Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade scorecard version #1

Merged
merged 395 commits into from
Feb 28, 2024
Merged

Upgrade scorecard version #1

merged 395 commits into from
Feb 28, 2024

Conversation

cx-monicac
Copy link

What kind of change does this PR introduce?

(Is it a bug fix, feature, docs update, something else?)

What is the current behavior?

What is the new behavior (if this is a feature change)?**

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)


spencerschrock and others added 30 commits September 12, 2023 17:55
* remove old replace directives.

Signed-off-by: Spencer Schrock <[email protected]>

* Remove dgrijalva/jwt-go replace.

Project now maintained at github.com/golang-jwt/jwt. So it's unused.

Signed-off-by: Spencer Schrock <[email protected]>

* remove replace on unused github.com/buger/jsonparser

Signed-off-by: Spencer Schrock <[email protected]>

* remove unused github.com/gorilla/handlers replace.

Signed-off-by: Spencer Schrock <[email protected]>

* remove unused github.com/miekg/dns

Signed-off-by: Spencer Schrock <[email protected]>

* remove unused github.com/ulikunitz/xz

Signed-off-by: Spencer Schrock <[email protected]>

* remove unused github.com/satori/go.uuid

Signed-off-by: Spencer Schrock <[email protected]>

* replace directive no longer needed for github.com/opencontainers/image-spec.

Signed-off-by: Spencer Schrock <[email protected]>

* potentially unneeded replace for github.com/emicklei/go-restful

Signed-off-by: Spencer Schrock <[email protected]>

* potentially unneeded replace for github.com/docker/distribution

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Bumps [actions/cache](https://github.com/actions/cache) from 3.3.1 to 3.3.2.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@88522ab...704facf)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.2 to 3.1.3.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@0b7f8ab...a8a3f3a)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.8 to 3.1.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@f6fff72...6c5ccda)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.0.0 to 39.0.2.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@48566bb...6ee9cdc)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.6.0 to 2.7.0.
- [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases)
- [Commits](bradleyfalzon/ghinstallation@v2.6.0...v2.7.0)

---
updated-dependencies:
- dependency-name: github.com/bradleyfalzon/ghinstallation/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.54.0 to 1.55.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@bigquery/v1.54.0...bigquery/v1.55.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* repo rulesets via v4 api

Signed-off-by: Peter Wagner <[email protected]>

* good enough fnmatch implementation.

Signed-off-by: Spencer Schrock <[email protected]>

* good enough rulesMatchingBranch

Signed-off-by: Peter Wagner <[email protected]>

* apply matching repo rules to branch protection settings

Signed-off-by: Peter Wagner <[email protected]>

* rules: consider admins and require checks

Signed-off-by: Peter Wagner <[email protected]>

* non-structural chanages from PR feedback

Signed-off-by: Peter Wagner <[email protected]>

* fetch default branch name during repo rules query

Signed-off-by: Peter Wagner <[email protected]>

* Testing applyRepoRules

Tests assume a single rule is being applied to a branch, which might be
guarded by a legacy branch protection rule.

I think this logic gets problematic when there are multiple rules
overlaid on the same branch: the "the existing rules does not enforce
for admins, but i do and therefore this branch now does" will give
false-positives.

Signed-off-by: Peter Wagner <[email protected]>

* Test_applyRepoRules: builder and standardize names

Signed-off-by: Peter Wagner <[email protected]>

* attempt to upgrade/downgrade EnforceAdmins as each rule is applied

Signed-off-by: Peter Wagner <[email protected]>

* simplify enforce admin for now.

Signed-off-by: Spencer Schrock <[email protected]>

* handle merging pull request reviews

Signed-off-by: Spencer Schrock <[email protected]>

* handle merging check rules

Signed-off-by: Spencer Schrock <[email protected]>

* handle last push approval

Signed-off-by: Spencer Schrock <[email protected]>

* handle linear history

Signed-off-by: Spencer Schrock <[email protected]>

* use constants for github rule types.

Signed-off-by: Spencer Schrock <[email protected]>

* add status check test.

Signed-off-by: Spencer Schrock <[email protected]>

* add e2e test for repo rules.

Signed-off-by: Spencer Schrock <[email protected]>

* handle nil branch name data

Signed-off-by: Spencer Schrock <[email protected]>

* add tracking issue.

Signed-off-by: Spencer Schrock <[email protected]>

* fix precedence in if statement

Signed-off-by: Spencer Schrock <[email protected]>

* include repo rules in the check docs.

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Peter Wagner <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Co-authored-by: Spencer Schrock <[email protected]>
…process more issues (ossf#3483)

* Update workflow to increase operations per run to process more issues

* 🌱 workflows/stale: Increased operations-per-run from default and reduced days to close stale issues
* issue 2157 changes

Signed-off-by: leec94 <[email protected]>

* incorporated feedback

Signed-off-by: leec94 <[email protected]>

* making the linter happy

Signed-off-by: leec94 <[email protected]>

* changing to local variable, testing still not working

Signed-off-by: leec94 <[email protected]>

* update tests to ignore date

Signed-off-by: leec94 <[email protected]>

* ran through linter

Signed-off-by: leec94 <[email protected]>

* resolving suggestions

Signed-off-by: leec94 <[email protected]>

---------

Signed-off-by: leec94 <[email protected]>
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 4.6.0 to 5.0.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@5fdedb9...7ec5c2b)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.8.1 to 5.9.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.8.1...v5.9.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.6 to 1.4.0.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](google/osv-scanner@v1.3.6...v1.4.0)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.0.2 to 39.1.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@6ee9cdc...8e79ba7)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Update README.md

Add link to webviewer

* Update faq.md

Update webviewer link in FAQ

* Update README.md

Typo

* Update faq.md

Linebreak
With our current upload setup, it will always show a drop of 6-7%.
This is confusing to contributors, so make the check always pass.
Also fixes the threshold for the patch coverage.

Signed-off-by: Spencer Schrock <[email protected]>
* Update README.md

Signed-off-by: olivekl <[email protected]>

* Update faq.md

Signed-off-by: olivekl <[email protected]>

---------

Signed-off-by: olivekl <[email protected]>
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.1.0 to 39.1.2.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@8e79ba7...4196030)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@3df4ab1...8ade135)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* wip

Signed-off-by: Spencer Schrock <[email protected]>

* output via tabwriter

Signed-off-by: Spencer Schrock <[email protected]>

* specify by check.

Signed-off-by: Spencer Schrock <[email protected]>

* Return aggregate score when unmarshalling.

