Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Provide some way for smaller Javascript projects to pass the Fuzzing check #2792

Closed
djahandarie opened this issue Mar 26, 2023 · 9 comments
Closed
Labels
check/Fuzzing kind/enhancement New feature or request

Comments

@djahandarie
Copy link

Currently, the following options exist for passing the fuzzing check:

  • if the repository name is included in the OSS-Fuzz project list;

    Not possible for smaller projects

  • if ClusterFuzzLite is deployed in the repository;

    Does not support Javascript

  • if there are user-defined language-specified fuzzing functions (currently only supports Go fuzzing) in the repository.

    Does not support Javascript

  • if it contains a OneFuzz integration detection file;

    Does not support Javascript

There are a couple JS fuzzing tools out there, but since OSS-Fuzz has settled on Jazzer.js as their supported JS fuzzing tool, perhaps it'd be a good first step if the scorecard checked for the existence of @jazzer.js/core in the node config as an alternative way to pass this check?

@djahandarie djahandarie added the kind/enhancement New feature or request label Mar 26, 2023
@laurentsimon
Copy link
Contributor

/cc @spencerschrock

@spencerschrock
Copy link
Member

Hmm, I could see about adding logic here:

// Contains fuzzing speficications for programming languages.
// Please use the type Language defined in clients/languages.go rather than a raw string.
var languageFuzzSpecs = map[clients.LanguageName]languageFuzzConfig{
// Default fuzz patterns for Go.
clients.Go: {
filePattern: "*_test.go",
funcPattern: `func\s+Fuzz\w+\s*\(\w+\s+\*testing.F\)`,
Name: fuzzerBuiltInGo,
URL: asPointer("https://go.dev/doc/fuzz/"),
Desc: asPointer(
"Go fuzzing intelligently walks through the source code to report failures and find vulnerabilities."),
},
// TODO: add more language-specific fuzz patterns & configs.
}

I'm not that knowledgable about JS, but would it just be looking for "@jazzer.js/core" in the package.json file? That could have some false positives as opposed to parsing the dev dependencies to look for it

@djahandarie
Copy link
Author

I'm not that knowledgable about JS, but would it just be looking for "@jazzer.js/core" in the package.json file?

Yeah.

That could have some false positives as opposed to parsing the dev dependencies to look for it

In the end it isn't a perfect check as anyone can easily include the dependency and then not actually implementing any fuzzing, so I don't think a false positive due it being in the wrong part of the file is a huge deal.

But I think this is a fine initial level of support, it could be refined to be more accurate if someone comes up with an idea for a more precise check.

@ericcornelissen
Copy link

I'd like to propose considering jsfuzz (jsfuzz repository) in addition to @jazzer.js/core.

@spencerschrock
Copy link
Member

If someone would like to send a PR they can use #2843 as a template more or less.

@dubzzz
Copy link
Contributor

dubzzz commented May 24, 2023

Same as:

I'd like to propose considering jsfuzz (jsfuzz repository) in addition to @jazzer.js/core.

I think adding "the project is relying on fast-check" should also be considered as a fuzzed project.

@laurentsimon
Copy link
Contributor

If you know how how to check support for fas-check, feel free to send a PR

dubzzz added a commit to dubzzz/scorecard that referenced this issue May 26, 2023
As suggested at ossf#2792 (comment), we add support for the detection of fast-check as a possible fuzzing solution.

I also adapted the documentation related to fuzzing accordingly.
dubzzz added a commit to dubzzz/scorecard that referenced this issue May 26, 2023
As suggested at ossf#2792 (comment), we add support for the detection of fast-check as a possible fuzzing solution.

I also adapted the documentation related to fuzzing accordingly.

Signed-off-by: Nicolas DUBIEN <[email protected]>
dubzzz added a commit to dubzzz/scorecard that referenced this issue May 26, 2023
As suggested at ossf#2792 (comment), we add support for the detection of fast-check as a possible fuzzing solution.

I also adapted the documentation related to fuzzing accordingly.

Signed-off-by: Nicolas DUBIEN <[email protected]>
dubzzz added a commit to dubzzz/scorecard that referenced this issue Jun 1, 2023
As suggested at ossf#2792 (comment), we add support for the detection of fast-check as a possible fuzzing solution.

I also adapted the documentation related to fuzzing accordingly.

Signed-off-by: Nicolas DUBIEN <[email protected]>
dubzzz added a commit to dubzzz/scorecard that referenced this issue Jun 4, 2023
As suggested at ossf#2792 (comment), we add support for the detection of fast-check as a possible fuzzing solution.

I also adapted the documentation related to fuzzing accordingly.

Signed-off-by: Nicolas DUBIEN <[email protected]>
naveensrinivasan pushed a commit that referenced this issue Jun 4, 2023
* ✨ Detect fast-check PBT library for fuzz section

As suggested at #2792 (comment), we add support for the detection of fast-check as a possible fuzzing solution.

I also adapted the documentation related to fuzzing accordingly.

Signed-off-by: Nicolas DUBIEN <[email protected]>

* Typo

Signed-off-by: Nicolas DUBIEN <[email protected]>

* Update missing md files

Signed-off-by: Nicolas DUBIEN <[email protected]>

---------

Signed-off-by: Nicolas DUBIEN <[email protected]>
balteravishay pushed a commit to balteravishay/scorecard that referenced this issue Jun 11, 2023
* ✨ Detect fast-check PBT library for fuzz section

As suggested at ossf#2792 (comment), we add support for the detection of fast-check as a possible fuzzing solution.

I also adapted the documentation related to fuzzing accordingly.

Signed-off-by: Nicolas DUBIEN <[email protected]>

* Typo

Signed-off-by: Nicolas DUBIEN <[email protected]>

* Update missing md files

Signed-off-by: Nicolas DUBIEN <[email protected]>

---------

Signed-off-by: Nicolas DUBIEN <[email protected]>
Signed-off-by: Avishay <[email protected]>
balteravishay pushed a commit to balteravishay/scorecard that referenced this issue Jun 11, 2023
* ✨ Detect fast-check PBT library for fuzz section

As suggested at ossf#2792 (comment), we add support for the detection of fast-check as a possible fuzzing solution.

I also adapted the documentation related to fuzzing accordingly.

