From c1563e19662d8caca901ed571db8aaa8318cc213 Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Thu, 15 Feb 2024 11:32:35 -0800 Subject: [PATCH 1/2] :seedling: Combine SAST probes into single probe (#3874) * check logger counts for SAST tests previously, we only checked the result score. test failures with this method dont produce as actionable feedback. Signed-off-by: Spencer Schrock * clarify test names and score constants used Signed-off-by: Spencer Schrock * add generic sastToolConfigured probe switch over the evaluation code to using the single probe with tool value. Signed-off-by: Spencer Schrock * remove old probes Signed-off-by: Spencer Schrock * add tests Signed-off-by: Spencer Schrock * experiment with one readme Signed-off-by: Spencer Schrock * appease linter Signed-off-by: Spencer Schrock * remove colon from yaml which led to parse errors Signed-off-by: Spencer Schrock * polish documentation details Signed-off-by: Spencer Schrock --------- 
Signed-off-by: Spencer Schrock --- checks/evaluation/sast.go | 58 ++----- checks/evaluation/sast_test.go | 164 +++--------------- docs/checks/sast/README.md | 14 ++ probes/entries.go | 16 +- probes/sastToolCodeQLInstalled/def.yml | 44 ----- probes/sastToolCodeQLInstalled/impl.go | 57 ------ probes/sastToolCodeQLInstalled/impl_test.go | 92 ---------- .../def.yml | 30 ++-- .../impl.go | 38 ++-- .../impl_test.go | 130 +++++++++++--- probes/sastToolPysaInstalled/def.yml | 35 ---- probes/sastToolPysaInstalled/impl.go | 60 ------- probes/sastToolPysaInstalled/impl_test.go | 104 ----------- probes/sastToolQodanaInstalled/def.yml | 41 ----- probes/sastToolQodanaInstalled/impl.go | 60 ------- probes/sastToolSnykInstalled/impl.go | 60 ------- probes/sastToolSnykInstalled/impl_test.go | 98 ----------- probes/sastToolSonarInstalled/def.yml | 48 ----- probes/sastToolSonarInstalled/impl_test.go | 92 ---------- 19 files changed, 184 insertions(+), 1057 deletions(-) create mode 100644 docs/checks/sast/README.md delete mode 100644 probes/sastToolCodeQLInstalled/def.yml delete mode 100644 probes/sastToolCodeQLInstalled/impl.go delete mode 100644 probes/sastToolCodeQLInstalled/impl_test.go rename probes/{sastToolSnykInstalled => sastToolConfigured}/def.yml (52%) rename probes/{sastToolSonarInstalled => sastToolConfigured}/impl.go (61%) rename probes/{sastToolQodanaInstalled => sastToolConfigured}/impl_test.go (53%) delete mode 100644 probes/sastToolPysaInstalled/def.yml delete mode 100644 probes/sastToolPysaInstalled/impl.go delete mode 100644 probes/sastToolPysaInstalled/impl_test.go delete mode 100644 probes/sastToolQodanaInstalled/def.yml delete mode 100644 probes/sastToolQodanaInstalled/impl.go delete mode 100644 probes/sastToolSnykInstalled/impl.go delete mode 100644 probes/sastToolSnykInstalled/impl_test.go delete mode 100644 probes/sastToolSonarInstalled/def.yml delete mode 100644 probes/sastToolSonarInstalled/impl_test.go 
diff --git a/checks/evaluation/sast.go b/checks/evaluation/sast.go index a01ecf9516e4..95fd6e855376 100644 --- a/checks/evaluation/sast.go +++ b/checks/evaluation/sast.go @@ -21,26 +21,17 @@ import ( "github.com/ossf/scorecard/v4/checker" sce "github.com/ossf/scorecard/v4/errors" "github.com/ossf/scorecard/v4/finding" - "github.com/ossf/scorecard/v4/probes/sastToolCodeQLInstalled" - "github.com/ossf/scorecard/v4/probes/sastToolPysaInstalled" - "github.com/ossf/scorecard/v4/probes/sastToolQodanaInstalled" + "github.com/ossf/scorecard/v4/probes/sastToolConfigured" "github.com/ossf/scorecard/v4/probes/sastToolRunsOnAllCommits" - "github.com/ossf/scorecard/v4/probes/sastToolSnykInstalled" - "github.com/ossf/scorecard/v4/probes/sastToolSonarInstalled" ) // SAST applies the score policy for the SAST check. func SAST(name string, findings []finding.Finding, dl checker.DetailLogger, ) checker.CheckResult { - // We have 3 unique probes, each should have a finding. expectedProbes := []string{ - sastToolCodeQLInstalled.Probe, - sastToolPysaInstalled.Probe, - sastToolQodanaInstalled.Probe, + sastToolConfigured.Probe, sastToolRunsOnAllCommits.Probe, - sastToolSonarInstalled.Probe, - sastToolSnykInstalled.Probe, } if !finding.UniqueProbesEqual(findings, expectedProbes) { @@ -48,7 +39,7 @@ func SAST(name string, return checker.CreateRuntimeErrorResult(name, e) } - var sastScore, codeQlScore, pysaScore, qodanaScore, snykScore, sonarScore int + var sastScore, codeQlScore, otherScore int var err error // Assign sastScore, codeQlScore and sonarScore for i := range findings { 
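Review bot: The context comment `// Assign sastScore, codeQlScore and sonarScore` at the end of this hunk is now stale: the `var` line two lines above drops `sonarScore` (and the other per-tool scores) in favour of `otherScore`, so the comment names a variable that no longer exists. Suggest `// Assign sastScore, codeQlScore and otherScore from the probe findings.` so the loop header matches the new variables. The `for i := range findings` loop this comment heads continues past the hunk.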
@@ -59,43 +50,24 @@ func SAST(name string, if err != nil { return checker.CreateRuntimeErrorResult(name, sce.WithMessage(sce.ErrScorecardInternal, err.Error())) } - case sastToolCodeQLInstalled.Probe: - codeQlScore = getSastToolScore(f, dl) - case sastToolSnykInstalled.Probe: - snykScore = getSastToolScore(f, dl) - case sastToolPysaInstalled.Probe: - pysaScore = getSastToolScore(f, dl) - case sastToolQodanaInstalled.Probe: - qodanaScore = getSastToolScore(f, dl) - case sastToolSonarInstalled.Probe: - if f.Outcome == finding.OutcomePositive { - sonarScore = checker.MaxResultScore - dl.Info(&checker.LogMessage{ - Text: f.Message, - Type: f.Location.Type, - Path: f.Location.Path, - Offset: *f.Location.LineStart, - EndOffset: *f.Location.LineEnd, - Snippet: *f.Location.Snippet, - }) - } else if f.Outcome == finding.OutcomeNegative { - sonarScore = checker.MinResultScore + case sastToolConfigured.Probe: + tool, ok := f.Values[sastToolConfigured.ToolKey] + if f.Outcome == finding.OutcomePositive && !ok { + return checker.CreateRuntimeErrorResult(name, sce.WithMessage(sce.ErrScorecardInternal, "missing SAST tool")) + } + score := getSastToolScore(f, dl) + switch checker.SASTWorkflowType(tool) { + case checker.CodeQLWorkflow: + codeQlScore = score + default: + otherScore = score } } } - if sonarScore == checker.MaxResultScore { + if otherScore == checker.MaxResultScore { return checker.CreateMaxScoreResult(name, "SAST tool detected") } - if snykScore == checker.MaxResultScore { - return checker.CreateMaxScoreResult(name, "SAST tool detected: Snyk") - } - if pysaScore == checker.MaxResultScore { - return checker.CreateMaxScoreResult(name, "SAST tool detected: Pysa") - } - if qodanaScore == checker.MaxResultScore { - return checker.CreateMaxScoreResult(name, "SAST tool detected: Qodana") - } if sastScore == checker.InconclusiveResultScore && codeQlScore == checker.InconclusiveResultScore { 
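Review bot: The `default` arm of the `switch checker.SASTWorkflowType(tool)` receives both the single negative finding (empty `tool`, since `ok` is only enforced for positive outcomes) and every positive non-CodeQL finding, so a negative result only ever lowers `otherScore` while `codeQlScore` keeps its zero value; the later `codeQlScore == checker.InconclusiveResultScore` comparison then depends on the zero value not being the inconclusive sentinel rather than on an explicit assignment, which the old per-tool negative findings used to provide. Handling the negative outcome before the tool switch would make that explicit, e.g. `if f.Outcome != finding.OutcomePositive { codeQlScore, otherScore = score, score; continue }` (whatever `getSastToolScore` yields for a negative finding — not visible here). Separately, `CreateMaxScoreResult(name, "SAST tool detected")` no longer names the tool that the removed Snyk/Pysa/Qodana branches reported; `tool` is in scope in the loop and could be kept for the message. The body of `SAST` continues outside the hunk.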
diff --git a/checks/evaluation/sast_test.go b/checks/evaluation/sast_test.go index 350f8ec5d2c5..004f7ece19f1 100644 --- a/checks/evaluation/sast_test.go +++ b/checks/evaluation/sast_test.go @@ -19,14 +19,12 @@ import ( "github.com/ossf/scorecard/v4/checker" sce "github.com/ossf/scorecard/v4/errors" "github.com/ossf/scorecard/v4/finding" + "github.com/ossf/scorecard/v4/probes/sastToolConfigured" "github.com/ossf/scorecard/v4/probes/sastToolRunsOnAllCommits" scut "github.com/ossf/scorecard/v4/utests" ) func TestSAST(t *testing.T) { - snippet := "some code snippet" - sline := uint(10) - eline := uint(46) t.Parallel() tests := []struct { name string @@ -34,16 +32,8 @@ func TestSAST(t *testing.T) { result scut.TestReturn }{ { - name: "SAST - Missing a probe", + name: "SAST - Missing a probe (sastToolConfigured)", findings: []finding.Finding{ - { - Probe: "sastToolCodeQLInstalled", - Outcome: finding.OutcomePositive, - }, - { - Probe: "sastToolSnykInstalled", - Outcome: finding.OutcomeNegative, - }, { Probe: sastToolRunsOnAllCommits.Probe, Outcome: finding.OutcomePositive, @@ -55,24 +45,10 @@ func TestSAST(t *testing.T) { }, }, { - name: "Sonar and codeQL is installed. Snyk, Qodana and Pysa are not installed.", + name: "Sonar and codeQL is installed", findings: []finding.Finding{ - { - Probe: "sastToolCodeQLInstalled", - Outcome: finding.OutcomePositive, - }, - { - Probe: "sastToolSnykInstalled", - Outcome: finding.OutcomeNegative, - }, - { - Probe: "sastToolPysaInstalled", - Outcome: finding.OutcomeNegative, - }, - { - Probe: "sastToolQodanaInstalled", - Outcome: finding.OutcomeNegative, - }, + tool(checker.SonarWorkflow), + tool(checker.CodeQLWorkflow), { Probe: sastToolRunsOnAllCommits.Probe, Outcome: finding.OutcomePositive, 
@@ -81,17 +57,6 @@ func TestSAST(t *testing.T) { sastToolRunsOnAllCommits.TotalPRsKey: "2", }, }, - { - Probe: "sastToolSonarInstalled", - Outcome: finding.OutcomePositive, - Location: &finding.Location{ - Type: finding.FileTypeSource, - Path: "path/to/file.txt", - LineStart: &sline, - LineEnd: &eline, - Snippet: &snippet, - }, - }, }, result: scut.TestReturn{ Score: 10, @@ -102,22 +67,7 @@ func TestSAST(t *testing.T) { { name: "Pysa is installed. CodeQL, Snyk, Qodana and Sonar are not installed.", findings: []finding.Finding{ - { - Probe: "sastToolCodeQLInstalled", - Outcome: finding.OutcomeNegative, - }, - { - Probe: "sastToolSnykInstalled", - Outcome: finding.OutcomeNegative, - }, - { - Probe: "sastToolPysaInstalled", - Outcome: finding.OutcomePositive, - }, - { - Probe: "sastToolQodanaInstalled", - Outcome: finding.OutcomeNegative, - }, + tool(checker.PysaWorkflow), { Probe: sastToolRunsOnAllCommits.Probe, Outcome: finding.OutcomePositive, @@ -126,10 +76,6 @@ func TestSAST(t *testing.T) { sastToolRunsOnAllCommits.TotalPRsKey: "2", }, }, - { - Probe: "sastToolSonarInstalled", - Outcome: finding.OutcomeNegative, - }, }, result: scut.TestReturn{ Score: 10, 
@@ -142,37 +88,11 @@ func TestSAST(t *testing.T) { Does not have info about whether SAST runs on every commit.`, findings: []finding.Finding{ - { - Probe: "sastToolCodeQLInstalled", - Outcome: finding.OutcomeNegative, - }, - { - Probe: "sastToolSnykInstalled", - Outcome: finding.OutcomeNegative, - }, - { - Probe: "sastToolQodanaInstalled", - Outcome: finding.OutcomeNegative, - }, - { - Probe: "sastToolPysaInstalled", - Outcome: finding.OutcomeNegative, - }, + tool(checker.SonarWorkflow), { Probe: sastToolRunsOnAllCommits.Probe, Outcome: finding.OutcomeNotApplicable, }, - { - Probe: "sastToolSonarInstalled", - Outcome: finding.OutcomePositive, - Location: &finding.Location{ - Type: finding.FileTypeSource, - Path: "path/to/file.txt", - LineStart: &sline, - LineEnd: &eline, - Snippet: &snippet, - }, - }, }, result: scut.TestReturn{ Score: 10, @@ -184,19 +104,7 @@ func TestSAST(t *testing.T) { name: "Sonar, CodeQL, Snyk, Qodana and Pysa are not installed", findings: []finding.Finding{ { - Probe: "sastToolCodeQLInstalled", - Outcome: finding.OutcomeNegative, - }, - { - Probe: "sastToolSnykInstalled", - Outcome: finding.OutcomeNegative, - }, - { - Probe: "sastToolPysaInstalled", - Outcome: finding.OutcomeNegative, - }, - { - Probe: "sastToolQodanaInstalled", + Probe: sastToolConfigured.Probe, Outcome: finding.OutcomeNegative, }, { @@ -207,10 +115,6 @@ func TestSAST(t *testing.T) { sastToolRunsOnAllCommits.TotalPRsKey: "3", }, }, - { - Probe: "sastToolSonarInstalled", - Outcome: finding.OutcomeNegative, - }, }, result: scut.TestReturn{ Score: 3, @@ -221,14 +125,7 @@ func TestSAST(t *testing.T) { { name: "Snyk is installed, Sonar, Qodana and CodeQL are not installed", findings: []finding.Finding{ - { - Probe: "sastToolCodeQLInstalled", - Outcome: finding.OutcomeNegative, - }, - { - Probe: "sastToolSnykInstalled", - Outcome: finding.OutcomePositive, - }, + tool(checker.SnykWorkflow), { Probe: sastToolRunsOnAllCommits.Probe, Outcome: finding.OutcomePositive, 
@@ -237,18 +134,6 @@ func TestSAST(t *testing.T) { sastToolRunsOnAllCommits.TotalPRsKey: "3", }, }, - { - Probe: "sastToolSonarInstalled", - Outcome: finding.OutcomeNegative, - }, - { - Probe: "sastToolPysaInstalled", - Outcome: finding.OutcomeNegative, - }, - { - Probe: "sastToolQodanaInstalled", - Outcome: finding.OutcomeNegative, - }, }, result: scut.TestReturn{ Score: 10, @@ -259,14 +144,7 @@ func TestSAST(t *testing.T) { { name: "Qodana is installed, Snyk, Sonar, and CodeQL are not installed", findings: []finding.Finding{ - { - Probe: "sastToolCodeQLInstalled", - Outcome: finding.OutcomeNegative, - }, - { - Probe: "sastToolSnykInstalled", - Outcome: finding.OutcomeNegative, - }, + tool(checker.QodanaWorkflow), { Probe: sastToolRunsOnAllCommits.Probe, Outcome: finding.OutcomePositive, @@ -275,18 +153,6 @@ func TestSAST(t *testing.T) { sastToolRunsOnAllCommits.TotalPRsKey: "3", }, }, - { - Probe: "sastToolSonarInstalled", - Outcome: finding.OutcomeNegative, - }, - { - Probe: "sastToolPysaInstalled", - Outcome: finding.OutcomeNegative, - }, - { - Probe: "sastToolQodanaInstalled", - Outcome: finding.OutcomePositive, - }, }, result: scut.TestReturn{ Score: 10, @@ -305,3 +171,13 @@ func TestSAST(t *testing.T) { }) } } + +func tool(name checker.SASTWorkflowType) finding.Finding { + return finding.Finding{ + Probe: sastToolConfigured.Probe, + Outcome: finding.OutcomePositive, + Values: map[string]string{ + sastToolConfigured.ToolKey: string(name), + }, + } +} diff --git a/docs/checks/sast/README.md b/docs/checks/sast/README.md new file mode 100644 index 000000000000..f3682b1af7f7 --- /dev/null +++ b/docs/checks/sast/README.md 
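Review bot: The new runtime-error path in the evaluator — a positive `sastToolConfigured` finding without a `ToolKey` value — has no test case in this file, even though the `tool()` helper makes the positive findings and the "Missing a probe" case already exercises the runtime-error shape. Adding one case to the table pins that contract; mirror the `result` block of the existing "Missing a probe" case, since its exact fields are outside the hunks shown. Note also that `tool()` builds findings with no `Location`, so whatever `getSastToolScore` logs from the location is not covered by these tests (presumably fine, but worth one case with a location set).
```go
		{
			name: "SAST - positive sastToolConfigured finding without tool value",
			findings: []finding.Finding{
				{
					Probe:   sastToolConfigured.Probe,
					Outcome: finding.OutcomePositive,
				},
				{
					Probe:   sastToolRunsOnAllCommits.Probe,
					Outcome: finding.OutcomeNotApplicable,
				},
			},
			// result: same shape as the "Missing a probe" case (sce.ErrScorecardInternal).
		},
		// … unchanged: remaining cases and the t.Run loop …
```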
@@ -0,0 +1,14 @@ +# Supported Tools +* [CodeQL](https://docs.github.com/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) + * Detection is based on GitHub workflows using `github/codeql-action/analyze`, or GitHub Action checks run against PRs. +* [Qodona](https://github.com/JetBrains/qodana-action) + * Detection based on GitHub workflows using `JetBrains/qodana-action`. +* [Snyk](https://github.com/snyk/actions) + * Detection based on GitHub workflows using one of the actions from the set at https://github.com/snyk/actions +* [Sonar](https://docs.sonarsource.com/sonarqube/latest/setup-and-upgrade/overview/) + * Detection based on the presence of a `pom.xml` file specifying a `sonar.host.url`, or GitHub Action checks run against PRs. + +# Add Support + +Don't see your SAST tool listed? +Search for an existing issue, or create one, to discuss adding support. diff --git a/probes/entries.go b/probes/entries.go index 7765da3bdd9e..7e7aabfcf5ec 100644 --- a/probes/entries.go +++ b/probes/entries.go @@ -49,12 +49,8 @@ import ( "github.com/ossf/scorecard/v4/probes/packagedWithAutomatedWorkflow" "github.com/ossf/scorecard/v4/probes/releasesAreSigned" "github.com/ossf/scorecard/v4/probes/releasesHaveProvenance" - "github.com/ossf/scorecard/v4/probes/sastToolCodeQLInstalled" - "github.com/ossf/scorecard/v4/probes/sastToolPysaInstalled" - "github.com/ossf/scorecard/v4/probes/sastToolQodanaInstalled" + "github.com/ossf/scorecard/v4/probes/sastToolConfigured" "github.com/ossf/scorecard/v4/probes/sastToolRunsOnAllCommits" - "github.com/ossf/scorecard/v4/probes/sastToolSnykInstalled" - "github.com/ossf/scorecard/v4/probes/sastToolSonarInstalled" "github.com/ossf/scorecard/v4/probes/securityPolicyContainsLinks" "github.com/ossf/scorecard/v4/probes/securityPolicyContainsText" "github.com/ossf/scorecard/v4/probes/securityPolicyContainsVulnerabilityDisclosure" 
@@ -120,12 +116,8 @@ var ( codeReviewOneReviewers.Run, } SAST = []ProbeImpl{ - sastToolCodeQLInstalled.Run, - sastToolPysaInstalled.Run, - sastToolQodanaInstalled.Run, - sastToolSnykInstalled.Run, + sastToolConfigured.Run, sastToolRunsOnAllCommits.Run, - sastToolSonarInstalled.Run, } DangerousWorkflows = []ProbeImpl{ hasDangerousWorkflowScriptInjection.Run, @@ -181,9 +173,7 @@ var ( hasLicenseFileAtTopDir.Probe: hasLicenseFileAtTopDir.Run, contributorsFromOrgOrCompany.Probe: contributorsFromOrgOrCompany.Run, hasOSVVulnerabilities.Probe: hasOSVVulnerabilities.Run, - sastToolCodeQLInstalled.Probe: sastToolCodeQLInstalled.Run, sastToolRunsOnAllCommits.Probe: sastToolRunsOnAllCommits.Run, - sastToolSonarInstalled.Probe: sastToolSonarInstalled.Run, hasDangerousWorkflowScriptInjection.Probe: hasDangerousWorkflowScriptInjection.Run, hasDangerousWorkflowUntrustedCheckout.Probe: hasDangerousWorkflowUntrustedCheckout.Run, notArchived.Probe: notArchived.Run, @@ -218,9 +208,7 @@ var ( hasLicenseFileAtTopDir.Probe: "License", contributorsFromOrgOrCompany.Probe: "Contributors", hasOSVVulnerabilities.Probe: "Vulnerabilities", - sastToolCodeQLInstalled.Probe: "SAST", sastToolRunsOnAllCommits.Probe: "SAST", - sastToolSonarInstalled.Probe: "SAST", hasDangerousWorkflowScriptInjection.Probe: "Dangerous-Workflow", hasDangerousWorkflowUntrustedCheckout.Probe: "Dangerous-Workflow", notArchived.Probe: "Maintained", diff --git a/probes/sastToolCodeQLInstalled/def.yml b/probes/sastToolCodeQLInstalled/def.yml deleted file mode 100644 index 2241fef2e529..000000000000 --- a/probes/sastToolCodeQLInstalled/def.yml +++ /dev/null 
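Review bot: The last two hunks of `entries.go` delete the `sastToolCodeQLInstalled`/`sastToolSonarInstalled` entries from the probe-name→`Run` map and the probe→check map but add no `sastToolConfigured` entry, while `sastToolRunsOnAllCommits` stays in both. If those maps are what resolves probes requested individually (they look like a registry keyed by probe id), the new probe is unreachable that way even though it is in the `SAST` slice above. Suggest adding `sastToolConfigured.Probe: sastToolConfigured.Run,` to the first map and `sastToolConfigured.Probe: "SAST",` to the second, or a comment stating why it is intentionally omitted. The `var` block these hunks belong to starts and ends outside the shown lines.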
@@ -1,44 +0,0 @@ -# Copyright 2023 OpenSSF Scorecard Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -id: sastToolCodeQLInstalled -short: Check that the project uses the CodeQL github actions -motivation: > - SAST is testing run on source code before the application is run. Using SAST tools can prevent known classes of bugs from being inadvertently introduced in the codebase. -implementation: > - The implementation checks whether the project invokes the github/codeql-action/analyze action. -outcome: - - If the project uses the github/codeql-action/analyze action, the probe returns one finding with OutcomePositive (1). - - If the project does not use the github/codeql-action/analyze action, the probe returns one finding with OutcomeNegative (0). -remediation: - effort: Medium - text: - - Follow the steps in https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis to integrate CodeQL for your project. - markdown: - - Follow the steps in https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis to integrate CodeQL for your project. -ecosystem: - languages: - - c - - c++ - - go - - java - - kotlin - - javascript - - python - - ruby - - swift - - typescript - clients: - - github - - gitlab \ No newline at end of file 
diff --git a/probes/sastToolCodeQLInstalled/impl.go b/probes/sastToolCodeQLInstalled/impl.go deleted file mode 100644 index dd781d5f22e7..000000000000 --- a/probes/sastToolCodeQLInstalled/impl.go +++ /dev/null @@ -1,57 +0,0 @@ -// Copyright 2023 OpenSSF Scorecard Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -//nolint:stylecheck -package sastToolCodeQLInstalled - -import ( - "embed" - "fmt" - - "github.com/ossf/scorecard/v4/checker" - "github.com/ossf/scorecard/v4/finding" - "github.com/ossf/scorecard/v4/probes/internal/utils/uerror" -) - -//go:embed *.yml -var fs embed.FS - -const Probe = "sastToolCodeQLInstalled" - -func Run(raw *checker.RawResults) ([]finding.Finding, string, error) { - if raw == nil { - return nil, "", fmt.Errorf("%w: raw", uerror.ErrNil) - } - - r := raw.SASTResults - - for _, wf := range r.Workflows { - if wf.Type == checker.CodeQLWorkflow { - f, err := finding.NewWith(fs, Probe, - "SAST tool installed: CodeQL", nil, - finding.OutcomePositive) - if err != nil { - return nil, Probe, fmt.Errorf("create finding: %w", err) - } - return []finding.Finding{*f}, Probe, nil - } - } - f, err := finding.NewWith(fs, Probe, - "CodeQL tool not installed", nil, - finding.OutcomeNegative) - if err != nil { - return nil, Probe, fmt.Errorf("create finding: %w", err) - } - return []finding.Finding{*f}, Probe, nil -} 
diff --git a/probes/sastToolCodeQLInstalled/impl_test.go b/probes/sastToolCodeQLInstalled/impl_test.go deleted file mode 100644 index 60165f2a2790..000000000000 --- a/probes/sastToolCodeQLInstalled/impl_test.go +++ /dev/null 
@@ -1,92 +0,0 @@ -// Copyright 2023 OpenSSF Scorecard Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -//nolint:stylecheck -package sastToolCodeQLInstalled - -import ( - "testing" - - "github.com/google/go-cmp/cmp" - "github.com/google/go-cmp/cmp/cmpopts" - - "github.com/ossf/scorecard/v4/checker" - "github.com/ossf/scorecard/v4/finding" - "github.com/ossf/scorecard/v4/probes/internal/utils/test" -) - -func Test_Run(t *testing.T) { - t.Parallel() - //nolint:govet - tests := []struct { - name string - raw *checker.RawResults - outcomes []finding.Outcome - err error - }{ - { - name: "codeql present", - err: nil, - raw: &checker.RawResults{ - SASTResults: checker.SASTData{ - Workflows: []checker.SASTWorkflow{ - { - Type: checker.CodeQLWorkflow, - }, - { - Type: checker.SonarWorkflow, - }, - }, - }, - }, - outcomes: []finding.Outcome{ - finding.OutcomePositive, - }, - }, - { - name: "codeql not present", - err: nil, - raw: &checker.RawResults{ - SASTResults: checker.SASTData{ - Workflows: []checker.SASTWorkflow{ - { - Type: checker.SonarWorkflow, - }, - }, - }, - }, - outcomes: []finding.Outcome{ - finding.OutcomeNegative, - }, - }, - } - for _, tt := range tests { - tt := tt // Re-initializing variable so it is not changed while executing the closure below - t.Run(tt.name, func(t *testing.T) { - t.Parallel() - - findings, s, err := Run(tt.raw) - if !cmp.Equal(tt.err, err, cmpopts.EquateErrors()) { - t.Errorf("mismatch (-want +got):\n%s", 
cmp.Diff(tt.err, err, cmpopts.EquateErrors())) - } - if err != nil { - return - } - if diff := cmp.Diff(Probe, s); diff != "" { - t.Errorf("mismatch (-want +got):\n%s", diff) - } - test.AssertOutcomes(t, findings, tt.outcomes) - }) - } -} diff --git a/probes/sastToolSnykInstalled/def.yml b/probes/sastToolConfigured/def.yml similarity index 52% rename from probes/sastToolSnykInstalled/def.yml rename to probes/sastToolConfigured/def.yml index 1c770d7bcf4c..71e6ed8f5439 100644 --- a/probes/sastToolSnykInstalled/def.yml +++ b/probes/sastToolConfigured/def.yml @@ -1,4 +1,4 @@ -# Copyright 2023 OpenSSF Scorecard Authors +# Copyright 2024 OpenSSF Scorecard Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -12,34 +12,24 @@ # See the License for the specific language governing permissions and # limitations under the License. -id: sastToolSnykInstalled -short: Check that the project uses the Snyk github action +id: sastToolConfigured +short: Check that the project uses a SAST tool motivation: > SAST is testing run on source code before the application is run. Using SAST tools can prevent known classes of bugs from being inadvertently introduced in the codebase. implementation: > - The implementation checks whether the project invokes the snyk/actions action. + The implementation checks for evidence of various SAST tools. This includes configuration files, GitHub Action workflows, and GitHub PR check annotations. outcome: - - If the project uses the snyk/actions/* action, the probe returns one finding with OutcomePositive (1). - - If the project does not use the snyk/actions/* action, the probe returns one finding with OutcomeNegative (0). + - If the project uses a SAST tool we can detect, the probe returns one finding per tool with OutcomePositive. + - If the project does not use a SAST tool, or uses a tool we dont currently detect, the probe returns one finding with OutcomeNegative. remediation: effort: Medium text: - - Follow the steps in https://github.com/snyk/actions + - Setup one of tools we currently detect https://github.com/ossf/scorecard/blob/main/docs/checks/sast/README.md. markdown: - - Follow the steps in https://github.com/snyk/actions + - Setup one of [tools we currently detect](https://github.com/ossf/scorecard/blob/main/docs/checks/sast/README.md). ecosystem: languages: - - c - - c++ - - go - - java - - kotlin - - javascript - - php - - python - - swift - - objectivec - - typescript + - all clients: - github - - gitlab \ No newline at end of file + - gitlab 
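Review bot: The new `outcome` text says the probe "returns one finding per tool", but the implementation in this patch emits one finding per detected workflow/configuration and its test "one tool, multiple times" expects two CodeQL findings for two CodeQL workflows, so the definition and the code disagree. Suggest `- If the project uses a SAST tool we can detect, the probe returns one finding with OutcomePositive per detected configuration (a tool configured several times yields several findings).` and fix `dont` → `don't` in the negative outcome line. The remediation links to `docs/checks/sast/README.md`; that page as added in this patch omits Pysa, which `checker.PysaWorkflow` detection still covers, and spells Qodana as "Qodona".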
diff --git a/probes/sastToolSonarInstalled/impl.go b/probes/sastToolConfigured/impl.go similarity index 61% rename from probes/sastToolSonarInstalled/impl.go rename to probes/sastToolConfigured/impl.go index 991d94ebb87f..f3cb9f86cfc0 100644 --- a/probes/sastToolSonarInstalled/impl.go +++ b/probes/sastToolConfigured/impl.go @@ -1,4 +1,4 @@ -// Copyright 2023 OpenSSF Scorecard Authors +// Copyright 2024 OpenSSF Scorecard Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -13,7 +13,7 @@ // limitations under the License. //nolint:stylecheck -package sastToolSonarInstalled +package sastToolConfigured import ( "embed" @@ -27,7 +27,10 @@ import ( //go:embed *.yml var fs embed.FS -const Probe = "sastToolSonarInstalled" +const ( + Probe = "sastToolConfigured" + ToolKey = "tool" +) func Run(raw *checker.RawResults) ([]finding.Finding, string, error) { if raw == nil { 
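Review bot: The new exported `ToolKey` constant is the contract between this probe and the evaluator (`f.Values[sastToolConfigured.ToolKey]`), but neither it nor `Probe` carries a doc comment saying what the value holds. Suggest `// Probe is the identifier of this probe.` and `// ToolKey is the finding value key under which a positive finding stores the detected tool name (the checker.SASTWorkflowType string).` so callers know the value is a workflow type, not free text. `Run`'s body continues past this hunk.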
@@ -36,25 +39,24 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) { r := raw.SASTResults - for _, wf := range r.Workflows { - wf := wf - if wf.Type != checker.SonarWorkflow { - continue - } - loc := wf.File.Location() - f, err := finding.NewWith(fs, Probe, - "SAST tool installed: Sonar", loc, - finding.OutcomePositive) + if len(r.Workflows) == 0 { + f, err := finding.NewWith(fs, Probe, "no SAST configuration files detected", nil, finding.OutcomeNegative) if err != nil { return nil, Probe, fmt.Errorf("create finding: %w", err) } return []finding.Finding{*f}, Probe, nil } - f, err := finding.NewWith(fs, Probe, - "Sonar tool not installed", nil, - finding.OutcomeNegative) - if err != nil { - return nil, Probe, fmt.Errorf("create finding: %w", err) + + findings := make([]finding.Finding, len(r.Workflows)) + for i := range r.Workflows { + tool := string(r.Workflows[i].Type) + loc := r.Workflows[i].File.Location() + f, err := finding.NewWith(fs, Probe, "SAST configuration detected: "+tool, loc, finding.OutcomePositive) + if err != nil { + return nil, Probe, fmt.Errorf("create finding: %w", err) + } + f = f.WithValue(ToolKey, tool) + findings[i] = *f } - return []finding.Finding{*f}, Probe, nil + return findings, Probe, nil } diff --git a/probes/sastToolQodanaInstalled/impl_test.go b/probes/sastToolConfigured/impl_test.go similarity index 53% rename from probes/sastToolQodanaInstalled/impl_test.go rename to probes/sastToolConfigured/impl_test.go index c1d496508e75..7b4ea658525b 100644 --- a/probes/sastToolQodanaInstalled/impl_test.go +++ b/probes/sastToolConfigured/impl_test.go @@ -1,4 +1,4 @@ -// Copyright 2023 OpenSSF Scorecard Authors +// Copyright 2024 OpenSSF Scorecard Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
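Review bot: The negative finding message `"no SAST configuration files detected"` understates what the probe covers: the definition in this patch says detection also includes GitHub Action workflows and PR check annotations, so a reader of the negative result will look only for config files. Suggest `"no SAST tool detected"`. Also, the loop now calls `r.Workflows[i].File.Location()` for every tool, whereas the deleted Pysa probe deliberately set only `Path` on its location; if `Location()` leaves `LineStart`/`LineEnd`/`Snippet` nil for sources that have no line information, make sure the evaluator's logging does not dereference them (the old Sonar branch did `*f.Location.LineStart`) — I cannot see `getSastToolScore` from here, so this is worth confirming.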
@@ -13,7 +13,7 @@ // limitations under the License. //nolint:stylecheck -package sastToolQodanaInstalled +package sastToolConfigured import ( "testing" @@ -24,19 +24,36 @@ import ( "github.com/ossf/scorecard/v4/checker" "github.com/ossf/scorecard/v4/finding" "github.com/ossf/scorecard/v4/probes/internal/utils/test" + "github.com/ossf/scorecard/v4/probes/internal/utils/uerror" ) func Test_Run(t *testing.T) { t.Parallel() - //nolint:govet tests := []struct { - name string + err error raw *checker.RawResults + name string outcomes []finding.Outcome - err error }{ { - name: "qodana present", + name: "no raw data", + raw: nil, + err: uerror.ErrNil, + outcomes: nil, + }, + { + name: "no SAST tools detected", + raw: &checker.RawResults{ + SASTResults: checker.SASTData{ + Workflows: []checker.SASTWorkflow{}, + }, + }, + outcomes: []finding.Outcome{ + finding.OutcomeNegative, + }, + }, + { + name: "multiple tools detected", err: nil, raw: &checker.RawResults{ SASTResults: checker.SASTData{ 
@@ -45,38 +62,84 @@ func Test_Run(t *testing.T) { Type: checker.CodeQLWorkflow, }, { - Type: checker.SnykWorkflow, - }, - { - Type: checker.SonarWorkflow, + Type: checker.QodanaWorkflow, }, { Type: checker.PysaWorkflow, }, - { - Type: checker.QodanaWorkflow, - }, }, }, }, outcomes: []finding.Outcome{ finding.OutcomePositive, + finding.OutcomePositive, + finding.OutcomePositive, }, }, + } + for _, tt := range tests { + tt := tt // Re-initializing variable so it is not changed while executing the closure below + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + findings, s, err := Run(tt.raw) + if !cmp.Equal(tt.err, err, cmpopts.EquateErrors()) { + t.Errorf("mismatch (-want +got):\n%s", cmp.Diff(tt.err, err, cmpopts.EquateErrors())) + } + if err != nil { + return + } + if diff := cmp.Diff(Probe, s); diff != "" { + t.Errorf("mismatch (-want +got):\n%s", diff) + } + test.AssertOutcomes(t, findings, tt.outcomes) + }) + } +} + +func Test_Run_tools(t *testing.T) { + t.Parallel() + tests := []struct { + name string + raw *checker.RawResults + tools []string + }{ { - name: "qodana not present", - err: nil, + name: "one tool", raw: &checker.RawResults{ SASTResults: checker.SASTData{ Workflows: []checker.SASTWorkflow{ { - Type: checker.SonarWorkflow, + Type: checker.CodeQLWorkflow, }, + }, + }, + }, + tools: []string{"CodeQL"}, + }, + { + name: "one tool, multiple times", + raw: &checker.RawResults{ + SASTResults: checker.SASTData{ + Workflows: []checker.SASTWorkflow{ { Type: checker.CodeQLWorkflow, }, { - Type: checker.SnykWorkflow, + Type: checker.CodeQLWorkflow, + }, + }, + }, + }, + tools: []string{"CodeQL", "CodeQL"}, + }, + { + name: "multiple tools", + raw: &checker.RawResults{ + SASTResults: checker.SASTData{ + Workflows: []checker.SASTWorkflow{ + { + Type: checker.SonarWorkflow, }, { Type: checker.PysaWorkflow, 
@@ -84,27 +147,40 @@ func Test_Run(t *testing.T) { }, }, }, - outcomes: []finding.Outcome{ - finding.OutcomeNegative, - }, + tools: []string{"Sonar", "Pysa"}, }, } for _, tt := range tests { - tt := tt // Re-initializing variable so it is not changed while executing the closure below + tt := tt t.Run(tt.name, func(t *testing.T) { t.Parallel() - findings, s, err := Run(tt.raw) - if !cmp.Equal(tt.err, err, cmpopts.EquateErrors()) { - t.Errorf("mismatch (-want +got):\n%s", cmp.Diff(tt.err, err, cmpopts.EquateErrors())) - } if err != nil { - return + t.Fatalf("expected no error: %v", err) } if diff := cmp.Diff(Probe, s); diff != "" { t.Errorf("mismatch (-want +got):\n%s", diff) } - test.AssertOutcomes(t, findings, tt.outcomes) + assertTools(t, findings, tt.tools) }) } } + +func assertTools(tb testing.TB, findings []finding.Finding, tools []string) { + tb.Helper() + if len(findings) != len(tools) { + tb.Fatalf("mismatch between number of finding (%d) and tools (%d)", len(findings), len(tools)) + } + for i, f := range findings { + if f.Outcome != finding.OutcomePositive { + tb.Errorf("outcome (%v) shouldn't have a tool field", f.Outcome) + } + tool, ok := f.Values[ToolKey] + if !ok { + tb.Errorf("no tool present") + } + if tool != tools[i] { + tb.Errorf("got: %s, wanted: %s", tool, tools[i]) + } + } +} diff --git a/probes/sastToolPysaInstalled/def.yml b/probes/sastToolPysaInstalled/def.yml deleted file mode 100644 index 57c4bbc2522e..000000000000 --- a/probes/sastToolPysaInstalled/def.yml +++ /dev/null 
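Review bot: In `assertTools`, the failure message `"outcome (%v) shouldn't have a tool field"` does not describe the check that fails (a non-positive outcome), and after `tb.Errorf("no tool present")` the loop goes on to compare the empty `tool` against `tools[i]`, reporting a second, misleading mismatch for the same finding. Including the index and the expected value also makes a failure actionable, which is the stated motivation of this change.
```go
	for i, f := range findings {
		if f.Outcome != finding.OutcomePositive {
			tb.Errorf("finding %d: outcome %v, want %v", i, f.Outcome, finding.OutcomePositive)
		}
		tool, ok := f.Values[ToolKey]
		if !ok {
			tb.Errorf("finding %d: no %q value present", i, ToolKey)
			continue
		}
		if tool != tools[i] {
			tb.Errorf("finding %d: got tool %q, want %q", i, tool, tools[i])
		}
	}
```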
@@ -1,35 +0,0 @@ -# Copyright 2023 OpenSSF Scorecard Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -id: sastToolPysaInstalled -short: Check that the project uses the Pysa github action -motivation: > - SAST is testing run on source code before the application is run. Using SAST tools can prevent known classes of bugs from being inadvertently introduced in the codebase. -implementation: > - The implementation checks whether the project invokes the facebook/pysa-action action. -outcome: - - If the project uses the facebook/pysa-action action, the probe returns one finding with OutcomePositive (1). - - If the project does not use the facebook/pysa-action action, the probe returns one finding with OutcomeNegative (0). -remediation: - effort: Medium - text: - - Follow the steps in https://github.com/facebook/pysa-action - markdown: - - Follow the steps in https://github.com/facebook/pysa-action -ecosystem: - languages: - - python - clients: - - github - - gitlab \ No newline at end of file diff --git a/probes/sastToolPysaInstalled/impl.go b/probes/sastToolPysaInstalled/impl.go deleted file mode 100644 index f79c018e6c82..000000000000 --- a/probes/sastToolPysaInstalled/impl.go +++ /dev/null 
@@ -1,60 +0,0 @@ -// Copyright 2023 OpenSSF Scorecard Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -//nolint:stylecheck -package sastToolPysaInstalled - -import ( - "embed" - "fmt" - - "github.com/ossf/scorecard/v4/checker" - "github.com/ossf/scorecard/v4/finding" - "github.com/ossf/scorecard/v4/probes/internal/utils/uerror" -) - -//go:embed *.yml -var fs embed.FS - -const Probe = "sastToolPysaInstalled" - -func Run(raw *checker.RawResults) ([]finding.Finding, string, error) { - if raw == nil { - return nil, "", fmt.Errorf("%w: raw", uerror.ErrNil) - } - - r := raw.SASTResults - - for _, wf := range r.Workflows { - if wf.Type == checker.PysaWorkflow { - f, err := finding.NewWith(fs, Probe, - "SAST tool installed: Pysa", nil, - finding.OutcomePositive) - if err != nil { - return nil, Probe, fmt.Errorf("create finding: %w", err) - } - f = f.WithLocation(&finding.Location{ - Path: wf.File.Path, - }) - return []finding.Finding{*f}, Probe, nil - } - } - f, err := finding.NewWith(fs, Probe, - "Pysa tool not installed", nil, - finding.OutcomeNegative) - if err != nil { - return nil, Probe, fmt.Errorf("create finding: %w", err) - } - return []finding.Finding{*f}, Probe, nil -} diff --git a/probes/sastToolPysaInstalled/impl_test.go b/probes/sastToolPysaInstalled/impl_test.go deleted file mode 100644 index dffe8930a425..000000000000 --- a/probes/sastToolPysaInstalled/impl_test.go +++ /dev/null 
@@ -1,104 +0,0 @@ -// Copyright 2023 OpenSSF Scorecard Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -//nolint:stylecheck -package sastToolPysaInstalled - -import ( - "testing" - - "github.com/google/go-cmp/cmp" - "github.com/google/go-cmp/cmp/cmpopts" - - "github.com/ossf/scorecard/v4/checker" - "github.com/ossf/scorecard/v4/finding" - "github.com/ossf/scorecard/v4/probes/internal/utils/test" -) - -func Test_Run(t *testing.T) { - t.Parallel() - //nolint:govet - tests := []struct { - name string - raw *checker.RawResults - outcomes []finding.Outcome - err error - }{ - { - name: "pysa present", - err: nil, - raw: &checker.RawResults{ - SASTResults: checker.SASTData{ - Workflows: []checker.SASTWorkflow{ - { - Type: checker.CodeQLWorkflow, - }, - { - Type: checker.SnykWorkflow, - }, - { - Type: checker.SonarWorkflow, - }, - { - Type: checker.PysaWorkflow, - }, - }, - }, - }, - outcomes: []finding.Outcome{ - finding.OutcomePositive, - }, - }, - { - name: "pysa not present", - err: nil, - raw: &checker.RawResults{ - SASTResults: checker.SASTData{ - Workflows: []checker.SASTWorkflow{ - { - Type: checker.SonarWorkflow, - }, - { - Type: checker.CodeQLWorkflow, - }, - { - Type: checker.SnykWorkflow, - }, - }, - }, - }, - outcomes: []finding.Outcome{ - finding.OutcomeNegative, - }, - }, - } - for _, tt := range tests { - tt := tt // Re-initializing variable so it is not changed while executing the closure below - t.Run(tt.name, func(t *testing.T) { - 
t.Parallel() - - findings, s, err := Run(tt.raw) - if !cmp.Equal(tt.err, err, cmpopts.EquateErrors()) { - t.Errorf("mismatch (-want +got):\n%s", cmp.Diff(tt.err, err, cmpopts.EquateErrors())) - } - if err != nil { - return - } - if diff := cmp.Diff(Probe, s); diff != "" { - t.Errorf("mismatch (-want +got):\n%s", diff) - } - test.AssertOutcomes(t, findings, tt.outcomes) - }) - } -} diff --git a/probes/sastToolQodanaInstalled/def.yml b/probes/sastToolQodanaInstalled/def.yml deleted file mode 100644 index 78e67cfa6368..000000000000 --- a/probes/sastToolQodanaInstalled/def.yml +++ /dev/null 
@@ -1,41 +0,0 @@ -# Copyright 2023 OpenSSF Scorecard Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -id: sastToolQodanaInstalled -short: Check that the project uses the Qodana github action -motivation: > - SAST is testing run on source code before the application is run. Using SAST tools can prevent known classes of bugs from being inadvertently introduced in the codebase. -implementation: > - The implementation checks whether the project invokes the JetBrains/qodana-action action. -outcome: - - If the project uses the JetBrains/qodana-action action, the probe returns one finding with OutcomePositive (1). - - If the project does not use the JetBrains/qodana-action action, the probe returns one finding with OutcomeNegative (0). -remediation: - effort: Medium - text: - - Follow the steps in https://github.com/JetBrains/qodana-action - markdown: - - Follow the steps in https://github.com/JetBrains/qodana-action -ecosystem: - languages: - - java - - kotlin - - javascript - - typescript - - c# - - php - - go - clients: - - github - - gitlab \ No newline at end of file diff --git a/probes/sastToolQodanaInstalled/impl.go b/probes/sastToolQodanaInstalled/impl.go deleted file mode 100644 index 1f4fb686713c..000000000000 --- a/probes/sastToolQodanaInstalled/impl.go +++ /dev/null 
@@ -1,60 +0,0 @@ -// Copyright 2023 OpenSSF Scorecard Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -//nolint:stylecheck -package sastToolQodanaInstalled - -import ( - "embed" - "fmt" - - "github.com/ossf/scorecard/v4/checker" - "github.com/ossf/scorecard/v4/finding" - "github.com/ossf/scorecard/v4/probes/internal/utils/uerror" -) - -//go:embed *.yml -var fs embed.FS - -const Probe = "sastToolQodanaInstalled" - -func Run(raw *checker.RawResults) ([]finding.Finding, string, error) { - if raw == nil { - return nil, "", fmt.Errorf("%w: raw", uerror.ErrNil) - } - - r := raw.SASTResults - - for _, wf := range r.Workflows { - if wf.Type == checker.QodanaWorkflow { - f, err := finding.NewWith(fs, Probe, - "SAST tool installed: Qodana", nil, - finding.OutcomePositive) - if err != nil { - return nil, Probe, fmt.Errorf("create finding: %w", err) - } - f = f.WithLocation(&finding.Location{ - Path: wf.File.Path, - }) - return []finding.Finding{*f}, Probe, nil - } - } - f, err := finding.NewWith(fs, Probe, - "Qodana tool not installed", nil, - finding.OutcomeNegative) - if err != nil { - return nil, Probe, fmt.Errorf("create finding: %w", err) - } - return []finding.Finding{*f}, Probe, nil -} diff --git a/probes/sastToolSnykInstalled/impl.go b/probes/sastToolSnykInstalled/impl.go deleted file mode 100644 index dba73332c18e..000000000000 --- a/probes/sastToolSnykInstalled/impl.go +++ /dev/null 
@@ -1,60 +0,0 @@ -// Copyright 2023 OpenSSF Scorecard Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -//nolint:stylecheck -package sastToolSnykInstalled - -import ( - "embed" - "fmt" - - "github.com/ossf/scorecard/v4/checker" - "github.com/ossf/scorecard/v4/finding" - "github.com/ossf/scorecard/v4/probes/internal/utils/uerror" -) - -//go:embed *.yml -var fs embed.FS - -const Probe = "sastToolSnykInstalled" - -func Run(raw *checker.RawResults) ([]finding.Finding, string, error) { - if raw == nil { - return nil, "", fmt.Errorf("%w: raw", uerror.ErrNil) - } - - r := raw.SASTResults - - for _, wf := range r.Workflows { - if wf.Type == checker.SnykWorkflow { - f, err := finding.NewWith(fs, Probe, - "SAST tool installed: Snyk", nil, - finding.OutcomePositive) - if err != nil { - return nil, Probe, fmt.Errorf("create finding: %w", err) - } - f = f.WithLocation(&finding.Location{ - Path: wf.File.Path, - }) - return []finding.Finding{*f}, Probe, nil - } - } - f, err := finding.NewWith(fs, Probe, - "Snyk tool not installed", nil, - finding.OutcomeNegative) - if err != nil { - return nil, Probe, fmt.Errorf("create finding: %w", err) - } - return []finding.Finding{*f}, Probe, nil -} diff --git a/probes/sastToolSnykInstalled/impl_test.go b/probes/sastToolSnykInstalled/impl_test.go deleted file mode 100644 index 78183a233f6e..000000000000 --- a/probes/sastToolSnykInstalled/impl_test.go +++ /dev/null 
@@ -1,98 +0,0 @@ -// Copyright 2023 OpenSSF Scorecard Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -//nolint:stylecheck -package sastToolSnykInstalled - -import ( - "testing" - - "github.com/google/go-cmp/cmp" - "github.com/google/go-cmp/cmp/cmpopts" - - "github.com/ossf/scorecard/v4/checker" - "github.com/ossf/scorecard/v4/finding" - "github.com/ossf/scorecard/v4/probes/internal/utils/test" -) - -func Test_Run(t *testing.T) { - t.Parallel() - //nolint:govet - tests := []struct { - name string - raw *checker.RawResults - outcomes []finding.Outcome - err error - }{ - { - name: "snyk present", - err: nil, - raw: &checker.RawResults{ - SASTResults: checker.SASTData{ - Workflows: []checker.SASTWorkflow{ - { - Type: checker.CodeQLWorkflow, - }, - { - Type: checker.SnykWorkflow, - }, - { - Type: checker.SonarWorkflow, - }, - }, - }, - }, - outcomes: []finding.Outcome{ - finding.OutcomePositive, - }, - }, - { - name: "snyk not present", - err: nil, - raw: &checker.RawResults{ - SASTResults: checker.SASTData{ - Workflows: []checker.SASTWorkflow{ - { - Type: checker.SonarWorkflow, - }, - { - Type: checker.CodeQLWorkflow, - }, - }, - }, - }, - outcomes: []finding.Outcome{ - finding.OutcomeNegative, - }, - }, - } - for _, tt := range tests { - tt := tt // Re-initializing variable so it is not changed while executing the closure below - t.Run(tt.name, func(t *testing.T) { - t.Parallel() - - findings, s, err := Run(tt.raw) - if !cmp.Equal(tt.err, err, 
cmpopts.EquateErrors()) { - t.Errorf("mismatch (-want +got):\n%s", cmp.Diff(tt.err, err, cmpopts.EquateErrors())) - } - if err != nil { - return - } - if diff := cmp.Diff(Probe, s); diff != "" { - t.Errorf("mismatch (-want +got):\n%s", diff) - } - test.AssertOutcomes(t, findings, tt.outcomes) - }) - } -} diff --git a/probes/sastToolSonarInstalled/def.yml b/probes/sastToolSonarInstalled/def.yml deleted file mode 100644 index 3c6d9012a1b3..000000000000 --- a/probes/sastToolSonarInstalled/def.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -# Copyright 2023 OpenSSF Scorecard Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -id: sastToolSonarInstalled -short: Check that the project uses Sonar. -motivation: > - SAST is testing run on source code before the application is run. Using SAST tools can prevent known classes of bugs from being inadvertently introduced in the codebase. -implementation: > - The implementation checks the projects pom.xml for use of Sonar. -outcome: - - If the project uses Sonar, the probe returns one finding with OutcomePositive (1). - - If the project does not the Sonar, the probe returns one finding with OutcomeNegative (0). -remediation: - effort: Medium - text: - - Follow the steps in https://docs.sonarsource.com/sonarqube/latest/setup-and-upgrade/overview/ to integrate Sonar into your project. - markdown: - - Follow the steps in https://docs.sonarsource.com/sonarqube/latest/setup-and-upgrade/overview/ to integrate CodeQL into your project. -ecosystem: - languages: - - c - - c++ - - c# - - go - - java - - kotlin - - javascript - - objectivec - - php - - python - - ruby - - scala - - swift - - typescript - clients: - - github - - gitlab \ No newline at end of file diff --git a/probes/sastToolSonarInstalled/impl_test.go b/probes/sastToolSonarInstalled/impl_test.go deleted file mode 100644 index 166b49d8b549..000000000000 --- a/probes/sastToolSonarInstalled/impl_test.go +++ /dev/null 
@@ -1,92 +0,0 @@ -// Copyright 2023 OpenSSF Scorecard Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -//nolint:stylecheck -package sastToolSonarInstalled - -import ( - "testing" - - "github.com/google/go-cmp/cmp" - "github.com/google/go-cmp/cmp/cmpopts" - - "github.com/ossf/scorecard/v4/checker" - "github.com/ossf/scorecard/v4/finding" - "github.com/ossf/scorecard/v4/probes/internal/utils/test" -) - -func Test_Run(t *testing.T) { - t.Parallel() - //nolint:govet - tests := []struct { - name string - raw *checker.RawResults - outcomes []finding.Outcome - err error - }{ - { - name: "sonar present", - err: nil, - raw: &checker.RawResults{ - SASTResults: checker.SASTData{ - Workflows: []checker.SASTWorkflow{ - { - Type: checker.CodeQLWorkflow, - }, - { - Type: checker.SonarWorkflow, - }, - }, - }, - }, - outcomes: []finding.Outcome{ - finding.OutcomePositive, - }, - }, - { - name: "sonar not present", - err: nil, - raw: &checker.RawResults{ - SASTResults: checker.SASTData{ - Workflows: []checker.SASTWorkflow{ - { - Type: checker.CodeQLWorkflow, - }, - }, - }, - }, - outcomes: []finding.Outcome{ - finding.OutcomeNegative, - }, - }, - } - for _, tt := range tests { - tt := tt // Re-initializing variable so it is not changed while executing the closure below - t.Run(tt.name, func(t *testing.T) { - t.Parallel() - - findings, s, err := Run(tt.raw) - if !cmp.Equal(tt.err, err, cmpopts.EquateErrors()) { - t.Errorf("mismatch (-want +got):\n%s", 
cmp.Diff(tt.err, err, cmpopts.EquateErrors())) - } - if err != nil { - return - } - if diff := cmp.Diff(Probe, s); diff != "" { - t.Errorf("mismatch (-want +got):\n%s", diff) - } - test.AssertOutcomes(t, findings, tt.outcomes) - }) - } -} From 54690b41ae065b634a2d002007e3f95547c2deab Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 16 Feb 2024 10:55:38 -0800 Subject: [PATCH 2/2] :seedling: Bump github.com/golangci/golangci-lint in /tools (#3878) Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.56.1 to 1.56.2. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](https://github.com/golangci/golangci-lint/compare/v1.56.1...v1.56.2) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/go.mod | 26 ++++++++++++------------- tools/go.sum | 55 ++++++++++++++++++++++++++-------------------------- 2 files changed, 41 insertions(+), 40 deletions(-) diff --git a/tools/go.mod b/tools/go.mod index 330df5ad9b78..5f5a0c93f571 100644 --- a/tools/go.mod +++ b/tools/go.mod @@ -4,7 +4,7 @@ go 1.22 require ( github.com/golang/mock v1.6.0 - github.com/golangci/golangci-lint v1.56.1 + github.com/golangci/golangci-lint v1.56.2 github.com/google/addlicense v1.1.1 github.com/google/ko v0.15.1 github.com/goreleaser/goreleaser v1.24.0 
@@ -28,7 +28,7 @@ require ( github.com/AlekSi/pointer v1.2.0 // indirect github.com/Antonboom/errname v0.1.12 // indirect github.com/Antonboom/nilnil v0.1.7 // indirect - github.com/Antonboom/testifylint v1.1.1 // indirect + github.com/Antonboom/testifylint v1.1.2 // indirect github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0 // indirect @@ -96,7 +96,7 @@ require ( github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb // indirect github.com/blizzy78/varnamelen v0.8.0 // indirect github.com/bmatcuk/doublestar/v4 v4.2.0 // indirect - github.com/bombsimon/wsl/v4 v4.2.0 // indirect + github.com/bombsimon/wsl/v4 v4.2.1 // indirect github.com/breml/bidichk v0.2.7 // indirect github.com/breml/errchkjson v0.3.6 // indirect github.com/buger/jsonparser v1.1.1 // indirect @@ -110,7 +110,7 @@ require ( github.com/caarlos0/log v0.4.4 // indirect github.com/catenacyber/perfsprint v0.6.0 // indirect github.com/cavaliergopher/cpio v1.0.1 // indirect - github.com/ccojocar/zxcvbn-go v1.0.1 // indirect + github.com/ccojocar/zxcvbn-go v1.0.2 // indirect github.com/cenkalti/backoff/v4 v4.2.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect github.com/charithe/durationcheck v0.0.10 // indirect @@ -150,7 +150,7 @@ require ( github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/fzipp/gocyclo v0.6.0 // indirect github.com/ghostiam/protogetter v0.3.4 // indirect - github.com/go-critic/go-critic v0.11.0 // indirect + github.com/go-critic/go-critic v0.11.1 // indirect github.com/go-fed/httpsig v1.1.0 // indirect github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect github.com/go-git/go-billy/v5 v5.5.0 // indirect 
@@ -170,7 +170,7 @@ require ( github.com/go-telegram-bot-api/telegram-bot-api v4.6.4+incompatible // indirect github.com/go-toolsmith/astcast v1.1.0 // indirect github.com/go-toolsmith/astcopy v1.1.0 // indirect - github.com/go-toolsmith/astequal v1.1.0 // indirect + github.com/go-toolsmith/astequal v1.2.0 // indirect github.com/go-toolsmith/astfmt v1.1.0 // indirect github.com/go-toolsmith/astp v1.1.0 // indirect github.com/go-toolsmith/strparse v1.1.0 // indirect @@ -304,9 +304,9 @@ require ( github.com/sagikazarmark/slog-shim v0.1.0 // indirect github.com/sanposhiho/wastedassign/v2 v2.0.7 // indirect github.com/sashamelentyev/interfacebloat v1.1.0 // indirect - github.com/sashamelentyev/usestdlibvars v1.24.0 // indirect + github.com/sashamelentyev/usestdlibvars v1.25.0 // indirect github.com/secure-systems-lab/go-securesystemslib v0.7.0 // indirect - github.com/securego/gosec/v2 v2.18.2 // indirect + github.com/securego/gosec/v2 v2.19.0 // indirect github.com/sergi/go-diff v1.2.0 // indirect github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c // indirect github.com/shopspring/decimal v1.2.0 // indirect 
@@ -365,18 +365,18 @@ require ( go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.26.0 // indirect gocloud.dev v0.36.0 // indirect - golang.org/x/crypto v0.18.0 // indirect + golang.org/x/crypto v0.19.0 // indirect golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc // indirect golang.org/x/exp/typeparams v0.0.0-20231219180239-dc181d75b848 // indirect golang.org/x/mod v0.15.0 // indirect - golang.org/x/net v0.20.0 // indirect + golang.org/x/net v0.21.0 // indirect golang.org/x/oauth2 v0.16.0 // indirect golang.org/x/sync v0.6.0 // indirect - golang.org/x/sys v0.16.0 // indirect - golang.org/x/term v0.16.0 // indirect + golang.org/x/sys v0.17.0 // indirect + golang.org/x/term v0.17.0 // indirect golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.5.0 // indirect - golang.org/x/tools v0.17.0 // indirect + golang.org/x/tools v0.18.0 // indirect golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect google.golang.org/api v0.152.0 // indirect google.golang.org/appengine v1.6.8 // indirect diff --git a/tools/go.sum b/tools/go.sum index 3ee22c68dff2..32f5c78f0b31 100644 --- a/tools/go.sum +++ b/tools/go.sum 
@@ -61,8 +61,8 @@ github.com/Antonboom/errname v0.1.12 h1:oh9ak2zUtsLp5oaEd/erjB4GPu9w19NyoIskZClD github.com/Antonboom/errname v0.1.12/go.mod h1:bK7todrzvlaZoQagP1orKzWXv59X/x0W0Io2XT1Ssro= github.com/Antonboom/nilnil v0.1.7 h1:ofgL+BA7vlA1K2wNQOsHzLJ2Pw5B5DpWRLdDAVvvTow= github.com/Antonboom/nilnil v0.1.7/go.mod h1:TP+ScQWVEq0eSIxqU8CbdT5DFWoHp0MbP+KMUO1BKYQ= -github.com/Antonboom/testifylint v1.1.1 h1:xCxYDNOBLImTKjBKPGtx1cHkTSywDAn76mYHTwH5lG8= -github.com/Antonboom/testifylint v1.1.1/go.mod h1:9PFi+vWa8zzl4/B/kqmFJcw85ZUv8ReyBzuQCd30+WI= +github.com/Antonboom/testifylint v1.1.2 h1:IdLRermiLRogxY5AumBL4sP0A+qKHQM/AP1Xd7XOTKc= +github.com/Antonboom/testifylint v1.1.2/go.mod h1:9PFi+vWa8zzl4/B/kqmFJcw85ZUv8ReyBzuQCd30+WI= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.0 h1:fb8kj/Dh4CSwgsOzHeZY4Xh68cFVbzXx+ONXGMY//4w= 
@@ -242,8 +242,8 @@ github.com/blizzy78/varnamelen v0.8.0/go.mod h1:V9TzQZ4fLJ1DSrjVDfl89H7aMnTvKkAp github.com/bmatcuk/doublestar/v4 v4.0.2/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= github.com/bmatcuk/doublestar/v4 v4.2.0 h1:Qu+u9wR3Vd89LnlLMHvnZ5coJMWKQamqdz9/p5GNthA= github.com/bmatcuk/doublestar/v4 v4.2.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= -github.com/bombsimon/wsl/v4 v4.2.0 h1:dKK3o/Hk2aIt6t72CWg02ham2P5lnH9MBSW6cTU9xxU= -github.com/bombsimon/wsl/v4 v4.2.0/go.mod h1:1zaTbf/7ywOQtMdoUdTF2X1fbbBLiBUkajyuFAanT28= +github.com/bombsimon/wsl/v4 v4.2.1 h1:Cxg6u+XDWff75SIFFmNsqnIOgob+Q9hG6y/ioKbRFiM= +github.com/bombsimon/wsl/v4 v4.2.1/go.mod h1:Xu/kDxGZTofQcDGCtQe9KCzhHphIe0fDuyWTxER9Feo= github.com/breml/bidichk v0.2.7 h1:dAkKQPLl/Qrk7hnP6P+E0xOodrq8Us7+U0o4UBOAlQY= github.com/breml/bidichk v0.2.7/go.mod h1:YodjipAGI9fGcYM7II6wFvGhdMYsC5pHDlGzqvEW3tQ= github.com/breml/errchkjson v0.3.6 h1:VLhVkqSBH96AvXEyclMR37rZslRrY2kcyq+31HCsVrA= 
@@ -275,8 +275,8 @@ github.com/catenacyber/perfsprint v0.6.0 h1:VSv95RRkk5+BxrU/YTPcnxuMEWar1iMK5Vyh github.com/catenacyber/perfsprint v0.6.0/go.mod h1:/wclWYompEyjUD2FuIIDVKNkqz7IgBIWXIH3V0Zol50= github.com/cavaliergopher/cpio v1.0.1 h1:KQFSeKmZhv0cr+kawA3a0xTQCU4QxXF1vhU7P7av2KM= github.com/cavaliergopher/cpio v1.0.1/go.mod h1:pBdaqQjnvXxdS/6CvNDwIANIFSP0xRKI16PX4xejRQc= -github.com/ccojocar/zxcvbn-go v1.0.1 h1:+sxrANSCj6CdadkcMnvde/GWU1vZiiXRbqYSCalV4/4= -github.com/ccojocar/zxcvbn-go v1.0.1/go.mod h1:g1qkXtUSvHP8lhHp5GrSmTz6uWALGRMQdw6Qnz/hi60= +github.com/ccojocar/zxcvbn-go v1.0.2 h1:na/czXU8RrhXO4EZme6eQJLR4PzcGsahsBOAwU6I3Vg= +github.com/ccojocar/zxcvbn-go v1.0.2/go.mod h1:g1qkXtUSvHP8lhHp5GrSmTz6uWALGRMQdw6Qnz/hi60= github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 
@@ -390,8 +390,8 @@ github.com/ghostiam/protogetter v0.3.4 h1:5SZ+lZSNmNkSbGVSF9hUHhv/b7ELF9Rwchoq7b github.com/ghostiam/protogetter v0.3.4/go.mod h1:A0JgIhs0fgVnotGinjQiKaFVG3waItLJNwPmcMzDnvk= github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY= github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4= -github.com/go-critic/go-critic v0.11.0 h1:mARtIFX7jPtJ3SzxO9Isa5T2jd2dZxFmQHK3yNf0wrE= -github.com/go-critic/go-critic v0.11.0/go.mod h1:Cz6lr1PlkIu/0Y0U9KqJgcIJJECAF8mEwmzVjKnhbfI= +github.com/go-critic/go-critic v0.11.1 h1:/zBseUSUMytnRqxjlsYNbDDxpu3R2yH8oLXo/FOE8b8= +github.com/go-critic/go-critic v0.11.1/go.mod h1:aZVQR7+gazH6aDEQx4356SD7d8ez8MipYjXbEl5JAKA= github.com/go-fed/httpsig v1.1.0 h1:9M+hb0jkEICD8/cAiNqEB66R87tTINszBRTjwjQzWcI= github.com/go-fed/httpsig v1.1.0/go.mod h1:RCMrTZvN1bJYtofsG4rd5NaO5obxQ5xBkdiS7xsT7bM= github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI= 
@@ -467,8 +467,9 @@ github.com/go-toolsmith/astcast v1.1.0/go.mod h1:qdcuFWeGGS2xX5bLM/c3U9lewg7+Zu4 github.com/go-toolsmith/astcopy v1.1.0 h1:YGwBN0WM+ekI/6SS6+52zLDEf8Yvp3n2seZITCUBt5s= github.com/go-toolsmith/astcopy v1.1.0/go.mod h1:hXM6gan18VA1T/daUEHCFcYiW8Ai1tIwIzHY6srfEAw= github.com/go-toolsmith/astequal v1.0.3/go.mod h1:9Ai4UglvtR+4up+bAD4+hCj7iTo4m/OXVTSLnCyTAx4= -github.com/go-toolsmith/astequal v1.1.0 h1:kHKm1AWqClYn15R0K1KKE4RG614D46n+nqUQ06E1dTw= github.com/go-toolsmith/astequal v1.1.0/go.mod h1:sedf7VIdCL22LD8qIvv7Nn9MuWJruQA/ysswh64lffQ= +github.com/go-toolsmith/astequal v1.2.0 h1:3Fs3CYZ1k9Vo4FzFhwwewC3CHISHDnVUPC4x0bI2+Cw= +github.com/go-toolsmith/astequal v1.2.0/go.mod h1:c8NZ3+kSFtFY/8lPso4v8LuJjdJiUFVnSuU3s0qrrDY= github.com/go-toolsmith/astfmt v1.1.0 h1:iJVPDPp6/7AaeLJEruMsBUlOYCmvg0MoCfJprsOmcco= github.com/go-toolsmith/astfmt v1.1.0/go.mod h1:OrcLlRwu0CuiIBp/8b5PYF9ktGVZUjlNMV634mhwuQ4= github.com/go-toolsmith/astp v1.1.0 h1:dXPuCl6u2llURjdPLLDxJeZInAeZ0/eZwFJmqZMnpQA= 
@@ -563,8 +564,8 @@ github.com/golangci/go-misc v0.0.0-20220329215616-d24fe342adfe h1:6RGUuS7EGotKx6 github.com/golangci/go-misc v0.0.0-20220329215616-d24fe342adfe/go.mod h1:gjqyPShc/m8pEMpk0a3SeagVb0kaqvhscv+i9jI5ZhQ= github.com/golangci/gofmt v0.0.0-20231018234816-f50ced29576e h1:ULcKCDV1LOZPFxGZaA6TlQbiM3J2GCPnkx/bGF6sX/g= github.com/golangci/gofmt v0.0.0-20231018234816-f50ced29576e/go.mod h1:Pm5KhLPA8gSnQwrQ6ukebRcapGb/BG9iUkdaiCcGHJM= -github.com/golangci/golangci-lint v1.56.1 h1:vR6rJpjE1w6pRp2EkVeCAbISyUIl6c7OO/hrEtGK1yo= -github.com/golangci/golangci-lint v1.56.1/go.mod h1:sOHqnOxdEZ0u9JYrDuofOaIyO0jRgT8Y6nWfzuoSv0Y= +github.com/golangci/golangci-lint v1.56.2 h1:dgQzlWHgNbCqJjuxRJhFEnHDVrrjuTGQHJ3RIZMpp/o= +github.com/golangci/golangci-lint v1.56.2/go.mod h1:7CfNO675+EY7j84jihO4iAqDQ80s3HCjcc5M6B7SlZQ= github.com/golangci/lint-1 v0.0.0-20191013205115-297bf364a8e0 h1:MfyDlzVjl1hoaPzPD4Gpb/QgoRfSBR0jdhwGyAWwMSA= github.com/golangci/lint-1 v0.0.0-20191013205115-297bf364a8e0/go.mod h1:66R6K6P6VWk9I95jvqGxkqJxVWGFy9XlDwLwVz1RCFg= github.com/golangci/maligned v0.0.0-20180506175553-b1d89398deca h1:kNY3/svz5T29MYHubXix4aDDuE3RWHkPvopM/EDv/MA= 
@@ -896,8 +897,8 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= -github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= -github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/onsi/gomega v1.31.1 h1:KYppCUK+bUgAZwHOu7EXVBKyQA6ILvOESHkn/tgoqvo= +github.com/onsi/gomega v1.31.1/go.mod h1:y40C95dwAD1Nz36SsEnxvfFe8FFfNxzI5eJ0EYGyAy0= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI= 
@@ -991,12 +992,12 @@ github.com/sanposhiho/wastedassign/v2 v2.0.7 h1:J+6nrY4VW+gC9xFzUc+XjPD3g3wF3je/ github.com/sanposhiho/wastedassign/v2 v2.0.7/go.mod h1:KyZ0MWTwxxBmfwn33zh3k1dmsbF2ud9pAAGfoLfjhtI= github.com/sashamelentyev/interfacebloat v1.1.0 h1:xdRdJp0irL086OyW1H/RTZTr1h/tMEOsumirXcOJqAw= github.com/sashamelentyev/interfacebloat v1.1.0/go.mod h1:+Y9yU5YdTkrNvoX0xHc84dxiN1iBi9+G8zZIhPVoNjQ= -github.com/sashamelentyev/usestdlibvars v1.24.0 h1:MKNzmXtGh5N0y74Z/CIaJh4GlB364l0K1RUT08WSWAc= -github.com/sashamelentyev/usestdlibvars v1.24.0/go.mod h1:9cYkq+gYJ+a5W2RPdhfaSCnTVUC1OQP/bSiiBhq3OZE= +github.com/sashamelentyev/usestdlibvars v1.25.0 h1:IK8SI2QyFzy/2OD2PYnhy84dpfNo9qADrRt6LH8vSzU= +github.com/sashamelentyev/usestdlibvars v1.25.0/go.mod h1:9nl0jgOfHKWNFS43Ojw0i7aRoS4j6EBye3YBhmAIRF8= github.com/secure-systems-lab/go-securesystemslib v0.7.0 h1:OwvJ5jQf9LnIAS83waAjPbcMsODrTQUpJ02eNLUoxBg= github.com/secure-systems-lab/go-securesystemslib v0.7.0/go.mod h1:/2gYnlnHVQ6xeGtfIqFy7Do03K4cdCY0A/GlJLDKLHI= -github.com/securego/gosec/v2 v2.18.2 h1:DkDt3wCiOtAHf1XkiXZBhQ6m6mK/b9T/wD257R3/c+I= -github.com/securego/gosec/v2 v2.18.2/go.mod h1:xUuqSF6i0So56Y2wwohWAmB07EdBkUN6crbLlHwbyJs= +github.com/securego/gosec/v2 v2.19.0 h1:gl5xMkOI0/E6Hxx0XCY2XujA3V7SNSefA8sC+3f1gnk= +github.com/securego/gosec/v2 v2.19.0/go.mod h1:hOkDcHz9J/XIgIlPDXalxjeVYsHxoWUc5zJSHxcB8YM= github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ= github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c h1:W65qqJCIOVP4jpqPQ0YvHYKwcMEMVWIzWC5iNQQfBTU= 
@@ -1201,8 +1202,8 @@ golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2Uz
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
-golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
-golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
+golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1296,8 +1297,8 @@ golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
-golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
+golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1391,8 +1392,8 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
-golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -1402,8 +1403,8 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
-golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE=
-golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
+golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1495,8 +1496,8 @@ golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA=
 golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k=
 golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
-golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
+golang.org/x/tools v0.18.0 h1:k8NLag8AGHnn+PHbl7g43CtqZAwG60vZkLqgyZgIHgQ=
+golang.org/x/tools v0.18.0/go.mod h1:GL7B4CwcLLeo59yx/9UWWuNOW1n3VZ4f5axWfML7Lcg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=