Signed-off-by: Spencer Schrock <[email protected]>

* convert from score to bucket in one place. use aggregate score from func

Signed-off-by: Spencer Schrock <[email protected]>

* fix forgotten usage of ExperimentalFromJSON2

Signed-off-by: Spencer Schrock <[email protected]>

* use sentinel errors.

Signed-off-by: Spencer Schrock <[email protected]>

* move counting to own func for testability

Signed-off-by: Spencer Schrock <[email protected]>

* remove unneeded fields from results for readability.

Signed-off-by: Spencer Schrock <[email protected]>

* add test for parse errors.

Signed-off-by: Spencer Schrock <[email protected]>

* share max result size for any bufio.Scanner which reads results.

Signed-off-by: Spencer Schrock <[email protected]>

* add basic overall test for calcing stats.

Signed-off-by: Spencer Schrock <[email protected]>

* make missing file argument generic.

Signed-off-by: Spencer Schrock <[email protected]>

* validate min args with cobra.

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Issues are still getting closed after ossf#3493.
I assume there's a default value being used somewhere.

Signed-off-by: Spencer Schrock <[email protected]>
* Remove EnforceAdmins from tier 1.

Scores in some tests either increase to 3, or 4, since EnfroceAdmins no longer keeps them in tier 1.
The number of Debug, Info, and Warn messages will decrease by 1 per branch, since we're no longer logging them.

Signed-off-by: Spencer Schrock <[email protected]>

* move enforce admins to tier 5.

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
* feat: Define if dependency is pinned or unpinned

Add a field Pinned to Dependency structure.
Update to save Dependencies pinned and unpinned. Not only unpinned ones.
All download then run executions are considered unpinned. Because there is no remediation to pin them.
For package manager downloads: add early return if there are no commands, separate package manager  identification (go, npm, choco, pip) from decision if installation is pinned or unpinned.
Change Go case "go get -d -v" considered pinned, to any Go installations containing "-d" to be considered pinned.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* refactor: Convert diff var types to pointer

We need to add a new conversion of boolean to pointer. Currently, we had string and int conversions named asPointer but not used in the same file. In order to know when we are using which conversion and considering bool and string would have to be used in the same file, it was needed to differentiate the method names. New method names are asIntPointer, asStringPointer and soon asBoolPointer.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Pinned Dependency field type

Field needs to be a pointer to work when accessing values on evaluation.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* feat: Count pinned and unpinned deps

We're changing the ecossystems result structure. The result structure previously stored if the ecossystem is fully pinned or not. The new result structure can tell how many dependencies of that ecossystem were found and how many were pinned. This change is necessary to ignore not applicable ecossystems on the final aggregated score. When iterating the dependencies, now we go through pinned and unpinned dependencies, not only unpinned, and in each iteration we update the result. We kept the behavior of only log warnings for unpinned dependencies.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* feat: Flag not applicable ecossystems

If no dependencies of an ecossystem are found, it results in an inconclusive score (-1). As in other checks, this means here that the ecossystem scoring is not applicable in this case. At the same time, we are keep the scoring criteria the same. If all dependencies are pinned, it results in maximum score (10) and if 1 or more dependencies are unpinned, it results in a minimum score (0) for that ecossystem. GitHub workflow cases are handled differently but the idea is the same. We are also adding a log to know when an ecossystem was not found.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* feat: Score only applicable ecossystems

Signed-off-by: Gabriela Gutierrez <[email protected]>

* feat: If no dependencies then create inconclusive score

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: GitHub Actions score and logs

Change test from `createReturnValuesForGitHubActionsWorkflowPinned` function to `createReturnForIsGitHubActionsWorkflowPinned` wrapper function so we can test logs. We have adjusted the existing test cases and included new test cases.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Pinned dependencies score

Break "various warnings" tests into smaller tests for pinned and unpinned dependencies and how they react to warn and debug messages. Plus add tests for how the score is affected when all dependencies are pinned, when no dependencies are pinned, when there are no dependencies, and partial dependencies pinned. Also, how dependencies unpinned in 1 or multiple ecossystems affect the warn messages,  add one unpinned case for each ecossystem to see if they are being detected and separate the download then run 2 possible cases, there are currently scoring and logging wrong due to a bug.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Ecossystems score and logs

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Remove deleted maxScore function test

When we changed the scoring method to ignore not applicable scores, we removed the normalization of inconclusive scores to 0. The normalization was done by `maxScore` function, that was deleted in the process.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Adding GitHub Actions dependencies to result

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Update GitHub Actions result

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Update pip installs result

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Handle if nuget dependency is pinned or unpinned

Signed-off-by: Gabriela Gutierrez <[email protected]>

* tests: Fix check warnings for unpinned dependencies

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Linter errors

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: GitHub Actions pinned log

If, for example, you have GitHub-owned actions and none Third-party actions, you should receive a "no Third-party actions found" log and don't receive a "all Third-party actions are pinned" log. At the same time, you deserve the score of pinning Third-party to complement the GitHub-owned score.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix "ossf-tests/scorecard-check-pinned-dependencies-e2e"

The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions only GitHub-owned actions, that are unpinned, no npm installs, multiple go installs all pinned, and all other dependencies types are unpinned. This gives us 8 for actionScore, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 28/7 =~ 4, and now the total score is 18/6 =~ 3. The number of logs remain the same. The "all Third-party actions are pinned" will be replaced by "no Third-party actions found", which is a more realistic info and same thing for npm installs.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* Revert rename `asPointer` to `asStringPointer`

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Handle deps with parsing error and undefined pinning

When a dependency has a parsing error it ends up with a `Msg` field. In this case, the dependency should not count in the final score, so we should not `updatePinningResults` in this case. Also, to continue with the evaluation calculation, we need to make sure the dependencies have a `Pinned` state. Here we are adding this validation for it along with a debug log.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Delete unecessary test

We already have separate test for if 1 unpinned dependency shows a warn message, and 2 cases for when dependencies have errors and show a debug message.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Add missing dep Location cases

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Simplify Dockerfile pinned as name logic

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: If ecossystem is not found show debug log

If ecossystem is not found show debug log, not info log. This affects the tests, all not found ecossystems will "move" from info logs to debug logs. We are also complementing the `all dependencies pinned` and `all dependencies unpinned` cases so we have the max score case and the min score case using all kinds of dependencies.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix e2e tests and more unit tests

Signed-off-by: Gabriela Gutierrez <[email protected]>

* feat: Iterate all dependency types for final score

Now we iterate all existing dependency types in the final score. This will fix the problem of new ecossystems not being count in the final score because we needed to update the evaluation part. This also fixes the problem of download then run being counted twice for the score. Now, we only have debug logs when there are errors with the dependency metadata. That means we don't log anymore when dependencies of an ecossystem are not found. We changed the info log format when dependencies are all pinned. We simplified the calculation of the scores. We removed unused error returns. And now we only iterate existing ecossystems. If an ecossystem is not found we will not iterate it.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* feat: Proportional score

