✨ add support for Nuget ad-hoc commands (add/install) in Pinned Dependency checks #2779

@balteravishay balteravishay commented Mar 22, 2023

What kind of change does this PR introduce?

Add support for Nuget ad-hoc commands (add/install) in pinned dependency checks.

What is the current behavior?

Scorecard does not detect unpinned dependencies when using nuget and dotnet clis to add ad-hoc libraries.

What is the new behavior (if this is a feature change)?

Scorecard detects and warns when the dotnet and nuget CLIs are used to add ad-hoc library packages without declaring their specific version.

  • [v] Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

This PR relates to but does not fix issue #1578

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

Scorecard checks for unpinned dependencies that are retrieved ad-hoc using nuget and dotnet CLIs ("nuget install" and "dotnet add").
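A simplified illustration of the detection this PR describes, added here as an example; it is not the project's code from checks/raw/shell_download_validate.go. It assumes that the documented version flags (`-Version` for `nuget install`, `-v`/`--version` for `dotnet add package`) are the only pinning mechanism, that `--version=X` is also accepted, and it runs over a constructed sample script.

```go
package main

import (
	"fmt"
	"strings"
)

// hasVersionFlag reports whether a token pins the version: `nuget install` documents -Version (its
// options are case-insensitive), `dotnet add package` documents -v/--version; --version=X is assumed.
func hasVersionFlag(tokens []string) bool {
	for _, t := range tokens {
		if t == "-v" || strings.EqualFold(t, "-version") || strings.EqualFold(t, "--version") || strings.HasPrefix(strings.ToLower(t), "--version=") {
			return true
		}
	}
	return false
}
// isAdHocAdd matches `nuget install <packageID> ...` and `dotnet add [<project>] package <name> ...`.
// `nuget install <file>.config` takes its versions from that config file, so it is not flagged.
func isAdHocAdd(tokens []string) bool {
	if len(tokens) >= 3 && strings.EqualFold(tokens[0], "nuget") && strings.EqualFold(tokens[1], "install") {
		return !strings.HasSuffix(strings.ToLower(tokens[2]), ".config")
	}
	if len(tokens) >= 4 && tokens[0] == "dotnet" && tokens[1] == "add" {
		return tokens[2] == "package" || (len(tokens) >= 5 && tokens[3] == "package")
	}
	return false
}
// FindUnpinnedNuget scans a script line by line (splitting "&&" chains) and returns each
// nuget/dotnet add command that lacks a version flag, prefixed with its 1-based line number.
func FindUnpinnedNuget(script string) []string {
	var findings []string
	for i, line := range strings.Split(script, "\n") {
		for _, cmd := range strings.Split(line, "&&") {
			tokens := strings.Fields(cmd)
			if isAdHocAdd(tokens) && !hasVersionFlag(tokens) {
				findings = append(findings, fmt.Sprintf("line %d: %s", i+1, strings.TrimSpace(cmd)))
			}
		}
	}
	return findings
}
func main() {
	// Constructed sample build script, not taken from any real repository.
	script := "dotnet add package Newtonsoft.Json\nnuget install packages.config && dotnet add src/App.csproj package Serilog --version 2.12.0\nnuget install Moq\ndotnet add package xunit -v 2.4.2"
	for _, f := range FindUnpinnedNuget(script) {
		fmt.Println("unpinned:", f)
	}
}
```

Only the two commands without a version flag are reported; the `packages.config` install and the two explicitly versioned adds pass.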

@balteravishay balteravishay force-pushed the avbalter/support-nuget-unpinned-dependencies branch from c0f0d46 to 4c3c2bf Compare March 22, 2023 14:27
codecov bot commented Mar 22, 2023

Codecov Report

Merging #2779 (416c737) into main (1c441f3) will decrease coverage by 4.29%.
The diff coverage is 91.42%.

❗ Current head 416c737 differs from pull request most recent head 3a0da40. Consider uploading reports for the commit 3a0da40 to get more accurate results

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2779      +/-   ##
==========================================
- Coverage   55.18%   50.90%   -4.29%     
==========================================
  Files         158      158              
  Lines       13276    12062    -1214     
==========================================
- Hits         7327     6140    -1187     
- Misses       5514     5547      +33     
+ Partials      435      375      -60     

@laurentsimon laurentsimon left a comment

Thanks for the PR. I left comments about immutability of versions in nuget ecosystem because I'm unfamiliar with it.

Review comments on checks/raw/shell_download_validate.go (all resolved)

@nkolev92 nkolev92 left a comment

A few comments with the limited context that I have.

BTW, how commonly used a phrase is the pinned dependency concept? :)

NuGet has a CPM feature that has a similar name that'd confuse some people: https://learn.microsoft.com/en-us/nuget/consume-packages/central-package-management#transitive-pinning

Review comments on checks/raw/shell_download_validate.go (all resolved)
@balteravishay balteravishay changed the title ✨ add support for Nuget in Pinned Dependency checks ✨ add support for Nuget ad-hoc commands (add/install) in Pinned Dependency checks Apr 13, 2023
dependabot bot and others added 19 commits April 14, 2023 18:29
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.9 to 2.2.11.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@04df126...d186a2a)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.7.8 to 35.7.12.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@e9b5807...b109d83)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@c3667d9...9e9de22)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [github.com/xeipuuv/gojsonschema](https://github.com/xeipuuv/gojsonschema) from 0.0.0-20180618132009-1d523034197f to 1.2.0.
- [Release notes](https://github.com/xeipuuv/gojsonschema/releases)
- [Commits](https://github.com/xeipuuv/gojsonschema/commits/v1.2.0)

---
updated-dependencies:
- dependency-name: github.com/xeipuuv/gojsonschema
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Included tests for checker result and request

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Add haskell-actions/hlint-scan as one of know GitHub actions which upload SARIF.

Signed-off-by: Yoo Chung <chungyc@google.com>

* Test security-events permissions with actions known to upload SARIF.

Signed-off-by: Yoo Chung <chungyc@google.com>

---------

Signed-off-by: Yoo Chung <chungyc@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases)
- [Commits](bradleyfalzon/ghinstallation@v2.2.0...v2.3.0)

---
updated-dependencies:
- dependency-name: github.com/bradleyfalzon/ghinstallation/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [github.com/otiai10/copy](https://github.com/otiai10/copy) from 1.9.0 to 1.10.0.
- [Release notes](https://github.com/otiai10/copy/releases)
- [Commits](otiai10/copy@v1.9.0...v1.10.0)

---
updated-dependencies:
- dependency-name: github.com/otiai10/copy
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.16.2 to 1.17.0.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](goreleaser/goreleaser@v1.16.2...v1.17.0)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Add GitLab test repos.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add test GitLab projects to release controller.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* worker gitlab WIP

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Read config in worker.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Use UTC time for shards.

This avoids issues when the controller and worker timezones differ.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* update directions for gcs fake

Signed-off-by: Spencer Schrock <sschrock@google.com>

* update readme

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Undo gitlab parts, which will be its own PR.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Clarify project and config files are placeholders.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* remove accidentally added whitespace

Signed-off-by: Spencer Schrock <sschrock@google.com>

* clarify code change with comment.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Minor edits.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.7.0 to 0.8.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.7.0...v0.8.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.0 to 3.1.2.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@81cd2dc...40a12dc)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Signed-off-by: Yoo Chung <chungyc@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
…2843)

* Add Haskell as a language.

Signed-off-by: Yoo Chung <chungyc@google.com>

* Detect fuzzing in Haskell using presence of property-based testing.

Signed-off-by: Yoo Chung <chungyc@google.com>

* Mention fuzzing detection for Haskell in documentation.

Signed-off-by: Yoo Chung <chungyc@google.com>

* Fix pattern and test.  Add test case.

Signed-off-by: Yoo Chung <chungyc@google.com>

---------

Signed-off-by: Yoo Chung <chungyc@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
- Add tests for `GetRequiredChecksForPolicy` and `EvaluateResults`
- Add checks for binary artifacts, vulnerabilities, unpinned dependencies, and code review

[attestor/policy/attestation_policy_test.go]
- Add `github.com/google/go-cmp/cmp` to imports
- Add a test for `GetRequiredChecksForPolicy`
- Add a test for `EvaluateResults`

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.81.0 to 0.82.0.
- [Release notes](https://github.com/xanzy/go-gitlab/releases)
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](xanzy/go-gitlab@v0.81.0...v0.82.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
* Look for codeQL action use with local files instead of search.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Switch SAST mocks to using local file contents.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Update e2e test

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Remove unneeded code.

The tests deleted here were merged with another test in an earlier commit.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* update

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Add tests to get code coverage up.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
auto-merge was automatically disabled April 14, 2023 18:52

Head branch was pushed to by a user without write access

@balteravishay balteravishay force-pushed the avbalter/support-nuget-unpinned-dependencies branch 3 times, most recently from 0018e37 to 5ccdf0b Compare April 14, 2023 19:04
Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
@laurentsimon laurentsimon merged commit 3bf6c2a into ossf:main Apr 17, 2023