Signed-off-by: Nicolas DUBIEN <[email protected]>

* Typo

Signed-off-by: Nicolas DUBIEN <[email protected]>

* Update missing md files

Signed-off-by: Nicolas DUBIEN <[email protected]>

---------

Signed-off-by: Nicolas DUBIEN <[email protected]>
Signed-off-by: Avishay <[email protected]>
spencerschrock pushed a commit that referenced this issue Jun 15, 2023
* add nuget package manager

Signed-off-by: Avishay <[email protected]>

* fix pat test messages (#2987)

* also fix pat tests

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump slsa-framework/slsa-github-generator from 1.5.0 to 1.6.0

Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0)

---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump cloud.google.com/go/bigquery from 1.51.1 to 1.51.2 (#2984)

Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.51.1 to 1.51.2.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.51.1...bigquery/v1.51.2)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang.org/x/tools from 0.9.0 to 0.9.1

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.0 to 0.9.1.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.0...v0.9.1)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :bug: Update osv-scanner dependency to include Vulnerabilities check fixes (#2981)

* Update osv-scanner dependency to include Vulnerabilities check fixes

Signed-off-by: Laurent Savaëte <[email protected]>

* Run go mod tidy

Signed-off-by: Laurent Savaëte <[email protected]>

---------

Signed-off-by: Laurent Savaëte <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/docker/distribution in /tools (#2993)

Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible.
- [Release notes](https://github.com/docker/distribution/releases)
- [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2)

---
updated-dependencies:
- dependency-name: github.com/docker/distribution
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* 🌱 Gitlab: e2e test fixes in main (#2992)

* test secret chagnes

Signed-off-by: Raghav Kaul <[email protected]>

* update score

Signed-off-by: Raghav Kaul <[email protected]>

* address cr comments

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

---------

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Unit tests log/log.go (#2980)

- Add unit tests for the log package
- Add Apache License to log_test.go

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/cloudflare/circl in /tools (#2995)

Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.2.0 to 1.3.3.
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](https://github.com/cloudflare/circl/compare/v1.2.0...v1.3.3)

---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :sparkles: Add releasing workflow for semantic-release (#2989)

Signed-off-by: Matt Travi <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump slsa-framework/slsa-verifier from 2.2.0 to 2.3.0

Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/slsa-framework/slsa-verifier/releases)
- [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md)
- [Commits](https://github.com/slsa-framework/slsa-verifier/compare/v2.2.0...v2.3.0)

---
updated-dependencies:
- dependency-name: slsa-framework/slsa-verifier
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#2994)

Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.1.0 to 1.3.3.
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](https://github.com/cloudflare/circl/compare/v1.1.0...v1.3.3)

---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934)

* :seedling: Additional e2e clients/githubrepo/checkruns.go

- Add `net/http` and `github.com/google/go-github/v38/github` imports
- Add a test for `listCheckRunsForRef` with valid ref
- Add a test for `listCheckRunsForRef` with invalid ref

Signed-off-by: naveensrinivasan <[email protected]>

* Based on code review comments

Signed-off-by: naveensrinivasan <[email protected]>

* Some tweaks

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: E2E for clients/githubrepo/contributors.go (#2939)

* :seedling: E2E for clients/githubrepo/contributors.go

- Add an end-to-end test for `contributorsHandler`

Signed-off-by: naveensrinivasan <[email protected]>

* Fixed based on code review comments.

Signed-off-by: naveensrinivasan <[email protected]>

* Fixed codereview comment.

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :book: Clarify that AI/ML doesn't count as human code review (#2953)

* Clarify that AI/ML doesn't count as human code review

Add this clarification per the Scorecards Zoom call meeting today
(2023-05-04).

Signed-off-by: David A. Wheeler <[email protected]>

* Tweaked per review

Signed-off-by: David A. Wheeler <[email protected]>

---------

Signed-off-by: David A. Wheeler <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/cii

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /cron/internal/controller

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /cron/internal/worker

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang from `31a8f92` to `685a22e`

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/bq

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /cron/internal/webhook

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* Clarify AI/ML not human code review - in .yml file (#3012)

This clarifies that AI/ML doesn't count as human code review.
This was earlier done in #2953 but that didn't modify the relevant
.yml file - this does.

Signed-off-by: David A. Wheeler <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#3005)

Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.7.0 to 0.8.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.7.0...v0.8.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Unit tests for checks/raw/maintained.go (#2996)

- Add tests and checks for the `Maintained` function
- Add checks for `IsArchived`, `ListCommits`, `ListIssues`, and `GetCreatedAt`

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 in /tools

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump actions/setup-go from 4.0.0 to 4.0.1

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/4d34df0c2316fe8122ab82dc22947d607c0c91f9...fac708d6674e30b6ba41289acaab6d4b75aa0753)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump codecov/codecov-action from 3.1.3 to 3.1.4

Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/894ff025c7b54547a9a2a1e9f228beae737ad3c2...eaaf4bedf32dbdc6b720b63067d99c4d77d6047d)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Unit tests for Policy.go (#3003)

- Included tests for policy.go

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump sigstore/cosign-installer from 3.0.3 to 3.0.4

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/204a51a57a74d190b284a0ce69b44bc37201f343...03d0fecf172873164a163bbc64bed0f3bf114ed7)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/google/go-containerregistry (#3025)

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.1 to 0.15.2.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.15.1...v0.15.2)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1

Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.1.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.1)

---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Included e2e tests for push to main (#2951)

- Update trigger for integration tests to enable running on `push` and `pull_request` on the `main` branch

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Included directories that don't require coverage (#3002)

- Included directories that don't require coverage.

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Unit tests for checks/raw/contributors.go (#2998)

- Add tests and fix casing for Contributors function in checks/raw/contributors_test.go

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* ✨ GitLab: Code Review check (#2764)

* Add GitLab support for Code-Review check

Signed-off-by: Raghav Kaul <[email protected]>

* Remove spurious printf

Signed-off-by: Raghav Kaul <[email protected]>

* Working commit

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

* e2e test

Signed-off-by: Raghav Kaul <[email protected]>

* update: test coverage

Signed-off-by: Raghav Kaul <[email protected]>

---------

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* gitlab: license check (#2834)

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#3031)

Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.1 to 1.9.2.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.1...v1.9.2)

---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/google/osv-scanner

Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3-0.20230509011216-baae1796eeea to 1.3.3.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/commits/v1.3.3)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#3029)

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/03d0fecf172873164a163bbc64bed0f3bf114ed7...dd6b2e2b610a11fd73dd187a43d57cc1394e35f9)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump arduino/setup-protoc from 1.1.2 to 1.2.0

Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.1.2 to 1.2.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](https://github.com/arduino/setup-protoc/compare/64c0c85d18e984422218383b81c52f8b077404d3...4b3578161eece2eb20a9dfd84bb8ed105e684dba)

---
updated-dependencies:
- dependency-name: arduino/setup-protoc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :sparkles: Add support for github GHES (#2999)

* :sparkles: adding support for github GHES

Signed-off-by: Niket Patel <[email protected]>

* fix: lint and cleanup

Signed-off-by: Niket Patel <[email protected]>

* fix: flaky test

Signed-off-by: Niket Patel <[email protected]>

* fix: address missing host

Signed-off-by: Niket Patel <[email protected]>

* fix: lint error

Signed-off-by: Niket Patel <[email protected]>

* :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934)

* :seedling: Additional e2e clients/githubrepo/checkruns.go

- Add `net/http` and `github.com/google/go-github/v38/github` imports
- Add a test for `listCheckRunsForRef` with valid ref
- Add a test for `listCheckRunsForRef` with invalid ref

Signed-off-by: naveensrinivasan <[email protected]>

* Based on code review comments

Signed-off-by: naveensrinivasan <[email protected]>

* Some tweaks

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Niket Patel <[email protected]>

* :seedling: E2E for clients/githubrepo/contributors.go (#2939)

* :seedling: E2E for clients/githubrepo/contributors.go

- Add an end-to-end test for `contributorsHandler`

Signed-off-by: naveensrinivasan <[email protected]>

* Fixed based on code review comments.

