Skip to content

Commit

Permalink
✨ add --nuget package manager flag (ossf#3020)
Browse files Browse the repository at this point in the history
* add nuget package manager

Signed-off-by: Avishay <[email protected]>

* fix pat test messages (#2987)

* also fix pat tests

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump slsa-framework/slsa-github-generator from 1.5.0 to 1.6.0

Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0)

---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump cloud.google.com/go/bigquery from 1.51.1 to 1.51.2 (#2984)

Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.51.1 to 1.51.2.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.51.1...bigquery/v1.51.2)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang.org/x/tools from 0.9.0 to 0.9.1

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.0 to 0.9.1.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.0...v0.9.1)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :bug: Update osv-scanner dependency to include Vulnerabilities check fixes (#2981)

* Update osv-scanner dependency to include Vulnerabilities check fixes

Signed-off-by: Laurent Savaëte <[email protected]>

* Run go mod tidy

Signed-off-by: Laurent Savaëte <[email protected]>

---------

Signed-off-by: Laurent Savaëte <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/docker/distribution in /tools (#2993)

Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible.
- [Release notes](https://github.com/docker/distribution/releases)
- [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2)

---
updated-dependencies:
- dependency-name: github.com/docker/distribution
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* 🌱 Gitlab: e2e test fixes in main (#2992)

* test secret chagnes

Signed-off-by: Raghav Kaul <[email protected]>

* update score

Signed-off-by: Raghav Kaul <[email protected]>

* address cr comments

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

---------

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Unit tests log/log.go (#2980)

- Add unit tests for the log package
- Add Apache License to log_test.go

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/cloudflare/circl in /tools (#2995)

Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.2.0 to 1.3.3.
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](https://github.com/cloudflare/circl/compare/v1.2.0...v1.3.3)

---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :sparkles: Add releasing workflow for semantic-release (#2989)

Signed-off-by: Matt Travi <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump slsa-framework/slsa-verifier from 2.2.0 to 2.3.0

Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/slsa-framework/slsa-verifier/releases)
- [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md)
- [Commits](https://github.com/slsa-framework/slsa-verifier/compare/v2.2.0...v2.3.0)

---
updated-dependencies:
- dependency-name: slsa-framework/slsa-verifier
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#2994)

Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.1.0 to 1.3.3.
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](https://github.com/cloudflare/circl/compare/v1.1.0...v1.3.3)

---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934)

* :seedling: Additional e2e clients/githubrepo/checkruns.go

- Add `net/http` and `github.com/google/go-github/v38/github` imports
- Add a test for `listCheckRunsForRef` with valid ref
- Add a test for `listCheckRunsForRef` with invalid ref

Signed-off-by: naveensrinivasan <[email protected]>

* Based on code review comments

Signed-off-by: naveensrinivasan <[email protected]>

* Some tweaks

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: E2E for clients/githubrepo/contributors.go (#2939)

* :seedling: E2E for clients/githubrepo/contributors.go

- Add an end-to-end test for `contributorsHandler`

Signed-off-by: naveensrinivasan <[email protected]>

* Fixed based on code review comments.

Signed-off-by: naveensrinivasan <[email protected]>

* Fixed codereview comment.

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :book: Clarify that AI/ML doesn't count as human code review (#2953)

* Clarify that AI/ML doesn't count as human code review

Add this clarification per the Scorecards Zoom call meeting today
(2023-05-04).

Signed-off-by: David A. Wheeler <[email protected]>

* Tweaked per review

Signed-off-by: David A. Wheeler <[email protected]>

---------

Signed-off-by: David A. Wheeler <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/cii

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /cron/internal/controller

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /cron/internal/worker

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang from `31a8f92` to `685a22e`

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/bq

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /cron/internal/webhook

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* Clarify AI/ML not human code review - in .yml file (#3012)

This clarifies that AI/ML doesn't count as human code review.
This was earlier done in #2953 but that didn't modify the relevant
.yml file - this does.

