🌱 Commit depth for GitLab #3671
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ashearin
requested review from
justaugustus and
laurentsimon
and removed request for
a team
* feat: Add npm install to pinned dependencies score Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix pinned dependencies evaluation tests Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, for "various wanrings" test, the total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix pinned dependencies e2e tests Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. The repo being tested, ossf-tests/scorecard-check-pinned-dependencies-e2e, has third-party GitHub actions pinned, no npm installs, and all other dependencies types are unpinned. This gives us 8 for actionScore, 10 for npmScore and 0 for all other scores. Previously the total score was 8/5~=1, and now the total score is 18/6=3. Also, since there are no npm installs, there's one more Info log for "npm installs are pinned". Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix typo Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Unpinned npm install score When having one unpinned npm install and all other dependencies pinned, the score should be 50/6~=8. Also, it should raise 1 warning for the unpinned npm install, 6 infos saying the other dependency types are pinned (2 for GHAs, 2 for dockerfile image and downdloads, 1 for script downdloads and 1 for pip installs), and 0 debug logs since the npm install dependency does not have an error message. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Undefined npm install score When an error happens to parse a npm install dependency, the error/debug message is saved in "Msg" field. In this case, we were not able to define if the npm install is pinned or not. This dependency is classified as pinned undefined. We treat such cases as pinned cases, so it logs as Info that npm installs are all pinned and counts the score as 10. Then, the final score makes it to 10 as well. Since it logs the error/debug message, the Debug log goes to 1. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix typo Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Fix "validate various warnings and info" test Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, this test total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3. Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: npm dependencies pinned log Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * test: Remove test of error when parsing an npm dependency Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> --------- Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.11.6 to 0.12.0. - [Release notes](https://github.com/moby/buildkit/releases) - [Commits](moby/buildkit@v0.11.6...v0.12.0) --- updated-dependencies: - dependency-name: github.com/moby/buildkit dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* Forgive all job-level permissions Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Update tests Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Replace magic number Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Rename test Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Test that multiple job-level permissions are forgiven Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Drop unused permissionIsPresent Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Update documentation Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Modify score descriptions Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Document warning for job-level permissions Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * List job-level permissions that get WARNed Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> --------- Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Signed-off-by: Eugene Kliuchnikov <eustas@google.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* docs(readme): suggest new score viewer on badge documentation Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * docs(readme): add link to ossf blogpost about the badge Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * docs: update badge of our own README to the new viewer Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> --------- Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.1 to 37.1.2. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@1f20fb8...2a968ff) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
- Update the cover profile for e2e Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
- Add e2e test for workflow runs - Retrieve successful runs of the scorecard-analysis.yml workflow Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
- Exclude dependabot from codecov job in main.yml [.github/workflows/main.yml] - Exclude dependabot from codecov job Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
- Add an e2e test for searching commits by author - Search commits by author `dependabot[bot]` and expect results Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* fix: Verify if branch is required to be up to date before merge Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * docs: Comment tracking GraphQL bug Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Add validation if pointers are not null before accessing the values Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> * fix: Delete debug log file Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> --------- Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* add scdiff root command Signed-off-by: Spencer Schrock <sschrock@google.com> * Add generate boilerplate. Signed-off-by: Spencer Schrock <sschrock@google.com> * get rid of init Signed-off-by: Spencer Schrock <sschrock@google.com> * read newline delimitted repo file Signed-off-by: Spencer Schrock <sschrock@google.com> * Run scorecard and echo results. Signed-off-by: Spencer Schrock <sschrock@google.com> * add license Signed-off-by: Spencer Schrock <sschrock@google.com> * add basic runner tests. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add Runner comment. Signed-off-by: Spencer Schrock <sschrock@google.com> * switch to using scorecard logger. Signed-off-by: Spencer Schrock <sschrock@google.com> * linter fix Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.2 to 37.3.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@2a968ff...3928317) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.5 to 1.3.6. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](google/osv-scanner@v1.3.5...v1.3.6) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.30.0 to 0.32.0. - [Release notes](https://github.com/google/go-cloud/releases) - [Commits](google/go-cloud@v0.30.0...v0.32.0) --- updated-dependencies: - dependency-name: gocloud.dev dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.3.0 to 37.4.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@3928317...de0eba3) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps google-appengine/debian11 from `fed7dd5` to `97dc4fb`. --- updated-dependencies: - dependency-name: google-appengine/debian11 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.86.0 to 0.88.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](xanzy/go-gitlab@v0.86.0...v0.88.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* working matrix. Signed-off-by: Spencer Schrock <sschrock@google.com> * Remove unneeded env vars. Add comments. Signed-off-by: Spencer Schrock <sschrock@google.com> * minor syntax change. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
- Ensure that only head queries are supported in workflow tests - Add a test to detect when a non-existent workflow file is used [e2e/workflow_test.go] - Add a test to check that only head queries are supported - Add a test to check that a non-existent workflow file returns an error Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* Use matrix for build jobs. Signed-off-by: Spencer Schrock <sschrock@google.com> * These build targets dont seem to need protoc. This lets us save the API quota. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* Add contributor ladder Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Clarify sponsorship Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Hope for retirement warning Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * 1 maintainer can sponsor a community member Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Apply suggestions from code review Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Pedro Nacht <pedro.k.night@gmail.com> --------- Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> Signed-off-by: Pedro Nacht <pedro.k.night@gmail.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.55.0 to 1.55.1. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](golangci/golangci-lint@v1.55.0...v1.55.1) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
…3634) * 🌱 Update stale workflow to exempt Structured Results milestone * Removed duplicate line, updated stale-pr-message, and removed custom stale labels Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.4+incompatible to 24.0.7+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](moby/moby@v24.0.4...v24.0.7) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.6+incompatible to 24.0.7+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](moby/moby@v24.0.6...v24.0.7) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.2.4 to 1.3.0. - [Release notes](https://github.com/go-logr/logr/releases) - [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md) - [Commits](go-logr/logr@v1.2.4...v1.3.0) --- updated-dependencies: - dependency-name: github.com/go-logr/logr dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.9.0 to 5.10.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](go-git/go-git@v5.9.0...v5.10.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.28.1 to 1.29.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.28.1...v1.29.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.56.0 to 1.57.1. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@bigquery/v1.56.0...bigquery/v1.57.1) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
For now, this is just producing very long detail strings. Probably negatively affecting cron results Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.7.0 to 1.8.0. - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](spf13/cobra@v1.7.0...v1.8.0) --- updated-dependencies: - dependency-name: github.com/spf13/cobra dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* 🌱 Convert Dangerous Workflow check to probes Signed-off-by: AdamKorcz <adam@adalogics.com> * remove hasAnyWorkflows probe Signed-off-by: AdamKorcz <adam@adalogics.com> * combine two conditionals into one Signed-off-by: AdamKorcz <adam@adalogics.com> * preserve logging from original evaluation Signed-off-by: AdamKorcz <adam@adalogics.com> * rebase Signed-off-by: AdamKorcz <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* Convert SAST checks to probes Signed-off-by: AdamKorcz <adam@adalogics.com> * Update checks/evaluation/sast.go Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> * preserve file info when logging positive Sonar findings Signed-off-by: AdamKorcz <adam@adalogics.com> * rebase Signed-off-by: AdamKorcz <adam@adalogics.com> * Remove warning logging Signed-off-by: AdamKorcz <adam@adalogics.com> * add outcome and message to finding on the same line Signed-off-by: AdamKorcz <adam@adalogics.com> * codeql workflow -> codeql action Signed-off-by: AdamKorcz <adam@adalogics.com> * 'the Sonar' -> 'Sonar' in probe def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * fix typo Signed-off-by: AdamKorcz <adam@adalogics.com> * Change how probe creates location Signed-off-by: AdamKorcz <adam@adalogics.com> * Change names of values Signed-off-by: AdamKorcz <adam@adalogics.com> * change 'SAST tool detected: xx' to 'SAST tool installed: xx' Signed-off-by: AdamKorcz <adam@adalogics.com> * make text in probe def.yml easier to read Signed-off-by: AdamKorcz <adam@adalogics.com> * Change 'to' to 'two' Signed-off-by: AdamKorcz <adam@adalogics.com> * Minor change Signed-off-by: AdamKorcz <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.4.2 to 1.4.3. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](google/osv-scanner@v1.4.2...v1.4.3) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.13.0 to 0.14.0. - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.13.0...v0.14.0) --- updated-dependencies: - dependency-name: golang.org/x/text dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.55.1 to 1.55.2. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](golangci/golangci-lint@v1.55.1...v1.55.2) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* Continue on error detecting OS Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Add tests for error detecting OS Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Add ElementError to identify elements that errored Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Add Incomplete field to PinningDependenciesData Will store all errors handled during analysis, which may lead to incomplete results. Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Register job steps that errored out Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Add tests that incomplete steps are caught Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Add warnings to details about incomplete steps Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Add tests that incomplete steps generate warnings Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Register shell files skipped due to parser errors Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Add tests showing when parser errors affect analysis Dockerfile pinning is not affected. Everything in a 'broken' Dockerfile RUN block is ignored Everything in a 'broken' shell script is ignored testdata/script-invalid.sh modified to demonstrate the above Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Incomplete results logged as Info, not Warn Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Remove `Type` from logging of incomplete results Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Update tests after rebase Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Add Unwrap for ElementError, improve its docs Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Add ElementError case to evaluation unit test Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Move ElementError to checker/raw_result checker/raw_result defines types used to describe analysis results. ElementError is meant to describe potential flaws in the analysis and is therefore a sort of analysis result itself. Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Use finding.Location for ElementError.Element Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Use an ElementError for script parser errors Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Replace .Incomplete []error with .ProcessingErrors []ElementError Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> * Adopt from reviewer comments - Replace ElementError's `Element *finding.Location` with `Location finding.Location` - Rename ErrorJobOSParsing to ErrJobOSParsing to satisfy linter - Fix unit test Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> --------- Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.1.0 to 3.1.2. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@6c5ccda...fde92ac) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [kubernetes-sigs/kubebuilder-release-tools](https://github.com/kubernetes-sigs/kubebuilder-release-tools) from 0.4.0 to 0.4.2. - [Release notes](https://github.com/kubernetes-sigs/kubebuilder-release-tools/releases) - [Changelog](https://github.com/kubernetes-sigs/kubebuilder-release-tools/blob/master/RELEASE.md) - [Commits](kubernetes-sigs/kubebuilder-release-tools@d8367c2...3c34113) --- updated-dependencies: - dependency-name: kubernetes-sigs/kubebuilder-release-tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.2.3 to 40.1.1. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@95690f9...25ef392) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.1.2 to 3.2.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@11086d2...1fc5bd3) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.4.0 to 2.4.1. - [Release notes](https://github.com/slsa-framework/slsa-verifier/releases) - [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md) - [Commits](slsa-framework/slsa-verifier@v2.4.0...v2.4.1) --- updated-dependencies: - dependency-name: slsa-framework/slsa-verifier dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.29.0 to 1.30.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.29.0...v1.30.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* switch ossfuzz test to smaller repo tensorflow/tensorflow is huge, and this causes the test to take forever. locally this reduces the test time from 17 to 2.4 seconds Signed-off-by: Spencer Schrock <sschrock@google.com> * reuse scorecard results for scorecard attestor policies previously this test took 27 seconds locally, and now takes 8. which is split across 3 subtests: good repos: 1s bad repos: 5s code review policies: 2s Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
…ssf#3632) * 🌱 Add dependency remediation in raw results instead of at log time Signed-off-by: AdamKorcz <adam@adalogics.com> * add unit test Signed-off-by: AdamKorcz <adam@adalogics.com> * add unit test Signed-off-by: AdamKorcz <adam@adalogics.com> * return error Signed-off-by: AdamKorcz <adam@adalogics.com> * use pointer to dependency Signed-off-by: AdamKorcz <adam@adalogics.com> * check for errors in test Signed-off-by: AdamKorcz <adam@adalogics.com> * Return nil if repo client returns an error from unsupported feature Signed-off-by: AdamKorcz <adam@adalogics.com> * revert error checking Signed-off-by: AdamKorcz <adam@adalogics.com> * revert returning nil is unsupported feature Signed-off-by: AdamKorcz <adam@adalogics.com> * Fix wrong test name Signed-off-by: AdamKorcz <adam@adalogics.com> * only create remediation when required Signed-off-by: AdamKorcz <adam@adalogics.com> * remove remediation helper function Signed-off-by: AdamKorcz <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
actions which influence the build/release process are excluded. dependabot will send individual updates for those. Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
ashearin
force-pushed
the
commit-depth
branch
from
1c79121
to
b3ed1f0
Compare
|
Closing, will start a fresh branch and reopen |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What kind of change does this PR introduce?
Bug fix for #2828, reopening of #2829
What is the current behavior?
The new gitlab functionality is not using the parameter --commit-depth in querying the gitlab repo for commits. In addition the defaulted value of 30 was not being used either, for the same reason.
What is the new behavior (if this is a feature change)?**
Which issue(s) this PR fixes
Fixes #2828
Special notes for your reviewer
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to
the
release-note(In particular, describe what changes users might need to make in their
application as a result of this pull request.)