Signed-off-by: naveensrinivasan <[email protected]>

* Fixed codereview comment.

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Niket Patel <[email protected]>

* chore: add GHES instructions

Signed-off-by: Niket Patel <[email protected]>

* refact: use test setenv

Signed-off-by: Niket Patel <[email protected]>

* fix: corp unit test

Signed-off-by: Niket Patel <[email protected]>

---------

Signed-off-by: Niket Patel <[email protected]>
Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Niket Patel <[email protected]>
Co-authored-by: Naveen <[email protected]>
Co-authored-by: raghavkaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* Change Facilitators to Maintainers (#3039)

Not sure what the old facilitators table was for. Current list of Maintainers is always in CODEOWNERS.

Meaning of "Maintainers" still is not defined, and should be a part of an upcoming contributor ladder.

Signed-off-by: Jeff Mendoza <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :bug: Gitlab: Commit/Commitor Exceptions (#3026)

* feat: Added paging for contributor/users against gitlab projects

Signed-off-by: Robison, Jim B <[email protected]>

* refactor: Updated the bot flag for unmatched users

Signed-off-by: Robison, Jim B <[email protected]>

* fix: Not all commit users are in the git registry instance

Signed-off-by: Robison, Jim B <[email protected]>

* fix: Skipping check if the email is empty, as well as if the "email" doesn't contain a "." char.

Signed-off-by: Robison, Jim B <[email protected]>

* fix: Updated to allow for commits with PRs to be accounted/added to the client.commits

Signed-off-by: Robison, Jim B <[email protected]>

* refactor: Updated to prevent linting issue regarding nested if's

Signed-off-by: Robison, Jim B <[email protected]>

* test: Adding coverage for commits and contributors for gitlab

Signed-off-by: Robison, Jim B <[email protected]>

* refactor: Moved queries from the client to their own functions

Signed-off-by: Robison, Jim B <[email protected]>

* bug: Need to pass the ProjectID value to the contributor query

Signed-off-by: Robison, Jim B <[email protected]>

* bug: Updating project title versus projectID values for api querying

Signed-off-by: Robison, Jim B <[email protected]>

* test: Updated tests to match expected property set for projectID

Signed-off-by: Robison, Jim B <[email protected]>

* revert: Reverted based on feedback during review

Signed-off-by: Robison, Jim B <[email protected]>

---------

Signed-off-by: Robison, Jim B <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#3040)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :book: Make all StepSecurity app endpoint references consistent (#3042)

Signed-off-by: Ashish Kurmi <[email protected]>
Signed-off-by: Avishay <[email protected]>

* 📖 Update checks.md to show the benefit of >=2 reviewers (#3013)

* Update checks.yaml instead of cehcks.md

Signed-off-by: Joyce <[email protected]>

* feat: generate checks.md

Signed-off-by: Joyce Brum <[email protected]>

---------

Signed-off-by: Joyce <[email protected]>
Signed-off-by: Joyce Brum <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Improve workflow pinning remediation tests (#3021)

- Add 3 tests for workflow pinning remediation

[remediation/remediations_test.go]
- Add 3 tests for workflow pinning remediation

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go (#3000)

* :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go

- Included e2e tests for clients/githubrepo/languages_e2e_test.go

Signed-off-by: naveensrinivasan <[email protected]>

* Fixed the token type check.

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Naveen <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Unit tests for pkg/json_raw_results (#3044)

* :seedling: Unit tests for pkg/json_raw_results.go

- Unit tests for pkg/json_raw_results.go

Signed-off-by: naveensrinivasan <[email protected]>

* Additional tests

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* ✨  [experimental] Add probe code and support for Tool-Update-Dependency (#2944)

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

---------

Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: Avishay <[email protected]>

* add zoom link and agenda link (#3050)

Signed-off-by: Amanda L Martin <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Run E2E PAT test for push to main (#3046)

- Add E2E PAT tests for push to main.

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* Update main.yml (#3054)

-Fixed the YAML indenting issue.

Signed-off-by: Naveen <[email protected]>
Signed-off-by: Avishay <[email protected]>

* only run e2e pat on push (#3056)

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#3057)

Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :book: :ghost: fix anchor link to the code review section (#3058)

* fix anchor link to code-review in checks.yaml

Signed-off-by: dasfreak <[email protected]>
Signed-off-by: Marc Ohm <[email protected]>

* generate checks.md

Signed-off-by: Marc Ohm <[email protected]>

---------

Signed-off-by: dasfreak <[email protected]>
Signed-off-by: Marc Ohm <[email protected]>
Signed-off-by: Avishay <[email protected]>

* 🐛 Gitlab: Tests (#3027)

* fix tests

Signed-off-by: Raghav Kaul <[email protected]>

* use projectID instead of project where applicable

Signed-off-by: Raghav Kaul <[email protected]>

* pass ref as listcommitoption

Signed-off-by: Raghav Kaul <[email protected]>

* update tests

* CI-Tests: check if score > 0. pull request client is limited and can't
go back to arbitrary pull requests. CI-Tests don't run on forks, so this
can't be pinned either. But, for active repositories, we typically
expect *some* tests to be run

Signed-off-by: Raghav Kaul <[email protected]>

* fix commitshandler commitSHA tests

Signed-off-by: Raghav Kaul <[email protected]>

* update tests

Signed-off-by: Raghav Kaul <[email protected]>

---------

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: raghavkaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/goreleaser/nfpm/v2 in /tools (#3060)

Bumps [github.com/goreleaser/nfpm/v2](https://github.com/goreleaser/nfpm) from 2.28.0 to 2.29.0.
- [Release notes](https://github.com/goreleaser/nfpm/releases)
- [Changelog](https://github.com/goreleaser/nfpm/blob/main/.goreleaser.yml)
- [Commits](https://github.com/goreleaser/nfpm/compare/v2.28.0...v2.29.0)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/nfpm/v2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* ✨ Gitlab: Add projects to cron (#2936)

* cron: add gitlab projects

* support gitlab client
* simplify gitlab detection

Signed-off-by: Raghav Kaul <[email protected]>

* fix MakeGitlabRepo

* shortcut when repo url is github.com
* fixes add-projects, validate-projects

Signed-off-by: Raghav Kaul <[email protected]>

* Move gitlab repos to release controller

Signed-off-by: Raghav Kaul <[email protected]>

* Add csv headers

Signed-off-by: Raghav Kaul <[email protected]>

* Use gitlab.WithBaseURL

Signed-off-by: Raghav Kaul <[email protected]>

* formatting & logging

Signed-off-by: Raghav Kaul <[email protected]>

* remove spurious test

Signed-off-by: Raghav Kaul <[email protected]>

* consolidate logic

Signed-off-by: Raghav Kaul <[email protected]>

* Turn on experimental flag

Signed-off-by: Raghav Kaul <[email protected]>

* Add projects

Signed-off-by: Raghav Kaul <[email protected]>

* Update client

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

---------

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Simplify caching in docker workflow (#3061)

