools. Additionally the warn count changed since there's only one probe now, instead of 3. Signed-off-by: Spencer Schrock <sschrock@google.com> * clarify test name Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
Spencer Schrock | 11e859fc58 | 🌱 Combine hasLicenseFile and hasLicenseFileAtTopDir probes (#3955) * delete hasLicenseFileAtTopDir probe Signed-off-by: Spencer Schrock <sschrock@google.com> * increase value of having a license. The old split was 6 for having a license and 3 for having it in the expected location, but 1.5 years later there is still no other way we detect it. So it was effectively worth 9 points. This change makes it actually worth 9 points. Signed-off-by: Spencer Schrock <sschrock@google.com> * simplify logging and scoring Signed-off-by: Spencer Schrock <sschrock@google.com> * ensure license findings have locations Signed-off-by: Spencer Schrock <sschrock@google.com> * update tests to reflect new logging Signed-off-by: Spencer Schrock <sschrock@google.com> * match existing detail better Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
Diogo Teles Sant'Anna | 376ee1f4d3 | ⚠️ rename fields on Branch Protection Pull Request rules (#3879) Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> |
AdamKorcz | 5b0ae81d49 | 🌱 migrate token permission check to probes (#3816) * 🌱 migrate token permission check to probes Signed-off-by: Adam Korczynski <adam@adalogics.com> * combine separate write-probes into two that combine them all Signed-off-by: AdamKorcz <adam@adalogics.com> * change write probes to read and write Signed-off-by: AdamKorcz <adam@adalogics.com> * minor nit Signed-off-by: AdamKorcz <adam@adalogics.com> * remove WriteAll probes Signed-off-by: Adam Korczynski <adam@adalogics.com> * Merge read-perm probe with job/top probes Signed-off-by: Adam Korczynski <adam@adalogics.com> * minor refactoring Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix copy paste error Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix linter issues and restructure code Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove hasGitHubWorkflowPermissionNone probe Signed-off-by: Adam Korczynski <adam@adalogics.com> * Remove 'hasGitHubWorkflowPermissionUndeclared' probe Signed-off-by: Adam Korczynski <adam@adalogics.com> * bit of clean up Signed-off-by: Adam Korczynski <adam@adalogics.com> * reduce code complexity and remove comment Signed-off-by: Adam Korczynski <adam@adalogics.com> * simplify file location Signed-off-by: Adam Korczynski <adam@adalogics.com> * change probe text Signed-off-by: Adam Korczynski <adam@adalogics.com> * invert name of probe Signed-off-by: Adam Korczynski <adam@adalogics.com> * OutcomeNotApplicable -> OutcomeError Signed-off-by: Adam Korczynski <adam@adalogics.com> * OutcomeNotAvailable -> OutcomeNotApplicable Signed-off-by: Adam Korczynski <adam@adalogics.com> * more OutcomeNotAvailable -> OutcomeNotApplicable Signed-off-by: Adam Korczynski <adam@adalogics.com> * change name of 'notAvailableOrNotApplicable' Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix linter issues Signed-off-by: Adam Korczynski <adam@adalogics.com> * add comments to remediation fields Signed-off-by: Adam Korczynski <adam@adalogics.com> * add check for nil-dereference Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove the permissionLocation finding value Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename checkAndLogNotAvailableOrNotApplicable to isBothUndeclaredAndNotAvailableOrNotApplicable Signed-off-by: Adam Korczynski <adam@adalogics.com> * use raw metadata for remediation output Signed-off-by: Adam Korczynski <adam@adalogics.com> * change 'branch' to 'defaultBranch' Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove unused fields in rule Remediation Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix remediation Signed-off-by: Adam Korczynski <adam@adalogics.com> * change 'metadata.defaultBranch' to 'metadata.repository.defaultBranch' Signed-off-by: Adam Korczynski <adam@adalogics.com> --------- Signed-off-by: Adam Korczynski <adam@adalogics.com> Signed-off-by: AdamKorcz <adam@adalogics.com> |
Spencer Schrock | b3ad602a59 | 🌱 Add probe registration mechanism (#3876) * add basic probe registration function Signed-off-by: Spencer Schrock <sschrock@google.com> * ignore probes which call init to register the probe Signed-off-by: Spencer Schrock <sschrock@google.com> * redefine probeimpl to avoid circular imports Signed-off-by: Spencer Schrock <sschrock@google.com> * register all probes Signed-off-by: Spencer Schrock <sschrock@google.com> * experiment with a probe struct Signed-off-by: Spencer Schrock <sschrock@google.com> * make check name constants Signed-off-by: Spencer Schrock <sschrock@google.com> * convert branch protection probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert binary artifact probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert cii probe Signed-off-by: Spencer Schrock <sschrock@google.com> * convert ci test probe Signed-off-by: Spencer Schrock <sschrock@google.com> * convert code review probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert contributor probe Signed-off-by: Spencer Schrock <sschrock@google.com> * convert dangerous workflow probe Signed-off-by: Spencer Schrock <sschrock@google.com> * convert dep update tool probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert fuzzing probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert license probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert maintained probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert packaging probe Signed-off-by: Spencer Schrock <sschrock@google.com> * convert sast probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert security policy probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert signed releases probes Signed-off-by: Spencer Schrock <sschrock@google.com> * convert