Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

✨ add support for Nuget ad-hoc commands (add/install) in Pinned Dependency checks #2779

Conversation

balteravishay
Copy link
Contributor

@balteravishay balteravishay commented Mar 22, 2023

What kind of change does this PR introduce?

Add support for Nuget ad-hoc commands (add/install) in pinned dependency checks.

What is the current behavior?

Scorecard does not detect unpinned dependencies when using nuget and dotnet clis to add ad-hoc libraries.

What is the new behavior (if this is a feature change)?**

Scorecard detects and warns when using dotnet and nuget cli to add ad-hoc libraries packages without declaring their specific version.

  • [v] Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

This PR relates to but does not fix issue #1578

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

Scorecard checks for unpinned dependencies that are retrieved ad-hoc using nuget and dotnet CLIs ("nuget install" and "dotnet add").

@balteravishay balteravishay temporarily deployed to integration-test March 22, 2023 13:52 — with GitHub Actions Inactive
@balteravishay balteravishay temporarily deployed to integration-test March 22, 2023 14:04 — with GitHub Actions Inactive
@balteravishay balteravishay force-pushed the avbalter/support-nuget-unpinned-dependencies branch from c0f0d46 to 4c3c2bf Compare March 22, 2023 14:27
@balteravishay balteravishay temporarily deployed to integration-test March 22, 2023 14:28 — with GitHub Actions Inactive
@balteravishay balteravishay temporarily deployed to integration-test March 22, 2023 14:28 — with GitHub Actions Inactive
@codecov
Copy link

codecov bot commented Mar 22, 2023

Codecov Report

Merging #2779 (416c737) into main (1c441f3) will decrease coverage by 4.29%.
The diff coverage is 91.42%.

❗ Current head 416c737 differs from pull request most recent head 3a0da40. Consider uploading reports for the commit 3a0da40 to get more accurate results

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2779      +/-   ##
==========================================
- Coverage   55.18%   50.90%   -4.29%     
==========================================
  Files         158      158              
  Lines       13276    12062    -1214     
==========================================
- Hits         7327     6140    -1187     
- Misses       5514     5547      +33     
+ Partials      435      375      -60     

Copy link
Contributor

@laurentsimon laurentsimon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR. I left comments about immutability of versions in nuget ecosystem because I'm unfamiliar with it.

checks/raw/shell_download_validate.go Show resolved Hide resolved
checks/raw/shell_download_validate.go Show resolved Hide resolved
checks/raw/shell_download_validate.go Outdated Show resolved Hide resolved
checks/raw/shell_download_validate.go Outdated Show resolved Hide resolved
checks/raw/shell_download_validate.go Outdated Show resolved Hide resolved
@balteravishay balteravishay temporarily deployed to integration-test March 26, 2023 19:37 — with GitHub Actions Inactive
@balteravishay balteravishay temporarily deployed to integration-test March 29, 2023 19:45 — with GitHub Actions Inactive
Copy link

@nkolev92 nkolev92 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few comments with the limited context that I have.

BTW, how commonly used phrase is the pinned dependency concept? :)

NuGet has a CPM feature that has a similar name that'd confuse some people: https://learn.microsoft.com/en-us/nuget/consume-packages/central-package-management#transitive-pinning

checks/raw/shell_download_validate.go Outdated Show resolved Hide resolved
checks/raw/shell_download_validate.go Show resolved Hide resolved
checks/raw/shell_download_validate.go Show resolved Hide resolved
@balteravishay balteravishay temporarily deployed to integration-test April 13, 2023 09:23 — with GitHub Actions Inactive
@balteravishay balteravishay temporarily deployed to integration-test April 13, 2023 10:10 — with GitHub Actions Inactive
@balteravishay balteravishay changed the title ✨ add support for Nuget in Pinned Dependency checks ✨ add support for Nuget ad-hoc commands (add/install) in Pinned Dependency checks Apr 13, 2023
dependabot bot and others added 19 commits April 14, 2023 18:29
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.9 to 2.2.11.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@04df126...d186a2a)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.7.8 to 35.7.12.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@e9b5807...b109d83)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@c3667d9...9e9de22)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [github.com/xeipuuv/gojsonschema](https://github.com/xeipuuv/gojsonschema) from 0.0.0-20180618132009-1d523034197f to 1.2.0.
- [Release notes](https://github.com/xeipuuv/gojsonschema/releases)
- [Commits](https://github.com/xeipuuv/gojsonschema/commits/v1.2.0)

---
updated-dependencies:
- dependency-name: github.com/xeipuuv/gojsonschema
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Included tests for checker result and request

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Add haskell-actions/hlint-scan as one of know GitHub actions which upload SARIF.