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github/codeql-action from 2.3.3 to 2.3.4 (#3064)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/29b1f65c5e92e24fe6b6647da1eaabe529cec70f...f0e3dfb30302f8a0881bb509b044e0de4f6ef589)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump cloud.google.com/go/pubsub from 1.30.1 to 1.31.0 (#3065)

Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.30.1 to 1.31.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.30.1...pubsub/v1.31.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* 🐛 gitlab: cron  (#3070)

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github/codeql-action from 2.3.4 to 2.3.5 (#3072)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.4 to 2.3.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/f0e3dfb30302f8a0881bb509b044e0de4f6ef589...0225834cc549ee0ca93cb085b92954821a145866)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump tj-actions/changed-files from 35.9.2 to 36.0.3 (#3071)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.9.2 to 36.0.3.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/b2d17f51244a144849c6b37a3a6791b98a51d86f...25eaddf37ae893cec889065e9a60439c8af6f089)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* 🐛 Gitlab status updates (#3052)

* doc: Updating gitlab support validation status

Signed-off-by: Robison, Jim B <[email protected]>

* bug: Updated  logic for gitlab to prevent exceptions based on releases

Signed-off-by: Robison, Jim B <[email protected]>

* test: Added initial tests for gitlab branches

Signed-off-by: Robison, Jim B <[email protected]>

* doc: Updated general README

Signed-off-by: Robison, Jim B <[email protected]>

* refactor: Cleaned up the query for pipelines to be focused on the commitID

Signed-off-by: Robison, Jim B <[email protected]>

* feat: Allowed for a non-graphql method of retrieving MRs associated to a commit

Signed-off-by: Robison, Jim B <[email protected]>

* doc: Updated status for the CI-Tests

Signed-off-by: Robison, Jim B <[email protected]>

* bug: Updated the host url for graphql querying. This enabled the removal of the code added for handling empty returns when executing against a non-gitlab.com repository.

Signed-off-by: Robison, Jim B <[email protected]>

---------

Signed-off-by: Robison, Jim B <[email protected]>
Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 in /tools (#3079)

Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.1.1 to 1.2.0.
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/rekor/compare/v1.1.1...v1.2.0)

---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* get nuget latest version from registration URL

Signed-off-by: Avishay <[email protected]>

* better coverage

Signed-off-by: Avishay <[email protected]>

* sign

Signed-off-by: Avishay <[email protected]>

* fix tests

Signed-off-by: Avishay <[email protected]>

* more tests

Signed-off-by: Avishay <[email protected]>

* client tests

Signed-off-by: Avishay <[email protected]>

* lint

Signed-off-by: Avishay <[email protected]>

* Apply suggestions from code review

Co-authored-by: Joel Verhagen <[email protected]>
Signed-off-by: Avishay Balter <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang from `685a22e` to `690e413` (#3080)

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/cii

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /cron/internal/controller

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /cron/internal/worker

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /cron/internal/webhook

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/bq

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump arduino/setup-protoc from 1.2.0 to 1.3.0 (#3089)

Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.2.0 to 1.3.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](https://github.com/arduino/setup-protoc/compare/4b3578161eece2eb20a9dfd84bb8ed105e684dba...149f6c87b92550901b26acd1632e11c3662e381f)

---
updated-dependencies:
- dependency-name: arduino/setup-protoc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump tj-actions/changed-files from 36.0.3 to 36.0.9 (#3088)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.3 to 36.0.9.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/25eaddf37ae893cec889065e9a60439c8af6f089...cf4fe8759a45edd76ed6215da3529d2dbd2a3c68)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* pr iteration 2

Signed-off-by: Avishay <[email protected]>

* pr iteration 3

Signed-off-by: Avishay <[email protected]>

* switch security policy e2e test to ossf-tests repo. (#3090)

tensorflow/tensorflow is huge and was slowing down tests.
Also removed the rust e2e tests because they're already present as unit tests.

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 in /tools (#3094)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 (#3093)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#3104)

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.4 to 3.0.6.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e...1360a344ccb0ab6e9475edef90ad2f46bf8003b1)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump tj-actions/changed-files from 36.0.9 to 36.0.12 (#3108)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.9 to 36.0.12.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/cf4fe8759a45edd76ed6215da3529d2dbd2a3c68...5978e5a2df95ef20cde627d4acb5edd1f87ba46a)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/xanzy/go-gitlab from 0.83.0 to 0.84.0 (#3106)

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.83.0 to 0.84.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.83.0...v0.84.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang.org/x/tools from 0.9.1 to 0.9.2

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.1 to 0.9.2.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.1...v0.9.2)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* ✨ GitLab: enable more checks in cron (#3097)

* Enable checks

* Binary-Artifacts
* Code-Review
* License
* Vulnerabilities

Signed-off-by: Raghav Kaul <[email protected]>

* Enable more checks

* CII Best Practices
* Fuzzing
* Maintained
* Packaging
* Pinned-Dependencies
* Signed-Releases

Signed-off-by: Raghav Kaul <[email protected]>

* update repo name

Signed-off-by: Raghav Kaul <[email protected]>

---------

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :book: agenda link change (#3111)

Signed-off-by: Amanda L Martin <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github/codeql-action from 2.3.5 to 2.3.6 (#3112)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump tj-actions/changed-files from 36.0.12 to 36.0.15 (#3116)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.12 to 36.0.15.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/5978e5a2df95ef20cde627d4acb5edd1f87ba46a...5d2fcdb4cbef720a52f49fd05d8c7edd18a64758)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang.org/x/tools from 0.9.2 to 0.9.3

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.2 to 0.9.3.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.2...v0.9.3)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Unit tests for option (#3109)

- Add flags for repo, local, commit, log level, NPM, PyPI, RubyGems, metadata, show details, checks to run, policy file, and format
- Add tests for checks to run and format flags

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* 🌱 GitLab: add gitlab auth token to cron worker env (#3117)

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* Don't run pat e2e on dependabot merges (#3119)

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* ✨ Detect fast-check PBT library for fuzz section (#3073)

* ✨ Detect fast-check PBT library for fuzz section

As suggested at https://github.com/ossf/scorecard/issues/2792#issuecomment-1562007596, we add support for the detection of fast-check as a possible fuzzing solution.

I also adapted the documentation related to fuzzing accordingly.