vuln probe Signed-off-by: Spencer Schrock <sschrock@google.com> * try using probe registration data Signed-off-by: Spencer Schrock <sschrock@google.com> * blank import unused probe Signed-off-by: Spencer Schrock <sschrock@google.com> * add uncategorized group Signed-off-by: Spencer Schrock <sschrock@google.com> * ensure All list is up-to-date Signed-off-by: Spencer Schrock <sschrock@google.com> * add reason behind uncategorized group Signed-off-by: Spencer Schrock <sschrock@google.com> * fix linter yaml parse error Signed-off-by: Spencer Schrock <sschrock@google.com> * fix linter Signed-off-by: Spencer Schrock <sschrock@google.com> * add webhook data Signed-off-by: Spencer Schrock <sschrock@google.com> * convert probe registration to Must pattern Signed-off-by: Spencer Schrock <sschrock@google.com> * add registration for new probes Signed-off-by: Spencer Schrock <sschrock@google.com> * add missing license header Signed-off-by: Spencer Schrock <sschrock@google.com> * revert changing wrapcheck linter config Signed-off-by: Spencer Schrock <sschrock@google.com> * use error func which doesn't need wrapped Signed-off-by: Spencer Schrock <sschrock@google.com> * add test for probe registration Signed-off-by: Spencer Schrock <sschrock@google.com> * restore trailing newline Signed-off-by: Spencer Schrock <sschrock@google.com> * order probe category list Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
Spencer Schrock | f1e703f500 | 🌱 Combine fuzzing probes (#3877) * single fuzz probe boilerplate Signed-off-by: Spencer Schrock <sschrock@google.com> * initial implementation Signed-off-by: Spencer Schrock <sschrock@google.com> * connect fuzzing probe to eval code Signed-off-by: Spencer Schrock <sschrock@google.com> * include fuzzer name as tool Signed-off-by: Spencer Schrock <sschrock@google.com> * connect to probes flag Signed-off-by: Spencer Schrock <sschrock@google.com> * remove old probes from list Signed-off-by: Spencer Schrock <sschrock@google.com> * remove old probes Signed-off-by: Spencer Schrock <sschrock@google.com> * fix failing test Signed-off-by: Spencer Schrock <sschrock@google.com> * add tool value to test Signed-off-by: Spencer Schrock <sschrock@google.com> * add fuzz tool helper Signed-off-by: Spencer Schrock <sschrock@google.com> * specify supported tools Signed-off-by: Spencer Schrock <sschrock@google.com> * update e2e test Signed-off-by: Spencer Schrock <sschrock@google.com> * check for no raw data Signed-off-by: Spencer Schrock <sschrock@google.com> * add basic tests Signed-off-by: Spencer Schrock <sschrock@google.com> * add test to ensure fuzzer location is propagated Signed-off-by: Spencer Schrock <sschrock@google.com> * expand detailed tests to include other info like tool value Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
Spencer Schrock | e9af90c97c | 🌱 Cleanup codeApproved outcomes and semantics (#3902) * tidy probe documentation Signed-off-by: Spencer Schrock <sschrock@google.com> * export probe name Signed-off-by: Spencer Schrock <sschrock@google.com> * check for no raw data Signed-off-by: Spencer Schrock <sschrock@google.com> * return OutcomeNotApplicable when no changesets are present Signed-off-by: Spencer Schrock <sschrock@google.com> * extract approved logic and return errors as OutcomeError Signed-off-by: Spencer Schrock <sschrock@google.com> * simplify finding creation Signed-off-by: Spencer Schrock <sschrock@google.com> * add clarifying comment for skipping bot changes Signed-off-by: Spencer Schrock <sschrock@google.com> * only bot commits results in OutcomeNotApplicable Signed-off-by: Spencer Schrock <sschrock@google.com> * move no changeset code back to where it was originally Signed-off-by: Spencer Schrock <sschrock@google.com> * include ratio of approved/total as values. Count the number of approved vs unapproved changesets Signed-off-by: Spencer Schrock <sschrock@google.com> * ensure unreviewed bot PRs always give negative outcome Signed-off-by: Spencer Schrock <sschrock@google.com> * use common outcome test code Signed-off-by: Spencer Schrock <sschrock@google.com> * fix linter Signed-off-by: Spencer Schrock <sschrock@google.com> * mention dependabot in probe description Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
AdamKorcz | 4daefb64ae | 🌱 Add branch protection probe evaluation (#3759) * 🌱 Add branch protection evaluation Signed-off-by: Adam Korczynski <adam@adalogics.com> * make helper for getting the branchName Signed-off-by: Adam Korczynski <adam@adalogics.com> * move check for branch name Signed-off-by: Adam Korczynski <adam@adalogics.com> * define size of slice Signed-off-by: Adam Korczynski <adam@adalogics.com> * add probe for protected branches. Signed-off-by: Adam Korczynski <adam@adalogics.com> * change 'basicNonAdminProtection' to 'deleteAndForcePushProtection' Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix markdown in text field in def.yml Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove duplicate conditional Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove redundant 'protected' value from 'requiresCodeOwnersReview' probe Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove protected values from probes Signed-off-by: Adam Korczynski <adam@adalogics.com> * Bring back negative outcome in case of 0 codeowners files Signed-off-by: Adam Korczynski <adam@adalogics.com> * log based on whether branches are protected Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove unnecessary test Signed-off-by: Adam Korczynski <adam@adalogics.com> * debug failing tests Signed-off-by: Adam Korczynski <adam@adalogics.com> * Fix failing tests Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename test Signed-off-by: Adam Korczynski <adam@adalogics.com> * update with latest upstream changes Signed-off-by: AdamKorcz <adam@adalogics.com> * fix linting issues Signed-off-by: AdamKorcz <adam@adalogics.com> * remove tests that represent impossible scenarios Signed-off-by: AdamKorcz <adam@adalogics.com> * remove protected finding value. This was discussed previously, but accidentally reverted Signed-off-by: Spencer Schrock <sschrock@google.com> * Revert "debug failing tests" This reverts commit |
AdamKorcz | 299948eeed | 🌱 Convert pinned dependencies to probe (#3829) * 🌱 Convert pinned dependencies to probe Signed-off-by: Adam Korczynski <adam@adalogics.com> * add more tests Signed-off-by: Adam Korczynski <adam@adalogics.com> * add checks unit test Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix year in probe header and add missing test file Signed-off-by: Adam Korczynski <adam@adalogics.com> * Change usage of ValidateTestReturn Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename test Signed-off-by: Adam Korczynski <adam@adalogics.com> * change 'pinned' to 'unpinned' in test name Signed-off-by: Adam Korczynski <adam@adalogics.com> * export 'depTypeKey' Signed-off-by: Adam Korczynski <adam@adalogics.com> * Do not copy test Dockerfile Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename test Signed-off-by: Adam Korczynski <adam@adalogics.com> * Rebase and bring back 'Test_generateOwnerToDisplay' Signed-off-by: Adam Korczynski <adam@adalogics.com> * Use API to create finding Signed-off-by: AdamKorcz <adam@adalogics.com> * one more change to how the probe creates a finding Signed-off-by: AdamKorcz <adam@adalogics.com> --------- Signed-off-by: Adam Korczynski <adam@adalogics.com> Signed-off-by: AdamKorcz <adam@adalogics.com> |
Spencer Schrock | c1563e1966 | 🌱 Combine SAST probes into single probe (#3874) * check logger counts for SAST tests. Previously, we only checked the result score. Test failures with this method don't produce as actionable feedback. Signed-off-by: Spencer Schrock <sschrock@google.com> * clarify test names and score constants used Signed-off-by: Spencer Schrock <sschrock@google.com> * add generic sastToolConfigured probe. Switch over the evaluation code to using the single probe with tool value. Signed-off-by: Spencer Schrock <sschrock@google.com> * remove old probes Signed-off-by: Spencer Schrock <sschrock@google.com> * add tests Signed-off-by: Spencer Schrock <sschrock@google.com> * experiment with one readme Signed-off-by: Spencer Schrock <sschrock@google.com> * appease linter Signed-off-by: Spencer Schrock <sschrock@google.com> * remove colon from yaml which led to parse errors Signed-off-by: Spencer Schrock <sschrock@google.com> * polish documentation details Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
AdamKorcz | 6fc7d4c061 | ✨ Add probe metadata about supported ecosystems (#3797) * 🌱 Add probe metadata about supported ecosystems Signed-off-by: Adam Korczynski <adam@adalogics.com> * Add metadata for the rest of the probes Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix wrong formatting Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove oss-fuzz, osv, cii_blob, cii_http clients Signed-off-by: Adam Korczynski <adam@adalogics.com> * add github and gitlab clients for 2 probes Signed-off-by: Adam Korczynski <adam@adalogics.com> --------- Signed-off-by: Adam Korczynski <adam@adalogics.com> |
Spencer Schrock | ca944e8169 | 🌱 Change finding Values to map[string]string (#3837) * make values map string -> string Signed-off-by: Spencer Schrock <sschrock@google.com> * fixup branch protection probes Signed-off-by: Spencer Schrock <sschrock@google.com> * fix sast probe Signed-off-by: Spencer Schrock <sschrock@google.com> * fix signed-releases probes Signed-off-by: Spencer Schrock <sschrock@google.com> * fix maintained probes Signed-off-by: Spencer Schrock <sschrock@google.com> * fix cii-best-practices probes Signed-off-by: Spencer Schrock <sschrock@google.com> * fix cii-best-practices eval Signed-off-by: Spencer Schrock <sschrock@google.com> * fix signed-releases eval Signed-off-by: Spencer Schrock <sschrock@google.com> * fix sast eval Signed-off-by: Spencer Schrock <sschrock@google.com> * fix maintained eval Signed-off-by: Spencer Schrock <sschrock@google.com> * fix permissions eval Signed-off-by: Spencer Schrock <sschrock@google.com> * appease the linter Signed-off-by: Spencer Schrock <sschrock@google.com> * standardize maintained key names Signed-off-by: Spencer Schrock <sschrock@google.com> * set lookback days value regardless of outcome Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> |
Josh Soref | 3b948257fc | 📖 Fix spelling (#3804) * spelling: accurate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: administrator Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: analyze Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: andtwenty Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: ascii Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: association Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: at least Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: attestor Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: barbaric Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: bucket Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: by Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: can Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: case-insensitive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: case-sensitive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: checking Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: command-line Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: commit Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: committed Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: conclusion Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: corresponding Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: created Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dataset Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: default Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: defines Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dependabot Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dependency Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: depending Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: desired Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: different Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: disclose Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: download Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: each Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: enforce Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: every time Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: exist Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: existing Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: fields Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: files Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: for Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: force-push Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: github Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: gitlab Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: ignoreed Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: implementation Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: implements Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: increase Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: indicates Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: initialized Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: instructions Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: invalid Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: marshal Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: match Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: name Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: nonexistent Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: organization Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: package Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: provenance Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: query Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: readers Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: receive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: registered Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: remediate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: representation Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: requests Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: requires Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: return Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: scorecard Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: separator Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: serialization Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: sign up Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: specifications Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: specified Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: success Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: successfully Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: the Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: their Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: twenty Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unexpected Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unused Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unverified Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: validate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vendor Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vulnerabilities Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vulns Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: will Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: without Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: workflow Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: workflows Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --------- Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> |
André Backman
|
9440b761df
|
✨ New probes: code-review (#3302)
* 🌱 Bump github.com/goreleaser/goreleaser in /tools (#3238)
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.18.2 to 1.19.1.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](https://github.com/goreleaser/goreleaser/compare/v1.18.2...v1.19.1)
---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* begin implementing probe: minTwoCodeReviewers
Signed-off-by: André Backman <andre.backman@nokia.com>
* print raw results
Signed-off-by: André Backman <andre.backman@nokia.com>
* print raw results
Signed-off-by: André Backman <andre.backman@nokia.com>
* print raw results
Signed-off-by: André Backman <andre.backman@nokia.com>
* rename probe directory: minimumCodeReviewers
Signed-off-by: André Backman <andre.backman@nokia.com>
* rename probe CodeReviewers
Signed-off-by: André Backman <andre.backman@nokia.com>
* rename import for CodeReviewers probe
Signed-off-by: André Backman <andre.backman@nokia.com>
* update code reviewers definition
Signed-off-by: André Backman <andre.backman@nokia.com>
* update code reviewers implementation; fixed embed FS usage
Signed-off-by: André Backman <andre.backman@nokia.com>
* printing all findings, work out where to concatenate them
Signed-off-by: André Backman <andre.backman@nokia.com>
* concatenated findings to one single finding, outcome is based on the least found unique reviewers
Signed-off-by: André Backman <andre.backman@nokia.com>
* refactored uniqueCodeReviewers probe, needs more error checks
Signed-off-by: André Backman <andre.backman@nokia.com>
* add error handling for cases of non-existent author and/or reviewer logins
Signed-off-by: André Backman <andre.backman@nokia.com>
* add error handling for cases of non-existent author and/or reviewer logins
Signed-off-by: André Backman <andre.backman@nokia.com>
* rename probe
Signed-off-by: André Backman <andre.backman@nokia.com>
* update codeReviewTwoReviewers definition
Signed-off-by: André Backman <andre.backman@nokia.com>
* rename unique code reviewers probe
Signed-off-by: André Backman <andre.backman@nokia.com>
* implement codeApproved probe, validation of reviews needs fixing
Signed-off-by: André Backman <andre.backman@nokia.com>
* update codeApproved probe, validation of reviews needs fixing
Signed-off-by: André Backman <andre.backman@nokia.com>
* working version of codeApproved probe
Signed-off-by: André Backman <andre.backman@nokia.com>
* codeReviewed probe implemented
Signed-off-by: André Backman <andre.backman@nokia.com>
* clean up comments, add imports, run all probes
Signed-off-by: André Backman <andre.backman@nokia.com>
* update license comments
Signed-off-by: André Backman <andre.backman@nokia.com>
* Update def.yml license
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update def.yml license
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update def.yml license
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update impl.go license
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update impl.go license to Apache 2
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update impl.go license to Apache 2
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update code_review.go license
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update entries.go; CodeReviewChecks now called CodeReview
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Update impl.go, refactor codeReviewTwoReviewers; moved utility functions into impl.go
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* Delete code_review.go utilities
moved utility functions to the impl.go they are used in
Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com>
* rename probe
Signed-off-by: André Backman <andre.backman@nokia.com>
* update codeReviewTwoReviewers definition
Signed-off-by: André Backman <andre.backman@nokia.com>
* implement codeApproved probe, validation of reviews needs fixing
Signed-off-by: André Backman <andre.backman@nokia.com>
* update codeApproved probe, validation of reviews needs fixing
Signed-off-by: André Backman <andre.backman@nokia.com>
* working version of codeApproved probe
Signed-off-by: André Backman <andre.backman@nokia.com>
* codeReviewed probe implemented
Signed-off-by: André Backman <andre.backman@nokia.com>
* clean up comments, add imports, run all probes
Signed-off-by: André Backman <andre.backman@nokia.com>
* update license comments
Signed-off-by: André Backman <andre.backman@nokia.com>
* update license comments
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Included unit tests (#3242)
- Included unit tests
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump golang.org/x/text from 0.10.0 to 0.11.0 (#3243)
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.10.0 to 0.11.0.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](https://github.com/golang/text/compare/v0.10.0...v0.11.0)
---
updated-dependencies:
- dependency-name: golang.org/x/text
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump golang.org/x/oauth2 from 0.9.0 to 0.10.0 (#3244)
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.9.0 to 0.10.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.9.0...v0.10.0)
---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 📖 Update Branch-Protection admin and non-admin requirements (#2772)
* docs: Branch protection admin-only requirements
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Branch protection requirements by tier
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: How to get a perfect score in branch protection
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Fix local images ref in doc
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Fix typo
Co-authored-by: Pedro Nacht <pedro.k.night@gmail.com>
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Fix check specific table of contents
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* fix: Code owners setting is non admin
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Fix branch protection applied not only to main branch
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Add alt text for images
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: You can get a perfect score with non admin access
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: update max tier scores
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: update tier 1 max points explanation
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Move changes to internal checks doc
Move changes done in docs/checks.md to docs/checks/internal/checks.yaml.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Revert changes on checks doc
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Fix admin settings evaluated on branch protection
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Change branch protection model status checks
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Change tiers score to expected score
The expected score for the code to output is 3/10 for Tier 1 case and 7/10 for Tier 3 case. The scoring issue will be reported as a bug.
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
* docs: Fix Tier 3 score
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
---------
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
Co-authored-by: Pedro Nacht <pedro.k.night@gmail.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Linter workflow cleanup (#3247)
* Fix linter timeout by renaming deprecated deadline.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Disable depguard linter.
