🌱 Commit depth for GitLab #3671
Closed
Conversation
ashearin requested review from justaugustus and laurentsimon and removed the request for a team on November 13, 2023 17:04
* feat: Add npm install to pinned dependencies score Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix pinned dependencies evaluation tests Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, for "various warnings" test, the total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix pinned dependencies e2e tests Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. The repo being tested, ossf-tests/scorecard-check-pinned-dependencies-e2e, has third-party GitHub actions pinned, no npm installs, and all other dependencies types are unpinned. This gives us 8 for actionScore, 10 for npmScore and 0 for all other scores. Previously the total score was 8/5~=1, and now the total score is 18/6=3. Also, since there are no npm installs, there's one more Info log for "npm installs are pinned". Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix typo Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Unpinned npm install score When having one unpinned npm install and all other dependencies pinned, the score should be 50/6~=8. Also, it should raise 1 warning for the unpinned npm install, 6 infos saying the other dependency types are pinned (2 for GHAs, 2 for dockerfile image and downloads, 1 for script downloads and 1 for pip installs), and 0 debug logs since the npm install dependency does not have an error message. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Undefined npm install score When an error happens to parse a npm install dependency, the error/debug message is saved in "Msg" field. In this case, we were not able to define if the npm install is pinned or not. This dependency is classified as pinned undefined. We treat such cases as pinned cases, so it logs as Info that npm installs are all pinned and counts the score as 10. Then, the final score makes it to 10 as well. Since it logs the error/debug message, the Debug log goes to 1. Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix typo Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Fix "validate various warnings and info" test Considering the new npm installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "npm installs are all pinned". Also, this test total score has to weight now 6 scores instead of 5. The new score counts 10 for actionScore, 0 for dockerFromScore, 0 for dockerDownloadScore, 0 for scriptScore, 0 for pipScore and 10 for npm score, which gives us 20/6~=3. Signed-off-by: Gabriela Gutierrez <[email protected]>
* fix: npm dependencies pinned log Signed-off-by: Gabriela Gutierrez <[email protected]>
* test: Remove test of error when parsing an npm dependency Signed-off-by: Gabriela Gutierrez <[email protected]>
--------- Signed-off-by: Gabriela Gutierrez <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.11.6 to 0.12.0. - [Release notes](https://github.com/moby/buildkit/releases) - [Commits](moby/buildkit@v0.11.6...v0.12.0) --- updated-dependencies: - dependency-name: github.com/moby/buildkit dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
* Forgive all job-level permissions Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Update tests Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Replace magic number Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Rename test Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Test that multiple job-level permissions are forgiven Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Drop unused permissionIsPresent Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Update documentation Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Modify score descriptions Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Document warning for job-level permissions Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * List job-level permissions that get WARNed Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> --------- Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
Signed-off-by: Eugene Kliuchnikov <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
* docs(readme): suggest new score viewer on badge documentation Signed-off-by: Diogo Teles Sant'Anna <[email protected]> * docs(readme): add link to ossf blogpost about the badge Signed-off-by: Diogo Teles Sant'Anna <[email protected]> * docs: update badge of our own README to the new viewer Signed-off-by: Diogo Teles Sant'Anna <[email protected]> --------- Signed-off-by: Diogo Teles Sant'Anna <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.1 to 37.1.2. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@1f20fb8...2a968ff) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
- Update the cover profile for e2e Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
- Add e2e test for workflow runs - Retrieve successful runs of the scorecard-analysis.yml workflow Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
- Exclude dependabot from codecov job in main.yml [.github/workflows/main.yml] - Exclude dependabot from codecov job Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
- Add an e2e test for searching commits by author - Search commits by author `dependabot[bot]` and expect results Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
* fix: Verify if branch is required to be up to date before merge Signed-off-by: Gabriela Gutierrez <[email protected]> * docs: Comment tracking GraphQL bug Signed-off-by: Gabriela Gutierrez <[email protected]> * fix: Add validation if pointers are not null before accessing the values Signed-off-by: Gabriela Gutierrez <[email protected]> * fix: Delete debug log file Signed-off-by: Gabriela Gutierrez <[email protected]> --------- Signed-off-by: Gabriela Gutierrez <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
* add scdiff root command Signed-off-by: Spencer Schrock <[email protected]> * Add generate boilerplate. Signed-off-by: Spencer Schrock <[email protected]> * get rid of init Signed-off-by: Spencer Schrock <[email protected]> * read newline delimited repo file Signed-off-by: Spencer Schrock <[email protected]> * Run scorecard and echo results. Signed-off-by: Spencer Schrock <[email protected]> * add license Signed-off-by: Spencer Schrock <[email protected]> * add basic runner tests. Signed-off-by: Spencer Schrock <[email protected]> * Add Runner comment. Signed-off-by: Spencer Schrock <[email protected]> * switch to using scorecard logger. Signed-off-by: Spencer Schrock <[email protected]> * linter fix Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.1.2 to 37.3.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@2a968ff...3928317) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.3.5 to 1.3.6. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](google/osv-scanner@v1.3.5...v1.3.6) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.30.0 to 0.32.0. - [Release notes](https://github.com/google/go-cloud/releases) - [Commits](google/go-cloud@v0.30.0...v0.32.0) --- updated-dependencies: - dependency-name: gocloud.dev dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37.3.0 to 37.4.0. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@3928317...de0eba3) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