Signed-off-by: Nicolas DUBIEN <[email protected]>

* Typo

Signed-off-by: Nicolas DUBIEN <[email protected]>

* Update missing md files

Signed-off-by: Nicolas DUBIEN <[email protected]>

---------

Signed-off-by: Nicolas DUBIEN <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: temporarily disable failing e2e tests so we don't block all PRs. (#3130)

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Avishay <[email protected]>

* pr comments

Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#3121)

Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3)

---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* i:seedling: Ignore all pb files for test (#3127)

- Update .codecov.yml to ignore additional files

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Deprecate dependencydiff package and add access token requirement (#3125)

- Deprecate the `dependencydiff` package and the `GetDependencyDiffResults` function
- Add a line to the `.codecov.yml` to ignore the `dependencydiff` package

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* ✨ [experimental] Support for new `--format probe` (#3048)

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

---------

Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump distroless/base (#3122)

Bumps distroless/base from `10985f0` to `c623859`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Ignore deprecation warning for dependencydiff tests. (#3136)

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump tj-actions/changed-files from 36.0.15 to 36.0.18

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.15 to 36.0.18.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/5d2fcdb4cbef720a52f49fd05d8c7edd18a64758...07e0177b72d3640efced741cae32f9861eee1367)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 in /tools (#3135)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/google/osv-scanner from 1.3.3 to 1.3.4

Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3 to 1.3.4.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/compare/v1.3.3...v1.3.4)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/gomega from 1.27.7 to 1.27.8

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.7 to 1.27.8.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.7...v1.27.8)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 (#3139)

Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.6.0 to 1.7.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.6.0...v1.7.0)

---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Increase test coverage for finding outcomes (#3142)

* Increase test coverage for finding outcomes

- Add tests for Outcome UnmarshalYAML function in `finding/finding_test.go`

Signed-off-by: naveensrinivasan <[email protected]>

* Updates based on Codereview

- Update `Outcome` variable in `finding/finding_test.go`
- Add `t.Parallel()` for test parallelization
- Add comparison using `cmp.Diff` to test for mismatches
- Update test cases for various outcomes

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump tj-actions/changed-files from 36.0.18 to 36.1.0 (#3143)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.18 to 36.1.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/07e0177b72d3640efced741cae32f9861eee1367...fb20f4d24890fadc539505b1746d260504b213d0)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Re-enable skipped e2e tests. Switch to smaller code review repo. (#3144)

* re-enable skipped ci test

Signed-off-by: Spencer Schrock <[email protected]>

* re-enable skipped attestor test. switch to ossf-tests repo

Signed-off-by: Spencer Schrock <[email protected]>

* remove extra policies from tests that only look at code review.

Signed-off-by: Spencer Schrock <[email protected]>

* remove unneeded policies from binary artifact tests.

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Avishay <[email protected]>

* add license header

Signed-off-by: Avishay <[email protected]>

* pr comments

Signed-off-by: Avishay <[email protected]>

* making the packages internal

Signed-off-by: Avishay <[email protected]>

* generate mocks

Signed-off-by: Avishay <[email protected]>

---------

Signed-off-by: Avishay <[email protected]>
Signed-off-by: Avishay Balter <[email protected]>
@github-actions
Copy link

Stale issue message - this issue will be closed in 7 days

@spencerschrock
Copy link
Member

Completed initially via #3073, with other issues tracking alternatives (e.g. #3491 for jazzer.js)

ashearin pushed a commit to kgangerlm/scorecard-gitlab that referenced this issue Nov 13, 2023
* ✨ Detect fast-check PBT library for fuzz section

As suggested at ossf#2792 (comment), we add support for the detection of fast-check as a possible fuzzing solution.

I also adapted the documentation related to fuzzing accordingly.

Signed-off-by: Nicolas DUBIEN <[email protected]>

* Typo

Signed-off-by: Nicolas DUBIEN <[email protected]>

* Update missing md files

Signed-off-by: Nicolas DUBIEN <[email protected]>

---------

Signed-off-by: Nicolas DUBIEN <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>
ashearin pushed a commit to kgangerlm/scorecard-gitlab that referenced this issue Nov 13, 2023
* add nuget package manager

Signed-off-by: Avishay <[email protected]>

* fix pat test messages (#2987)

* also fix pat tests

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump slsa-framework/slsa-github-generator from 1.5.0 to 1.6.0

Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0)

---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump cloud.google.com/go/bigquery from 1.51.1 to 1.51.2 (#2984)

Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.51.1 to 1.51.2.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.51.1...bigquery/v1.51.2)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang.org/x/tools from 0.9.0 to 0.9.1

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.0 to 0.9.1.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.0...v0.9.1)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :bug: Update osv-scanner dependency to include Vulnerabilities check fixes (#2981)

* Update osv-scanner dependency to include Vulnerabilities check fixes

Signed-off-by: Laurent Savaëte <[email protected]>

* Run go mod tidy

Signed-off-by: Laurent Savaëte <[email protected]>

---------

Signed-off-by: Laurent Savaëte <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/docker/distribution in /tools (#2993)

Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible.
- [Release notes](https://github.com/docker/distribution/releases)
- [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2)

---
updated-dependencies:
- dependency-name: github.com/docker/distribution
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* 🌱 Gitlab: e2e test fixes in main (#2992)

* test secret chagnes

Signed-off-by: Raghav Kaul <[email protected]>

* update score

Signed-off-by: Raghav Kaul <[email protected]>

* address cr comments

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

---------

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Unit tests log/log.go (#2980)

- Add unit tests for the log package
- Add Apache License to log_test.go

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/cloudflare/circl in /tools (#2995)

Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.2.0 to 1.3.3.
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](https://github.com/cloudflare/circl/compare/v1.2.0...v1.3.3)

---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :sparkles: Add releasing workflow for semantic-release (#2989)

Signed-off-by: Matt Travi <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump slsa-framework/slsa-verifier from 2.2.0 to 2.3.0

Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/slsa-framework/slsa-verifier/releases)
- [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md)
- [Commits](https://github.com/slsa-framework/slsa-verifier/compare/v2.2.0...v2.3.0)

---
updated-dependencies:
- dependency-name: slsa-framework/slsa-verifier
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#2994)

Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.1.0 to 1.3.3.
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](https://github.com/cloudflare/circl/compare/v1.1.0...v1.3.3)

---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934)

* :seedling: Additional e2e clients/githubrepo/checkruns.go

- Add `net/http` and `github.com/google/go-github/v38/github` imports
- Add a test for `listCheckRunsForRef` with valid ref
- Add a test for `listCheckRunsForRef` with invalid ref

Signed-off-by: naveensrinivasan <[email protected]>

* Based on code review comments

Signed-off-by: naveensrinivasan <[email protected]>

* Some tweaks

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: E2E for clients/githubrepo/contributors.go (#2939)

* :seedling: E2E for clients/githubrepo/contributors.go

- Add an end-to-end test for `contributorsHandler`

Signed-off-by: naveensrinivasan <[email protected]>

* Fixed based on code review comments.

Signed-off-by: naveensrinivasan <[email protected]>

* Fixed codereview comment.

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :book: Clarify that AI/ML doesn't count as human code review (#2953)

* Clarify that AI/ML doesn't count as human code review

Add this clarification per the Scorecards Zoom call meeting today
(2023-05-04).

Signed-off-by: David A. Wheeler <[email protected]>

* Tweaked per review

Signed-off-by: David A. Wheeler <[email protected]>

---------

Signed-off-by: David A. Wheeler <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/cii

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /cron/internal/controller

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /cron/internal/worker

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang from `31a8f92` to `685a22e`

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/bq

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /cron/internal/webhook

Bumps golang from `31a8f92` to `685a22e`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* Clarify AI/ML not human code review - in .yml file (#3012)

This clarifies that AI/ML doesn't count as human code review.
This was earlier done in #2953 but that didn't modify the relevant
.yml file - this does.

Signed-off-by: David A. Wheeler <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#3005)

Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.7.0 to 0.8.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.7.0...v0.8.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Unit tests for checks/raw/maintained.go (#2996)

- Add tests and checks for the `Maintained` function
- Add checks for `IsArchived`, `ListCommits`, `ListIssues`, and `GetCreatedAt`

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 in /tools

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump actions/setup-go from 4.0.0 to 4.0.1

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/4d34df0c2316fe8122ab82dc22947d607c0c91f9...fac708d6674e30b6ba41289acaab6d4b75aa0753)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump codecov/codecov-action from 3.1.3 to 3.1.4

Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/894ff025c7b54547a9a2a1e9f228beae737ad3c2...eaaf4bedf32dbdc6b720b63067d99c4d77d6047d)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Unit tests for Policy.go (#3003)

- Included tests for policy.go

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.4 to 2.9.5.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.4...v2.9.5)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump sigstore/cosign-installer from 3.0.3 to 3.0.4

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/204a51a57a74d190b284a0ce69b44bc37201f343...03d0fecf172873164a163bbc64bed0f3bf114ed7)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/google/go-containerregistry (#3025)

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.1 to 0.15.2.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.15.1...v0.15.2)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1

Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.1.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.1)

---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Included e2e tests for push to main (#2951)

- Update trigger for integration tests to enable running on `push` and `pull_request` on the `main` branch

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Included directories that don't require coverage (#3002)

- Included directories that don't require coverage.

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Unit tests for checks/raw/contributors.go (#2998)

- Add tests and fix casing for Contributors function in checks/raw/contributors_test.go

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* ✨ GitLab: Code Review check (#2764)

* Add GitLab support for Code-Review check

Signed-off-by: Raghav Kaul <[email protected]>

* Remove spurious printf

Signed-off-by: Raghav Kaul <[email protected]>

* Working commit

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

* e2e test

Signed-off-by: Raghav Kaul <[email protected]>

* update: test coverage

Signed-off-by: Raghav Kaul <[email protected]>

---------

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* gitlab: license check (#2834)

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#3031)

Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.1 to 1.9.2.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.1...v1.9.2)

---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/google/osv-scanner

Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3-0.20230509011216-baae1796eeea to 1.3.3.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/commits/v1.3.3)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#3029)

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/03d0fecf172873164a163bbc64bed0f3bf114ed7...dd6b2e2b610a11fd73dd187a43d57cc1394e35f9)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump arduino/setup-protoc from 1.1.2 to 1.2.0

Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.1.2 to 1.2.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](https://github.com/arduino/setup-protoc/compare/64c0c85d18e984422218383b81c52f8b077404d3...4b3578161eece2eb20a9dfd84bb8ed105e684dba)

---
updated-dependencies:
- dependency-name: arduino/setup-protoc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :sparkles: Add support for github GHES (#2999)

* :sparkles: adding support for github GHES

Signed-off-by: Niket Patel <[email protected]>

* fix: lint and cleanup

Signed-off-by: Niket Patel <[email protected]>

* fix: flaky test

Signed-off-by: Niket Patel <[email protected]>

* fix: address missing host

Signed-off-by: Niket Patel <[email protected]>

* fix: lint error

Signed-off-by: Niket Patel <[email protected]>

* :seedling: Additional e2e clients/githubrepo/checkruns.go (#2934)

* :seedling: Additional e2e clients/githubrepo/checkruns.go

- Add `net/http` and `github.com/google/go-github/v38/github` imports
- Add a test for `listCheckRunsForRef` with valid ref
- Add a test for `listCheckRunsForRef` with invalid ref

Signed-off-by: naveensrinivasan <[email protected]>

* Based on code review comments

Signed-off-by: naveensrinivasan <[email protected]>

* Some tweaks

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Niket Patel <[email protected]>

* :seedling: E2E for clients/githubrepo/contributors.go (#2939)

* :seedling: E2E for clients/githubrepo/contributors.go

- Add an end-to-end test for `contributorsHandler`

Signed-off-by: naveensrinivasan <[email protected]>

* Fixed based on code review comments.

Signed-off-by: naveensrinivasan <[email protected]>

* Fixed codereview comment.

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Niket Patel <[email protected]>

* chore: add GHES instructions

Signed-off-by: Niket Patel <[email protected]>

* refact: use test setenv

Signed-off-by: Niket Patel <[email protected]>

* fix: corp unit test

Signed-off-by: Niket Patel <[email protected]>

---------

Signed-off-by: Niket Patel <[email protected]>
Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Niket Patel <[email protected]>
Co-authored-by: Naveen <[email protected]>
Co-authored-by: raghavkaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* Change Facilitators to Maintainers (#3039)

Not sure what the old facilitators table was for. Current list of Maintainers is always in CODEOWNERS.

Meaning of "Maintainers" still is not defined, and should be a part of an upcoming contributor ladder.

Signed-off-by: Jeff Mendoza <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :bug: Gitlab: Commit/Commitor Exceptions (#3026)

* feat: Added paging for contributor/users against gitlab projects

Signed-off-by: Robison, Jim B <[email protected]>

* refactor: Updated the bot flag for unmatched users

Signed-off-by: Robison, Jim B <[email protected]>

* fix: Not all commit users are in the git registry instance

Signed-off-by: Robison, Jim B <[email protected]>

* fix: Skipping check if the email is empty, as well as if the "email" doesn't contain a "." char.

Signed-off-by: Robison, Jim B <[email protected]>

* fix: Updated to allow for commits with PRs to be accounted/added to the client.commits

Signed-off-by: Robison, Jim B <[email protected]>

* refactor: Updated to prevent linting issue regarding nested if's

Signed-off-by: Robison, Jim B <[email protected]>

* test: Adding coverage for commits and contributors for gitlab

Signed-off-by: Robison, Jim B <[email protected]>

* refactor: Moved queries from the client to their own functions

Signed-off-by: Robison, Jim B <[email protected]>

* bug: Need to pass the ProjectID value to the contributor query

Signed-off-by: Robison, Jim B <[email protected]>

* bug: Updating project title versus projectID values for api querying

Signed-off-by: Robison, Jim B <[email protected]>

* test: Updated tests to match expected property set for projectID

Signed-off-by: Robison, Jim B <[email protected]>

* revert: Reverted based on feedback during review

Signed-off-by: Robison, Jim B <[email protected]>

---------

Signed-off-by: Robison, Jim B <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#3040)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :book: Make all StepSecurity app endpoint references consistent (#3042)

Signed-off-by: Ashish Kurmi <[email protected]>
Signed-off-by: Avishay <[email protected]>

* 📖 Update checks.md to show the benefit of >=2 reviewers (#3013)

* Update checks.yaml instead of cehcks.md

Signed-off-by: Joyce <[email protected]>

* feat: generate checks.md

Signed-off-by: Joyce Brum <[email protected]>

---------

Signed-off-by: Joyce <[email protected]>
Signed-off-by: Joyce Brum <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Improve workflow pinning remediation tests (#3021)

- Add 3 tests for workflow pinning remediation

[remediation/remediations_test.go]
- Add 3 tests for workflow pinning remediation

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go (#3000)

* :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go

- Included e2e tests for clients/githubrepo/languages_e2e_test.go

Signed-off-by: naveensrinivasan <[email protected]>

* Fixed the token type check.

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Naveen <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Unit tests for pkg/json_raw_results (#3044)

* :seedling: Unit tests for pkg/json_raw_results.go

- Unit tests for pkg/json_raw_results.go

Signed-off-by: naveensrinivasan <[email protected]>

* Additional tests

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* ✨  [experimental] Add probe code and support for Tool-Update-Dependency (#2944)

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

---------

Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: Avishay <[email protected]>

* add zoom link and agenda link (#3050)

Signed-off-by: Amanda L Martin <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Run E2E PAT test for push to main (#3046)

- Add E2E PAT tests for push to main.

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* Update main.yml (#3054)

-Fixed the YAML indenting issue.

Signed-off-by: Naveen <[email protected]>
Signed-off-by: Avishay <[email protected]>

* only run e2e pat on push (#3056)

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#3057)

Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :book: :ghost: fix anchor link to the code review section (#3058)

* fix anchor link to code-review in checks.yaml

Signed-off-by: dasfreak <[email protected]>
Signed-off-by: Marc Ohm <[email protected]>

* generate checks.md

Signed-off-by: Marc Ohm <[email protected]>

---------

Signed-off-by: dasfreak <[email protected]>
Signed-off-by: Marc Ohm <[email protected]>
Signed-off-by: Avishay <[email protected]>

* 🐛 Gitlab: Tests (#3027)

* fix tests

Signed-off-by: Raghav Kaul <[email protected]>

* use projectID instead of project where applicable

Signed-off-by: Raghav Kaul <[email protected]>

* pass ref as listcommitoption

Signed-off-by: Raghav Kaul <[email protected]>

* update tests

* CI-Tests: check if score > 0. pull request client is limited and can't
go back to arbitrary pull requests. CI-Tests don't run on forks, so this
can't be pinned either. But, for active repositories, we typically
expect *some* tests to be run

Signed-off-by: Raghav Kaul <[email protected]>

* fix commitshandler commitSHA tests

Signed-off-by: Raghav Kaul <[email protected]>

* update tests

Signed-off-by: Raghav Kaul <[email protected]>

---------

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: raghavkaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/goreleaser/nfpm/v2 in /tools (#3060)

Bumps [github.com/goreleaser/nfpm/v2](https://github.com/goreleaser/nfpm) from 2.28.0 to 2.29.0.
- [Release notes](https://github.com/goreleaser/nfpm/releases)
- [Changelog](https://github.com/goreleaser/nfpm/blob/main/.goreleaser.yml)
- [Commits](https://github.com/goreleaser/nfpm/compare/v2.28.0...v2.29.0)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/nfpm/v2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* ✨ Gitlab: Add projects to cron (#2936)

* cron: add gitlab projects

* support gitlab client
* simplify gitlab detection

Signed-off-by: Raghav Kaul <[email protected]>

* fix MakeGitlabRepo

* shortcut when repo url is github.com
* fixes add-projects, validate-projects

Signed-off-by: Raghav Kaul <[email protected]>

* Move gitlab repos to release controller

Signed-off-by: Raghav Kaul <[email protected]>

* Add csv headers

Signed-off-by: Raghav Kaul <[email protected]>

* Use gitlab.WithBaseURL

Signed-off-by: Raghav Kaul <[email protected]>

* formatting & logging

Signed-off-by: Raghav Kaul <[email protected]>

* remove spurious test

Signed-off-by: Raghav Kaul <[email protected]>

* consolidate logic

Signed-off-by: Raghav Kaul <[email protected]>

* Turn on experimental flag

Signed-off-by: Raghav Kaul <[email protected]>

* Add projects

Signed-off-by: Raghav Kaul <[email protected]>

* Update client

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

---------

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Simplify caching in docker workflow (#3061)

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github/codeql-action from 2.3.3 to 2.3.4 (#3064)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/29b1f65c5e92e24fe6b6647da1eaabe529cec70f...f0e3dfb30302f8a0881bb509b044e0de4f6ef589)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump cloud.google.com/go/pubsub from 1.30.1 to 1.31.0 (#3065)

Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.30.1 to 1.31.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.30.1...pubsub/v1.31.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* 🐛 gitlab: cron  (#3070)

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github/codeql-action from 2.3.4 to 2.3.5 (#3072)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.4 to 2.3.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/f0e3dfb30302f8a0881bb509b044e0de4f6ef589...0225834cc549ee0ca93cb085b92954821a145866)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump tj-actions/changed-files from 35.9.2 to 36.0.3 (#3071)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.9.2 to 36.0.3.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/b2d17f51244a144849c6b37a3a6791b98a51d86f...25eaddf37ae893cec889065e9a60439c8af6f089)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* 🐛 Gitlab status updates (#3052)

* doc: Updating gitlab support validation status

Signed-off-by: Robison, Jim B <[email protected]>

* bug: Updated  logic for gitlab to prevent exceptions based on releases

Signed-off-by: Robison, Jim B <[email protected]>

* test: Added initial tests for gitlab branches

Signed-off-by: Robison, Jim B <[email protected]>

* doc: Updated general README

Signed-off-by: Robison, Jim B <[email protected]>

* refactor: Cleaned up the query for pipelines to be focused on the commitID

Signed-off-by: Robison, Jim B <[email protected]>

* feat: Allowed for a non-graphql method of retrieving MRs associated to a commit

Signed-off-by: Robison, Jim B <[email protected]>

* doc: Updated status for the CI-Tests

Signed-off-by: Robison, Jim B <[email protected]>

* bug: Updated the host url for graphql querying. This enabled the removal of the code added for handling empty returns when executing against a non-gitlab.com repository.

Signed-off-by: Robison, Jim B <[email protected]>

---------

Signed-off-by: Robison, Jim B <[email protected]>
Co-authored-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 in /tools (#3079)

Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.1.1 to 1.2.0.
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/rekor/compare/v1.1.1...v1.2.0)

---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* get nuget latest version from registration URL

Signed-off-by: Avishay <[email protected]>

* better coverage

Signed-off-by: Avishay <[email protected]>

* sign

Signed-off-by: Avishay <[email protected]>

* fix tests

Signed-off-by: Avishay <[email protected]>

* more tests

Signed-off-by: Avishay <[email protected]>

* client tests

Signed-off-by: Avishay <[email protected]>

* lint

Signed-off-by: Avishay <[email protected]>

* Apply suggestions from code review

Co-authored-by: Joel Verhagen <[email protected]>
Signed-off-by: Avishay Balter <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang from `685a22e` to `690e413` (#3080)

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/cii

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /cron/internal/controller

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /cron/internal/worker

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /clients/githubrepo/roundtripper/tokens/server

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang in /cron/internal/webhook

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang from `685a22e` to `690e413` in /cron/internal/bq

Bumps golang from `685a22e` to `690e413`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump arduino/setup-protoc from 1.2.0 to 1.3.0 (#3089)

Bumps [arduino/setup-protoc](https://github.com/arduino/setup-protoc) from 1.2.0 to 1.3.0.
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](https://github.com/arduino/setup-protoc/compare/4b3578161eece2eb20a9dfd84bb8ed105e684dba...149f6c87b92550901b26acd1632e11c3662e381f)

---
updated-dependencies:
- dependency-name: arduino/setup-protoc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump tj-actions/changed-files from 36.0.3 to 36.0.9 (#3088)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.3 to 36.0.9.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/25eaddf37ae893cec889065e9a60439c8af6f089...cf4fe8759a45edd76ed6215da3529d2dbd2a3c68)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* pr iteration 2

Signed-off-by: Avishay <[email protected]>

* pr iteration 3

Signed-off-by: Avishay <[email protected]>

* switch security policy e2e test to ossf-tests repo. (#3090)

tensorflow/tensorflow is huge and was slowing down tests.
Also removed the rust e2e tests because they're already present as unit tests.

