
Test #4

Closed
wants to merge 111 commits into from

Conversation

diogoteles08
Owner

What kind of change does this PR introduce?

(Is it a bug fix, feature, docs update, something else?)

What is the current behavior?

What is the new behavior (if this is a feature change)?

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)



diogoteles08 and others added 30 commits November 13, 2023 14:52

…ke changes

As discussed in issue ossf#2727, we're adding "require PRs prior
to make changes" as another requirement of tier 2. In addition to that,
we're changing the weight of the tier 2 requirements so that
"requiring 1 reviewer" has weight 2, while the other tier 2 requirements
have weight 1.

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
1. Adapt previous test cases to consider that now we'll have an additional
   Info log telling that the project requires PRs to make changes.
2. Add more cases to test relevant use cases on the tier 2 level of
   branch protection.

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
…quirement of require PRs to make changes

It adds the new tier 2 requirement, but also specifies that
"require at least 1 reviewer" will have doubled weight.

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
…ce readability

Made some nice-to-have improvements to project readability,
making it easier to understand how the branch-protection
score is computed. Also unified 8 different functions that were
doing basically the same thing.

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* Update docs for signed-releases

Signed-off-by: Raghav Kaul <[email protected]>

* update docs

Signed-off-by: Raghav Kaul <[email protected]>

---------

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* bump actionlint.

Signed-off-by: Spencer Schrock <[email protected]>

* fix unit tests.

Signed-off-by: Spencer Schrock <[email protected]>

* include latest update.

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.10 to 1.28.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.27.10...v1.28.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* feat: Create output file argument

Signed-off-by: Gabriela Gutierrez <[email protected]>

* feat: Write results to output file

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Default results format output

Print results headline to output, which may be a file.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* feat: Log start and end of checks work to console

Independent of the logs being output to console or a file, the information on which checks are running is still relevant. Now, we always log this info to the console.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix options unit tests

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Output option content and shorthand

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Output to file with correct format

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix helper function with linter error

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Define output to console or file inside FormatResults

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Remove intermediate variable to define output

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix error log

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Close output file before write results

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix unit test

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix remove file even if test fails

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix fail test cases

Fail the test if results cannot be formatted or the real or expected outputs cannot be read.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Copyright notice year and license header spacing

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Rename Output to ResultsFile

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Linter errors

Signed-off-by: Gabriela Gutierrez <[email protected]>

* Revert "feat: Log start and end of checks work to console"

This reverts commit c4a00a5.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Print results headline in default format

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix default format result test

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Close output only when it's file

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Linter error

Signed-off-by: Gabriela Gutierrez <[email protected]>

---------

Signed-off-by: Gabriela Gutierrez <[email protected]>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.5.1 to 2.6.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@8ca2b8b...1b05615)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.1.2 to 39.2.1.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@4196030...db153ba)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* fix typo

Signed-off-by: omahs <[email protected]>

* fix typos

Signed-off-by: omahs <[email protected]>

* fix typo

Signed-off-by: omahs <[email protected]>

* fix typo

Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: omahs <[email protected]>

* fix typos

Signed-off-by: omahs <[email protected]>

---------

Signed-off-by: omahs <[email protected]>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* feat: broaden job matcher for semantic release

Signed-off-by: secustor <[email protected]>

* tests(checks/permissions): add tests for semantic release if using pnpm and yarn

Signed-off-by: secustor <[email protected]>

---------

Signed-off-by: secustor <[email protected]>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [nick-invision/retry](https://github.com/nick-invision/retry) from 2.8.3 to 2.9.0.
- [Release notes](https://github.com/nick-invision/retry/releases)
- [Changelog](https://github.com/nick-fields/retry/blob/master/.releaserc.js)
- [Commits](nick-fields/retry@943e742...1467290)

---
updated-dependencies:
- dependency-name: nick-invision/retry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.92.1 to 0.92.3.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](xanzy/go-gitlab@v0.92.1...v0.92.3)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/otiai10/copy](https://github.com/otiai10/copy) from 1.12.0 to 1.14.0.
- [Release notes](https://github.com/otiai10/copy/releases)
- [Commits](otiai10/copy@v1.12.0...v1.14.0)

---
updated-dependencies:
- dependency-name: github.com/otiai10/copy
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Previously, at the evaluation part of branch protection, the
values nil and false or zero were sort of interchangeable. This commit
changes the code to set as nil only the data that could not be retrieved
from GitHub -- all the others would have values such as false, zero, true, etc.

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
…oherent

1. Add new test to evaluate how we're interpreting a rule with all
checkboxes unchecked (most shouldn't be nil)
2. Adapt existent tests to expect non-nil values for unchecked
   checkboxes

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Changes some pieces of code to prefer using pointers to
bool instantiated independently. If reusing bool pointers, at some piece
of code the value of the bool could be inadvertently changed and that would change the
value of all other fields reusing that pointer.

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
…dmin

At the evaluation step we were using some untrusted fields of the
response to evaluate if Scorecard was run as admin or not. Now we're
using a field provided directly from the client file.

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
…o or not

After the last commit, the client will tell the evaluation files if
Scorecard was run by an administrator or not (i.e., if we have all the
info). This commit adapts the tests to also provide this info.

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
- 2 warns (for 'last push approval' and 'codeowners review' disabled) were added because now that information comes as 'not-nil' at the evaluation part.
- 1 info was added to say that PRs are required to make changes.
- 1 debug was removed because it said that we couldn't retrieve 'last push approval' information, but we actually can. It was just incorrectly set as nil.

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Reverts commit 64c3521 and commit e2662b7.
Both had changes around using the clients/branch.go structure to store the
information of whether Scorecard was being run by admin or not. We
decided not to change this structure for this purpose.

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
…tead of value

At clients.BranchProtectionRule struct, changing
RequiredPullRequestReviews to be a pointer instead of a struct value.
This will allow the usage of the nil value of this structure to mean
that we can't say if the repository requires reviews or not.

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
we don't know if they require PRs

The nil value of the struct RequiredPullRequestReviews will now mean
that we can't tell whether the project requires PRs to make changes or not.

When we get this case, we're printing a debug informing that we don't have
this data, but also printing a warn saying that they don't require
reviews, because that will be true at this case.

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
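The nil-versus-false split described in the branch protection evaluation commits above and the bool-pointer aliasing pitfall from the commit on independently instantiated pointers, as an added Go example that is not scorecard's own code: the struct and field names are assumptions modelled on the commit messages, not the real clients.BranchProtectionRule, the log strings are illustrative, and the input in main is constructed.

```go
package main

import "fmt"

// Added example, not scorecard's own code. Struct and field names are
// assumptions modelled on the commit messages, not the real
// clients.BranchProtectionRule definition.
type pullRequestReviews struct {
	RequireLastPushApproval *bool
	RequireCodeOwnerReviews *bool
}

type branchProtectionRule struct {
	EnforceAdmins              *bool
	RequiredPullRequestReviews *pullRequestReviews // nil only when the data could not be retrieved
}

// state is the tri-state reading of one setting: a nil pointer means the
// value could not be retrieved (e.g. a non-admin token) and must not be
// confused with false, which means the checkbox is known to be unchecked.
type state int

const (
	unknown state = iota
	disabled
	enabled
)

func boolState(p *bool) state {
	switch {
	case p == nil:
		return unknown
	case *p:
		return enabled
	default:
		return disabled
	}
}

// boolPtr allocates a fresh bool on every call, so two fields never share storage.
func boolPtr(v bool) *bool { return &v }

// evaluate mirrors the logging split in the commits: settings that could not
// be retrieved go to debug, settings known to be off go to warn. A nil
// RequiredPullRequestReviews is logged as unknown but still warned about,
// because in that case reviews are certainly not required.
func evaluate(r branchProtectionRule) (warns, debugs []string) {
	report := func(name string, p *bool) {
		switch boolState(p) {
		case unknown:
			debugs = append(debugs, "could not retrieve '"+name+"'")
		case disabled:
			warns = append(warns, "'"+name+"' disabled")
		}
	}
	report("enforce admins", r.EnforceAdmins)
	rv := r.RequiredPullRequestReviews
	if rv == nil {
		debugs = append(debugs, "could not retrieve 'required PR reviews' data")
		warns = append(warns, "PRs are not required to make changes")
		return warns, debugs
	}
	report("last push approval", rv.RequireLastPushApproval)
	report("codeowners review", rv.RequireCodeOwnerReviews)
	return warns, debugs
}

// sharedPointer reproduces the bug the commit avoids: one *bool reused for
// two fields means a write through one field silently flips the other.
func sharedPointer() (a, b bool) {
	shared := boolPtr(false)
	r1 := branchProtectionRule{EnforceAdmins: shared}
	r2 := branchProtectionRule{EnforceAdmins: shared}
	*r1.EnforceAdmins = true // meant for r1 only
	return *r1.EnforceAdmins, *r2.EnforceAdmins // true, true
}

// independentPointers is the fix: each field gets its own allocation.
func independentPointers() (a, b bool) {
	r1 := branchProtectionRule{EnforceAdmins: boolPtr(false)}
	r2 := branchProtectionRule{EnforceAdmins: boolPtr(false)}
	*r1.EnforceAdmins = true
	return *r1.EnforceAdmins, *r2.EnforceAdmins // true, false
}

func main() {
	// Constructed input: admin enforcement and last-push approval are known to
	// be off; the codeowners field is left nil as if it were not retrievable.
	rule := branchProtectionRule{
		EnforceAdmins:              boolPtr(false),
		RequiredPullRequestReviews: &pullRequestReviews{RequireLastPushApproval: boolPtr(false)},
	}
	warns, debugs := evaluate(rule)
	fmt.Println("warn:", warns, "debug:", debugs)
	a1, b1 := sharedPointer()
	a2, b2 := independentPointers()
	fmt.Println("shared:", a1, b1, "independent:", a2, b2)
}
```

The point of boolPtr is that every call returns a distinct allocation; building several fields from one shared pointer, as sharedPointer does, makes an assignment intended for one rule visible through every other rule that aliases it.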
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.4.0 to 1.4.1.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](google/osv-scanner@v1.4.0...v1.4.1)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.92.3 to 0.93.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](xanzy/go-gitlab@v0.92.3...v0.93.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* accept checks arg when generating golden.

Signed-off-by: Spencer Schrock <[email protected]>

* dont shadow import

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Signed-off-by: AdamKorcz <[email protected]>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
dependabot bot and others added 28 commits November 13, 2023 14:52
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.55.0 to 1.55.1.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](golangci/golangci-lint@v1.55.0...v1.55.1)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
…3634)

* 🌱 Update stale workflow to exempt Structured Results milestone

* Removed duplicate line, updated stale-pr-message, and removed custom stale labels

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.4+incompatible to 24.0.7+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v24.0.4...v24.0.7)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.6+incompatible to 24.0.7+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v24.0.6...v24.0.7)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.2.4 to 1.3.0.
- [Release notes](https://github.com/go-logr/logr/releases)
- [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md)
- [Commits](go-logr/logr@v1.2.4...v1.3.0)

---
updated-dependencies:
- dependency-name: github.com/go-logr/logr
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.9.0 to 5.10.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.9.0...v5.10.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.28.1 to 1.29.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.28.1...v1.29.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.56.0 to 1.57.1.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@bigquery/v1.56.0...bigquery/v1.57.1)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
For now, this is just producing very long detail strings.
Probably negatively affecting cron results

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.7.0 to 1.8.0.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](spf13/cobra@v1.7.0...v1.8.0)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* 🌱 Convert Dangerous Workflow check to probes

Signed-off-by: AdamKorcz <[email protected]>

* remove hasAnyWorkflows probe

Signed-off-by: AdamKorcz <[email protected]>

* combine two conditionals into one

Signed-off-by: AdamKorcz <[email protected]>

* preserve logging from original evaluation

Signed-off-by: AdamKorcz <[email protected]>

* rebase

Signed-off-by: AdamKorcz <[email protected]>

---------

Signed-off-by: AdamKorcz <[email protected]>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* Convert SAST checks to probes

Signed-off-by: AdamKorcz <[email protected]>

* Update checks/evaluation/sast.go

Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: AdamKorcz <[email protected]>

* preserve file info when logging positive Sonar findings

Signed-off-by: AdamKorcz <[email protected]>

* rebase

Signed-off-by: AdamKorcz <[email protected]>

* Remove warning logging

Signed-off-by: AdamKorcz <[email protected]>

* add outcome and message to finding on the same line

Signed-off-by: AdamKorcz <[email protected]>

* codeql workflow -> codeql action

Signed-off-by: AdamKorcz <[email protected]>

* 'the Sonar' -> 'Sonar' in probe def.yml

Signed-off-by: AdamKorcz <[email protected]>

* fix typo

Signed-off-by: AdamKorcz <[email protected]>

* Change how probe creates location

Signed-off-by: AdamKorcz <[email protected]>

* Change names of values

Signed-off-by: AdamKorcz <[email protected]>

* change 'SAST tool detected: xx' to 'SAST tool installed: xx'

Signed-off-by: AdamKorcz <[email protected]>

* make text in probe def.yml easier to read

Signed-off-by: AdamKorcz <[email protected]>

* Change 'to' to 'two'

Signed-off-by: AdamKorcz <[email protected]>

* Minor change

Signed-off-by: AdamKorcz <[email protected]>

---------

Signed-off-by: AdamKorcz <[email protected]>
Signed-off-by: AdamKorcz <[email protected]>
Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.4.2 to 1.4.3.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](google/osv-scanner@v1.4.2...v1.4.3)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.13.0 to 0.14.0.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.13.0...v0.14.0)

---
updated-dependencies:
- dependency-name: golang.org/x/text
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.55.1 to 1.55.2.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](golangci/golangci-lint@v1.55.1...v1.55.2)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* Continue on error detecting OS

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Add tests for error detecting OS

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Add ElementError to identify elements that errored

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Add Incomplete field to PinningDependenciesData

Will store all errors handled during analysis, which may lead to incomplete results.

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Register job steps that errored out

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Add tests that incomplete steps are caught

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Add warnings to details about incomplete steps

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Add tests that incomplete steps generate warnings

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Register shell files skipped due to parser errors

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Add tests showing when parser errors affect analysis

Dockerfile pinning is not affected.
Everything in a 'broken' Dockerfile RUN block is ignored
Everything in a 'broken' shell script is ignored
testdata/script-invalid.sh modified to demonstrate the above

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Incomplete results logged as Info, not Warn

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Remove `Type` from logging of incomplete results

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Update tests after rebase

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Add Unwrap for ElementError, improve its docs

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Add ElementError case to evaluation unit test

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Move ElementError to checker/raw_result

checker/raw_result defines types used to describe analysis results.

ElementError is meant to describe potential flaws in the analysis
and is therefore a sort of analysis result itself.

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Use finding.Location for ElementError.Element

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Use an ElementError for script parser errors

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Replace .Incomplete []error with .ProcessingErrors []ElementError

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Adopt from reviewer comments

- Replace ElementError's `Element *finding.Location`
  with `Location finding.Location`
- Rename ErrorJobOSParsing to ErrJobOSParsing to satisfy linter
- Fix unit test

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

---------

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.1.0 to 3.1.2.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@6c5ccda...fde92ac)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [kubernetes-sigs/kubebuilder-release-tools](https://github.com/kubernetes-sigs/kubebuilder-release-tools) from 0.4.0 to 0.4.2.
- [Release notes](https://github.com/kubernetes-sigs/kubebuilder-release-tools/releases)
- [Changelog](https://github.com/kubernetes-sigs/kubebuilder-release-tools/blob/master/RELEASE.md)
- [Commits](kubernetes-sigs/kubebuilder-release-tools@d8367c2...3c34113)

---
updated-dependencies:
- dependency-name: kubernetes-sigs/kubebuilder-release-tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.2.3 to 40.1.1.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@95690f9...25ef392)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.1.2 to 3.2.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@11086d2...1fc5bd3)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.4.0 to 2.4.1.
- [Release notes](https://github.com/slsa-framework/slsa-verifier/releases)
- [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md)
- [Commits](slsa-framework/slsa-verifier@v2.4.0...v2.4.1)

---
updated-dependencies:
- dependency-name: slsa-framework/slsa-verifier
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.29.0 to 1.30.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.29.0...v1.30.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
* switch ossfuzz test to smaller repo

tensorflow/tensorflow is huge, and this causes the test to take forever.
locally this reduces the test time from 17 to 2.4 seconds

Signed-off-by: Spencer Schrock <[email protected]>

* reuse scorecard results for scorecard attestor policies

previously this test took 27 seconds locally, and now takes 8.
which is split across 3 subtests:
good repos: 1s
bad repos: 5s
code review policies: 2s

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
…ssf#3632)

* 🌱 Add dependency remediation in raw results instead of at log time

Signed-off-by: AdamKorcz <[email protected]>

* add unit test

Signed-off-by: AdamKorcz <[email protected]>

* add unit test

Signed-off-by: AdamKorcz <[email protected]>

* return error

Signed-off-by: AdamKorcz <[email protected]>

* use pointer to dependency

Signed-off-by: AdamKorcz <[email protected]>

* check for errors in test

Signed-off-by: AdamKorcz <[email protected]>

* Return nil if repo client returns an error from unsupported feature

Signed-off-by: AdamKorcz <[email protected]>

* revert error checking

Signed-off-by: AdamKorcz <[email protected]>

* revert returning nil if unsupported feature

Signed-off-by: AdamKorcz <[email protected]>

* Fix wrong test name

Signed-off-by: AdamKorcz <[email protected]>

* only create remediation when required

Signed-off-by: AdamKorcz <[email protected]>

* remove remediation helper function

Signed-off-by: AdamKorcz <[email protected]>

---------

Signed-off-by: AdamKorcz <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
actions which influence the build/release process are excluded.
dependabot will send individual updates for those.

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
…on tier 2 scores

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
… num comparison

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>