Signed-off-by: Yoo Chung <chungyc@google.com>

* Test security-events permissions with actions known to upload SARIF.

Signed-off-by: Yoo Chung <chungyc@google.com>

---------

Signed-off-by: Yoo Chung <chungyc@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases)
- [Commits](bradleyfalzon/ghinstallation@v2.2.0...v2.3.0)

---
updated-dependencies:
- dependency-name: github.com/bradleyfalzon/ghinstallation/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [github.com/otiai10/copy](https://github.com/otiai10/copy) from 1.9.0 to 1.10.0.
- [Release notes](https://github.com/otiai10/copy/releases)
- [Commits](otiai10/copy@v1.9.0...v1.10.0)

---
updated-dependencies:
- dependency-name: github.com/otiai10/copy
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.16.2 to 1.17.0.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](goreleaser/goreleaser@v1.16.2...v1.17.0)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Add GitLab test repos.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add test GitLab projects to release controller.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* worker gitlab WIP

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Read config in worker.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Use UTC time for shards.

This avoids issues when the controller and worker timezones differ.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* update directions for gcs fake

Signed-off-by: Spencer Schrock <sschrock@google.com>

* update readme

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Undo gitlab parts, which will be its own PR.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Clarify project and config files are placeholders.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* remove accidentally added whitespace

Signed-off-by: Spencer Schrock <sschrock@google.com>

* clarify code change with comment.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Minor edits.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.7.0 to 0.8.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.7.0...v0.8.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.0 to 3.1.2.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@81cd2dc...40a12dc)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Signed-off-by: Yoo Chung <chungyc@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
…2843)

* Add Haskell as a language.

Signed-off-by: Yoo Chung <chungyc@google.com>

* Detect fuzzing in Haskell using presence of property-based testing.

Signed-off-by: Yoo Chung <chungyc@google.com>

* Mention fuzzing detection for Haskell in documentation.

Signed-off-by: Yoo Chung <chungyc@google.com>

* Fix pattern and test.  Add test case.

Signed-off-by: Yoo Chung <chungyc@google.com>

---------

Signed-off-by: Yoo Chung <chungyc@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
- Add tests for `GetRequiredChecksForPolicy` and `EvaluateResults`
- Add checks for binary artifacts, vulnerabilities, unpinned dependencies, and code review

[attestor/policy/attestation_policy_test.go]
- Add `github.com/google/go-cmp/cmp` to imports
- Add a test for `GetRequiredChecksForPolicy`
- Add a test for `EvaluateResults`

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.81.0 to 0.82.0.
- [Release notes](https://github.com/xanzy/go-gitlab/releases)
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](xanzy/go-gitlab@v0.81.0...v0.82.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Look for codeQL action use with local files instead of search.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Switch SAST mocks to using local file contents.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Update e2e test

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Remove unneeded code.

The tests deleted here were merged with another test in an earlier commit.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* update

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add tests to get code coverage up.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
auto-merge was automatically disabled April 14, 2023 18:52

Head branch was pushed to by a user without write access

@balteravishay balteravishay force-pushed the avbalter/support-nuget-unpinned-dependencies branch 3 times, most recently from 0018e37 to 5ccdf0b Compare April 14, 2023 19:04
Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
@balteravishay balteravishay temporarily deployed to integration-test April 14, 2023 19:13 — with GitHub Actions Inactive
Signed-off-by: Avishay <avishay.balter@gmail.com>
@balteravishay balteravishay temporarily deployed to integration-test April 14, 2023 19:16 — with GitHub Actions Inactive
@balteravishay balteravishay temporarily deployed to integration-test April 17, 2023 06:27 — with GitHub Actions Inactive
@laurentsimon laurentsimon merged commit 3bf6c2a into ossf:main Apr 17, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants