Upgrade scorecard version #1
Commits on Sep 13, 2023
🌱 Remove go.mod replaces (ossf#3440)
* remove old replace directives. Signed-off-by: Spencer Schrock <[email protected]>
* Remove dgrijalva/jwt-go replace. Project now maintained at github.com/golang-jwt/jwt, so it's unused. Signed-off-by: Spencer Schrock <[email protected]>
* remove replace on unused github.com/buger/jsonparser Signed-off-by: Spencer Schrock <[email protected]>
* remove unused github.com/gorilla/handlers replace. Signed-off-by: Spencer Schrock <[email protected]>
* remove unused github.com/miekg/dns Signed-off-by: Spencer Schrock <[email protected]>
* remove unused github.com/ulikunitz/xz Signed-off-by: Spencer Schrock <[email protected]>
* remove unused github.com/satori/go.uuid Signed-off-by: Spencer Schrock <[email protected]>
* replace directive no longer needed for github.com/opencontainers/image-spec. Signed-off-by: Spencer Schrock <[email protected]>
* potentially unneeded replace for github.com/emicklei/go-restful Signed-off-by: Spencer Schrock <[email protected]>
* potentially unneeded replace for github.com/docker/distribution Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Commit: 60615ce
🌱 Bump actions/cache from 3.3.1 to 3.3.2 (ossf#3463)
Bumps [actions/cache](https://github.com/actions/cache) from 3.3.1 to 3.3.2. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@88522ab...704facf) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit: d03ca5c
🌱 Bump actions/upload-artifact from 3.1.2 to 3.1.3 (ossf#3459)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.2 to 3.1.3. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@0b7f8ab...a8a3f3a) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit: 1bd5b42
🌱 Bump actions/dependency-review-action from 3.0.8 to 3.1.0 (ossf#3461)
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.8 to 3.1.0. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@f6fff72...6c5ccda) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit: 8a54672
🌱 Bump tj-actions/changed-files from 39.0.0 to 39.0.2 (ossf#3470)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.0.0 to 39.0.2. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@48566bb...6ee9cdc) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit: 0fcf4d9
🌱 Bump github.com/bradleyfalzon/ghinstallation/v2 (ossf#3467)
Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.6.0 to 2.7.0. - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](bradleyfalzon/ghinstallation@v2.6.0...v2.7.0) --- updated-dependencies: - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit: a51f0af
🌱 Bump cloud.google.com/go/bigquery from 1.54.0 to 1.55.0 (ossf#3471)
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.54.0 to 1.55.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@bigquery/v1.54.0...bigquery/v1.55.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit: 9c9c84b
Commits on Sep 14, 2023
✨ Support Branch-Protection via GitHub Repository Rules (ossf#3354)
* repo rulesets via v4 api Signed-off-by: Peter Wagner <[email protected]>
* good enough fnmatch implementation. Signed-off-by: Spencer Schrock <[email protected]>
* good enough rulesMatchingBranch Signed-off-by: Peter Wagner <[email protected]>
* apply matching repo rules to branch protection settings Signed-off-by: Peter Wagner <[email protected]>
* rules: consider admins and require checks Signed-off-by: Peter Wagner <[email protected]>
* non-structural changes from PR feedback Signed-off-by: Peter Wagner <[email protected]>
* fetch default branch name during repo rules query Signed-off-by: Peter Wagner <[email protected]>
* Testing applyRepoRules. Tests assume a single rule is being applied to a branch, which might be guarded by a legacy branch protection rule. I think this logic gets problematic when there are multiple rules overlaid on the same branch: the "the existing rules does not enforce for admins, but I do and therefore this branch now does" will give false positives. Signed-off-by: Peter Wagner <[email protected]>
* Test_applyRepoRules: builder and standardize names Signed-off-by: Peter Wagner <[email protected]>
* attempt to upgrade/downgrade EnforceAdmins as each rule is applied Signed-off-by: Peter Wagner <[email protected]>
* simplify enforce admin for now. Signed-off-by: Spencer Schrock <[email protected]>
* handle merging pull request reviews Signed-off-by: Spencer Schrock <[email protected]>
* handle merging check rules Signed-off-by: Spencer Schrock <[email protected]>
* handle last push approval Signed-off-by: Spencer Schrock <[email protected]>
* handle linear history Signed-off-by: Spencer Schrock <[email protected]>
* use constants for github rule types. Signed-off-by: Spencer Schrock <[email protected]>
* add status check test. Signed-off-by: Spencer Schrock <[email protected]>
* add e2e test for repo rules. Signed-off-by: Spencer Schrock <[email protected]>
* handle nil branch name data Signed-off-by: Spencer Schrock <[email protected]>
* add tracking issue. Signed-off-by: Spencer Schrock <[email protected]>
* fix precedence in if statement Signed-off-by: Spencer Schrock <[email protected]>
* include repo rules in the check docs. Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Peter Wagner <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Co-authored-by: Spencer Schrock <[email protected]>
Commit: e515c2a
Commits on Sep 16, 2023
🌱 workflows/stale: Update workflow to increase operations-per-run to process more issues (ossf#3483)
* Update workflow to increase operations per run to process more issues
* 🌱 workflows/stale: Increased operations-per-run from default and reduced days to close stale issues
Commit: 4a0e3ff
Commits on Sep 18, 2023
Update URI() for GitLab repos. Add fuzzing test (ossf#3477)
Signed-off-by: Raghav Kaul <[email protected]>
Commit: f7f75d0
🐛 Print Info in Empty Repo Scans (ossf#3426)
* issue 2157 changes Signed-off-by: leec94 <[email protected]>
* incorporated feedback Signed-off-by: leec94 <[email protected]>
* making the linter happy Signed-off-by: leec94 <[email protected]>
* changing to local variable, testing still not working Signed-off-by: leec94 <[email protected]>
* update tests to ignore date Signed-off-by: leec94 <[email protected]>
* ran through linter Signed-off-by: leec94 <[email protected]>
* resolving suggestions Signed-off-by: leec94 <[email protected]>

Signed-off-by: leec94 <[email protected]>
Commit: 00f4d51
🌱 Bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0 (ossf#3478)
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 4.6.0 to 5.0.0. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@5fdedb9...7ec5c2b) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit: 84b53a9
🌱 Bump github.com/go-git/go-git/v5 from 5.8.1 to 5.9.0 (ossf#3479)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.8.1 to 5.9.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](go-git/go-git@v5.8.1...v5.9.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit: 59da3b3
Commits on Sep 19, 2023
🌱 Bump github.com/google/osv-scanner from 1.3.6 to 1.4.0 (ossf#3481)
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.6 to 1.4.0. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](google/osv-scanner@v1.3.6...v1.4.0) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit: fdac84a
🌱 Bump tj-actions/changed-files from 39.0.2 to 39.1.0 (ossf#3488)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.0.2 to 39.1.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@6ee9cdc...8e79ba7) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit: ac13ac7
📖 Add webviewer link (ossf#3490)
* Update README.md: Add link to webviewer
* Update faq.md: Update webviewer link in FAQ
* Update README.md: Typo
* Update faq.md: Linebreak
Commit: 5c93fe6

Commit: 893a472
🌱 Reduce confusion around codecov check status. (ossf#3492)
With our current upload setup, it will always show a drop of 6-7%. This is confusing to contributors, so make the check always pass. Also fixes the threshold for the patch coverage. Signed-off-by: Spencer Schrock <[email protected]>
Commit: 93edfbc
📖 Add gitlab links to viewer example (ossf#3494)
* Update README.md Signed-off-by: olivekl <[email protected]>
* Update faq.md Signed-off-by: olivekl <[email protected]>

Signed-off-by: olivekl <[email protected]>
Commit: fe7906f
Commits on Sep 20, 2023
🐛 Fix npe for GitLab repos without license API data (ossf#3500)
Signed-off-by: Raghav Kaul <[email protected]>
Commit: 0ce62a8
Commits on Sep 21, 2023
🌱 Bump tj-actions/changed-files from 39.1.0 to 39.1.2 (ossf#3504)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.1.0 to 39.1.2. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@8e79ba7...4196030) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit: 5a5a656
Commits on Sep 25, 2023
🌱 Bump actions/checkout from 4.0.0 to 4.1.0 (ossf#3511)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.0.0 to 4.1.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@3df4ab1...8ade135) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit: fa31d56
✨ scdiff: add basic stats command to count scores by buckets (ossf#3458)
* wip Signed-off-by: Spencer Schrock <[email protected]>
* output via tabwriter Signed-off-by: Spencer Schrock <[email protected]>
* specify by check. Signed-off-by: Spencer Schrock <[email protected]>
* Return aggregate score when unmarshalling. Signed-off-by: Spencer Schrock <[email protected]>
* convert from score to bucket in one place. use aggregate score from func Signed-off-by: Spencer Schrock <[email protected]>
* fix forgotten usage of ExperimentalFromJSON2 Signed-off-by: Spencer Schrock <[email protected]>
* use sentinel errors. Signed-off-by: Spencer Schrock <[email protected]>
* move counting to own func for testability Signed-off-by: Spencer Schrock <[email protected]>
* remove unneeded fields from results for readability. Signed-off-by: Spencer Schrock <[email protected]>
* add test for parse errors. Signed-off-by: Spencer Schrock <[email protected]>
* share max result size for any bufio.Scanner which reads results. Signed-off-by: Spencer Schrock <[email protected]>
* add basic overall test for calcing stats. Signed-off-by: Spencer Schrock <[email protected]>
* make missing file argument generic. Signed-off-by: Spencer Schrock <[email protected]>
* validate min args with cobra. Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Commit: 7626a05
🌱 Switch test import to remove gotest.tools dependency. (ossf#3501)
Signed-off-by: Spencer Schrock <[email protected]>
Commit: fd12f6a
🐛 Set repo commit SHA in results after fetching successfully. (ossf#3514)
Signed-off-by: Spencer Schrock <[email protected]>
Commit: bbd673c
🌱 Don't close stale issues explicitly (ossf#3513)
Issues are still getting closed after ossf#3493. I assume there's a default value being used somewhere. Signed-off-by: Spencer Schrock <[email protected]>
Commit: 6aa3bcc
✨ Move "EnforcesAdmins" to tier 5 Branch-Protection (ossf#3502)
* Remove EnforceAdmins from tier 1. Scores in some tests either increase to 3 or 4, since EnforceAdmins no longer keeps them in tier 1. The number of Debug, Info, and Warn messages will decrease by 1 per branch, since we're no longer logging them. Signed-off-by: Spencer Schrock <[email protected]>
* move enforce admins to tier 5. Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Commit: 8752511
🐛 Pinned-Dependencies: only score detected ecosystems (ossf#3436)
* feat: Define if dependency is pinned or unpinned. Add a field Pinned to Dependency structure. Update to save Dependencies pinned and unpinned, not only unpinned ones. All download then run executions are considered unpinned, because there is no remediation to pin them. For package manager downloads: add early return if there are no commands, separate package manager identification (go, npm, choco, pip) from decision if installation is pinned or unpinned. Change Go case "go get -d -v" considered pinned, to any Go installations containing "-d" to be considered pinned. Signed-off-by: Gabriela Gutierrez <[email protected]>
* refactor: Convert diff var types to pointer. We need to add a new conversion of boolean to pointer. Currently, we had string and int conversions named asPointer but not used in the same file. In order to know when we are using which conversion, and considering bool and string would have to be used in the same file, it was needed to differentiate the method names. New method names are asIntPointer, asStringPointer and soon asBoolPointer. Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Pinned Dependency field type. Field needs to be a pointer to work when accessing values on evaluation. Signed-off-by: Gabriela Gutierrez <[email protected]>
* feat: Count pinned and unpinned deps. We're changing the ecosystems result structure. The result structure previously stored if the ecosystem is fully pinned or not. The new result structure can tell how many dependencies of that ecosystem were found and how many were pinned. This change is necessary to ignore not applicable ecosystems on the final aggregated score. When iterating the dependencies, now we go through pinned and unpinned dependencies, not only unpinned, and in each iteration we update the result. We kept the behavior of only logging warnings for unpinned dependencies. Signed-off-by: Gabriela Gutierrez <[email protected]>
* feat: Flag not applicable ecosystems. If no dependencies of an ecosystem are found, it results in an inconclusive score (-1). As in other checks, this means here that the ecosystem scoring is not applicable in this case. At the same time, we are keeping the scoring criteria the same. If all dependencies are pinned, it results in maximum score (10) and if 1 or more dependencies are unpinned, it results in a minimum score (0) for that ecosystem. GitHub workflow cases are handled differently but the idea is the same. We are also adding a log to know when an ecosystem was not found. Signed-off-by: Gabriela Gutierrez <[email protected]>
* feat: Score only applicable ecosystems Signed-off-by: Gabriela Gutierrez <[email protected]>
* feat: If no dependencies then create inconclusive score Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: GitHub Actions score and logs. Change test from `createReturnValuesForGitHubActionsWorkflowPinned` function to `createReturnForIsGitHubActionsWorkflowPinned` wrapper function so we can test logs. We have adjusted the existing test cases and included new test cases. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Pinned dependencies score. Break "various warnings" tests into smaller tests for pinned and unpinned dependencies and how they react to warn and debug messages. Plus add tests for how the score is affected when all dependencies are pinned, when no dependencies are pinned, when there are no dependencies, and partial dependencies pinned. Also, how dependencies unpinned in 1 or multiple ecosystems affect the warn messages; add one unpinned case for each ecosystem to see if they are being detected and separate the download then run 2 possible cases, which are currently scoring and logging wrong due to a bug. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Ecosystems score and logs Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Remove deleted maxScore function test. When we changed the scoring method to ignore not applicable scores, we removed the normalization of inconclusive scores to 0. The normalization was done by `maxScore` function, that was deleted in the process. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Adding GitHub Actions dependencies to result Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Update GitHub Actions result Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Update pip installs result Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Handle if nuget dependency is pinned or unpinned Signed-off-by: Gabriela Gutierrez <[email protected]>
* tests: Fix check warnings for unpinned dependencies Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Linter errors Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: GitHub Actions pinned log. If, for example, you have GitHub-owned actions and no Third-party actions, you should receive a "no Third-party actions found" log and not receive an "all Third-party actions are pinned" log. At the same time, you deserve the score of pinning Third-party to complement the GitHub-owned score. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix "ossf-tests/scorecard-check-pinned-dependencies-e2e". The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions, only GitHub-owned actions, which are unpinned, no npm installs, multiple go installs all pinned, and all other dependency types are unpinned. This gives us 8 for actionScore, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 28/7 =~ 4, and now the total score is 18/6 =~ 3. The number of logs remains the same. The "all Third-party actions are pinned" will be replaced by "no Third-party actions found", which is more realistic info, and the same for npm installs. Signed-off-by: Gabriela Gutierrez <[email protected]>
* Revert rename `asPointer` to `asStringPointer` Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Handle deps with parsing error and undefined pinning. When a dependency has a parsing error it ends up with a `Msg` field. In this case, the dependency should not count in the final score, so we should not `updatePinningResults` in this case. Also, to continue with the evaluation calculation, we need to make sure the dependencies have a `Pinned` state. Here we are adding this validation for it along with a debug log. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Delete unnecessary test. We already have a separate test for if 1 unpinned dependency shows a warn message, and 2 cases for when dependencies have errors and show a debug message. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Add missing dep Location cases Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Simplify Dockerfile pinned as name logic Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: If ecosystem is not found show debug log. If ecosystem is not found show debug log, not info log. This affects the tests: all not found ecosystems will "move" from info logs to debug logs. We are also complementing the `all dependencies pinned` and `all dependencies unpinned` cases so we have the max score case and the min score case using all kinds of dependencies. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix e2e tests and more unit tests Signed-off-by: Gabriela Gutierrez <[email protected]>
* feat: Iterate all dependency types for final score. Now we iterate all existing dependency types in the final score. This will fix the problem of new ecosystems not being counted in the final score because we needed to update the evaluation part. This also fixes the problem of download then run being counted twice for the score. Now, we only have debug logs when there are errors with the dependency metadata. That means we don't log anymore when dependencies of an ecosystem are not found. We changed the info log format when dependencies are all pinned. We simplified the calculation of the scores. We removed unused error returns. And now we only iterate existing ecosystems. If an ecosystem is not found we will not iterate it. Signed-off-by: Gabriela Gutierrez <[email protected]>
* feat: Proportional score. We count all pinned dependencies over the total found dependencies of all ecosystems for the final score. But, we still want to give low priority to GHA GitHub-owned dependencies over GHA third-party dependencies. That's why we are doing a weighted proportional score: all ecosystems have a normal weight of 10 but GHAs have a weight. If you only have GitHub-owned, it will count as 10, because GHA don't weigh less than other ecosystems. Same for GHA third-party: if you only have GHA third-party, it will also count as 10, because GHAs don't weigh less than other ecosystems. But if you have both GHA GitHub-owned and third-party, GitHub-owned count less than third-party. Trying to keep the same weight as before, GitHub-owned weighs 8 and third-party weighs 2. These weights will make the score be more penalized if you have unpinned third-party and less penalized if you have unpinned GitHub-owned. Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: GHA weights in proportional score Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix scores and logs checking. Add new cases for GHA scores since it's weighted differently now. Remove `createReturnValues` test since the function was removed. Fix current tests to adjust number of logs since we don't log if all dependencies are pinned or not anymore. Fix partially pinned score. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix e2e test. The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions, only GitHub-owned actions, which are unpinned, no npm installs, multiple go installs all pinned, and all other dependency types are unpinned. This gives us 8 for GHA ecosystem, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 18/6 =~ 3. Now, we count 5/6 GitHub-owned GHA pinned, 23/36 containerImage pinned, 0/88 downloadThenRun pinned, 2/49 pipCommand pinned, 17/17 goCommand pinned. This results in 47/186 pinned dependencies, which results in a 2.5 score, that is rounded down to 2. Plus, the number of info logs was reduced since we don't log info for "all pinned dependencies in X ecosystem" anymore. Signed-off-by: Gabriela Gutierrez <[email protected]>
* refactor: Rename to ProportionalScoreWeighted Signed-off-by: Gabriela Gutierrez <[email protected]>
* refactor: Var declarations to create proportional score Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Remove unnecessary pointer Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Dependencies priority declaration Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Ecosystem spelling Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Handle 0 weight and 0 total when creating proportional weighted score Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Revert -d flag identification change Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: npm ci command is npm download and is pinned Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Linter errors Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Unexport error variable to other packages Signed-off-by: Gabriela Gutierrez <[email protected]>
* refactor: Simplify no score groups condition Signed-off-by: Gabriela Gutierrez <[email protected]>
* feat: Log proportion of dependencies pinned Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix unit tests to include info logs. The number of info logs should be the same as the number of identified ecosystems. GitHub-owned GitHubAction and third-party GitHubAction count as different ecosystems. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix e2e tests to include info logs. The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has GitHub-owned GitHubActions, containerImage, downloadThenRun, pipCommand and goCommand dependencies. Therefore it will have 5 Info logs, one for each ecosystem. Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Linter error Signed-off-by: Gabriela Gutierrez <[email protected]>

Signed-off-by: Gabriela Gutierrez <[email protected]>
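The weighted proportional score described in the commit message above, as an added Go example that is not scorecard's own code. Type and function names are assumptions; the score floors maxResultScore * sum(weight * pinned) / sum(weight * total) over ecosystems with at least one dependency found, and the GitHub-owned 2 / third-party 8 split is assumed from the message's stated intent (unpinned third-party actions penalized more), since the message's own numbers are followed by a "fix: GHA weights" bullet.

```go
package main

import (
	"errors"
	"fmt"
)

const (
	maxResultScore          = 10 // every ecosystem's default weight and the top score
	inconclusiveResultScore = -1 // "not applicable": nothing to score
	gitHubOwnedActionWeight = 2  // assumed; applies only when both action kinds are present
	thirdPartyActionWeight  = 8  // assumed; see lead-in
)

// pinnedCount is a constructed per-ecosystem tally: how many dependencies were
// found and how many of them were pinned.
type pinnedCount struct {
	Pinned int
	Total  int
}

// weightedGroup is a tally together with the weight it gets in the final score.
type weightedGroup struct {
	Pinned, Total, Weight int
}

var errInvalidGroup = errors.New("pinned count exceeds total, or negative value")

// proportionalScoreWeighted returns floor(maxResultScore * sum(w*pinned) / sum(w*total)).
// Ecosystems with Total == 0 were not detected and are skipped; if nothing is left
// (no dependencies at all, or only zero-weight groups) the result is inconclusive.
func proportionalScoreWeighted(groups []weightedGroup) (int, error) {
	var weightedPinned, weightedTotal int
	for _, g := range groups {
		if g.Pinned < 0 || g.Weight < 0 || g.Pinned > g.Total {
			return inconclusiveResultScore, errInvalidGroup
		}
		if g.Total == 0 {
			continue // ecosystem not found: not applicable
		}
		weightedPinned += g.Weight * g.Pinned
		weightedTotal += g.Weight * g.Total
	}
	if weightedTotal == 0 {
		return inconclusiveResultScore, nil
	}
	// Integer division floors, matching "2.5 ... rounded down to 2" in the message.
	return maxResultScore * weightedPinned / weightedTotal, nil
}

// pinnedDependenciesScore applies the GitHub Actions rule from the message: a lone
// action kind weighs the normal 10, but when GitHub-owned and third-party actions
// are both present they weigh 2 and 8 respectively. Other ecosystems always weigh 10.
func pinnedDependenciesScore(ghaOwned, ghaThirdParty pinnedCount, others ...pinnedCount) (int, error) {
	ownedWeight, thirdWeight := maxResultScore, maxResultScore
	if ghaOwned.Total > 0 && ghaThirdParty.Total > 0 {
		ownedWeight, thirdWeight = gitHubOwnedActionWeight, thirdPartyActionWeight
	}
	groups := []weightedGroup{
		{ghaOwned.Pinned, ghaOwned.Total, ownedWeight},
		{ghaThirdParty.Pinned, ghaThirdParty.Total, thirdWeight},
	}
	for _, o := range others {
		groups = append(groups, weightedGroup{o.Pinned, o.Total, maxResultScore})
	}
	return proportionalScoreWeighted(groups)
}

func main() {
	// Constructed input: the e2e counts quoted in the commit message
	// (5/6 GitHub-owned actions, no third-party actions, 23/36 container images,
	// 0/88 download-then-run, 2/49 pip, 17/17 go) -> 47/186 -> 2.
	score, err := pinnedDependenciesScore(
		pinnedCount{5, 6},
		pinnedCount{0, 0},
		pinnedCount{23, 36},
		pinnedCount{0, 88},
		pinnedCount{2, 49},
		pinnedCount{17, 17},
	)
	fmt.Println(score, err) // 2 <nil>
}
```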
Commit 052d89b
-
🌱 Bump github.com/onsi/ginkgo/v2 in /tools (ossf#3497)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.0 to 2.12.1. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.12.0...v2.12.1) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 52463bd
-
🌱 Bump github.com/onsi/ginkgo/v2 from 2.12.0 to 2.12.1 (ossf#3496)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.0 to 2.12.1. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.12.0...v2.12.1) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 7a94273
Commits on Sep 26, 2023
-
🌱 Bump github.com/xanzy/go-gitlab from 0.91.1 to 0.92.1 (ossf#3517)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.91.1 to 0.92.1. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](xanzy/go-gitlab@v0.91.1...v0.92.1) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 7034306
Commits on Oct 2, 2023
-
📖 Update docs for Signed-Releases check (ossf#3469)
* Update docs for signed-releases Signed-off-by: Raghav Kaul <[email protected]> * update docs Signed-off-by: Raghav Kaul <[email protected]> --------- Signed-off-by: Raghav Kaul <[email protected]>
Commit c738750
-
🌱 Bump github.com/rhysd/actionlint from 1.6.15 to 1.6.26 (ossf#3489)
* bump actionlint. Signed-off-by: Spencer Schrock <[email protected]> * fix unit tests. Signed-off-by: Spencer Schrock <[email protected]> * include latest update. Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]>
Commit c061367
Commits on Oct 3, 2023
-
🌱 Bump github.com/onsi/gomega from 1.27.10 to 1.28.0 (ossf#3523)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.10 to 1.28.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.27.10...v1.28.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 86aed2c
-
✨ Add --output argument to write results to file (ossf#3482)
* feat: Create output file argument. Signed-off-by: Gabriela Gutierrez <[email protected]>
* feat: Write results to output file. Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Default results format output. Print results headline to output, which may be a file. Signed-off-by: Gabriela Gutierrez <[email protected]>
* feat: Log start and end of checks work to console. Independent of the logs being output to console or a file, the information on which checks are running is still relevant. Now, we always log this info to the console. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix options unit tests. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Output option content and shorthand. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Output to file with correct format. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix helper function with linter error. Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Define output to console or file inside FormatResults. Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Remove intermediate variable to define output. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix error log. Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Close output file before write results. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix unit test. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix remove file even if test fails. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix fail test cases. Fail test if cannot format results or cannot read real or expected outputs. Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Copyright notice year and license header spacing. Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Rename Output to ResultsFile. Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Linter errors. Signed-off-by: Gabriela Gutierrez <[email protected]>
* Revert "feat: Log start and end of checks work to console". This reverts commit c4a00a5. Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Print results headline in default format. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix default format result test. Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Close output only when it's file. Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: Linter error. Signed-off-by: Gabriela Gutierrez <[email protected]>
--------- Signed-off-by: Gabriela Gutierrez <[email protected]>
Commit e81ec7e
-
🌱 Bump step-security/harden-runner from 2.5.1 to 2.6.0 (ossf#3532)
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.5.1 to 2.6.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@8ca2b8b...1b05615) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 7161ec1
-
🌱 Bump tj-actions/changed-files from 39.1.2 to 39.2.1 (ossf#3531)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.1.2 to 39.2.1. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@4196030...db153ba) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 2c25c46
Commits on Oct 4, 2023
-
🌱 Fix race condition in output file test. (ossf#3533)
Signed-off-by: Spencer Schrock <[email protected]>
Commit 7ad9de3
-
📖 Fix documentation typos (ossf#3505)
* fix typo Signed-off-by: omahs <[email protected]> * fix typos Signed-off-by: omahs <[email protected]> * fix typo Signed-off-by: omahs <[email protected]> * fix typo Co-authored-by: Raghav Kaul <[email protected]> Signed-off-by: omahs <[email protected]> * fix typos Signed-off-by: omahs <[email protected]> --------- Signed-off-by: omahs <[email protected]>
Commit 3785f9c
-
✨ broaden job matcher for semantic release (ossf#3506)
* feat: broaden job matcher for semantic release Signed-off-by: secustor <[email protected]> * tests(checks/permissions): add tests for semantic release if using pnpm and yarn Signed-off-by: secustor <[email protected]> --------- Signed-off-by: secustor <[email protected]>
Commit a9e2505
-
🌱 Bump nick-invision/retry from 2.8.3 to 2.9.0 (ossf#3519)
Bumps [nick-invision/retry](https://github.com/nick-invision/retry) from 2.8.3 to 2.9.0. - [Release notes](https://github.com/nick-invision/retry/releases) - [Changelog](https://github.com/nick-fields/retry/blob/master/.releaserc.js) - [Commits](nick-fields/retry@943e742...1467290) --- updated-dependencies: - dependency-name: nick-invision/retry dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 7a1c8fe
-
🌱 Bump github.com/xanzy/go-gitlab from 0.92.1 to 0.92.3 (ossf#3528)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.92.1 to 0.92.3. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](xanzy/go-gitlab@v0.92.1...v0.92.3) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 3c27597
-
🌱 Bump github.com/otiai10/copy from 1.12.0 to 1.14.0 (ossf#3527)
Bumps [github.com/otiai10/copy](https://github.com/otiai10/copy) from 1.12.0 to 1.14.0. - [Release notes](https://github.com/otiai10/copy/releases) - [Commits](otiai10/copy@v1.12.0...v1.14.0) --- updated-dependencies: - dependency-name: github.com/otiai10/copy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 71078d8
Commits on Oct 5, 2023
-
🌱 Bump github.com/google/osv-scanner from 1.4.0 to 1.4.1 (ossf#3536)
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.4.0 to 1.4.1. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](google/osv-scanner@v1.4.0...v1.4.1) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 5e05661
-
🌱 Bump github.com/xanzy/go-gitlab from 0.92.3 to 0.93.0 (ossf#3537)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.92.3 to 0.93.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](xanzy/go-gitlab@v0.92.3...v0.93.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 64c491b
-
✨ scdiff: Limit generating results to specific checks (ossf#3535)
* accept checks arg when generating golden. Signed-off-by: Spencer Schrock <[email protected]>
* don't shadow import. Signed-off-by: Spencer Schrock <[email protected]>
--------- Signed-off-by: Spencer Schrock <[email protected]>
Commit e1d3abc
Commits on Oct 6, 2023
-
🌱 Add probe test utility (ossf#3541)
Signed-off-by: AdamKorcz <[email protected]>
Commit 1c8f6a8
-
🌱 Sort fields of raw results alphabetically (ossf#3540)
Signed-off-by: AdamKorcz <[email protected]> Co-authored-by: laurentsimon <[email protected]>
Commit 971f3e8
Commits on Oct 9, 2023
-
🌱 Bump ossf/scorecard-action from 2.2.0 to 2.3.0 (ossf#3544)
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.2.0 to 2.3.0. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@08b4669...483ef80) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 5187087
-
🌱 Bump golang.org/x/oauth2 from 0.12.0 to 0.13.0 (ossf#3545)
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.12.0 to 0.13.0. - [Commits](golang/oauth2@v0.12.0...v0.13.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 9619d4e
-
🌱 Bump github.com/xanzy/go-gitlab from 0.93.0 to 0.93.1 (ossf#3546)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.93.0 to 0.93.1. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](xanzy/go-gitlab@v0.93.0...v0.93.1) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit c2cf090
-
🌱 Bump distroless/base from `27647a6` to `29da700` and golang from `e……c457a2` to `e9ebfe9` (ossf#3548)
* bump distroless. Signed-off-by: Spencer Schrock <[email protected]>
* bump golang 1.21. Signed-off-by: Spencer Schrock <[email protected]>
--------- Signed-off-by: Spencer Schrock <[email protected]>
Commit 03060f2
-
🌱 Bump cloud.google.com/go/bigquery from 1.55.0 to 1.56.0 (ossf#3538)
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.55.0 to 1.56.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@bigquery/v1.55.0...bigquery/v1.56.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 74c57cd
-
🌱 Add OutcomeNotApplicable (ossf#3539)
Signed-off-by: AdamKorcz <[email protected]>
Commit 034e6b2
-
✨ Add additional fuzzing probes (ossf#3473)
* Extend with additional fuzzing probes. Signed-off-by: David Korczynski <[email protected]>
* fix formatting. Signed-off-by: David Korczynski <[email protected]>
* cleanup formatting. Signed-off-by: David Korczynski <[email protected]>
* make skip testing optional. Signed-off-by: David Korczynski <[email protected]>
* address reviews. Signed-off-by: David Korczynski <[email protected]>
* add todo. Signed-off-by: David Korczynski <[email protected]>
* nit. Signed-off-by: David Korczynski <[email protected]>
* nit. Signed-off-by: David Korczynski <[email protected]>
* add swift fuzzing probe. Signed-off-by: David Korczynski <[email protected]>
* avoid changing OnMatchingFileContentDo. Signed-off-by: David Korczynski <[email protected]>
* nit. Signed-off-by: David Korczynski <[email protected]>
* undo matching file content extension. Signed-off-by: David Korczynski <[email protected]>
* nit: fix constant. Signed-off-by: David Korczynski <[email protected]>
* test all fileMatchPatterns per client. Signed-off-by: David Korczynski <[email protected]>
* fix test logging counts. Signed-off-by: David Korczynski <[email protected]>
* nit. Signed-off-by: David Korczynski <[email protected]>
--------- Signed-off-by: David Korczynski <[email protected]>
Commit bd640f7
Commits on Oct 10, 2023
-
📖 fix "default" typo (ossf#3543)
Signed-off-by: guoguangwu <[email protected]>
Commit 29aa5d2
-
🌱 checks/raw: fix struct alignment linter issue (ossf#3550)
Signed-off-by: Spencer Schrock <[email protected]>
Commit f2ce613
Commits on Oct 11, 2023
-
🌱 Add map to Finding (ossf#3558)
Signed-off-by: AdamKorcz <[email protected]>
Commit 6c43301
Commits on Oct 12, 2023
-
🌱 Bump golang.org/x/net from 0.16.0 to 0.17.0 (ossf#3563)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.16.0 to 0.17.0. - [Commits](golang/net@v0.16.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit bada658
-
🌱 Bump golang.org/x/net from 0.14.0 to 0.17.0 in /tools (ossf#3562)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.14.0 to 0.17.0. - [Commits](golang/net@v0.14.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit bb5fede
-
🌱 Adding all Intel public GitHub repos (ossf#3556)
Signed-off-by: Ryan Ware <[email protected]>
Ryan Ware committed Oct 12, 2023
Commit 7cbc4b1
-
🌱 Bump github.com/onsi/ginkgo/v2 from 2.12.1 to 2.13.0 (ossf#3551)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.1 to 2.13.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.12.1...v2.13.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 3b63938
-
🌱 Bump github.com/onsi/ginkgo/v2 in /tools (ossf#3552)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.1 to 2.13.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.12.1...v2.13.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 67431ba
-
🌱 Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (ossf#3557)
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.9 to 0.6.0. - [Release notes](https://github.com/google/go-cmp/releases) - [Commits](google/go-cmp@v0.5.9...v0.6.0) --- updated-dependencies: - dependency-name: github.com/google/go-cmp dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit e5955d0
-
🌱 Bump kubernetes-sigs/kubebuilder-release-tools (ossf#3553)
Bumps [kubernetes-sigs/kubebuilder-release-tools](https://github.com/kubernetes-sigs/kubebuilder-release-tools) from 0.3.0 to 0.4.0. - [Release notes](https://github.com/kubernetes-sigs/kubebuilder-release-tools/releases) - [Changelog](https://github.com/kubernetes-sigs/kubebuilder-release-tools/blob/master/RELEASE.md) - [Commits](kubernetes-sigs/kubebuilder-release-tools@4f3d108...d8367c2) --- updated-dependencies: - dependency-name: kubernetes-sigs/kubebuilder-release-tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 16ace55
-
🐛 Fix wrong quotes (ossf#3565)
Signed-off-by: AdamKorcz <[email protected]>
Commit 05a1ead
-
🌱 Add new outcome to UnmarshalYAML (ossf#3566)
Signed-off-by: AdamKorcz <[email protected]>
Commit 8eaf0d7
Commits on Oct 16, 2023
-
🐛 scdiff: fix generate cmd when no --checks arg provided. (ossf#3570)
Signed-off-by: Spencer Schrock <[email protected]>
Commit b9bbb82
-
✨ scdiff: improve `compare` usability (ossf#3573)
* fallback to cron style when parsing dates. The cron output was never updated in ossf#2712. In the interim, support both formats. Signed-off-by: Spencer Schrock <[email protected]>
* continue on first diff, to highlight all differences. Signed-off-by: Spencer Schrock <[email protected]>
* tests for date fallback. Signed-off-by: Spencer Schrock <[email protected]>
--------- Signed-off-by: Spencer Schrock <[email protected]>
Commit 63fff3c
Commits on Oct 19, 2023
-
✨ Add fast-check test runners integrations (ossf#3568)
Signed-off-by: Pierre Cavin <[email protected]>
Commit f26ee46
-
🌱 Bump github.com/bradleyfalzon/ghinstallation/v2 (ossf#3575)
Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.7.0 to 2.8.0. - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](bradleyfalzon/ghinstallation@v2.7.0...v2.8.0) --- updated-dependencies: - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 836c040
-
🌱 Bump tj-actions/changed-files from 39.2.1 to 39.2.3 (ossf#3577)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.2.1 to 39.2.3. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@db153ba...95690f9) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 159c6c8
-
🌱 Bump github.com/google/ko from 0.14.1 to 0.15.0 in /tools (ossf#3578)
Bumps [github.com/google/ko](https://github.com/google/ko) from 0.14.1 to 0.15.0. - [Release notes](https://github.com/google/ko/releases) - [Changelog](https://github.com/ko-build/ko/blob/main/.goreleaser.yml) - [Commits](ko-build/ko@v0.14.1...v0.15.0) --- updated-dependencies: - dependency-name: github.com/google/ko dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 1c05571
-
🌱 Bump actions/checkout from 4.1.0 to 4.1.1 (ossf#3580)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.0 to 4.1.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@8ade135...b4ffde6) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 4b8066a
Commits on Oct 20, 2023
-
🐛 SAST detect new GitHub app slug for CodeQL (ossf#3591)
* Fix SAST no longer working for CodeQL. The app slug for CodeQL appears to have changed from `github-advanced-security` to `github-code-scanning`, causing the SAST rule to false-negative on commits. Signed-off-by: martincostello <[email protected]>
* Fix lint warning. Signed-off-by: martincostello <[email protected]>
--------- Signed-off-by: martincostello <[email protected]>
Commit 49c0eed
Commits on Oct 23, 2023
-
🌱 enable the golangci-lint `bugs` preset (ossf#3583)
* enable bugs preset. Signed-off-by: Spencer Schrock <[email protected]>
* fix noctx linter. Signed-off-by: Spencer Schrock <[email protected]>
* fix bodyclose linter. Signed-off-by: Spencer Schrock <[email protected]>
* fix contextcheck linter. Signed-off-by: Spencer Schrock <[email protected]>
* This ignores all existing cases of musttag linter complaints. This analyzer seems useful in the future, but some of this code is old and I don't want to change it for existing code now. Signed-off-by: Spencer Schrock <[email protected]>
* ignore existing nilerr lints. This behavior is from the initial commit, and primarily affects metrics. Leaving as is, and hope to benefit from the linter in the future. Signed-off-by: Spencer Schrock <[email protected]>
--------- Signed-off-by: Spencer Schrock <[email protected]>
Commit d0cefa5
-
🌱 use forbidigo linter to prevent print statements (ossf#3585)
* enable forbidigo for print statements. Include reasoning as message exposed to developer. Signed-off-by: Spencer Schrock <[email protected]>
* remove or grant exceptions for existing print statements. Signed-off-by: Spencer Schrock <[email protected]>
* swap stdout to stderr. Signed-off-by: Spencer Schrock <[email protected]>
* separate msg from regex for better readability. Signed-off-by: Spencer Schrock <[email protected]>
--------- Signed-off-by: Spencer Schrock <[email protected]>
Commit 2d93196
-
🐛 scanning gitlab private repositories (ossf#3596)
* fix: Run for gitlab private repos
  Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: gitlab repo is accessible
  Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: linter error
  Signed-off-by: Gabriela Gutierrez <[email protected]>
---------
Signed-off-by: Gabriela Gutierrez <[email protected]>
Co-authored-by: Raghav Kaul <[email protected]>
Commit ca5c404
-
🌱 Bump github.com/xanzy/go-gitlab from 0.93.1 to 0.93.2 (ossf#3593)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.93.1 to 0.93.2. - [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go) - [Commits](xanzy/go-gitlab@v0.93.1...v0.93.2) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 8959d3f
-
🌱 Bump github.com/onsi/gomega from 1.28.0 to 1.28.1 (ossf#3597)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.28.0 to 1.28.1. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.28.0...v1.28.1) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 6fb5f8a
-
🌱 add style linters: mirror, tenv, usestdlibvars (ossf#3586)
* fix tenv linter and bug with t.Parallel
  Signed-off-by: Spencer Schrock <[email protected]>
* fix usestdlibvars linter
  Signed-off-by: Spencer Schrock <[email protected]>
* fix mirror linter
  Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
Commit 2391edf
-
🌱 enable gomoddirectives linter. (ossf#3584)
Signed-off-by: Spencer Schrock <[email protected]>
Commit 1c649cb
-
🌱 enable style linter errname (ossf#3587)
* enable errname linter
  Signed-off-by: Spencer Schrock <[email protected]>
* convert publish err to custom error type.
  Signed-off-by: Spencer Schrock <[email protected]>
* remove unused exported error.
  Signed-off-by: Spencer Schrock <[email protected]>
* convert unsupported exporter type to custom error type.
  Signed-off-by: Spencer Schrock <[email protected]>
* exempt public errors from linter.
  Signed-off-by: Spencer Schrock <[email protected]>
* exempt cron config errors from linter.
  Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
Commit 5eca374
-
🌱 remove unused osv helper tool. (ossf#3572)
This is a followup cleanup of d4b44e5 (ossf#2303).
Signed-off-by: Spencer Schrock <[email protected]>
Commit 25c414d
Commits on Oct 24, 2023
-
🌱 Bump github.com/golangci/golangci-lint in /tools (ossf#3592)
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.54.2 to 1.55.0. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](golangci/golangci-lint@v1.54.2...v1.55.0) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 52f950b
-
🌱 GitLab: track coverage for gitlab e2e tests (ossf#3601)
Signed-off-by: Raghav Kaul <[email protected]>
Commit 622f104
-
🌱 Add license probe (ossf#3465)
* 🌱 Add license probe
  Signed-off-by: AdamKorcz <[email protected]>
* [WIP] add two remaining license checks as probes
  Signed-off-by: AdamKorcz <[email protected]>
* fix nits
  Signed-off-by: AdamKorcz <[email protected]>
* Use Errorf in test
  Signed-off-by: AdamKorcz <[email protected]>
* use zrunner
  Signed-off-by: AdamKorcz <[email protected]>
* fix wrong return value
  Signed-off-by: AdamKorcz <[email protected]>
* fix linting issues and remove empty default
  Signed-off-by: AdamKorcz <[email protected]>
* fix double if statement
  Signed-off-by: AdamKorcz <[email protected]>
* Remove struct field from test
  Signed-off-by: AdamKorcz <[email protected]>
* Add test for nil-case of license files slice
  Signed-off-by: AdamKorcz <[email protected]>
* rewrite multiple def.ymls
  Signed-off-by: AdamKorcz <[email protected]>
* fix nits
  Signed-off-by: AdamKorcz <[email protected]>
* Add unit test with multiple unapproved license files
  Signed-off-by: AdamKorcz <[email protected]>
* Add link to approved license formats
  Signed-off-by: AdamKorcz <[email protected]>
* fix linting
  Signed-off-by: AdamKorcz <[email protected]>
* remove comment
  Signed-off-by: AdamKorcz <[email protected]>
* preserve logging from original check
  Signed-off-by: AdamKorcz <[email protected]>
* fix typo
  Signed-off-by: AdamKorcz <[email protected]>
* remove redundant map manipulation
  Signed-off-by: AdamKorcz <[email protected]>
* rename hasApproveLicense probe
  Signed-off-by: AdamKorcz <[email protected]>
* Return OutcomeNotApplicable if hasFSFOrOSIApprovedLicense probe does not find a license
  Signed-off-by: AdamKorcz <[email protected]>
* Include license file locations in log
  Signed-off-by: AdamKorcz <[email protected]>
* fix linting issues
  Signed-off-by: AdamKorcz <[email protected]>
* replace strings filtering with OutcomeNotApplicable in hasLicenseFileAtTopDir probe
  Signed-off-by: AdamKorcz <[email protected]>
* Fix linter issue
  Signed-off-by: AdamKorcz <[email protected]>
* Include location of found license files
  Signed-off-by: AdamKorcz <[email protected]>
---------
Signed-off-by: AdamKorcz <[email protected]>
Commit 0e3a523
-
🌱 convert packaging check to probe (ossf#3486)
* 🌱 convert packaging check to probe
  Signed-off-by: AdamKorcz <[email protected]>
* amend text in def.yml
  Signed-off-by: AdamKorcz <[email protected]>
* Correct short description in def.yml
  Signed-off-by: AdamKorcz <[email protected]>
* log negative findings
  Signed-off-by: AdamKorcz <[email protected]>
* rename probe
  Signed-off-by: AdamKorcz <[email protected]>
* Fix the broken e2e test: The probe returned minimum score instead of inconclusive score which was not consistent with the previous scoring. This commit also removes the debug statements
  Signed-off-by: AdamKorcz <[email protected]>
* change score text
  Signed-off-by: AdamKorcz <[email protected]>
* include file details. process all packaging workflows
  Signed-off-by: AdamKorcz <[email protected]>
---------
Signed-off-by: AdamKorcz <[email protected]>
Commit 1aca1d9
-
🌱 Add probe support for contributors metrics (ossf#3460)
* 🌱 Add probe support for contributors metrics
  Signed-off-by: AdamKorcz <[email protected]>
* fix lint issues
  Signed-off-by: AdamKorcz <[email protected]>
* change 'contributorsWith' to 'contributorsFrom'
  Signed-off-by: AdamKorcz <[email protected]>
* change remediation difficulty
  Signed-off-by: AdamKorcz <[email protected]>
* fix nits
  Signed-off-by: AdamKorcz <[email protected]>
* Updates to checks and checks/evaluation
  Signed-off-by: AdamKorcz <[email protected]>
* fix tests like in ossf#3409
  Signed-off-by: AdamKorcz <[email protected]>
* fix raw test
  Signed-off-by: AdamKorcz <[email protected]>
* Update description in def.yml
  Signed-off-by: AdamKorcz <[email protected]>
* move logic out of utils
  Signed-off-by: AdamKorcz <[email protected]>
* add comment to consolidate unit test validation
  Signed-off-by: AdamKorcz <[email protected]>
* change a couple of t.Fatal to t.Error
  Signed-off-by: AdamKorcz <[email protected]>
* un-remove comment
  Signed-off-by: AdamKorcz <[email protected]>
* remove map
  Signed-off-by: AdamKorcz <[email protected]>
* fix typo
  Signed-off-by: AdamKorcz <[email protected]>
* remove lint comment
  Signed-off-by: AdamKorcz <[email protected]>
* fix incorrect -1/0 scoring
  Signed-off-by: AdamKorcz <[email protected]>
* Do not specify 'Github' in def.yml
  Signed-off-by: AdamKorcz <[email protected]>
* do not mention 'which companies' in def.yml
  Signed-off-by: AdamKorcz <[email protected]>
* Rename tests
  Signed-off-by: AdamKorcz <[email protected]>
* Use getRawResults and uncomment logging statement
  Signed-off-by: AdamKorcz <[email protected]>
* Define return values of probe better
  Signed-off-by: AdamKorcz <[email protected]>
* Use proportional score instead of min score
  Signed-off-by: AdamKorcz <[email protected]>
* revert changed scoring
  Signed-off-by: AdamKorcz <[email protected]>
* fix incorrect function name
  Signed-off-by: AdamKorcz <[email protected]>
* remove utility function that finds non-positive outcomes
  Signed-off-by: AdamKorcz <[email protected]>
* rebase with latest upstream main and fix linter issues
  Signed-off-by: AdamKorcz <[email protected]>
* Log findings in one statement instead of a logging statement per finding
  Signed-off-by: AdamKorcz <[email protected]>
* redefine conditional logic
  Signed-off-by: AdamKorcz <[email protected]>
* rebase
  Signed-off-by: AdamKorcz <[email protected]>
* remove unused function
  Signed-off-by: AdamKorcz <[email protected]>
---------
Signed-off-by: AdamKorcz <[email protected]>
Commit ae75bbb
-
🌱 Fix linter issues caught by new linters in golangci-lint v1.55.0 (ossf#3603)
* fix protogetter issues
  Signed-off-by: Spencer Schrock <[email protected]>
* de-dupe property based fuzzer description
  Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
Commit 5f171ba
Commits on Oct 25, 2023
-
remove sonatype lift (ossf#3605)
Signed-off-by: Spencer Schrock <[email protected]>
Commit f2bbd0a
-
🌱 convert vulnerabilities check to probe (ossf#3487)
* 🌱 convert vulnerabilities check to probe
  Signed-off-by: AdamKorcz <[email protected]>
* rename probe + nits
  Signed-off-by: AdamKorcz <[email protected]>
* edit def.yml
  Signed-off-by: AdamKorcz <[email protected]>
* Add vuln ID dynamically to def.yml
  Signed-off-by: AdamKorcz <[email protected]>
* Elaborate the purpose of test data in unit test
  Signed-off-by: AdamKorcz <[email protected]>
* Move logging out of loop and change logic of negativeFindings()
  Signed-off-by: AdamKorcz <[email protected]>
* preserve number of vulns found in output
  Signed-off-by: AdamKorcz <[email protected]>
* Preserve grouping of vulns
  Signed-off-by: AdamKorcz <[email protected]>
* fix linter issues
  Signed-off-by: AdamKorcz <[email protected]>
* Add remediation data
  Signed-off-by: AdamKorcz <[email protected]>
* use checker.LogFindings()
  Signed-off-by: AdamKorcz <[email protected]>
---------
Signed-off-by: AdamKorcz <[email protected]>
Commit de022da
Commits on Oct 27, 2023
-
✨ Add WithValues function to findings (ossf#3619)
* update
  Signed-off-by: laurentsimon <[email protected]>
* update comment
  Signed-off-by: laurentsimon <[email protected]>
* typo
  Signed-off-by: laurentsimon <[email protected]>
---------
Signed-off-by: laurentsimon <[email protected]>
Commit fa0e1c1
-
CODEOWNERS: Support distribution of code reviews via team assignments (ossf#3620)
Individual maintainer assignments within CODEOWNERS mean that we cannot take advantage of GitHub code review distribution schemes for team review assignments. In this commit, we switch to team assignments within CODEOWNERS.
A common complaint with this approach is that unless you are a part of the GitHub organization, you will not be able to view a team's membership/understand who the maintainers of a project are. To provide visibility into the maintainer list, we've added a MAINTAINERS.md here as well.
Signed-off-by: Stephen Augustus <[email protected]>
Commit b15b47a
-
🌱 Enable golangci-lint test presets (ossf#3594)
* enable test preset
  Leaves some opinionated linters disabled with reasons.
  Signed-off-by: Spencer Schrock <[email protected]>
* fix tparallel issues.
  Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
Commit 5f3a0e2
-
🌱 Bump google.golang.org/grpc from 1.57.0 to 1.57.1 (ossf#3611)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.57.0 to 1.57.1. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.57.0...v1.57.1) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit a3495dd
-
🌱 Bump google.golang.org/grpc from 1.58.2 to 1.58.3 in /tools (ossf#3612)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.58.2 to 1.58.3. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.58.2...v1.58.3) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit a372034
-
🌱 Bump ossf/scorecard-action from 2.3.0 to 2.3.1 (ossf#3599)
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@483ef80...0864cf1) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 50d2466
-
🌱 Bump github.com/google/osv-scanner from 1.4.1 to 1.4.2 (ossf#3608)
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.4.1 to 1.4.2. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](google/osv-scanner@v1.4.1...v1.4.2) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit f72b774
Commits on Oct 28, 2023
-
🌱 Bump github.com/moby/buildkit from 0.12.2 to 0.12.3 (ossf#3589)
Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.12.2 to 0.12.3. - [Release notes](https://github.com/moby/buildkit/releases) - [Commits](moby/buildkit@v0.12.2...v0.12.3) --- updated-dependencies: - dependency-name: github.com/moby/buildkit dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit ab7d364
-
🌱 Bump github.com/golangci/golangci-lint in /tools (ossf#3613)
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.55.0 to 1.55.1. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](golangci/golangci-lint@v1.55.0...v1.55.1) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 478f347
Commits on Nov 1, 2023
-
🌱 Update stale workflow to exempt Structured Results milestone (ossf#3634)
* 🌱 Update stale workflow to exempt Structured Results milestone
* Removed duplicate line, updated stale-pr-message, and removed custom stale labels
Commit c52a170
-
🌱 Bump github.com/docker/docker (ossf#3627)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.4+incompatible to 24.0.7+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](moby/moby@v24.0.4...v24.0.7) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 45c5c65
-
🌱 Bump github.com/docker/docker in /tools (ossf#3628)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.6+incompatible to 24.0.7+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](moby/moby@v24.0.6...v24.0.7) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit faffac6
-
🌱 Bump github.com/go-logr/logr from 1.2.4 to 1.3.0 (ossf#3622)
Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.2.4 to 1.3.0. - [Release notes](https://github.com/go-logr/logr/releases) - [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md) - [Commits](go-logr/logr@v1.2.4...v1.3.0) --- updated-dependencies: - dependency-name: github.com/go-logr/logr dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit dac01db
-
🌱 Bump github.com/go-git/go-git/v5 from 5.9.0 to 5.10.0 (ossf#3623)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.9.0 to 5.10.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](go-git/go-git@v5.9.0...v5.10.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 1b2c4cf
-
🌱 Bump github.com/onsi/gomega from 1.28.1 to 1.29.0 (ossf#3624)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.28.1 to 1.29.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.28.1...v1.29.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 3cce5ad
Commits on Nov 2, 2023
-
🌱 Bump cloud.google.com/go/bigquery from 1.56.0 to 1.57.1 (ossf#3638)
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.56.0 to 1.57.1. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@bigquery/v1.56.0...bigquery/v1.57.1) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit b0c782a
Commits on Nov 3, 2023
-
🐛 remove probe remediations from detail string (ossf#3642)
For now, this is just producing very long detail strings. Probably negatively affecting cron results.
Signed-off-by: Spencer Schrock <[email protected]>
Commit 70c8e05
Commits on Nov 6, 2023
-
🌱 Bump github.com/spf13/cobra from 1.7.0 to 1.8.0 (ossf#3644)
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.7.0 to 1.8.0. - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](spf13/cobra@v1.7.0...v1.8.0) --- updated-dependencies: - dependency-name: github.com/spf13/cobra dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit d0610fe
-
🌱 Convert Dangerous Workflow check to probes (ossf#3521)
* 🌱 Convert Dangerous Workflow check to probes
  Signed-off-by: AdamKorcz <[email protected]>
* remove hasAnyWorkflows probe
  Signed-off-by: AdamKorcz <[email protected]>
* combine two conditionals into one
  Signed-off-by: AdamKorcz <[email protected]>
* preserve logging from original evaluation
  Signed-off-by: AdamKorcz <[email protected]>
* rebase
  Signed-off-by: AdamKorcz <[email protected]>
---------
Signed-off-by: AdamKorcz <[email protected]>
Commit f422f69
Commits on Nov 7, 2023
-
🌱 Convert SAST check to probes (ossf#3571)
* Convert SAST checks to probes
  Signed-off-by: AdamKorcz <[email protected]>
* Update checks/evaluation/sast.go
  Co-authored-by: Raghav Kaul <[email protected]>
  Signed-off-by: AdamKorcz <[email protected]>
* preserve file info when logging positive Sonar findings
  Signed-off-by: AdamKorcz <[email protected]>
* rebase
  Signed-off-by: AdamKorcz <[email protected]>
* Remove warning logging
  Signed-off-by: AdamKorcz <[email protected]>
* add outcome and message to finding on the same line
  Signed-off-by: AdamKorcz <[email protected]>
* codeql workflow -> codeql action
  Signed-off-by: AdamKorcz <[email protected]>
* 'the Sonar' -> 'Sonar' in probe def.yml
  Signed-off-by: AdamKorcz <[email protected]>
* fix typo
  Signed-off-by: AdamKorcz <[email protected]>
* Change how probe creates location
  Signed-off-by: AdamKorcz <[email protected]>
* Change names of values
  Signed-off-by: AdamKorcz <[email protected]>
* change 'SAST tool detected: xx' to 'SAST tool installed: xx'
  Signed-off-by: AdamKorcz <[email protected]>
* make text in probe def.yml easier to read
  Signed-off-by: AdamKorcz <[email protected]>
* Change 'to' to 'two'
  Signed-off-by: AdamKorcz <[email protected]>
* Minor change
  Signed-off-by: AdamKorcz <[email protected]>
---------
Signed-off-by: AdamKorcz <[email protected]>
Signed-off-by: AdamKorcz <[email protected]>
Co-authored-by: Raghav Kaul <[email protected]>
Commit 47e04c1
-
🌱 Bump github.com/google/osv-scanner from 1.4.2 to 1.4.3 (ossf#3639)
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.4.2 to 1.4.3. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](google/osv-scanner@v1.4.2...v1.4.3) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit fbffff1
Commits on Nov 8, 2023
-
🌱 Bump golang.org/x/text from 0.13.0 to 0.14.0 (ossf#3643)
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.13.0 to 0.14.0. - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.13.0...v0.14.0) --- updated-dependencies: - dependency-name: golang.org/x/text dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 77fa8c8
-
🌱 Bump github.com/golangci/golangci-lint in /tools (ossf#3645)
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.55.1 to 1.55.2. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](golangci/golangci-lint@v1.55.1...v1.55.2) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit e16d3e3
-
🐛 Pinned-Dependencies continues on error (ossf#3515)
* Continue on error detecting OS
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Add tests for error detecting OS
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Add ElementError to identify elements that errored
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Add Incomplete field to PinningDependenciesData
  Will store all errors handled during analysis, which may lead to incomplete results.
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Register job steps that errored out
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Add tests that incomplete steps are caught
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Add warnings to details about incomplete steps
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Add tests that incomplete steps generate warnings
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Register shell files skipped due to parser errors
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Add tests showing when parser errors affect analysis
  Dockerfile pinning is not affected. Everything in a 'broken' Dockerfile RUN block is ignored. Everything in a 'broken' shell script is ignored. testdata/script-invalid.sh modified to demonstrate the above.
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Incomplete results logged as Info, not Warn
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Remove `Type` from logging of incomplete results
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Update tests after rebase
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Add Unwrap for ElementError, improve its docs
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Add ElementError case to evaluation unit test
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Move ElementError to checker/raw_result
  checker/raw_result defines types used to describe analysis results. ElementError is meant to describe potential flaws in the analysis and is therefore a sort of analysis result itself.
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Use finding.Location for ElementError.Element
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Use an ElementError for script parser errors
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Replace .Incomplete []error with .ProcessingErrors []ElementError
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Adopt from reviewer comments
  - Replace ElementError's `Element *finding.Location` with `Location finding.Location`
  - Rename ErrorJobOSParsing to ErrJobOSParsing to satisfy linter
  - Fix unit test
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
---------
Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Commit 6d35c86
-
🌱 Bump actions/dependency-review-action from 3.1.0 to 3.1.2 (ossf#3653)
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.1.0 to 3.1.2. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@6c5ccda...fde92ac) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit e12e537
-
🌱 Bump kubernetes-sigs/kubebuilder-release-tools (ossf#3637)
Bumps [kubernetes-sigs/kubebuilder-release-tools](https://github.com/kubernetes-sigs/kubebuilder-release-tools) from 0.4.0 to 0.4.2. - [Release notes](https://github.com/kubernetes-sigs/kubebuilder-release-tools/releases) - [Changelog](https://github.com/kubernetes-sigs/kubebuilder-release-tools/blob/master/RELEASE.md) - [Commits](kubernetes-sigs/kubebuilder-release-tools@d8367c2...3c34113) --- updated-dependencies: - dependency-name: kubernetes-sigs/kubebuilder-release-tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 6de7eba
Commits on Nov 9, 2023
-
🌱 Bump tj-actions/changed-files from 39.2.3 to 40.1.1 (ossf#3657)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.2.3 to 40.1.1. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@95690f9...25ef392) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit e123f4c
-
🌱 Bump sigstore/cosign-installer from 3.1.2 to 3.2.0 (ossf#3651)
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.1.2 to 3.2.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@11086d2...1fc5bd3) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 5bfe68d
-
🌱 Bump slsa-framework/slsa-verifier from 2.4.0 to 2.4.1 (ossf#3652)
Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.4.0 to 2.4.1. - [Release notes](https://github.com/slsa-framework/slsa-verifier/releases) - [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md) - [Commits](slsa-framework/slsa-verifier@v2.4.0...v2.4.1) --- updated-dependencies: - dependency-name: slsa-framework/slsa-verifier dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 694d563
-
🌱 Bump github.com/onsi/gomega from 1.29.0 to 1.30.0 (ossf#3659)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.29.0 to 1.30.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.29.0...v1.30.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 0fc8296
-
🌱 speedup slowest e2e tests (ossf#3656)
* switch ossfuzz test to smaller repo tensorflow/tensorflow is huge, and this causes the test to take forever. locally this reduces the test time from 17 to 2.4 seconds Signed-off-by: Spencer Schrock <[email protected]>
* reuse scorecard results for scorecard attestor policies previously this test took 27 seconds locally, and now takes 8. which is split across 3 subtests: good repos: 1s bad repos: 5s code review policies: 2s Signed-off-by: Spencer Schrock <[email protected]>
--------- Signed-off-by: Spencer Schrock <[email protected]>
Commit 2c959b7
-
🌱 Add dependency remediation in raw results instead of at log time (ossf#3632)
* 🌱 Add dependency remediation in raw results instead of at log time Signed-off-by: AdamKorcz <[email protected]>
* add unit test Signed-off-by: AdamKorcz <[email protected]>
* add unit test Signed-off-by: AdamKorcz <[email protected]>
* return error Signed-off-by: AdamKorcz <[email protected]>
* use pointer to dependency Signed-off-by: AdamKorcz <[email protected]>
* check for errors in test Signed-off-by: AdamKorcz <[email protected]>
* Return nil if repo client returns an error from unsupported feature Signed-off-by: AdamKorcz <[email protected]>
* revert error checking Signed-off-by: AdamKorcz <[email protected]>
* revert returning nil is unsupported feature Signed-off-by: AdamKorcz <[email protected]>
* Fix wrong test name Signed-off-by: AdamKorcz <[email protected]>
* only create remediation when required Signed-off-by: AdamKorcz <[email protected]>
* remove remediation helper function Signed-off-by: AdamKorcz <[email protected]>
--------- Signed-off-by: AdamKorcz <[email protected]> Signed-off-by: Spencer Schrock <[email protected]>
Commit b3d1a5a
Commits on Nov 10, 2023
-
🌱 configure dependabot to group (most) GitHub actions weekly (ossf#3655)
actions which influence the build/release process are excluded. dependabot will send individual updates for those. Signed-off-by: Spencer Schrock <[email protected]>
Commit 934f170
Commits on Nov 13, 2023
-
⚠️ Remove OneFuzz from fuzzing checks (ossf#3666)
This is removed because OneFuzz has been archived https://github.com/microsoft/onefuzz Signed-off-by: David Korczynski <[email protected]>
Commit 87c2d3c
-
🌱 Bump github.com/sigstore/cosign/v2 from 2.1.1 to 2.2.1 in /tools (ossf#3660)
* 🌱 Bump github.com/sigstore/cosign/v2 in /tools Bumps [github.com/sigstore/cosign/v2](https://github.com/sigstore/cosign) from 2.1.1 to 2.2.1. - [Release notes](https://github.com/sigstore/cosign/releases) - [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md) - [Commits](sigstore/cosign@v2.1.1...v2.2.1) --- updated-dependencies: - dependency-name: github.com/sigstore/cosign/v2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]>
* bump actions/dependency-review-action to v3.1.3 This PR is incompatible with v3.1.2 due to some of the modules being updated. See https://www.github.com/actions/dependency-review-action/issues/613 Signed-off-by: Spencer Schrock <[email protected]>
--------- Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Spencer Schrock <[email protected]>
Commit 6dffe65
-
🌱 bump project minimum Go version to go1.21 (ossf#3661)
* upgrade go.mod to 1.21 Signed-off-by: Spencer Schrock <[email protected]>
* use slices from stdlib Signed-off-by: Spencer Schrock <[email protected]>
* use max/min builtins Signed-off-by: Spencer Schrock <[email protected]>
* multierrors possibly spin this off into its own PR Signed-off-by: Spencer Schrock <[email protected]>
* don't call rand.Seed As of Go 1.20, the generator is seeded randomly at startup. https://pkg.go.dev/math/rand#Seed Signed-off-by: Spencer Schrock <[email protected]>
* update minimum Go version in documentation Signed-off-by: Spencer Schrock <[email protected]>
--------- Signed-off-by: Spencer Schrock <[email protected]>
Commit a4ee314
Commits on Nov 15, 2023
-
✨ Add commit depth support for GitLab (ossf#3672)
* feat: Integrated paging to allow for querying based on the --commit-depth value provided Signed-off-by: Allen Shearin <[email protected]>
* fix: rework git commits changes for readability Signed-off-by: Allen Shearin <[email protected]>
* fix: add additional commit depth test Signed-off-by: Allen Shearin <[email protected]>
--------- Signed-off-by: Allen Shearin <[email protected]>
Commit 14f864b
-
🌱 Bump github.com/xanzy/go-gitlab from 0.93.2 to 0.94.0 (ossf#3674)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.93.2 to 0.94.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go) - [Commits](xanzy/go-gitlab@v0.93.2...v0.94.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 8ac1b43
-
🌱 Bump github.com/onsi/ginkgo/v2 in /tools (ossf#3668)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.13.0 to 2.13.1. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.13.0...v2.13.1) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 6541b0d
-
🌱 update CI-Tests e2e to reflect 30 commits (ossf#3676)
14f864b not only fixed the --commit-depth option, but also fixed the default commit depth for GitLab repos. Previously GitLab repos looked back 20 commits because that was GitLab's default for the commits API. Now, GitLab repos look back 30 commits, so the proportions of this e2e test changed. Signed-off-by: Spencer Schrock <[email protected]>
Commit ea626de
-
🌱 scdiff: Add workflow to run scdiff against PRs on demand (ossf#3640)
* wip Signed-off-by: Spencer Schrock <[email protected]>
* try to use jq without quotes Signed-off-by: Spencer Schrock <[email protected]>
* try to make file another way. Signed-off-by: Spencer Schrock <[email protected]>
* try using homedir Signed-off-by: Spencer Schrock <[email protected]>
* add github token to env Signed-off-by: Spencer Schrock <[email protected]>
* add link to workflow run Signed-off-by: Spencer Schrock <[email protected]>
* make comment its own job Signed-off-by: Spencer Schrock <[email protected]>
* fix typo in job context Signed-off-by: Spencer Schrock <[email protected]>
* typo part 2 Signed-off-by: Spencer Schrock <[email protected]>
* use github-script to get PR SHAs. Signed-off-by: Spencer Schrock <[email protected]>
* need to go through one more type to get to API response. Signed-off-by: Spencer Schrock <[email protected]>
* temporarily use monitor action to see the required permissions Signed-off-by: Spencer Schrock <[email protected]>
* spacing is hard Signed-off-by: Spencer Schrock <[email protected]>
* remove monitor and apply minimal permissions the read-all at the top might be too broad, but the monitor doesn't support graphql so best we can do for now. Signed-off-by: Spencer Schrock <[email protected]>
* try to set the checks Signed-off-by: Spencer Schrock <[email protected]>
* read the comment body Signed-off-by: Spencer Schrock <[email protected]>
* try to get around regex syntax error? Signed-off-by: Spencer Schrock <[email protected]>
* quote comment body Signed-off-by: Spencer Schrock <[email protected]>
* we want to pass an empty string to the args Signed-off-by: Spencer Schrock <[email protected]>
* fix the regex string Signed-off-by: Spencer Schrock <[email protected]>
* rest of repo has upgraded Signed-off-by: Spencer Schrock <[email protected]>
* seed 15 repos to analyze to start with Signed-off-by: Spencer Schrock <[email protected]>
* support gitlab repos in scdiff Signed-off-by: Spencer Schrock <[email protected]>
* rename pr step to config we also need the checks to run, so update the name to reflect that Signed-off-by: Spencer Schrock <[email protected]>
* switch from default token to a PAT By default, the GitHub Action token gets 1000 req/hour. If running all checks, the before/after each take about 1100 of core quota A PAT grants 5000/hr so the 2200 required should be fine if used infrequently. Ideally, the caller will always pass the check they care about into the command Signed-off-by: Spencer Schrock <[email protected]>
* escape comment body with bash Signed-off-by: Spencer Schrock <[email protected]>
* setup go manually Signed-off-by: Spencer Schrock <[email protected]>
* don't need to run on comment delete Signed-off-by: Spencer Schrock <[email protected]>
* limit scdiff to individuals with repo access Signed-off-by: Spencer Schrock <[email protected]>
--------- Signed-off-by: Spencer Schrock <[email protected]>
Commit 288319a
-
🌱 enable nolintlint linter and fix violations (ossf#3650)
* enable nolintlint Signed-off-by: Spencer Schrock <[email protected]>
* first chunk of fixing nolintlint Signed-off-by: Spencer Schrock <[email protected]>
* second chunk of fixing nolintlint Signed-off-by: Spencer Schrock <[email protected]>
* third chunk of fixing nolintlint Signed-off-by: Spencer Schrock <[email protected]>
* fourth chunk of fixing nolintlint Signed-off-by: Spencer Schrock <[email protected]>
* include reason for the specific linter config Signed-off-by: Spencer Schrock <[email protected]>
* fifth chunk of fixing nolintlint Signed-off-by: Spencer Schrock <[email protected]>
* fix linter errors that are somehow still triggering Signed-off-by: Spencer Schrock <[email protected]>
--------- Signed-off-by: Spencer Schrock <[email protected]>
Commit 92470de
Commits on Nov 16, 2023
-
🐛 Ignore unpinned dependencies in Dockerfiles in vendored directories (ossf#3675)
* 🐛 Ignore unpinned dependencies in Dockerfiles in vendored directories Signed-off-by: AdamKorcz <[email protected]>
* remove unnecessary check Signed-off-by: AdamKorcz <[email protected]>
--------- Signed-off-by: AdamKorcz <[email protected]>
Commit be0b915
Commits on Nov 17, 2023
-
🌱 Migrate Maintained check to probes (ossf#3507)
* 🌱 Migrate Maintained check to probes Signed-off-by: AdamKorcz <[email protected]>
* fix typos Signed-off-by: AdamKorcz <[email protected]>
* rename 'archived' probe to 'notArchvied Signed-off-by: AdamKorcz <[email protected]>
* remove part of comment Signed-off-by: AdamKorcz <[email protected]>
* fix typo Signed-off-by: AdamKorcz <[email protected]>
* log negative findings Signed-off-by: AdamKorcz <[email protected]>
* log non positive findings if repo was created less than 90 days ago Signed-off-by: AdamKorcz <[email protected]>
* rename probe from 'activityOnIssuesByCollaboratorsMembersOrOwnersInLast90Days' to 'issueActivityByProjectMember' Signed-off-by: AdamKorcz <[email protected]>
* change probe descriptions Signed-off-by: AdamKorcz <[email protected]>
* rename 'wasCreatedInLast90Days' probe to 'notCreatedInLast90Days' Signed-off-by: AdamKorcz <[email protected]>
* Add tests with zero issues Signed-off-by: AdamKorcz <[email protected]>
* use values instead of returning multiple findings Signed-off-by: AdamKorcz <[email protected]>
* return negative findings instead of non-positive Signed-off-by: AdamKorcz <[email protected]>
* correct 'notCreatedInLast90Days' probe definition Signed-off-by: AdamKorcz <[email protected]>
* make nested conditionals a single line Signed-off-by: AdamKorcz <[email protected]>
* make nested conditionals a single line Signed-off-by: AdamKorcz <[email protected]>
* change var name 'issuesUpdatedWithinThreshold' to 'numberOfIssuesUpdatedWithinThreshold' Signed-off-by: AdamKorcz <[email protected]>
* rename 'notCreatedInLast90Days' to 'notCreatedRecently' Signed-off-by: AdamKorcz <[email protected]>
* explain 'commitsWithinThreshold' in probe definition Signed-off-by: AdamKorcz <[email protected]>
* rename 'commitsInLast90Days' to 'hasRecentCommits'" -s Signed-off-by: AdamKorcz <[email protected]>
* fix linter issues Signed-off-by: AdamKorcz <[email protected]>
* define 'numberOfIssuesUpdatedWithinThreshold' Signed-off-by: AdamKorcz <[email protected]>
--------- Signed-off-by: AdamKorcz <[email protected]>
Commit 1c3d9eb
-
🌱 allow contributors to call scdiff workflow (ossf#3683)
also removes the edited trigger. codecov posts 3 times on each PR, which causes this action to trigger 3x. It is skipped though, so not a huge deal. Signed-off-by: Spencer Schrock <[email protected]>
Commit 82692a8
Commits on Nov 18, 2023
-
🌱 Bump github.com/google/ko from 0.15.0 to 0.15.1 in /tools (ossf#3682)
Bumps [github.com/google/ko](https://github.com/google/ko) from 0.15.0 to 0.15.1. - [Release notes](https://github.com/google/ko/releases) - [Changelog](https://github.com/ko-build/ko/blob/main/.goreleaser.yml) - [Commits](ko-build/ko@v0.15.0...v0.15.1) --- updated-dependencies: - dependency-name: github.com/google/ko dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 0f0808a
-
🌱 Bump golang.org/x/oauth2 from 0.13.0 to 0.14.0 (ossf#3658)
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.13.0 to 0.14.0. - [Commits](golang/oauth2@v0.13.0...v0.14.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit a0dfec2
-
🌱 Bump github.com/onsi/ginkgo/v2 from 2.13.0 to 2.13.1 (ossf#3669)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.13.0 to 2.13.1. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.13.0...v2.13.1) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 0276a7c
Commits on Nov 20, 2023
-
🌱 Bump the github-actions group with 2 updates (ossf#3686)
Bumps the github-actions group with 2 updates: [step-security/harden-runner](https://github.com/step-security/harden-runner) and [actions/github-script](https://github.com/actions/github-script). Updates `step-security/harden-runner` from 2.6.0 to 2.6.1 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@1b05615...eb238b5) Updates `actions/github-script` from 6.4.1 to 7.0.1 - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@d7906e4...60a0d83) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: actions/github-script dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 76878e5
-
🐛 add retry loop to graphQL commit queries which timeout on large github repos (ossf#3680)
* try to always paginate in the event of timeouts, make our pagination smaller Signed-off-by: Spencer Schrock <[email protected]>
* add retry test Signed-off-by: Spencer Schrock <[email protected]>
--------- Signed-off-by: Spencer Schrock <[email protected]>
Commit 1a17bb8
Commits on Nov 27, 2023
-
🌱 refactor pinned dependencies (ossf#3667)
* 🌱 refactor pinned dependencies Signed-off-by: AdamKorcz <[email protected]>
* remove remediation from test Signed-off-by: AdamKorcz <[email protected]>
--------- Signed-off-by: AdamKorcz <[email protected]>
Commit f8198b0
-
🌱 fix script injection (ossf#3695)
Thanks to @AdnaneKhan for the report.
* start with reporter patch
* use env variable for bash step too Signed-off-by: Spencer Schrock <[email protected]>
--------- Signed-off-by: Spencer Schrock <[email protected]>
Commit 84bd607
Commits on Nov 28, 2023
-
🌱 Bump github.com/go-git/go-git/v5 from 5.10.0 to 5.10.1 (ossf#3698)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.10.0 to 5.10.1. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](go-git/go-git@v5.10.0...v5.10.1) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 04ea8be
-
🌱 make maintained values keys constants (ossf#3700)
Signed-off-by: Adam Korczynski <[email protected]> Co-authored-by: Raghav Kaul <[email protected]>
Commit 6857320
-
🌱 convert CII Best Practices check to probes (ossf#3520)
* 🌱 convert CII Best Practices check to probes Signed-off-by: AdamKorcz <[email protected]>
* change 'NOT' to 'not' Signed-off-by: AdamKorcz <[email protected]>
* Change wording in probes Signed-off-by: AdamKorcz <[email protected]>
* add links to text Signed-off-by: AdamKorcz <[email protected]>
* fix typo Signed-off-by: AdamKorcz <[email protected]>
* Edit text in def.yml Signed-off-by: AdamKorcz <[email protected]>
* remove hasBadgeNotFound probe Signed-off-by: AdamKorcz <[email protected]>
* remove 'that' from text Signed-off-by: AdamKorcz <[email protected]>
* use CreateMinScoreResult instead of CreateResultWithScore Signed-off-by: AdamKorcz <[email protected]>
* use MaxResultScore instead of maxScore Signed-off-by: AdamKorcz <[email protected]>
* return CreateRuntimeErrorResult sooner rather than later Signed-off-by: AdamKorcz <[email protected]>
* Combine probes into one Signed-off-by: Adam Korczynski <[email protected]>
* remove minScore variable Signed-off-by: Adam Korczynski <[email protected]>
* remove 'hasInProgressBadge' probe Signed-off-by: Adam Korczynski <[email protected]>
* make badge levels global variables Signed-off-by: Adam Korczynski <[email protected]>
* return -1 for unsupported badge Signed-off-by: Adam Korczynski <[email protected]>
* change text for unknown and unsupported badges Signed-off-by: Adam Korczynski <[email protected]>
--------- Signed-off-by: AdamKorcz <[email protected]> Signed-off-by: Adam Korczynski <[email protected]>
Commit 9b5d762
-
🌱 Bump golang.org/x/oauth2 from 0.14.0 to 0.15.0 (ossf#3697)
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.14.0 to 0.15.0. - [Commits](golang/oauth2@v0.14.0...v0.15.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit fea2f45
-
Signed-off-by: Adam Korczynski <[email protected]>
Commit 3cbafa9
Commits on Nov 29, 2023
-
🌱 Bump github.com/onsi/ginkgo/v2 from 2.13.1 to 2.13.2 (ossf#3704)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.13.1 to 2.13.2. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.13.1...v2.13.2) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 0e7e58a
-
📖 Add beginner's guide to scorecard checks docs (ossf#3617)
* -Added beginner's guide to scorecard checks doc -Edited README to link to the beginner's guide Signed-off-by: ariathaker <[email protected]>
* Update beginner-checks.md Incorporating Spencer's edits. Signed-off-by: ariathaker <[email protected]> Signed-off-by: ariathaker <[email protected]>
* Update docs/beginner-checks.md Co-authored-by: olivekl <[email protected]> Signed-off-by: ariathaker <[email protected]> Signed-off-by: ariathaker <[email protected]>
* Update docs/beginner-checks.md Co-authored-by: olivekl <[email protected]> Signed-off-by: ariathaker <[email protected]> Signed-off-by: ariathaker <[email protected]>
* Update docs/beginner-checks.md Co-authored-by: olivekl <[email protected]> Signed-off-by: ariathaker <[email protected]> Signed-off-by: ariathaker <[email protected]>
* Update docs/beginner-checks.md Co-authored-by: olivekl <[email protected]> Signed-off-by: ariathaker <[email protected]> Signed-off-by: ariathaker <[email protected]>
* Update docs/beginner-checks.md Co-authored-by: olivekl <[email protected]> Signed-off-by: ariathaker <[email protected]> Signed-off-by: ariathaker <[email protected]>
* Update docs/beginner-checks.md Co-authored-by: olivekl <[email protected]> Signed-off-by: ariathaker <[email protected]> Signed-off-by: ariathaker <[email protected]>
* Update beginner-checks.md Signed-off-by: ariathaker <[email protected]> Signed-off-by: ariathaker <[email protected]>
* Update beginner-checks.md Signed-off-by: ariathaker <[email protected]>
* Update beginner-checks.md Signed-off-by: ariathaker <[email protected]>
* Update beginner-checks.md Signed-off-by: ariathaker <[email protected]>
* Update beginner-checks.md Signed-off-by: ariathaker <[email protected]>
--------- Signed-off-by: ariathaker <[email protected]> Signed-off-by: ariathaker <[email protected]> Co-authored-by: olivekl <[email protected]>
Commit ce0b54e
Commits on Nov 30, 2023
-
🐛 Trust pinned GitHub download URLs (ossf#3694)
* Trust pinned GitHub download URLs Trust files that are downloaded from `raw.githubusercontent.com` where the file's ref is a Git SHA and therefore immutable. Resolves ossf#3339. Signed-off-by: martincostello <[email protected]>
* Move logic to function - Add `hasUnpinnedURLs` function. - Add test cases for different URLs. Signed-off-by: martincostello <[email protected]>
* Fix formatting Appease the linter. Signed-off-by: martincostello <[email protected]>
* Suppress lint warnings Suppress warning on three long URLs. Signed-off-by: martincostello <[email protected]>
* Address peer review Address peer review feedback. Signed-off-by: martincostello <[email protected]>
* Fix lint warning Fix lint warning. Signed-off-by: martincostello <[email protected]>
Commit 0c40e14
-
🌱 Bump github.com/google/go-containerregistry (ossf#3708)
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.16.1 to 0.17.0.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.16.1...v0.17.0)
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 4d1621b
Commits on Dec 4, 2023
-
🌱 Disable more style linters for test files (ossf#3707)
* disable lll linter for test files
* disable goerr113 linter for tests
* disable wrapcheck linter for tests
* fix easy linter issues in tests
---------
Signed-off-by: Spencer Schrock <[email protected]>
Commit 1625b0c
-
🌱 re-enable paralleltest linter (ossf#3705)
Signed-off-by: Spencer Schrock <[email protected]>
Commit d882fc7
-
🐛 Parse Gitlab Status fields to align w/Github Status and Conclusion (ossf#3706)
* fix: parse gitlab pipeline status to their GitHub equivalent
  Signed-off-by: Allen Shearin <[email protected]>
* change completed string to const
  Signed-off-by: Allen Shearin <[email protected]>
---------
Signed-off-by: Allen Shearin <[email protected]>
Commit e4fc815
-
🌱 Bump github.com/onsi/ginkgo/v2 in /tools (ossf#3703)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.13.1 to 2.13.2.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.13.1...v2.13.2)
---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 7656dc7
-
🌱 Bump github.com/moby/buildkit from 0.12.3 to 0.12.4 (ossf#3710)
Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.12.3 to 0.12.4.
- [Release notes](https://github.com/moby/buildkit/releases)
- [Commits](moby/buildkit@v0.12.3...v0.12.4)
---
updated-dependencies:
- dependency-name: github.com/moby/buildkit
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 483cc31
Commits on Dec 5, 2023
-
🌱 convert binary artifact check to probe (ossf#3508)
* 🌱 convert binary artifact check to probe
  Signed-off-by: AdamKorcz <[email protected]>
* Reword motivation
  Signed-off-by: AdamKorcz <[email protected]>
* remove unused variable in test
  Signed-off-by: AdamKorcz <[email protected]>
* remove positiveOutcome() and length check
  Signed-off-by: AdamKorcz <[email protected]>
* fix wrong check name
  Signed-off-by: AdamKorcz <[email protected]>
* Split into two probes: One with and one without gradle-wrappers
  Signed-off-by: AdamKorcz <[email protected]>
* Add description about what Scorecard considers a verified binary
  Signed-off-by: Adam Korczynski <[email protected]>
* change 'trusted' to 'verified'
  Signed-off-by: Adam Korczynski <[email protected]>
* remove nil check
  Signed-off-by: Adam Korczynski <[email protected]>
* remove filtering
  Signed-off-by: Adam Korczynski <[email protected]>
* use const scores in tests
  Signed-off-by: Adam Korczynski <[email protected]>
* rename test
  Signed-off-by: Adam Korczynski <[email protected]>
* add sanity check in loop
  Signed-off-by: Adam Korczynski <[email protected]>
* rename binary file const
  Signed-off-by: Adam Korczynski <[email protected]>
---------
Signed-off-by: AdamKorcz <[email protected]>
Signed-off-by: Adam Korczynski <[email protected]>
Commit cb721a8
-
remove unused directives (ossf#3713)
Signed-off-by: Spencer Schrock <[email protected]>
Commit c089856
-
🌱 convert Webhook check to probes (ossf#3522)
* 🌱 convert Webhook check to probes
  Signed-off-by: AdamKorcz <[email protected]>
* Add test + nits
  Signed-off-by: AdamKorcz <[email protected]>
* replace probe with OutcomeNotApplicable
  Signed-off-by: AdamKorcz <[email protected]>
* return one finding per webhook
  Signed-off-by: Adam Korczynski <[email protected]>
* change wording in def.yml
  Signed-off-by: Adam Korczynski <[email protected]>
* change wording in def.yml and checks.md
  Signed-off-by: Adam Korczynski <[email protected]>
* remove unused struct in test
  Signed-off-by: Adam Korczynski <[email protected]>
* align checks.md with checks.yaml
  Signed-off-by: Adam Korczynski <[email protected]>
* bring back experimental for webhooks
  Signed-off-by: Adam Korczynski <[email protected]>
* change 'token' to 'secret' in probe
  Signed-off-by: Adam Korczynski <[email protected]>
* use checker.MinResultScore instead of 0
  Signed-off-by: Adam Korczynski <[email protected]>
* Change test name
  Signed-off-by: Adam Korczynski <[email protected]>
* use checker.MinResultScore instead of 0
  Signed-off-by: Adam Korczynski <[email protected]>
* fix typo
  Signed-off-by: Adam Korczynski <[email protected]>
* Use checker.MaxResultScore instead of 10
  Signed-off-by: Adam Korczynski <[email protected]>
* rename probe
  Signed-off-by: Adam Korczynski <[email protected]>
* remove the 'totalWebhooks' value from findings
  Signed-off-by: Adam Korczynski <[email protected]>
---------
Signed-off-by: AdamKorcz <[email protected]>
Signed-off-by: Adam Korczynski <[email protected]>
Commit ec36916
-
🌱 Bump the github-actions group with 3 updates (ossf#3715)
Bumps the github-actions group with 3 updates: [actions/dependency-review-action](https://github.com/actions/dependency-review-action), [tj-actions/changed-files](https://github.com/tj-actions/changed-files) and [kubernetes-sigs/kubebuilder-release-tools](https://github.com/kubernetes-sigs/kubebuilder-release-tools).
Updates `actions/dependency-review-action` from 3.1.3 to 3.1.4
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@7bbfa03...01bc870)
Updates `tj-actions/changed-files` from 40.1.1 to 40.2.1
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@25ef392...1c93849)
Updates `kubernetes-sigs/kubebuilder-release-tools` from 0.4.2 to 0.4.3
- [Release notes](https://github.com/kubernetes-sigs/kubebuilder-release-tools/releases)
- [Changelog](https://github.com/kubernetes-sigs/kubebuilder-release-tools/blob/master/RELEASE.md)
- [Commits](kubernetes-sigs/kubebuilder-release-tools@3c34113...012269a)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: kubernetes-sigs/kubebuilder-release-tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 320ce05
Commits on Dec 6, 2023
-
🌱 Pinned dependencies: create findings from processing errors (ossf#3711)
* 🌱 refactor pinned dependencies
  Signed-off-by: AdamKorcz <[email protected]>
* remove remediation from test
  Signed-off-by: AdamKorcz <[email protected]>
* 🌱 create findings from processing errors
  Signed-off-by: Adam Korczynski <[email protected]>
* correct style of loop
  Signed-off-by: Adam Korczynski <[email protected]>
---------
Signed-off-by: AdamKorcz <[email protected]>
Signed-off-by: Adam Korczynski <[email protected]>
Commit 6ea9c8d
-
🌱 Bump github.com/google/osv-scanner from 1.4.3 to 1.5.0 (ossf#3716)
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.4.3 to 1.5.0.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](google/osv-scanner@v1.4.3...v1.5.0)
---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 5dc03b7
Commits on Dec 11, 2023
-
🌱 convert CI-Tests check to probes (ossf#3621)
* 🌱 convert CITest check to probes
  Signed-off-by: AdamKorcz <[email protected]>
* fix lint issues
  Signed-off-by: Adam Korczynski <[email protected]>
* debug failing integration test
  Signed-off-by: Adam Korczynski <[email protected]>
* Add negative outcome to test
  Signed-off-by: Adam Korczynski <[email protected]>
* remove 'totalTested' and 'totalMerged' values from findings
  Signed-off-by: Adam Korczynski <[email protected]>
* Log at debug level
  Signed-off-by: Adam Korczynski <[email protected]>
---------
Signed-off-by: AdamKorcz <[email protected]>
Signed-off-by: Adam Korczynski <[email protected]>
Commit 30ef6b1
Commits on Dec 12, 2023
-
✨ branch protection: requiring PRs gives partial credit (ossf#3499)
* feat(branch-protection): consider if project requires PRs prior to make changes
  As discussed at the issue ossf#2727, we're adding the "require PRs prior to make changes" as another requirement to tier 2. In addition to that, we're changing the weight of the tier 2 requirements so that "requiring 1 reviewer" has weight 2, while the other tier 2 requirements have weight 1
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* test(branch-protection): increment and adapt testing
  1. Adapt previous test cases to consider that now we'll have an additional Info log telling that the project requires PRs to make changes.
  2. Add more cases to test relevant use cases on the tier 2 level of branch protection
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* docs(branch-protection-check): adapt check description to consider requirement of require PRs to make changes
  It adds the new tier 2 requirement, but also specifies that the "require at least 1 reviewer" will have doubled weight.
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* refactor(branch-protection-check): avoid duplicate functions and enhance readability
  Made some nice-to-have improvements on project readability, making it easier to understand how the branch-protection score is computed. Also unified 8 different functions that were doing basically the same thing.
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* feat(branch-protection): standardize values received on evaluation
  Previously, at the evaluation part of branch protection, the values nil and false or zero were sort of interchangeable. This commit changes the code to set as nil only the data that could not be retrieved from github -- all the others would have values as false, zero, true, etc
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* test(github-client): adapt and add tests to check if nil values are coherent
  1. Add new test to evaluate how we're interpreting a rule with all checkboxes unchecked (most shouldn't be nil)
  2. Adapt existent tests to expect non-nil values for unchecked checkboxes
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* feat(client-github): avoid reusing bool pointers
  Changes some pieces of code to prefer using pointers of bool instantiated independently. If reusing bool pointers, at some piece of code the value of the bool could be inadvertently changed and it would change the value of all other fields reusing that pointer.
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* feat(branch-protection): enhance evaluation if scorecard was run by admin
  At the evaluation step we were using some non untrusted fields of the response to evaluate if Scorecard was run as admin or not. Now we're using a field provided directly from the client file.
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* test(branch-protection): adapt tests to say if they have admin info or not
  After last commit, the client will tell the evaluation files if Scorecard was run by administrator or not (i.e., if we have all the info). This commit adapts the tests to also provide this info.
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* test(e2e-branch-protection): adapt number of logs after changes
  - 2 warns (for 'last push approval' and 'codeowners review' disabled) were added because now that information comes as 'not-nil' at the evaluation part.
  - 1 info was added to say that PRs are required to make changes
  - 1 debug was removed because it said that we couldn't retrieve 'last push approval' information, but we actually can. It was just incorrectly set as nil
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* Revert the 2 commits with changes around how Scorecard detects admin run
  Reverts commit 64c3521 and commit e2662b7. Both had changes around using the clients/branch.go structure to store the information of whether Scorecard was being run by admin or not. We decided to not change this structure for this purpose.
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* refactor(branch-protection): change data structure to use pointer instead of value
  At clients.BranchProtectionRule struct, changing RequiredPullRequestReviews to be a pointer instead of a struct value. This will allow the usage of the nil value of this structure to mean that we can't say if the repository requires reviews or not.
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* feat(branch-protection): use nil pointer on reviewers struct to mean we don't know if they require PRs
  The nil value of the struct RequiredPullRequestReviews will now mean that we can't tell whether the project requires PRs to make changes or not. When we get this case, we're printing a debug informing that we don't have this data, but also printing a warn saying that they don't require reviews, because that will be true at this case.
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* test(branch-protection): if we're setting the reviewers struct to nil when needed
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* doc(branch-protection): add code comment explaining different weight on tier 2 scores
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* refactor(branch-protection): avoid duplicate if branches on reviewers num comparison
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* docs(branch-protection): clarify comments around data structure
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* refactor: clean code on parsing GitHub BP data
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* feat(branch-protection): resignify the nil PullRequestReviewRule to mean PR not required
  Adapt translation of data from GitHub API, now for our internal data modeling, having a nil PullRequestReviewRule structure will mean that PRs are not required on the repo (can also mean we don't have data to ensure that). It also changes the order of the calls of copyNonAdminSettings and copyAdminSettings to make the first one be called first. This eases the code because the PullRequestReviewRule can be always instantiated at this function.
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* test(branch-protection): ensure we translate GitHub BP data as expected
  Ensure we're correctly translating GitHub data from the old Branch Protection config.
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* feat(branch-protection): adapt score evaluation after 2efeee6
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* test(branch-protection): adapt tests to changes of last commits
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* docs(branch-protection): add TODO comments pointing refactor opportunities
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* fix: avoid penalizing non-admin for dismissStaleReview
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* fix(branch-protection): prevent false value from API field to become nil
  When translating the API results, if the specific field `DismissesStaleReviews` had a false value, it was not being initiated in our data model and was remaining nil.
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* refactor: clarify different weight on first reviewer
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* refactor: enhance clarity of logging and comments
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* test(branch-protection): new test to cover different rules affecting same branch
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* docs(branch-protection): change requirements ordering to keep admin ones together
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* refactor(branch-protection): simplify auxiliary function
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* refactor(branch-protection): fix code format to linter requirements
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* refactor(branch-protection): avoid unnecessary initializations and rename function
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* test(branch-protection): adapt test that was forgotten on commit 6858790
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* refactor(branch-protection): use enums to represent tiers
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* refactor(branch-protection): remove nil fields of struct initialization when they don't contribute for clarification
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* refactor(branch-protection): simplify functions by using generics
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* docs(branch-protection): update docs after generate-docs run
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* fix(branch-protection): fix duplicated line on code
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* fix(branch-protection): stop exporting Tier enum
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* refactor(branch-protection): changing unchanged var to const
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* test(branch-protection): Rename test and adapt it to be consistent with its purpose
  I also changed the test to not require PRs, as it's how it is when a new GitHub Branch Protection config is created. The changes on the logging numbers are due to:
  1. A warning for not having DismissStaleReviews became a debug
  2. Removed the warning we had for not requiring CodeOwners
  3. Have a new warning for not requiring PRs
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
---------
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Commit db7b6e7
-
🌱 Add probes to main call (ossf#3688)
* 🌱 Add probes to main call
  Signed-off-by: AdamKorcz <[email protected]>
* fix linter issues
  Signed-off-by: AdamKorcz <[email protected]>
* add test
  Signed-off-by: AdamKorcz <[email protected]>
* add test coverage
  Signed-off-by: AdamKorcz <[email protected]>
* remove
  Signed-off-by: Adam Korczynski <[email protected]>
* WIP
  Signed-off-by: Adam Korczynski <[email protected]>
* change comment for 'ExperimentalRunProbes'
  Signed-off-by: Adam Korczynski <[email protected]>
* fix linter issues
  Signed-off-by: Adam Korczynski <[email protected]>
* make only one in root.go
  Signed-off-by: Adam Korczynski <[email protected]>
* relocate printing of output
  Signed-off-by: Adam Korczynski <[email protected]>
* remove FormatPJSON
  Signed-off-by: Adam Korczynski <[email protected]>
* reduce complexity of rootCmd
  Signed-off-by: Adam Korczynski <[email protected]>
* assign findings in runEnabledProbes
  Signed-off-by: Adam Korczynski <[email protected]>
* change name of probe map
  Signed-off-by: Adam Korczynski <[email protected]>
* unwrap error
  Signed-off-by: Adam Korczynski <[email protected]>
---------
Signed-off-by: AdamKorcz <[email protected]>
Signed-off-by: Adam Korczynski <[email protected]>
Commit 3ce1daa
-
🌱 Use backlog and "help wanted" labels on issues/PRs to keep stale-bot away (ossf#3690)
* Use "never stale" tag on issues/PRs to keep stale-bot away
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Replace 'never stale' with 'icebox', 'help wanted'
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Replace "icebox,help needed" with "backlog,help wanted"
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
---------
Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Commit 663e1a9
Commits on Dec 13, 2023
-
🐛 revert making RequiredPullRequestReviews a pointer (ossf#3728)
* revert the change which made RequiredPullRequestReviews a pointer
  While the current approach works with the tiered scoring, it won't work for probes or if we remove tiers. Making the struct nil to signal that PRs aren't required hides some of the data we do have. This is especially problematic for repo rules, where we can infer all settings by what we see or don't see.
  Signed-off-by: Spencer Schrock <[email protected]>
* add helper to deref pointers
  Signed-off-by: Spencer Schrock <[email protected]>
* clarify comments and keep code consistent
  Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
Commit d03c8cb
-
convert Signed Releases to probes (ossf#3610)
* convert Signed Releases to probes
  Signed-off-by: AdamKorcz <[email protected]>
* Specify that probe is for Github and Gitlab only
  Signed-off-by: AdamKorcz <[email protected]>
* use in loop instead of
  Signed-off-by: AdamKorcz <[email protected]>
* fix linter issues
  Signed-off-by: AdamKorcz <[email protected]>
* fix more linter issues
  Signed-off-by: AdamKorcz <[email protected]>
* specify Github and Gitlab in provenance def.yml
  Signed-off-by: AdamKorcz <[email protected]>
* Add link to slsa-github-generator
  Signed-off-by: AdamKorcz <[email protected]>
* Add instructions on signing with Cosign
  Signed-off-by: AdamKorcz <[email protected]>
* refactor evaluation
  Signed-off-by: Adam Korczynski <[email protected]>
* debug failing integration test
  Signed-off-by: Adam Korczynski <[email protected]>
* remove unused nolints
  Signed-off-by: Adam Korczynski <[email protected]>
* expose release name asset names in finding values
  Signed-off-by: Adam Korczynski <[email protected]>
* fix failed integration test
  Signed-off-by: Adam Korczynski <[email protected]>
* remove 'totalReleases' value from findings
  Signed-off-by: Adam Korczynski <[email protected]>
* remove left-over cases of "totalReleases" values in findings
  Signed-off-by: Adam Korczynski <[email protected]>
* remove remaining totalReleases values
  Signed-off-by: Adam Korczynski <[email protected]>
* use const probe names instead of hard-coded strings
  Signed-off-by: Adam Korczynski <[email protected]>
* remove totalReleases from test helper arguments
  Signed-off-by: Adam Korczynski <[email protected]>
* merge test helpers
  Signed-off-by: Adam Korczynski <[email protected]>
---------
Signed-off-by: AdamKorcz <[email protected]>
Signed-off-by: Adam Korczynski <[email protected]>
Commit 2c20be0
-
🌱 Bump the github-actions group with 2 updates (ossf#3725)
Bumps the github-actions group with 2 updates: [tj-actions/changed-files](https://github.com/tj-actions/changed-files) and [actions/stale](https://github.com/actions/stale).
Updates `tj-actions/changed-files` from 40.2.1 to 40.2.2
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@1c93849...9454999)
Updates `actions/stale` from 8.0.0 to 9.0.0
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](actions/stale@1160a22...28ca103)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/stale
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 39d1b33
-
🌱 fix rangeValCopy linter issues (ossf#3735)
Adding the Required field to PullRequestReviewRule made BranchRef slightly too big for the linter. This code isn't highly used, so just ignoring the inefficiency for now.
Not sure why the staticcheck linter started complaining about the date error checking, but fixed it while I was here.
Signed-off-by: Spencer Schrock <[email protected]>
Commit eefb6bf
Commits on Dec 14, 2023
-
🌱 Bump github.com/go-git/go-git/v5 from 5.10.1 to 5.11.0 (ossf#3723)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.10.1 to 5.11.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.10.1...v5.11.0)
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit d5900ed
Commits on Dec 18, 2023
-
📖 fixup transposition typos in remediation package (ossf#3734)
Signed-off-by: Dave Worth <[email protected]>
Commit f4bf574
-
🌱 differentiate between refs and sha gitlab (ossf#3729)
* fix: differentiate between refs and sha gitlab listcheckrunsforref
  Signed-off-by: Allen Shearin <[email protected]>
* address pr comments
  Signed-off-by: Allen Shearin <[email protected]>
* style: move gitlab call to one line
  Signed-off-by: Allen Shearin <[email protected]>
* update gitlab api comments
  Signed-off-by: Allen Shearin <[email protected]>
---------
Signed-off-by: Allen Shearin <[email protected]>
Commit df7d888
Commits on Dec 19, 2023
-
🌱 Bump golang.org/x/crypto from 0.16.0 to 0.17.0 (ossf#3742)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.16.0 to 0.17.0.
- [Commits](golang/crypto@v0.16.0...v0.17.0)
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 21bbe80
-
🌱 SAST: add Snyk probe (ossf#3689)
* SAST: add Snyk probe
  Adds Snyk's GitHub action (https://github.com/snyk/actions) as a probe.
  Signed-off-by: David Korczynski <[email protected]>
* nit
  Signed-off-by: David Korczynski <[email protected]>
* e2e: adjust sast test to additional probe
  Signed-off-by: David Korczynski <[email protected]>
* checks: sast: nit, fix e2e test
  Signed-off-by: DavidKorczynski <[email protected]>
* Add test with positive outcome
  Signed-off-by: David Korczynski <[email protected]>
* fix comment
  Signed-off-by: David Korczynski <[email protected]>
* sast: snyk: add workflow test
  Signed-off-by: David Korczynski <[email protected]>
* address review
  Signed-off-by: David Korczynski <[email protected]>
* sast: adjust snyk to be the same with sonar
  Signed-off-by: David Korczynski <[email protected]>
* provide path to WF file
  Signed-off-by: David Korczynski <[email protected]>
* adjust path for finding
  Signed-off-by: David Korczynski <[email protected]>
* use prefix rather than contains
  Signed-off-by: David Korczynski <[email protected]>
---------
Signed-off-by: David Korczynski <[email protected]>
Signed-off-by: DavidKorczynski <[email protected]>
Commit 2ef20f1
Commits on Dec 27, 2023
-
🌱 Bump golang.org/x/crypto from 0.15.0 to 0.17.0 in /tools (ossf#3741)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.15.0 to 0.17.0.
- [Commits](golang/crypto@v0.15.0...v0.17.0)
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 4fafac9
-
🌱 Bump gocloud.dev from 0.34.0 to 0.35.0
Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.34.0 to 0.35.0.
- [Release notes](https://github.com/google/go-cloud/releases)
- [Commits](google/go-cloud@v0.34.0...v0.35.0)
---
updated-dependencies:
- dependency-name: gocloud.dev
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Commit 12e4ff1
-
🌱 Bump github.com/xanzy/go-gitlab from 0.94.0 to 0.95.2
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.94.0 to 0.95.2. - [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go) - [Commits](xanzy/go-gitlab@v0.94.0...v0.95.2) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Commit c1a0557
-
🌱 Add probes for Branch Protection (ossf#3691)
* 🌱 Add probes for Branch Protection
  Signed-off-by: AdamKorcz <[email protected]>
* specify that Scorecard only considers default and releases branches
  Signed-off-by: Adam Korczynski <[email protected]>
* reduce duplication in blocksDeleteOnBranches
  Signed-off-by: Adam Korczynski <[email protected]>
* use helper to test for boolean values
  Signed-off-by: Adam Korczynski <[email protected]>
* Fix typo, mention OutcomeNotAvailable
  Signed-off-by: Adam Korczynski <[email protected]>
* fix typo and elaborate on effort
  Signed-off-by: Adam Korczynski <[email protected]>
* fix typo. Specify which branches the probe considers
  Signed-off-by: Adam Korczynski <[email protected]>
* Fix copy paste typo
  Signed-off-by: Adam Korczynski <[email protected]>
* remove '/en' from url
  Signed-off-by: Adam Korczynski <[email protected]>
* change effort from 'High' to 'Low' in the blocksForcePushOnBranches probe def
  Signed-off-by: Adam Korczynski <[email protected]>
* fix remediation level
  Signed-off-by: Adam Korczynski <[email protected]>
* Change probe package name
  Signed-off-by: Adam Korczynski <[email protected]>
* improve probe definitions
  Signed-off-by: Adam Korczynski <[email protected]>
* refactor test names
  Signed-off-by: Adam Korczynski <[email protected]>
* Change motivation of two probes
  Signed-off-by: Adam Korczynski <[email protected]>
* downgrade effort of runsStatusChecksBeforeMerging
  Signed-off-by: Adam Korczynski <[email protected]>
* reduce complexity of blocksForcePushOnBranches
  Signed-off-by: Adam Korczynski <[email protected]>
* simplify requiresCodeOwnersReview logic
  Signed-off-by: Adam Korczynski <[email protected]>
* fix linter issues
  Signed-off-by: Adam Korczynski <[email protected]>
* fix copy paste error
  Signed-off-by: Adam Korczynski <[email protected]>
* differentiate trueMsg and falseMsg in requiresApproversForPullRequests
  Signed-off-by: Adam Korczynski <[email protected]>
* fix text in requiresCodeOwnersReview
  Signed-off-by: Adam Korczynski <[email protected]>
* change outcome in utils
  Signed-off-by: Adam Korczynski <[email protected]>
* fix lint issues
  Signed-off-by: Adam Korczynski <[email protected]>
* fix nit in text
  Signed-off-by: Adam Korczynski <[email protected]>
* use standardized messages
  Signed-off-by: Adam Korczynski <[email protected]>
* remove 'Uint32LargerThan0'
  Signed-off-by: Adam Korczynski <[email protected]>
* Add number of required reviewers to values. Refactor to avoid nil-dereference
  Signed-off-by: Adam Korczynski <[email protected]>
* fix nit log message
  Signed-off-by: Adam Korczynski <[email protected]>
---------
Signed-off-by: AdamKorcz <[email protected]>
Signed-off-by: Adam Korczynski <[email protected]>
Commit 2e1059b
Commits on Dec 28, 2023
-
🌱 Bump actions/setup-go from 4.1.0 to 5.0.0 (ossf#3726)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.1.0 to 5.0.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@93397be...0c52d54) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 6a226ce
-
* 🐛 Fix nils - Fixed potential nils. Signed-off-by: naveensrinivasan <[email protected]> * Fixed code review comments. Signed-off-by: naveensrinivasan <[email protected]> --------- Signed-off-by: naveensrinivasan <[email protected]>
Commit 2bad4e9
-
🌱 Bump google.golang.org/protobuf from 1.31.0 to 1.32.0
Bumps google.golang.org/protobuf from 1.31.0 to 1.32.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Commit 0e8dad8
-
🌱 Update Go version to 1.21 for tools (ossf#3754)
- Update go version from `1.19` to `1.21` [tools/go.mod] - Update go version from `1.19` to `1.21` Signed-off-by: naveensrinivasan <[email protected]>
Commit 5d8767e
-
🌱 Bump github.com/go-git/go-git/v5 in /tools (ossf#3749)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.7.0 to 5.11.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](go-git/go-git@v5.7.0...v5.11.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 90792d9
-
🌱 Bump github.com/jszwec/csvutil from 1.8.0 to 1.9.0 (ossf#3722)
Bumps [github.com/jszwec/csvutil](https://github.com/jszwec/csvutil) from 1.8.0 to 1.9.0. - [Release notes](https://github.com/jszwec/csvutil/releases) - [Commits](jszwec/csvutil@v1.8.0...v1.9.0) --- updated-dependencies: - dependency-name: github.com/jszwec/csvutil dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 3c93389
-
🌱 Bump the github-actions group with 4 updates (ossf#3747)
Bumps the github-actions group with 4 updates: [tj-actions/changed-files](https://github.com/tj-actions/changed-files), [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer), [actions/upload-artifact](https://github.com/actions/upload-artifact) and [actions/download-artifact](https://github.com/actions/download-artifact). Updates `tj-actions/changed-files` from 40.2.2 to 41.0.1 - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@9454999...716b1e1) Updates `sigstore/cosign-installer` from 3.2.0 to 3.3.0 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@1fc5bd3...9614fae) Updates `actions/upload-artifact` from 3.1.3 to 4.0.0 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@a8a3f3a...c7d193f) Updates `actions/download-artifact` from 3.0.2 to 4.1.0 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@9bc31d5...f44cd7b) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit c90e0bb
Commits on Dec 29, 2023
-
🌱 Bump github.com/go-logr/logr from 1.3.0 to 1.4.1 (ossf#3758)
Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.3.0 to 1.4.1. - [Release notes](https://github.com/go-logr/logr/releases) - [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md) - [Commits](go-logr/logr@v1.3.0...v1.4.1) --- updated-dependencies: - dependency-name: github.com/go-logr/logr dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 9b5de80
-
🐛 Dependency-Update-Tool: ignore search commit data for repo clients which don't support it (ossf#3756)
The primary data is the configuration files and the search commit data is just extra, so better to return some data than no data in this case. Signed-off-by: Spencer Schrock <[email protected]>
Commit 69bb742
Commits on Dec 30, 2023
-
🐛 Update token permissions check and scoring (ossf#3755)
- Update message for when no tokens are found [checks/evaluation/permissions/permissions.go] - Change the message for when no tokens are found from "no github tokens found" to "no tokens found" Signed-off-by: naveensrinivasan <[email protected]>
Commit 9986f70
-
🌱 Bump github.com/goreleaser/goreleaser in /tools
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.20.0 to 1.23.0. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](goreleaser/goreleaser@v1.20.0...v1.23.0) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Commit a34f0bf
-
🐛 Fix signed release error for empty gitlab repo (ossf#3753)
* 🐛 Fix signed release error for empty gitlab repo
  - Fixed the issue where an empty gitlab repo is causing this error.
  `Error: check runtime error: Signed-Releases: internal error: could not get release name 2023/12/27 18:07:19 error during command execution: check runtime error: Signed-Releases: internal error: could not get release name exit status 1`
  Signed-off-by: naveensrinivasan <[email protected]>
* Fixes based on review.
  Signed-off-by: naveensrinivasan <[email protected]>
* Fixed codereview changes.
  Signed-off-by: naveensrinivasan <[email protected]>
---------
Signed-off-by: naveensrinivasan <[email protected]>
Commit 1177c3c
Commits on Jan 1, 2024
-
🌱 Bump gocloud.dev from 0.35.0 to 0.36.0 (ossf#3751)
Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.35.0 to 0.36.0. - [Release notes](https://github.com/google/go-cloud/releases) - [Commits](google/go-cloud@v0.35.0...v0.36.0) --- updated-dependencies: - dependency-name: gocloud.dev dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 04340ee
-
🌱 Bump google.golang.org/protobuf in /tools
Bumps google.golang.org/protobuf from 1.31.0 to 1.32.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Commit 6c2a266
Commits on Jan 2, 2024
-
🌱 SAST: dedupe and add Pysa and Qodana probe (ossf#3743)
* Add SAST Pysa probe
  Signed-off-by: David Korczynski <[email protected]>
* Add Pysa positive unit test
  Signed-off-by: David Korczynski <[email protected]>
* Add Qodana as well
  Signed-off-by: David Korczynski <[email protected]>
* fix some styling
  Signed-off-by: David Korczynski <[email protected]>
* fix some messaging
  Signed-off-by: David Korczynski <[email protected]>
* checks: raw: sast: dedup by way of regex
  Ref: ossf#3745
  Signed-off-by: David Korczynski <[email protected]>
* deduplicate SAST score checker
  Signed-off-by: David Korczynski <[email protected]>
* fix styling
  Signed-off-by: David Korczynski <[email protected]>
* fix styling
  Signed-off-by: David Korczynski <[email protected]>
* Rename variables appropriately
  Signed-off-by: David Korczynski <[email protected]>
* fix error message
  Signed-off-by: David Korczynski <[email protected]>
* rename useRegex to usesRegex and add comment
  Signed-off-by: David Korczynski <[email protected]>
* Force regex to compile
  Signed-off-by: David Korczynski <[email protected]>
---------
Signed-off-by: David Korczynski <[email protected]>
Commit 99c455b
-
📖 Update README with zoom meeting info (ossf#3739)
* update zoom meeting info Signed-off-by: leec94 <[email protected]> * feedback Signed-off-by: leec94 <[email protected]> * correcting zoom and calendar links Signed-off-by: leec94 <[email protected]> --------- Signed-off-by: leec94 <[email protected]>
Commit da6d7ec
Commits on Jan 3, 2024
-
📖 document scdiff in the release process (ossf#3730)
* document scdiff in the release process
  Signed-off-by: Spencer Schrock <[email protected]>
* add TOC entry
  Signed-off-by: Spencer Schrock <[email protected]>
* add files to .gitignore
  we don't want people following the instructions to commit the files accidentally
  Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
Commit 2bad6e7
-
🐛 ensure Signed-Releases only scores 5 releases (ossf#3768)
* limit releasesHaveProvenance probe to 5 releases and check in evaluation code too Signed-off-by: Spencer Schrock <[email protected]> * add tests Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]>
Commit 658a77b
Commits on Jan 4, 2024
-
🐛 handle gitlab repos with no commits (ossf#3731)
* fix: handle gitlab repos with no commits Signed-off-by: Allen Shearin <[email protected]> * fix: gitlab listcommits tests, remove else in commit array length check Signed-off-by: Allen Shearin <[email protected]> * rename test file, remove unneeded test Signed-off-by: Allen Shearin <[email protected]> --------- Signed-off-by: Allen Shearin <[email protected]>
Commit 141ac4d
-
🌱 Use const keys for SAST and Pinned-Dependencies probe Values map (ossf#3767)
* use const key for pinned-dependencies value map
* use const key for sast value map
---------
Signed-off-by: Spencer Schrock <[email protected]>
Commit 55b6b76
Commits on Jan 5, 2024
-
Support .sigstore bundles to check for signed releases (ossf#3772)
Signed-off-by: Edgar Ramírez Mondragón <[email protected]>
Commit 0e8e57d
-
🌱 cron: add two additional replicas (ossf#3721)
the cron has witnessed a roughly 15% reduction in repo throughput, this is partly due to increased osv.dev latency, increasing the Vulnerabilities check. the pinned-dependencies check has also increased after 6d35c86. Signed-off-by: Spencer Schrock <[email protected]>
Commit b1d3121
-
🐛 Fix OSV URI in probe remediation text (ossf#3770)
* add space after link
  the period (and possibly what came after it) was being interpreted as part of the link.
  Signed-off-by: Spencer Schrock <[email protected]>
* only use one ID in the osv.dev link
  Signed-off-by: Spencer Schrock <[email protected]>
* add/fix tests
  Signed-off-by: Spencer Schrock <[email protected]>
* make the remediation tests less fragile
  this test would need to be fixed every time the phrasing is fixed. by looking for substrings, we make this less likely to need to be changed.
  Signed-off-by: Spencer Schrock <[email protected]>
* move len check before any finding creation
  small efficiency gain since the finding is discarded.
  Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
Commit 7a4c1bd
Commits on Jan 7, 2024
-
🌱 Included additional method to git client (ossf#3761)
* 🌱 Included additional method to git client
  - Included additional methods to satisfy the local git client
  Signed-off-by: naveensrinivasan <[email protected]>
* Code review comments.
  Signed-off-by: naveensrinivasan <[email protected]>
* Fixed the incorrect gitlab test config.
  Signed-off-by: naveensrinivasan <[email protected]>
* Fixed code review comments.
  Signed-off-by: naveensrinivasan <[email protected]>
---------
Signed-off-by: naveensrinivasan <[email protected]>
Commit a4148d9
Commits on Jan 8, 2024
-
🌱 Bump the github-actions group with 1 update (ossf#3775)
Bumps the github-actions group with 1 update: [actions/dependency-review-action](https://github.com/actions/dependency-review-action). Updates `actions/dependency-review-action` from 3.1.4 to 3.1.5 - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@01bc870...c74b580) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 6f31d2d
-
🌱 Bump github.com/bradleyfalzon/ghinstallation/v2 (ossf#3776)
Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.8.0 to 2.9.0. - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](bradleyfalzon/ghinstallation@v2.8.0...v2.9.0) --- updated-dependencies: - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 9468390
-
🌱 Bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 (ossf#3778)
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.3.3 to 1.3.7. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](cloudflare/circl@v1.3.3...v1.3.7) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit b3fcc0e
-
🌱 Bump github.com/cloudflare/circl in /tools
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.3.5 to 1.3.7. - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](cloudflare/circl@v1.3.5...v1.3.7) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]>
Commit 62457a7
-
🌱 Added URL from GitHub Actions marketplace (ossf#3732)
Signed-off-by: manishtiwari25 <[email protected]>
Commit fdf3fb2
Commits on Jan 9, 2024
-
🌱 Add some more projects to be scanned in the cron (ossf#3764)
Signed-off-by: Jeremy Katz <[email protected]>
Commit 45425b6
-
🌱 refactor permissions (ossf#3693)
* 🌱 refactor permissions
  Signed-off-by: Adam Korczynski <[email protected]>
* change 'PermissionLocation' to 'PermissionLocationType'
  Signed-off-by: Adam Korczynski <[email protected]>
* remove redundant length check
  Signed-off-by: Adam Korczynski <[email protected]>
* return nil instead of findings in case of an error
  Signed-off-by: Adam Korczynski <[email protected]>
* use OutcomeError instead of OutcomeNegative in case of PermissionLevelUnknown
  Signed-off-by: Adam Korczynski <[email protected]>
* Fix lint issue
  Signed-off-by: Adam Korczynski <[email protected]>
* change 'CreateInconclusiveResult' to 'CreateRuntimeErrorResult'
  Signed-off-by: Adam Korczynski <[email protected]>
* add comment to wrapped error
  Signed-off-by: Adam Korczynski <[email protected]>
* unexport enum values
  Signed-off-by: Adam Korczynski <[email protected]>
* fix wrapped error
  Signed-off-by: Adam Korczynski <[email protected]>
---------
Signed-off-by: Adam Korczynski <[email protected]>
Commit f41f8f4
Commits on Jan 10, 2024
-
🌱 Bump golang.org/x/oauth2 from 0.15.0 to 0.16.0 (ossf#3781)
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.15.0 to 0.16.0. - [Commits](golang/oauth2@v0.15.0...v0.16.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 1917fc8
-
🌱 Switch probe tests to helper func (ossf#3782)
* simplify test helper to verify finding outcomes Signed-off-by: Spencer Schrock <[email protected]> * switch existing callers to helper func Signed-off-by: Spencer Schrock <[email protected]> * remove TODO comments Signed-off-by: Spencer Schrock <[email protected]> * fixup doc string Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]>
Commit c59e93b
-
📖 Clarify lack of 2FA check in README.md (ossf#3784)
Update docs on 2FA Closes ossf#7 Signed-off-by: Raghav Kaul <[email protected]>
Commit 6c345f1
-
🐛 Refactor Dockerfile validation code to handle here-documents (ossf#3774)
* Refactor Dockerfile validation code to handle here-documents
  Refactors the `validateDockerfileInsecureDownloads` function to handle Dockerfiles that contain here-documents. This implementation handles the basic use-case, namely shell commands. It does not manage other interpreters that are specified through a shebang, such as python.
  Fixes ossf#3335
  Signed-off-by: Jürgen Kreileder <[email protected]>
* Add test for empty run command case in validateDockerfileInsecureDownloads()
  Signed-off-by: Jürgen Kreileder <[email protected]>
* Simplify end line calculation in validateDockerfileInsecureDownloads()
  Signed-off-by: Jürgen Kreileder <[email protected]>
* Document why we have a python test case here
  Signed-off-by: Jürgen Kreileder <[email protected]>
---------
Signed-off-by: Jürgen Kreileder <[email protected]>
Commit e15264d
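The here-document case described in the commit above, as an added example that is not Scorecard's own code and is not the `validateDockerfileInsecureDownloads` implementation: a stand-alone Go scanner that reads RUN instructions in both the classic form (with `\` continuations) and the BuildKit `RUN <<EOF ... EOF` form, skips a here-document whose interpreter is not a shell (named on the RUN line, e.g. `RUN python3 <<EOF`, or by a `#!` line), and flags the one pattern it knows, curl or wget output piped straight into a shell. The Dockerfile text, the example.invalid URLs and every function name are constructed for this example; Scorecard's real check covers more download patterns than this.

```go
package main

import (
	"path"
	"strings"
)

// ShellCmd is a line of shell a RUN instruction executes, with its 1-based Dockerfile line.
type ShellCmd struct {
	Line int
	Text string
}

// isShell reports whether a command (full path allowed; "sudo"/"env" prefixes skipped) is a POSIX-style shell.
func isShell(fields []string) bool {
	for len(fields) > 0 && (fields[0] == "sudo" || path.Base(fields[0]) == "env") {
		fields = fields[1:]
	}
	return len(fields) > 0 && strings.Contains(" sh bash dash ash zsh ksh ", " "+path.Base(fields[0])+" ")
}

// collectRun gathers the shell text of every RUN: the classic form with "\" continuations,
// and the BuildKit here-document form (RUN <<EOF ... EOF) read up to its delimiter. A
// here-document whose interpreter is not a shell (RUN python3 <<EOF, or a "#!" line) is consumed but dropped.
func collectRun(dockerfile string) []ShellCmd {
	lines := strings.Split(dockerfile, "\n")
	var out []ShellCmd
	for i := 0; i < len(lines); i++ {
		raw := strings.TrimSpace(lines[i])
		if len(raw) < 4 || !strings.EqualFold(raw[:3], "RUN") || (raw[3] != ' ' && raw[3] != '\t') {
			continue
		}
		start, rest := i+1, strings.TrimSpace(raw[3:])
		idx, delim := strings.Index(rest, "<<"), ""
		if idx >= 0 {
			if f := strings.Fields(rest[idx+2:]); len(f) > 0 { // <<EOF, <<-EOF, <<"EOF"
				delim = strings.Trim(strings.TrimLeft(f[0], "-"), `"'`)
			}
		}
		if delim == "" { // classic form: join "\"-continued lines into one command
			for strings.HasSuffix(rest, "\\") && i+1 < len(lines) {
				i++
				rest = strings.TrimSpace(strings.TrimSuffix(rest, "\\")) + " " + strings.TrimSpace(lines[i])
			}
			out = append(out, ShellCmd{start, rest})
			continue
		}
		head := strings.Fields(rest[:idx])
		shell, n := len(head) == 0 || isShell(head), len(out) // interpreter named on the RUN line
		for i++; i < len(lines) && strings.TrimSpace(lines[i]) != delim; i++ {
			out = append(out, ShellCmd{i + 1, lines[i]})
		}
		if len(out) > n && strings.HasPrefix(strings.TrimSpace(out[n].Text), "#!") {
			shell = isShell(strings.Fields(strings.TrimSpace(out[n].Text)[2:])) // shebang wins
		}
		if !shell {
			out = out[:n] // not a shell here-document: drop the body just collected
		}
	}
	return out
}

// pipedIntoShell returns the first pipeline in a shell line feeding curl/wget output straight
// into a shell. List operators ";", "&&", "||" split the line first, so "||" is not a pipe.
func pipedIntoShell(line string) (string, bool) {
	for _, p := range strings.Split(strings.NewReplacer("&&", ";", "||", ";").Replace(line), ";") {
		stages := strings.Split(p, "|")
		for k := 0; k+1 < len(stages); k++ {
			if l := strings.Fields(stages[k]); len(l) > 0 && (path.Base(l[0]) == "curl" || path.Base(l[0]) == "wget") && isShell(strings.Fields(stages[k+1])) {
				return strings.TrimSpace(p), true
			}
		}
	}
	return "", false
}

// Analyze returns every RUN command that pipes a download into a shell.
func Analyze(dockerfile string) []ShellCmd {
	var out []ShellCmd
	for _, c := range collectRun(dockerfile) {
		if cmd, ok := pipedIntoShell(c.Text); ok {
			out = append(out, ShellCmd{c.Line, cmd})
		}
	}
	return out
}

// SampleDockerfile is constructed for this example; example.invalid never resolves.
const SampleDockerfile = `FROM debian:bookworm
RUN <<EOF
curl -sSfL https://example.invalid/install.sh | bash
EOF
RUN <<EOF
#!/usr/bin/env python3
print("python here-doc is not analysed")
EOF
RUN wget -qO- https://example.invalid/setup.sh \
    | sh
`
```

`Analyze(SampleDockerfile)` reports line 3 (`curl ... | bash` inside the shell here-document) and line 9 (the classic `wget ... | sh` spread over a continuation), and nothing for the python here-document, which is the gap the commit message states; `RUN python3 <<EOF` is skipped the same way. The delimiter match is a whole trimmed line, so `<<-EOF` with tab-indented bodies works, and `||` is neutralised before splitting on `|` so `a || b` is never read as a pipe.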
Commits on Jan 11, 2024
-
🌱 use a single source of truth for fuzzer names (ossf#3786)
Signed-off-by: Spencer Schrock <[email protected]>
Commit 8c21a49
-
🌱 add the rest of Metal3 repos to the project list (ossf#3783)
Adding the rest of the Metal3 repos to the project list. Signed-off-by: Tuomo Tanskanen <[email protected]>
Commit c48cd15
-
🌱 Fix struct size govet issues (ossf#3787)
- Fixed the struct size govet issues. Signed-off-by: naveensrinivasan <[email protected]>
Commit b3b40d0
Commits on Jan 13, 2024
-
🌱 Bump github.com/onsi/ginkgo/v2 from 2.13.2 to 2.14.0 (ossf#3789)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.13.2 to 2.14.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.13.2...v2.14.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit a3321e2
-
🌱 Bump github.com/onsi/ginkgo/v2 in /tools
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.13.2 to 2.14.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.13.2...v2.14.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Commit 497b851
Commits on Jan 15, 2024
-
🌱 Bump the github-actions group with 4 updates (ossf#3794)
Bumps the github-actions group with 4 updates: [tj-actions/changed-files](https://github.com/tj-actions/changed-files), [actions/cache](https://github.com/actions/cache), [actions/upload-artifact](https://github.com/actions/upload-artifact) and [actions/download-artifact](https://github.com/actions/download-artifact). Updates `tj-actions/changed-files` from 41.0.1 to 41.1.1 - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@716b1e1...62f4729) Updates `actions/cache` from 3.3.2 to 3.3.3 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@704facf...e12d46a) Updates `actions/upload-artifact` from 4.0.0 to 4.1.0 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@c7d193f...1eb3cb2) Updates `actions/download-artifact` from 4.1.0 to 4.1.1 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@f44cd7b...6b208ae) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 8ac9ca1
Commits on Jan 16, 2024
-
🌱 Change the chan to write only (ossf#3793)
- changed the channel to write only Signed-off-by: naveensrinivasan <[email protected]>
Commit 21edf40
Commits on Jan 17, 2024
-
🌱 Bump github.com/google/osv-scanner from 1.5.0 to 1.6.0 (ossf#3800)
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.5.0 to 1.6.0. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](google/osv-scanner@v1.5.0...v1.6.0) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 4a2dfa9
🌱 Fixed field alignment (ossf#3799)
- Fixed field alignment
Signed-off-by: naveensrinivasan <[email protected]>
Commit f1d7a62
Commits on Jan 18, 2024
🌱 Bump github.com/onsi/ginkgo/v2 from 2.14.0 to 2.15.0 (ossf#3807)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.14.0 to 2.15.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.14.0...v2.15.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 8a78cb7
Commits on Jan 19, 2024
🌱 Bump cloud.google.com/go/bigquery from 1.57.1 to 1.58.0 (ossf#3811)
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.57.1 to 1.58.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@bigquery/v1.57.1...bigquery/v1.58.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 51f1732
🐛 Handle osvscanner errors on projects with no dependencies (ossf#3803)
* handle osv errors for projects without packages Signed-off-by: Spencer Schrock <[email protected]>
* make test parallel Signed-off-by: Spencer Schrock <[email protected]>

---------
Signed-off-by: Spencer Schrock <[email protected]>
Commit b556d93
✨ enforce check scores are between the min and max (ossf#3769)
* enforce check scores are between the min and max
  if the score is invalid, the Error field is set and the score is replaced with an inconclusive result score. Signed-off-by: Spencer Schrock <[email protected]>
* exclude inconclusive result score
  Callers who want the score should use the CreateInconclusiveResult function. The goal is partly to enforce a consistent coding style, and partly to limit proportions which score to -1 accidentally. Signed-off-by: Spencer Schrock <[email protected]>

---------
Signed-off-by: Spencer Schrock <[email protected]>
Commit 0dcad3a
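The commit above (ossf#3769) describes two rules: a check score outside the allowed range must not reach the caller (the Error field is set and the score becomes the inconclusive sentinel), and the sentinel itself should only be produced through a dedicated constructor so that nobody writes -1 by hand. The following Go program is an added illustration of that contract, not the scorecard project's own code: the constants 0, 10 and -1, the simplified CheckResult struct, the CreateResult function and the AggregateScore helper are assumptions made for the example; only the name CreateInconclusiveResult is taken from the commit message.

```go
package main

import (
	"errors"
	"fmt"
)

// Score bounds and the inconclusive sentinel. The values are assumed for this
// example; they are not imported from scorecard.
const (
	MinResultScore          = 0
	MaxResultScore          = 10
	InconclusiveResultScore = -1
)

// CheckResult is a deliberately simplified stand-in for a check's result.
type CheckResult struct {
	Name   string
	Score  int
	Reason string
	Error  error
}

// ErrScoreOutOfRange is attached to results whose check returned a bad score.
var ErrScoreOutOfRange = errors.New("check score is outside the valid range")

// CreateInconclusiveResult is the single place that writes the sentinel.
// Callers that cannot reach a verdict use it instead of writing -1 themselves.
func CreateInconclusiveResult(name, reason string) CheckResult {
	return CheckResult{Name: name, Score: InconclusiveResultScore, Reason: reason}
}

// CreateResult is the only constructor that accepts a numeric score. A value
// outside [MinResultScore, MaxResultScore] is rejected: Error is set and the
// score is replaced by the inconclusive sentinel, so a buggy check cannot leak
// a value such as 13 or -3 into aggregated output.
func CreateResult(name string, score int, reason string) CheckResult {
	if score < MinResultScore || score > MaxResultScore {
		r := CreateInconclusiveResult(name, reason)
		r.Error = fmt.Errorf("%w: %s returned %d, want %d..%d",
			ErrScoreOutOfRange, name, score, MinResultScore, MaxResultScore)
		return r
	}
	return CheckResult{Name: name, Score: score, Reason: reason}
}

// AggregateScore averages the conclusive scores only and reports how many
// checks took part, so an inconclusive -1 never drags the average down.
func AggregateScore(results []CheckResult) (float64, int) {
	sum, n := 0, 0
	for _, r := range results {
		if r.Score == InconclusiveResultScore {
			continue
		}
		sum += r.Score
		n++
	}
	if n == 0 {
		return 0, 0
	}
	return float64(sum) / float64(n), n
}

func main() {
	// Constructed sample results; the out-of-range one simulates a check bug.
	results := []CheckResult{
		CreateResult("Binary-Artifacts", 10, "no binaries found"),
		CreateResult("Code-Review", 13, "bug: score above maximum"),
		CreateResult("Token-Permissions", 7, "job-level write permission found"),
	}
	for _, r := range results {
		fmt.Printf("%-18s score=%3d err=%v\n", r.Name, r.Score, r.Error)
	}
	avg, n := AggregateScore(results)
	fmt.Printf("aggregate over %d conclusive checks: %.1f\n", n, avg)
}
```

Keeping the sentinel behind one constructor means a grep for `-1` in check code finds nothing to audit, and a reviewer only has to reason about CreateResult and CreateInconclusiveResult to trust that every score in the output is either a real 0..10 value or explicitly marked inconclusive with an Error attached.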
🌱 Enforce `make add-projects` for GitHub and GitLab repos (ossf#3780)
* fail if add-projects not run Signed-off-by: Spencer Schrock <[email protected]>
* add gitlab file to add-projects Signed-off-by: Spencer Schrock <[email protected]>
* order gitlab projects with make add-projects Signed-off-by: Spencer Schrock <[email protected]>
* simplify workflow job
  this binary doesn't need the build protos Signed-off-by: Spencer Schrock <[email protected]>

---------
Signed-off-by: Spencer Schrock <[email protected]>
Commit ee4e83a
🌱 Bump github.com/onsi/ginkgo/v2 in /tools (ossf#3805)
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.14.0 to 2.15.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.14.0...v2.15.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit efc5180
Commits on Jan 20, 2024
🌱 Bump github.com/google/osv-scanner from 1.6.0 to 1.6.1 (ossf#3806)
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.6.0 to 1.6.1.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](google/osv-scanner@v1.6.0...v1.6.1)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit da216ed
Commits on Jan 22, 2024
🌱 Bump the github-actions group with 4 updates (ossf#3815)
Bumps the github-actions group with 4 updates: [actions/dependency-review-action](https://github.com/actions/dependency-review-action), [tj-actions/changed-files](https://github.com/tj-actions/changed-files), [actions/cache](https://github.com/actions/cache) and [actions/upload-artifact](https://github.com/actions/upload-artifact).

Updates `actions/dependency-review-action` from 3.1.5 to 4.0.0
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@c74b580...4901385)

Updates `tj-actions/changed-files` from 41.1.1 to 42.0.0
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@62f4729...ae82ed4)

Updates `actions/cache` from 3.3.3 to 4.0.0
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@e12d46a...13aacd8)

Updates `actions/upload-artifact` from 4.1.0 to 4.2.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@1eb3cb2...694cdab)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit e41a3fe
Commits on Jan 23, 2024
📖 Add documentation about probes and contributing (ossf#3762)
* 📖 Add documentation about probes and contributing Signed-off-by: Adam Korczynski <[email protected]>
* change 'subdirectory' to 'directory' Signed-off-by: Adam Korczynski <[email protected]>
* fix 'golangci' typo Signed-off-by: Adam Korczynski <[email protected]>
* Added 'make fix-linter' to Makefile Signed-off-by: Adam Korczynski <[email protected]>
* Move commands to their own table Signed-off-by: Adam Korczynski <[email protected]>
* change 'problem' to 'supply-chain security risk' Signed-off-by: Adam Korczynski <[email protected]>
* Add sentence about what a finding is Signed-off-by: Adam Korczynski <[email protected]>
* remove sentence about running make rule locally Signed-off-by: Adam Korczynski <[email protected]>
* change 'supply-chain security risk' to 'heuristic' Signed-off-by: Adam Korczynski <[email protected]>
* Modify text on where to set remediation data Signed-off-by: Adam Korczynski <[email protected]>
* Add example Signed-off-by: Adam Korczynski <[email protected]>
* add line about discussing changes to the score in a GitHub issue Signed-off-by: Adam Korczynski <[email protected]>

---------
Signed-off-by: Adam Korczynski <[email protected]>
Commit 1a1d9b1
Commits on Jan 24, 2024
🌱 Bump cloud.google.com/go/pubsub from 1.33.0 to 1.34.0 (ossf#3813)
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.33.0 to 1.34.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@pubsub/v1.33.0...pubsub/v1.34.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit ba69f13
🌱 Bump github.com/onsi/gomega from 1.30.0 to 1.31.1 (ossf#3818)
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.30.0 to 1.31.1.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.30.0...v1.31.1)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit ce0905a
🌱 Bump github.com/google/go-containerregistry (ossf#3808)
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.17.0 to 0.18.0.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.17.0...v0.18.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit a021b23
Commits on Jan 25, 2024
🌱 Bump github.com/xanzy/go-gitlab from 0.95.2 to 0.96.0 (ossf#3814)
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.95.2 to 0.96.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go)
- [Commits](xanzy/go-gitlab@v0.95.2...v0.96.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit e61e7e6
Commits on Jan 26, 2024
🌱 Bump cloud.google.com/go/pubsub from 1.34.0 to 1.35.0 (ossf#3820)
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.34.0 to 1.35.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@pubsub/v1.34.0...pubsub/v1.35.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 1fad598
✨ New probes: code-review (ossf#3302)
* 🌱 Bump github.com/goreleaser/goreleaser in /tools (ossf#3238)
  Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.18.2 to 1.19.1. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](goreleaser/goreleaser@v1.18.2...v1.19.1) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <[email protected]>
* begin implementing probe: minTwoCodeReviewers Signed-off-by: André Backman <[email protected]>
* print raw results Signed-off-by: André Backman <[email protected]>
* print raw results Signed-off-by: André Backman <[email protected]>
* print raw results Signed-off-by: André Backman <[email protected]>
* rename probe directory: minimumCodeReviewers Signed-off-by: André Backman <[email protected]>
* rename probe CodeReviewers Signed-off-by: André Backman <[email protected]>
* rename import for CodeReviewers probe Signed-off-by: André Backman <[email protected]>
* update code reviewers definition Signed-off-by: André Backman <[email protected]>
* update code reviewers implementation; fixed embed FS usage Signed-off-by: André Backman <[email protected]>
* printing all findings, work out where to concatenate them Signed-off-by: André Backman <[email protected]>
* concatenated findings to one single finding, outcome is based on the least found unique reviewers Signed-off-by: André Backman <[email protected]>
* refactored uniqueCodeReviewers probe, needs more error checks Signed-off-by: André Backman <[email protected]>
* add error handling for cases of non-existent author and/or reviewer logins Signed-off-by: André Backman <[email protected]>
* add error handling for cases of non-existent author and/or reviewer logins Signed-off-by: André Backman <[email protected]>
* rename probe Signed-off-by: André Backman <[email protected]>
* update codeReviewTwoReviewers definition Signed-off-by: André Backman <[email protected]>
* rename unique code reviewers probe Signed-off-by: André Backman <[email protected]>
* implement codeApproved probe, validation of reviews needs fixing Signed-off-by: André Backman <[email protected]>
* update codeApproved probe, validation of reviews needs fixing Signed-off-by: André Backman <[email protected]>
* working version of codeApproved probe Signed-off-by: André Backman <[email protected]>
* codeReviewed probe implemented Signed-off-by: André Backman <[email protected]>
* clean up comments, add imports, run all probes Signed-off-by: André Backman <[email protected]>
* update license comments Signed-off-by: André Backman <[email protected]>
* Update def.yml license Signed-off-by: André Backman <[email protected]>
* Update def.yml license Signed-off-by: André Backman <[email protected]>
* Update def.yml license Signed-off-by: André Backman <[email protected]>
* Update impl.go license Signed-off-by: André Backman <[email protected]>
* Update impl.go license to Apache 2 Signed-off-by: André Backman <[email protected]>
* Update impl.go license to Apache 2 Signed-off-by: André Backman <[email protected]>
* Update code_review.go license Signed-off-by: André Backman <[email protected]>
* Update entries.go; CodeReviewChecks now called CodeReview Signed-off-by: André Backman <[email protected]>
* Update impl.go, refactor codeReviewTwoReviewers; moved utility functions into impl.go Signed-off-by: André Backman <[email protected]>
* Delete code_review.go utilities moved utility functions to the impl.go they are used in Signed-off-by: André Backman <[email protected]>
* rename probe Signed-off-by: André Backman <[email protected]>
* update codeReviewTwoReviewers definition Signed-off-by: André Backman <[email protected]>
* implement codeApproved probe, validation of reviews needs fixing Signed-off-by: André Backman <[email protected]>
* update codeApproved probe, validation of reviews needs fixing Signed-off-by: André Backman <[email protected]>
* working version of codeApproved probe Signed-off-by: André Backman <[email protected]>
* codeReviewed probe implemented Signed-off-by: André Backman <[email protected]>
* clean up comments, add imports, run all probes Signed-off-by: André Backman <[email protected]>
* update license comments Signed-off-by: André Backman <[email protected]>
* update license comments Signed-off-by: André Backman <[email protected]>
* 🌱 Included unit tests (ossf#3242)
  - Included unit tests Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: André Backman <[email protected]>
* 🌱 Bump golang.org/x/text from 0.10.0 to 0.11.0 (ossf#3243)
  Bumps [golang.org/x/text](https://github.com/golang/text) from 0.10.0 to 0.11.0. - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.10.0...v0.11.0) --- updated-dependencies: - dependency-name: golang.org/x/text dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <[email protected]>
* 🌱 Bump golang.org/x/oauth2 from 0.9.0 to 0.10.0 (ossf#3244)
  Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.9.0 to 0.10.0. - [Commits](golang/oauth2@v0.9.0...v0.10.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <[email protected]>
* 📖 Update Branch-Protection admin and non-admin requirements (ossf#2772)
  * docs: Branch protection admin-only requirements Signed-off-by: Gabriela Gutierrez <[email protected]>
  * docs: Branch protection requirements by tier Signed-off-by: Gabriela Gutierrez <[email protected]>
  * docs: How get a perfect score in branch protection Signed-off-by: Gabriela Gutierrez <[email protected]>
  * docs: Fix local images ref in doc Signed-off-by: Gabriela Gutierrez <[email protected]>
  * docs: Fix typo Co-authored-by: Pedro Nacht <[email protected]> Signed-off-by: Gabriela Gutierrez <[email protected]>
  * docs: Fix check specific table of contents Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: Code owners setting is non admin Signed-off-by: Gabriela Gutierrez <[email protected]>
  * docs: Fix branch protection applied not only to main branch Signed-off-by: Gabriela Gutierrez <[email protected]>
  * docs: Add alt text for images Signed-off-by: Gabriela Gutierrez <[email protected]>
  * docs: You can get a perfect score with non admin access Signed-off-by: Gabriela Gutierrez <[email protected]>
  * docs: update max tier scores Signed-off-by: Gabriela Gutierrez <[email protected]>
  * docs: update tier 1 max points explanation Signed-off-by: Gabriela Gutierrez <[email protected]>
  * docs: Move changes to internal checks doc
    Move changes done in docs/checks.md to docs/checks/internal/checks.yaml. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * docs: Revert changes on checks doc Signed-off-by: Gabriela Gutierrez <[email protected]>
  * docs: Fix admin settings evaluated on branch protection Signed-off-by: Gabriela Gutierrez <[email protected]>
  * docs: Change branch protection model status checks Signed-off-by: Gabriela Gutierrez <[email protected]>
  * docs: Change tiers score to expected score
    The expected score for the code to output is 3/10 for Tier 1 case and 7/10 for Tier 3 case. The scoring issue will be reported as bug. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * docs: Fix Tier 3 score Signed-off-by: Gabriela Gutierrez <[email protected]>
  ---------
  Signed-off-by: Gabriela Gutierrez <[email protected]> Co-authored-by: Pedro Nacht <[email protected]> Signed-off-by: André Backman <[email protected]>
* 🌱 Linter workflow cleanup (ossf#3247)
  * Fix linter timeout by renaming deprecated deadline. Signed-off-by: Spencer Schrock <[email protected]>
  * Disable depguard linter.
    As of golangci-lint v3.5.0, the depguard linter is complaining. We don't use a .depguard.yml file, so just disabling the linter. Signed-off-by: Spencer Schrock <[email protected]>
  * Move linter into own workflow. Signed-off-by: Spencer Schrock <[email protected]>
  * Fix bash command substitution. Signed-off-by: Spencer Schrock <[email protected]>
  * Add harden runner. Signed-off-by: Spencer Schrock <[email protected]>
  * switch names to existing linter job Signed-off-by: Spencer Schrock <[email protected]>
  * Update golangci-lint to v1.53.3 Signed-off-by: Spencer Schrock <[email protected]>
  ---------
  Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: André Backman <[email protected]>
* 🌱 Bump tj-actions/changed-files from 37.0.5 to 37.1.0 (ossf#3253)
  Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.0.5 to 37.1.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@54849de...87e23c4) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <[email protected]>
* 🌱 Bump github.com/goreleaser/goreleaser in /tools (ossf#3252)
  Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.19.1 to 1.19.2. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](goreleaser/goreleaser@v1.19.1...v1.19.2) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <[email protected]>
* 🌱 Bump golang.org/x/tools from 0.10.0 to 0.11.0
  Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.10.0 to 0.11.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.10.0...v0.11.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: André Backman <[email protected]>
* 🌱 Improve rate limit handling in roundtripper (ossf#3237)
  - Add rate limit testing and handling functionality
  - Add tests for successful response and Retry-After header set scenarios
  Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: André Backman <[email protected]>
* 🌱 Bump tj-actions/changed-files from 37.1.0 to 37.1.1 (ossf#3259)
  Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.0 to 37.1.1. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@87e23c4...1f20fb8) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <[email protected]>
* 🌱 Bump github.com/bradleyfalzon/ghinstallation/v2 (ossf#3260)
  Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.5.0 to 2.6.0. - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](bradleyfalzon/ghinstallation@v2.5.0...v2.6.0) --- updated-dependencies: - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <[email protected]>
* 🌱 Add urls for opentelemetry, micrometer and new relic to weekly cron (ossf#3248)
  * add urls for opentelemetry and micrometer Signed-off-by: Ajmal Kottilingal <[email protected]>
  * add jakarta-activation url Signed-off-by: Ajmal Kottilingal <[email protected]>
  * adding json-path Signed-off-by: Ajmal Kottilingal <[email protected]>
  * fix using make Signed-off-by: Ajmal Kottilingal <[email protected]>
  ---------
  Signed-off-by: Ajmal Kottilingal <[email protected]> Signed-off-by: André Backman <[email protected]>
* 🐛 Add npm installs to Pinned-Dependencies score (ossf#2960)
  * feat: Add npm install to pinned dependencies score Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Fix pinned dependencies evaluation tests
    Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, for "various warnings" test, the total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Fix pinned dependencies e2e tests
    Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. The repo being tested, ossf-tests/scorecard-check-pinned-dependencies-e2e, has third-party GitHub actions pinned, no npm installs, and all other dependencies types are unpinned. This gives us 8 for actionScore, 10 for npmScore and 0 for all other scores. Previously the total score was 8/5~=1, and now the total score is 18/6=3. Also, since there are no npm installs, there's one more Info log for "npm installs are pinned". Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Fix typo Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Unpinned npm install score
    When having one unpinned npm install and all other dependencies pinned, the score should be 50/6~=8. Also, it should raise 1 warning for the unpinned npm install, 6 infos saying the other dependency types are pinned (2 for GHAs, 2 for dockerfile image and downloads, 1 for script downloads and 1 for pip installs), and 0 debug logs since the npm install dependency does not have an error message. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Undefined npm install score
    When an error happens to parse a npm install dependency, the error/debug message is saved in "Msg" field. In this case, we were not able to define if the npm install is pinned or not. This dependency is classified as pinned undefined. We treat such cases as pinned cases, so it logs as Info that npm installs are all pinned and counts the score as 10. Then, the final score makes it to 10 as well. Since it logs the error/debug message, the Debug log goes to 1. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Fix typo Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Fix "validate various warnings and info" test
    Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, this test total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3. Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: npm dependencies pinned log Signed-off-by: Gabriela Gutierrez <[email protected]>
  * test: Remove test of error when parsing an npm dependency Signed-off-by: Gabriela Gutierrez <[email protected]>
  ---------
  Signed-off-by: Gabriela Gutierrez <[email protected]> Signed-off-by: André Backman <[email protected]>
* 🌱 Bump github.com/moby/buildkit from 0.11.6 to 0.12.0 (ossf#3264)
  Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.11.6 to 0.12.0. - [Release notes](https://github.com/moby/buildkit/releases) - [Commits](moby/buildkit@v0.11.6...v0.12.0) --- updated-dependencies: - dependency-name: github.com/moby/buildkit dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <[email protected]>
* Ack linter warning and add tracking issue. (ossf#3263)
  Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: André Backman <[email protected]>
* 🐛 Forgive job-level permissions (ossf#3162)
  * Forgive all job-level permissions Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
  * Update tests Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
  * Replace magic number Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
  * Rename test Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
  * Test that multiple job-level permissions are forgiven Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
  * Drop unused permissionIsPresent Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
  * Update documentation Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
  * Modify score descriptions Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
  * Document warning for job-level permissions Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
  * List job-level permissions that get WARNed Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
  ---------
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> Signed-off-by: André Backman <[email protected]>
* 🐛 Fix typo (ossf#3267)
  Signed-off-by: Eugene Kliuchnikov <[email protected]> Signed-off-by: André Backman <[email protected]>
* 📖 Suggest new score viewer on badge documentation (ossf#3268)
  * docs(readme): suggest new score viewer on badge documentation Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
  * docs(readme): add link to ossf blogpost about the badge Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
  * docs: update badge of our own README to the new viewer Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
  ---------
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]> Signed-off-by: André Backman <[email protected]>
* 🌱 Bump tj-actions/changed-files from 37.1.1 to 37.1.2 (ossf#3266)
  Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.1 to 37.1.2. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@1f20fb8...2a968ff) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <[email protected]>
* 🌱 Update the cover profile for e2e (ossf#3271)
  - Update the cover profile for e2e Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: André Backman <[email protected]>
* 🌱 Improve e2e workflow tests (ossf#3273)
  - Add e2e test for workflow runs
  - Retrieve successful runs of the scorecard-analysis.yml workflow
  Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: André Backman <[email protected]>
* 🌱 Excluded dependabot from codecov (ossf#3272)
  - Exclude dependabot from codecov job in main.yml [.github/workflows/main.yml]
  - Exclude dependabot from codecov job
  Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: André Backman <[email protected]>
* 🌱 Increase test coverage for searching commits (ossf#3276)
  - Add an e2e test for searching commits by author
  - Search commits by author `dependabot[bot]` and expect results
  Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: André Backman <[email protected]>
* 🐛 Fix Branch-Protection scoring (ossf#3251)
  * fix: Verify if branch is required to be up to date before merge Signed-off-by: Gabriela Gutierrez <[email protected]>
  * docs: Comment tracking GraphQL bug Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: Add validation if pointers are not null before accessing the values Signed-off-by: Gabriela Gutierrez <[email protected]>
  * fix: Delete debug log file Signed-off-by: Gabriela Gutierrez <[email protected]>
  ---------
  Signed-off-by: Gabriela Gutierrez <[email protected]> Signed-off-by: André Backman <[email protected]>
* ✨ scdiff: generate cmd skeleton (ossf#3275)
  * add scdiff root command Signed-off-by: Spencer Schrock <[email protected]>
  * Add generate boilerplate. Signed-off-by: Spencer Schrock <[email protected]>
  * get rid of init Signed-off-by: Spencer Schrock <[email protected]>
  * read newline delimited repo file Signed-off-by: Spencer Schrock <[email protected]>
  * Run scorecard and echo results. Signed-off-by: Spencer Schrock <[email protected]>
  * add license Signed-off-by: Spencer Schrock <[email protected]>
  * add basic runner tests. Signed-off-by: Spencer Schrock <[email protected]>
  * Add Runner comment. Signed-off-by: Spencer Schrock <[email protected]>
  * switch to using scorecard logger. Signed-off-by: Spencer Schrock <[email protected]>
  * linter fix Signed-off-by: Spencer Schrock <[email protected]>
  ---------
  Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: André Backman <[email protected]>
* 🌱 Delete unused project-update functionality. (ossf#3269)
  Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: André Backman <[email protected]>
* 🌱 Bump tj-actions/changed-files from 37.1.2 to 37.3.0 (ossf#3280)
  Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.2 to 37.3.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@2a968ff...3928317) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ...
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <[email protected]> * 🌱 Bump github.com/google/osv-scanner from 1.3.5 to 1.3.6 (ossf#3281) Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.5 to 1.3.6. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](google/osv-scanner@v1.3.5...v1.3.6) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <[email protected]> * 🌱 Bump gocloud.dev from 0.30.0 to 0.32.0 (ossf#3284) Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.30.0 to 0.32.0. - [Release notes](https://github.com/google/go-cloud/releases) - [Commits](google/go-cloud@v0.30.0...v0.32.0) --- updated-dependencies: - dependency-name: gocloud.dev dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <[email protected]> * 🌱 Include attestor Dockerfile in CI and dependabot updates (ossf#3285) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: André Backman <[email protected]> * 🌱 Bump tj-actions/changed-files from 37.3.0 to 37.4.0 Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.3.0 to 37.4.0. 
- [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@3928317...de0eba3) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: André Backman <[email protected]> * 🌱 Bump google-appengine/debian11 in /attestor Bumps google-appengine/debian11 from `fed7dd5` to `97dc4fb`. --- updated-dependencies: - dependency-name: google-appengine/debian11 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: André Backman <[email protected]> * 🌱 Bump github.com/xanzy/go-gitlab from 0.86.0 to 0.88.0 Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.86.0 to 0.88.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](xanzy/go-gitlab@v0.86.0...v0.88.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: André Backman <[email protected]> * 🌱 Use a matrix for docker image building (ossf#3290) * working matrix. Signed-off-by: Spencer Schrock <[email protected]> * Remove unneeded env vars. Add comments. Signed-off-by: Spencer Schrock <[email protected]> * minor syntax change. 
Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: André Backman <[email protected]> * 🌱 Improve e2e workflow tests (ossf#3282) - Ensure that only head queries are supported in workflow tests - Add a test to detect when a non-existent workflow file is used [e2e/workflow_test.go] - Add a test to check that only head queries are supported - Add a test to check that a non-existent workflow file returns an error Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: André Backman <[email protected]> * 🌱 Use a matrix for when building binaries in main.yml (ossf#3291) * Use matrix for build jobs. Signed-off-by: Spencer Schrock <[email protected]> * These build targets dont seem to need protoc. This lets us save the API quota. Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: André Backman <[email protected]> * 🌱 Fix hanging docker jobs for doc only changes. (ossf#3292) Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: André Backman <[email protected]> * 📖 Add contributor ladder (ossf#3246) * Add contributor ladder Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Clarify sponsorship Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Hope for retirement warning Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * 1 maintainer can sponsor a community member Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Apply suggestions from code review Co-authored-by: Raghav Kaul <[email protected]> Signed-off-by: Pedro Nacht <[email protected]> --------- Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> Signed-off-by: Pedro Nacht <[email protected]> Signed-off-by: André Backman <[email protected]> * 🌱 Consolidate GitLab e2e workflows. (ossf#3278) * Move gitlab to different workflow to parallelize. 
Signed-off-by: Spencer Schrock <[email protected]> * Add missing versions. Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: André Backman <[email protected]> * 🌱 Add separate cache for long-running tests (ossf#3293) * Add separate cache for unit tests. Signed-off-by: Spencer Schrock <[email protected]> * share cache with gitlab tests too. Signed-off-by: Spencer Schrock <[email protected]> * share cache with github integration tests. Signed-off-by: Spencer Schrock <[email protected]> * explicitly download modules in unit test job Signed-off-by: Spencer Schrock <[email protected]> * checkout needs to be before the go.mod is read. Signed-off-by: Spencer Schrock <[email protected]> * checkout needs to be before the go.sum files are hashed. Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: André Backman <[email protected]> * 🌱 Bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.0 (ossf#3297) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.7.0 to 5.8.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](go-git/go-git@v5.7.0...v5.8.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <[email protected]> * 🌱 Bump github.com/onsi/gomega from 1.27.8 to 1.27.9 (ossf#3298) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.8 to 1.27.9. 
- [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.27.8...v1.27.9) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <[email protected]> * 🌱 Improve search commit e2e tests (ossf#3295) - Add 2 tests for searching commits in e2e/searchCommits_test.go - Fix errors in e2e/searchCommits_test.go when not using HEAD or when user does not exist [e2e/searchCommits_test.go] - Add 2 tests for searching commits - Fix error when not using HEAD - Fix error when user does not exist Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: André Backman <[email protected]> * 📖 update docs for webhooks documentation (ossf#3299) * update docs for webhooks documentation Signed-off-by: leec94 <[email protected]> * change webhook severity in readme Signed-off-by: leec94 <[email protected]> --------- Signed-off-by: leec94 <[email protected]> Signed-off-by: André Backman <[email protected]> * 🌱 Unit tests OSSFuzz client (ossf#3301) * 🌱 Unit tests OSSFuzz client - Included tests for IsArchived, LocalPath, ListFiles, GetFileContent, GetBranch, GetDefaultBranch, GetOrgRepoClient, GetDefaultBranchName, ListCommits, ListIssues, ListReleases, ListContributors, ListSuccessfulWorkflowRuns, ListCheckRunsForRef, ListStatuses, ListWebhooks, SearchCommits, Close, ListProgrammingLanguages, Signed-off-by: naveensrinivasan <[email protected]> * Improve OSSFuzz client tests [clients/ossfuzz/client_test.go] - Add a test for the `GetCreatedAt` method - Fix the `URI` method to return the correct value Signed-off-by: naveensrinivasan <[email protected]> --------- Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: André 
Backman <[email protected]> * 🌱 Ensure check markdown is kept in sync with source yaml. (ossf#3300) * Ensure check markdown is kept in sync with check yaml. Signed-off-by: Spencer Schrock <[email protected]> * change generate-docs target to detect changes to docs/checks.md directly. Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: André Backman <[email protected]> * Update def.yml license Signed-off-by: André Backman <[email protected]> Signed-off-by: André Backman <[email protected]> * Update def.yml license Signed-off-by: André Backman <[email protected]> Signed-off-by: André Backman <[email protected]> * Update def.yml license Signed-off-by: André Backman <[email protected]> Signed-off-by: André Backman <[email protected]> * Update code_review.go license Signed-off-by: André Backman <[email protected]> Signed-off-by: André Backman <[email protected]> * Update entries.go; CodeReviewChecks now called CodeReview Signed-off-by: André Backman <[email protected]> Signed-off-by: André Backman <[email protected]> * refactor codeReviewTwoReviewers; moved utility functions into impl.go Signed-off-by: André Backman <[email protected]> * Update impl.go, refactor codeReviewTwoReviewers; moved utility functions into impl.go Signed-off-by: André Backman <[email protected]> * Update go.mod, aligned imports Signed-off-by: André Backman <[email protected]> * update license comments Signed-off-by: André Backman <[email protected]> * update license comments Signed-off-by: André Backman <[email protected]> * change EOL = CRLF to LF Signed-off-by: André Backman <[email protected]> * add error handling in case of no changesets Signed-off-by: André Backman <[email protected]> * completed tests for code-review probes Signed-off-by: André Backman <[email protected]> * update codeReview probes and utils Signed-off-by: André Backman <[email protected]> * fixed some lint errors, check for more Signed-off-by: André 
Backman <[email protected]> * fixed lint issues Signed-off-by: André Backman <[email protected]> * fix lint errors Signed-off-by: André Backman <[email protected]> * add test for multiple reviews with only one unique reviewer Signed-off-by: André Backman <[email protected]> * simplify func uniqueReviewers, use map[string]bool Signed-off-by: André Backman <[email protected]> * fix linting error Signed-off-by: André Backman <[email protected]> * moved probe tests to their own function Signed-off-by: André Backman <[email protected]> * fix comment syntax Signed-off-by: André Backman <[email protected]> * gci-ed files to fix linter errors Signed-off-by: André Backman <[email protected]> * implement change to skip bot-authored changesets that are reviewed/approved Signed-off-by: André Backman <[email protected]> * rewrite finding message Signed-off-by: André Backman <[email protected]> * fix output message; do not count the number of approved bot-authored changesets Signed-off-by: André Backman <[email protected]> * fix typos Signed-off-by: André Backman <[email protected]> * moved probe tests to their corresponding location Signed-off-by: André Backman <[email protected]> * removed redundant probe codeReviewed Signed-off-by: André Backman <[email protected]> * Update probes/codeApproved/def.yml Co-authored-by: Raghav Kaul <[email protected]> Signed-off-by: jitsengupta17 <[email protected]> * Update probes/codeApproved/def.yml Co-authored-by: Raghav Kaul <[email protected]> Signed-off-by: jitsengupta17 <[email protected]> * Update probes/codeApproved/def.yml Co-authored-by: Raghav Kaul <[email protected]> Signed-off-by: jitsengupta17 <[email protected]> * Update probes/codeApproved/def.yml Co-authored-by: Raghav Kaul <[email protected]> Signed-off-by: jitsengupta17 <[email protected]> * Update probes/codeApproved/def.yml Co-authored-by: Raghav Kaul <[email protected]> Signed-off-by: jitsengupta17 <[email protected]> * Update probes/codeReviewOneReviewers/def.yml 
Co-authored-by: Raghav Kaul <[email protected]> Signed-off-by: jitsengupta17 <[email protected]> * Lint Signed-off-by: Raghav Kaul <[email protected]> --------- Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: André Backman <[email protected]> Signed-off-by: André Backman <[email protected]> Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: Gabriela Gutierrez <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Ajmal Kottilingal <[email protected]> Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> Signed-off-by: Eugene Kliuchnikov <[email protected]> Signed-off-by: Diogo Teles Sant'Anna <[email protected]> Signed-off-by: Pedro Nacht <[email protected]> Signed-off-by: leec94 <[email protected]> Signed-off-by: André Backman <[email protected]> Signed-off-by: jitsengupta17 <[email protected]> Signed-off-by: Raghav Kaul <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: André Backman <[email protected]> Co-authored-by: Naveen <[email protected]> Co-authored-by: Gabriela Gutierrez <[email protected]> Co-authored-by: Pedro Nacht <[email protected]> Co-authored-by: Spencer Schrock <[email protected]> Co-authored-by: Ajmal Kottilingal <[email protected]> Co-authored-by: Pedro Nacht <[email protected]> Co-authored-by: Eugene Kliuchnikov <[email protected]> Co-authored-by: Diogo Teles Sant'Anna <[email protected]> Co-authored-by: Caroline <[email protected]> Co-authored-by: jitsengupta17 <[email protected]> Co-authored-by: Raghav Kaul <[email protected]> Co-authored-by: gowriNSN <[email protected]> Co-authored-by: Raghav Kaul <[email protected]>
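The "🐛 Forgive job-level permissions (ossf#3162)" entry in the squashed message above changes how a `permissions:` block is judged depending on where it sits: a write grant at the top of a workflow file applies to every job and still costs points, while the same grant scoped to a single job is only warned about. The Go program below is an added illustration of that distinction and is not Scorecard's own code. The `Workflow` and `Permissions` types, the `Evaluate` function, the set of high-risk scopes and the point values are this example's assumptions, and the YAML is taken as already parsed into those types.

```go
package main

import (
	"fmt"
	"sort"
)

// Permissions mirrors the shape of a GitHub Actions `permissions:` block: either
// the shorthand string "read-all" / "write-all", or a map of scope -> "read" |
// "write" | "none".
type Permissions struct {
	Shorthand string            // "read-all", "write-all", or "" when Scopes is used
	Scopes    map[string]string // e.g. {"contents": "write"}
}

// Workflow is the subset of an already-parsed workflow file this example needs
// (YAML parsing is assumed to have happened upstream).
type Workflow struct {
	Name     string
	TopLevel *Permissions            // nil when no top-level block is declared
	Jobs     map[string]*Permissions // job id -> job-level block, nil when absent
}

type Level string

const (
	Warn Level = "Warn" // reported, but forgiven when scoring
	Fail Level = "Fail" // costs points
)

type Finding struct {
	Level Level
	Msg   string
}

// highRiskScopes are write permissions that let a compromised step alter code,
// published artifacts or other workflows. This set is an assumption of the
// example, not the project's list.
var highRiskScopes = map[string]bool{"contents": true, "packages": true, "actions": true}

// writeScopes lists the scopes a block grants write access to, sorted so output
// is deterministic. A nil block grants nothing; "write-all" is reported as the
// single pseudo-scope "all".
func writeScopes(p *Permissions) []string {
	if p == nil {
		return nil
	}
	if p.Shorthand == "write-all" {
		return []string{"all"}
	}
	var out []string
	for scope, level := range p.Scopes {
		if level == "write" {
			out = append(out, scope)
		}
	}
	sort.Strings(out)
	return out
}

// Evaluate scores a workflow out of 10. Top-level write grants cost points;
// job-level write grants are only warned about, which is the "forgive job-level
// permissions" behaviour. The point values are assumed for illustration.
func Evaluate(w Workflow) (int, []Finding) {
	score := 10
	var findings []Finding
	if w.TopLevel == nil {
		findings = append(findings, Finding{Warn, "no top-level permissions block; the token falls back to the repository default"})
		score-- // assumed penalty for an undeclared top-level block
	}
	for _, s := range writeScopes(w.TopLevel) {
		if s == "all" || highRiskScopes[s] {
			score = 0
		} else {
			score--
		}
		findings = append(findings, Finding{Fail, fmt.Sprintf("top-level '%s' permission set to 'write'", s)})
	}
	jobIDs := make([]string, 0, len(w.Jobs))
	for id := range w.Jobs {
		jobIDs = append(jobIDs, id)
	}
	sort.Strings(jobIDs)
	for _, id := range jobIDs {
		for _, s := range writeScopes(w.Jobs[id]) {
			findings = append(findings, Finding{Warn, fmt.Sprintf("job '%s' sets '%s: write' (job-level, forgiven)", id, s)})
		}
	}
	if score < 0 {
		score = 0
	}
	return score, findings
}

func main() {
	// Constructed sample: read-only token at the top, write scopes only in the
	// one job that needs them. This is the layout the check rewards.
	w := Workflow{
		Name:     "release",
		TopLevel: &Permissions{Scopes: map[string]string{"contents": "read"}},
		Jobs: map[string]*Permissions{
			"test":    nil,
			"publish": {Scopes: map[string]string{"contents": "write", "packages": "write"}},
		},
	}
	score, findings := Evaluate(w)
	fmt.Printf("%s: score %d/10\n", w.Name, score)
	for _, f := range findings {
		fmt.Printf("  %s: %s\n", f.Level, f.Msg)
	}
}
```

The practical consequence is the one the commit's documentation bullets describe: moving `contents: write` from the file's top level into the single job that publishes keeps the warning visible in the output but stops it from pulling the score down.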
Commit 9440b76
-
🌱 Add active cisco-open projects to cronjob (ossf#3822)
Signed-off-by: lelia <[email protected]>
Commit da3e5ad
-
* spelling: accurate
  Signed-off-by: Josh Soref <[email protected]>
* spelling: administrator
  Signed-off-by: Josh Soref <[email protected]>
* spelling: analyze
  Signed-off-by: Josh Soref <[email protected]>
* spelling: andtwenty
  Signed-off-by: Josh Soref <[email protected]>
* spelling: ascii
  Signed-off-by: Josh Soref <[email protected]>
* spelling: association
  Signed-off-by: Josh Soref <[email protected]>
* spelling: at least
  Signed-off-by: Josh Soref <[email protected]>
* spelling: attestor
  Signed-off-by: Josh Soref <[email protected]>
* spelling: barbaric
  Signed-off-by: Josh Soref <[email protected]>
* spelling: bucket
  Signed-off-by: Josh Soref <[email protected]>
* spelling: by
  Signed-off-by: Josh Soref <[email protected]>
* spelling: can
  Signed-off-by: Josh Soref <[email protected]>
* spelling: case-insensitive
  Signed-off-by: Josh Soref <[email protected]>
* spelling: case-sensitive
  Signed-off-by: Josh Soref <[email protected]>
* spelling: checking
  Signed-off-by: Josh Soref <[email protected]>
* spelling: command-line
  Signed-off-by: Josh Soref <[email protected]>
* spelling: commit
  Signed-off-by: Josh Soref <[email protected]>
* spelling: committed
  Signed-off-by: Josh Soref <[email protected]>
* spelling: conclusion
  Signed-off-by: Josh Soref <[email protected]>
* spelling: corresponding
  Signed-off-by: Josh Soref <[email protected]>
* spelling: created
  Signed-off-by: Josh Soref <[email protected]>
* spelling: dataset
  Signed-off-by: Josh Soref <[email protected]>
* spelling: default
  Signed-off-by: Josh Soref <[email protected]>
* spelling: defines
  Signed-off-by: Josh Soref <[email protected]>
* spelling: dependabot
  Signed-off-by: Josh Soref <[email protected]>
* spelling: dependency
  Signed-off-by: Josh Soref <[email protected]>
* spelling: depending
  Signed-off-by: Josh Soref <[email protected]>
* spelling: desired
  Signed-off-by: Josh Soref <[email protected]>
* spelling: different
  Signed-off-by: Josh Soref <[email protected]>
* spelling: disclose
  Signed-off-by: Josh Soref <[email protected]>
* spelling: download
  Signed-off-by: Josh Soref <[email protected]>
* spelling: each
  Signed-off-by: Josh Soref <[email protected]>
* spelling: enforce
  Signed-off-by: Josh Soref <[email protected]>
* spelling: every time
  Signed-off-by: Josh Soref <[email protected]>
* spelling: exist
  Signed-off-by: Josh Soref <[email protected]>
* spelling: existing
  Signed-off-by: Josh Soref <[email protected]>
* spelling: fields
  Signed-off-by: Josh Soref <[email protected]>
* spelling: files
  Signed-off-by: Josh Soref <[email protected]>
* spelling: for
  Signed-off-by: Josh Soref <[email protected]>
* spelling: force-push
  Signed-off-by: Josh Soref <[email protected]>
* spelling: github
  Signed-off-by: Josh Soref <[email protected]>
* spelling: gitlab
  Signed-off-by: Josh Soref <[email protected]>
* spelling: ignoreed
  Signed-off-by: Josh Soref <[email protected]>
* spelling: implementation
  Signed-off-by: Josh Soref <[email protected]>
* spelling: implements
  Signed-off-by: Josh Soref <[email protected]>
* spelling: increase
  Signed-off-by: Josh Soref <[email protected]>
* spelling: indicates
  Signed-off-by: Josh Soref <[email protected]>
* spelling: initialized
  Signed-off-by: Josh Soref <[email protected]>
* spelling: instructions
  Signed-off-by: Josh Soref <[email protected]>
* spelling: invalid
  Signed-off-by: Josh Soref <[email protected]>
* spelling: marshal
  Signed-off-by: Josh Soref <[email protected]>
* spelling: match
  Signed-off-by: Josh Soref <[email protected]>
* spelling: name
  Signed-off-by: Josh Soref <[email protected]>
* spelling: nonexistent
  Signed-off-by: Josh Soref <[email protected]>
* spelling: organization
  Signed-off-by: Josh Soref <[email protected]>
* spelling: package
  Signed-off-by: Josh Soref <[email protected]>
* spelling: provenance
  Signed-off-by: Josh Soref <[email protected]>
* spelling: query
  Signed-off-by: Josh Soref <[email protected]>
* spelling: readers
  Signed-off-by: Josh Soref <[email protected]>
* spelling: receive
  Signed-off-by: Josh Soref <[email protected]>
* spelling: registered
  Signed-off-by: Josh Soref <[email protected]>
* spelling: remediate
  Signed-off-by: Josh Soref <[email protected]>
* spelling: representation
  Signed-off-by: Josh Soref <[email protected]>
* spelling: requests
  Signed-off-by: Josh Soref <[email protected]>
* spelling: requires
  Signed-off-by: Josh Soref <[email protected]>
* spelling: return
  Signed-off-by: Josh Soref <[email protected]>
* spelling: scorecard
  Signed-off-by: Josh Soref <[email protected]>
* spelling: separator
  Signed-off-by: Josh Soref <[email protected]>
* spelling: serialization
  Signed-off-by: Josh Soref <[email protected]>
* spelling: sign up
  Signed-off-by: Josh Soref <[email protected]>
* spelling: specifications
  Signed-off-by: Josh Soref <[email protected]>
* spelling: specified
  Signed-off-by: Josh Soref <[email protected]>
* spelling: success
  Signed-off-by: Josh Soref <[email protected]>
* spelling: successfully
  Signed-off-by: Josh Soref <[email protected]>
* spelling: the
  Signed-off-by: Josh Soref <[email protected]>
* spelling: their
  Signed-off-by: Josh Soref <[email protected]>
* spelling: twenty
  Signed-off-by: Josh Soref <[email protected]>
* spelling: unexpected
  Signed-off-by: Josh Soref <[email protected]>
* spelling: unused
  Signed-off-by: Josh Soref <[email protected]>
* spelling: unverified
  Signed-off-by: Josh Soref <[email protected]>
* spelling: validate
  Signed-off-by: Josh Soref <[email protected]>
* spelling: vendor
  Signed-off-by: Josh Soref <[email protected]>
* spelling: vulnerabilities
  Signed-off-by: Josh Soref <[email protected]>
* spelling: vulns
  Signed-off-by: Josh Soref <[email protected]>
* spelling: will
  Signed-off-by: Josh Soref <[email protected]>
* spelling: without
  Signed-off-by: Josh Soref <[email protected]>
* spelling: workflow
  Signed-off-by: Josh Soref <[email protected]>
* spelling: workflows
  Signed-off-by: Josh Soref <[email protected]>
---------
Signed-off-by: Josh Soref <[email protected]>
Commit 3b94825
Commits on Jan 29, 2024
-
✨ dependency-update-tool: detect GitLab Renovate config files (ossf#3823)
Also organize the list in order of appearance on the website; this makes it easier to compare.
Signed-off-by: Spencer Schrock <[email protected]>
Commit 301208c
-
🌱 Bump the github-actions group with 3 updates (ossf#3825)
Bumps the github-actions group with 3 updates: [tj-actions/changed-files](https://github.com/tj-actions/changed-files), [codecov/codecov-action](https://github.com/codecov/codecov-action) and [actions/upload-artifact](https://github.com/actions/upload-artifact).

Updates `tj-actions/changed-files` from 42.0.0 to 42.0.2
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@ae82ed4...90a06d6)

Updates `codecov/codecov-action` from 3.1.4 to 3.1.5
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@eaaf4be...4fe8c5f)

Updates `actions/upload-artifact` from 4.2.0 to 4.3.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@694cdab...26f96df)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit a25f108
Commits on Jan 30, 2024
-
🌱 Bump github.com/google/go-containerregistry (ossf#3828)
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.18.0 to 0.19.0.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.18.0...v0.19.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 19047e8
-
🌱 Enhance test output and management in ValidateTestReturn (ossf#3810)
* test failures should print the details they receive
  this makes debugging failing tests easier.
  Signed-off-by: Spencer Schrock <[email protected]>
* use GinkgoTB so the test helpers work instead of panicking
  Signed-off-by: Spencer Schrock <[email protected]>
* ValidateTestReturn will fail the test directly, no need for the bool return
  Signed-off-by: Spencer Schrock <[email protected]>
* clarify diff details
  Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
Commit 83ff808
Commits on Jan 31, 2024
-
🐛 Support self-hosted GitLab instances where base URL has a path component (ossf#3819)
* Add GL_HOST env flag
  Self-hosted instances which don't use a subdomain result in broken API links. This change may not be finished, but is intended to evaluate the solution.
  Previously, self-hosted instances where the instance is part of the path (foo.com/gitlab/owner/repo) would have their API base URL registered as foo.com/api/v4/ instead of foo.com/gitlab/api/v4/
  Signed-off-by: Spencer Schrock <[email protected]>
* include token in gitlab project probe
  Signed-off-by: Spencer Schrock <[email protected]>
* consider GL_HOST when parsing gitlab repo urls
  Signed-off-by: Spencer Schrock <[email protected]>
* remove unneeded GL_HOST parsing
  now that repoURL_parse handles GL_HOST, we don't need it elsewhere.
  Signed-off-by: Spencer Schrock <[email protected]>
* cleanup
  Signed-off-by: Spencer Schrock <[email protected]>
* mention GL_HOST in readme
  Signed-off-by: Spencer Schrock <[email protected]>
* fix linter
  Signed-off-by: Spencer Schrock <[email protected]>
* handle GL_HOST without scheme
  Signed-off-by: Spencer Schrock <[email protected]>
* move api-less check earlier
  if we can avoid an API call, do it.
  Signed-off-by: Spencer Schrock <[email protected]>
* try listing projects with and without auth token
  Signed-off-by: Spencer Schrock <[email protected]>
* fix linter
  Signed-off-by: Spencer Schrock <[email protected]>
* revert passing token to list projects
  the simpler the better
  Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: Spencer Schrock <[email protected]>
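The failure described in the first bullet above is a URL-derivation bug: when a self-hosted instance is served under a path such as `foo.com/gitlab`, the first path segment belongs to the instance, not to the project namespace, so the REST base must be `foo.com/gitlab/api/v4/` and the project path must be `owner/repo`. The Go program below is an added example of resolving a repository URL against a `GL_HOST` value and is not the project's `repoURL_parse` code. The `ParseGitLabRepo` and `normalizeHost` names, the choice to treat a scheme-less `GL_HOST` as https, and the host-mismatch error are this example's assumptions. It runs the pre-fix derivation (no `GL_HOST`) next to the corrected one so the two bases can be compared.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// GitLabRepo is the resolved location of a project on a GitLab instance.
type GitLabRepo struct {
	APIBase string // REST base, e.g. https://foo.com/gitlab/api/v4/
	Project string // namespace path used with the Projects API, e.g. owner/repo
}

// normalizeHost turns a GL_HOST value into a URL with a scheme and a clean,
// slash-free path prefix. A scheme-less value such as "foo.com/gitlab" is
// assumed to mean https (an assumption of this example).
func normalizeHost(glHost string) (*url.URL, error) {
	glHost = strings.TrimSpace(glHost)
	if glHost == "" {
		return nil, errors.New("GL_HOST is empty")
	}
	if !strings.Contains(glHost, "://") {
		glHost = "https://" + glHost
	}
	u, err := url.Parse(glHost)
	if err != nil {
		return nil, err
	}
	if u.Host == "" {
		return nil, fmt.Errorf("GL_HOST %q has no host", glHost)
	}
	u.Path = strings.Trim(u.Path, "/")
	u.RawQuery, u.Fragment = "", ""
	return u, nil
}

// ParseGitLabRepo resolves repoURL against the instance named by glHost.
// With glHost empty the instance is assumed to sit at the root of the repo's
// host, which is the older behaviour that mis-derives the API base for
// path-hosted instances (foo.com/gitlab/owner/repo -> foo.com/api/v4/).
func ParseGitLabRepo(glHost, repoURL string) (GitLabRepo, error) {
	if !strings.Contains(repoURL, "://") {
		repoURL = "https://" + repoURL
	}
	ru, err := url.Parse(repoURL)
	if err != nil {
		return GitLabRepo{}, err
	}
	repoPath := strings.Trim(ru.Path, "/")

	var base *url.URL
	if glHost == "" {
		base = &url.URL{Scheme: ru.Scheme, Host: ru.Host}
	} else {
		if base, err = normalizeHost(glHost); err != nil {
			return GitLabRepo{}, err
		}
		if !strings.EqualFold(base.Host, ru.Host) {
			return GitLabRepo{}, fmt.Errorf("repo host %q does not match GL_HOST host %q", ru.Host, base.Host)
		}
		// Strip the instance's path prefix (e.g. "gitlab") so it is not
		// mistaken for the project namespace.
		if base.Path != "" {
			if !strings.HasPrefix(repoPath+"/", base.Path+"/") {
				return GitLabRepo{}, fmt.Errorf("repo path %q is not under GL_HOST path %q", repoPath, base.Path)
			}
			repoPath = strings.TrimPrefix(repoPath, base.Path+"/")
		}
	}
	if strings.Count(repoPath, "/") < 1 {
		return GitLabRepo{}, fmt.Errorf("repo path %q must be at least namespace/project", repoPath)
	}
	apiBase := base.Scheme + "://" + base.Host + "/"
	if base.Path != "" {
		apiBase += base.Path + "/"
	}
	return GitLabRepo{APIBase: apiBase + "api/v4/", Project: repoPath}, nil
}

func main() {
	// Constructed inputs covering the bug described above: an instance served
	// under a path, first without GL_HOST (wrong base) and then with it.
	cases := []struct{ host, repo string }{
		{"", "https://foo.com/gitlab/owner/repo"},
		{"foo.com/gitlab", "https://foo.com/gitlab/owner/repo"},
		{"https://gitlab.example.org", "gitlab.example.org/group/sub/repo"},
		{"foo.com/gitlab", "https://other.example/gitlab/owner/repo"},
	}
	for _, c := range cases {
		r, err := ParseGitLabRepo(c.host, c.repo)
		fmt.Printf("GL_HOST=%-28q %-45q -> %+v err=%v\n", c.host, c.repo, r, err)
	}
}
```

The host-mismatch error is deliberate: if `GL_HOST` names one instance and the repo URL points at another, silently building an API base from either would send the token to the wrong server, so the example refuses rather than guessing.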
Commit e10dbb1
-
🌱 Bump github.com/google/osv-scanner from 1.6.1 to 1.6.2 (ossf#3834)
* 🌱 Bump github.com/google/osv-scanner from 1.6.1 to 1.6.2
  Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.6.1 to 1.6.2.
  - [Release notes](https://github.com/google/osv-scanner/releases)
  - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
  - [Commits](google/osv-scanner@v1.6.1...v1.6.2)
  ---
  updated-dependencies:
  - dependency-name: github.com/google/osv-scanner
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <[email protected]>
* specify go patch version
  go mod tidy requires this. I was able to delete the toolchain directive, and it wasn't added back.
  Signed-off-by: Spencer Schrock <[email protected]>
* bump dockerfiles to 1.21.6 so the build works
  Signed-off-by: Spencer Schrock <[email protected]>
* bump go version used in codeql workflow
  github runners currently use Go 1.20 by default, which doesn't understand 1.21.x format.
  Signed-off-by: Spencer Schrock <[email protected]>
---------
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <[email protected]>
Commit 6f816c8
Commits on Feb 1, 2024
-
🌱 Bump github.com/moby/buildkit from 0.12.4 to 0.12.5 (ossf#3836)
Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.12.4 to 0.12.5.
- [Release notes](https://github.com/moby/buildkit/releases)
- [Commits](moby/buildkit@v0.12.4...v0.12.5)

---
updated-dependencies:
- dependency-name: github.com/moby/buildkit
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit db86b8b
-
Commit df5e563