Upgrade scorecard version #1

cx-monicac · 2024-02-14T11:43:15Z

What kind of change does this PR introduce?

(Is it a bug fix, feature, docs update, something else?)

PR title follows the guidelines defined in our pull request documentation

What is the current behavior?

What is the new behavior (if this is a feature change)?**

Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

* remove old replace directives. Signed-off-by: Spencer Schrock <sschrock@google.com> * Remove dgrijalva/jwt-go replace. Project now maintained at github.com/golang-jwt/jwt. So it's unused. Signed-off-by: Spencer Schrock <sschrock@google.com> * remove replace on unused github.com/buger/jsonparser Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unused github.com/gorilla/handlers replace. Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unused github.com/miekg/dns Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unused github.com/ulikunitz/xz Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unused github.com/satori/go.uuid Signed-off-by: Spencer Schrock <sschrock@google.com> * replace directive no longer needed for github.com/opencontainers/image-spec. Signed-off-by: Spencer Schrock <sschrock@google.com> * potentially unneeded replace for github.com/emicklei/go-restful Signed-off-by: Spencer Schrock <sschrock@google.com> * potentially unneeded replace for github.com/docker/distribution Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>

Bumps [actions/cache](https://github.com/actions/cache) from 3.3.1 to 3.3.2. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@88522ab...704facf) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.2 to 3.1.3. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@0b7f8ab...a8a3f3a) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.8 to 3.1.0. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@f6fff72...6c5ccda) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.0.0 to 39.0.2. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@48566bb...6ee9cdc) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.6.0 to 2.7.0. - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](bradleyfalzon/ghinstallation@v2.6.0...v2.7.0) --- updated-dependencies: - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.54.0 to 1.55.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@bigquery/v1.54.0...bigquery/v1.55.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* repo rulesets via v4 api Signed-off-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com> * good enough fnmatch implementation. Signed-off-by: Spencer Schrock <sschrock@google.com> * good enough rulesMatchingBranch Signed-off-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com> * apply matching repo rules to branch protection settings Signed-off-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com> * rules: consider admins and require checks Signed-off-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com> * non-structural chanages from PR feedback Signed-off-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com> * fetch default branch name during repo rules query Signed-off-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com> * Testing applyRepoRules Tests assume a single rule is being applied to a branch, which might be guarded by a legacy branch protection rule. I think this logic gets problematic when there are multiple rules overlaid on the same branch: the "the existing rules does not enforce for admins, but i do and therefore this branch now does" will give false-positives. Signed-off-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com> * Test_applyRepoRules: builder and standardize names Signed-off-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com> * attempt to upgrade/downgrade EnforceAdmins as each rule is applied Signed-off-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com> * simplify enforce admin for now. Signed-off-by: Spencer Schrock <sschrock@google.com> * handle merging pull request reviews Signed-off-by: Spencer Schrock <sschrock@google.com> * handle merging check rules Signed-off-by: Spencer Schrock <sschrock@google.com> * handle last push approval Signed-off-by: Spencer Schrock <sschrock@google.com> * handle linear history Signed-off-by: Spencer Schrock <sschrock@google.com> * use constants for github rule types. Signed-off-by: Spencer Schrock <sschrock@google.com> * add status check test. Signed-off-by: Spencer Schrock <sschrock@google.com> * add e2e test for repo rules. Signed-off-by: Spencer Schrock <sschrock@google.com> * handle nil branch name data Signed-off-by: Spencer Schrock <sschrock@google.com> * add tracking issue. Signed-off-by: Spencer Schrock <sschrock@google.com> * fix precedence in if statement Signed-off-by: Spencer Schrock <sschrock@google.com> * include repo rules in the check docs. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Peter Wagner <1559510+thepwagner@users.noreply.github.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Co-authored-by: Spencer Schrock <sschrock@google.com>

…process more issues (ossf#3483) * Update workflow to increase operations per run to process more issues * 🌱 workflows/stale: Increased operations-per-run from default and reduced days to close stale issues

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* issue 2157 changes Signed-off-by: leec94 <leec94@bu.edu> * incorporated feedback Signed-off-by: leec94 <leec94@bu.edu> * making the linter happy Signed-off-by: leec94 <leec94@bu.edu> * changing to local variable, testing still not working Signed-off-by: leec94 <leec94@bu.edu> * update tests to ignore date Signed-off-by: leec94 <leec94@bu.edu> * ran through linter Signed-off-by: leec94 <leec94@bu.edu> * resolving suggestions Signed-off-by: leec94 <leec94@bu.edu> --------- Signed-off-by: leec94 <leec94@bu.edu>

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 4.6.0 to 5.0.0. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@5fdedb9...7ec5c2b) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.8.1 to 5.9.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](go-git/go-git@v5.8.1...v5.9.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.6 to 1.4.0. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](google/osv-scanner@v1.3.6...v1.4.0) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.0.2 to 39.1.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@6ee9cdc...8e79ba7) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update README.md Add link to webviewer * Update faq.md Update webviewer link in FAQ * Update README.md Typo * Update faq.md Linebreak

With our current upload setup, it will always show a drop of 6-7%. This is confusing to contributors, so make the check always pass. Also fixes the threshold for the patch coverage. Signed-off-by: Spencer Schrock <sschrock@google.com>

* Update README.md Signed-off-by: olivekl <olivekl@google.com> * Update faq.md Signed-off-by: olivekl <olivekl@google.com> --------- Signed-off-by: olivekl <olivekl@google.com>