Signed-off-by: David A. Wheeler <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#3005)

Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.7.0 to 0.8.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.7.0...v0.8.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Unit tests for checks/raw/maintained.go (#2996)

- Add tests and checks for the `Maintained` function
- Add checks for `IsArchived`, `ListCommits`, `ListIssues`, and `GetCreatedAt`

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 in /tools

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump actions/setup-go from 4.0.0 to 4.0.1

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/4d34df0c2316fe8122ab82dc22947d607c0c91f9...fac708d6674e30b6ba41289acaab6d4b75aa0753)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump codecov/codecov-action from 3.1.3 to 3.1.4

Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/894ff025c7b54547a9a2a1e9f228beae737ad3c2...eaaf4bedf32dbdc6b720b63067d99c4d77d6047d)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Unit tests for Policy.go (#3003)

- Included tests for policy.go

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump sigstore/cosign-installer from 3.0.3 to 3.0.4

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/204a51a57a74d190b284a0ce69b44bc37201f343...03d0fecf172873164a163bbc64bed0f3bf114ed7)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/google/go-containerregistry (#3025)

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.1 to 0.15.2.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.15.1...v0.15.2)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1

Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.1.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.1)

---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Included e2e tests for push to main (#2951)

- Update trigger for integration tests to enable running on `push` and `pull_request` on the `main` branch

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Included directories that don't require coverage (#3002)

- Included directories that don't require coverage.

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Unit tests for checks/raw/contributors.go (#2998)

- Add tests and fix casing for Contributors function in checks/raw/contributors_test.go

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* ✨ GitLab: Code Review check (#2764)

* Add GitLab support for Code-Review check

Signed-off-by: Raghav Kaul <[email protected]>

* Remove spurious printf

Signed-off-by: Raghav Kaul <[email protected]>

* Working commit

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

* e2e test

Signed-off-by: Raghav Kaul <[email protected]>

* update: test coverage

Signed-off-by: Raghav Kaul <[email protected]>

---------

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* gitlab: license check (#2834)

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#3031)

Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.1 to 1.9.2.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.1...v1.9.2)

---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/google/osv-scanner

Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3-0.20230509011216-baae1796eeea to 1.3.3.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/commits/v1.3.3)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#3029)

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/03d0fecf172873164a163bbc64bed0f3bf114ed7...dd6b2e2b610a11fd73dd187a43d57cc1394e35f9)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump arduino/setup-protoc from 1.1.2 to 1.2.0

Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.1.2 to 1.2.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](https://github.com/arduino/setup-protoc/compare/64c0c85d18e984422218383b81c52f8b077404d3...4b3578161eece2eb20a9dfd84bb8ed105e684dba)

---
updated-dependencies:
- dependency-name: arduino/setup-protoc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :sparkles: Add support for github GHES (#2999)

* :sparkles: adding support for github GHES

Signed-off-by: Niket Patel <[email protected]>

* fix: lint and cleanup

Signed-off-by: Niket Patel <[email protected]>

* fix: flaky test

Signed-off-by: Niket Patel <[email protected]>

* fix: address missing host

Signed-off-by: Niket Patel <[email protected]>

* fix: lint error

Signed-off-by: Niket Patel <[email protected]>

* :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934)

* :seedling: Additional e2e clients/githubrepo/checkruns.go

- Add `net/http` and `github.com/google/go-github/v38/github` imports
- Add a test for `listCheckRunsForRef` with valid ref
- Add a test for `listCheckRunsForRef` with invalid ref

Signed-off-by: naveensrinivasan <[email protected]>

* Based on code review comments

Signed-off-by: naveensrinivasan <[email protected]>

* Some tweaks

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Niket Patel <[email protected]>

* :seedling: E2E for clients/githubrepo/contributors.go (#2939)

* :seedling: E2E for clients/githubrepo/contributors.go

- Add an end-to-end test for `contributorsHandler`

Signed-off-by: naveensrinivasan <[email protected]>

* Fixed based on code review comments.

Signed-off-by: naveensrinivasan <[email protected]>

* Fixed codereview comment.

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Niket Patel <[email protected]>

* chore: add GHES instructions

Signed-off-by: Niket Patel <[email protected]>

* refact: use test setenv

Signed-off-by: Niket Patel <[email protected]>

* fix: corp unit test

Signed-off-by: Niket Patel <[email protected]>

---------

Signed-off-by: Niket Patel <[email protected]>
Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Niket Patel <[email protected]>
Co-authored-by: Naveen <[email protected]>
Co-authored-by: raghavkaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* Change Facilitators to Maintainers (#3039)

Not sure what the old facilitators table was for. Current list of Maintainers is always in CODEOWNERS.

Meaning of "Maintainers" still is not defined, and should be a part of an upcoming contributor ladder.

Signed-off-by: Jeff Mendoza <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :bug: Gitlab: Commit/Commitor Exceptions (#3026)

* feat: Added paging for contributor/users against gitlab projects

Signed-off-by: Robison, Jim B <[email protected]>

* refactor: Updated the bot flag for unmatched users

Signed-off-by: Robison, Jim B <[email protected]>

* fix: Not all commit users are in the git registry instance

Signed-off-by: Robison, Jim B <[email protected]>

* fix: Skipping check if the email is empty, as well as if the "email" doesn't contain a "." char.

