-
Notifications
You must be signed in to change notification settings - Fork 503
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
✨ add support for Nuget ad-hoc commands (add/install) in Pinned Dependency checks #2779
✨ add support for Nuget ad-hoc commands (add/install) in Pinned Dependency checks #2779
Conversation
c0f0d46
to
4c3c2bf
Compare
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #2779 +/- ##
==========================================
- Coverage 55.18% 50.90% -4.29%
==========================================
Files 158 158
Lines 13276 12062 -1214
==========================================
- Hits 7327 6140 -1187
- Misses 5514 5547 +33
+ Partials 435 375 -60 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR. I left comments about immutability of versions in nuget ecosystem because I'm unfamiliar with it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few comments with the limited context that I have.
BTW, how commonly used phrase is the pinned dependency
concept? :)
NuGet has a CPM feature that has a similar name that'd confuse some people: https://learn.microsoft.com/en-us/nuget/consume-packages/central-package-management#transitive-pinning
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.9 to 2.2.11. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@04df126...d186a2a) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.7.8 to 35.7.12. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@e9b5807...b109d83) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.1 to 3.0.2. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@c3667d9...9e9de22) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [github.com/xeipuuv/gojsonschema](https://github.com/xeipuuv/gojsonschema) from 0.0.0-20180618132009-1d523034197f to 1.2.0. - [Release notes](https://github.com/xeipuuv/gojsonschema/releases) - [Commits](https://github.com/xeipuuv/gojsonschema/commits/v1.2.0) --- updated-dependencies: - dependency-name: github.com/xeipuuv/gojsonschema dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com>
Included tests for checker result and request Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com>
* Add haskell-actions/hlint-scan as one of know GitHub actions which upload SARIF. Signed-off-by: Yoo Chung <chungyc@google.com> * Test security-events permissions with actions known to upload SARIF. Signed-off-by: Yoo Chung <chungyc@google.com> --------- Signed-off-by: Yoo Chung <chungyc@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.2.0 to 2.3.0. - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](bradleyfalzon/ghinstallation@v2.2.0...v2.3.0) --- updated-dependencies: - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [github.com/otiai10/copy](https://github.com/otiai10/copy) from 1.9.0 to 1.10.0. - [Release notes](https://github.com/otiai10/copy/releases) - [Commits](otiai10/copy@v1.9.0...v1.10.0) --- updated-dependencies: - dependency-name: github.com/otiai10/copy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.16.2 to 1.17.0. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](goreleaser/goreleaser@v1.16.2...v1.17.0) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com>
* Add GitLab test repos. Signed-off-by: Spencer Schrock <sschrock@google.com> * Add test GitLab projects to release controller. Signed-off-by: Spencer Schrock <sschrock@google.com> * worker gitlab WIP Signed-off-by: Spencer Schrock <sschrock@google.com> * Read config in worker. Signed-off-by: Spencer Schrock <sschrock@google.com> * Use UTC time for shards. This avoids issues when the controller and worker timezones differ. Signed-off-by: Spencer Schrock <sschrock@google.com> * update directions for gcs fake Signed-off-by: Spencer Schrock <sschrock@google.com> * update readme Signed-off-by: Spencer Schrock <sschrock@google.com> * Undo gitlab parts, which will be its own PR. Signed-off-by: Spencer Schrock <sschrock@google.com> * Clarify project and config files are placeholders. Signed-off-by: Spencer Schrock <sschrock@google.com> * remove accidentally added whitespace Signed-off-by: Spencer Schrock <sschrock@google.com> * clarify code change with comment. Signed-off-by: Spencer Schrock <sschrock@google.com> * Minor edits. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.7.0 to 0.8.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.7.0...v0.8.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.0 to 3.1.2. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@81cd2dc...40a12dc) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com>
Signed-off-by: Yoo Chung <chungyc@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com>
…2843) * Add Haskell as a language. Signed-off-by: Yoo Chung <chungyc@google.com> * Detect fuzzing in Haskell using presence of property-based testing. Signed-off-by: Yoo Chung <chungyc@google.com> * Mention fuzzing detection for Haskell in documentation. Signed-off-by: Yoo Chung <chungyc@google.com> * Fix pattern and test. Add test case. Signed-off-by: Yoo Chung <chungyc@google.com> --------- Signed-off-by: Yoo Chung <chungyc@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com>
- Add tests for `GetRequiredChecksForPolicy` and `EvaluateResults` - Add checks for binary artifacts, vulnerabilities, unpinned dependencies, and code review [attestor/policy/attestation_policy_test.go] - Add `github.com/google/go-cmp/cmp` to imports - Add a test for `GetRequiredChecksForPolicy` - Add a test for `EvaluateResults` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Avishay <avishay.balter@gmail.com>
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.81.0 to 0.82.0. - [Release notes](https://github.com/xanzy/go-gitlab/releases) - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](xanzy/go-gitlab@v0.81.0...v0.82.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Avishay <avishay.balter@gmail.com>
* Look for codeQL action use with local files instead of search. Signed-off-by: Spencer Schrock <sschrock@google.com> * Switch SAST mocks to using local file contents. Signed-off-by: Spencer Schrock <sschrock@google.com> * Update e2e test Signed-off-by: Spencer Schrock <sschrock@google.com> * Remove unneeded code. The tests deleted here were merged with another test in an earlier commit. Signed-off-by: Spencer Schrock <sschrock@google.com> * update Signed-off-by: Spencer Schrock <sschrock@google.com> * Add tests to get code coverage up. Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Avishay <avishay.balter@gmail.com>
Head branch was pushed to by a user without write access
0018e37
to
5ccdf0b
Compare
Signed-off-by: Avishay Balter <avishay.balter@gmail.com>
Signed-off-by: Avishay <avishay.balter@gmail.com>
What kind of change does this PR introduce?
Add support for Nuget ad-hoc commands (add/install) in pinned dependency checks.
What is the current behavior?
Scorecard does not detect unpinned dependencies when using nuget and dotnet clis to add ad-hoc libraries.
What is the new behavior (if this is a feature change)?**
Scorecard detects and warns when using dotnet and nuget cli to add ad-hoc libraries packages without declaring their specific version.
Which issue(s) this PR fixes
This PR relates to but does not fix issue #1578
Special notes for your reviewer
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to
the
release-note
(In particular, describe what changes users might need to make in their
application as a result of this pull request.)