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.1.0 to 39.1.2. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@8e79ba7...4196030) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.0.0 to 4.1.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@3df4ab1...8ade135) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* wip Signed-off-by: Spencer Schrock <sschrock@google.com> * output via tabwriter Signed-off-by: Spencer Schrock <sschrock@google.com> * specify by check. Signed-off-by: Spencer Schrock <sschrock@google.com> * Return aggregate score when unmarshalling. Signed-off-by: Spencer Schrock <sschrock@google.com> * convert from score to bucket in one place. use aggregate score from func Signed-off-by: Spencer Schrock <sschrock@google.com> * fix forgotten usage of ExperimentalFromJSON2 Signed-off-by: Spencer Schrock <sschrock@google.com> * use sentinel errors. Signed-off-by: Spencer Schrock <sschrock@google.com> * move counting to own func for testability Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unneeded fields from results for readability. Signed-off-by: Spencer Schrock <sschrock@google.com> * add test for parse errors. Signed-off-by: Spencer Schrock <sschrock@google.com> * share max result size for any bufio.Scanner which reads results. Signed-off-by: Spencer Schrock <sschrock@google.com> * add basic overall test for calcing stats. Signed-off-by: Spencer Schrock <sschrock@google.com> * make missing file argument generic. Signed-off-by: Spencer Schrock <sschrock@google.com> * validate min args with cobra. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>

Signed-off-by: Spencer Schrock <sschrock@google.com>

) Signed-off-by: Spencer Schrock <sschrock@google.com>

Issues are still getting closed after ossf#3493. I assume there's a default value being used somewhere. Signed-off-by: Spencer Schrock <sschrock@google.com>

* Remove EnforceAdmins from tier 1. Scores in some tests either increase to 3, or 4, since EnfroceAdmins no longer keeps them in tier 1. The number of Debug, Info, and Warn messages will decrease by 1 per branch, since we're no longer logging them. Signed-off-by: Spencer Schrock <sschrock@google.com> * move enforce admins to tier 5. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>

* feat: Define if dependency is pinned or unpinned Add a field Pinned to Dependency structure. Update to save Dependencies pinned and unpinned. Not only unpinned ones. All download then run executions are considered unpinned. Because there is no remediation to pin them. For package manager downloads: add early return if there are no commands, separate package manager identification (go, npm, choco, pip) from decision if installation is pinned or unpinned. Change Go case "go get -d -v" considered pinned, to any Go installations containing "-d" to be considered pinned. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * refactor: Convert diff var types to pointer We need to add a new conversion of boolean to pointer. Currently, we had string and int conversions named asPointer but not used in the same file. In order to know when we are using which conversion and considering bool and string would have to be used in the same file, it was needed to differentiate the method names. New method names are asIntPointer, asStringPointer and soon asBoolPointer. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Pinned Dependency field type Field needs to be a pointer to work when accessing values on evaluation. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * feat: Count pinned and unpinned deps We're changing the ecossystems result structure. The result structure previously stored if the ecossystem is fully pinned or not. The new result structure can tell how many dependencies of that ecossystem were found and how many were pinned. This change is necessary to ignore not applicable ecossystems on the final aggregated score. When iterating the dependencies, now we go through pinned and unpinned dependencies, not only unpinned, and in each iteration we update the result. We kept the behavior of only log warnings for unpinned dependencies. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * feat: Flag not applicable ecossystems If no dependencies of an ecossystem are found, it results in an inconclusive score (-1). As in other checks, this means here that the ecossystem scoring is not applicable in this case. At the same time, we are keep the scoring criteria the same. If all dependencies are pinned, it results in maximum score (10) and if 1 or more dependencies are unpinned, it results in a minimum score (0) for that ecossystem. GitHub workflow cases are handled differently but the idea is the same. We are also adding a log to know when an ecossystem was not found. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * feat: Score only applicable ecossystems Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * feat: If no dependencies then create inconclusive score Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: GitHub Actions score and logs Change test from `createReturnValuesForGitHubActionsWorkflowPinned` function to `createReturnForIsGitHubActionsWorkflowPinned` wrapper function so we can test logs. We have adjusted the existing test cases and included new test cases. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Pinned dependencies score Break "various warnings" tests into smaller tests for pinned and unpinned dependencies and how they react to warn and debug messages. Plus add tests for how the score is affected when all dependencies are pinned, when no dependencies are pinned, when there are no dependencies, and partial dependencies pinned. Also, how dependencies unpinned in 1 or multiple ecossystems affect the warn messages, add one unpinned case for each ecossystem to see if they are being detected and separate the download then run 2 possible cases, there are currently scoring and logging wrong due to a bug. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Ecossystems score and logs Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Remove deleted maxScore function test When we changed the scoring method to ignore not applicable scores, we removed the normalization of inconclusive scores to 0. The normalization was done by `maxScore` function, that was deleted in the process. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Adding GitHub Actions dependencies to result Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Update GitHub Actions result Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Update pip installs result Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Handle if nuget dependency is pinned or unpinned Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * tests: Fix check warnings for unpinned dependencies Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Linter errors Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: GitHub Actions pinned log If, for example, you have GitHub-owned actions and none Third-party actions, you should receive a "no Third-party actions found" log and don't receive a "all Third-party actions are pinned" log. At the same time, you deserve the score of pinning Third-party to complement the GitHub-owned score. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix "ossf-tests/scorecard-check-pinned-dependencies-e2e" The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions only GitHub-owned actions, that are unpinned, no npm installs, multiple go installs all pinned, and all other dependencies types are unpinned. This gives us 8 for actionScore, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 28/7 =~ 4, and now the total score is 18/6 =~ 3. The number of logs remain the same. The "all Third-party actions are pinned" will be replaced by "no Third-party actions found", which is a more realistic info and same thing for npm installs. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * Revert rename `asPointer` to `asStringPointer` Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Handle deps with parsing error and undefined pinning When a dependency has a parsing error it ends up with a `Msg` field. In this case, the dependency should not count in the final score, so we should not `updatePinningResults` in this case. Also, to continue with the evaluation calculation, we need to make sure the dependencies have a `Pinned` state. Here we are adding this validation for it along with a debug log. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Delete unecessary test We already have separate test for if 1 unpinned dependency shows a warn message, and 2 cases for when dependencies have errors and show a debug message. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Add missing dep Location cases Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Simplify Dockerfile pinned as name logic Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: If ecossystem is not found show debug log If ecossystem is not found show debug log, not info log. This affects the tests, all not found ecossystems will "move" from info logs to debug logs. We are also complementing the `all dependencies pinned` and `all dependencies unpinned` cases so we have the max score case and the min score case using all kinds of dependencies. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix e2e tests and more unit tests Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * feat: Iterate all dependency types for final score Now we iterate all existing dependency types in the final score. This will fix the problem of new ecossystems not being count in the final score because we needed to update the evaluation part. This also fixes the problem of download then run being counted twice for the score. Now, we only have debug logs when there are errors with the dependency metadata. That means we don't log anymore when dependencies of an ecossystem are not found. We changed the info log format when dependencies are all pinned. We simplified the calculation of the scores. We removed unused error returns. And now we only iterate existing ecossystems. If an ecossystem is not found we will not iterate it. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * feat: Proportional score We count all pinned dependencies over the total found dependencies of all ecossystems for the final score. But, we still want to give low prioritity to GHA GitHub-owned dependencies over GHA third-party dependencies. That's why we are doing a weighted proportional score, all ecossystems have a normal weight of 10 but GHAs have a weight. If you only have GitHub-owned, it will count as 10, because GHA don't weight less then other ecossystems. Same for GHA third-party, if you only have GHA third-party, it will also count as 10, because GHAs don't weight less then other ecossystems. But if you have both GHA GitHub-owned and third-party, GitHub-owned count less then third-party. Trying to keep the same weight as before, GitHub-owned weights 8 and third-party weights 2. These weights will make the score be more penalized if you have unpinned third-party and less penalized if you have unpinned GitHub-owned. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: GHA weights in proportional score Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix scores and logs checking Add new cases for GHA scores since it's weighted differently now. Remove `createReturnValues` test since the function was removed. Fix current tests to adjust number of logs since we don't log if all dependencies are pinned or not anymore. Fix partially pinned score. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix e2e test The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions only GitHub-owned actions, that are unpinned, no npm installs, multiple go installs all pinned, and all other dependencies types are unpinned. This gives us 8 for GHA ecossytem, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 18/6 =~ 3. Now, we count 5/6 GitHub-owned GHA pinned, 23/36 containerImage pinned, 0/88 downloadThenRun pinned, 2/49 pipCommand pinned, 17/17 goCommand pinned. This results in 47/186 pinned dependencies which results in 2.5 score, that is rounded down to 2. Plus, the number of info was reduced since we don't log info for "all pinned dependencies in X ecossystem" anymore. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * refactor: Rename to ProportionalScoreWeighted Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * refactor: Var declarations to create proportional score Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Remove unnecessary pointer Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Dependencies priority declaration Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Ecosystem spelling Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Handle 0 weight and 0 total when creating proportional weighted score Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Revert -d flag identification change Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: npm ci command is npm download and is pinned Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Linter errors Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Unexport error variable to other packages Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * refactor: Simplify no score groups condition Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * feat: Log proportion of dependencies pinned Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix unit tests to include info logs The number of info logs should be same number of identified ecossystems. GitHub-owned GitHubAction and third-party GitHubAction count as different ecossytems. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix e2e tests to include info logs The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has GitHub-owned GitHubActions, containerImage, downloadThenRun, pipCommand and goCommand dependencies. Therefore it will have 5 Info logs, one for each ecossystem. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Linter error Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> --------- Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.0 to 2.12.1. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.12.0...v2.12.1) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.57.1 to 1.58.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@bigquery/v1.57.1...bigquery/v1.58.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* handle osv errors for projects without packages Signed-off-by: Spencer Schrock <sschrock@google.com> * make test parallel Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>