Bumps google-appengine/debian11 from `fed7dd5` to `97dc4fb`. --- updated-dependencies: - dependency-name: google-appengine/debian11 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.86.0 to 0.88.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](xanzy/go-gitlab@v0.86.0...v0.88.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
* working matrix. Signed-off-by: Spencer Schrock <[email protected]> * Remove unneeded env vars. Add comments. Signed-off-by: Spencer Schrock <[email protected]> * minor syntax change. Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
- Ensure that only head queries are supported in workflow tests - Add a test to detect when a non-existent workflow file is used [e2e/workflow_test.go] - Add a test to check that only head queries are supported - Add a test to check that a non-existent workflow file returns an error Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
* Use matrix for build jobs. Signed-off-by: Spencer Schrock <[email protected]> * These build targets don't seem to need protoc. This lets us save the API quota. Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
* Add contributor ladder Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Clarify sponsorship Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Hope for retirement warning Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * 1 maintainer can sponsor a community member Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> * Apply suggestions from code review Co-authored-by: Raghav Kaul <[email protected]> Signed-off-by: Pedro Nacht <[email protected]> --------- Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> Signed-off-by: Pedro Nacht <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.55.0 to 1.55.1. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](golangci/golangci-lint@v1.55.0...v1.55.1) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
…3634) * 🌱 Update stale workflow to exempt Structured Results milestone * Removed duplicate line, updated stale-pr-message, and removed custom stale labels Signed-off-by: Allen Shearin <[email protected]>
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.4+incompatible to 24.0.7+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](moby/moby@v24.0.4...v24.0.7) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.6+incompatible to 24.0.7+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](moby/moby@v24.0.6...v24.0.7) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.2.4 to 1.3.0. - [Release notes](https://github.com/go-logr/logr/releases) - [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md) - [Commits](go-logr/logr@v1.2.4...v1.3.0) --- updated-dependencies: - dependency-name: github.com/go-logr/logr dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.9.0 to 5.10.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](go-git/go-git@v5.9.0...v5.10.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.28.1 to 1.29.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.28.1...v1.29.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.56.0 to 1.57.1. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@bigquery/v1.56.0...bigquery/v1.57.1) --- updated-dependencies: - dependency-name: cloud.google.com/go/bigquery dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
For now, this is just producing very long detail strings. Probably negatively affecting cron results Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.7.0 to 1.8.0. - [Release notes](https://github.com/spf13/cobra/releases) - [Commits](spf13/cobra@v1.7.0...v1.8.0) --- updated-dependencies: - dependency-name: github.com/spf13/cobra dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
* 🌱 Convert Dangerous Workflow check to probes Signed-off-by: AdamKorcz <[email protected]> * remove hasAnyWorkflows probe Signed-off-by: AdamKorcz <[email protected]> * combine two conditionals into one Signed-off-by: AdamKorcz <[email protected]> * preserve logging from original evaluation Signed-off-by: AdamKorcz <[email protected]> * rebase Signed-off-by: AdamKorcz <[email protected]> --------- Signed-off-by: AdamKorcz <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
* Convert SAST checks to probes Signed-off-by: AdamKorcz <[email protected]> * Update checks/evaluation/sast.go Co-authored-by: Raghav Kaul <[email protected]> Signed-off-by: AdamKorcz <[email protected]> * preserve file info when logging positive Sonar findings Signed-off-by: AdamKorcz <[email protected]> * rebase Signed-off-by: AdamKorcz <[email protected]> * Remove warning logging Signed-off-by: AdamKorcz <[email protected]> * add outcome and message to finding on the same line Signed-off-by: AdamKorcz <[email protected]> * codeql workflow -> codeql action Signed-off-by: AdamKorcz <[email protected]> * 'the Sonar' -> 'Sonar' in probe def.yml Signed-off-by: AdamKorcz <[email protected]> * fix typo Signed-off-by: AdamKorcz <[email protected]> * Change how probe creates location Signed-off-by: AdamKorcz <[email protected]> * Change names of values Signed-off-by: AdamKorcz <[email protected]> * change 'SAST tool detected: xx' to 'SAST tool installed: xx' Signed-off-by: AdamKorcz <[email protected]> * make text in probe def.yml easier to read Signed-off-by: AdamKorcz <[email protected]> * Change 'to' to 'two' Signed-off-by: AdamKorcz <[email protected]> * Minor change Signed-off-by: AdamKorcz <[email protected]> --------- Signed-off-by: AdamKorcz <[email protected]> Signed-off-by: AdamKorcz <[email protected]> Co-authored-by: Raghav Kaul <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.4.2 to 1.4.3. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](google/osv-scanner@v1.4.2...v1.4.3) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.13.0 to 0.14.0. - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.13.0...v0.14.0) --- updated-dependencies: - dependency-name: golang.org/x/text dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.55.1 to 1.55.2. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](golangci/golangci-lint@v1.55.1...v1.55.2) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