As of golangci-lint v3.5.0, the depguard linter is complaining. We don't use a .depguard.yml file, so just disabling the linter.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Move linter into own workflow.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Fix bash command substitution.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add harden runner.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* switch names to existing linter job
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Update golangci-lint to v1.53.3
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: André Backman <andre.backman@nokia.com>
* 🌱 Bump tj-actions/changed-files from 37.0.5 to 37.1.0 (#3253)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.0.5 to 37.1.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](
|
||
AdamKorcz
|
1a1d9b175c
|
📖 Add documentation about probes and contributing (#3762)
* 📖 Add documentation about probes and contributing
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'subdirectory' to 'directory'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix 'golangci' typo
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Added 'make fix-linter' to Makefile
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Move commands to their own table
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'problem' to 'supply-chain security risk'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Add sentence about what a finding is
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove sentence about running make rule locally
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'supply-chain security risk' to 'heuristic'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Modify text on where to set remediation data
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Add example
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add line about discussing changes to the score in a GitHub issue
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: Adam Korczynski <adam@adalogics.com>
|
||
Spencer Schrock
|
8c21a49352
|
🌱 use a single source of truth for fuzzer names (#3786)
Signed-off-by: Spencer Schrock <sschrock@google.com> |
||
Spencer Schrock
|
c59e93b9b2
|
🌱 Switch probe tests to helper func (#3782)
* simplify test helper to verify finding outcomes
Signed-off-by: Spencer Schrock <sschrock@google.com>
* switch existing callers to helper func
Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove TODO comments
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fixup doc string
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
|
||
Spencer Schrock
|
7a4c1bdaff
|
🐛 Fix OSV URI in probe remediation text (#3770)
* add space after link
the period (and possibly what came after it) was being interpreted as part of the link.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* only use one ID in the osv.dev link
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add/fix tests
Signed-off-by: Spencer Schrock <sschrock@google.com>
* make the remediation tests less fragile
this test would need to be fixed every time the phrasing is fixed. by looking for substrings, we make this less likely to need changing.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* move len check before any finding creation
small efficiency gain since the finding is discarded.
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
|
||
Edgar Ramírez Mondragón
|
0e8e57dc3e
|
Support .sigstore bundles to check for signed releases (#3772)
Signed-off-by: Edgar Ramírez Mondragón <edgarrm358@gmail.com> |
||
Spencer Schrock
|
55b6b7686d
|
🌱 Use const keys for SAST and Pinned-Dependencies probe Values map (#3767)
* use const key for pinned-dependencies value map
* use const key for sast value map
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
|
||
Spencer Schrock
|
658a77b501
|
🐛 ensure Signed-Releases only scores 5 releases (#3768)
* limit releasesHaveProvenance probe to 5 releases and check in evaluation code too
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add tests
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
|
||
DavidKorczynski
|
99c455bf9d
|
🌱 SAST: dedupe and add Pysa and Qodana probe (#3743)
* Add SAST Pysa probe
Signed-off-by: David Korczynski <david@adalogics.com>
* Add Pysa positive unit test
Signed-off-by: David Korczynski <david@adalogics.com>
* Add Qodana as well
Signed-off-by: David Korczynski <david@adalogics.com>
* fix some styling
Signed-off-by: David Korczynski <david@adalogics.com>
* fix some messaging
Signed-off-by: David Korczynski <david@adalogics.com>
* checks: raw: sast: dedup by way of regex
Ref: https://github.com/ossf/scorecard/issues/3745
Signed-off-by: David Korczynski <david@adalogics.com>
* deduplicate SAST score checker
Signed-off-by: David Korczynski <david@adalogics.com>
* fix styling
Signed-off-by: David Korczynski <david@adalogics.com>
* fix styling
Signed-off-by: David Korczynski <david@adalogics.com>
* Rename variables appropriately
Signed-off-by: David Korczynski <david@adalogics.com>
* fix error message
Signed-off-by: David Korczynski <david@adalogics.com>
* rename useRegex to usesRegex and add comment
Signed-off-by: David Korczynski <david@adalogics.com>
* Force regex to compile
Signed-off-by: David Korczynski <david@adalogics.com>
---------
Signed-off-by: David Korczynski <david@adalogics.com>
|
||
AdamKorcz
|
2e1059bb76
|
🌱 Add probes for Branch Protection (#3691)
* 🌱 Add probes for Branch Protection
Signed-off-by: AdamKorcz <adam@adalogics.com>
* specify that Scorecard only considers default and releases branches
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* reduce duplication in blocksDeleteOnBranches
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use helper to test for boolean values
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Fix typo, mention OutcomeNotAvailable
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix typo and elaborate on effort
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix typo. Specify which branches the probe considers
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Fix copy paste typo
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove '/en' from url
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change effort from 'High' to 'Low' in the blocksForcePushOnBranches probe def
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix remediation level
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Change probe package name
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* improve probe definitions
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* refactor test names
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Change motivation of two probes
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* downgrade effort of runsStatusChecksBeforeMerging
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* reduce complexity of blocksForcePushOnBranches
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* simplify requiresCodeOwnersReview logic
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix linter issues
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix copy paste error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* differentiate trueMsg and falseMsg in requiresApproversForPullRequests
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix text in requiresCodeOwnersReview
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change outcome in utils
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix lint issues
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix nit in text
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use standardized messages
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove 'Uint32LargerThan0'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Add number of required reviewers to values. Refactor to avoid nil-dereference
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix nit log message
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
|
||
DavidKorczynski
|
2ef20f17fb
|
🌱 SAST: add Snyk probe (#3689)
* SAST: add Snyk probe
Adds Snyk's GitHub action (https://github.com/snyk/actions) as a probe.