We count all pinned dependencies over the total found dependencies of all ecossystems for the final score. But, we still want to give low prioritity to GHA GitHub-owned dependencies over GHA third-party dependencies. That's why we are doing a weighted proportional score, all ecossystems have a normal weight of 10 but GHAs have a weight. If you only have GitHub-owned, it will count as 10, because GHA don't weight less then other ecossystems. Same for GHA third-party, if you only have GHA third-party, it will also count as 10, because GHAs don't weight less then other ecossystems. But if you have both GHA GitHub-owned and third-party, GitHub-owned count less then third-party. Trying to keep the same weight as before, GitHub-owned weights 8 and third-party weights 2. These weights will make the score be more penalized if you have unpinned third-party and less penalized if you have unpinned GitHub-owned.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: GHA weights in proportional score

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix scores and logs checking

Add new cases for GHA scores since it's weighted differently now. Remove `createReturnValues` test since the function was removed. Fix current tests to adjust number of logs since we don't log if all dependencies are pinned or not anymore. Fix partially pinned score.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix e2e test

The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has no Third-party actions only GitHub-owned actions, that are unpinned, no npm installs, multiple go installs all pinned, and all other dependencies types are unpinned. This gives us 8 for GHA ecossytem, -1 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 18/6 =~ 3. Now, we count 5/6 GitHub-owned GHA pinned, 23/36 containerImage pinned, 0/88 downloadThenRun pinned, 2/49 pipCommand pinned, 17/17 goCommand pinned. This results in 47/186 pinned dependencies which results in 2.5 score, that is rounded down to 2. Plus, the number of info was reduced since we don't log info for "all pinned dependencies in X ecossystem" anymore.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* refactor: Rename to ProportionalScoreWeighted

Signed-off-by: Gabriela Gutierrez <[email protected]>

* refactor: Var declarations to create proportional score

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Remove unnecessary pointer

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Dependencies priority declaration

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Ecosystem spelling

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Handle 0 weight and 0 total when creating proportional weighted score

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Revert -d flag identification change

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: npm ci command is npm download and is pinned

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Linter errors

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Unexport error variable to other packages

Signed-off-by: Gabriela Gutierrez <[email protected]>

* refactor: Simplify no score groups condition

Signed-off-by: Gabriela Gutierrez <[email protected]>

* feat: Log proportion of dependencies pinned

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix unit tests to include info logs

The number of info logs should be same number of identified ecossystems. GitHub-owned GitHubAction and third-party GitHubAction count as different ecossytems.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix e2e tests to include info logs

The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has GitHub-owned GitHubActions, containerImage, downloadThenRun, pipCommand and goCommand dependencies. Therefore it will have 5 Info logs, one for each ecossystem.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Linter error

Signed-off-by: Gabriela Gutierrez <[email protected]>

---------

Signed-off-by: Gabriela Gutierrez <[email protected]>
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.0 to 2.12.1.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.12.0...v2.12.1)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.0 to 2.12.1.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.12.0...v2.12.1)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
dependabot bot and others added 24 commits January 19, 2024 08:53
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.57.1 to 1.58.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@bigquery/v1.57.1...bigquery/v1.58.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* handle osv errors for projects without packages

Signed-off-by: Spencer Schrock <[email protected]>

* make test parallel

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
* enforce check scores are between the min and max

if the score is invalid, the Error field is set and the score is
replaced with an inconclusive result score.

Signed-off-by: Spencer Schrock <[email protected]>

* exclude inconclusive result score

Callers who want the score should use the CreateInconclusiveResult function.
The goal is partly to enforce a consistent coding style, and partly to
limit proportions which score to -1 accidentally.

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
* fail if add-projects not run

Signed-off-by: Spencer Schrock <[email protected]>

* add gitlab file to add-projects

Signed-off-by: Spencer Schrock <[email protected]>

* order gitlab projects with make add-projects

Signed-off-by: Spencer Schrock <[email protected]>

* simplify workflow job

this binary doesn't need the build protos

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.14.0 to 2.15.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.14.0...v2.15.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.6.0 to 1.6.1.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](google/osv-scanner@v1.6.0...v1.6.1)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the github-actions group with 4 updates: [actions/dependency-review-action](https://github.com/actions/dependency-review-action), [tj-actions/changed-files](https://github.com/tj-actions/changed-files), [actions/cache](https://github.com/actions/cache) and [actions/upload-artifact](https://github.com/actions/upload-artifact).


Updates `actions/dependency-review-action` from 3.1.5 to 4.0.0
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@c74b580...4901385)

Updates `tj-actions/changed-files` from 41.1.1 to 42.0.0
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@62f4729...ae82ed4)

Updates `actions/cache` from 3.3.3 to 4.0.0
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@e12d46a...13aacd8)

Updates `actions/upload-artifact` from 4.1.0 to 4.2.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@1eb3cb2...694cdab)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* 📖 Add documentation about probes and contributing

Signed-off-by: Adam Korczynski <[email protected]>

* change 'subdirectory' to 'directory'

Signed-off-by: Adam Korczynski <[email protected]>

* fix 'golangci' typo

Signed-off-by: Adam Korczynski <[email protected]>

* Added 'make fix-linter' to Makefile

Signed-off-by: Adam Korczynski <[email protected]>

* Move commands to their own table

Signed-off-by: Adam Korczynski <[email protected]>

* change 'problem' to 'supply-chain security risk'

Signed-off-by: Adam Korczynski <[email protected]>

* Add sentence about what a finding is

Signed-off-by: Adam Korczynski <[email protected]>

* remove sentence about running make rule locally

Signed-off-by: Adam Korczynski <[email protected]>

* change 'supply-chain security risk' to 'heuristic'

Signed-off-by: Adam Korczynski <[email protected]>

* Modify text on where to set remediation data

Signed-off-by: Adam Korczynski <[email protected]>

* Add example

Signed-off-by: Adam Korczynski <[email protected]>

* add line about discussing changes to the score in a GitHub issue

Signed-off-by: Adam Korczynski <[email protected]>

---------

Signed-off-by: Adam Korczynski <[email protected]>
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.33.0 to 1.34.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@pubsub/v1.33.0...pubsub/v1.34.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.30.0 to 1.31.1.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.30.0...v1.31.1)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.17.0 to 0.18.0.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.17.0...v0.18.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.95.2 to 0.96.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go)
- [Commits](xanzy/go-gitlab@v0.95.2...v0.96.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.34.0 to 1.35.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@pubsub/v1.34.0...pubsub/v1.35.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* 🌱 Bump github.com/goreleaser/goreleaser in /tools (ossf#3238)

Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.18.2 to 1.19.1.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](goreleaser/goreleaser@v1.18.2...v1.19.1)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* begin implementing probe: minTwoCodeReviewers

Signed-off-by: André Backman <[email protected]>

* print raw results

Signed-off-by: André Backman <[email protected]>

* print raw results

Signed-off-by: André Backman <[email protected]>

* print raw results

Signed-off-by: André Backman <[email protected]>

* rename probe directory: minimumCodeReviewers

Signed-off-by: André Backman <[email protected]>

* rename probe CodeReviewers

Signed-off-by: André Backman <[email protected]>

* rename import for CodeReviewers probe

Signed-off-by: André Backman <[email protected]>

* update code reviewers definition

Signed-off-by: André Backman <[email protected]>

* update code reviewers implementation; fixed embed FS usage

Signed-off-by: André Backman <[email protected]>

* printing all findings, work out where to concatenate them

Signed-off-by: André Backman <[email protected]>

* concatenated findings to one single finding, outcome is based on the least found unique reviewers

Signed-off-by: André Backman <[email protected]>

* refactored uniqueCodeReviewers probe, needs more error checks

Signed-off-by: André Backman <[email protected]>

* add error handling for cases of non-existant author and/or reviewer logins

Signed-off-by: André Backman <[email protected]>

* add error handling for cases of non-existant author and/or reviewer logins

Signed-off-by: André Backman <[email protected]>

* rename probe

Signed-off-by: André Backman <[email protected]>

* update codeReviewTwoReviewers definition

Signed-off-by: André Backman <[email protected]>

* rename unique code reviewers probe

Signed-off-by: André Backman <[email protected]>

* implement codeApproved probe, validation of reviews needs fixing

Signed-off-by: André Backman <[email protected]>

* update codeApproved probe, validation of reviews needs fixing

Signed-off-by: André Backman <[email protected]>

* working version of codeApproved probe

Signed-off-by: André Backman <[email protected]>

* codeReviewed probe implemented

Signed-off-by: André Backman <[email protected]>

* clean up comments, add imports, run all probes

Signed-off-by: André Backman <[email protected]>

* update license comments

Signed-off-by: André Backman <[email protected]>

* Update def.yml license

Signed-off-by: André Backman <[email protected]>

* Update def.yml license

Signed-off-by: André Backman <[email protected]>

* Update def.yml license

Signed-off-by: André Backman <[email protected]>

* Update impl.go license

Signed-off-by: André Backman <[email protected]>

* Update impl.go license to Apache 2

Signed-off-by: André Backman <[email protected]>

* Update impl.go license to Apache 2

Signed-off-by: André Backman <[email protected]>

* Update code_review.go license

Signed-off-by: André Backman <[email protected]>

* Update entries.go; CodeReviewChecks now called CodeReview

Signed-off-by: André Backman <[email protected]>

* Update impl.go, refactor codeReviewTwoReviewers; moved utility functions into impl.go

Signed-off-by: André Backman <[email protected]>

* Delete code_review.go utilities

moved utility functions to the impl.go they are used in

Signed-off-by: André Backman <[email protected]>

* rename probe

Signed-off-by: André Backman <[email protected]>

* update codeReviewTwoReviewers definition

Signed-off-by: André Backman <[email protected]>

* implement codeApproved probe, validation of reviews needs fixing

Signed-off-by: André Backman <[email protected]>

* update codeApproved probe, validation of reviews needs fixing

Signed-off-by: André Backman <[email protected]>

* working version of codeApproved probe

Signed-off-by: André Backman <[email protected]>

* codeReviewed probe implemented

Signed-off-by: André Backman <[email protected]>

* clean up comments, add imports, run all probes

Signed-off-by: André Backman <[email protected]>

* update license comments

Signed-off-by: André Backman <[email protected]>

* update license comments

Signed-off-by: André Backman <[email protected]>

* 🌱 Included unit tests (ossf#3242)

- Included unit tests

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump golang.org/x/text from 0.10.0 to 0.11.0 (ossf#3243)

Bumps [golang.org/x/text](https://github.com/golang/text) from 0.10.0 to 0.11.0.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.10.0...v0.11.0)

---
updated-dependencies:
- dependency-name: golang.org/x/text
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump golang.org/x/oauth2 from 0.9.0 to 0.10.0 (ossf#3244)

Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.9.0 to 0.10.0.
- [Commits](golang/oauth2@v0.9.0...v0.10.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 📖 Update Branch-Protection admin and non-admin requirements (ossf#2772)

* docs: Branch protection admin-only requirements

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Branch protection requirements by tier

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: How get a perfect score in branch protection

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Fix local images ref in doc

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Fix typo

Co-authored-by: Pedro Nacht <[email protected]>
Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Fix check specific table of contents

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Code owners setting is non admin

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Fix branch protection applied not only to main branch

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Add alt text for images

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: You can get a perfect score with non admin access

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: update max tier scores

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: update tier 1 max points explanation

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Move changes to internal checks doc

Move changes done in docs/checks.md to docs/checks/internal/checks.yaml.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Revert changes on checks doc

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Fix admin settings evaluated on branch protection

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Change branch protection model status checks

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Change tiers score to expected score

The expected score for the code to output is 3/10 for Tier 1 case and 7/10 for Tier 3 case. The scoring issue will be reported as bug.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Fix Tier 3 score

Signed-off-by: Gabriela Gutierrez <[email protected]>

---------

Signed-off-by: Gabriela Gutierrez <[email protected]>
Co-authored-by: Pedro Nacht <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Linter workflow cleanup (ossf#3247)

* Fix linter timeout by renaming deprecated deadline.

Signed-off-by: Spencer Schrock <[email protected]>

* Disable depguard linter.

As of golangci-lint v3.5.0, the depguard linter is complaining. We don't use a .depguard.yml file, so just disabling the linter.

Signed-off-by: Spencer Schrock <[email protected]>

* Move linter into own workflow.

Signed-off-by: Spencer Schrock <[email protected]>

* Fix bash command substitution.

Signed-off-by: Spencer Schrock <[email protected]>

* Add harden runner.