* Continue on error detecting OS Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Add tests for error detecting OS Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Add ElementError to identify elements that errored Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Add Incomplete field to PinningDependenciesData Will store all errors handled during analysis, which may lead to incomplete results. Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Register job steps that errored out Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Add tests that incomplete steps are caught Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Add warnings to details about incomplete steps Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Add tests that incomplete steps generate warnings Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Register shell files skipped due to parser errors Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Add tests showing when parser errors affect analysis. Dockerfile pinning is not affected. Everything in a 'broken' Dockerfile RUN block is ignored. Everything in a 'broken' shell script is ignored. testdata/script-invalid.sh modified to demonstrate the above. Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Incomplete results logged as Info, not Warn Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Remove `Type` from logging of incomplete results Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Update tests after rebase Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Add Unwrap for ElementError, improve its docs Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Add ElementError case to evaluation unit test Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Move ElementError to checker/raw_result. checker/raw_result defines types used to describe analysis results. ElementError is meant to describe potential flaws in the analysis and is therefore a sort of analysis result itself. Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Use finding.Location for ElementError.Element Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Use an ElementError for script parser errors Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Replace .Incomplete []error with .ProcessingErrors []ElementError Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
* Adopt from reviewer comments - Replace ElementError's `Element *finding.Location` with `Location finding.Location` - Rename ErrorJobOSParsing to ErrJobOSParsing to satisfy linter - Fix unit test Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
--------- Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.1.0 to 3.1.2. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@6c5ccda...fde92ac) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
Bumps [kubernetes-sigs/kubebuilder-release-tools](https://github.com/kubernetes-sigs/kubebuilder-release-tools) from 0.4.0 to 0.4.2. - [Release notes](https://github.com/kubernetes-sigs/kubebuilder-release-tools/releases) - [Changelog](https://github.com/kubernetes-sigs/kubebuilder-release-tools/blob/master/RELEASE.md) - [Commits](kubernetes-sigs/kubebuilder-release-tools@d8367c2...3c34113) --- updated-dependencies: - dependency-name: kubernetes-sigs/kubebuilder-release-tools dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.2.3 to 40.1.1. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@95690f9...25ef392) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.1.2 to 3.2.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@11086d2...1fc5bd3) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.4.0 to 2.4.1. - [Release notes](https://github.com/slsa-framework/slsa-verifier/releases) - [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md) - [Commits](slsa-framework/slsa-verifier@v2.4.0...v2.4.1) --- updated-dependencies: - dependency-name: slsa-framework/slsa-verifier dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.29.0 to 1.30.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.29.0...v1.30.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Allen Shearin <[email protected]>
* switch ossfuzz test to smaller repo tensorflow/tensorflow is huge, and this causes the test to take forever. locally this reduces the test time from 17 to 2.4 seconds Signed-off-by: Spencer Schrock <[email protected]> * reuse scorecard results for scorecard attestor policies previously this test took 27 seconds locally, and now takes 8. which is split across 3 subtests: good repos: 1s bad repos: 5s code review policies: 2s Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
…ssf#3632) * 🌱 Add dependency remediation in raw results instead of at log time Signed-off-by: AdamKorcz <[email protected]> * add unit test Signed-off-by: AdamKorcz <[email protected]> * add unit test Signed-off-by: AdamKorcz <[email protected]> * return error Signed-off-by: AdamKorcz <[email protected]> * use pointer to dependency Signed-off-by: AdamKorcz <[email protected]> * check for errors in test Signed-off-by: AdamKorcz <[email protected]> * Return nil if repo client returns an error from unsupported feature Signed-off-by: AdamKorcz <[email protected]> * revert error checking Signed-off-by: AdamKorcz <[email protected]> * revert returning nil is unsupported feature Signed-off-by: AdamKorcz <[email protected]> * Fix wrong test name Signed-off-by: AdamKorcz <[email protected]> * only create remediation when required Signed-off-by: AdamKorcz <[email protected]> * remove remediation helper function Signed-off-by: AdamKorcz <[email protected]> --------- Signed-off-by: AdamKorcz <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
actions which influence the build/release process are excluded. dependabot will send individual updates for those. Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
ashearin force-pushed the commit-depth branch from 1c79121 to b3ed1f0 on November 13, 2023 17:19
Closing, will start a fresh branch and reopen
What kind of change does this PR introduce?
Bug fix for #2828, reopening of #2829
What is the current behavior?
The new GitLab functionality is not using the parameter --commit-depth when querying the GitLab repo for commits. In addition, the default value of 30 was not being used either, for the same reason.
What is the new behavior (if this is a feature change)?
Which issue(s) this PR fixes
Fixes #2828
Special notes for your reviewer
Does this PR introduce a user-facing change?