From abcf148cb9f9e16b671f03e5299499d41e832a10 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Jul 2023 12:07:18 -0500 Subject: [PATCH 01/18] :seedling: Bump tj-actions/changed-files from 37.0.5 to 37.1.0 (#3253) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.0.5 to 37.1.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/54849deb963ca9f24185fb5de2965e002d066e6b...87e23c4c79a603288642711155953c7da34b11ac) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 2744c4c3743..ed3e39d4302 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -42,7 +42,7 @@ jobs: fetch-depth: 2 # needed to diff changed files - id: files name: Get changed files - uses: tj-actions/changed-files@54849deb963ca9f24185fb5de2965e002d066e6b #v37.0.5 + uses: tj-actions/changed-files@87e23c4c79a603288642711155953c7da34b11ac #v37.1.0 with: files_ignore: '**.md' - id: docs_only_check From e93322a6d2e73351b862b5c8d7fe73cdbec6a859 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Jul 2023 17:18:39 +0000 Subject: [PATCH 02/18] :seedling: Bump github.com/goreleaser/goreleaser in /tools (#3252) Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.19.1 to 1.19.2. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](https://github.com/goreleaser/goreleaser/compare/v1.19.1...v1.19.2) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/go.mod | 2 +- tools/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/go.mod b/tools/go.mod index f710ac61dce..21b18ea8bc5 100644 --- a/tools/go.mod +++ b/tools/go.mod @@ -7,7 +7,7 @@ require ( github.com/golangci/golangci-lint v1.53.3 github.com/google/addlicense v1.1.1 github.com/google/ko v0.14.1 - github.com/goreleaser/goreleaser v1.19.1 + github.com/goreleaser/goreleaser v1.19.2 github.com/naveensrinivasan/stunning-tribble v0.4.2 github.com/onsi/ginkgo/v2 v2.11.0 google.golang.org/protobuf v1.31.0 diff --git a/tools/go.sum b/tools/go.sum index 42050d49f93..7a9edf0ac53 100644 --- a/tools/go.sum +++ b/tools/go.sum 
@@ -1751,8 +1751,8 @@ github.com/goreleaser/chglog v0.5.0 h1:Sk6BMIpx8+vpAf8KyPit34OgWui8c7nKTMHhYx88j github.com/goreleaser/chglog v0.5.0/go.mod h1:Ri46M3lrMuv76FHszs3vtABR8J8k1w9JHYAzxeeOl28= github.com/goreleaser/fileglob v1.3.0 h1:/X6J7U8lbDpQtBvGcwwPS6OpzkNVlVEsFUVRx9+k+7I= github.com/goreleaser/fileglob v1.3.0/go.mod h1:Jx6BoXv3mbYkEzwm9THo7xbr5egkAraxkGorbJb4RxU= -github.com/goreleaser/goreleaser v1.19.1 h1:MVAFo62jkj6/JflxruefIwfFTqNTeNtkT12Hab1o2Lk= -github.com/goreleaser/goreleaser v1.19.1/go.mod h1:94HBElBUlnXzMZi9Yae1ev8WGeeh21RrxNWYBJW+cxU= +github.com/goreleaser/goreleaser v1.19.2 h1:m24wCy0UzBTGO3zqezAxcoA87RBySRRL0dyJjiNfdjQ= +github.com/goreleaser/goreleaser v1.19.2/go.mod h1:94HBElBUlnXzMZi9Yae1ev8WGeeh21RrxNWYBJW+cxU= github.com/goreleaser/nfpm/v2 v2.31.0 h1:cb8QSZ7tPnUlWPEdYcWwNWXiRvmVPznJ6LYiOIdOJ6Y= github.com/goreleaser/nfpm/v2 v2.31.0/go.mod h1:qlMQCbOTapyqRss16vAPwK/WAjWKdt0gY3vh4wipm8I= github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= From 86ae5c16b066da388c8f1c544b450321a81e0042 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Jul 2023 17:20:16 +0000 Subject: [PATCH 03/18] :seedling: Bump golang.org/x/tools from 0.10.0 to 0.11.0 Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.10.0 to 0.11.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.10.0...v0.11.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 5 +++-- go.sum | 10 ++++++---- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 4040eedfd95..f6f04837bab 100644 --- a/go.mod +++ b/go.mod 
@@ -35,7 +35,7 @@ require ( go.opencensus.io v0.24.0 gocloud.dev v0.30.0 golang.org/x/text v0.11.0 - golang.org/x/tools v0.10.0 + golang.org/x/tools v0.11.0 // indirect google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc // indirect google.golang.org/protobuf v1.31.0 gopkg.in/yaml.v2 v2.4.0 @@ -51,6 +51,7 @@ require ( github.com/mcuadros/go-jsonschema-generator v0.0.0-20200330054847-ba7a369d4303 github.com/onsi/ginkgo/v2 v2.11.0 github.com/otiai10/copy v1.12.0 + golang.org/x/tools/go/vcs v0.1.0-deprecated sigs.k8s.io/release-utils v0.6.0 ) @@ -103,7 +104,7 @@ require ( github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 // indirect github.com/spdx/tools-golang v0.5.2 // indirect github.com/zeebo/xxh3 v1.0.2 // indirect - golang.org/x/mod v0.11.0 // indirect + golang.org/x/mod v0.12.0 // indirect golang.org/x/term v0.10.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/vuln v0.0.0-20230303230808-d3042fecc4e3 // indirect diff --git a/go.sum b/go.sum index 57d14a6fae0..2cf6afb7972 100644 --- a/go.sum +++ b/go.sum 
@@ -2527,8 +2527,8 @@ golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU= -golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= +golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -2987,8 +2987,10 @@ golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s= golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4= -golang.org/x/tools v0.10.0 h1:tvDr/iQoUqNdohiYm0LmmKcBk+q86lb9EprIUFhHHGg= -golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM= +golang.org/x/tools v0.11.0 h1:EMCa6U9S2LtZXLAMoWiR/R8dAQFRqbAitmbJ2UKhoi8= +golang.org/x/tools v0.11.0/go.mod h1:anzJrxPjNtfgiYQYirP2CPGzGLxrH2u2QBhn6Bf3qY8= +golang.org/x/tools/go/vcs v0.1.0-deprecated h1:cOIJqWBl99H1dH5LWizPa+0ImeeJq3t3cJjaeOWUAL4= +golang.org/x/tools/go/vcs v0.1.0-deprecated/go.mod h1:zUrvATBAvEI9535oC0yWYsLsHIV4Z7g63sNPVMtuBy8= golang.org/x/vuln v0.0.0-20230303230808-d3042fecc4e3 h1:9GJsAwSzB/ztwMwsEm3ihUgCXHCULbNsubxqIrdKa44= golang.org/x/vuln v0.0.0-20230303230808-d3042fecc4e3/go.mod h1:LTLnfk/dpXDNKsX6aCg/cI4LyCVnTyrQhgV/yLJuly0= golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= From 8613047b1ba172ebea2d2bc7515efb1815952441 Mon Sep 17 00:00:00 2001 From: Naveen <172697+naveensrinivasan@users.noreply.github.com> Date: Mon, 10 Jul 2023 15:35:06 -0500 Subject: [PATCH 04/18] :seedling: Improve rate limit handling in roundtripper (#3237) - Add rate limit testing and handling functionality - Add tests for successful response and Retry-After header set scenarios Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- clients/githubrepo/roundtripper/rate_limit.go | 2 +- .../roundtripper/rate_limit_test.go | 94 +++++++++++++++++++ 2 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 clients/githubrepo/roundtripper/rate_limit_test.go 
diff --git a/clients/githubrepo/roundtripper/rate_limit.go b/clients/githubrepo/roundtripper/rate_limit.go
index 950e8f8aa8b..d2ae8378ab1 100644
--- a/clients/githubrepo/roundtripper/rate_limit.go
+++ b/clients/githubrepo/roundtripper/rate_limit.go
@@ -42,7 +42,7 @@ type rateLimitTransport struct {
 innerTransport http.RoundTripper
 }
 
-// Roundtrip handles caching and ratelimiting of responses from GitHub.
+// RoundTrip handles caching and rate-limiting of responses from GitHub.
 func (gh *rateLimitTransport) RoundTrip(r *http.Request) (*http.Response, error) {
 resp, err := gh.innerTransport.RoundTrip(r)
 if err != nil {
diff --git a/clients/githubrepo/roundtripper/rate_limit_test.go b/clients/githubrepo/roundtripper/rate_limit_test.go
new file mode 100644
index 00000000000..b74b7d997b8
--- /dev/null
+++ b/clients/githubrepo/roundtripper/rate_limit_test.go
@@ -0,0 +1,94 @@
+// Copyright 2023 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package roundtripper
+
+import (
+ "net/http"
+ "net/http/httptest"
+ "testing"
+
+ "github.com/ossf/scorecard/v4/log"
+)
+
+func TestRoundTrip(t *testing.T) {
+ t.Parallel()
+ var requestCount int
+ ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ // Customize the response headers and body based on the test scenario
+ switch r.URL.Path {
+ case "/error":
+ w.WriteHeader(http.StatusInternalServerError)
+ w.Write([]byte("Internal Server Error")) // nolint: errcheck
+ case "/retry":
+ requestCount++
+ if requestCount == 2 {
+ // Second request: Return successful response
+ w.Header().Set("X-RateLimit-Remaining", "10")
+ w.WriteHeader(http.StatusOK)
+ w.Write([]byte("Success")) // nolint: errcheck
+ } else {
+ // First request: Return Retry-After header
+ w.Header().Set("Retry-After", "1")
+ w.WriteHeader(http.StatusTooManyRequests)
+ w.Write([]byte("Rate Limit Exceeded")) // nolint: errcheck
+ }
+ case "/success":
+ w.Header().Set("X-RateLimit-Remaining", "10")
+ w.WriteHeader(http.StatusOK)
+ w.Write([]byte("Success")) // nolint: errcheck
+ }
+ }))
+ t.Cleanup(func() {
+ defer ts.Close()
+ })
+
+ // Create the rateLimitTransport with the test server as the inner transport and a default logger
+ transport := &rateLimitTransport{
+ innerTransport: ts.Client().Transport,
+ logger: 
log.NewLogger(log.DefaultLevel),
+ }
+
+ t.Run("Successful response", func(t *testing.T) {
+ req, err := http.NewRequest(http.MethodGet, ts.URL+"/success", nil)
+ if err != nil {
+ t.Fatalf("Failed to create request: %v", err)
+ }
+
+ resp, err := transport.RoundTrip(req)
+ if err != nil {
+ t.Errorf("Unexpected error: %v", err)
+ }
+ if resp.StatusCode != http.StatusOK {
+ t.Errorf("Expected status code %d, got %d", http.StatusOK, resp.StatusCode)
+ }
+ })
+
+ t.Run("Retry-After header set", func(t *testing.T) {
+ req, err := http.NewRequest(http.MethodGet, ts.URL+"/retry", nil)
+ if err != nil {
+ t.Fatalf("Failed to create request: %v", err)
+ }
+
+ resp, err := transport.RoundTrip(req)
+ if err != nil {
+ t.Errorf("Unexpected error: %v", err)
+ }
+ if resp.StatusCode != http.StatusOK {
+ t.Errorf("Expected status code %d, got %d", http.StatusOK, resp.StatusCode)
+ }
+ if requestCount != 2 {
+ t.Errorf("Expected 2 requests, got %d", requestCount)
+ }
+ })
+}
From 7753d7d8c3985d4dfc29cbef8c145a12a06790e5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 11 Jul 2023 08:13:42 -0500 Subject: [PATCH 05/18] :seedling: Bump tj-actions/changed-files from 37.1.0 to 37.1.1 (#3259) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.0 to 37.1.1. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/87e23c4c79a603288642711155953c7da34b11ac...1f20fb83f05eabed6e12ba0329edac8b6ec8e207) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ...
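Review bot: In both subtests `resp` is dereferenced right after `t.Errorf("Unexpected error: %v", err)`, so a failing RoundTrip turns into a nil-pointer panic rather than a clean test failure; those should be `t.Fatalf`, and the response body RoundTrip returns is never closed, so each subtest leaks a connection to the httptest server. `requestCount` is incremented in the handler goroutine and read from the test goroutine with no synchronisation, which `go test -race` is likely to report given the `t.Parallel()` at the top of the test; an `atomic.Int32` from `sync/atomic` (or a mutex) fixes both sides. Minor: `t.Cleanup(func() { defer ts.Close() })` can simply be `t.Cleanup(ts.Close)`, and the `/error` branch of the handler is never exercised by any subtest, so either a third subtest or dropping the branch would keep the fixture honest. The rewritten lines below cover the counter, the cleanup and the two subtest bodies; the import of `sync/atomic` is not shown.
```go
var requestCount atomic.Int32
// … unchanged: httptest.NewServer handler, except the /retry branch …
case "/retry":
	if requestCount.Add(1) == 2 {
// … unchanged: response branches …
t.Cleanup(ts.Close)
// … unchanged: transport construction and request creation in each subtest …
resp, err := transport.RoundTrip(req)
if err != nil {
	t.Fatalf("Unexpected error: %v", err)
}
defer resp.Body.Close()
// … unchanged: status-code assertion …
if got := requestCount.Load(); got != 2 {
	t.Errorf("Expected 2 requests, got %d", got)
}
```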
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index ed3e39d4302..0ac1adecdef 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -42,7 +42,7 @@ jobs: fetch-depth: 2 # needed to diff changed files - id: files name: Get changed files - uses: tj-actions/changed-files@87e23c4c79a603288642711155953c7da34b11ac #v37.1.0 + uses: tj-actions/changed-files@1f20fb83f05eabed6e12ba0329edac8b6ec8e207 #v37.1.1 with: files_ignore: '**.md' - id: docs_only_check From c50d76fcfa796b786bc4cdeaa39fe8bdd0c7eada Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 12 Jul 2023 09:08:34 -0500 Subject: [PATCH 06/18] :seedling: Bump github.com/bradleyfalzon/ghinstallation/v2 (#3260) Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.5.0 to 2.6.0. - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](https://github.com/bradleyfalzon/ghinstallation/compare/v2.5.0...v2.6.0) --- updated-dependencies: - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index f6f04837bab..6c0000a85f1 100644 --- a/go.mod +++ b/go.mod 
@@ -14,7 +14,7 @@ require ( cloud.google.com/go/trace v1.10.0 // indirect contrib.go.opencensus.io/exporter/stackdriver v0.13.14 github.com/bombsimon/logrusr/v2 v2.0.1 - github.com/bradleyfalzon/ghinstallation/v2 v2.5.0 + github.com/bradleyfalzon/ghinstallation/v2 v2.6.0 github.com/go-git/go-git/v5 v5.7.0 github.com/go-logr/logr v1.2.4 github.com/golang/mock v1.6.0 @@ -79,7 +79,7 @@ require ( github.com/golang/snappy v0.0.4 // indirect github.com/google/flatbuffers v2.0.8+incompatible // indirect github.com/google/gnostic v0.6.9 // indirect - github.com/google/go-github/v53 v53.0.0 // indirect + github.com/google/go-github/v53 v53.2.0 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/pprof v0.0.0-20230406165453-00490a63f317 // indirect github.com/google/s2a-go v0.1.4 // indirect diff --git a/go.sum b/go.sum index 2cf6afb7972..525bd54c6c2 100644 --- a/go.sum +++ b/go.sum @@ -885,8 +885,8 @@ github.com/bombsimon/logrusr/v2 v2.0.1 h1:1VgxVNQMCvjirZIYaT9JYn6sAVGVEcNtRE0y4m github.com/bombsimon/logrusr/v2 v2.0.1/go.mod h1:ByVAX+vHdLGAfdroiMg6q0zgq2FODY2lc5YJvzmOJio= github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= -github.com/bradleyfalzon/ghinstallation/v2 v2.5.0 h1:yaYcGQ7yEIGbsJfW/9z7v1sLiZg/5rSNNXwmMct5XaE= -github.com/bradleyfalzon/ghinstallation/v2 v2.5.0/go.mod h1:amcvPQMrRkWNdueWOjPytGL25xQGzox7425qMgzo+Vo= +github.com/bradleyfalzon/ghinstallation/v2 v2.6.0 h1:IRY7Xy588KylkoycsUhFpW7cdGpy5Y5BPsz4IfuJtGk= +github.com/bradleyfalzon/ghinstallation/v2 v2.6.0/go.mod h1:oQ3etOwN3TRH4EwgW5/7MxSVMGlMlzG/O8TU7eYdoSk= github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M= github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0= github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= 
@@ -1442,8 +1442,8 @@ github.com/google/go-containerregistry v0.15.2 h1:MMkSh+tjSdnmJZO7ljvEqV1DjfekB6 github.com/google/go-containerregistry v0.15.2/go.mod h1:wWK+LnOv4jXMM23IT/F1wdYftGWGr47Is8CG+pmHK1Q= github.com/google/go-github/v38 v38.1.0 h1:C6h1FkaITcBFK7gAmq4eFzt6gbhEhk7L5z6R3Uva+po= github.com/google/go-github/v38 v38.1.0/go.mod h1:cStvrz/7nFr0FoENgG6GLbp53WaelXucT+BBz/3VKx4= -github.com/google/go-github/v53 v53.0.0 h1:T1RyHbSnpHYnoF0ZYKiIPSgPtuJ8G6vgc0MKodXsQDQ= -github.com/google/go-github/v53 v53.0.0/go.mod h1:XhFRObz+m/l+UCm9b7KSIC3lT3NWSXGt7mOsAWEloao= +github.com/google/go-github/v53 v53.2.0 h1:wvz3FyF53v4BK+AsnvCmeNhf8AkTaeh2SoYu/XUvTtI= +github.com/google/go-github/v53 v53.2.0/go.mod h1:XhFRObz+m/l+UCm9b7KSIC3lT3NWSXGt7mOsAWEloao= github.com/google/go-pkcs11 v0.2.0/go.mod h1:6eQoGcuNJpa7jnd5pMGdkSaQpNDYvPlXWMcjXXThLlY= github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= From 380da963c848e083459ebc98bc959a9f5ee62dc0 Mon Sep 17 00:00:00 2001 From: Ajmal Kottilingal <90693406+ajmalab@users.noreply.github.com> Date: Wed, 12 Jul 2023 18:22:38 +0100 Subject: [PATCH 07/18] =?UTF-8?q?=F0=9F=8C=B1Add=20urls=20for=20openteleme?= =?UTF-8?q?try,=20micrometer=20and=20new=20relic=20to=20weekly=20cron=20(#?= =?UTF-8?q?3248)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * add urls for opentelemetry and micrometer Signed-off-by: Ajmal Kottilingal * add jakarta-activation url Signed-off-by: Ajmal Kottilingal * adding json-path Signed-off-by: Ajmal Kottilingal * fix uing make Signed-off-by: Ajmal Kottilingal --------- Signed-off-by: Ajmal Kottilingal --- cron/internal/data/projects.csv | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/cron/internal/data/projects.csv b/cron/internal/data/projects.csv index c413885739e..612b37a55eb 100755 --- a/cron/internal/data/projects.csv 
+++ b/cron/internal/data/projects.csv @@ -458356,6 +458356,7 @@ github.com/eclipse-che/che-operator,num_dependents_deps.dev:0 github.com/eclipse-che/che-theia,num_dependents_deps.dev:0 github.com/eclipse-color-theme/eclipse-color-theme,criticality_score:0.336420 github.com/eclipse-cyclonedds/cyclonedds-python, +github.com/eclipse-ee4j/angus-activation, github.com/eclipse-ee4j/authentication,num_dependents_deps.dev:124 github.com/eclipse-ee4j/batch-api,num_dependents_deps.dev:10 github.com/eclipse-ee4j/batch-tck,num_dependents_deps.dev:16 @@ -803275,7 +803276,9 @@ github.com/micromdm/micromdm,"criticality_score:0.430170,num_dependents_deps.dev github.com/micromdm/nanomdm,num_dependents_deps.dev:0 github.com/micromdm/scep,num_dependents_deps.dev:36 github.com/micromed-dev/herz-ui,num_dependents_deps.dev:0 +github.com/micrometer-metrics/context-propagation, github.com/micrometer-metrics/micrometer,criticality_score:0.638810 +github.com/micrometer-metrics/tracing, github.com/microminion/1tp, github.com/microminion/1tp-registrar,num_dependents_deps.dev:0 github.com/microminion/mm-runtime-info,num_dependents_deps.dev:4 @@ -852948,6 +852951,7 @@ github.com/newrelic/newrelic-fluent-bit-output,num_dependents_deps.dev:0 github.com/newrelic/newrelic-infra-operator,num_dependents_deps.dev:0 github.com/newrelic/newrelic-introspector-node, github.com/newrelic/newrelic-introspector-python, +github.com/newrelic/newrelic-java-agent, github.com/newrelic/newrelic-kubernetes-operator,num_dependents_deps.dev:0 github.com/newrelic/newrelic-lambda-cli, github.com/newrelic/newrelic-lambda-extension,num_dependents_deps.dev:0 
@@ -887562,6 +887566,7 @@ github.com/open-telemetry/opentelemetry-go,"criticality_score:0.587880,num_depen github.com/open-telemetry/opentelemetry-go-build-tools,num_dependents_deps.dev:2 github.com/open-telemetry/opentelemetry-go-contrib,num_dependents_deps.dev:1476 github.com/open-telemetry/opentelemetry-java,"criticality_score:0.596480,num_dependents_deps.dev:101" +github.com/open-telemetry/opentelemetry-java-instrumentation, github.com/open-telemetry/opentelemetry-js,"criticality_score:0.610960,num_dependents_deps.dev:13812" github.com/open-telemetry/opentelemetry-js-api,num_dependents_deps.dev:3224 github.com/open-telemetry/opentelemetry-js-contrib,num_dependents_deps.dev:168 From c1df902bf4c7f2d0020cac9de7ad4498384e051d Mon Sep 17 00:00:00 2001 From: Gabriela Gutierrez Date: Wed, 12 Jul 2023 21:26:06 +0000 Subject: [PATCH 08/18] =?UTF-8?q?=F0=9F=90=9B=20=20Add=20npm=20installs=20?= =?UTF-8?q?to=20Pinned-Dependencies=20score=20(#2960)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat: Add npm install to pinned dependencies score Signed-off-by: Gabriela Gutierrez * test: Fix pinned dependencies evaluation tests Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, for "various wanrings" test, the total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3. 
Signed-off-by: Gabriela Gutierrez * test: Fix pinned dependencies e2e tests Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. The repo being tested, ossf-tests/scorecard-check-pinned-dependencies-e2e, has third-party GitHub actions pinned, no npm installs, and all other dependencies types are unpinned. This gives us 8 for actionScore, 10 for npmScore and 0 for all other scores. Previously the total score was 8/5~=1, and now the total score is 18/6=3. Also, since there are no npm installs, there's one more Info log for "npm installs are pinned". Signed-off-by: Gabriela Gutierrez * test: Fix typo Signed-off-by: Gabriela Gutierrez * test: Unpinned npm install score When having one unpinned npm install and all other dependencies pinned, the score should be 50/6~=8. Also, it should raise 1 warning for the unpinned npm install, 6 infos saying the other dependency types are pinned (2 for GHAs, 2 for dockerfile image and downdloads, 1 for script downdloads and 1 for pip installs), and 0 debug logs since the npm install dependency does not have an error message. Signed-off-by: Gabriela Gutierrez * test: Undefined npm install score When an error happens to parse a npm install dependency, the error/debug message is saved in "Msg" field. In this case, we were not able to define if the npm install is pinned or not. This dependency is classified as pinned undefined. We treat such cases as pinned cases, so it logs as Info that npm installs are all pinned and counts the score as 10. Then, the final score makes it to 10 as well. Since it logs the error/debug message, the Debug log goes to 1. Signed-off-by: Gabriela Gutierrez * test: Fix typo 
Signed-off-by: Gabriela Gutierrez * test: Fix "validate various warnings and info" test Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, this test total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3. Signed-off-by: Gabriela Gutierrez * fix: npm dependencies pinned log Signed-off-by: Gabriela Gutierrez * test: Remove test of error when parsing an npm dependency Signed-off-by: Gabriela Gutierrez --------- Signed-off-by: Gabriela Gutierrez --- checks/evaluation/pinned_dependencies.go | 18 ++++++++- checks/evaluation/pinned_dependencies_test.go | 38 +++++++++++++------ e2e/pinned_dependencies_test.go | 12 +++--- 3 files changed, 50 insertions(+), 18 deletions(-) diff --git a/checks/evaluation/pinned_dependencies.go b/checks/evaluation/pinned_dependencies.go index d9133d76da4..a8e98be8e17 100644 --- a/checks/evaluation/pinned_dependencies.go +++ b/checks/evaluation/pinned_dependencies.go 
@@ -127,15 +127,22 @@ func PinningDependencies(name string, c *checker.CheckRequest,
 return checker.CreateRuntimeErrorResult(name, err)
 }
 
+ // Npm installs.
+ npmScore, err := createReturnForIsNpmInstallPinned(pr, dl)
+ if err != nil {
+ return checker.CreateRuntimeErrorResult(name, err)
+ }
+
 // Scores may be inconclusive.
 actionScore = maxScore(0, actionScore)
 dockerFromScore = maxScore(0, dockerFromScore)
 dockerDownloadScore = maxScore(0, dockerDownloadScore)
 scriptScore = maxScore(0, scriptScore)
 pipScore = maxScore(0, pipScore)
+ npmScore = maxScore(0, npmScore)
 
 score := checker.AggregateScores(actionScore, dockerFromScore,
- dockerDownloadScore, scriptScore, pipScore)
+ dockerDownloadScore, scriptScore, pipScore, npmScore)
 
 if score == checker.MaxResultScore {
 return checker.CreateMaxScoreResult(name, "all dependencies are pinned")
@@ -260,6 +267,15 @@ func createReturnForIsPipInstallPinned(pr map[checker.DependencyUseType]pinnedRe
 dl)
 }
 
+// Create the result for npm install commands.
+func createReturnForIsNpmInstallPinned(pr map[checker.DependencyUseType]pinnedResult,
+ dl checker.DetailLogger,
+) (int, error) {
+ return createReturnValues(pr, checker.DependencyUseTypeNpmCommand,
+ "npm installs are pinned",
+ dl)
+}
+
 func createReturnValues(pr map[checker.DependencyUseType]pinnedResult,
 t checker.DependencyUseType, infoMsg string,
 dl checker.DetailLogger,
diff --git a/checks/evaluation/pinned_dependencies_test.go b/checks/evaluation/pinned_dependencies_test.go
index cd497a6cfbf..5e3e369a314 100644
--- a/checks/evaluation/pinned_dependencies_test.go
+++ b/checks/evaluation/pinned_dependencies_test.go
@@ -111,7 +111,7 @@ func Test_PinningDependencies(t *testing.T) {
 Error: nil,
 Score: checker.MaxResultScore,
 NumberOfWarn: 0,
- NumberOfInfo: 6,
+ NumberOfInfo: 7,
 NumberOfDebug: 1,
 },
 },
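Review bot: Adding `npmScore` as a sixth term of `checker.AggregateScores` raises the result for every repository that has no npm install commands at all, because, per the commit description, a dependency type with nothing to check contributes a full 10; the e2e expectations later in this same series move from Score 1 to 3 while `NumberOfWarn` stays at 139. That is inherent to the equal-weight averaging rather than a bug in these lines, but nothing in the new code says so, and each further dependency type will dilute existing unpinned findings the same way. A comment above the `score :=` line would make the trade-off visible to the next person adding a type, e.g. `// Each dependency type weighs equally; a type with no occurrences scores 10, so adding a type lifts the aggregate for repositories that do not use it.` PinningDependencies starts before this hunk and continues after it.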
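Review bot: The doc comment `// Create the result for npm install commands.` on `createReturnForIsNpmInstallPinned` does not follow the Go convention of starting with the function name, and it leaves out the behaviour the commit description relies on: an npm install whose pinning could not be parsed (its `Msg` set, pinning undefined) is counted as pinned and still produces the "npm installs are pinned" info line. That fail-open decision appears to live in `createReturnValues`, outside this hunk, so the wrapper is where a reader of the npm path would look for it; suggest `// createReturnForIsNpmInstallPinned scores npm install commands. An install whose pinning could not be determined is treated as pinned by createReturnValues.`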
@@ -132,12 +132,12 @@ func Test_PinningDependencies(t *testing.T) {
 Error: nil,
 Score: 6,
 NumberOfWarn: 1,
- NumberOfInfo: 4,
+ NumberOfInfo: 5,
 NumberOfDebug: 1,
 },
 },
 {
- name: "various wanrings",
+ name: "various warnings",
 dependencies: []checker.Dependency{
 {
 Location: &checker.File{},
@@ -158,9 +158,9 @@ func Test_PinningDependencies(t *testing.T) {
 },
 expected: scut.TestReturn{
 Error: nil,
- Score: 2,
+ Score: 3,
 NumberOfWarn: 3,
- NumberOfInfo: 2,
+ NumberOfInfo: 3,
 NumberOfDebug: 1,
 },
 },
@@ -176,7 +176,7 @@ func Test_PinningDependencies(t *testing.T) {
 Error: nil,
 Score: 8,
 NumberOfWarn: 1,
- NumberOfInfo: 5,
+ NumberOfInfo: 6,
 NumberOfDebug: 0,
 },
 },
@@ -193,7 +193,7 @@ func Test_PinningDependencies(t *testing.T) {
 Error: nil,
 Score: 10,
 NumberOfWarn: 0,
- NumberOfInfo: 6,
+ NumberOfInfo: 7,
 NumberOfDebug: 1,
 },
 },
@@ -203,12 +203,12 @@ func Test_PinningDependencies(t *testing.T) {
 Error: nil,
 Score: 10,
 NumberOfWarn: 0,
- NumberOfInfo: 6,
+ NumberOfInfo: 7,
 NumberOfDebug: 0,
 },
 },
 {
- name: "Validate various wanrings and info",
+ name: "Validate various warnings and info",
 dependencies: []checker.Dependency{
 {
 Location: &checker.File{},
@@ -229,12 +229,28 @@ func Test_PinningDependencies(t *testing.T) {
 },
 expected: scut.TestReturn{
 Error: nil,
- Score: 2,
+ Score: 3,
 NumberOfWarn: 3,
- NumberOfInfo: 2,
+ NumberOfInfo: 3,
 NumberOfDebug: 1,
 },
 },
+ {
+ name: "unpinned npm install",
+ dependencies: []checker.Dependency{
+ {
+ Location: &checker.File{},
+ Type: checker.DependencyUseTypeNpmCommand,
+ },
+ },
+ expected: scut.TestReturn{
+ Error: nil,
+ Score: 8,
+ NumberOfWarn: 1,
+ NumberOfInfo: 6,
+ NumberOfDebug: 0,
+ },
+ },
 }
 
 for _, tt := range tests {
diff --git a/e2e/pinned_dependencies_test.go b/e2e/pinned_dependencies_test.go
index aaec45dda63..8253abf49cc 100644
--- a/e2e/pinned_dependencies_test.go
+++ b/e2e/pinned_dependencies_test.go
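Review bot: The new `unpinned npm install` case exercises only the warning path; the table has no case for an npm dependency with `Msg` set, which the commit description says is the parse-error case scored as pinned and whose dedicated test the description notes was removed in a later fixup. Since that is the fail-open path of the check, it deserves a row of its own: a `DependencyUseTypeNpmCommand` entry with a `Msg` and an expectation of `Score: 10`, `NumberOfWarn: 0`, `NumberOfDebug: 1`, the counts the description gives for that scenario. Test_PinningDependencies continues outside the hunk.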
@@ -49,9 +49,9 @@ var _ = Describe("E2E TEST:"+checks.CheckPinnedDependencies, func() {
 }
 expected := scut.TestReturn{
 Error: nil,
- Score: 1,
+ Score: 3,
 NumberOfWarn: 139,
- NumberOfInfo: 1,
+ NumberOfInfo: 2,
 NumberOfDebug: 0,
 }
 result := checks.PinningDependencies(&req)
@@ -74,9 +74,9 @@ var _ = Describe("E2E TEST:"+checks.CheckPinnedDependencies, func() {
 }
 expected := scut.TestReturn{
 Error: nil,
- Score: 1,
+ Score: 3,
 NumberOfWarn: 139,
- NumberOfInfo: 1,
+ NumberOfInfo: 2,
 NumberOfDebug: 0,
 }
 result := checks.PinningDependencies(&req)
@@ -110,9 +110,9 @@ var _ = Describe("E2E TEST:"+checks.CheckPinnedDependencies, func() {
 }
 expected := scut.TestReturn{
 Error: nil,
- Score: 1,
+ Score: 3,
 NumberOfWarn: 139,
- NumberOfInfo: 1,
+ NumberOfInfo: 2,
 NumberOfDebug: 0,
 }
 result := checks.PinningDependencies(&req)
From 16ff3eccfccb225d078fa36ba21563a20b04e974 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 13 Jul 2023 17:41:32 -0500 Subject: [PATCH 09/18] :seedling: Bump github.com/moby/buildkit from 0.11.6 to 0.12.0 (#3264) Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.11.6 to 0.12.0. - [Release notes](https://github.com/moby/buildkit/releases) - [Commits](https://github.com/moby/buildkit/compare/v0.11.6...v0.12.0) --- updated-dependencies: - dependency-name: github.com/moby/buildkit dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 8 ++++---- go.sum | 15 ++++++++------- 2 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/go.mod b/go.mod
index 6c0000a85f1..6b2406fcf78 100644
--- a/go.mod
+++ b/go.mod
@@ -24,7 +24,7 @@ require ( github.com/grafeas/kritis v0.2.3-0.20210120183821-faeba81c520c github.com/h2non/filetype v1.1.3 github.com/jszwec/csvutil v1.8.0 - github.com/moby/buildkit v0.11.6 + github.com/moby/buildkit v0.12.0 github.com/olekukonko/tablewriter v0.0.5 github.com/onsi/gomega v1.27.8 github.com/shurcooL/githubv4 v0.0.0-20201206200315-234843c633fa @@ -66,6 +66,7 @@ require ( github.com/apache/arrow/go/v12 v12.0.0 // indirect github.com/apache/thrift v0.16.0 // indirect github.com/cloudflare/circl v1.3.3 // indirect + github.com/containerd/typeurl/v2 v2.1.1 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/emicklei/go-restful/v3 v3.10.1 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect @@ -134,10 +135,9 @@ require ( github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect - github.com/containerd/typeurl v1.0.2 // indirect - github.com/docker/cli v23.0.5+incompatible // indirect + github.com/docker/cli v24.0.2+incompatible // indirect github.com/docker/distribution v2.8.2+incompatible // indirect - github.com/docker/docker v23.0.5+incompatible // indirect + github.com/docker/docker v24.0.0-rc.2.0.20230706181717-98d3da79ef9c+incompatible // indirect github.com/docker/docker-credential-helpers v0.7.0 // indirect github.com/emirpasic/gods v1.18.1 // indirect github.com/fatih/color v1.14.1 // indirect diff --git a/go.sum b/go.sum index 525bd54c6c2..8010cb9abef 100644 --- a/go.sum +++ b/go.sum 
@@ -1033,8 +1033,9 @@ github.com/containerd/ttrpc v1.1.0/go.mod h1:XX4ZTnoOId4HklF4edwc4DcqskFZuvXB1Ev github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc= github.com/containerd/typeurl v0.0.0-20190911142611-5eb25027c9fd/go.mod h1:GeKYzf2pQcqv7tJ0AoCuuhtnqhva5LNU3U+OyKxxJpk= github.com/containerd/typeurl v1.0.1/go.mod h1:TB1hUtrpaiO88KEK56ijojHS1+NeF0izUACaJW2mdXg= -github.com/containerd/typeurl v1.0.2 h1:Chlt8zIieDbzQFzXzAeBEF92KhExuE4p9p92/QmY7aY= github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s= +github.com/containerd/typeurl/v2 v2.1.1 h1:3Q4Pt7i8nYwy2KmQWIw2+1hTvwTE/6w9FqcttATPO/4= +github.com/containerd/typeurl/v2 v2.1.1/go.mod h1:IDp2JFvbwZ31H8dQbEIY7sDl2L3o3HZj1hsSQlywkQ0= github.com/containerd/zfs v0.0.0-20200918131355-0a33824f23a2/go.mod h1:8IgZOBdv8fAgXddBT4dBXJPtxyRsejFIpXoklgxgEjw= github.com/containerd/zfs v0.0.0-20210301145711-11e8f1707f62/go.mod h1:A9zfAbMlQwE+/is6hi0Xw8ktpL+6glmqZYtevJgaB8Y= github.com/containerd/zfs v0.0.0-20210315114300-dde8f0fda960/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNRIRHsFY= 
@@ -1099,16 +1100,16 @@ github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyG github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko= github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/cli v23.0.5+incompatible h1:ufWmAOuD3Vmr7JP2G5K3cyuNC4YZWiAsuDEvFVVDafE= -github.com/docker/cli v23.0.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v24.0.2+incompatible h1:QdqR7znue1mtkXIJ+ruQMGQhpw2JzMJLRXp6zpzF6tM= +github.com/docker/cli v24.0.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8= github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v20.10.14+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v23.0.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v23.0.5+incompatible h1:DaxtlTJjFSnLOXVNUBU1+6kXGz2lpDoEAH6QoxaSg8k= -github.com/docker/docker v23.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v24.0.0-rc.2.0.20230706181717-98d3da79ef9c+incompatible h1:XccikgvtGCEZE9ZQoaEApdx9ZvruGYakfi2tw4d/vUg= +github.com/docker/docker v24.0.0-rc.2.0.20230706181717-98d3da79ef9c+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= 
github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= @@ -1874,8 +1875,8 @@ github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR github.com/mitchellh/mapstructure v1.4.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/moby/buildkit v0.11.6 h1:VYNdoKk5TVxN7k4RvZgdeM4GOyRvIi4Z8MXOY7xvyUs= -github.com/moby/buildkit v0.11.6/go.mod h1:GCqKfHhz+pddzfgaR7WmHVEE3nKKZMMDPpK8mh3ZLv4= +github.com/moby/buildkit v0.12.0 h1:hgPDVSeondFLb28cBtRR5O0N4t8uWGJ4YNukT2aICIs= +github.com/moby/buildkit v0.12.0/go.mod h1:+n9GmkxwBCjVz4u7wmiyh+oqvjIjQM+1zk3iJrWfdos= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A= From 96b216922535c187c61167e5f3e28886f4dfbb1c Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Thu, 13 Jul 2023 15:52:40 -0700 Subject: [PATCH 10/18] Ack linter warning and add tracking issue. (#3263) Signed-off-by: Spencer Schrock --- cron/internal/data/update/dependency.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cron/internal/data/update/dependency.go b/cron/internal/data/update/dependency.go index fde69bac255..e0757aad033 100644 --- a/cron/internal/data/update/dependency.go +++ b/cron/internal/data/update/dependency.go 
@@ -27,7 +27,7 @@ import ( "github.com/go-git/go-git/v5" "github.com/google/go-github/v38/github" - "golang.org/x/tools/go/vcs" + "golang.org/x/tools/go/vcs" //nolint:staticcheck // TODO(https://github.com/ossf/scorecard/issues/3262) "github.com/ossf/scorecard/v4/clients/githubrepo" "github.com/ossf/scorecard/v4/cron/data" From fc87616fdf9d355595fe586dfb85a73316af5b86 Mon Sep 17 00:00:00 2001 From: Pedro Nacht Date: Thu, 13 Jul 2023 21:33:21 -0300 Subject: [PATCH 11/18] =?UTF-8?q?=F0=9F=90=9B=20Forgive=20job-level=20perm?= =?UTF-8?q?issions=20(#3162)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Forgive all job-level permissions Signed-off-by: Pedro Kaj Kjellerup Nacht * Update tests Signed-off-by: Pedro Kaj Kjellerup Nacht * Replace magic number Signed-off-by: Pedro Kaj Kjellerup Nacht * Rename test Signed-off-by: Pedro Kaj Kjellerup Nacht * Test that multiple job-level permissions are forgiven Signed-off-by: Pedro Kaj Kjellerup Nacht * Drop unused permissionIsPresent Signed-off-by: Pedro Kaj Kjellerup Nacht * Update documentation Signed-off-by: Pedro Kaj Kjellerup Nacht * Modify score descriptions Signed-off-by: Pedro Kaj Kjellerup Nacht * Document warning for job-level permissions Signed-off-by: Pedro Kaj Kjellerup Nacht * List job-level permissions that get WARNed Signed-off-by: Pedro Kaj Kjellerup Nacht --------- Signed-off-by: Pedro Kaj Kjellerup Nacht --- checks/evaluation/permissions/permissions.go | 17 +++--- checks/permissions_test.go | 21 ++++++-- ...kflow-permissions-run-multiple-writes.yaml | 30 +++++++++++ docs/checks.md | 38 +++++++------- docs/checks/internal/checks.yaml | 52 ++++++++++--------- 5 files changed, 101 insertions(+), 57 deletions(-) create mode 100644 checks/testdata/.github/workflows/github-workflow-permissions-run-multiple-writes.yaml diff --git a/checks/evaluation/permissions/permissions.go b/checks/evaluation/permissions/permissions.go index ed8b0cbc21d..8f0c1be5d2b 100644 
--- a/checks/evaluation/permissions/permissions.go +++ b/checks/evaluation/permissions/permissions.go @@ -56,11 +56,11 @@ func TokenPermissions(name string, c *checker.CheckRequest, r *checker.TokenPerm if score != checker.MaxResultScore { return checker.CreateResultWithScore(name, - "non read-only tokens detected in GitHub workflows", score) + "detected GitHub workflow tokens with excessive permissions", score) } return checker.CreateMaxScoreResult(name, - "tokens are read-only in GitHub workflows") + "GitHub workflow tokens follow principle of least privilege") } func applyScorePolicy(results *checker.TokenPermissionsData, c *checker.CheckRequest) (int, error) { @@ -325,21 +325,21 @@ func calculateScore(result map[string]permissions) int { // status: https://docs.github.com/en/rest/reference/repos#statuses. // May allow an attacker to change the result of pre-submit and get a PR merged. // Low risk: -0.5. - if permissionIsPresent(perms, "statuses") { + if permissionIsPresentInTopLevel(perms, "statuses") { score -= 0.5 } // checks. // May allow an attacker to edit checks to remove pre-submit and introduce a bug. // Low risk: -0.5. - if permissionIsPresent(perms, "checks") { + if permissionIsPresentInTopLevel(perms, "checks") { score -= 0.5 } // secEvents. // May allow attacker to read vuln reports before patch available. // Low risk: -1 - if permissionIsPresent(perms, "security-events") { + if permissionIsPresentInTopLevel(perms, "security-events") { score-- } @@ -348,7 +348,7 @@ func calculateScore(result map[string]permissions) int { // and tiny chance an attacker can trigger a remote // service with code they own if server accepts code/location var unsanitized. // Low risk: -1 - if permissionIsPresent(perms, "deployments") { + if permissionIsPresentInTopLevel(perms, "deployments") { score-- } 
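Review bot: The max-score summary on the `CreateMaxScoreResult` line, `GitHub workflow tokens follow principle of least privilege`, now overstates what was verified: after this change `calculateScore` only subtracts for top-level writes (the `permissionIsPresentInTopLevel` calls), so a workflow whose jobs hold `contents: write` or `packages: write` still receives 10/10 with that sentence attached. A message that states what was actually checked, e.g. `"top-level workflow token permissions are read-only"`, keeps the summary honest while the job-level findings stay in the WARN details. It is also not visible in this hunk how a job-level `permissions: write-all` is represented; if it lands in the same run-level map it is forgiven too, which conflicts with the remediation text in this same commit telling users never to set it, so a test pinning that behaviour either way is worth adding. Both `TokenPermissions` and `calculateScore` start before and continue after the hunks shown here.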
@@ -386,11 +386,6 @@ func calculateScore(result map[string]permissions) int { return int(score) } -func permissionIsPresent(perms permissions, name string) bool { - return permissionIsPresentInTopLevel(perms, name) || - permissionIsPresentInRunLevel(perms, name) -} - func permissionIsPresentInTopLevel(perms permissions, name string) bool { _, ok := perms.topLevelWritePermissions[name] return ok diff --git a/checks/permissions_test.go b/checks/permissions_test.go index 41f42f105bf..0b06e0628f8 100644 --- a/checks/permissions_test.go +++ b/checks/permissions_test.go @@ -53,7 +53,7 @@ func TestGithubTokenPermissions(t *testing.T) { filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-run-no-codeql-write.yaml"}, expected: scut.TestReturn{ Error: nil, - Score: checker.MaxResultScore - 1, + Score: checker.MaxResultScore, NumberOfWarn: 1, NumberOfInfo: 1, NumberOfDebug: 4, @@ -302,11 +302,11 @@ func TestGithubTokenPermissions(t *testing.T) { }, }, { - name: "workflow jobs only", + name: "penalize job-level read without top level permissions", filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-jobs-only.yaml"}, expected: scut.TestReturn{ Error: nil, - Score: 9, + Score: checker.MaxResultScore - 1, NumberOfWarn: 1, NumberOfInfo: 4, NumberOfDebug: 4, @@ -317,7 +317,7 @@ func TestGithubTokenPermissions(t *testing.T) { filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-run-write-codeql-comment.yaml"}, expected: scut.TestReturn{ Error: nil, - Score: checker.MaxResultScore - 1, + Score: checker.MaxResultScore, NumberOfWarn: 1, NumberOfInfo: 1, NumberOfDebug: 4, 
@@ -389,6 +389,19 @@ func TestGithubTokenPermissions(t *testing.T) { NumberOfDebug: 5, }, }, + { + name: "don't penalize job-level writes", + filenames: []string{ + "./testdata/.github/workflows/github-workflow-permissions-run-multiple-writes.yaml", + }, + expected: scut.TestReturn{ + Error: nil, + Score: checker.MaxResultScore, + NumberOfWarn: 7, // number of job-level write permissions + NumberOfInfo: 1, // read-only top-level permissions + NumberOfDebug: 4, // This is 4 + (number of actions = 0) + }, + }, } for _, tt := range tests { tt := tt // Re-initializing variable so it is not changed while executing the closure below diff --git a/checks/testdata/.github/workflows/github-workflow-permissions-run-multiple-writes.yaml b/checks/testdata/.github/workflows/github-workflow-permissions-run-multiple-writes.yaml new file mode 100644 index 00000000000..427579485fa --- /dev/null +++ b/checks/testdata/.github/workflows/github-workflow-permissions-run-multiple-writes.yaml @@ -0,0 +1,30 @@ +# Copyright 2021 OpenSSF Scorecard Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +name: write-and-read workflow +on: [push] +permissions: read-all + +jobs: + Explore-GitHub-Actions: + runs-on: ubuntu-latest + permissions: + statuses: write + checks: write + security-events: write + deployments: write + contents: write + packages: write + actions: write + steps: + - run: echo "write-and-read workflow" 
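Review bot: The new fixture exercises seven itemized job-level writes but not job-level `permissions: write-all`, which is exactly the form the remediation text added in this commit tells users to avoid; without a case for it, nothing pins whether `write-all` under a job is forgiven like the itemized scopes or still penalized. Add a sibling fixture with `permissions: write-all` on the job and a test case asserting the intended `Score` and `NumberOfWarn`. The fixture also omits scopes such as `id-token: write` and `pull-requests: write` that are not on the warned list, so the test does not show whether unlisted scopes produce a warning at all; a second fixture, or a comment on `NumberOfWarn: 7` stating that only listed scopes are counted, would make that explicit. The `tests` slice this case is appended to starts outside the hunk.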
diff --git a/docs/checks.md b/docs/checks.md index 406bb213f1b..a8aafd8a937 100644 --- a/docs/checks.md +++ b/docs/checks.md @@ -613,13 +613,13 @@ Note: The check does not verify the signatures. Risk: `High` (vulnerable to malicious code additions) -This check determines whether the project's automated workflows tokens are set -to read-only by default. It is currently limited to repositories hosted on -GitHub, and does not support other source hosting repositories (i.e., Forges). +This check determines whether the project's automated workflows tokens follow the +principle of least privilege. This is important because attackers may use a +compromised token with write access to, for example, push malicious code into the +project. -Setting token permissions to read-only follows the principle of least privilege. -This is important because attackers may use a compromised token with write -access to push malicious code into the project. +It is currently limited to repositories hosted on GitHub, and does not support +other source hosting repositories (i.e., Forges). The highest score is awarded when the permissions definitions in each workflow's yaml file are set as read-only at the 
@@ -630,25 +630,27 @@ One point is reduced from the score if all jobs have their permissions defined b This configuration is secure, but there is a chance that when a new job is added to the workflow, its job permissions could be left undefined because of human error. -The check cannot detect if the "read-only" GitHub permission setting is -enabled, as there is no API available. - -Additionally, points are reduced if certain write permissions are defined for a job. +Though a project's score won't be penalized, the check's details will include +warnings for more sensitive run-level permissions, listed below: -### Write permissions causing a small reduction -* `statuses` - May allow an attacker to change the result of pre-submit checks and get a PR merged. +* `actions` - May allow an attacker to steal GitHub secrets by approving to run an action that needs approval. * `checks` - May allow an attacker to remove pre-submit checks and introduce a bug. -* `security-events` - May allow an attacker to read vulnerability reports before a patch is available. However, points are not reduced if the job utilizes a recognized action for uploading SARIF results. -* `deployments` - May allow an attacker to charge repo owner by triggering VM runs, and tiny chance an attacker can trigger a remote service with code they own if server accepts code/location variables unsanitized. - -### Write permissions causing a large reduction * `contents` - Allows an attacker to commit unreviewed code. However, points are not reduced if the job utilizes a recognized packaging action or command. +* `deployments` - May allow an attacker to charge repo owner by triggering VM runs, and tiny chance an attacker can trigger a remote service with code they own if server accepts code/location variables unsanitized. * `packages` - Allows an attacker to publish packages. However, points are not reduced if the job utilizes a recognized packaging action or command. 
-* `actions` - May allow an attacker to steal GitHub secrets by approving to run an action that needs approval. +* `security-events` - May allow an attacker to read vulnerability reports before a patch is available. However, points are not reduced if the job utilizes a recognized action for uploading SARIF results. +* `statuses` - May allow an attacker to change the result of pre-submit checks and get a PR merged. + +This compromise makes it clear the maintainer has done what's possible to use those permissions safety, +but allows users to identify that the permissions are used. + +The check cannot detect if the "read-only" GitHub permission setting is +enabled, as there is no API available. **Remediation steps** -- Set permissions as `read-all` or `contents: read` as described in GitHub's [documentation](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions). +- Set top-level permissions as `read-all` or `contents: read` as described in GitHub's [documentation](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions). +- Set any required write permissions at the job-level. Only set the permissions required for that job; do not set `permissions: write-all` at the job level. - To help determine the permissions needed for your workflows, you may use [StepSecurity's online tool](https://app.stepsecurity.io/secureworkflow/) by ticking the "Restrict permissions for GITHUB_TOKEN". You may also tick the "Pin actions to a full length commit SHA" to fix issues found by the Pinned-dependencies check. ## Vulnerabilities diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml index 51601c05a55..9233da7a4df 100644 --- a/docs/checks/internal/checks.yaml +++ b/docs/checks/internal/checks.yaml 
@@ -653,13 +653,13 @@ checks: description: | Risk: `High` (vulnerable to malicious code additions) - This check determines whether the project's automated workflows tokens are set - to read-only by default. It is currently limited to repositories hosted on - GitHub, and does not support other source hosting repositories (i.e., Forges). + This check determines whether the project's automated workflows tokens follow the + principle of least privilege. This is important because attackers may use a + compromised token with write access to, for example, push malicious code into the + project. - Setting token permissions to read-only follows the principle of least privilege. - This is important because attackers may use a compromised token with write - access to push malicious code into the project. + It is currently limited to repositories hosted on GitHub, and does not support + other source hosting repositories (i.e., Forges). The highest score is awarded when the permissions definitions in each workflow's yaml file are set as read-only at the 
@@ -670,26 +670,30 @@ checks: This configuration is secure, but there is a chance that when a new job is added to the workflow, its job permissions could be left undefined because of human error. - The check cannot detect if the "read-only" GitHub permission setting is - enabled, as there is no API available. - - Additionally, points are reduced if certain write permissions are defined for a job. + Though a project's score won't be penalized, the check's details will include + warnings for more sensitive run-level permissions, listed below: - ### Write permissions causing a small reduction - * `statuses` - May allow an attacker to change the result of pre-submit checks and get a PR merged. + * `actions` - May allow an attacker to steal GitHub secrets by approving to run an action that needs approval. * `checks` - May allow an attacker to remove pre-submit checks and introduce a bug. - * `security-events` - May allow an attacker to read vulnerability reports before a patch is available. However, points are not reduced if the job utilizes a recognized action for uploading SARIF results. - * `deployments` - May allow an attacker to charge repo owner by triggering VM runs, and tiny chance an attacker can trigger a remote service with code they own if server accepts code/location variables unsanitized. - - ### Write permissions causing a large reduction * `contents` - Allows an attacker to commit unreviewed code. However, points are not reduced if the job utilizes a recognized packaging action or command. + * `deployments` - May allow an attacker to charge repo owner by triggering VM runs, and tiny chance an attacker can trigger a remote service with code they own if server accepts code/location variables unsanitized. * `packages` - Allows an attacker to publish packages. However, points are not reduced if the job utilizes a recognized packaging action or command. 
- * `actions` - May allow an attacker to steal GitHub secrets by approving to run an action that needs approval. + * `security-events` - May allow an attacker to read vulnerability reports before a patch is available. However, points are not reduced if the job utilizes a recognized action for uploading SARIF results. + * `statuses` - May allow an attacker to change the result of pre-submit checks and get a PR merged. + + This compromise makes it clear the maintainer has done what's possible to use those permissions safety, + but allows users to identify that the permissions are used. + + The check cannot detect if the "read-only" GitHub permission setting is + enabled, as there is no API available. remediation: - >- - Set permissions as `read-all` or `contents: read` as described in + Set top-level permissions as `read-all` or `contents: read` as described in GitHub's [documentation](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions). + - >- + Set any required write permissions at the job-level. Only set the permissions + required for that job; do not set `permissions: write-all` at the job level. - >- To help determine the permissions needed for your workflows, you may use [StepSecurity's online tool](https://app.stepsecurity.io/secureworkflow/) by ticking the "Restrict permissions for GITHUB_TOKEN". You may also tick the "Pin actions to a full length commit SHA" to fix issues found 
@@ -819,9 +823,9 @@ checks: This check determines whether the webhook defined in the repository has a token configured to authenticate the origins of requests. remediation: - - >- - Check whether your service supports token authentication. - - >- - If there is support for token authentication, set the secret in the webhook configuration. See [Setting up a webhook](https://docs.github.com/en/developers/webhooks-and-events/webhooks/creating-webhooks#setting-up-a-webhook) - - >- - If there is no support for token authentication, consider implementing it by following [these directions](https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks). + - >- + Check whether your service supports token authentication. + - >- + If there is support for token authentication, set the secret in the webhook configuration. See [Setting up a webhook](https://docs.github.com/en/developers/webhooks-and-events/webhooks/creating-webhooks#setting-up-a-webhook) + - >- + If there is no support for token authentication, consider implementing it by following [these directions](https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks). From e1eede2d3fa09d08bbc00ca2331c2bffebdc602d Mon Sep 17 00:00:00 2001 From: Eugene Kliuchnikov Date: Fri, 14 Jul 2023 18:09:13 +0200 Subject: [PATCH 12/18] :bug: Fix typo (#3267) Signed-off-by: Eugene Kliuchnikov --- checks/sast.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checks/sast.go b/checks/sast.go index 423767f842e..2aab45c9039 100644 --- a/checks/sast.go +++ b/checks/sast.go 
@@ -100,7 +100,7 @@ func SAST(c *checker.CheckRequest) checker.CheckResult { Text: getNonCompliantPRMessage(nonCompliantPRs), }) score := checker.AggregateScoresWithWeight(map[int]int{sastScore: sastWeight, codeQlScore: codeQlWeight}) - return checker.CreateResultWithScore(CheckSAST, "SAST tool detected but not run on all commmits", score) + return checker.CreateResultWithScore(CheckSAST, "SAST tool detected but not run on all commits", score) default: return checker.CreateRuntimeErrorResult(CheckSAST, sce.WithMessage(sce.ErrScorecardInternal, "contact team")) } From 875262ace77820b2eafdd60d01b6535ba273e837 Mon Sep 17 00:00:00 2001 From: Diogo Teles Sant'Anna Date: Sun, 16 Jul 2023 13:27:55 -0300 Subject: [PATCH 13/18] =?UTF-8?q?=F0=9F=93=96=20=20Suggest=20new=20score?= =?UTF-8?q?=20viewer=20on=20badge=20documentation=20(#3268)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * docs(readme): suggest new score viewer on badge documentation Signed-off-by: Diogo Teles Sant'Anna * docs(readme): add link to ossf blogpost about the badge Signed-off-by: Diogo Teles Sant'Anna * docs: update badge of our own README to the new viewer Signed-off-by: Diogo Teles Sant'Anna --------- Signed-off-by: Diogo Teles Sant'Anna --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 0201b8fbc00..f5e59c76d34 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ # OpenSSF Scorecard -[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ossf/scorecard/badge)](https://api.securityscorecards.dev/projects/github.com/ossf/scorecard) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ossf/scorecard/badge)](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard) [![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/5621/badge)](https://bestpractices.coreinfrastructure.org/projects/5621) ![build](https://github.com/ossf/scorecard/workflows/build/badge.svg?branch=main) ![CodeQL](https://github.com/ossf/scorecard/workflows/CodeQL/badge.svg?branch=main) @@ -154,12 +154,12 @@ in the Scorecard GitHub Action setting. Enabling [`publish_results: true`](https://github.com/ossf/scorecard-action/blob/dd5015aaf9688596b0e6d11e7f24fff566aa366b/action.yaml#L35) in Scorecard GitHub Actions also allows maintainers to display a Scorecard badge on their repository to show off their -hard work. This badge also auto-updates for every change made to the repository. +hard work. This badge also auto-updates for every change made to the repository. See more details on [this OSSF blogpost](https://openssf.org/blog/2022/09/08/show-off-your-security-score-announcing-scorecards-badges/). + To include a badge on your project's repository, simply add the following markdown to your README: ``` -[![OpenSSF -Scorecard](https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}/badge)](https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}/badge)](https://securityscorecards.dev/viewer/?uri=github.com/{owner}/{repo}) ``` ### Scorecard Command Line Interface From 9545d797fcd37b679789008a3582a36e796321d1 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 16 Jul 2023 17:46:25 +0000 Subject: [PATCH 14/18] :seedling: Bump tj-actions/changed-files from 37.1.1 to 37.1.2 (#3266) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.1 to 37.1.2. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/1f20fb83f05eabed6e12ba0329edac8b6ec8e207...2a968ff601949c81b47d9c1fdb789b0d25ddeea2) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 0ac1adecdef..a41de8eb12c 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -42,7 +42,7 @@ jobs: fetch-depth: 2 # needed to diff changed files - id: files name: Get changed files - uses: tj-actions/changed-files@1f20fb83f05eabed6e12ba0329edac8b6ec8e207 #v37.1.1 + uses: tj-actions/changed-files@2a968ff601949c81b47d9c1fdb789b0d25ddeea2 #v37.1.2 with: files_ignore: '**.md' - id: docs_only_check From 1ac091a456f3c256d842337207953fd5c29007f0 Mon Sep 17 00:00:00 2001 From: Naveen <172697+naveensrinivasan@users.noreply.github.com> Date: Mon, 17 Jul 2023 09:31:17 -0500 Subject: [PATCH 15/18] :seedling: Update the cover profile for e2e (#3271) - Update the cover profile for e2e Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 076cc69708a..31a9d0c0297 100644 --- a/Makefile 
+++ b/Makefile @@ -336,7 +336,7 @@ endif e2e-pat: ## Runs e2e tests. Requires GITHUB_AUTH_TOKEN env var to be set to GitHub personal access token e2e-pat: build-scorecard check-env | $(GINKGO) # Run e2e tests. GITHUB_AUTH_TOKEN with personal access token must be exported to run this - TOKEN_TYPE="PAT" $(GINKGO) --race -p -v -cover -coverprofile=e2e-coverage.out --keep-separate-coverprofiles ./... + TOKEN_TYPE="PAT" $(GINKGO) --race -p -v -coverprofile=e2e-coverage.out -coverpkg=./... -r ./... e2e-gh-token: ## Runs e2e tests. Requires GITHUB_AUTH_TOKEN env var to be set to default GITHUB_TOKEN e2e-gh-token: build-scorecard check-env | $(GINKGO) @@ -450,4 +450,4 @@ cron-github-server-ko: | $(KO) $(KOCACHE_PATH) --tags latest,$(GIT_VERSION),$(GIT_HASH) \ github.com/ossf/scorecard/v4/clients/githubrepo/roundtripper/tokens/server -############################################################################### \ No newline at end of file +############################################################################### From 48ec683e240f5eb2c53f5bc151760c6547aae77e Mon Sep 17 00:00:00 2001 From: Naveen <172697+naveensrinivasan@users.noreply.github.com> Date: Mon, 17 Jul 2023 11:06:27 -0500 Subject: [PATCH 16/18] :seedling: Improve e2e workflow tests (#3273) - Add e2e test for workflow runs - Retrieve successful runs of the scorecard-analysis.yml workflow Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- e2e/workflow_test.go | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 e2e/workflow_test.go diff --git a/e2e/workflow_test.go b/e2e/workflow_test.go new file mode 100644 index 00000000000..b7b37653cff --- /dev/null +++ b/e2e/workflow_test.go 
@@ -0,0 +1,42 @@ +// Copyright 2023 OpenSSF Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package e2e + +import ( + "context" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + + "github.com/ossf/scorecard/v4/clients" + "github.com/ossf/scorecard/v4/clients/githubrepo" +) + +var _ = Describe("E2E TEST:WorkflowRun", func() { + Context("E2E TEST:WorkflowRun", func() { + It("Should return scorecard analysis workflow run", func() { + // using the scorecard repo as an example. The tests repo workflow won't have any runs in the future and + // that is why we are using the scorecard repo. + repo, err := githubrepo.MakeGithubRepo("ossf/scorecard") + Expect(err).Should(BeNil()) + repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger) + err = repoClient.InitRepo(repo, clients.HeadSHA, 0) + Expect(err).Should(BeNil()) + runs, err := repoClient.ListSuccessfulWorkflowRuns("scorecard-analysis.yml") + Expect(err).Should(BeNil()) + Expect(len(runs)).Should(BeNumerically(">", 0)) + }) + }) +}) From 4d85d8f1cc2f2992254a866494b017b06d0760c9 Mon Sep 17 00:00:00 2001 From: Naveen <172697+naveensrinivasan@users.noreply.github.com> Date: Mon, 17 Jul 2023 12:09:15 -0500 Subject: [PATCH 17/18] :seedling: Excluded dependabot from codecov (#3272) - Exclude dependabot from codecov job in main.yml [.github/workflows/main.yml] - Exclude dependabot from codecov job 
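Review bot: The test hands `context.Background()` to `CreateGithubRepoClient` with no deadline, so a stalled GitHub API call hangs the whole e2e suite instead of failing this one spec; wrapping it as `ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)` with `defer cancel()` bounds the damage (the exact duration is a judgement call). The client is also never released — if the repo client type exposes a `Close()` method, as its other callers in this package presumably use, it should be deferred right after `CreateGithubRepoClient`. The inline comment is hard to parse; `// Use the scorecard repo itself: the dedicated test repo has no successful runs of scorecard-analysis.yml, so the assertion below would be vacuous there.` states the reason more precisely. Finally, `Expect(err).ShouldNot(HaveOccurred())` and `Expect(runs).ShouldNot(BeEmpty())` are the idiomatic Gomega forms of the `BeNil()` / `len(...) > 0` checks and give better failure output.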
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 72a97577a71..9de4cb718e5 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -82,7 +82,7 @@ jobs: command: make e2e-pat - name: codecov uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # 2.1.0 - if: ${{ github.event_name != 'pull_request' }} + if: ${{ github.event_name != 'pull_request' || github.actor != 'dependabot[bot]' }} with: files: "*e2e-coverage.out" verbose: true From ac6e02760f0433dc1a7c6188db0876097011deee Mon Sep 17 00:00:00 2001 From: Naveen <172697+naveensrinivasan@users.noreply.github.com> Date: Tue, 18 Jul 2023 11:33:42 -0500 Subject: [PATCH 18/18] :seedling: Increase test coverage for searching commits (#3276) - Add an e2e test for searching commits by author - Search commits by author `dependabot[bot]` and expect results Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- e2e/searchCommits_test.go | 40 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 e2e/searchCommits_test.go diff --git a/e2e/searchCommits_test.go b/e2e/searchCommits_test.go new file mode 100644 index 00000000000..1d8d8c419f0 --- /dev/null +++ b/e2e/searchCommits_test.go 
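Review bot: The new `if` on the codecov step joins its two conditions with `||`, so for any `pull_request` event whose actor is not dependabot the second operand is true and the step now runs — every human-authored PR, which the previous `github.event_name != 'pull_request'` guard excluded — while a push triggered by dependabot still passes on the first operand. To keep the old restriction and additionally skip dependabot, the operands need `&&`: `if: ${{ github.event_name != 'pull_request' && github.actor != 'dependabot[bot]' }}`. If uploading from PR runs is actually the intent, the commit message should say so, because running the upload on pull_request events (including fork PRs, where repository secrets are not exposed) changes where any codecov token configured as a secret is consumed. The job continues outside the hunk, so the rest of the step's `with:` block is not visible here.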
@@ -0,0 +1,40 @@ +// Copyright 2023 OpenSSF Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package e2e + +import ( + "context" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + + "github.com/ossf/scorecard/v4/clients" + "github.com/ossf/scorecard/v4/clients/githubrepo" +) + +var _ = Describe("E2E TEST:SearchCommits", func() { + Context("E2E TEST:SearchCommits", func() { + It("Should return commits by dependabot", func() { + repo, err := githubrepo.MakeGithubRepo("ossf/scorecard") + Expect(err).Should(BeNil()) + repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger) + err = repoClient.InitRepo(repo, clients.HeadSHA, 0) + Expect(err).Should(BeNil()) + commits, err := repoClient.SearchCommits(clients.SearchCommitsOptions{Author: "dependabot[bot]"}) + Expect(err).Should(BeNil()) + Expect(len(commits)).Should(BeNumerically(">", 0)) + }) + }) +})
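Review bot: The only assertion on the result is that `commits` is non-empty, which would also pass if the `Author` filter were silently ignored and `SearchCommits` returned the repo's latest commits; the spec title "Should return commits by dependabot" promises more than that. If the returned commit type exposes an author or committer login, loop over `commits` and assert each one matches `dependabot[bot]`; otherwise a short comment saying the test only checks that the search call succeeds against live data would keep the title honest. As elsewhere in this package, `Expect(err).ShouldNot(HaveOccurred())` and `Expect(commits).ShouldNot(BeEmpty())` are the idiomatic Gomega forms, and the `context.Background()` passed to the client could carry a timeout so a hung API call fails this spec rather than the suite.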