Signed-off-by: Spencer Schrock <[email protected]>

* switch names to existing linter job

Signed-off-by: Spencer Schrock <[email protected]>

* Update golangci-lint to v1.53.3

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump tj-actions/changed-files from 37.0.5 to 37.1.0 (ossf#3253)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.0.5 to 37.1.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@54849de...87e23c4)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump github.com/goreleaser/goreleaser in /tools (ossf#3252)

Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.19.1 to 1.19.2.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](goreleaser/goreleaser@v1.19.1...v1.19.2)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump golang.org/x/tools from 0.10.0 to 0.11.0

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.10.0 to 0.11.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.10.0...v0.11.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Improve rate limit handling in roundtripper (ossf#3237)

- Add rate limit testing and handling functionality
- Add tests for successful response and Retry-After header set scenarios

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump tj-actions/changed-files from 37.1.0 to 37.1.1 (ossf#3259)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.0 to 37.1.1.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@87e23c4...1f20fb8)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump github.com/bradleyfalzon/ghinstallation/v2 (ossf#3260)

Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.5.0 to 2.6.0.
- [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases)
- [Commits](bradleyfalzon/ghinstallation@v2.5.0...v2.6.0)

---
updated-dependencies:
- dependency-name: github.com/bradleyfalzon/ghinstallation/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱Add urls for opentelemetry, micrometer and new relic to weekly cron (ossf#3248)

* add urls for opentelemetry and micrometer

Signed-off-by: Ajmal Kottilingal <[email protected]>

* add jakarta-activation url

Signed-off-by: Ajmal Kottilingal <[email protected]>

* adding json-path

Signed-off-by: Ajmal Kottilingal <[email protected]>

* fix uing make

Signed-off-by: Ajmal Kottilingal <[email protected]>

---------

Signed-off-by: Ajmal Kottilingal <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🐛  Add npm installs to Pinned-Dependencies score (ossf#2960)

* feat: Add npm install to pinned dependencies score

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix pinned dependencies evaluation tests

Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, for "various wanrings" test, the total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix pinned dependencies e2e tests

Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. The repo being tested, ossf-tests/scorecard-check-pinned-dependencies-e2e, has third-party GitHub actions pinned, no npm installs, and all other dependencies types are unpinned. This gives us 8 for actionScore, 10 for npmScore and 0 for all other scores. Previously the total score was 8/5~=1, and now the total score is 18/6=3. Also, since there are no npm installs, there's one more Info log for "npm installs are pinned".

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix typo

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Unpinned npm install score

When having one unpinned npm install and all other dependencies pinned, the score should be 50/6~=8. Also, it should raise 1 warning for the unpinned npm install, 6 infos saying the other dependency types are pinned (2 for GHAs, 2 for dockerfile image and downdloads, 1 for script downdloads and 1 for pip installs), and 0 debug logs since the npm install dependency does not have an error message.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Undefined npm install score

When an error happens to parse a npm install dependency, the error/debug message is saved in "Msg" field. In this case, we were not able to define if the npm install is pinned or not. This dependency is classified as pinned undefined. We treat such cases as pinned cases, so it logs as Info that npm installs are all pinned and counts the score as 10. Then, the final score makes it to 10 as well. Since it logs the error/debug message, the Debug log goes to 1.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix typo

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix "validate various warnings and info" test

Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, this test total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: npm dependencies pinned log

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Remove test of error when parsing an npm dependency

Signed-off-by: Gabriela Gutierrez <[email protected]>

---------

Signed-off-by: Gabriela Gutierrez <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump github.com/moby/buildkit from 0.11.6 to 0.12.0 (ossf#3264)

Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.11.6 to 0.12.0.
- [Release notes](https://github.com/moby/buildkit/releases)
- [Commits](moby/buildkit@v0.11.6...v0.12.0)

---
updated-dependencies:
- dependency-name: github.com/moby/buildkit
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* Ack linter warning and add tracking issue. (ossf#3263)

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🐛 Forgive job-level permissions (ossf#3162)

* Forgive all job-level permissions

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Update tests

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Replace magic number

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Rename test

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Test that multiple job-level permissions are forgiven

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Drop unused permissionIsPresent

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Update documentation

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Modify score descriptions

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Document warning for job-level permissions

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* List job-level permissions that get WARNed

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

---------

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🐛 Fix typo (ossf#3267)

Signed-off-by: Eugene Kliuchnikov <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 📖  Suggest new score viewer on badge documentation (ossf#3268)

* docs(readme): suggest new score viewer on badge documentation

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>

* docs(readme): add link to ossf blogpost about the badge

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>

* docs: update badge of our own README to the new viewer

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>

---------

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump tj-actions/changed-files from 37.1.1 to 37.1.2 (ossf#3266)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.1 to 37.1.2.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@1f20fb8...2a968ff)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱 Update the cover profile for e2e (ossf#3271)

- Update the cover profile for e2e

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Improve e2e workflow tests (ossf#3273)

- Add e2e test for workflow runs
- Retrieve successful runs of the scorecard-analysis.yml workflow

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Excluded dependabot from codecov (ossf#3272)

- Exclude dependabot from codecov job in main.yml

[.github/workflows/main.yml]
- Exclude dependabot from codecov job

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Increase test coverage for searching commits (ossf#3276)

- Add an e2e test for searching commits by author
- Search commits by author `dependabot[bot]` and expect results

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🐛 Fix Branch-Protection scoring (ossf#3251)

* fix: Verify if branch is required to be up to date before merge

Signed-off-by: Gabriela Gutierrez <[email protected]>

* docs: Comment tracking GraphQL bug

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Add validation if pointers are not null before accessing the values

Signed-off-by: Gabriela Gutierrez <[email protected]>

* fix: Delete debug log file

Signed-off-by: Gabriela Gutierrez <[email protected]>

---------

Signed-off-by: Gabriela Gutierrez <[email protected]>
Signed-off-by: André Backman <[email protected]>

* ✨ scdiff: generate cmd skeleton (ossf#3275)

* add scdiff root command

Signed-off-by: Spencer Schrock <[email protected]>

* Add generate boilerplate.

Signed-off-by: Spencer Schrock <[email protected]>

* get rid of init

Signed-off-by: Spencer Schrock <[email protected]>

* read newline delimitted repo file

Signed-off-by: Spencer Schrock <[email protected]>

* Run scorecard and echo results.

Signed-off-by: Spencer Schrock <[email protected]>

* add license

Signed-off-by: Spencer Schrock <[email protected]>

* add basic runner tests.

Signed-off-by: Spencer Schrock <[email protected]>

* Add Runner comment.

Signed-off-by: Spencer Schrock <[email protected]>

* switch to using scorecard logger.