Signed-off-by: David Korczynski <david@adalogics.com>
* nit
Signed-off-by: David Korczynski <david@adalogics.com>
* e2e: adjust sast test to additional probe
Signed-off-by: David Korczynski <david@adalogics.com>
* checks: sast: nit, fix e2e test
Signed-off-by: DavidKorczynski <david@adalogics.com>
* Add test with positive outcome
Signed-off-by: David Korczynski <david@adalogics.com>
* fix comment
Signed-off-by: David Korczynski <david@adalogics.com>
* sast: snyk: add workflow test
Signed-off-by: David Korczynski <david@adalogics.com>
* address review
Signed-off-by: David Korczynski <david@adalogics.com>
* sast: adjust snyk to be the same with sonar
Signed-off-by: David Korczynski <david@adalogics.com>
* provide path to WF file
Signed-off-by: David Korczynski <david@adalogics.com>
* adjust path for finding
Signed-off-by: David Korczynski <david@adalogics.com>
* use prefix rather than contains
Signed-off-by: David Korczynski <david@adalogics.com>
---------
Signed-off-by: David Korczynski <david@adalogics.com>
Signed-off-by: DavidKorczynski <david@adalogics.com>
|
||
AdamKorcz
|
2c20be03cb
|
convert Signed Releases to probes (#3610)
* convert Signed Releases to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Specify that probe is for Github and Gitlab only
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use in loop instead of
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linter issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix more linter issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* specify Github and Gitlab in provenance def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add link to slsa-github-generator
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add instructions on signing with Cosign
Signed-off-by: AdamKorcz <adam@adalogics.com>
* refactor evaluation
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* debug failing integration test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove unused nolints
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* expose release name asset names in finding values
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix failed integration test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove 'totalReleases' value from findings
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove left-over cases of "totalReleases" values in findings
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove remaining totalReleases values
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use const probe names instead of hard-coded strings
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove totalReleases from test helper arguments
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* merge test helpers
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
|
||
AdamKorcz
|
3ce1daa74a
|
🌱 Add probes to main call (#3688)
* 🌱 Add probes to main call
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linter issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* add test
Signed-off-by: AdamKorcz <adam@adalogics.com>
* add test coverage
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* WIP
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change comment for 'ExperimentalRunProbes'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix linter issues
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* make only one in root.go
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* relocate printing of output
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove FormatPJSON
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* reduce complexity of rootCmd
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* assign findings in runEnabledProbes
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change name of probe map
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* unwrap error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
|
||
AdamKorcz
|
30ef6b1026
|
🌱 convert CI-Tests check to probes (#3621)
* 🌱 convert CITest check to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix lint issues
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* debug failing integration test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Add negative outcome to test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove 'totalTested' and 'totalMerged' values from findings
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Log at debug level
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
|
||
AdamKorcz
|
ec36916c10
|
🌱 convert Webhook check to probes (#3522)
* 🌱 convert Webhook check to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add test + nits
Signed-off-by: AdamKorcz <adam@adalogics.com>
* replace probe with OutcomeNotApplicable
Signed-off-by: AdamKorcz <adam@adalogics.com>
* return one finding per webhook
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change wording in def.yml
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change wording in def.yml and checks.md
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove unused struct in test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* align checks.md with checks.yaml
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* bring back experimental for webhooks
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'token' to 'secret' in probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use checker.MinResultScore instead of 0
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Change test name
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use checker.MinResultScore instead of 0
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix typo
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Use checker.MaxResultScore instead of 10
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove the 'totalWebhooks' value from findings
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
|
||
AdamKorcz
|
cb721a8526
|
🌱 convert binary artifact check to probe (#3508)
* 🌱 convert binary artifact check to probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Reword motivation
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove unused variable in test