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 in /tools (#3094)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 (#3093)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.5 to 2.9.7.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.5...v2.9.7)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#3104)

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.0.4 to 3.0.6.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e...1360a344ccb0ab6e9475edef90ad2f46bf8003b1)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump tj-actions/changed-files from 36.0.9 to 36.0.12 (#3108)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.9 to 36.0.12.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/cf4fe8759a45edd76ed6215da3529d2dbd2a3c68...5978e5a2df95ef20cde627d4acb5edd1f87ba46a)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/xanzy/go-gitlab from 0.83.0 to 0.84.0 (#3106)

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.83.0 to 0.84.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.83.0...v0.84.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang.org/x/tools from 0.9.1 to 0.9.2

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.1 to 0.9.2.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.1...v0.9.2)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* ✨ GitLab: enable more checks in cron (#3097)

* Enable checks

* Binary-Artifacts
* Code-Review
* License
* Vulnerabilities

Signed-off-by: Raghav Kaul <[email protected]>

* Enable more checks

* CII Best Practices
* Fuzzing
* Maintained
* Packaging
* Pinned-Dependencies
* Signed-Releases

Signed-off-by: Raghav Kaul <[email protected]>

* update repo name

Signed-off-by: Raghav Kaul <[email protected]>

---------

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :book: agenda link change (#3111)

Signed-off-by: Amanda L Martin <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github/codeql-action from 2.3.5 to 2.3.6 (#3112)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump tj-actions/changed-files from 36.0.12 to 36.0.15 (#3116)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.12 to 36.0.15.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/5978e5a2df95ef20cde627d4acb5edd1f87ba46a...5d2fcdb4cbef720a52f49fd05d8c7edd18a64758)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump golang.org/x/tools from 0.9.2 to 0.9.3

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.9.2 to 0.9.3.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.9.2...v0.9.3)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Unit tests for option (#3109)

- Add flags for repo, local, commit, log level, NPM, PyPI, RubyGems, metadata, show details, checks to run, policy file, and format
- Add tests for checks to run and format flags

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* 🌱 GitLab: add gitlab auth token to cron worker env (#3117)

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* Don't run pat e2e on dependabot merges (#3119)

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

* ✨ Detect fast-check PBT library for fuzz section (#3073)

* ✨ Detect fast-check PBT library for fuzz section

As suggested at https://github.com/ossf/scorecard/issues/2792#issuecomment-1562007596, we add support for the detection of fast-check as a possible fuzzing solution.

I also adapted the documentation related to fuzzing accordingly.

Signed-off-by: Nicolas DUBIEN <[email protected]>

* Typo

Signed-off-by: Nicolas DUBIEN <[email protected]>

* Update missing md files

Signed-off-by: Nicolas DUBIEN <[email protected]>

---------

Signed-off-by: Nicolas DUBIEN <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: temporarily disable failing e2e tests so we don't block all PRs. (#3130)

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Avishay <[email protected]>

* pr comments

Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#3121)

Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3)

---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* i:seedling: Ignore all pb files for test (#3127)

- Update .codecov.yml to ignore additional files

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Deprecate dependencydiff package and add access token requirement (#3125)

- Deprecate the `dependencydiff` package and the `GetDependencyDiffResults` function
- Add a line to the `.codecov.yml` to ignore the `dependencydiff` package

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* ✨ [experimental] Support for new `--format probe` (#3048)

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

* update

Signed-off-by: laurentsimon <[email protected]>

---------

Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump distroless/base (#3122)

Bumps distroless/base from `10985f0` to `c623859`.

---
updated-dependencies:
- dependency-name: distroless/base
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Ignore deprecation warning for dependencydiff tests. (#3136)

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump tj-actions/changed-files from 36.0.15 to 36.0.18

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.15 to 36.0.18.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/5d2fcdb4cbef720a52f49fd05d8c7edd18a64758...07e0177b72d3640efced741cae32f9861eee1367)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 in /tools (#3135)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/google/osv-scanner from 1.3.3 to 1.3.4

Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.3 to 1.3.4.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/compare/v1.3.3...v1.3.4)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.9.7 to 2.10.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.9.7...v2.10.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump github.com/onsi/gomega from 1.27.7 to 1.27.8

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.7 to 1.27.8.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.7...v1.27.8)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump slsa-framework/slsa-github-generator from 1.6.0 to 1.7.0 (#3139)

Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.6.0 to 1.7.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.6.0...v1.7.0)

---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Increase test coverage for finding outcomes (#3142)

* Increase test coverage for finding outcomes

- Add tests for Outcome UnmarshalYAML function in `finding/finding_test.go`

Signed-off-by: naveensrinivasan <[email protected]>

* Updates based on Codereview

- Update `Outcome` variable in `finding/finding_test.go`
- Add `t.Parallel()` for test parallelization
- Add comparison using `cmp.Diff` to test for mismatches
- Update test cases for various outcomes

Signed-off-by: naveensrinivasan <[email protected]>

---------

Signed-off-by: naveensrinivasan <[email protected]>
Signed-off-by: Avishay <[email protected]>

* :seedling: Bump tj-actions/changed-files from 36.0.18 to 36.1.0 (#3143)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36.0.18 to 36.1.0.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/07e0177b72d3640efced741cae32f9861eee1367...fb20f4d24890fadc539505b1746d260504b213d0)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <[email protected]>

* :seedling: Re-enable skipped e2e tests. Switch to smaller code review repo. (#3144)

* re-enable skipped ci test

Signed-off-by: Spencer Schrock <[email protected]>

* re-enable skipped attestor test. switch to ossf-tests repo

Signed-off-by: Spencer Schrock <[email protected]>

* remove extra policies from tests that only look at code review.

Signed-off-by: Spencer Schrock <[email protected]>

* remove unneeded policies from binary artifact tests.

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Avishay <[email protected]>

* add license header

Signed-off-by: Avishay <[email protected]>

* pr comments

Signed-off-by: Avishay <[email protected]>

* making the packages internal

Signed-off-by: Avishay <[email protected]>

* generate mocks

Signed-off-by: Avishay <[email protected]>

---------

Signed-off-by: Avishay <[email protected]>
Signed-off-by: Avishay Balter <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
check/Fuzzing kind/enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

6 participants