Signed-off-by: Spencer Schrock <[email protected]>

* linter fix

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Delete unused project-update functionality. (ossf#3269)

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump tj-actions/changed-files from 37.1.2 to 37.3.0 (ossf#3280)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.2 to 37.3.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@2a968ff...3928317)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump github.com/google/osv-scanner from 1.3.5 to 1.3.6 (ossf#3281)

Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.5 to 1.3.6.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](google/osv-scanner@v1.3.5...v1.3.6)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump gocloud.dev from 0.30.0 to 0.32.0 (ossf#3284)

Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.30.0 to 0.32.0.
- [Release notes](https://github.com/google/go-cloud/releases)
- [Commits](google/go-cloud@v0.30.0...v0.32.0)

---
updated-dependencies:
- dependency-name: gocloud.dev
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱 Include attestor Dockerfile in CI and dependabot updates (ossf#3285)

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump tj-actions/changed-files from 37.3.0 to 37.4.0

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.3.0 to 37.4.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@3928317...de0eba3)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump google-appengine/debian11 in /attestor

Bumps google-appengine/debian11 from `fed7dd5` to `97dc4fb`.

---
updated-dependencies:
- dependency-name: google-appengine/debian11
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump github.com/xanzy/go-gitlab from 0.86.0 to 0.88.0

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.86.0 to 0.88.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](xanzy/go-gitlab@v0.86.0...v0.88.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Use a matrix for docker image building (ossf#3290)

* working matrix.

Signed-off-by: Spencer Schrock <[email protected]>

* Remove unneeded env vars. Add comments.

Signed-off-by: Spencer Schrock <[email protected]>

* minor syntax change.

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Improve e2e workflow tests (ossf#3282)

- Ensure that only head queries are supported in workflow tests
- Add a test to detect when a non-existent workflow file is used

[e2e/workflow_test.go]
- Add a test to check that only head queries are supported
- Add a test to check that a non-existent workflow file returns an error

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Use a matrix for when building binaries in main.yml (ossf#3291)

* Use matrix for build jobs.

Signed-off-by: Spencer Schrock <[email protected]>

* These build targets dont seem to need protoc.

This lets us save the API quota.

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Fix hanging docker jobs for doc only changes. (ossf#3292)

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 📖 Add contributor ladder (ossf#3246)

* Add contributor ladder

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Clarify sponsorship

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Hope for retirement warning

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* 1 maintainer can sponsor a community member

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

* Apply suggestions from code review

Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: Pedro Nacht <[email protected]>

---------

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Signed-off-by: Pedro Nacht <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Consolidate GitLab e2e workflows. (ossf#3278)

* Move gitlab to different workflow to parallelize.

Signed-off-by: Spencer Schrock <[email protected]>

* Add missing versions.

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Add separate cache for long-running tests (ossf#3293)

* Add separate cache for unit tests.

Signed-off-by: Spencer Schrock <[email protected]>

* share cache with gitlab tests too.

Signed-off-by: Spencer Schrock <[email protected]>

* share cache with github integration tests.

Signed-off-by: Spencer Schrock <[email protected]>

* explicitly download modules in unit test job

Signed-off-by: Spencer Schrock <[email protected]>

* checkout needs to be before the go.mod is read.

Signed-off-by: Spencer Schrock <[email protected]>

* checkout needs to be before the go.sum files are hashed.

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.0 (ossf#3297)

Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.7.0 to 5.8.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.7.0...v5.8.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱 Bump github.com/onsi/gomega from 1.27.8 to 1.27.9 (ossf#3298)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.8 to 1.27.9.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.27.8...v1.27.9)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: André Backman <[email protected]>

* 🌱 Improve search commit e2e tests (ossf#3295)

- Add 2 tests for searching commits in e2e/searchCommits_test.go
- Fix errors in e2e/searchCommits_test.go when not using HEAD or when user does not exist

[e2e/searchCommits_test.go]
- Add 2 tests for searching commits
- Fix error when not using HEAD
- Fix error when user does not exist

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 📖  update docs for webhooks documentation (ossf#3299)

* update docs for webhooks documentation

Signed-off-by: leec94 <[email protected]>

* change webhook severity in readme

Signed-off-by: leec94 <[email protected]>

---------

Signed-off-by: leec94 <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Unit tests OSSFuzz client (ossf#3301)

* 🌱 Unit tests OSSFuzz client

- Included tests for  IsArchived, LocalPath, ListFiles, GetFileContent, GetBranch, GetDefaultBranch, GetOrgRepoClient, GetDefaultBranchName, ListCommits, ListIssues, ListReleases, ListContributors, ListSuccessfulWorkflowRuns, ListCheckRunsForRef, ListStatuses, ListWebhooks, SearchCommits, Close, ListProgrammingLanguages,

Signed-off-by: naveensrinivasan <[email protected]>

* Improve OSSFuzz client tests

[clients/ossfuzz/client_test.go]
- Add a test for the `GetCreatedAt` method
- Fix the `URI` method to return the correct value

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: André Backman <[email protected]>

* 🌱 Ensure check markdown is kept in sync with source yaml. (ossf#3300)

* Ensure check markdown is kept in sync with check yaml.

Signed-off-by: Spencer Schrock <[email protected]>

* change generate-docs target to detect changes to docs/checks.md directly.

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: André Backman <[email protected]>

* Update def.yml license

Signed-off-by: André Backman <[email protected]>
Signed-off-by: André Backman <[email protected]>

* Update def.yml license

Signed-off-by: André Backman <[email protected]>
Signed-off-by: André Backman <[email protected]>

* Update def.yml license

Signed-off-by: André Backman <[email protected]>
Signed-off-by: André Backman <[email protected]>

* Update code_review.go license

Signed-off-by: André Backman <[email protected]>
Signed-off-by: André Backman <[email protected]>

* Update entries.go; CodeReviewChecks now called CodeReview

Signed-off-by: André Backman <[email protected]>
Signed-off-by: André Backman <[email protected]>

* refactor codeReviewTwoReviewers; moved utility functions into impl.go

Signed-off-by: André Backman <[email protected]>

* Update impl.go, refactor codeReviewTwoReviewers; moved utility functions into impl.go

Signed-off-by: André Backman <[email protected]>

* Update go.mod, aligned imports

Signed-off-by: André Backman <[email protected]>

* update license comments

Signed-off-by: André Backman <[email protected]>

* update license comments

Signed-off-by: André Backman <[email protected]>

* change EOL = CRLF to LF

Signed-off-by: André Backman <[email protected]>

* add error handling in case of no changesets

Signed-off-by: André Backman <[email protected]>

* completed tests for code-review probes

Signed-off-by: André Backman <[email protected]>

* update codeReview probes and utils

Signed-off-by: André Backman <[email protected]>

* fixed some lint errors, check for more

Signed-off-by: André Backman <[email protected]>

* fixed lint issues

Signed-off-by: André Backman <[email protected]>

* fix lint errors

Signed-off-by: André Backman <[email protected]>

* add test for multiple reviews with only one unique reviewer

Signed-off-by: André Backman <[email protected]>

* simplify func uniqueReviewers, use map[string]bool

Signed-off-by: André Backman <[email protected]>

* fix linting error

Signed-off-by: André Backman <[email protected]>

* moved probe tests to their own function

Signed-off-by: André Backman <[email protected]>

* fix comment syntax

Signed-off-by: André Backman <[email protected]>

* gci-ed files to fix linter errors

Signed-off-by: André Backman <[email protected]>

* implement change to skip bot-authored changesets that are reviewed/approved

Signed-off-by: André Backman <[email protected]>

* rewrite finding message

Signed-off-by: André Backman <[email protected]>

* fix output message; do not count the number of approved bot-authored changesets

Signed-off-by: André Backman <[email protected]>

* fix typos

Signed-off-by: André Backman <[email protected]>

* moved probe tests to their corresponding location

Signed-off-by: André Backman <[email protected]>

* removed redundant probe codeReviewed

Signed-off-by: André Backman <[email protected]>

* Update probes/codeApproved/def.yml

Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: jitsengupta17 <[email protected]>

* Update probes/codeApproved/def.yml

Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: jitsengupta17 <[email protected]>

* Update probes/codeApproved/def.yml

Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: jitsengupta17 <[email protected]>

* Update probes/codeApproved/def.yml

Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: jitsengupta17 <[email protected]>

* Update probes/codeApproved/def.yml

Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: jitsengupta17 <[email protected]>

* Update probes/codeReviewOneReviewers/def.yml

Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: jitsengupta17 <[email protected]>

* Lint

Signed-off-by: Raghav Kaul <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: André Backman <[email protected]>
Signed-off-by: André Backman <[email protected]>
Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Gabriela Gutierrez <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Ajmal Kottilingal <[email protected]>
Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Signed-off-by: Eugene Kliuchnikov <[email protected]>
Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Signed-off-by: Pedro Nacht <[email protected]>
Signed-off-by: leec94 <[email protected]>
Signed-off-by: André Backman <[email protected]>
Signed-off-by: jitsengupta17 <[email protected]>
Signed-off-by: Raghav Kaul <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: André Backman <[email protected]>
Co-authored-by: Naveen <[email protected]>
Co-authored-by: Gabriela Gutierrez <[email protected]>
Co-authored-by: Pedro Nacht <[email protected]>
Co-authored-by: Spencer Schrock <[email protected]>
Co-authored-by: Ajmal Kottilingal <[email protected]>
Co-authored-by: Pedro Nacht <[email protected]>
Co-authored-by: Eugene Kliuchnikov <[email protected]>
Co-authored-by: Diogo Teles Sant'Anna <[email protected]>
Co-authored-by: Caroline <[email protected]>
Co-authored-by: jitsengupta17 <[email protected]>
Co-authored-by: Raghav Kaul <[email protected]>
Co-authored-by: gowriNSN <[email protected]>
Co-authored-by: Raghav Kaul <[email protected]>
* spelling: accurate