* enforce check scores are between the min and max if the score is invalid, the Error field is set and the score is replaced with an inconclusive result score. Signed-off-by: Spencer Schrock <sschrock@google.com> * exclude inconclusive result score Callers who want the score should use the CreateInconclusiveResult function. The goal is partly to enforce a consistent coding style, and partly to limit proportions which score to -1 accidentally. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>

* fail if add-projects not run Signed-off-by: Spencer Schrock <sschrock@google.com> * add gitlab file to add-projects Signed-off-by: Spencer Schrock <sschrock@google.com> * order gitlab projects with make add-projects Signed-off-by: Spencer Schrock <sschrock@google.com> * simplify workflow job this binary doesn't need the build protos Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.14.0 to 2.15.0. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.14.0...v2.15.0) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.6.0 to 1.6.1. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](google/osv-scanner@v1.6.0...v1.6.1) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps the github-actions group with 4 updates: [actions/dependency-review-action](https://github.com/actions/dependency-review-action), [tj-actions/changed-files](https://github.com/tj-actions/changed-files), [actions/cache](https://github.com/actions/cache) and [actions/upload-artifact](https://github.com/actions/upload-artifact). Updates `actions/dependency-review-action` from 3.1.5 to 4.0.0 - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@c74b580...4901385) Updates `tj-actions/changed-files` from 41.1.1 to 42.0.0 - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@62f4729...ae82ed4) Updates `actions/cache` from 3.3.3 to 4.0.0 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@e12d46a...13aacd8) Updates `actions/upload-artifact` from 4.1.0 to 4.2.0 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@1eb3cb2...694cdab) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* 📖 Add documentation about probes and contributing Signed-off-by: Adam Korczynski <adam@adalogics.com> * change 'subdirectory' to 'directory' Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix 'golangci' typo Signed-off-by: Adam Korczynski <adam@adalogics.com> * Added 'make fix-linter' to Makefile Signed-off-by: Adam Korczynski <adam@adalogics.com> * Move commands to their own table Signed-off-by: Adam Korczynski <adam@adalogics.com> * change 'problem' to 'supply-chain security risk' Signed-off-by: Adam Korczynski <adam@adalogics.com> * Add sentence about what a finding is Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove sentence about running make rule locally Signed-off-by: Adam Korczynski <adam@adalogics.com> * change 'supply-chain security risk' to 'heuristic' Signed-off-by: Adam Korczynski <adam@adalogics.com> * Modify text on where to set remediation data Signed-off-by: Adam Korczynski <adam@adalogics.com> * Add example Signed-off-by: Adam Korczynski <adam@adalogics.com> * add line about discussing changes to the score in a GitHub issue Signed-off-by: Adam Korczynski <adam@adalogics.com> --------- Signed-off-by: Adam Korczynski <adam@adalogics.com>

Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.33.0 to 1.34.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@pubsub/v1.33.0...pubsub/v1.34.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/pubsub dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.30.0 to 1.31.1. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.30.0...v1.31.1) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.17.0 to 0.18.0. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](google/go-containerregistry@v0.17.0...v0.18.0) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.95.2 to 0.96.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go) - [Commits](xanzy/go-gitlab@v0.95.2...v0.96.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.34.0 to 1.35.0. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@pubsub/v1.34.0...pubsub/v1.35.0) --- updated-dependencies: - dependency-name: cloud.google.com/go/pubsub dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* 🌱 Bump github.com/goreleaser/goreleaser in /tools (ossf#3238) Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.18.2 to 1.19.1. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](goreleaser/goreleaser@v1.18.2...v1.19.1) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * begin implementing probe: minTwoCodeReviewers Signed-off-by: André Backman <andre.backman@nokia.com> * print raw results Signed-off-by: André Backman <andre.backman@nokia.com> * print raw results Signed-off-by: André Backman <andre.backman@nokia.com> * print raw results Signed-off-by: André Backman <andre.backman@nokia.com> * rename probe directory: minimumCodeReviewers Signed-off-by: André Backman <andre.backman@nokia.com> * rename probe CodeReviewers Signed-off-by: André Backman <andre.backman@nokia.com> * rename import for CodeReviewers probe Signed-off-by: André Backman <andre.backman@nokia.com> * update code reviewers definition Signed-off-by: André Backman <andre.backman@nokia.com> * update code reviewers implementation; fixed embed FS usage Signed-off-by: André Backman <andre.backman@nokia.com> * printing all findings, work out where to concatenate them Signed-off-by: André Backman <andre.backman@nokia.com> * concatenated findings to one single finding, outcome is based on the least found unique reviewers Signed-off-by: André Backman <andre.backman@nokia.com> * refactored uniqueCodeReviewers probe, needs more error checks Signed-off-by: André Backman <andre.backman@nokia.com> * add error handling for cases of non-existant author and/or reviewer logins Signed-off-by: André Backman <andre.backman@nokia.com> * add error handling for cases of non-existant author and/or reviewer logins Signed-off-by: André Backman <andre.backman@nokia.com> * rename probe Signed-off-by: André Backman <andre.backman@nokia.com> * update codeReviewTwoReviewers definition Signed-off-by: André Backman <andre.backman@nokia.com> * rename unique code reviewers probe Signed-off-by: André Backman <andre.backman@nokia.com> * implement codeApproved probe, validation of reviews needs fixing Signed-off-by: André Backman <andre.backman@nokia.com> * update codeApproved probe, validation of reviews needs fixing Signed-off-by: André Backman <andre.backman@nokia.com> * working version of codeApproved probe Signed-off-by: André Backman <andre.backman@nokia.com> * codeReviewed probe implemented Signed-off-by: André Backman <andre.backman@nokia.com> * clean up comments, add imports, run all probes Signed-off-by: André Backman <andre.backman@nokia.com> * update license comments Signed-off-by: André Backman <andre.backman@nokia.com> * Update def.yml license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update def.yml license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update def.yml license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update impl.go license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update impl.go license to Apache 2 Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update impl.go license to Apache 2 Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update code_review.go license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update entries.go; CodeReviewChecks now called CodeReview Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update impl.go, refactor codeReviewTwoReviewers; moved utility functions into impl.go Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Delete code_review.go utilities moved utility functions to the impl.go they are used in Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * rename probe Signed-off-by: André Backman <andre.backman@nokia.com> * update codeReviewTwoReviewers definition Signed-off-by: André Backman <andre.backman@nokia.com> * implement codeApproved probe, validation of reviews needs fixing Signed-off-by: André Backman <andre.backman@nokia.com> * update codeApproved probe, validation of reviews needs fixing Signed-off-by: André Backman <andre.backman@nokia.com> * working version of codeApproved probe Signed-off-by: André Backman <andre.backman@nokia.com> * codeReviewed probe implemented Signed-off-by: André Backman <andre.backman@nokia.com> * clean up comments, add imports, run all probes Signed-off-by: André Backman <andre.backman@nokia.com> * update license comments Signed-off-by: André Backman <andre.backman@nokia.com> * update license comments Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Included unit tests (ossf#3242) - Included unit tests Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump golang.org/x/text from 0.10.0 to 0.11.0 (ossf#3243) Bumps [golang.org/x/text](https://github.com/golang/text) from 0.10.0 to 0.11.0. - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.10.0...v0.11.0) --- updated-dependencies: - dependency-name: golang.org/x/text dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump golang.org/x/oauth2 from 0.9.0 to 0.10.0 (ossf#3244) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.9.0 to 0.10.0. - [Commits](golang/oauth2@v0.9.0...v0.10.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 📖 Update Branch-Protection admin and non-admin requirements (ossf#2772) * docs: Branch protection admin-only requirements Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Branch protection requirements by tier Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: How get a perfect score in branch protection Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix local images ref in doc Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix typo Co-authored-by: Pedro Nacht <pedro.k.night@gmail.com> Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix check specific table of contents Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Code owners setting is non admin Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix branch protection applied not only to main branch Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Add alt text for images Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: You can get a perfect score with non admin access Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: update max tier scores Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: update tier 1 max points explanation Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Move changes to internal checks doc Move changes done in docs/checks.md to docs/checks/internal/checks.yaml. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Revert changes on checks doc Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix admin settings evaluated on branch protection Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Change branch protection model status checks Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Change tiers score to expected score The expected score for the code to output is 3/10 for Tier 1 case and 7/10 for Tier 3 case. The scoring issue will be reported as bug. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Fix Tier 3 score Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> --------- Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> Co-authored-by: Pedro Nacht <pedro.k.night@gmail.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Linter workflow cleanup (ossf#3247) * Fix linter timeout by renaming deprecated deadline. Signed-off-by: Spencer Schrock <sschrock@google.com> * Disable depguard linter. As of golangci-lint v3.5.0, the depguard linter is complaining. We don't use a .depguard.yml file, so just disabling the linter. Signed-off-by: Spencer Schrock <sschrock@google.com> * Move linter into own workflow. Signed-off-by: Spencer Schrock <sschrock@google.com> * Fix bash command substitution. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add harden runner. Signed-off-by: Spencer Schrock <sschrock@google.com> * switch names to existing linter job Signed-off-by: Spencer Schrock <sschrock@google.com> * Update golangci-lint to v1.53.3 Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump tj-actions/changed-files from 37.0.5 to 37.1.0 (ossf#3253) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.0.5 to 37.1.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@54849de...87e23c4) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump github.com/goreleaser/goreleaser in /tools (ossf#3252) Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.19.1 to 1.19.2. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](goreleaser/goreleaser@v1.19.1...v1.19.2) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump golang.org/x/tools from 0.10.0 to 0.11.0 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.10.0 to 0.11.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.10.0...v0.11.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Improve rate limit handling in roundtripper (ossf#3237) - Add rate limit testing and handling functionality - Add tests for successful response and Retry-After header set scenarios Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump tj-actions/changed-files from 37.1.0 to 37.1.1 (ossf#3259) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.0 to 37.1.1. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@87e23c4...1f20fb8) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump github.com/bradleyfalzon/ghinstallation/v2 (ossf#3260) Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.5.0 to 2.6.0. - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](bradleyfalzon/ghinstallation@v2.5.0...v2.6.0) --- updated-dependencies: - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱Add urls for opentelemetry, micrometer and new relic to weekly cron (ossf#3248) * add urls for opentelemetry and micrometer Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com> * add jakarta-activation url Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com> * adding json-path Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com> * fix uing make Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com> --------- Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🐛 Add npm installs to Pinned-Dependencies score (ossf#2960) * feat: Add npm install to pinned dependencies score Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix pinned dependencies evaluation tests Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, for "various wanrings" test, the total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix pinned dependencies e2e tests Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. The repo being tested, ossf-tests/scorecard-check-pinned-dependencies-e2e, has third-party GitHub actions pinned, no npm installs, and all other dependencies types are unpinned. This gives us 8 for actionScore, 10 for npmScore and 0 for all other scores. Previously the total score was 8/5~=1, and now the total score is 18/6=3. Also, since there are no npm installs, there's one more Info log for "npm installs are pinned". Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix typo Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Unpinned npm install score When having one unpinned npm install and all other dependencies pinned, the score should be 50/6~=8. Also, it should raise 1 warning for the unpinned npm install, 6 infos saying the other dependency types are pinned (2 for GHAs, 2 for dockerfile image and downdloads, 1 for script downdloads and 1 for pip installs), and 0 debug logs since the npm install dependency does not have an error message. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Undefined npm install score When an error happens to parse a npm install dependency, the error/debug message is saved in "Msg" field. In this case, we were not able to define if the npm install is pinned or not. This dependency is classified as pinned undefined. We treat such cases as pinned cases, so it logs as Info that npm installs are all pinned and counts the score as 10. Then, the final score makes it to 10 as well. Since it logs the error/debug message, the Debug log goes to 1. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix typo Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix "validate various warnings and info" test Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, this test total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: npm dependencies pinned log Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Remove test of error when parsing an npm dependency Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> --------- Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump github.com/moby/buildkit from 0.11.6 to 0.12.0 (ossf#3264) Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.11.6 to 0.12.0. - [Release notes](https://github.com/moby/buildkit/releases) - [Commits](moby/buildkit@v0.11.6...v0.12.0) --- updated-dependencies: - dependency-name: github.com/moby/buildkit dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * Ack linter warning and add tracking issue. (ossf#3263) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🐛 Forgive job-level permissions (ossf#3162) * Forgive all job-level permissions Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Update tests Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Replace magic number Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Rename test Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Test that multiple job-level permissions are forgiven Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Drop unused permissionIsPresent Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Update documentation Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Modify score descriptions Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Document warning for job-level permissions Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * List job-level permissions that get WARNed Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> --------- Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🐛 Fix typo (ossf#3267) Signed-off-by: Eugene Kliuchnikov <eustas@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 📖 Suggest new score viewer on badge documentation (ossf#3268) * docs(readme): suggest new score viewer on badge documentation Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * docs(readme): add link to ossf blogpost about the badge Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * docs: update badge of our own README to the new viewer Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> --------- Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump tj-actions/changed-files from 37.1.1 to 37.1.2 (ossf#3266) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.1 to 37.1.2. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@1f20fb8...2a968ff) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Update the cover profile for e2e (ossf#3271) - Update the cover profile for e2e Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Improve e2e workflow tests (ossf#3273) - Add e2e test for workflow runs - Retrieve successful runs of the scorecard-analysis.yml workflow Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Excluded dependabot from codecov (ossf#3272) - Exclude dependabot from codecov job in main.yml [.github/workflows/main.yml] - Exclude dependabot from codecov job Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Increase test coverage for searching commits (ossf#3276) - Add an e2e test for searching commits by author - Search commits by author `dependabot[bot]` and expect results Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🐛 Fix Branch-Protection scoring (ossf#3251) * fix: Verify if branch is required to be up to date before merge Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Comment tracking GraphQL bug Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Add validation if pointers are not null before accessing the values Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Delete debug log file Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> --------- Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * ✨ scdiff: generate cmd skeleton (ossf#3275) * add scdiff root command Signed-off-by: Spencer Schrock <sschrock@google.com> * Add generate boilerplate. Signed-off-by: Spencer Schrock <sschrock@google.com> * get rid of init Signed-off-by: Spencer Schrock <sschrock@google.com> * read newline delimitted repo file Signed-off-by: Spencer Schrock <sschrock@google.com> * Run scorecard and echo results. Signed-off-by: Spencer Schrock <sschrock@google.com> * add license Signed-off-by: Spencer Schrock <sschrock@google.com> * add basic runner tests. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add Runner comment. Signed-off-by: Spencer Schrock <sschrock@google.com> * switch to using scorecard logger. Signed-off-by: Spencer Schrock <sschrock@google.com> * linter fix Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Delete unused project-update functionality. (ossf#3269) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump tj-actions/changed-files from 37.1.2 to 37.3.0 (ossf#3280) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.2 to 37.3.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@2a968ff...3928317) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump github.com/google/osv-scanner from 1.3.5 to 1.3.6 (ossf#3281) Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.5 to 1.3.6. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](google/osv-scanner@v1.3.5...v1.3.6) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump gocloud.dev from 0.30.0 to 0.32.0 (ossf#3284) Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.30.0 to 0.32.0. - [Release notes](https://github.com/google/go-cloud/releases) - [Commits](google/go-cloud@v0.30.0...v0.32.0) --- updated-dependencies: - dependency-name: gocloud.dev dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Include attestor Dockerfile in CI and dependabot updates (ossf#3285) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump tj-actions/changed-files from 37.3.0 to 37.4.0 Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.3.0 to 37.4.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@3928317...de0eba3) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump google-appengine/debian11 in /attestor Bumps google-appengine/debian11 from `fed7dd5` to `97dc4fb`. --- updated-dependencies: - dependency-name: google-appengine/debian11 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump github.com/xanzy/go-gitlab from 0.86.0 to 0.88.0 Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.86.0 to 0.88.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](xanzy/go-gitlab@v0.86.0...v0.88.