diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index c92b3a6f03a..94fed5cb9c6 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -50,7 +50,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + uses: step-security/harden-runner@9b0655f430fba8c7001d4e38f8d4306db5c6e0ab # v1 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 52c96ff9f11..443b3d93fca 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -29,13 +29,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: # In order: # * Module download cache 
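Review bot: The new `Harden Runner` step added to docker.yml pins `step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4`, which is exactly the SHA the codeql-analysis.yml hunk in the same commit moves away from in favour of `9b0655f430fba8c7001d4e38f8d4306db5c6e0ab`; both carry the comment `# v1`, so the repository now runs two different builds of the same action under one version label. Pinning every workflow to the same SHA keeps a single line for Dependabot/Renovate to bump and a single build to audit; the docker.yml step should read `uses: step-security/harden-runner@9b0655f430fba8c7001d4e38f8d4306db5c6e0ab # v1` (and likewise in the other workflows in this commit). The `#v2.1.7` comment on the updated `actions/cache` line also lacks the space the other pins use, which matters if the version comment is parsed by update tooling.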
@@ -66,13 +71,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: # In order: # * Module download cache @@ -103,13 +113,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: # In order: # * Module download cache 
@@ -140,13 +155,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: # In order: # * Module download cache @@ -177,13 +197,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: # In order: # * Module download cache 
@@ -214,13 +239,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: # In order: # * Module download cache @@ -251,13 +281,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: # In order: # * Module download cache diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml index f8b6f5f0175..22353936dea 100644 --- a/.github/workflows/goreleaser.yaml +++ b/.github/workflows/goreleaser.yaml @@ -25,6 +25,11 @@ jobs: permissions: contents: write steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Checkout uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v2.3.4 
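Review bot: In goreleaser.yaml the hardened runner is added in `egress-policy: audit` mode to the one job in this commit that runs with `permissions: contents: write`, so the step only logs outbound connections and blocks nothing on the job whose token could push a tampered release. This is the job where the TODO should be resolved first: once an audit run has produced the endpoint list, switch to `egress-policy: block` with an explicit `allowed-endpoints:` list (github.com, the Go module proxy/sumdb and the registry the release pushes to, as observed in the audit output). The job's remaining steps are outside the hunk, so the exact endpoint set is not visible here.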
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 63512c2971a..3337daadf31 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -24,6 +24,11 @@ jobs: approve: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: approve run: echo For security reasons, all pull requests need to be approved before running integration tests. @@ -32,6 +37,11 @@ jobs: environment: integration-test needs: [approve] steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: pull_request actions/checkout uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v2.3.4 with: @@ -44,7 +54,7 @@ jobs: - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: # In order: # * Module download cache @@ -81,7 +91,7 @@ jobs: verbose: true - name: find comment - uses: peter-evans/find-comment@d2dae40ed151c634e4189471272b57e76ec19ba8 # v1.2.0 + uses: peter-evans/find-comment@1769778a0c5bd330272d749d12c036d65e70d39d # v1.2.0 id: fc with: issue-number: ${{ github.event.pull_request.number || github.event.client_payload.pull_request.number }} 
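Review bot: The integration job that receives the new `Harden Runner` step runs under `environment: integration-test` and its next step is named `pull_request actions/checkout`, which suggests it checks out pull-request code before environment secrets are used (the `ref`/`repository` inputs are outside the hunk, so this is inferred). Audit mode does not stop code from that checkout from exfiltrating those secrets; it only records the destination after the fact, so this job should move to `egress-policy: block` with an `allowed-endpoints:` list ahead of the others. The step on the `approve` job, which only runs an `echo`, adds a monitoring agent to a job that makes no network calls and could be dropped.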
@@ -89,7 +99,7 @@ jobs: body-includes: Integration tests ran for - name: create or update comment - uses: peter-evans/create-or-update-comment@a35cf36e5301d70b76f316e867e7788a55a31dae # v1.4.5 + uses: peter-evans/create-or-update-comment@c9fcb64660bc90ec1cc535646af190c992007c32 # v1.4.5 with: issue-number: ${{ github.event.pull_request.number || github.event.client_payload.pull_request.number }} comment-id: ${{ steps.fc.outputs.comment-id }} diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c5c0625f5db..1c173f95ff2 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -27,9 +27,14 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: path: | ~/go/pkg/mod @@ -60,13 +65,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: path: | ~/go/pkg/mod 
@@ -95,13 +105,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: path: | ~/go/pkg/mod @@ -129,13 +144,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: path: | ~/go/pkg/mod @@ -164,13 +184,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: path: | ~/go/pkg/mod 
@@ -199,13 +224,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: path: | ~/go/pkg/mod @@ -234,13 +264,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: path: | ~/go/pkg/mod @@ -269,13 +304,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: path: | ~/go/pkg/mod 
@@ -304,13 +344,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: path: | ~/go/pkg/mod @@ -339,13 +384,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: path: | ~/go/pkg/mod @@ -374,13 +424,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: path: | ~/go/pkg/mod 
@@ -409,13 +464,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: path: | ~/go/pkg/mod @@ -444,13 +504,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: path: | ~/go/pkg/mod @@ -479,13 +544,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: path: | ~/go/pkg/mod 
@@ -514,13 +584,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: path: | ~/go/pkg/mod @@ -548,13 +623,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Install Protoc uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2 with: version: 3.17.3 - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: path: | ~/go/pkg/mod @@ -582,9 +662,14 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: path: | ~/go/pkg/mod 
@@ -612,9 +697,14 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: path: | ~/go/pkg/mod @@ -642,9 +732,14 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed #v2.1.7 + uses: actions/cache@4b0cf6cc4619e737324ddfcec08fff2413359514 #v2.1.7 with: path: | ~/go/pkg/mod @@ -672,6 +767,11 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v2.3.4 - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 with: diff --git a/.github/workflows/ok-to-test.yml b/.github/workflows/ok-to-test.yml index 35344b5b344..ae24dc78e8a 100644 --- a/.github/workflows/ok-to-test.yml +++ b/.github/workflows/ok-to-test.yml 
@@ -26,8 +26,13 @@ jobs: # Only run for PRs, not issue comments if: ${{ github.event.issue.pull_request }} steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Slash Command Dispatch - uses: peter-evans/slash-command-dispatch@40877f718dce0101edfc7aea2b3800cc192f9ed5 # v2.1.3 + uses: peter-evans/slash-command-dispatch@2afb49dbaafaba8005860648bf7fc178637aca0d # v2.1.3 env: TOKEN: ${{ steps.generate_token.outputs.token }} with: diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml index f03ee7e182e..3e340d1167c 100644 --- a/.github/workflows/scorecard-analysis.yml +++ b/.github/workflows/scorecard-analysis.yml @@ -20,6 +20,11 @@ jobs: security-events: write steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: "Checkout code" uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 @@ -39,13 +44,13 @@ jobs: # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts # Optional. - name: "Upload artifact" - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2 with: name: SARIF file path: results.sarif retention-days: 5 - name: "Upload SARIF results" - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@f5d822707ee6e8fb81b04a5c0040b736da22e587 # v1 with: sarif_file: results.sarif diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 2cbcdb72898..5b69d344490 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
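Review bot: The two scorecard-analysis.yml pins converted from tags to SHAs are annotated `# v2` and `# v1` rather than the exact release they resolve to, while the other pins in these workflows use the full patch version (`# v2.3.4`, `# v1.1.2`). Dependabot and Renovate derive the version to compare against from that trailing comment when an action is pinned by SHA, so a bare major-version comment makes future bumps on these two lines unreliable; record the exact release, e.g. `uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1` using whatever tag that SHA actually corresponds to (not verifiable from the diff). The same applies to the `upload-sarif` pin below it.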
@@ -26,6 +26,11 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - uses: actions/stale@3cc123766321e9f15a6676375c154ccffb12a358 # v3.0.18 with: repo-token: ${{ secrets.GITHUB_TOKEN }} @@ -38,4 +43,4 @@ jobs: days-before-pr-stale: '10' days-before-pr-close: '20' days-before-issue-stale: '60' - + diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index 651ca0d8701..864e7c4ef82 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml @@ -25,6 +25,11 @@ jobs: name: Verify PR contents runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Verifier action id: verifier uses: kubernetes-sigs/kubebuilder-release-tools@4777888c377a26956f1831d5b9207eea1fa3bf29 # v0.1.1 diff --git a/.golangci.yml b/.golangci.yml index 48724f7da2f..40631058453 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -3,13 +3,23 @@ run: concurrency: 6 deadline: 5m issues: - new-from-rev: "" include: # revive `package-comments` and `exported` rules. - EXC0012 - EXC0013 - EXC0014 - EXC0015 + # Maximum issues count per one linter. + # Set to 0 to disable. + # Default: 50 + max-issues-per-linter: 0 + # Maximum count of issues with the same text. + # Set to 0 to disable. + # Default: 3 + max-same-issues: 0 + new-from-rev: "" + # Fix found issues (if it's supported by the linter). + fix: true skip-files: - cron/data/request.pb.go # autogenerated linters: diff --git a/Makefile b/Makefile index 9eb947eca15..9fdfd19641a 100644 --- a/Makefile +++ b/Makefile 
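Review bot: Adding `fix: true` to the committed `.golangci.yml` turns every `golangci-lint run -c .golangci.yml` into an auto-fixing run, and findings that golangci-lint fixes in place are not reported, so the CI lint step can pass on a tree that still contains the fixable violations (the Makefile's `check-linter` target invokes exactly that command, per the following hunk). Keep the committed config non-mutating and make fixing an explicit developer action: drop the `fix: true` line and add a Make target such as `golangci-lint run -c .golangci.yml --fix`, with the CI target left as `golangci-lint run -c .golangci.yml`. A comment on the option, `# Do not enable fix in CI: fixed issues are not reported`, would prevent it being re-added.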
@@ -3,7 +3,7 @@ GINKGO := ginkgo GIT_HASH := $(shell git rev-parse HEAD) GIT_VERSION ?= $(shell git describe --tags --always --dirty) SOURCE_DATE_EPOCH=$(shell git log --date=iso8601-strict -1 --pretty=%ct) -GOLANGGCI_LINT := golangci-lint +GOLANGCI_LINT := golangci-lint PROTOC_GEN_GO := protoc-gen-go MOCKGEN := mockgen PROTOC := $(shell which protoc) @@ -58,9 +58,9 @@ update-dependencies: ## Update go dependencies for all modules cd tools go mod tidy && go mod verify -$(GOLANGGCI_LINT): install +$(GOLANGCI_LINT): install check-linter: ## Install and run golang linter -check-linter: $(GOLANGGCI_LINT) +check-linter: $(GOLANGCI_LINT) # Run golangci-lint linter golangci-lint run -c .golangci.yml diff --git a/checker/client.go b/checker/client.go index 6d643a49863..5653e5bccd7 100644 --- a/checker/client.go +++ b/checker/client.go @@ -32,7 +32,8 @@ func GetClients(ctx context.Context, repoURI, localURI string, logger *log.Logge clients.RepoClient, // ossFuzzClient clients.CIIBestPracticesClient, // ciiClient clients.VulnerabilitiesClient, // vulnClient - error) { + error, +) { var githubRepo clients.Repo if localURI != "" { localRepo, errLocal := localdir.MakeLocalDirRepo(localURI) diff --git a/checks/dangerous_workflow.go b/checks/dangerous_workflow.go index bfe83e65a51..f9a0e342137 100644 --- a/checks/dangerous_workflow.go +++ b/checks/dangerous_workflow.go @@ -109,7 +109,8 @@ func DangerousWorkflow(c *checker.CheckRequest) checker.CheckResult { // Check file content. var validateGitHubActionWorkflowPatterns fileparser.DoWhileTrueOnFileContent = func(path string, content []byte, - args ...interface{}) (bool, error) { + args ...interface{}, +) (bool, error) { if !fileparser.IsWorkflowFile(path) { return true, nil } 
@@ -160,7 +161,8 @@ var validateGitHubActionWorkflowPatterns fileparser.DoWhileTrueOnFileContent = f } func validateSecretsInPullRequests(workflow *actionlint.Workflow, path string, - dl checker.DetailLogger, pdata *patternCbData) error { + dl checker.DetailLogger, pdata *patternCbData, +) error { triggers := make(map[triggerName]bool) // We need pull request trigger. @@ -194,7 +196,8 @@ func validateSecretsInPullRequests(workflow *actionlint.Workflow, path string, } func validateUntrustedCodeCheckout(workflow *actionlint.Workflow, path string, - dl checker.DetailLogger, pdata *patternCbData) error { + dl checker.DetailLogger, pdata *patternCbData, +) error { if !usesEventTrigger(workflow, triggerPullRequestTarget) { return nil } @@ -229,7 +232,8 @@ func jobUsesEnvironment(job *actionlint.Job) bool { } func checkJobForUsedSecrets(job *actionlint.Job, triggers map[triggerName]bool, - path string, dl checker.DetailLogger, pdata *patternCbData) error { + path string, dl checker.DetailLogger, pdata *patternCbData, +) error { if job == nil { return nil } @@ -271,7 +275,8 @@ func checkJobForUsedSecrets(job *actionlint.Job, triggers map[triggerName]bool, } func workflowUsesCodeCheckoutAndNoEnvironment(workflow *actionlint.Workflow, - triggers map[triggerName]bool) bool { + triggers map[triggerName]bool, +) bool { if workflow == nil { return false } @@ -318,7 +323,8 @@ func jobUsesCodeCheckout(job *actionlint.Job) (bool, string) { } func checkJobForUntrustedCodeCheckout(job *actionlint.Job, path string, - dl checker.DetailLogger, pdata *patternCbData) error { + dl checker.DetailLogger, pdata *patternCbData, +) error { if job == nil { return nil } 
@@ -359,7 +365,8 @@ func checkJobForUntrustedCodeCheckout(job *actionlint.Job, path string, } func validateScriptInjection(workflow *actionlint.Workflow, path string, - dl checker.DetailLogger, pdata *patternCbData) error { + dl checker.DetailLogger, pdata *patternCbData, +) error { for _, job := range workflow.Jobs { if job == nil { continue @@ -382,7 +389,8 @@ func validateScriptInjection(workflow *actionlint.Workflow, path string, } func checkWorkflowSecretInEnv(workflow *actionlint.Workflow, triggers map[triggerName]bool, - path string, dl checker.DetailLogger, pdata *patternCbData) error { + path string, dl checker.DetailLogger, pdata *patternCbData, +) error { // We need code checkout and not environment rule protection. if !workflowUsesCodeCheckoutAndNoEnvironment(workflow, triggers) { return nil @@ -392,7 +400,8 @@ func checkWorkflowSecretInEnv(workflow *actionlint.Workflow, triggers map[trigge } func checkSecretInEnv(env *actionlint.Env, path string, - dl checker.DetailLogger, pdata *patternCbData) error { + dl checker.DetailLogger, pdata *patternCbData, +) error { if env == nil { return nil } @@ -406,7 +415,8 @@ func checkSecretInEnv(env *actionlint.Env, path string, } func checkSecretInRun(step *actionlint.Step, path string, - dl checker.DetailLogger, pdata *patternCbData) error { + dl checker.DetailLogger, pdata *patternCbData, +) error { if step == nil || step.Exec == nil { return nil } @@ -421,7 +431,8 @@ func checkSecretInRun(step *actionlint.Step, path string, } func checkSecretInActionArgs(step *actionlint.Step, path string, - dl checker.DetailLogger, pdata *patternCbData) error { + dl checker.DetailLogger, pdata *patternCbData, +) error { if step == nil || step.Exec == nil { return nil } 
@@ -442,7 +453,8 @@ func checkSecretInActionArgs(step *actionlint.Step, path string,
 }
 func checkSecretInScript(script string, pos *actionlint.Pos, path string,
- dl checker.DetailLogger, pdata *patternCbData) error {
+ dl checker.DetailLogger, pdata *patternCbData,
+) error {
 for {
 s := strings.Index(script, "${{")
 if s == -1 {
@@ -454,8 +466,13 @@ func checkSecretInScript(script string, pos *actionlint.Pos, path string,
 return sce.WithMessage(sce.ErrScorecardInternal, errInvalidGitHubWorkflow.Error())
 }
+ // Note: The default GitHub token is allowed, as it has
+ // only read permission for `pull_request`.
+ // For `pull_request_event`, we use other signals such as
+ // whether checkout action is used.
 variable := strings.Trim(script[s:s+e+2], " ")
- if strings.Contains(variable, "secrets.") {
+ if !strings.Contains(variable, "secrets.GITHUB_TOKEN") &&
+ strings.Contains(variable, "secrets.") {
 line := fileparser.GetLineNumber(pos)
 dl.Warn(&checker.LogMessage{
 Path: path,
@@ -472,7 +489,8 @@ func checkSecretInScript(script string, pos *actionlint.Pos, path string,
 }
 func checkVariablesInScript(script string, pos *actionlint.Pos, path string,
- dl checker.DetailLogger, pdata *patternCbData) error {
+ dl checker.DetailLogger, pdata *patternCbData,
+) error {
 for {
 s := strings.Index(script, "${{")
 if s == -1 {
@@ -548,7 +566,8 @@ func createResultForDangerousWorkflowPatterns(result patternCbData, err error) c
 }
 func testValidateGitHubActionDangerousWorkflow(pathfn string,
- content []byte, dl checker.DetailLogger) checker.CheckResult {
+ content []byte, dl checker.DetailLogger,
+) checker.CheckResult {
 data := patternCbData{
 workflowPattern: make(map[dangerousResults]bool),
 }
diff --git a/checks/dangerous_workflow_test.go b/checks/dangerous_workflow_test.go
index 065dae30ebc..fc2e018faaf 100644
--- a/checks/dangerous_workflow_test.go
+++ b/checks/dangerous_workflow_test.go
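Review bot: The new exemption in checkSecretInScript is keyed on the whole `${{ … }}` expression, so a single expression that mentions the default token alongside another secret, e.g. `${{ secrets.GITHUB_TOKEN || secrets.DEPLOY_KEY }}`, is now skipped entirely because `strings.Contains(variable, "secrets.GITHUB_TOKEN")` is true, even though `secrets.DEPLOY_KEY` is exactly what the check is meant to flag. Remove the token reference before testing for other secrets: `rest := strings.ReplaceAll(variable, "secrets.GITHUB_TOKEN", "")` and then `if strings.Contains(rest, "secrets.") {`. The added comment also says `pull_request_event`, which is not a trigger; it should read `pull_request_target`, since that is the event for which the read-only-token argument does not hold and the checkout signal is relied on instead. GitHub expression property names are, as far as I recall, matched case-insensitively, so a workflow writing `secrets.github_token` would still be warned on; that is the conservative direction and may be acceptable, but worth a comment. checkSecretInScript begins in the previous hunk and its body continues past this one.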
@@ -241,6 +241,28 @@ func TestGithubDangerousWorkflow(t *testing.T) {
 NumberOfDebug: 0,
 },
 },
+ {
+ name: "default secret in pull request",
+ filename: "./testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-pr.yml",
+ expected: scut.TestReturn{
+ Error: nil,
+ Score: checker.MaxResultConfidence,
+ NumberOfWarn: 0,
+ NumberOfInfo: 0,
+ NumberOfDebug: 0,
+ },
+ },
+ {
+ name: "default secret in pull request target",
+ filename: "./testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-prt.yml",
+ expected: scut.TestReturn{
+ Error: nil,
+ Score: checker.MinResultConfidence,
+ NumberOfWarn: 1,
+ NumberOfInfo: 0,
+ NumberOfDebug: 0,
+ },
+ },
 {
 name: "secret in top env no checkout pull request target",
 filename: "./testdata/.github/workflows/github-workflow-dangerous-pattern-secret-env-no-checkout-prt.yml",
diff --git a/checks/evaluation/binary_artifacts.go b/checks/evaluation/binary_artifacts.go
index d9fd97f8024..dcb9e08ce54 100644
--- a/checks/evaluation/binary_artifacts.go
+++ b/checks/evaluation/binary_artifacts.go
@@ -21,7 +21,8 @@ import (
 // BinaryArtifacts applies the score policy for the Binary-Artifacts check.
 func BinaryArtifacts(name string, dl checker.DetailLogger,
- r *checker.BinaryArtifactData) checker.CheckResult {
+ r *checker.BinaryArtifactData,
+) checker.CheckResult {
 if r == nil {
 e := sce.WithMessage(sce.ErrScorecardInternal, "empty raw data")
 return checker.CreateRuntimeErrorResult(name, e)
diff --git a/checks/evaluation/branch_protection.go b/checks/evaluation/branch_protection.go
index 41a5a48b949..80326bf66c8 100644
--- a/checks/evaluation/branch_protection.go
+++ b/checks/evaluation/branch_protection.go
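Review bot: The two new cases only pin warning counts, and neither one exercises the boundary the exemption actually introduces: an expression that combines the default token with another secret (`${{ secrets.GITHUB_TOKEN || secrets.OTHER }}`), which the new `strings.Contains` exemption would wave through. The `pull_request_target` case expects exactly one warning, but from the table alone it is not possible to tell whether that warning is the untrusted-checkout finding or the token reference, so the test would keep passing if the exemption stopped applying to that trigger; the referenced testdata files are not in this hunk, so this is inferred from the counts. A third case with a mixed expression under `pull_request`, expecting `NumberOfWarn: 1`, would lock the intended behaviour in.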
@@ -49,7 +49,8 @@ type levelScore struct { // BranchProtection runs Branch-Protection check. func BranchProtection(name string, dl checker.DetailLogger, - r *checker.BranchProtectionsData) checker.CheckResult { + r *checker.BranchProtectionsData, +) checker.CheckResult { var scores []levelScore // Check protections on all the branches. diff --git a/checks/evaluation/code_review.go b/checks/evaluation/code_review.go index e21bfb8b4b0..cf46d603af1 100644 --- a/checks/evaluation/code_review.go +++ b/checks/evaluation/code_review.go @@ -30,7 +30,8 @@ var ( // CodeReview applies the score policy for the Code-Review check. func CodeReview(name string, dl checker.DetailLogger, - r *checker.CodeReviewData) checker.CheckResult { + r *checker.CodeReviewData, +) checker.CheckResult { if r == nil { e := sce.WithMessage(sce.ErrScorecardInternal, "empty raw data") return checker.CreateRuntimeErrorResult(name, e) diff --git a/checks/evaluation/dependency_update_tool.go b/checks/evaluation/dependency_update_tool.go index 6c81e913f3c..ab11edc0d40 100644 --- a/checks/evaluation/dependency_update_tool.go +++ b/checks/evaluation/dependency_update_tool.go @@ -23,7 +23,8 @@ import ( // DependencyUpdateTool applies the score policy for the Dependency-Update-Tool check. func DependencyUpdateTool(name string, dl checker.DetailLogger, - r *checker.DependencyUpdateToolData) checker.CheckResult { + r *checker.DependencyUpdateToolData, +) checker.CheckResult { if r == nil { e := sce.WithMessage(sce.ErrScorecardInternal, "empty raw data") return checker.CreateRuntimeErrorResult(name, e) diff --git a/checks/evaluation/vulnerabilities.go b/checks/evaluation/vulnerabilities.go index 1130686abd5..757db98f669 100644 --- a/checks/evaluation/vulnerabilities.go +++ b/checks/evaluation/vulnerabilities.go 
@@ -24,7 +24,8 @@ import ( // Vulnerabilities applies the score policy for the Vulnerabilities check. func Vulnerabilities(name string, dl checker.DetailLogger, - r *checker.VulnerabilitiesData) checker.CheckResult { + r *checker.VulnerabilitiesData, +) checker.CheckResult { if r == nil { e := sce.WithMessage(sce.ErrScorecardInternal, "empty raw data") return checker.CreateRuntimeErrorResult(name, e) diff --git a/checks/fileparser/github_workflow.go b/checks/fileparser/github_workflow.go index 9c4a42b5613..89ed8e9ca66 100644 --- a/checks/fileparser/github_workflow.go +++ b/checks/fileparser/github_workflow.go @@ -332,7 +332,8 @@ type JobMatcherStep struct { // AnyJobsMatch returns true if any of the jobs have a match in the given workflow. func AnyJobsMatch(workflow *actionlint.Workflow, jobMatchers []JobMatcher, fp string, dl checker.DetailLogger, - logMsgNoMatch string) bool { + logMsgNoMatch string, +) bool { for _, job := range workflow.Jobs { for _, matcher := range jobMatchers { if !matcher.matches(job) { diff --git a/checks/fileparser/listing.go b/checks/fileparser/listing.go index 44582315162..0319824124c 100644 --- a/checks/fileparser/listing.go +++ b/checks/fileparser/listing.go @@ -71,7 +71,8 @@ type DoWhileTrueOnFileContent func(path string, content []byte, args ...interfac // Continues iterating along the matched files until onFileContent returns // either a false value or an error. func OnMatchingFileContentDo(repoClient clients.RepoClient, matchPathTo PathMatcher, - onFileContent DoWhileTrueOnFileContent, args ...interface{}) error { + onFileContent DoWhileTrueOnFileContent, args ...interface{}, +) error { predicate := func(filepath string) (bool, error) { // Filter out test files. if isTestdataFile(filepath) { diff --git a/checks/permissions.go b/checks/permissions.go index e878a51dddc..ba114c2f565 100644 --- a/checks/permissions.go +++ b/checks/permissions.go 
@@ -92,7 +92,8 @@ func TokenPermissions(c *checker.CheckRequest) checker.CheckResult { // Check file content. var validateGitHubActionTokenPermissions fileparser.DoWhileTrueOnFileContent = func(path string, content []byte, - args ...interface{}) (bool, error) { + args ...interface{}, +) (bool, error) { if !fileparser.IsWorkflowFile(path) { return true, nil } @@ -146,7 +147,8 @@ var validateGitHubActionTokenPermissions fileparser.DoWhileTrueOnFileContent = f func validatePermission(permissionKey permission, permissionValue *actionlint.PermissionScope, permLevel, path string, dl checker.DetailLogger, pPermissions map[permission]bool, - ignoredPermissions map[permission]bool) error { + ignoredPermissions map[permission]bool, +) error { if permissionValue.Value == nil { return sce.WithMessage(sce.ErrScorecardInternal, errInvalidGitHubWorkflow.Error()) } @@ -188,7 +190,8 @@ func validatePermission(permissionKey permission, permissionValue *actionlint.Pe func validateMapPermissions(scopes map[string]*actionlint.PermissionScope, permLevel, path string, dl checker.DetailLogger, pPermissions map[permission]bool, - ignoredPermissions map[permission]bool) error { + ignoredPermissions map[permission]bool, +) error { for key, v := range scopes { if err := validatePermission(permission(key), v, permLevel, path, dl, pPermissions, ignoredPermissions); err != nil { return err @@ -223,7 +226,8 @@ func recordAllPermissionsWrite(p *permissionCbData, permLevel, path string) { func validatePermissions(permissions *actionlint.Permissions, permLevel, path string, dl checker.DetailLogger, pdata *permissionCbData, - ignoredPermissions map[permission]bool) error { + ignoredPermissions map[permission]bool, +) error { allIsSet := permissions != nil && permissions.All != nil && permissions.All.Value != "" scopeIsSet := permissions != nil && len(permissions.Scopes) > 0 if permissions == nil || (!allIsSet && !scopeIsSet) { 
@@ -264,7 +268,8 @@ func validatePermissions(permissions *actionlint.Permissions, permLevel, path st } func validateTopLevelPermissions(workflow *actionlint.Workflow, path string, - dl checker.DetailLogger, pdata *permissionCbData) error { + dl checker.DetailLogger, pdata *permissionCbData, +) error { // Check if permissions are set explicitly. if workflow.Permissions == nil { dl.Warn(&checker.LogMessage{ @@ -283,7 +288,8 @@ func validateTopLevelPermissions(workflow *actionlint.Workflow, path string, func validatejobLevelPermissions(workflow *actionlint.Workflow, path string, dl checker.DetailLogger, pdata *permissionCbData, - ignoredPermissions map[permission]bool) error { + ignoredPermissions map[permission]bool, +) error { for _, job := range workflow.Jobs { // Run-level permissions may be left undefined. // For most workflows, no write permissions are needed, diff --git a/checks/permissions_test.go b/checks/permissions_test.go index 9fb57fc4ba5..8377f7c220a 100644 --- a/checks/permissions_test.go +++ b/checks/permissions_test.go @@ -30,7 +30,8 @@ type file struct { } func testValidateGitHubActionTokenPermissions(files []file, - dl checker.DetailLogger) checker.CheckResult { + dl checker.DetailLogger, +) checker.CheckResult { data := permissionCbData{ workflows: make(map[string]permissions), } diff --git a/checks/pinned_dependencies.go b/checks/pinned_dependencies.go index 493ea6e2d04..950150727d9 100644 --- a/checks/pinned_dependencies.go +++ b/checks/pinned_dependencies.go @@ -170,7 +170,8 @@ func dataAsDetailLogger(data interface{}) checker.DetailLogger { } func createReturnValuesForGitHubActionsWorkflowPinned(r worklowPinningResult, infoMsg string, - dl checker.DetailLogger, err error) (int, error) { + dl checker.DetailLogger, err error, +) (int, error) { if err != nil { return checker.InconclusiveResultScore, err } 
@@ -227,14 +228,16 @@ func isShellScriptFreeOfInsecureDownloads(c *checker.CheckRequest) (int, error) } func createReturnForIsShellScriptFreeOfInsecureDownloads(r pinnedResult, - dl checker.DetailLogger, err error) (int, error) { + dl checker.DetailLogger, err error, +) (int, error) { return createReturnValues(r, "no insecure (not pinned by hash) dependency downloads found in shell scripts", dl, err) } func testValidateShellScriptIsFreeOfInsecureDownloads(pathfn string, - content []byte, dl checker.DetailLogger) (int, error) { + content []byte, dl checker.DetailLogger, +) (int, error) { var r pinnedResult _, err := validateShellScriptIsFreeOfInsecureDownloads(pathfn, content, dl, &r) return createReturnForIsShellScriptFreeOfInsecureDownloads(r, dl, err) @@ -243,7 +246,8 @@ func testValidateShellScriptIsFreeOfInsecureDownloads(pathfn string, var validateShellScriptIsFreeOfInsecureDownloads fileparser.DoWhileTrueOnFileContent = func( pathfn string, content []byte, - args ...interface{}) (bool, error) { + args ...interface{}, +) (bool, error) { if len(args) != 2 { return false, fmt.Errorf( "validateShellScriptIsFreeOfInsecureDownloads requires exactly 2 arguments: %w", errInvalidArgLength) @@ -277,14 +281,16 @@ func isDockerfileFreeOfInsecureDownloads(c *checker.CheckRequest) (int, error) { // Create the result. func createReturnForIsDockerfileFreeOfInsecureDownloads(r pinnedResult, - dl checker.DetailLogger, err error) (int, error) { + dl checker.DetailLogger, err error, +) (int, error) { return createReturnValues(r, "no insecure (not pinned by hash) dependency downloads found in Dockerfiles", dl, err) } func testValidateDockerfileIsFreeOfInsecureDownloads(pathfn string, - content []byte, dl checker.DetailLogger) (int, error) { + content []byte, dl checker.DetailLogger, +) (int, error) { var r pinnedResult _, err := validateDockerfileIsFreeOfInsecureDownloads(pathfn, content, dl, &r) return createReturnForIsDockerfileFreeOfInsecureDownloads(r, dl, err) 
@@ -308,7 +314,8 @@ func isDockerfile(pathfn string, content []byte) bool { var validateDockerfileIsFreeOfInsecureDownloads fileparser.DoWhileTrueOnFileContent = func( pathfn string, content []byte, - args ...interface{}) (bool, error) { + args ...interface{}, +) (bool, error) { if len(args) != 2 { return false, fmt.Errorf( "validateDockerfileIsFreeOfInsecureDownloads requires exactly 2 arguments: %w", errInvalidArgLength) @@ -394,7 +401,8 @@ func testValidateDockerfileIsPinned(pathfn string, content []byte, dl checker.De var validateDockerfileIsPinned fileparser.DoWhileTrueOnFileContent = func( pathfn string, content []byte, - args ...interface{}) (bool, error) { + args ...interface{}, +) (bool, error) { // Users may use various names, e.g., // Dockerfile.aarch64, Dockerfile.template, Dockerfile_template, dockerfile, Dockerfile-name.template @@ -517,14 +525,16 @@ func isGitHubWorkflowScriptFreeOfInsecureDownloads(c *checker.CheckRequest) (int // Create the result. func createReturnForIsGitHubWorkflowScriptFreeOfInsecureDownloads(r pinnedResult, - dl checker.DetailLogger, err error) (int, error) { + dl checker.DetailLogger, err error, +) (int, error) { return createReturnValues(r, "no insecure (not pinned by hash) dependency downloads found in GitHub workflows", dl, err) } func testValidateGitHubWorkflowScriptFreeOfInsecureDownloads(pathfn string, - content []byte, dl checker.DetailLogger) (int, error) { + content []byte, dl checker.DetailLogger, +) (int, error) { var r pinnedResult _, err := validateGitHubWorkflowIsFreeOfInsecureDownloads(pathfn, content, dl, &r) return createReturnForIsGitHubWorkflowScriptFreeOfInsecureDownloads(r, dl, err) 
@@ -535,7 +545,8 @@ func testValidateGitHubWorkflowScriptFreeOfInsecureDownloads(pathfn string, var validateGitHubWorkflowIsFreeOfInsecureDownloads fileparser.DoWhileTrueOnFileContent = func( pathfn string, content []byte, - args ...interface{}) (bool, error) { + args ...interface{}, +) (bool, error) { if !fileparser.IsWorkflowFile(pathfn) { return true, nil } @@ -622,7 +633,8 @@ func isGitHubActionsWorkflowPinned(c *checker.CheckRequest) (int, error) { // Create the result. func createReturnForIsGitHubActionsWorkflowPinned(r worklowPinningResult, dl checker.DetailLogger, - err error) (int, error) { + err error, +) (int, error) { return createReturnValuesForGitHubActionsWorkflowPinned(r, "actions are pinned", dl, err) @@ -646,7 +658,8 @@ func generateOwnerToDisplay(gitHubOwned bool) string { var validateGitHubActionWorkflow fileparser.DoWhileTrueOnFileContent = func( pathfn string, content []byte, - args ...interface{}) (bool, error) { + args ...interface{}, +) (bool, error) { if !fileparser.IsWorkflowFile(pathfn) { return true, nil } diff --git a/checks/raw/binary_artifact.go b/checks/raw/binary_artifact.go index 2fa1881bd10..ae1bbf1c19a 100644 --- a/checks/raw/binary_artifact.go +++ b/checks/raw/binary_artifact.go @@ -44,7 +44,8 @@ func BinaryArtifacts(c clients.RepoClient) (checker.BinaryArtifactData, error) { } var checkBinaryFileContent fileparser.DoWhileTrueOnFileContent = func(path string, content []byte, - args ...interface{}) (bool, error) { + args ...interface{}, +) (bool, error) { if len(args) != 1 { return false, fmt.Errorf( "checkBinaryFileContent requires exactly one argument: %w", errInvalidArgLength) diff --git a/checks/shell_download_validate.go b/checks/shell_download_validate.go index 4d715856c85..85fb589825e 100644 --- a/checks/shell_download_validate.go +++ b/checks/shell_download_validate.go 
@@ -294,7 +294,8 @@ func getLine(startLine, endLine uint, node syntax.Node) (uint, uint) { } func isFetchPipeExecute(startLine, endLine uint, node syntax.Node, cmd, pathfn string, - dl checker.DetailLogger) bool { + dl checker.DetailLogger, +) bool { // BinaryCmd {Op=|, X=CallExpr{Args={curl, -s, url}}, Y=CallExpr{Args={bash,}}}. bc, ok := node.(*syntax.BinaryCmd) if !ok { @@ -357,7 +358,8 @@ func getRedirectFile(red []*syntax.Redirect) (string, bool) { } func isExecuteFiles(startLine, endLine uint, node syntax.Node, cmd, pathfn string, files map[string]bool, - dl checker.DetailLogger) bool { + dl checker.DetailLogger, +) bool { ce, ok := node.(*syntax.CallExpr) if !ok { return false @@ -574,7 +576,8 @@ func isPipUnpinnedDownload(cmd []string) bool { } func isUnpinnedPakageManagerDownload(startLine, endLine uint, node syntax.Node, - cmd, pathfn string, dl checker.DetailLogger) bool { + cmd, pathfn string, dl checker.DetailLogger, +) bool { ce, ok := node.(*syntax.CallExpr) if !ok { return false @@ -655,7 +658,8 @@ func recordFetchFileFromNode(node syntax.Node) (pathfn string, ok bool, err erro } func isFetchProcSubsExecute(startLine, endLine uint, node syntax.Node, cmd, pathfn string, - dl checker.DetailLogger) bool { + dl checker.DetailLogger, +) bool { ce, ok := node.(*syntax.CallExpr) if !ok { return false @@ -792,7 +796,8 @@ func nodeToString(p *syntax.Printer, node syntax.Node) (string, error) { } func validateShellFileAndRecord(pathfn string, startLine, endLine uint, content []byte, files map[string]bool, - dl checker.DetailLogger) (bool, error) { + dl checker.DetailLogger, +) (bool, error) { in := strings.NewReader(string(content)) f, err := syntax.NewParser().Parse(in, pathfn) if err != nil { 
@@ -942,7 +947,8 @@ func isMatchingShellScriptFile(pathfn string, content []byte, shellsToMatch []st } func validateShellFile(pathfn string, startLine, endLine uint, - content []byte, taintedFiles map[string]bool, dl checker.DetailLogger) (bool, error) { + content []byte, taintedFiles map[string]bool, dl checker.DetailLogger, +) (bool, error) { r, err := validateShellFileAndRecord(pathfn, startLine, endLine, content, taintedFiles, dl) if err != nil && errors.Is(err, sce.ErrorShellParsing) { // Discard and print this particular error for now. diff --git a/checks/testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-pr.yml b/checks/testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-pr.yml new file mode 100644 index 00000000000..9e927e8a00c --- /dev/null +++ b/checks/testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-pr.yml @@ -0,0 +1,36 @@ +name: Close issue on Jira + +on: + pull_request + +env: + BLA: ${{ secrets.GITHUB_TOKEN }} + +jobs: + test1: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1.2.3 + with: + ref: ${{ github.event.pull_request.head.sha }} + name: Use in env toJson + + - uses: some/action@v1.2.3 + with: + option: ${{ secrets.GITHUB_TOKEN }} + name: Use secret in args + + - name: Use in with toJson + env: + GITHUB_CONTEXT: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "$GITHUB_CONTEXT" + echo "${{ secrets.GITHUB_TOKEN }}" + + - name: Use in with toJson + uses: some/action@v1.2.3 + env: + GITHUB_CONTEXT: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "$GITHUB_CONTEXT" + echo "${{ secrets.GITHUB_TOKEN }}" diff --git a/checks/testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-prt.yml b/checks/testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-prt.yml new file mode 100644 index 00000000000..28e185b57cb --- /dev/null +++ b/checks/testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-prt.yml 
@@ -0,0 +1,36 @@ +name: Close issue on Jira + +on: + pull_request_target + +env: + BLA: ${{ secrets.GITHUB_TOKEN }} + +jobs: + test1: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1.2.3 + with: + ref: ${{ github.event.pull_request.head.sha }} + name: Use in env toJson + + - uses: some/action@v1.2.3 + with: + option: ${{ secrets.GITHUB_TOKEN }} + name: Use secret in args + + - name: Use in with toJson + env: + GITHUB_CONTEXT: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "$GITHUB_CONTEXT" + echo "${{ secrets.GITHUB_TOKEN }}" + + - name: Use in with toJson + uses: some/action@v1.2.3 + env: + GITHUB_CONTEXT: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "$GITHUB_CONTEXT" + echo "${{ secrets.GITHUB_TOKEN }}" diff --git a/clients/localdir/client.go b/clients/localdir/client.go index 029e4531f50..3ff7c8d7473 100644 --- a/clients/localdir/client.go +++ b/clients/localdir/client.go @@ -109,8 +109,11 @@ func listFiles(clientPath string) ([]string, error) { return files, nil } -func applyPredicate(clientFiles []string, - errFiles error, predicate func(string) (bool, error)) ([]string, error) { +func applyPredicate( + clientFiles []string, + errFiles error, + predicate func(string) (bool, error), +) ([]string, error) { if errFiles != nil { return nil, errFiles } diff --git a/cmd/package_managers.go b/cmd/package_managers.go index cd1fd715c67..3ec0188a2c6 100644 --- a/cmd/package_managers.go +++ b/cmd/package_managers.go @@ -28,7 +28,8 @@ type packageMangerResponse struct { } func fetchGitRepositoryFromPackageManagers(npm, pypi, rubygems string, - manager packageManagerClient) (packageMangerResponse, error) { + manager packageManagerClient, +) (packageMangerResponse, error) { if npm != "" { gitRepo, err := fetchGitRepositoryFromNPM(npm, manager) return packageMangerResponse{ diff --git a/cron/bq/main.go b/cron/bq/main.go index f5e03f67e56..5882643e05c 100644 --- a/cron/bq/main.go +++ b/cron/bq/main.go 
@@ -96,7 +96,8 @@ func isCompleted(expected, created int, completionThreshold float64) bool { func transferDataToBq(ctx context.Context, bucketURL, projectID, datasetName, tableName string, completionThreshold float64, webhookURL string, - summary *bucketSummary) error { + summary *bucketSummary, +) error { for creationTime, shards := range summary.shards { if shards.isTransferred || !isCompleted(shards.shardsExpected, shards.shardsCreated, completionThreshold) { continue diff --git a/cron/bq/transfer.go b/cron/bq/transfer.go index 0f3b95e56f4..0091141540a 100644 --- a/cron/bq/transfer.go +++ b/cron/bq/transfer.go @@ -32,7 +32,8 @@ func createGCSRef(bucketURL, fileURI string) *bigquery.GCSReference { } func createBQLoader(ctx context.Context, projectID, datasetName, tableName string, - partitionDate time.Time, gcsRef *bigquery.GCSReference) (*bigquery.Client, *bigquery.Loader, error) { + partitionDate time.Time, gcsRef *bigquery.GCSReference, +) (*bigquery.Client, *bigquery.Loader, error) { bqClient, err := bigquery.NewClient(ctx, projectID) if err != nil { return nil, nil, fmt.Errorf("failed to create bigquery client: %w", err) @@ -46,7 +47,8 @@ func createBQLoader(ctx context.Context, projectID, datasetName, tableName strin func startDataTransferJob(ctx context.Context, bucketURL, fileURI, projectID, datasetName, tableName string, - partitionDate time.Time) error { + partitionDate time.Time, +) error { gcsRef := createGCSRef(bucketURL, fileURI) bqClient, loader, err := createBQLoader(ctx, projectID, datasetName, tableName, partitionDate, gcsRef) if err != nil { diff --git a/cron/controller/Dockerfile b/cron/controller/Dockerfile index 6179695557c..49081acf309 100644 --- a/cron/controller/Dockerfile +++ b/cron/controller/Dockerfile 
@@ -30,7 +30,7 @@ ARG TARGETOS ARG TARGETARCH RUN CGO_ENABLED=0 make build-controller -FROM gcr.io/distroless/base:nonroot@sha256:02f667185ccf78dbaaf79376b6904aea6d832638e1314387c2c2932f217ac5cb +FROM gcr.io/distroless/base:nonroot@sha256:792dfe78a236dfb6fb180a250d105e0a03585dcbc73f8fce033fe62d4fd59bcb COPY ./cron/data/projects*csv cron/data/ COPY --from=shuffle /src/cron/data/projects.release.csv cron/data/projects.release.csv COPY --from=controller /src/cron/controller/controller cron/controller/controller diff --git a/cron/format/json.go b/cron/format/json.go index 2d8ea9228df..f75ce379039 100644 --- a/cron/format/json.go +++ b/cron/format/json.go @@ -120,7 +120,8 @@ func AsJSON(r *pkg.ScorecardResult, showDetails bool, logLevel log.Level, writer // AsJSON2 exports results as JSON for the cron job and in the new detail format. func AsJSON2(r *pkg.ScorecardResult, showDetails bool, - logLevel log.Level, checkDocs docs.Doc, writer io.Writer) error { + logLevel log.Level, checkDocs docs.Doc, writer io.Writer, +) error { score, err := r.GetAggregateScore(checkDocs) if err != nil { //nolint:wrapcheck diff --git a/cron/format/json.raw.schema b/cron/format/json.raw.schema new file mode 100644 index 00000000000..5e67289bcd3 --- /dev/null +++ b/cron/format/json.raw.schema 
@@ -0,0 +1,306 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "date": { + "type": "string" + }, + "metadata": { + "type": "array", + "items": { + "type": "string" + } + }, + "repo": { + "type": "object", + "properties": { + "commit": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "required": [ + "name", + "commit" + ] + }, + "results": { + "type": "object", + "properties": { + "binaries": { + "type": "array", + "items": { + "type": "object", + "properties": { + "offset": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "required": [ + "path" + ] + } + }, + "branch-protections": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "protection": { + "type": "object", + "properties": { + "allows-deletions": { + "type": "boolean" + }, + "allows-force-pushes": { + "type": "boolean" + }, + "dismisses-stale-reviews": { + "type": "boolean" + }, + "enforces-admin": { + "type": "boolean" + }, + "required-linear-history": { + "type": "boolean" + }, + "required-reviewer-count": { + "type": "integer" + }, + "requires-code-owner-review": { + "type": "boolean" + }, + "requires-status-checks": { + "type": "boolean" + }, + "requires-updated-branches-to-merge": { + "type": "boolean" + }, + "status-checks-contexts": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "required-reviewer-count", + "allows-deletions", + "allows-force-pushes", + "requires-code-owner-review", + "required-linear-history", + "dismisses-stale-reviews", + "enforces-admin", + "requires-status-checks", + "requires-updated-branches-to-merge", + "status-checks-contexts" + ] + } + }, + "required": [ + "protection", + "name" + ] + } + }, + "database-vulnerabilities": { + "type": "array", + "items": { + "type": "object", + "properties": { + "ID": { + "type": "string" + } + }, + "required": [ + "ID" + ] + } + }, + "default-branch-commits": { + 
"type": "array", + "items": { + "type": "object", + "properties": { + "commit-message": { + "type": "string" + }, + "committer": { + "type": "object", + "properties": { + "login": { + "type": "string" + } + }, + "required": [ + "login" + ] + }, + "merge-request": { + "type": "object", + "properties": { + "author": { + "type": "object", + "properties": { + "login": { + "type": "string" + } + }, + "required": [ + "login" + ] + }, + "labels": { + "type": "array", + "items": { + "type": "string" + } + }, + "number": { + "type": "integer" + }, + "reviews": { + "type": "array", + "items": { + "type": "object", + "properties": { + "reviewer": { + "type": "object", + "properties": { + "login": { + "type": "string" + } + }, + "required": [ + "login" + ] + }, + "state": { + "type": "string" + } + }, + "required": [ + "reviewer", + "state" + ] + } + } + }, + "required": [ + "number", + "labels", + "reviews", + "author" + ] + }, + "sha": { + "type": "string" + } + }, + "required": [ + "committer", + "merge-request", + "commit-message", + "sha" + ] + } + }, + "dependency-update-tools": { + "type": "array", + "items": { + "type": "object", + "properties": { + "desc": { + "type": "string" + }, + "files": { + "type": "array", + "items": { + "type": "object", + "properties": { + "offset": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "required": [ + "path" + ] + } + }, + "name": { + "type": "string" + }, + "url": { + "type": "string" + } + }, + "required": [ + "name", + "url", + "desc", + "files" + ] + } + }, + "security-policies": { + "type": "array", + "items": { + "type": "object", + "properties": { + "offset": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "required": [ + "path" + ] + } + } + }, + "required": [ + "database-vulnerabilities", + "binaries", + "security-policies", + "dependency-update-tools", + "branch-protections", + "default-branch-commits" + ] + }, + "scorecard": { + "type": "object", + "properties": { + "commit": { + 
"type": "string" + }, + "version": { + "type": "string" + } + }, + "required": [ + "version", + "commit" + ] + } + }, + "required": [ + "date", + "repo", + "scorecard", + "metadata", + "results" + ] +} \ No newline at end of file diff --git a/cron/k8s/transfer.release-raw.yaml b/cron/k8s/transfer.release-raw.yaml index 5a30062e272..3e285f0f133 100644 --- a/cron/k8s/transfer.release-raw.yaml +++ b/cron/k8s/transfer.release-raw.yaml @@ -33,7 +33,7 @@ spec: - name: RAW_SCORECARD_DATA_BUCKET_URL value: "gs://ossf-scorecard-rawdata-releasetest" - name: RAW_SCORECARD_BIGQUERY_TABLE - value: "scorecard_raw-releasetest" + value: "scorecard-rawdata-releasetest" - name: SCORECARD_COMPLETION_THRESHOLD value: "0.9" resources: diff --git a/go.mod b/go.mod index 84d8ffffcc4..f1d5dc23e4c 100644 --- a/go.mod +++ b/go.mod @@ -38,7 +38,7 @@ require ( golang.org/x/text v0.3.7 golang.org/x/tools v0.1.9 google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8 - google.golang.org/protobuf v1.27.1 + google.golang.org/protobuf v1.28.0 gopkg.in/yaml.v2 v2.4.0 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b mvdan.cc/sh/v3 v3.4.3 diff --git a/go.sum b/go.sum index 286c8b7ce9c..366028f15fe 100644 --- a/go.sum +++ b/go.sum 
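Review bot: cron/format/json.raw.schema and the pkg/json.raw.schema added further down are byte-identical copies — both `index` lines point at blob 5e67289bcd3 — so the two will drift the first time either one is edited. Keeping a single copy (or generating one from the other at build time) avoids that; whichever file is kept should also end with a newline, since the diff marks both as lacking one. The schema sets no `additionalProperties`, so documents with unknown fields still validate; if a strict schema is the intent, that should be declared explicitly at the object levels that matter.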
@@ -2062,8 +2062,9 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw= +google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/pkg/json.go b/pkg/json.go index 12e3d0b4990..ffc2a392da0 100644 --- a/pkg/json.go +++ b/pkg/json.go @@ -119,7 +119,8 @@ func (r *ScorecardResult) AsJSON(showDetails bool, logLevel log.Level, writer io // AsJSON2 exports results as JSON for new detail format. func (r *ScorecardResult) AsJSON2(showDetails bool, - logLevel log.Level, checkDocs docs.Doc, writer io.Writer) error { + logLevel log.Level, checkDocs docs.Doc, writer io.Writer, +) error { score, err := r.GetAggregateScore(checkDocs) if err != nil { return err diff --git a/pkg/json.raw.schema b/pkg/json.raw.schema new file mode 100644 index 00000000000..5e67289bcd3 --- /dev/null +++ b/pkg/json.raw.schema 
@@ -0,0 +1,306 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "date": { + "type": "string" + }, + "metadata": { + "type": "array", + "items": { + "type": "string" + } + }, + "repo": { + "type": "object", + "properties": { + "commit": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "required": [ + "name", + "commit" + ] + }, + "results": { + "type": "object", + "properties": { + "binaries": { + "type": "array", + "items": { + "type": "object", + "properties": { + "offset": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "required": [ + "path" + ] + } + }, + "branch-protections": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "protection": { + "type": "object", + "properties": { + "allows-deletions": { + "type": "boolean" + }, + "allows-force-pushes": { + "type": "boolean" + }, + "dismisses-stale-reviews": { + "type": "boolean" + }, + "enforces-admin": { + "type": "boolean" + }, + "required-linear-history": { + "type": "boolean" + }, + "required-reviewer-count": { + "type": "integer" + }, + "requires-code-owner-review": { + "type": "boolean" + }, + "requires-status-checks": { + "type": "boolean" + }, + "requires-updated-branches-to-merge": { + "type": "boolean" + }, + "status-checks-contexts": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "required-reviewer-count", + "allows-deletions", + "allows-force-pushes", + "requires-code-owner-review", + "required-linear-history", + "dismisses-stale-reviews", + "enforces-admin", + "requires-status-checks", + "requires-updated-branches-to-merge", + "status-checks-contexts" + ] + } + }, + "required": [ + "protection", + "name" + ] + } + }, + "database-vulnerabilities": { + "type": "array", + "items": { + "type": "object", + "properties": { + "ID": { + "type": "string" + } + }, + "required": [ + "ID" + ] + } + }, + "default-branch-commits": { + 
"type": "array", + "items": { + "type": "object", + "properties": { + "commit-message": { + "type": "string" + }, + "committer": { + "type": "object", + "properties": { + "login": { + "type": "string" + } + }, + "required": [ + "login" + ] + }, + "merge-request": { + "type": "object", + "properties": { + "author": { + "type": "object", + "properties": { + "login": { + "type": "string" + } + }, + "required": [ + "login" + ] + }, + "labels": { + "type": "array", + "items": { + "type": "string" + } + }, + "number": { + "type": "integer" + }, + "reviews": { + "type": "array", + "items": { + "type": "object", + "properties": { + "reviewer": { + "type": "object", + "properties": { + "login": { + "type": "string" + } + }, + "required": [ + "login" + ] + }, + "state": { + "type": "string" + } + }, + "required": [ + "reviewer", + "state" + ] + } + } + }, + "required": [ + "number", + "labels", + "reviews", + "author" + ] + }, + "sha": { + "type": "string" + } + }, + "required": [ + "committer", + "merge-request", + "commit-message", + "sha" + ] + } + }, + "dependency-update-tools": { + "type": "array", + "items": { + "type": "object", + "properties": { + "desc": { + "type": "string" + }, + "files": { + "type": "array", + "items": { + "type": "object", + "properties": { + "offset": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "required": [ + "path" + ] + } + }, + "name": { + "type": "string" + }, + "url": { + "type": "string" + } + }, + "required": [ + "name", + "url", + "desc", + "files" + ] + } + }, + "security-policies": { + "type": "array", + "items": { + "type": "object", + "properties": { + "offset": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "required": [ + "path" + ] + } + } + }, + "required": [ + "database-vulnerabilities", + "binaries", + "security-policies", + "dependency-update-tools", + "branch-protections", + "default-branch-commits" + ] + }, + "scorecard": { + "type": "object", + "properties": { + "commit": { + 
"type": "string" + }, + "version": { + "type": "string" + } + }, + "required": [ + "version", + "commit" + ] + } + }, + "required": [ + "date", + "repo", + "scorecard", + "metadata", + "results" + ] +} \ No newline at end of file diff --git a/pkg/sarif.go b/pkg/sarif.go index 1332a796e5a..32fc7d29a21 100644 --- a/pkg/sarif.go +++ b/pkg/sarif.go @@ -252,7 +252,8 @@ func detailToRegion(details *checker.CheckDetail) region { } func shouldAddLocation(detail *checker.CheckDetail, showDetails bool, - minScore, score int) bool { + minScore, score int, +) bool { switch { default: return false @@ -269,7 +270,8 @@ func shouldAddLocation(detail *checker.CheckDetail, showDetails bool, } func detailsToLocations(details []checker.CheckDetail, - showDetails bool, minScore, score int) []location { + showDetails bool, minScore, score int, +) []location { locs := []location{} //nolint @@ -355,7 +357,8 @@ func createSARIFTool(url, name, version string) tool { } func createSARIFRun(uri, toolName, version, commit string, t time.Time, - category, runName string) run { + category, runName string, +) run { return run{ Tool: createSARIFTool(uri, toolName, version), Results: []result{}, @@ -370,7 +373,8 @@ func createSARIFRun(uri, toolName, version, commit string, t time.Time, func getOrCreateSARIFRun(runs map[string]*run, runName string, uri, toolName, version, commit string, t time.Time, - category string) *run { + category string, +) *run { if prun, exists := runs[runName]; exists { return prun } @@ -399,7 +403,8 @@ func generateMarkdownText(longDesc, risk string, remediation []string) string { func createSARIFRule(checkName, checkID, descURL, longDesc, shortDesc, risk string, remediation []string, - tags []string) rule { + tags []string, +) rule { return rule{ ID: checkID, Name: checkName, 
@@ -526,7 +531,8 @@ func createDefaultLocationMessage(check *checker.CheckResult, score int) string
// AsSARIF outputs ScorecardResult in SARIF 2.1.0 format.
func (r *ScorecardResult) AsSARIF(showDetails bool, logLevel log.Level,
- writer io.Writer, checkDocs docs.Doc, policy *spol.ScorecardPolicy) error {
+ writer io.Writer, checkDocs docs.Doc, policy *spol.ScorecardPolicy,
+) error {
//nolint
// https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html.
// We only support GitHub-supported properties:
diff --git a/pkg/scorecard_result.go b/pkg/scorecard_result.go
index efc388c2c50..b3fd008bab3 100644
--- a/pkg/scorecard_result.go
+++ b/pkg/scorecard_result.go
@@ -137,7 +137,8 @@ func FormatResults(
// AsString returns ScorecardResult in string format.
func (r *ScorecardResult) AsString(showDetails bool, logLevel log.Level,
- checkDocs checks.Doc, writer io.Writer) error {
+ checkDocs checks.Doc, writer io.Writer,
+) error {
data := make([][]string, len(r.Checks))
//nolint
for i, row := range r.Checks {
diff --git a/tools/go.mod b/tools/go.mod
index 4fc18ebf612..d96b0561ddf 100644
--- a/tools/go.mod
+++ b/tools/go.mod
@@ -4,13 +4,13 @@ go 1.17
require (
github.com/golang/mock v1.6.0
- github.com/golangci/golangci-lint v1.44.2
+ github.com/golangci/golangci-lint v1.45.0
github.com/google/addlicense v1.0.0
github.com/google/ko v0.10.1-0.20220221173235-a36ea50a9eca
github.com/goreleaser/goreleaser v1.6.3
github.com/naveensrinivasan/stunning-tribble v0.4.2
github.com/onsi/ginkgo/v2 v2.1.3
- google.golang.org/protobuf v1.27.1
+ google.golang.org/protobuf v1.28.0
)
require (
@@ -58,7 +58,7 @@ require (
github.com/apex/log v1.9.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
github.com/ashanbrown/forbidigo v1.3.0 // indirect
- github.com/ashanbrown/makezero v1.1.0 // indirect
+ github.com/ashanbrown/makezero v1.1.1 // indirect
github.com/atc0005/go-teams-notify/v2 v2.6.1 // indirect
github.com/aws/aws-sdk-go v1.42.43 // indirect
github.com/aws/aws-sdk-go-v2 v1.13.0 // indirect
@@ -103,9 +103,9 @@ require (
github.com/containerd/containerd v1.6.0 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.11.1 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
- github.com/daixiang0/gci v0.3.1 // indirect
+ github.com/daixiang0/gci v0.3.3 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
- github.com/denis-tingajkin/go-header v0.4.2 // indirect
+ github.com/denis-tingaikin/go-header v0.4.3 // indirect
github.com/dghubble/go-twitter v0.0.0-20211115160449-93a8679adecb // indirect
github.com/dghubble/oauth1 v0.7.1 // indirect
github.com/dghubble/sling v1.4.0 // indirect
@@ -225,7 +225,6 @@ require (
github.com/mattn/go-runewidth v0.0.13 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
github.com/mbilski/exhaustivestruct v1.2.0 // indirect
- github.com/mgechev/dots v0.0.0-20210922191527-e955255bf517 // indirect
github.com/mgechev/revive v1.1.4 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
@@ -263,21 +262,21 @@ require (
github.com/ryanrolds/sqlclosecheck v0.3.0 // indirect
github.com/sanposhiho/wastedassign/v2 v2.0.6 // indirect
github.com/secure-systems-lab/go-securesystemslib v0.3.0 // indirect
- github.com/securego/gosec/v2 v2.9.6 // indirect
+ github.com/securego/gosec/v2 v2.10.0 // indirect
github.com/sergi/go-diff v1.2.0 // indirect
github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c // indirect
github.com/sigstore/cosign v1.5.2 // indirect
github.com/sigstore/rekor v0.5.0 // indirect
github.com/sigstore/sigstore v1.1.1-0.20220130134424-bae9b66b8442 // indirect
github.com/sirupsen/logrus v1.8.1 // indirect
- github.com/sivchari/containedctx v1.0.1 // indirect
+ github.com/sivchari/containedctx v1.0.2 // indirect
github.com/sivchari/tenv v1.4.7 // indirect
github.com/slack-go/slack v0.10.2 // indirect
github.com/sonatard/noctx v0.0.1 // indirect
github.com/sourcegraph/go-diff v0.6.1 // indirect
github.com/spf13/afero v1.8.1 // indirect
github.com/spf13/cast v1.4.1 // indirect
- github.com/spf13/cobra v1.3.0 // indirect
+ github.com/spf13/cobra v1.4.0 // indirect
github.com/spf13/jwalterweatherman v1.1.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/spf13/viper v1.10.1 // indirect
@@ -292,7 +291,7 @@ require (
github.com/tetafro/godot v1.4.11 // indirect
github.com/theupdateframework/go-tuf v0.0.0-20220211205608-f0c3294f63b9 // indirect
github.com/timakin/bodyclose v0.0.0-20210704033933-f49887972144 // indirect
- github.com/tomarrell/wrapcheck/v2 v2.4.0 // indirect
+ github.com/tomarrell/wrapcheck/v2 v2.5.0 // indirect
github.com/tommy-muehle/go-mnd/v2 v2.5.0 // indirect
github.com/ulikunitz/xz v0.5.10 // indirect
github.com/ultraware/funlen v0.0.3 // indirect
@@ -308,7 +307,7 @@ require (
go.opencensus.io v0.23.0 // indirect
gocloud.dev v0.24.1-0.20211119014450-028788aaaa4c // indirect
golang.org/x/crypto v0.0.0-20220214200702-86341886e292 // indirect
- golang.org/x/mod v0.5.1 // indirect
+ golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
@@ -316,7 +315,7 @@ require (
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
golang.org/x/text v0.3.7 // indirect
golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 // indirect
- golang.org/x/tools v0.1.9 // indirect
+ golang.org/x/tools v0.1.10 // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
google.golang.org/api v0.70.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
@@ -332,7 +331,7 @@ require (
k8s.io/apimachinery v0.23.4 // indirect
k8s.io/klog/v2 v2.40.1 // indirect
k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
- mvdan.cc/gofumpt v0.2.1 // indirect
+ mvdan.cc/gofumpt v0.3.0 // indirect
mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed // indirect
mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b // indirect
mvdan.cc/unparam v0.0.0-20211214103731-d0ef000c54e5 // indirect
diff --git a/tools/go.sum b/tools/go.sum
index dc2fa259a9a..1827bb7bc3e 100644
--- a/tools/go.sum
+++ b/tools/go.sum
@@ -397,8 +397,8 @@ github.com/ashanbrown/forbidigo v1.2.0/go.mod h1:vVW7PEdqEFqapJe95xHkTfB1+XvZXBF
github.com/ashanbrown/forbidigo v1.3.0 h1:VkYIwb/xxdireGAdJNZoo24O4lmnEWkactplBlWTShc=
github.com/ashanbrown/forbidigo v1.3.0/go.mod h1:vVW7PEdqEFqapJe95xHkTfB1+XvZXBFg8t0sG2FIxmI=
github.com/ashanbrown/makezero v0.0.0-20210520155254-b6261585ddde/go.mod h1:oG9Dnez7/ESBqc4EdrdNlryeo7d0KcW1ftXHm7nU/UU=
-github.com/ashanbrown/makezero v1.1.0 h1:b2FVq4dTlBpy9f6qxhbyWH+6zy56IETE9cFbBGtDqs8=
-github.com/ashanbrown/makezero v1.1.0/go.mod h1:oG9Dnez7/ESBqc4EdrdNlryeo7d0KcW1ftXHm7nU/UU=
+github.com/ashanbrown/makezero v1.1.1 h1:iCQ87C0V0vSyO+M9E/FZYbu65auqH0lnsOkf5FcB28s=
+github.com/ashanbrown/makezero v1.1.1/go.mod h1:i1bJLCRSCHOcOa9Y6MyF2FTfMZMFdHvxKHxgO5Z1axI=
github.com/atc0005/go-teams-notify/v2 v2.6.1 h1:t22ybzQuaQs4UJe4ceF5VYGsPhs6ir3nZOId/FBy6Go=
github.com/atc0005/go-teams-notify/v2 v2.6.1/go.mod h1:xo6GejLDHn3tWBA181F8LrllIL0xC1uRsRxq7YNXaaY=
github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU=
@@ -723,9 +723,8 @@ github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW
github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5/go.mod h1:Eo87+Kg/IX2hfWJfwxMzLyuSZyxSoAug2nGa1G2QAi8=
github.com/d2g/hardwareaddr v0.0.0-20190221164911-e7d9fbe030e4/go.mod h1:bMl4RjIciD2oAxI7DmWRx6gbeqrkoLqv3MV0vzNad+I=
github.com/daixiang0/gci v0.2.9/go.mod h1:+4dZ7TISfSmqfAGv59ePaHfNzgGtIkHAhhdKggP1JAc=
-github.com/daixiang0/gci v0.3.1-0.20220208004058-76d765e3ab48/go.mod h1:jaASoJmv/ykO9dAAPy31iJnreV19248qKDdVWf3QgC4=
-github.com/daixiang0/gci v0.3.1 h1:X6oIaRYm0MZSoE7oNEYWZXy7Pma5KwLV1mxrW4LmUf4=
-github.com/daixiang0/gci v0.3.1/go.mod h1:jaASoJmv/ykO9dAAPy31iJnreV19248qKDdVWf3QgC4=
+github.com/daixiang0/gci v0.3.3 h1:55xJKH7Gl9Vk6oQ1cMkwrDWjAkT1D+D1G9kNmRcAIY4=
+github.com/daixiang0/gci v0.3.3/go.mod h1:1Xr2bxnQbDxCqqulUOv8qpGqkgRw9RSCGGjEC2LjF8o=
github.com/danieljoos/wincred v1.0.2/go.mod h1:SnuYRW9lp1oJrZX/dXJqr0cPK5gYXqx3EJbmjhLdK9U=
github.com/danieljoos/wincred v1.1.0/go.mod h1:XYlo+eRTsVA9aHGp7NGjFkPla4m+DCL7hqDjlFjiygg=
github.com/danieljoos/wincred v1.1.1/go.mod h1:gSBQmTx6G0VmLowygiA7ZD0p0E09HJ68vta8z/RT2d0=
@@ -733,7 +732,8 @@ github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/denis-tingajkin/go-header v0.4.2 h1:jEeSF4sdv8/3cT/WY8AgDHUoItNSoEZ7qg9dX7pc218=
+github.com/denis-tingaikin/go-header v0.4.3 h1:tEaZKAlqql6SKCY++utLmkPLd6K8IBM20Ha7UVm+mtU=
+github.com/denis-tingaikin/go-header v0.4.3/go.mod h1:0wOCWuN71D5qIgE2nz9KrKmuYBAC2Mra5RassOIQ2/c=
github.com/denis-tingajkin/go-header v0.4.2/go.mod h1:eLRHAVXzE5atsKAnNRDB90WHCFFnBUn4RN0nRcs1LJA=
github.com/denisenkom/go-mssqldb v0.9.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
github.com/denisenkom/go-mssqldb v0.11.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
@@ -852,8 +852,8 @@ github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2
github.com/frankban/quicktest v1.10.0/go.mod h1:ui7WezCLWMWxVWr1GETZY3smRy0G4KWq9vcPtJmFl7Y=
github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
github.com/frankban/quicktest v1.13.0/go.mod h1:qLE0fzW0VuyUAJgPU19zByoIr0HtCHN/r/VLSOOIySU=
-github.com/frankban/quicktest v1.14.0 h1:+cqqvzZV87b4adx/5ayVOaYZ2CrvM4ejQvUdBzPPUss=
-github.com/frankban/quicktest v1.14.0/go.mod h1:NeW+ay9A/U67EYXNFA1nPE8e/tnQv/09mUdL/ijj8og=
+github.com/frankban/quicktest v1.14.2 h1:SPb1KFFmM+ybpEjPUhCCkZOM5xlovT5UbrMvWnXyBns=
+github.com/frankban/quicktest v1.14.2/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
github.com/fsnotify/fsnotify v1.5.1 h1:mZcQUHVQUQWoPXXtuf9yuEXKudkV2sx1E06UadKWpgI=
@@ -1197,8 +1197,8 @@ github.com/golangci/go-misc v0.0.0-20180628070357-927a3d87b613/go.mod h1:SyvUF2N
github.com/golangci/gofmt v0.0.0-20190930125516-244bba706f1a h1:iR3fYXUjHCR97qWS8ch1y9zPNsgXThGwjKPrYfqMPks=
github.com/golangci/gofmt v0.0.0-20190930125516-244bba706f1a/go.mod h1:9qCChq59u/eW8im404Q2WWTrnBUQKjpNYKMbU4M7EFU=
github.com/golangci/golangci-lint v1.43.0/go.mod h1:VIFlUqidx5ggxDfQagdvd9E67UjMXtTHBkBQ7sHoC5Q=
-github.com/golangci/golangci-lint v1.44.2 h1:MzvkDt1j1OHkv42/feNJVNNXRFACPp7aAWBWDo5aYQw=
-github.com/golangci/golangci-lint v1.44.2/go.mod h1:KjBgkLvsTWDkhfu12iCrv0gwL1kON5KNhbyjQ6qN7Jo=
+github.com/golangci/golangci-lint v1.45.0 h1:T2oCVkYoeckBxcNS6DTYiSXN2QcTNuAWaHyLGfqzMlU=
+github.com/golangci/golangci-lint v1.45.0/go.mod h1:Y6grRO3drH/7kGP88i9jSl9fGWwCrbA5u7i++jOXll4=
github.com/golangci/lint-1 v0.0.0-20191013205115-297bf364a8e0 h1:MfyDlzVjl1hoaPzPD4Gpb/QgoRfSBR0jdhwGyAWwMSA=
github.com/golangci/lint-1 v0.0.0-20191013205115-297bf364a8e0/go.mod h1:66R6K6P6VWk9I95jvqGxkqJxVWGFy9XlDwLwVz1RCFg=
github.com/golangci/maligned v0.0.0-20180506175553-b1d89398deca h1:kNY3/svz5T29MYHubXix4aDDuE3RWHkPvopM/EDv/MA=
@@ -1747,7 +1747,6 @@ github.com/mbilski/exhaustivestruct v1.2.0 h1:wCBmUnSYufAHO6J4AVWY6ff+oxWxsVFrwg
github.com/mbilski/exhaustivestruct v1.2.0/go.mod h1:OeTBVxQWoEmB2J2JCHmXWPJ0aksxSUOUy+nvtVEfzXc=
github.com/mediocregopher/radix/v4 v4.0.0-beta.1/go.mod h1:Z74pilm773ghbGV4EEoPvi6XWgkAfr0VCNkfa8gI1PU=
github.com/mediocregopher/radix/v4 v4.0.0/go.mod h1:ajchozX/6ELmydxWeWM6xCFHVpZ4+67LXHOTOVR0nCE=
-github.com/mgechev/dots v0.0.0-20210922191527-e955255bf517 h1:zpIH83+oKzcpryru8ceC6BxnoG8TBrhgAvRg8obzup0=
github.com/mgechev/dots v0.0.0-20210922191527-e955255bf517/go.mod h1:KQ7+USdGKfpPjXk4Ga+5XxQM4Lm4e3gAogrreFAYpOg=
github.com/mgechev/revive v1.1.2/go.mod h1:bnXsMr+ZTH09V5rssEI+jHAZ4z+ZdyhgO/zsy3EhK+0=
github.com/mgechev/revive v1.1.4 h1:sZOjY6GU35Kr9jKa/wsKSHgrFz8eASIB5i3tqWZMp0A=
@@ -2108,8 +2107,8 @@ github.com/secure-systems-lab/go-securesystemslib v0.2.0/go.mod h1:eIjBmIP8LD2ML
github.com/secure-systems-lab/go-securesystemslib v0.3.0 h1:PH0mUKuUSXVEVDbrKMgGPcrqrnKA8gJii614+EKKi7g=
github.com/secure-systems-lab/go-securesystemslib v0.3.0/go.mod h1:o8hhjkbNl2gOamKUA/eNW3xUrntHT9L4W89W1nfj43U=
github.com/securego/gosec/v2 v2.9.1/go.mod h1:oDcDLcatOJxkCGaCaq8lua1jTnYf6Sou4wdiJ1n4iHc=
-github.com/securego/gosec/v2 v2.9.6 h1:ysfvgQBp2zmTgXQl65UkqEkYlQGbnVSRUGpCrJiiR4c=
-github.com/securego/gosec/v2 v2.9.6/go.mod h1:EESY9Ywxo/Zc5NyF/qIj6Cop+4PSWM0F0OfGD7FdIXc=
+github.com/securego/gosec/v2 v2.10.0 h1:l6BET4EzWtyUXCpY2v7N92v0DDCas0L7ngg3bpqbr8g=
+github.com/securego/gosec/v2 v2.10.0/go.mod h1:PVq8Ewh/nCN8l/kKC6zrGXSr7m2NmEK6ITIAWMtIaA0=
github.com/segmentio/ksuid v1.0.3/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE=
github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE=
github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
@@ -2121,7 +2120,7 @@ github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c/go.mod h1:/PevMnwAx
github.com/shibumi/go-pathspec v1.2.0/go.mod h1:bDxCftD0fST3qXIlHoQ/fChsU4mWMVklXp1yPErQaaY=
github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE=
github.com/shirou/gopsutil/v3 v3.21.10/go.mod h1:t75NhzCZ/dYyPQjyQmrAYP6c8+LCdFANeBMdLPCNnew=
-github.com/shirou/gopsutil/v3 v3.22.1/go.mod h1:WapW1AOOPlHyXr+yOyw3uYx36enocrtSoSBy0L5vUHY=
+github.com/shirou/gopsutil/v3 v3.22.2/go.mod h1:WapW1AOOPlHyXr+yOyw3uYx36enocrtSoSBy0L5vUHY=
github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ=
@@ -2151,8 +2150,8 @@ github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrf
github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
-github.com/sivchari/containedctx v1.0.1 h1:fJq44cX+tD+uT5xGrsg25GwiaY61NGybQk9WWKij3Uo=
-github.com/sivchari/containedctx v1.0.1/go.mod h1:PwZOeqm4/DLoJOqMSIJs3aKqXRX4YO+uXww087KZ7Bw=
+github.com/sivchari/containedctx v1.0.2 h1:0hLQKpgC53OVF1VT7CeoFHk9YKstur1XOgfYIc1yrHI=
+github.com/sivchari/containedctx v1.0.2/go.mod h1:PwZOeqm4/DLoJOqMSIJs3aKqXRX4YO+uXww087KZ7Bw=
github.com/sivchari/tenv v1.4.7 h1:FdTpgRlTue5eb5nXIYgS/lyVXSjugU8UUVDwhP1NLU8=
github.com/sivchari/tenv v1.4.7/go.mod h1:5nF+bITvkebQVanjU6IuMbvIot/7ReNsUV7I5NbprB0=
github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
@@ -2194,8 +2193,9 @@ github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHN
github.com/spf13/cobra v1.1.1/go.mod h1:WnodtKOvamDL/PwE2M4iKs8aMDBZ5Q5klgD3qfVJQMI=
github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo=
github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk=
-github.com/spf13/cobra v1.3.0 h1:R7cSvGu+Vv+qX0gW5R/85dx2kmmJT5z5NM8ifdYjdn0=
github.com/spf13/cobra v1.3.0/go.mod h1:BrRVncBjOJa/eUcVVm9CE+oC6as8k+VYr4NY7WCi9V4=
+github.com/spf13/cobra v1.4.0 h1:y+wJpx64xcgO1V+RcnwW0LEHxTKRi2ZDPSBjWnrg88Q=
+github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g=
github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
@@ -2289,8 +2289,9 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1
github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
github.com/tmc/grpc-websocket-proxy v0.0.0-20200427203606-3cfed13b9966/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
-github.com/tomarrell/wrapcheck/v2 v2.4.0 h1:mU4H9KsqqPZUALOUbVOpjy8qNQbWLoLI9fV68/1tq30=
github.com/tomarrell/wrapcheck/v2 v2.4.0/go.mod h1:68bQ/eJg55BROaRTbMjC7vuhL2OgfoG8bLp9ZyoBfyY=
+github.com/tomarrell/wrapcheck/v2 v2.5.0 h1:g27SGGHNoQdvHz4KZA9o4v09RcWzylR+b1yueE5ECiw=
+github.com/tomarrell/wrapcheck/v2 v2.5.0/go.mod h1:68bQ/eJg55BROaRTbMjC7vuhL2OgfoG8bLp9ZyoBfyY=
github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4=
github.com/tommy-muehle/go-mnd/v2 v2.4.0/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr8TnZn9lwVDlgzw=
github.com/tommy-muehle/go-mnd/v2 v2.5.0 h1:iAj0a8e6+dXSL7Liq0aXPox36FiN1dBbjA6lt9fl65s=
@@ -2595,8 +2596,9 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
-golang.org/x/mod v0.5.1 h1:OJxoQ/rynoF0dcCdI7cLPktw/hR2cueqYfjm43oqK38=
golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
+golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 h1:kQgndtyPBW/JIYERgdxfwMYh3AVStj88WQTlNDi2a+o=
+golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -3039,8 +3041,9 @@ golang.org/x/tools v0.1.6/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
golang.org/x/tools v0.1.8/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
golang.org/x/tools v0.1.9-0.20211228192929-ee1ca4ffc4da/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
-golang.org/x/tools v0.1.9 h1:j9KsMiaP1c3B0OTQGth0/k+miLGTgLsAFUCrF2vLcF8=
golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
+golang.org/x/tools v0.1.10 h1:QjFRCZxdOhBJ/UNgnBZLbNV13DlbnK0quyivTnXJM20=
+golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -3287,8 +3290,9 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
google.golang.org/protobuf v1.25.1-0.20200805231151-a709e31e5d12/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ=
google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
+google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk=
@@ -3444,8 +3448,8 @@ knative.dev/hack v0.0.0-20220118141833-9b2ed8471e30/go.mod h1:PHt8x8yX5Z9pPquBEf
knative.dev/pkg v0.0.0-20211004133827-74ac82a333a4/go.mod h1:r27D20afKNeK+9aNOg+0qMv8JgQcyeP+CAYQIR1jEQY=
knative.dev/pkg v0.0.0-20220121092305-3ba5d72e310a/go.mod h1:etVT7Tm8pSDf4RKhGk4r7j/hj3dNBpvT7bO6a6wpahs=
mvdan.cc/gofumpt v0.1.1/go.mod h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48=
-mvdan.cc/gofumpt v0.2.1 h1:7jakRGkQcLAJdT+C8Bwc9d0BANkVPSkHZkzNv07pJAs=
-mvdan.cc/gofumpt v0.2.1/go.mod h1:a/rvZPhsNaedOJBzqRD9omnwVwHZsBdJirXHa9Gh9Ig=
+mvdan.cc/gofumpt v0.3.0 h1:kTojdZo9AcEYbQYhGuLf/zszYthRdhDNDUi2JKTxas4=
+mvdan.cc/gofumpt v0.3.0/go.mod h1:0+VyGZWleeIj5oostkOex+nDBA0eyavuDnDusAJ8ylo=
mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed h1:WX1yoOaKQfddO/mLzdV4wptyWgoH/6hwLs7QHTixo0I=
mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc=
mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b h1:DxJ5nJdkhDlLok9K6qO+5290kphDJbHOQO1DFFFTeBo=
diff --git a/utests/utlib.go b/utests/utlib.go
index 3dc1dc354b7..eb67e213d8e 100644
--- a/utests/utlib.go
+++ b/utests/utlib.go
@@ -100,8 +100,13 @@ func errCmp(e1, e2 error) bool {
// ValidateTestReturn validates expected TestReturn with actual checker.CheckResult values.
// nolint: thelper
-func ValidateTestReturn(t *testing.T, name string, expected *TestReturn,
- actual *checker.CheckResult, logger *TestDetailLogger) bool {
+func ValidateTestReturn(
+ t *testing.T,
+ name string,
+ expected *TestReturn,
+ actual *checker.CheckResult,
+ logger *TestDetailLogger,
+) bool {
actualTestReturn, err := getTestReturn(actual, logger)
if err != nil {
panic(err)
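Review bot: `ValidateTestReturn` receives `t *testing.T` (and a `name`) but reports a `getTestReturn` failure with `panic(err)` on the hunk's last context line, which bypasses the testing framework's failure reporting and loses the test name the caller passed in. Since `t` is already in scope, `t.Fatalf("%s: getTestReturn: %v", name, err)` fails the test with its name attached and still stops execution. The `// nolint: thelper` directive above the signature suggests the helper convention is known; a `t.Helper()` call at the top of the body would additionally make the reported location point at the calling test rather than this helper. The body of `ValidateTestReturn` continues past the end of the hunk, so later assertions in it are not visible here.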
@@ -115,7 +120,8 @@ func ValidateTestReturn(t *testing.T, name string, expected *TestReturn,
// ValidateLogMessage tests that at least one log message returns true for isExpectedMessage.
func ValidateLogMessage(isExpectedMessage func(checker.LogMessage, checker.DetailType) bool,
- dl *TestDetailLogger) bool {
+ dl *TestDetailLogger,
+) bool {
for _, message := range dl.messages {
if isExpectedMessage(message.Msg, message.Type) {
return true