Signed-off-by: Robison, Jim B <[email protected]>

* fix: Updated to allow for commits with PRs to be accounted/added to the client.commits

Signed-off-by: Robison, Jim B <[email protected]>

* refactor: Updated to prevent linting issue regarding nested if's

Signed-off-by: Robison, Jim B <[email protected]>

* test: Adding coverage for commits and contributors for gitlab

Signed-off-by: Robison, Jim B <[email protected]>

* refactor: Moved queries from the client to their own functions

Signed-off-by: Robison, Jim B <[email protected]>

* bug: Need to pass the ProjectID value to the contributor query

Signed-off-by: Robison, Jim B <[email protected]>

* bug: Updating project title versus projectID values for api querying

Signed-off-by: Robison, Jim B <[email protected]>

* test: Updated tests to match expected property set for projectID

Signed-off-by: Robison, Jim B <[email protected]>

* revert: Reverted based on feedback during review

Signed-off-by: Robison, Jim B <[email protected]>

---------

Signed-off-by: Robison, Jim B <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#3040)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :book: Make all StepSecurity app endpoint references consistent (#3042)

Signed-off-by: Ashish Kurmi <[email protected]>
Signed-off-by: Avishay <[email protected]>

* 📖 Update checks.md to show the benefit of >=2 reviewers (#3013)

* Update checks.yaml instead of cehcks.md

Signed-off-by: Joyce <[email protected]>

* feat: generate checks.md

Signed-off-by: Joyce Brum <[email protected]>

---------

Signed-off-by: Joyce <[email protected]>
Signed-off-by: Joyce Brum <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Improve workflow pinning remediation tests (#3021)

- Add 3 tests for workflow pinning remediation

[remediation/remediations_test.go]
- Add 3 tests for workflow pinning remediation

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go (#3000)

* :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go

- Included e2e tests for clients/githubrepo/languages_e2e_test.go

Signed-off-by: naveensrinivasan <[email protected]>

* Fixed the token type check.

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Naveen <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Unit tests for pkg/json_raw_results (#3044)

* :seedling: Unit tests for pkg/json_raw_results.go

- Unit tests for pkg/json_raw_results.go

Signed-off-by: naveensrinivasan <[email protected]>

* Additional tests

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* ✨  [experimental] Add probe code and support for Tool-Update-Dependency (#2944)

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

---------

Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: Avishay <[email protected]>

* add zoom link and agenda link (#3050)

Signed-off-by: Amanda L Martin <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Run E2E PAT test for push to main (#3046)

- Add E2E PAT tests for push to main.

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* Update main.yml (#3054)

-Fixed the YAML indenting issue.

Signed-off-by: Naveen <[email protected]>
Signed-off-by: Avishay <[email protected]>

* only run e2e pat on push (#3056)

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#3057)

Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :book: :ghost: fix anchor link to the code review section (#3058)

* fix anchor link to code-review in checks.yaml

Signed-off-by: dasfreak <[email protected]>
Signed-off-by: Marc Ohm <[email protected]>

* generate checks.md

Signed-off-by: Marc Ohm <[email protected]>

---------

Signed-off-by: dasfreak <[email protected]>
Signed-off-by: Marc Ohm <[email protected]>
Signed-off-by: Avishay <[email protected]>

* 🐛 Gitlab: Tests (#3027)

* fix tests

Signed-off-by: Raghav Kaul <[email protected]>

* use projectID instead of project where applicable

Signed-off-by: Raghav Kaul <[email protected]>

* pass ref as listcommitoption

Signed-off-by: Raghav Kaul <[email protected]>

* update tests

* CI-Tests: check if score > 0. pull request client is limited and can't
go back to arbitrary pull requests. CI-Tests don't run on forks, so this
can't be pinned either. But, for active repositories, we typically
expect *some* tests to be run

Signed-off-by: Raghav Kaul <[email protected]>

* fix commitshandler commitSHA tests

Signed-off-by: Raghav Kaul <[email protected]>

* update tests

Signed-off-by: Raghav Kaul <[email protected]>

---------

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: raghavkaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/goreleaser/nfpm/v2 in /tools (#3060)

Bumps [github.com/goreleaser/nfpm/v2](https://github.com/goreleaser/nfpm) from 2.28.0 to 2.29.0.
- [Release notes](https://github.com/goreleaser/nfpm/releases)
- [Changelog](https://github.com/goreleaser/nfpm/blob/main/.goreleaser.yml)
- [Commits](https://github.com/goreleaser/nfpm/compare/v2.28.0...v2.29.0)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/nfpm/v2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* ✨ Gitlab: Add projects to cron (#2936)