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove positiveOutcome() and length check
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix wrong check name
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Split into two probes: One with and one without gradle-wrappers
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add description about what Scorecard considers a verified binary
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'trusted' to 'verified'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove nil check
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove filtering
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use const scores in tests
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add sanity check in loop
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* rename binary file const
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
|
||
Spencer Schrock
|
1625b0c578
|
🌱 Disable more style linters for test files (#3707)
* disable lll linter for test files
* disable goerr113 linter for tests
* disable wrapcheck linter for tests
* fix easy linter issues in tests
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
|
||
AdamKorcz
|
3cbafa9012
|
📖 fix typo (#3699)
Signed-off-by: Adam Korczynski <adam@adalogics.com> |
||
AdamKorcz
|
9b5d762a7d
|
🌱 convert CII Best Practices check to probes (#3520)
* 🌱 convert CII Best Practices check to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* change 'NOT' to 'not'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Change wording in probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* add links to text
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix typo
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Edit text in def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove hasBadgeNotFound probe
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove 'that' from text
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use CreateMinScoreResult instead of CreateResultWithScore
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use MaxResultScore instead of maxScore
Signed-off-by: AdamKorcz <adam@adalogics.com>
* return CreateRuntimeErrorResult sooner rather than later
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Combine probes into one
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove minScore variable
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove 'hasInProgressBadge' probe
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* make badge levels global variables
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* return -1 for unsupported badge
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change text for unknown and unsupported badges
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
|
||
AdamKorcz
|
68573209d6
|
🌱 make maintained values keys constants (#3700)
Signed-off-by: Adam Korczynski <adam@adalogics.com>
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
|
||
AdamKorcz
|
1c3d9eb6e7
|
🌱 Migrate Maintained check to probes (#3507)
* 🌱 Migrate Maintained check to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix typos
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename 'archived' probe to 'notArchived'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* remove part of comment
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix typo
Signed-off-by: AdamKorcz <adam@adalogics.com>
* log negative findings
Signed-off-by: AdamKorcz <adam@adalogics.com>
* log non positive findings if repo was created less than 90 days ago
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename probe from 'activityOnIssuesByCollaboratorsMembersOrOwnersInLast90Days' to 'issueActivityByProjectMember'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* change probe descriptions
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename 'wasCreatedInLast90Days' probe to 'notCreatedInLast90Days'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add tests with zero issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use values instead of returning multiple findings
Signed-off-by: AdamKorcz <adam@adalogics.com>
* return negative findings instead of non-positive
Signed-off-by: AdamKorcz <adam@adalogics.com>
* correct 'notCreatedInLast90Days' probe definition
Signed-off-by: AdamKorcz <adam@adalogics.com>
* make nested conditionals a single line
Signed-off-by: AdamKorcz <adam@adalogics.com>
* make nested conditionals a single line
Signed-off-by: AdamKorcz <adam@adalogics.com>
* change var name 'issuesUpdatedWithinThreshold' to 'numberOfIssuesUpdatedWithinThreshold'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename 'notCreatedInLast90Days' to 'notCreatedRecently'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* explain 'commitsWithinThreshold' in probe definition
Signed-off-by: AdamKorcz <adam@adalogics.com>
* rename 'commitsInLast90Days' to 'hasRecentCommits'
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linter issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* define 'numberOfIssuesUpdatedWithinThreshold'
Signed-off-by: AdamKorcz <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
|
||
Spencer Schrock
|
92470deac3
|
🌱 enable nolintlint linter and fix violations (#3650)
* enable nolintlint
Signed-off-by: Spencer Schrock <sschrock@google.com>
* first chunk of fixing nolintlint
Signed-off-by: Spencer Schrock <sschrock@google.com>
* second chunk of fixing nolintlint
Signed-off-by: Spencer Schrock <sschrock@google.com>
* third chunk of fixing nolintlint
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fourth chunk of fixing nolintlint
Signed-off-by: Spencer Schrock <sschrock@google.com>
* include reason for the specific linter config
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fifth chunk of fixing nolintlint
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fix linter errors that are somehow still triggering
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
|
||
DavidKorczynski
|
87c2d3c1da
|
⚠️ Remove OneFuzz from fuzzing checks (#3666)
This is removed because OneFuzz has been archived: https://github.com/microsoft/onefuzz
Signed-off-by: David Korczynski <david@adalogics.com>
|