forked from ossf/scorecard
Test #4
+544
−214
…ke changes As discussed at the issue ossf#2727, we're adding the "require PRs prior to make changes" as another requirement to tier 2. In addition to that, we're changing the weight of the tier 2 requirements so that "requiring 1 reviewer" has weight 2, while the other tier 2 requirements have weight 1. Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
1. Adapt previous test cases to consider that now we'll have an additional Info log telling that the project requires PRs to make changes. 2. Add more cases to test relevant use cases on the tier 2 level of branch protection. Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
…quirement of require PRs to make changes It adds the new tier 2 requirement, but also specifies that the "require at least 1 reviewer" will have doubled weight. Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
…ce readability Made some nice-to-have improvements on project readability, making it easier to understand how the branch-protection score is computed. Also unified 8 different functions that were doing basically the same thing. Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* Update docs for signed-releases Signed-off-by: Raghav Kaul <[email protected]> * update docs Signed-off-by: Raghav Kaul <[email protected]> --------- Signed-off-by: Raghav Kaul <[email protected]> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* bump actionlint. Signed-off-by: Spencer Schrock <[email protected]> * fix unit tests. Signed-off-by: Spencer Schrock <[email protected]> * include latest update. Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.10 to 1.28.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.27.10...v1.28.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* feat: Create output file argument Signed-off-by: Gabriela Gutierrez <[email protected]> * feat: Write results to output file Signed-off-by: Gabriela Gutierrez <[email protected]> * fix: Default results format output Print results headline to output, which may be a file. Signed-off-by: Gabriela Gutierrez <[email protected]> * feat: Log start and end of checks work to console Independent of the logs being output to console or a file, the information on which checks are running is still relevant. Now, we always log this info to the console. Signed-off-by: Gabriela Gutierrez <[email protected]> * test: Fix options unit tests Signed-off-by: Gabriela Gutierrez <[email protected]> * test: Output option content and shorthand Signed-off-by: Gabriela Gutierrez <[email protected]> * test: Output to file with correct format Signed-off-by: Gabriela Gutierrez <[email protected]> * test: Fix helper function with linter error Signed-off-by: Gabriela Gutierrez <[email protected]> * fix: Define output to console or file inside FormatResults Signed-off-by: Gabriela Gutierrez <[email protected]> * fix: Remove intermediate variable to define output Signed-off-by: Gabriela Gutierrez <[email protected]> * test: Fix error log Signed-off-by: Gabriela Gutierrez <[email protected]> * fix: Close output file before write results Signed-off-by: Gabriela Gutierrez <[email protected]> * test: Fix unit test Signed-off-by: Gabriela Gutierrez <[email protected]> * test: Fix remove file even if test fails Signed-off-by: Gabriela Gutierrez <[email protected]> * test: Fix fail test cases Fail test if cannot format results or cannot read real or expected outputs. 
Signed-off-by: Gabriela Gutierrez <[email protected]> * fix: Copyright notice year and license header spacing Signed-off-by: Gabriela Gutierrez <[email protected]> * fix: Rename Output to ResultsFile Signed-off-by: Gabriela Gutierrez <[email protected]> * fix: Linter errors Signed-off-by: Gabriela Gutierrez <[email protected]> * Revert "feat: Log start and end of checks work to console" This reverts commit c4a00a5. Signed-off-by: Gabriela Gutierrez <[email protected]> * fix: Print results headline in default format Signed-off-by: Gabriela Gutierrez <[email protected]> * test: Fix default format result test Signed-off-by: Gabriela Gutierrez <[email protected]> * fix: Close output only when it's file Signed-off-by: Gabriela Gutierrez <[email protected]> * fix: Linter error Signed-off-by: Gabriela Gutierrez <[email protected]> --------- Signed-off-by: Gabriela Gutierrez <[email protected]> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.5.1 to 2.6.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@8ca2b8b...1b05615) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.1.2 to 39.2.1. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@4196030...db153ba) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* fix typo Signed-off-by: omahs <[email protected]> * fix typos Signed-off-by: omahs <[email protected]> * fix typo Signed-off-by: omahs <[email protected]> * fix typo Co-authored-by: Raghav Kaul <[email protected]> Signed-off-by: omahs <[email protected]> * fix typos Signed-off-by: omahs <[email protected]> --------- Signed-off-by: omahs <[email protected]> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* feat: broaden job matcher for semantic release Signed-off-by: secustor <[email protected]> * tests(checks/permissions): add tests for semantic release if using pnpm and yarn Signed-off-by: secustor <[email protected]> --------- Signed-off-by: secustor <[email protected]> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [nick-invision/retry](https://github.com/nick-invision/retry) from 2.8.3 to 2.9.0. - [Release notes](https://github.com/nick-invision/retry/releases) - [Changelog](https://github.com/nick-fields/retry/blob/master/.releaserc.js) - [Commits](nick-fields/retry@943e742...1467290) --- updated-dependencies: - dependency-name: nick-invision/retry dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.92.1 to 0.92.3. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](xanzy/go-gitlab@v0.92.1...v0.92.3) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/otiai10/copy](https://github.com/otiai10/copy) from 1.12.0 to 1.14.0. - [Release notes](https://github.com/otiai10/copy/releases) - [Commits](otiai10/copy@v1.12.0...v1.14.0) --- updated-dependencies: - dependency-name: github.com/otiai10/copy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Previously, at the evaluation part of branch protection, the values nil and false or zero were sort of interchangeable. This commit changes the code to set as nil only the data that could not be retrieved from GitHub -- all the others would have values as false, zero, true, etc. Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
…oherent 1. Add new test to evaluate how we're interpreting a rule with all checkboxes unchecked (most shouldn't be nil) 2. Adapt existing tests to expect non-nil values for unchecked checkboxes. Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Changes some pieces of code to prefer using pointers of bool instantiated independently. If reusing bool pointers, at some piece of code the value of the bool could be inadvertently changed and it would change the value of all other fields reusing that pointer. Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
…dmin At the evaluation step we were using some non-trusted fields of the response to evaluate if Scorecard was run as admin or not. Now we're using a field provided directly from the client file. Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
…o or not After the last commit, the client will tell the evaluation files if Scorecard was run by an administrator or not (i.e., if we have all the info). This commit adapts the tests to also provide this info. Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
- 2 warns (for 'last push approval' and 'codeowners review' disabled) were added because now that information comes as 'not-nil' at the evaluation part. - 1 info was added to say that PRs are required to make changes. - 1 debug was removed because it said that we couldn't retrieve 'last push approval' information, but we actually can. It was just incorrectly set as nil. Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Reverts commit 64c3521 and commit e2662b7. Both had changes around using the clients/branch.go structure to store the information of whether Scorecard was being run by admin or not. We decided not to change this structure for this purpose. Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
…tead of value At clients.BranchProtectionRule struct, changing RequiredPullRequestReviews to be a pointer instead of a struct value. This will allow the usage of the nil value of this structure to mean that we can't say if the repository requires reviews or not. Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
we don't know if they require PRs The nil value of the struct RequiredPullRequestReviews will now mean that we can't tell whether the project requires PRs to make changes or not. When we get this case, we're printing a debug informing that we don't have this data, but also printing a warn saying that they don't require reviews, because that will be true in this case. Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
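The three commits above (independently allocated bool pointers, RequiredPullRequestReviews as a pointer, and nil meaning "unknown") describe one design pattern: a tri-state field where nil means the data could not be retrieved, while &false and &true are real, retrieved settings. The Go program below is an added illustration of that pattern and is not Scorecard's code; the types reviewSettings, protectionRule and finding, and the functions boolPtr, evaluateReviews and sharedPointerPitfall, are hypothetical names chosen for the example. It shows why a shared *bool is unsafe when settings are mutated, and how the evaluation maps nil to a debug plus a warn exactly as the commit message describes.

```go
package main

import "fmt"

// reviewSettings is a hypothetical tri-state settings block (not Scorecard's
// own type): nil means "could not be retrieved", &false means "retrieved and
// disabled", &true means "retrieved and enabled".
type reviewSettings struct {
	RequiredApprovingReviewCount int
	DismissStaleReviews          *bool
	RequireCodeOwnerReviews      *bool
	RequireLastPushApproval      *bool
}

// protectionRule keeps the reviews block behind a pointer so that nil can
// mean "we cannot tell whether pull requests are required at all".
type protectionRule struct {
	RequiredPullRequestReviews *reviewSettings
}

// finding is a log line the evaluation would emit.
type finding struct {
	Level string // "debug", "info" or "warn"
	Msg   string
}

// boolPtr returns a freshly allocated *bool. Every call yields a distinct
// address, so no two fields can alias the same underlying value.
func boolPtr(v bool) *bool {
	return &v
}

// evaluateReviews turns the tri-state fields into findings: a nil reviews
// block produces a debug (data missing) plus a warn (reviews not required);
// a present block produces an info that PRs are required, then one warn per
// disabled checkbox and one debug per checkbox that could not be retrieved.
func evaluateReviews(r protectionRule) []finding {
	if r.RequiredPullRequestReviews == nil {
		return []finding{
			{"debug", "could not determine whether pull requests are required"},
			{"warn", "pull request reviews are not required"},
		}
	}
	rev := r.RequiredPullRequestReviews
	out := []finding{{"info", "pull requests are required to make changes"}}
	if rev.RequiredApprovingReviewCount < 1 {
		out = append(out, finding{"warn", "no approving reviewers required"})
	}
	checks := []struct {
		name string
		val  *bool
	}{
		{"dismiss stale reviews", rev.DismissStaleReviews},
		{"code owners review", rev.RequireCodeOwnerReviews},
		{"last push approval", rev.RequireLastPushApproval},
	}
	for _, c := range checks {
		switch {
		case c.val == nil:
			out = append(out, finding{"debug", c.name + ": setting could not be retrieved"})
		case !*c.val:
			out = append(out, finding{"warn", c.name + " disabled"})
		}
	}
	return out
}

// sharedPointerPitfall shows the aliasing bug the commit avoids: when two
// fields share one *bool, writing through either field changes both. With
// independently allocated pointers the write stays local to one field.
func sharedPointerPitfall() (shared, independent reviewSettings) {
	f := false
	shared = reviewSettings{DismissStaleReviews: &f, RequireCodeOwnerReviews: &f}
	*shared.DismissStaleReviews = true // silently flips RequireCodeOwnerReviews too

	independent = reviewSettings{
		DismissStaleReviews:     boolPtr(false),
		RequireCodeOwnerReviews: boolPtr(false),
	}
	*independent.DismissStaleReviews = true // RequireCodeOwnerReviews stays false
	return shared, independent
}

func main() {
	for _, f := range evaluateReviews(protectionRule{}) {
		fmt.Printf("%-5s %s\n", f.Level, f.Msg)
	}
	s, i := sharedPointerPitfall()
	fmt.Println("shared:", *s.RequireCodeOwnerReviews, "independent:", *i.RequireCodeOwnerReviews)
}
```

Running the program prints the debug and warn pair for an unknown reviews block, then `shared: true independent: false`, which is the whole point of the "instantiated independently" commit: a retrieved-and-disabled setting must never be flipped to enabled by a write meant for a different field.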
when needed Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.4.0 to 1.4.1. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](google/osv-scanner@v1.4.0...v1.4.1) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.92.3 to 0.93.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](xanzy/go-gitlab@v0.92.3...v0.93.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* accept checks arg when generating golden. Signed-off-by: Spencer Schrock <[email protected]> * dont shadow import Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Signed-off-by: AdamKorcz <[email protected]> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.55.0 to 1.55.1. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](golangci/golangci-lint@v1.55.0...v1.55.1) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
…3634) * 🌱 Update stale workflow to exempt Structured Results milestone * Removed duplicate line, updated stale-pr-message, and removed custom stale labels Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.4+incompatible to 24.0.7+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](moby/moby@v24.0.4...v24.0.7) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.6+incompatible to 24.0.7+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](moby/moby@v24.0.6...v24.0.7) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.2.4 to 1.3.0. - [Release notes](https://github.com/go-logr/logr/releases) - [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md) - [Commits](go-logr/logr@v1.2.4...v1.3.0) --- updated-dependencies: - dependency-name: github.com/go-logr/logr dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.9.0 to 5.10.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](go-git/go-git@v5.9.0...v5.10.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.28.1 to 1.29.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.28.1...v1.29.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.56.0 to 1.57.1. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@bigquery/v1.56.0...bigquery/v1.57.1) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
For now, this is just producing very long detail strings. Probably negatively affecting cron results Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.7.0 to 1.8.0. - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](spf13/cobra@v1.7.0...v1.8.0) --- updated-dependencies: - dependency-name: github.com/spf13/cobra dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* 🌱 Convert Dangerous Workflow check to probes Signed-off-by: AdamKorcz <[email protected]> * remove hasAnyWorkflows probe Signed-off-by: AdamKorcz <[email protected]> * combine two conditionals into one Signed-off-by: AdamKorcz <[email protected]> * preserve logging from original evaluation Signed-off-by: AdamKorcz <[email protected]> * rebase Signed-off-by: AdamKorcz <[email protected]> --------- Signed-off-by: AdamKorcz <[email protected]> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* Convert SAST checks to probes Signed-off-by: AdamKorcz <[email protected]> * Update checks/evaluation/sast.go Co-authored-by: Raghav Kaul <[email protected]> Signed-off-by: AdamKorcz <[email protected]> * preserve file info when logging positive Sonar findings Signed-off-by: AdamKorcz <[email protected]> * rebase Signed-off-by: AdamKorcz <[email protected]> * Remove warning logging Signed-off-by: AdamKorcz <[email protected]> * add outcome and message to finding on the same line Signed-off-by: AdamKorcz <[email protected]> * codeql workflow -> codeql action Signed-off-by: AdamKorcz <[email protected]> * 'the Sonar' -> 'Sonar' in probe def.yml Signed-off-by: AdamKorcz <[email protected]> * fix typo Signed-off-by: AdamKorcz <[email protected]> * Change how probe creates location Signed-off-by: AdamKorcz <[email protected]> * Change names of values Signed-off-by: AdamKorcz <[email protected]> * change 'SAST tool detected: xx' to 'SAST tool installed: xx' Signed-off-by: AdamKorcz <[email protected]> * make text in probe def.yml easier to read Signed-off-by: AdamKorcz <[email protected]> * Change 'to' to 'two' Signed-off-by: AdamKorcz <[email protected]> * Minor change Signed-off-by: AdamKorcz <[email protected]> --------- Signed-off-by: AdamKorcz <[email protected]> Signed-off-by: AdamKorcz <[email protected]> Co-authored-by: Raghav Kaul <[email protected]> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.4.2 to 1.4.3. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](google/osv-scanner@v1.4.2...v1.4.3) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.13.0 to 0.14.0. - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.13.0...v0.14.0) --- updated-dependencies: - dependency-name: golang.org/x/text dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.55.1 to 1.55.2. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](golangci/golangci-lint@v1.55.1...v1.55.2) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* Continue on error detecting OS Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Add tests for error detecting OS Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Add ElementError to identify elements that errored Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Add Incomplete field to PinningDependenciesData Will store all errors handled during analysis, which may lead to incomplete results. Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Register job steps that errored out Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Add tests that incomplete steps are caught Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Add warnings to details about incomplete steps Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Add tests that incomplete steps generate warnings Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Register shell files skipped due to parser errors Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Add tests showing when parser errors affect analysis Dockerfile pinning is not affected. Everything in a 'broken' Dockerfile RUN block is ignored Everything in a 'broken' shell script is ignored testdata/script-invalid.sh modified to demonstrate the above Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Incomplete results logged as Info, not Warn Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Remove `Type` from logging of incomplete results Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Update tests after rebase Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Add Unwrap for ElementError, improve its docs Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Add ElementError case to evaluation unit test Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Move ElementError to checker/raw_result checker/raw_result defines types used to describe analysis results. 
ElementError is meant to describe potential flaws in the analysis and is therefore a sort of analysis result itself. Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Use finding.Location for ElementError.Element Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Use an ElementError for script parser errors Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Replace .Incomplete []error with .ProcessingErrors []ElementError Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Adopt from reviewer comments - Replace ElementError's `Element *finding.Location` with `Location finding.Location` - Rename ErrorJobOSParsing to ErrJobOSParsing to satisfy linter - Fix unit test Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> --------- Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.1.0 to 3.1.2. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@6c5ccda...fde92ac) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [kubernetes-sigs/kubebuilder-release-tools](https://github.com/kubernetes-sigs/kubebuilder-release-tools) from 0.4.0 to 0.4.2. - [Release notes](https://github.com/kubernetes-sigs/kubebuilder-release-tools/releases) - [Changelog](https://github.com/kubernetes-sigs/kubebuilder-release-tools/blob/master/RELEASE.md) - [Commits](kubernetes-sigs/kubebuilder-release-tools@d8367c2...3c34113) --- updated-dependencies: - dependency-name: kubernetes-sigs/kubebuilder-release-tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.2.3 to 40.1.1. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@95690f9...25ef392) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.1.2 to 3.2.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@11086d2...1fc5bd3) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.4.0 to 2.4.1. - [Release notes](https://github.com/slsa-framework/slsa-verifier/releases) - [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md) - [Commits](slsa-framework/slsa-verifier@v2.4.0...v2.4.1) --- updated-dependencies: - dependency-name: slsa-framework/slsa-verifier dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.29.0 to 1.30.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.29.0...v1.30.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* switch ossfuzz test to smaller repo tensorflow/tensorflow is huge, and this causes the test to take forever. locally this reduces the test time from 17 to 2.4 seconds Signed-off-by: Spencer Schrock <[email protected]> * reuse scorecard results for scorecard attestor policies previously this test took 27 seconds locally, and now takes 8. which is split across 3 subtests: good repos: 1s bad repos: 5s code review policies: 2s Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
…ssf#3632) * 🌱 Add dependency remediation in raw results instead of at log time Signed-off-by: AdamKorcz <[email protected]> * add unit test Signed-off-by: AdamKorcz <[email protected]> * add unit test Signed-off-by: AdamKorcz <[email protected]> * return error Signed-off-by: AdamKorcz <[email protected]> * use pointer to dependency Signed-off-by: AdamKorcz <[email protected]> * check for errors in test Signed-off-by: AdamKorcz <[email protected]> * Return nil if repo client returns an error from unsupported feature Signed-off-by: AdamKorcz <[email protected]> * revert error checking Signed-off-by: AdamKorcz <[email protected]> * revert returning nil is unsupported feature Signed-off-by: AdamKorcz <[email protected]> * Fix wrong test name Signed-off-by: AdamKorcz <[email protected]> * only create remediation when required Signed-off-by: AdamKorcz <[email protected]> * remove remediation helper function Signed-off-by: AdamKorcz <[email protected]> --------- Signed-off-by: AdamKorcz <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
actions which influence the build/release process are excluded. dependabot will send individual updates for those. Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
…s-only-through-pr
…on tier 2 scores Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
… num comparison Signed-off-by: Diogo Teles Sant'Anna <[email protected]>