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Use a matrix for docker image building (ossf#3290) * working matrix. Signed-off-by: Spencer Schrock <sschrock@google.com> * Remove unneeded env vars. Add comments. Signed-off-by: Spencer Schrock <sschrock@google.com> * minor syntax change. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Improve e2e workflow tests (ossf#3282) - Ensure that only head queries are supported in workflow tests - Add a test to detect when a non-existent workflow file is used [e2e/workflow_test.go] - Add a test to check that only head queries are supported - Add a test to check that a non-existent workflow file returns an error Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Use a matrix for when building binaries in main.yml (ossf#3291) * Use matrix for build jobs. Signed-off-by: Spencer Schrock <sschrock@google.com> * These build targets dont seem to need protoc. This lets us save the API quota. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Fix hanging docker jobs for doc only changes. (ossf#3292) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 📖 Add contributor ladder (ossf#3246) * Add contributor ladder Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Clarify sponsorship Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Hope for retirement warning Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * 1 maintainer can sponsor a community member Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Apply suggestions from code review Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Pedro Nacht <pedro.k.night@gmail.com> --------- Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> Signed-off-by: Pedro Nacht <pedro.k.night@gmail.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Consolidate GitLab e2e workflows. (ossf#3278) * Move gitlab to different workflow to parallelize. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add missing versions. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Add separate cache for long-running tests (ossf#3293) * Add separate cache for unit tests. Signed-off-by: Spencer Schrock <sschrock@google.com> * share cache with gitlab tests too. Signed-off-by: Spencer Schrock <sschrock@google.com> * share cache with github integration tests. Signed-off-by: Spencer Schrock <sschrock@google.com> * explicitly download modules in unit test job Signed-off-by: Spencer Schrock <sschrock@google.com> * checkout needs to be before the go.mod is read. Signed-off-by: Spencer Schrock <sschrock@google.com> * checkout needs to be before the go.sum files are hashed. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.0 (ossf#3297) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.7.0 to 5.8.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](go-git/go-git@v5.7.0...v5.8.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Bump github.com/onsi/gomega from 1.27.8 to 1.27.9 (ossf#3298) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.8 to 1.27.9. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.27.8...v1.27.9) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Improve search commit e2e tests (ossf#3295) - Add 2 tests for searching commits in e2e/searchCommits_test.go - Fix errors in e2e/searchCommits_test.go when not using HEAD or when user does not exist [e2e/searchCommits_test.go] - Add 2 tests for searching commits - Fix error when not using HEAD - Fix error when user does not exist Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 📖 update docs for webhooks documentation (ossf#3299) * update docs for webhooks documentation Signed-off-by: leec94 <leec94@bu.edu> * change webhook severity in readme Signed-off-by: leec94 <leec94@bu.edu> --------- Signed-off-by: leec94 <leec94@bu.edu> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Unit tests OSSFuzz client (ossf#3301) * 🌱 Unit tests OSSFuzz client - Included tests for IsArchived, LocalPath, ListFiles, GetFileContent, GetBranch, GetDefaultBranch, GetOrgRepoClient, GetDefaultBranchName, ListCommits, ListIssues, ListReleases, ListContributors, ListSuccessfulWorkflowRuns, ListCheckRunsForRef, ListStatuses, ListWebhooks, SearchCommits, Close, ListProgrammingLanguages, Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> * Improve OSSFuzz client tests [clients/ossfuzz/client_test.go] - Add a test for the `GetCreatedAt` method - Fix the `URI` method to return the correct value Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * 🌱 Ensure check markdown is kept in sync with source yaml. (ossf#3300) * Ensure check markdown is kept in sync with check yaml. Signed-off-by: Spencer Schrock <sschrock@google.com> * change generate-docs target to detect changes to docs/checks.md directly. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: André Backman <andre.backman@nokia.com> * Update def.yml license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * Update def.yml license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * Update def.yml license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * Update code_review.go license Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * Update entries.go; CodeReviewChecks now called CodeReview Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> Signed-off-by: André Backman <andre.backman@nokia.com> * refactor codeReviewTwoReviewers; moved utility functions into impl.go Signed-off-by: André Backman <andre.backman@nokia.com> * Update impl.go, refactor codeReviewTwoReviewers; moved utility functions into impl.go Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * Update go.mod, aligned imports Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> * update license comments Signed-off-by: André Backman <andre.backman@nokia.com> * update license comments Signed-off-by: André Backman <andre.backman@nokia.com> * change EOL = CRLF to LF Signed-off-by: André Backman <andre.backman@nokia.com> * add error handling in case of no changesets Signed-off-by: André Backman <andre.backman@nokia.com> * completed tests for code-review probes Signed-off-by: André Backman <andre.backman@nokia.com> * update codeReview probes and utils Signed-off-by: André Backman <andre.backman@nokia.com> * fixed some lint errors, check for more Signed-off-by: André Backman <andre.backman@nokia.com> * fixed lint issues Signed-off-by: André Backman <andre.backman@nokia.com> * fix lint errors Signed-off-by: André Backman <andre.backman@nokia.com> * add test for multiple reviews with only one unique reviewer Signed-off-by: André Backman <andre.backman@nokia.com> * simplify func uniqueReviewers, use map[string]bool Signed-off-by: André Backman <andre.backman@nokia.com> * fix linting error Signed-off-by: André Backman <andre.backman@nokia.com> * moved probe tests to their own function Signed-off-by: André Backman <andre.backman@nokia.com> * fix comment syntax Signed-off-by: André Backman <andre.backman@nokia.com> * gci-ed files to fix linter errors Signed-off-by: André Backman <andre.backman@nokia.com> * implement change to skip bot-authored changesets that are reviewed/approved Signed-off-by: André Backman <andre.backman@nokia.com> * rewrite finding message Signed-off-by: André Backman <andre.backman@nokia.com> * fix output message; do not count the number of approved bot-authored changesets Signed-off-by: André Backman <andre.backman@nokia.com> * fix typos Signed-off-by: André Backman <andre.backman@nokia.com> * moved probe tests to their corresponding location Signed-off-by: André Backman <andrebackmann@gmail.com> * removed redundant probe codeReviewed Signed-off-by: André Backman <andrebackmann@gmail.com> * Update probes/codeApproved/def.yml Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com> * Update probes/codeApproved/def.yml Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com> * Update probes/codeApproved/def.yml Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com> * Update probes/codeApproved/def.yml Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com> * Update probes/codeApproved/def.yml Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com> * Update probes/codeReviewOneReviewers/def.yml Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com> * Lint Signed-off-by: Raghav Kaul <raghavkaul@google.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: André Backman <andre.backman@nokia.com> Signed-off-by: André Backman <88145164+andrelmbackman@users.noreply.github.com> Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Ajmal Kottilingal <ajmal.kottilingal@transferwise.com> Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> Signed-off-by: Eugene Kliuchnikov <eustas@google.com> Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> Signed-off-by: Pedro Nacht <pedro.k.night@gmail.com> Signed-off-by: leec94 <leec94@bu.edu> Signed-off-by: André Backman <andrebackmann@gmail.com> Signed-off-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com> Signed-off-by: Raghav Kaul <raghavkaul@google.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: André Backman <andre.backman@nokia.com> Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com> Co-authored-by: Gabriela Gutierrez <gabigutierrez@google.com> Co-authored-by: Pedro Nacht <pedro.k.night@gmail.com> Co-authored-by: Spencer Schrock <sschrock@google.com> Co-authored-by: Ajmal Kottilingal <90693406+ajmalab@users.noreply.github.com> Co-authored-by: Pedro Nacht <pnacht@google.com> Co-authored-by: Eugene Kliuchnikov <eustas@google.com> Co-authored-by: Diogo Teles Sant'Anna <diogoteles@google.com> Co-authored-by: Caroline <leec94@bu.edu> Co-authored-by: jitsengupta17 <145664639+jitsengupta17@users.noreply.github.com> Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Co-authored-by: gowriNSN <143079242+gowriNSN@users.noreply.github.com> Co-authored-by: Raghav Kaul <raghavkaul@google.com>

Signed-off-by: lelia <le1ia@me.com>

* spelling: accurate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: administrator Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: analyze Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: andtwenty Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: ascii Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: association Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: at least Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: attestor Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: barbaric Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: bucket Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: by Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: can Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: case-insensitive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: case-sensitive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: checking Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: command-line Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: commit Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: committed Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: conclusion Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: corresponding Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: created Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dataset Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: default Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: defines Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dependabot Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: dependency Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: depending Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: desired Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: different Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: disclose Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: download Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: each Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: enforce Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: every time Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: exist Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: existing Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: fields Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: files Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: for Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: force-push Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: github Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: gitlab Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: ignoreed Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: implementation Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: implements Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: increase Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: indicates Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: initialized Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: instructions Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: invalid Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: marshal Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: match Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: name Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: nonexistent Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: organization Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: package Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: provenance Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: query Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: readers Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: receive Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: registered Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: remediate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: representation Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: requests Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: requires Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: return Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: scorecard Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: separator Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: serialization Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: sign up Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: specifications Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: specified Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: success Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: successfully Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: the Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: their Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: twenty Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unexpected Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unused Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: unverified Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: validate Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vendor Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vulnerabilities Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: vulns Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: will Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: without Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: workflow Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> * spelling: workflows Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --------- Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

) also organize the list in order of appearance on website. this makes it easier to compare. Signed-off-by: Spencer Schrock <sschrock@google.com>

Bumps the github-actions group with 3 updates: [tj-actions/changed-files](https://github.com/tj-actions/changed-files), [codecov/codecov-action](https://github.com/codecov/codecov-action) and [actions/upload-artifact](https://github.com/actions/upload-artifact). Updates `tj-actions/changed-files` from 42.0.0 to 42.0.2 - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@ae82ed4...90a06d6) Updates `codecov/codecov-action` from 3.1.4 to 3.1.5 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@eaaf4be...4fe8c5f) Updates `actions/upload-artifact` from 4.2.0 to 4.3.0 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@694cdab...26f96df) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.18.0 to 0.19.0. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](google/go-containerregistry@v0.18.0...v0.19.0) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* test failures should print the details they receive this makes debugging failing tests easier. Signed-off-by: Spencer Schrock <sschrock@google.com> * use GinkgoTB so the test helpers work instead of panicing Signed-off-by: Spencer Schrock <sschrock@google.com> * ValidateTestReturn will fail the test directly, no need for the bool return Signed-off-by: Spencer Schrock <sschrock@google.com> * clarify diff details Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>

…onent (ossf#3819) * Add GL_HOST env flag Self-hosted instances which dont use a subdomain result in broken API links. This change may not be finished, but is intended to evaluate the solution. Previously, self hosted instances where the instance is part of the path (foo.com/gitlab/owner/repo) would have their API base URL registered as foo.com/api/v4/ instead of foo.com/gitlab/api/v4/ Signed-off-by: Spencer Schrock <sschrock@google.com> * include token in gitlab project probe Signed-off-by: Spencer Schrock <sschrock@google.com> * consider GL_HOST when parsing gitlab repo urls Signed-off-by: Spencer Schrock <sschrock@google.com> * remove unneeded GL_HOST parsing now that repoURL_parse handles GL_HOST, we dont need it elsewhere. Signed-off-by: Spencer Schrock <sschrock@google.com> * cleanup Signed-off-by: Spencer Schrock <sschrock@google.com> * mention GL_HOST in readme Signed-off-by: Spencer Schrock <sschrock@google.com> * fix linter Signed-off-by: Spencer Schrock <sschrock@google.com> * handle GL_HOST without scheme Signed-off-by: Spencer Schrock <sschrock@google.com> * move api-less check earlier if we can avoid an API call, do it. Signed-off-by: Spencer Schrock <sschrock@google.com> * try listing projects with and without auth token Signed-off-by: Spencer Schrock <sschrock@google.com> * fix linter Signed-off-by: Spencer Schrock <sschrock@google.com> * revert passing token to list projects the simpler the better Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>

* 🌱 Bump github.com/google/osv-scanner from 1.6.1 to 1.6.2 Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.6.1 to 1.6.2. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](google/osv-scanner@v1.6.1...v1.6.2) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * specify go patch version go mod tidy requires this. I was able to delete the toolchain directive, and it wasn't added back. Signed-off-by: Spencer Schrock <sschrock@google.com> * bump dockerfiles to 1.21.6 so the build works Signed-off-by: Spencer Schrock <sschrock@google.com> * bump go version used in codeql workflow github runners currently use Go 1.20 by default, which doesn't understand 1.21.x format. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Spencer Schrock <sschrock@google.com>

Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.12.4 to 0.12.5. - [Release notes](https://github.com/moby/buildkit/releases) - [Commits](moby/buildkit@v0.12.4...v0.12.5) --- updated-dependencies: - dependency-name: github.com/moby/buildkit dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…sion

spencerschrock and others added 30 commits September 12, 2023 17:55

Update URI() for GitLab repos. Add fuzzing test (ossf#3477)

f7f75d0

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

📖 Add webviewer link (ossf#3490)

5c93fe6

* Update README.md Add link to webviewer * Update faq.md Update webviewer link in FAQ * Update README.md Typo * Update faq.md Linebreak

🌱 workflows/stale: Remove issue auto-close (ossf#3493)

893a472

📖 Add gitlab links to viewer example (ossf#3494)

fe7906f

* Update README.md Signed-off-by: olivekl <olivekl@google.com> * Update faq.md Signed-off-by: olivekl <olivekl@google.com> --------- Signed-off-by: olivekl <olivekl@google.com>

🐛 Fix npe for GitLab repos without license API data (ossf#3500)

0ce62a8

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

🌱 Switch test import to remove gotest.tools dependency. (ossf#3501)

fd12f6a

Signed-off-by: Spencer Schrock <sschrock@google.com>

🐛 Set repo commit SHA in results after fetching successfully. (ossf#3514

bbd673c

) Signed-off-by: Spencer Schrock <sschrock@google.com>

🌱 Don't close stale issues explicitly (ossf#3513)

6aa3bcc

Issues are still getting closed after ossf#3493. I assume there's a default value being used somewhere. Signed-off-by: Spencer Schrock <sschrock@google.com>

dependabot bot and others added 24 commits January 19, 2024 08:53

🌱 Add active cisco-open projects to cronjob (ossf#3822)

da3e5ad

Signed-off-by: lelia <le1ia@me.com>

✨ dependency-update-tool: detect GitLab Renovate config files (ossf#3823

301208c

) also organize the list in order of appearance on website. this makes it easier to compare. Signed-off-by: Spencer Schrock <sschrock@google.com>

Merge remote-tracking branch 'upstream/main' into upgradeScorecardVer…

df5e563

…sion

cx-monicac had a problem deploying to gitlab February 14, 2024 11:43 — with GitHub Actions Failure

cx-monicac had a problem deploying to integration-test February 14, 2024 11:43 — with GitHub Actions Failure

cx-monicac requested a review from diogo-fjrocha February 14, 2024 11:43

cx-monicac had a problem deploying to gitlab February 21, 2024 14:01 — with GitHub Actions Failure

diogo-fjrocha approved these changes Feb 28, 2024

View reviewed changes

cx-monicac merged commit 40961d3 into main Feb 28, 2024
32 of 38 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Upgrade scorecard version #1

Upgrade scorecard version #1

cx-monicac commented Feb 14, 2024

Upgrade scorecard version #1

Upgrade scorecard version #1

Conversation

cx-monicac commented Feb 14, 2024

What kind of change does this PR introduce?

What is the current behavior?

What is the new behavior (if this is a feature change)?**

Which issue(s) this PR fixes

Special notes for your reviewer

Does this PR introduce a user-facing change?