Signed-off-by: Josh Soref <[email protected]>

* spelling: administrator

Signed-off-by: Josh Soref <[email protected]>

* spelling: analyze

Signed-off-by: Josh Soref <[email protected]>

* spelling: andtwenty

Signed-off-by: Josh Soref <[email protected]>

* spelling: ascii

Signed-off-by: Josh Soref <[email protected]>

* spelling: association

Signed-off-by: Josh Soref <[email protected]>

* spelling: at least

Signed-off-by: Josh Soref <[email protected]>

* spelling: attestor

Signed-off-by: Josh Soref <[email protected]>

* spelling: barbaric

Signed-off-by: Josh Soref <[email protected]>

* spelling: bucket

Signed-off-by: Josh Soref <[email protected]>

* spelling: by

Signed-off-by: Josh Soref <[email protected]>

* spelling: can

Signed-off-by: Josh Soref <[email protected]>

* spelling: case-insensitive

Signed-off-by: Josh Soref <[email protected]>

* spelling: case-sensitive

Signed-off-by: Josh Soref <[email protected]>

* spelling: checking

Signed-off-by: Josh Soref <[email protected]>

* spelling: command-line

Signed-off-by: Josh Soref <[email protected]>

* spelling: commit

Signed-off-by: Josh Soref <[email protected]>

* spelling: committed

Signed-off-by: Josh Soref <[email protected]>

* spelling: conclusion

Signed-off-by: Josh Soref <[email protected]>

* spelling: corresponding

Signed-off-by: Josh Soref <[email protected]>

* spelling: created

Signed-off-by: Josh Soref <[email protected]>

* spelling: dataset

Signed-off-by: Josh Soref <[email protected]>

* spelling: default

Signed-off-by: Josh Soref <[email protected]>

* spelling: defines

Signed-off-by: Josh Soref <[email protected]>

* spelling: dependabot

Signed-off-by: Josh Soref <[email protected]>

* spelling: dependency

Signed-off-by: Josh Soref <[email protected]>

* spelling: depending

Signed-off-by: Josh Soref <[email protected]>

* spelling: desired

Signed-off-by: Josh Soref <[email protected]>

* spelling: different

Signed-off-by: Josh Soref <[email protected]>

* spelling: disclose

Signed-off-by: Josh Soref <[email protected]>

* spelling: download

Signed-off-by: Josh Soref <[email protected]>

* spelling: each

Signed-off-by: Josh Soref <[email protected]>

* spelling: enforce

Signed-off-by: Josh Soref <[email protected]>

* spelling: every time

Signed-off-by: Josh Soref <[email protected]>

* spelling: exist

Signed-off-by: Josh Soref <[email protected]>

* spelling: existing

Signed-off-by: Josh Soref <[email protected]>

* spelling: fields

Signed-off-by: Josh Soref <[email protected]>

* spelling: files

Signed-off-by: Josh Soref <[email protected]>

* spelling: for

Signed-off-by: Josh Soref <[email protected]>

* spelling: force-push

Signed-off-by: Josh Soref <[email protected]>

* spelling: github

Signed-off-by: Josh Soref <[email protected]>

* spelling: gitlab

Signed-off-by: Josh Soref <[email protected]>

* spelling: ignoreed

Signed-off-by: Josh Soref <[email protected]>

* spelling: implementation

Signed-off-by: Josh Soref <[email protected]>

* spelling: implements

Signed-off-by: Josh Soref <[email protected]>

* spelling: increase

Signed-off-by: Josh Soref <[email protected]>

* spelling: indicates

Signed-off-by: Josh Soref <[email protected]>

* spelling: initialized

Signed-off-by: Josh Soref <[email protected]>

* spelling: instructions

Signed-off-by: Josh Soref <[email protected]>

* spelling: invalid

Signed-off-by: Josh Soref <[email protected]>

* spelling: marshal

Signed-off-by: Josh Soref <[email protected]>

* spelling: match

Signed-off-by: Josh Soref <[email protected]>

* spelling: name

Signed-off-by: Josh Soref <[email protected]>

* spelling: nonexistent

Signed-off-by: Josh Soref <[email protected]>

* spelling: organization

Signed-off-by: Josh Soref <[email protected]>

* spelling: package

Signed-off-by: Josh Soref <[email protected]>

* spelling: provenance

Signed-off-by: Josh Soref <[email protected]>

* spelling: query

Signed-off-by: Josh Soref <[email protected]>

* spelling: readers

Signed-off-by: Josh Soref <[email protected]>

* spelling: receive

Signed-off-by: Josh Soref <[email protected]>

* spelling: registered

Signed-off-by: Josh Soref <[email protected]>

* spelling: remediate

Signed-off-by: Josh Soref <[email protected]>

* spelling: representation

Signed-off-by: Josh Soref <[email protected]>

* spelling: requests

Signed-off-by: Josh Soref <[email protected]>

* spelling: requires

Signed-off-by: Josh Soref <[email protected]>

* spelling: return

Signed-off-by: Josh Soref <[email protected]>

* spelling: scorecard

Signed-off-by: Josh Soref <[email protected]>

* spelling: separator

Signed-off-by: Josh Soref <[email protected]>

* spelling: serialization

Signed-off-by: Josh Soref <[email protected]>

* spelling: sign up

Signed-off-by: Josh Soref <[email protected]>

* spelling: specifications

Signed-off-by: Josh Soref <[email protected]>

* spelling: specified

Signed-off-by: Josh Soref <[email protected]>

* spelling: success

Signed-off-by: Josh Soref <[email protected]>

* spelling: successfully

Signed-off-by: Josh Soref <[email protected]>

* spelling: the

Signed-off-by: Josh Soref <[email protected]>

* spelling: their

Signed-off-by: Josh Soref <[email protected]>

* spelling: twenty

Signed-off-by: Josh Soref <[email protected]>

* spelling: unexpected

Signed-off-by: Josh Soref <[email protected]>

* spelling: unused

Signed-off-by: Josh Soref <[email protected]>

* spelling: unverified

Signed-off-by: Josh Soref <[email protected]>

* spelling: validate

Signed-off-by: Josh Soref <[email protected]>

* spelling: vendor

Signed-off-by: Josh Soref <[email protected]>

* spelling: vulnerabilities

Signed-off-by: Josh Soref <[email protected]>

* spelling: vulns

Signed-off-by: Josh Soref <[email protected]>

* spelling: will

Signed-off-by: Josh Soref <[email protected]>

* spelling: without

Signed-off-by: Josh Soref <[email protected]>

* spelling: workflow

Signed-off-by: Josh Soref <[email protected]>

* spelling: workflows

Signed-off-by: Josh Soref <[email protected]>

---------

Signed-off-by: Josh Soref <[email protected]>
)

also organize the list in order of appearance on website.
this makes it easier to compare.

Signed-off-by: Spencer Schrock <[email protected]>
Bumps the github-actions group with 3 updates: [tj-actions/changed-files](https://github.com/tj-actions/changed-files), [codecov/codecov-action](https://github.com/codecov/codecov-action) and [actions/upload-artifact](https://github.com/actions/upload-artifact).


Updates `tj-actions/changed-files` from 42.0.0 to 42.0.2
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@ae82ed4...90a06d6)

Updates `codecov/codecov-action` from 3.1.4 to 3.1.5
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@eaaf4be...4fe8c5f)

Updates `actions/upload-artifact` from 4.2.0 to 4.3.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@694cdab...26f96df)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.18.0 to 0.19.0.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.18.0...v0.19.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* test failures should print the details they receive

this makes debugging failing tests easier.

Signed-off-by: Spencer Schrock <[email protected]>

* use GinkgoTB so the test helpers work instead of panicing

Signed-off-by: Spencer Schrock <[email protected]>

* ValidateTestReturn will fail the test directly, no need for the bool return

Signed-off-by: Spencer Schrock <[email protected]>

* clarify diff details

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
…onent (ossf#3819)

* Add GL_HOST env flag

Self-hosted instances which dont use a subdomain result in broken API links.
This change may not be finished, but is intended to evaluate the solution.

Previously, self hosted instances where the instance is part of the path (foo.com/gitlab/owner/repo)
would have their API base URL registered as foo.com/api/v4/ instead of foo.com/gitlab/api/v4/

Signed-off-by: Spencer Schrock <[email protected]>

* include token in gitlab project probe

Signed-off-by: Spencer Schrock <[email protected]>

* consider GL_HOST when parsing gitlab repo urls

Signed-off-by: Spencer Schrock <[email protected]>

* remove unneeded GL_HOST parsing

now that repoURL_parse handles GL_HOST, we dont need it elsewhere.

Signed-off-by: Spencer Schrock <[email protected]>

* cleanup

Signed-off-by: Spencer Schrock <[email protected]>

* mention GL_HOST in readme

Signed-off-by: Spencer Schrock <[email protected]>

* fix linter

Signed-off-by: Spencer Schrock <[email protected]>

* handle GL_HOST without scheme

Signed-off-by: Spencer Schrock <[email protected]>

* move api-less check earlier

if we can avoid an API call, do it.

Signed-off-by: Spencer Schrock <[email protected]>

* try listing projects with and without auth token

Signed-off-by: Spencer Schrock <[email protected]>

* fix linter

Signed-off-by: Spencer Schrock <[email protected]>

* revert passing token to list projects

the simpler the better

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
* 🌱 Bump github.com/google/osv-scanner from 1.6.1 to 1.6.2

Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.6.1 to 1.6.2.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](google/osv-scanner@v1.6.1...v1.6.2)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* specify go patch version

go mod tidy requires this. I was able to delete the toolchain directive,
and it wasn't added back.

Signed-off-by: Spencer Schrock <[email protected]>

* bump dockerfiles to 1.21.6 so the build works

Signed-off-by: Spencer Schrock <[email protected]>

* bump go version used in codeql workflow

github runners currently use Go 1.20 by default,
which doesn't understand 1.21.x format.

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <[email protected]>
Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.12.4 to 0.12.5.
- [Release notes](https://github.com/moby/buildkit/releases)
- [Commits](moby/buildkit@v0.12.4...v0.12.5)

---
updated-dependencies:
- dependency-name: github.com/moby/buildkit
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@cx-monicac cx-monicac merged commit 40961d3 into main Feb 28, 2024
32 of 38 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.