* cron: add gitlab projects

* support gitlab client
* simplify gitlab detection

Signed-off-by: Raghav Kaul <[email protected]>

* fix MakeGitlabRepo

* shortcut when repo url is github.com
* fixes add-projects, validate-projects

Signed-off-by: Raghav Kaul <[email protected]>

* Move gitlab repos to release controller

Signed-off-by: Raghav Kaul <[email protected]>

* Add csv headers

Signed-off-by: Raghav Kaul <[email protected]>

* Use gitlab.WithBaseURL

Signed-off-by: Raghav Kaul <[email protected]>

* formatting & logging

Signed-off-by: Raghav Kaul <[email protected]>

* remove spurious test

Signed-off-by: Raghav Kaul <[email protected]>

* consolidate logic

Signed-off-by: Raghav Kaul <[email protected]>

* Turn on experimental flag

Signed-off-by: Raghav Kaul <[email protected]>

* Add projects

Signed-off-by: Raghav Kaul <[email protected]>

* Update client

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

---------

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Simplify caching in docker workflow (#3061)

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github/codeql-action from 2.3.3 to 2.3.4 (#3064)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/29b1f65c5e92e24fe6b6647da1eaabe529cec70f...f0e3dfb30302f8a0881bb509b044e0de4f6ef589)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump cloud.google.com/go/pubsub from 1.30.1 to 1.31.0 (#3065)

Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.30.1 to 1.31.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.30.1...pubsub/v1.31.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* 🐛 gitlab: cron  (#3070)

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github/codeql-action from 2.3.4 to 2.3.5 (#3072)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.4 to 2.3.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/f0e3dfb30302f8a0881bb509b044e0de4f6ef589...0225834cc549ee0ca93cb085b92954821a145866)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump tj-actions/changed-files from 35.9.2 to 36.0.3 (#3071)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.9.2 to 36.0.3.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/b2d17f51244a144849c6b37a3a6791b98a51d86f...25eaddf37ae893cec889065e9a60439c8af6f089)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* 🐛 Gitlab status updates (#3052)

* doc: Updating gitlab support validation status

Signed-off-by: Robison, Jim B <[email protected]>

* bug: Updated  logic for gitlab to prevent exceptions based on releases

Signed-off-by: Robison, Jim B <[email protected]>

* test: Added initial tests for gitlab branches

Signed-off-by: Robison, Jim B <[email protected]>

* doc: Updated general README

Signed-off-by: Robison, Jim B <[email protected]>

* refactor: Cleaned up the query for pipelines to be focused on the commitID

Signed-off-by: Robison, Jim B <[email protected]>

* feat: Allowed for a non-graphql method of retrieving MRs associated to a commit

Signed-off-by: Robison, Jim B <[email protected]>

* doc: Updated status for the CI-Tests

Signed-off-by: Robison, Jim B <[email protected]>

* bug: Updated the host url for graphql querying. This enabled the removal of the code added for handling empty returns when executing against a non-gitlab.com repository.

Signed-off-by: Robison, Jim B <[email protected]>

---------

Signed-off-by: Robison, Jim B <[email protected]>
Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 in /tools (#3079)

Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.1.1 to 1.2.0.
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/rekor/compare/v1.1.1...v1.2.0)

---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* get nuget latest version from registration URL

Signed-off-by: Avishay <[email protected]>

* better coverage

Signed-off-by: Avishay <[email protected]>

* sign

Signed-off-by: Avishay <[email protected]>

* fix tests

Signed-off-by: Avishay <[email protected]>

* more tests

Signed-off-by: Avishay <[email protected]>

* client tests

Signed-off-by: Avishay <[email protected]>

* lint

Signed-off-by: Avishay <[email protected]>

* Apply suggestions from code review

Co-authored-by: Joel Verhagen <[email protected]>
Signed-off-by: Avishay Balter <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang from `685a22e` to `690e413` (#3080)

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/cii

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /cron/internal/controller

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /cron/internal/worker

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /cron/internal/webhook

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/bq

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump arduino/setup-protoc from 1.2.0 to 1.3.0 (#3089)

Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.2.0 to 1.3.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](https://github.com/arduino/setup-protoc/compare/4b3578161eece2eb20a9dfd84bb8ed105e684dba...149f6c87b92550901b26acd1632e11c3662e381f)

---
updated-dependencies:
- dependency-name: arduino/setup-protoc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump tj-actions/changed-files from 36.0.3 to 36.0.9 (#3088)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.3 to 36.0.9.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/25eaddf37ae893cec889065e9a60439c8af6f089...cf4fe8759a45edd76ed6215da3529d2dbd2a3c68)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* pr iteration 2

Signed-off-by: Avishay <[email protected]>

* pr iteration 3

Signed-off-by: Avishay <[email protected]>

* switch security policy e2e test to ossf-tests repo. (#3090)

tensorflow/tensorflow is huge and was slowing down tests.
Also removed the rust e2e tests because they're already present as unit tests.

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 in /tools (#3094)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 (#3093)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#3104)

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.4 to 3.0.6.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e...1360a344ccb0ab6e9475edef90ad2f46bf8003b1)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump tj-actions/changed-files from 36.0.9 to 36.0.12 (#3108)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.9 to 36.0.12.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/cf4fe8759a45edd76ed6215da3529d2dbd2a3c68...5978e5a2df95ef20cde627d4acb5edd1f87ba46a)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/xanzy/go-gitlab from 0.83.0 to 0.84.0 (#3106)

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.83.0 to 0.84.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.83.0...v0.84.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang.org/x/tools from 0.9.1 to 0.9.2

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.1 to 0.9.2.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.1...v0.9.2)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* ✨ GitLab: enable more checks in cron (#3097)

* Enable checks

* Binary-Artifacts
* Code-Review
* License
* Vulnerabilities

Signed-off-by: Raghav Kaul <[email protected]>

* Enable more checks

* CII Best Practices
* Fuzzing
* Maintained
* Packaging
* Pinned-Dependencies
* Signed-Releases

Signed-off-by: Raghav Kaul <[email protected]>

* update repo name

Signed-off-by: Raghav Kaul <[email protected]>

---------

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :book: agenda link change (#3111)

Signed-off-by: Amanda L Martin <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github/codeql-action from 2.3.5 to 2.3.6 (#3112)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump tj-actions/changed-files from 36.0.12 to 36.0.15 (#3116)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.12 to 36.0.15.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/5978e5a2df95ef20cde627d4acb5edd1f87ba46a...5d2fcdb4cbef720a52f49fd05d8c7edd18a64758)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang.org/x/tools from 0.9.2 to 0.9.3

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.2 to 0.9.3.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.2...v0.9.3)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Unit tests for option (#3109)

- Add flags for repo, local, commit, log level, NPM, PyPI, RubyGems, metadata, show details, checks to run, policy file, and format
- Add tests for checks to run and format flags

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* 🌱 GitLab: add gitlab auth token to cron worker env (#3117)

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* Don't run pat e2e on dependabot merges (#3119)

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* ✨ Detect fast-check PBT library for fuzz section (#3073)

* ✨ Detect fast-check PBT library for fuzz section

As suggested at https://github.com/ossf/scorecard/issues/2792#issuecomment-1562007596, we add support for the detection of fast-check as a possible fuzzing solution.

I also adapted the documentation related to fuzzing accordingly.

Signed-off-by: Nicolas DUBIEN <[email protected]>

* Typo

Signed-off-by: Nicolas DUBIEN <[email protected]>

* Update missing md files

Signed-off-by: Nicolas DUBIEN <[email protected]>

---------

Signed-off-by: Nicolas DUBIEN <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: temporarily disable failing e2e tests so we don't block all PRs. (#3130)

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Avishay <[email protected]>

* pr comments

Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#3121)

Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3)

---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* i:seedling: Ignore all pb files for test (#3127)

- Update .codecov.yml to ignore additional files

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Deprecate dependencydiff package and add access token requirement (#3125)

- Deprecate the `dependencydiff` package and the `GetDependencyDiffResults` function
- Add a line to the `.codecov.yml` to ignore the `dependencydiff` package

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* ✨ [experimental] Support for new `--format probe` (#3048)

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

---------

Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump distroless/base (#3122)

Bumps distroless/base from `10985f0` to `c623859`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Ignore deprecation warning for dependencydiff tests. (#3136)

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump tj-actions/changed-files from 36.0.15 to 36.0.18

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.15 to 36.0.18.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/5d2fcdb4cbef720a52f49fd05d8c7edd18a64758...07e0177b72d3640efced741cae32f9861eee1367)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 in /tools (#3135)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/google/osv-scanner from 1.3.3 to 1.3.4

Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3 to 1.3.4.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/compare/v1.3.3...v1.3.4)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/gomega from 1.27.7 to 1.27.8

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.7 to 1.27.8.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.7...v1.27.8)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 (#3139)

Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.6.0 to 1.7.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.6.0...v1.7.0)

---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Increase test coverage for finding outcomes (#3142)

* Increase test coverage for finding outcomes

- Add tests for Outcome UnmarshalYAML function in `finding/finding_test.go`

Signed-off-by: naveensrinivasan <[email protected]>

* Updates based on Codereview

- Update `Outcome` variable in `finding/finding_test.go`
- Add `t.Parallel()` for test parallelization
- Add comparison using `cmp.Diff` to test for mismatches
- Update test cases for various outcomes

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump tj-actions/changed-files from 36.0.18 to 36.1.0 (#3143)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.18 to 36.1.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/07e0177b72d3640efced741cae32f9861eee1367...fb20f4d24890fadc539505b1746d260504b213d0)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Re-enable skipped e2e tests. Switch to smaller code review repo. (#3144)

* re-enable skipped ci test

Signed-off-by: Spencer Schrock <[email protected]>

* re-enable skipped attestor test. switch to ossf-tests repo

Signed-off-by: Spencer Schrock <[email protected]>

* remove extra policies from tests that only look at code review.

Signed-off-by: Spencer Schrock <[email protected]>

* remove unneeded policies from binary artifact tests.

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Avishay <[email protected]>

* add license header

Signed-off-by: Avishay <[email protected]>

* pr comments

Signed-off-by: Avishay <[email protected]>

* making the packages internal

Signed-off-by: Avishay <[email protected]>

* generate mocks

Signed-off-by: Avishay <[email protected]>

---------

Signed-off-by: Avishay <[email protected]>
Signed-off-by: Avishay Balter <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>
  • Loading branch information
balteravishay authored and ashearin committed Nov 13, 2023
1 parent 3a89890 commit 82096bd
Show file tree
Hide file tree
Showing 42 changed files with 1,946 additions and 88 deletions.
10 changes: 7 additions & 3 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -139,7 +139,8 @@ generate-mocks: clients/mockclients/repo_client.go \
clients/mockclients/repo.go \
clients/mockclients/cii_client.go \
checks/mockclients/vulnerabilities.go \
cmd/packagemanager_mockclient.go
cmd/internal/packagemanager/packagemanager_mockclient.go \
cmd/internal/nuget/nuget_mockclient.go
clients/mockclients/repo_client.go: clients/repo_client.go | $(MOCKGEN)
# Generating MockRepoClient
$(MOCKGEN) -source=clients/repo_client.go -destination=clients/mockclients/repo_client.go -package=mockrepo -copyright_file=clients/mockclients/license.txt
Expand All @@ -152,9 +153,12 @@ clients/mockclients/cii_client.go: clients/cii_client.go | $(MOCKGEN)
checks/mockclients/vulnerabilities.go: clients/vulnerabilities.go | $(MOCKGEN)
# Generating MockCIIClient
$(MOCKGEN) -source=clients/vulnerabilities.go -destination=clients/mockclients/vulnerabilities.go -package=mockrepo -copyright_file=clients/mockclients/license.txt
cmd/packagemanager_mockclient.go: cmd/packagemanager_client.go | $(MOCKGEN)
cmd/internal/packagemanager/packagemanager_mockclient.go: cmd/internal/packagemanager/client.go | $(MOCKGEN)
# Generating MockPackageManagerClient
$(MOCKGEN) -source=cmd/packagemanager_client.go -destination=cmd/packagemanager_mockclient.go -package=cmd -copyright_file=clients/mockclients/license.txt
$(MOCKGEN) -source=cmd/internal/packagemanager/client.go -destination=cmd/internal/packagemanager/packagemanager_mockclient.go -package=packagemanager -copyright_file=clients/mockclients/license.txt
cmd/internal/nuget/nuget_mockclient.go: cmd/internal/nuget/client.go | $(MOCKGEN)
# Generating MockNugetClient
$(MOCKGEN) -source=cmd/internal/nuget/client.go -destination=cmd/internal/nuget/nuget_mockclient.go -package=nuget -copyright_file=clients/mockclients/license.txt

generate-docs: ## Generates docs
generate-docs: validate-docs docs/checks.md
Expand Down
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -420,7 +420,7 @@ scorecard --repo=org/repo

##### Using a Package manager

For projects in the `--npm`, `--pypi`, or `--rubygems` ecosystems, you have the
For projects in the `--npm`, `--pypi`, `--rubygems`, or `--nuget` ecosystems, you have the
option to run Scorecard using a package manager. Provide the package name to
run the checks on the corresponding GitHub source code.

Expand Down
275 changes: 275 additions & 0 deletions cmd/internal/nuget/client.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,275 @@
// Copyright 2020 OpenSSF Scorecard Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package nuget implements Nuget API client.
package nuget

import (
"encoding/json"
"encoding/xml"
"fmt"
"io"
"net/http"
"regexp"
"strings"

"golang.org/x/exp/slices"

pmc "github.com/ossf/scorecard/v4/cmd/internal/packagemanager"
sce "github.com/ossf/scorecard/v4/errors"
)

type indexResults struct {
Resources []indexResult `json:"resources"`
}

func (n indexResults) findResourceByType(resultType string) (string, error) {
resourceIndex := slices.IndexFunc(n.Resources,
func(n indexResult) bool { return n.Type == resultType })
if resourceIndex == -1 {
return "", sce.WithMessage(sce.ErrScorecardInternal,
fmt.Sprintf("failed to find %v URI at nuget index json", resultType))
}

return n.Resources[resourceIndex].ID, nil
}

type indexResult struct {
ID string `json:"@id"`
Type string `json:"@type"`
}

type packageRegistrationCatalogRoot struct {
Pages []packageRegistrationCatalogPage `json:"items"`
}

func (n packageRegistrationCatalogRoot) latestVersion(manager pmc.Client) (string, error) {
for pageIndex := len(n.Pages) - 1; pageIndex >= 0; pageIndex-- {
page := n.Pages[pageIndex]
if page.Packages == nil {
err := decodeResponseFromClient(func() (*http.Response, error) {
//nolint: wrapcheck
return manager.GetURI(page.ID)
},
func(rc io.ReadCloser) error {
//nolint: wrapcheck
return json.NewDecoder(rc).Decode(&page)
}, "nuget package registration page")
if err != nil {
return "", err
}
}
for packageIndex := len(page.Packages) - 1; packageIndex >= 0; packageIndex-- {
base, preReleaseSuffix := parseNugetSemVer(page.Packages[packageIndex].Entry.Version)
// skipping non listed and pre-releases
if page.Packages[packageIndex].Entry.Listed && len(strings.TrimSpace(preReleaseSuffix)) == 0 {
return base, nil
}
}
}
return "", sce.WithMessage(sce.ErrScorecardInternal, "failed to get a listed version for package")
}

type packageRegistrationCatalogPage struct {
ID string `json:"@id"`
Packages []packageRegistrationCatalogItem `json:"items"`
}

type packageRegistrationCatalogItem struct {
Entry packageRegistrationCatalogEntry `json:"catalogEntry"`
}

type packageRegistrationCatalogEntry struct {
Version string `json:"version"`
Listed bool `json:"listed"`
}

func (e *packageRegistrationCatalogEntry) UnmarshalJSON(text []byte) error {
type Alias packageRegistrationCatalogEntry
aux := Alias{
Listed: true, // set the default value before parsing JSON
}
if err := json.Unmarshal(text, &aux); err != nil {
return fmt.Errorf("failed to unmarshal json: %w", err)
}
*e = packageRegistrationCatalogEntry(aux)
return nil
}

type packageNuspec struct {
XMLName xml.Name `xml:"package"`
Metadata nuspecMetadata `xml:"metadata"`
}

func (p *packageNuspec) projectURL(packageName string) (string, error) {
for _, projectURL := range []string{p.Metadata.Repository.URL, p.Metadata.ProjectURL} {
projectURL = strings.TrimSpace(projectURL)
if projectURL != "" && isSupportedProjectURL(projectURL) {
projectURL = strings.TrimSuffix(projectURL, "/")
projectURL = strings.TrimSuffix(projectURL, ".git")
return projectURL, nil
}
}
return "", sce.WithMessage(sce.ErrScorecardInternal,
fmt.Sprintf("source repo is not defined for nuget package %v", packageName))
}

type nuspecMetadata struct {
XMLName xml.Name `xml:"metadata"`
ProjectURL string `xml:"projectUrl"`
Repository nuspecRepository `xml:"repository"`
}

type nuspecRepository struct {
XMLName xml.Name `xml:"repository"`
URL string `xml:"url,attr"`
}

type Client interface {
GitRepositoryByPackageName(packageName string) (string, error)
}

type NugetClient struct {
Manager pmc.Client
}

func (c NugetClient) GitRepositoryByPackageName(packageName string) (string, error) {
packageBaseURL, registrationBaseURL, err := c.baseUrls()
if err != nil {
return "", err
}

packageSpec, err := c.packageSpec(packageBaseURL, registrationBaseURL, packageName)
if err != nil {
return "", err
}

packageURL, err := packageSpec.projectURL(packageName)
if err != nil {
return "", err
}
return packageURL, nil
}

func (c *NugetClient) packageSpec(packageBaseURL, registrationBaseURL, packageName string) (packageNuspec, error) {
lowerCasePackageName := strings.ToLower(packageName)
lastPackageVersion, err := c.latestListedVersion(registrationBaseURL,
lowerCasePackageName)
if err != nil {
return packageNuspec{}, err
}
packageSpecResults := &packageNuspec{}
err = decodeResponseFromClient(func() (*http.Response, error) {
//nolint: wrapcheck
return c.Manager.Get(
packageBaseURL+"%[1]v/"+lastPackageVersion+"/%[1]v.nuspec", lowerCasePackageName)
},
func(rc io.ReadCloser) error {
//nolint: wrapcheck
return xml.NewDecoder(rc).Decode(packageSpecResults)
}, "nuget package spec")

if err != nil {
return packageNuspec{}, err
}
if packageSpecResults.Metadata == (nuspecMetadata{}) {
return packageNuspec{}, sce.WithMessage(sce.ErrScorecardInternal,
"Nuget nuspec xml Metadata is empty")
}
return *packageSpecResults, nil
}

func (c *NugetClient) baseUrls() (string, string, error) {
indexURL := "https://api.nuget.org/v3/index.json"
indexResults := &indexResults{}
err := decodeResponseFromClient(func() (*http.Response, error) {
//nolint: wrapcheck
return c.Manager.GetURI(indexURL)
},
func(rc io.ReadCloser) error {
//nolint: wrapcheck
return json.NewDecoder(rc).Decode(indexResults)
}, "nuget index json")
if err != nil {
return "", "", err
}
packageBaseURL, err := indexResults.findResourceByType("PackageBaseAddress/3.0.0")
if err != nil {
return "", "", err
}
registrationBaseURL, err := indexResults.findResourceByType("RegistrationsBaseUrl/3.6.0")
if err != nil {
return "", "", err
}
return packageBaseURL, registrationBaseURL, nil
}

// Gets the latest listed nuget version of a package, based on the protocol defined at
// https://learn.microsoft.com/en-us/nuget/api/package-base-address-resource#enumerate-package-versions
func (c *NugetClient) latestListedVersion(baseURL, packageName string) (string, error) {
packageRegistrationCatalogRoot := &packageRegistrationCatalogRoot{}
err := decodeResponseFromClient(func() (*http.Response, error) {
//nolint: wrapcheck
return c.Manager.Get(baseURL+"%s/index.json", packageName)
},
func(rc io.ReadCloser) error {
//nolint: wrapcheck
return json.NewDecoder(rc).Decode(packageRegistrationCatalogRoot)
}, "nuget package registration index json")
if err != nil {
return "", err
}
return packageRegistrationCatalogRoot.latestVersion(c.Manager)
}

func isSupportedProjectURL(projectURL string) bool {
pattern := `^(?:https?://)?(?:www\.)?(?:github|gitlab)\.com/([A-Za-z0-9_\.-]+)/([A-Za-z0-9_\./-]+)$`
regex := regexp.MustCompile(pattern)
return regex.MatchString(projectURL)
}

// Nuget semver diverges from Semantic Versioning.
// This method returns the Nuget represntation of version and pre release strings.
// nolint: lll // long URL
// more info: https://learn.microsoft.com/en-us/nuget/concepts/package-versioning#where-nugetversion-diverges-from-semantic-versioning
func parseNugetSemVer(versionString string) (base, preReleaseSuffix string) {
metadataAndVersion := strings.Split(versionString, "+")
prereleaseAndVersions := strings.Split(metadataAndVersion[0], "-")
if len(prereleaseAndVersions) == 1 {
return prereleaseAndVersions[0], ""
}
return prereleaseAndVersions[0], prereleaseAndVersions[1]
}

func decodeResponseFromClient(getFunc func() (*http.Response, error),
decodeFunc func(io.ReadCloser) error, name string,
) error {
response, err := getFunc()
if err != nil {
return sce.WithMessage(sce.ErrScorecardInternal,
fmt.Sprintf("failed to get %s: %v", name, err))
}
if response.StatusCode != http.StatusOK {
return sce.WithMessage(sce.ErrScorecardInternal,
fmt.Sprintf("failed to get %s with status: %v", name, response.Status))
}
defer response.Body.Close()

err = decodeFunc(response.Body)
if err != nil {
return sce.WithMessage(sce.ErrScorecardInternal,
fmt.Sprintf("failed to parse %s: %v", name, err))
}
return nil
}
Loading

0 comments on commit 82096bd

Please sign in to comment.