✨ branch protection: requiring PRs gives partial credit #3499

Commits on Nov 13, 2023

  1. feat(branch-protection): consider if project requires PRs prior to ma…

    …ke changes
    
    As discussed at the issue ossf#2727, we're adding the "require PRs prior
    to make changes" as another requirement to tier 2. In addition to that,
    we're changing the weight of the tier 2 requirements so that
    "requiring 1 reviewer" has weight 2, while the other tier 2 requirements
    have weight 1
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 13, 2023
    e54013e
  2. test(branch-protection): increment and adapt testing

    1. Adapt previous test cases to consider that now we'll have an additional
    Info log telling that the project requires PRs to make changes.
    2. Add more cases to test relevant use cases on the tier 2 level of
    branch protection
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 13, 2023
    8e6ad1c
  3. docs(branch-protection-check): adapt check description to consider re…

    …quirement of require PRs to make changes
    
    It adds the new tier 2 requirement, but also specifies that the
    "require at least 1 reviewer" will have doubled weight.
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 13, 2023
    dc7bbb6
  4. refactor(branch-protection-check): avoid duplicate functions and enhan…

    …ce readability
    
    Made some nice-to-have improvements on project readability,
    making it easier to understand how the branch-protection
    score is computed. Also unified 8 different functions that were
    doing basically the same thing.
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 13, 2023
    968a4b9
  5. 📖 Update docs for Signed-Releases check (ossf#3469)

    * Update docs for signed-releases
    
    Signed-off-by: Raghav Kaul <raghavkaul@google.com>
    
    * update docs
    
    Signed-off-by: Raghav Kaul <raghavkaul@google.com>
    
    ---------
    
    Signed-off-by: Raghav Kaul <raghavkaul@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    raghavkaul authored and diogoteles08 committed Nov 13, 2023
    df13d85
  6. 🌱 Bump github.com/rhysd/actionlint from 1.6.15 to 1.6.26 (ossf#3489)

    * bump actionlint.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * fix unit tests.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * include latest update.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    ---------
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    spencerschrock authored and diogoteles08 committed Nov 13, 2023
    8e2ff42
  7. 🌱 Bump github.com/onsi/gomega from 1.27.10 to 1.28.0 (ossf#3523)

    Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.10 to 1.28.0.
    - [Release notes](https://github.com/onsi/gomega/releases)
    - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
    - [Commits](onsi/gomega@v1.27.10...v1.28.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/onsi/gomega
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    bab04bd
  8. ✨ Add --output argument to write results to file (ossf#3482)

    * feat: Create output file argument
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * feat: Write results to output file
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * fix: Default results format output
    
    Print results headline to output, which may be a file.
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * feat: Log start and end of checks work to console
    
    Independent of the logs being output to console or a file, the information on which checks are running is still relevant. Now, we always log this info to the console.
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * test: Fix options unit tests
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * test: Output option content and shorthand
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * test: Output to file with correct format
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * test: Fix helper function with linter error
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * fix: Define output to console or file inside FormatResults
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * fix: Remove intermediate variable to define output
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * test: Fix error log
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * fix: Close output file before write results
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * test: Fix unit test
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * test: Fix remove file even if test fails
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * test: Fix fail test cases
    
    Fail test if cannot format results or cannot read real or expected outputs.
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * fix: Copyright notice year and license header spacing
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * fix: Rename Output to ResultsFile
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * fix: Linter errors
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * Revert "feat: Log start and end of checks work to console"
    
    This reverts commit c4a00a5.
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * fix: Print results headline in default format
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * test: Fix default format result test
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * fix: Close output only when it's file
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * fix: Linter error
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    ---------
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    gabibguti authored and diogoteles08 committed Nov 13, 2023
    1ba0c76
  9. 🌱 Bump step-security/harden-runner from 2.5.1 to 2.6.0 (ossf#3532)

    Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.5.1 to 2.6.0.
    - [Release notes](https://github.com/step-security/harden-runner/releases)
    - [Commits](step-security/harden-runner@8ca2b8b...1b05615)
    
    ---
    updated-dependencies:
    - dependency-name: step-security/harden-runner
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    ec15b2d
  10. 🌱 Bump tj-actions/changed-files from 39.1.2 to 39.2.1 (ossf#3531)

    Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.1.2 to 39.2.1.
    - [Release notes](https://github.com/tj-actions/changed-files/releases)
    - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
    - [Commits](tj-actions/changed-files@4196030...db153ba)
    
    ---
    updated-dependencies:
    - dependency-name: tj-actions/changed-files
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    94f7039
  11. 🌱 Fix race condition in output file test. (ossf#3533)

    Signed-off-by: Spencer Schrock <sschrock@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    spencerschrock authored and diogoteles08 committed Nov 13, 2023
    66e5843
  12. 📖 Fix documentation typos (ossf#3505)

    * fix typo
    
    Signed-off-by: omahs <73983677+omahs@users.noreply.github.com>
    
    * fix typos
    
    Signed-off-by: omahs <73983677+omahs@users.noreply.github.com>
    
    * fix typo
    
    Signed-off-by: omahs <73983677+omahs@users.noreply.github.com>
    
    * fix typo
    
    Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
    Signed-off-by: omahs <73983677+omahs@users.noreply.github.com>
    
    * fix typos
    
    Signed-off-by: omahs <73983677+omahs@users.noreply.github.com>
    
    ---------
    
    Signed-off-by: omahs <73983677+omahs@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    omahs authored and diogoteles08 committed Nov 13, 2023
    d6275d3
  13. ✨ broaden job matcher for semantic release (ossf#3506)

    * feat: broaden job matcher for semantic release
    
    Signed-off-by: secustor <sebastian@poxhofer.at>
    
    * tests(checks/permissions): add tests for semantic release if using pnpm and yarn
    
    Signed-off-by: secustor <sebastian@poxhofer.at>
    
    ---------
    
    Signed-off-by: secustor <sebastian@poxhofer.at>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    secustor authored and diogoteles08 committed Nov 13, 2023
    d1bd8da
  14. 🌱 Bump nick-invision/retry from 2.8.3 to 2.9.0 (ossf#3519)

    Bumps [nick-invision/retry](https://github.com/nick-invision/retry) from 2.8.3 to 2.9.0.
    - [Release notes](https://github.com/nick-invision/retry/releases)
    - [Changelog](https://github.com/nick-fields/retry/blob/master/.releaserc.js)
    - [Commits](nick-fields/retry@943e742...1467290)
    
    ---
    updated-dependencies:
    - dependency-name: nick-invision/retry
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    1b016d2
  15. 🌱 Bump github.com/xanzy/go-gitlab from 0.92.1 to 0.92.3 (ossf#3528)

    Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.92.1 to 0.92.3.
    - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
    - [Commits](xanzy/go-gitlab@v0.92.1...v0.92.3)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/xanzy/go-gitlab
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    d393a00
  16. 🌱 Bump github.com/otiai10/copy from 1.12.0 to 1.14.0 (ossf#3527)

    Bumps [github.com/otiai10/copy](https://github.com/otiai10/copy) from 1.12.0 to 1.14.0.
    - [Release notes](https://github.com/otiai10/copy/releases)
    - [Commits](otiai10/copy@v1.12.0...v1.14.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/otiai10/copy
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    8844c48
  17. feat(branch-protection): standardize values received on evaluation

    Previously, at the evaluation part of branch protection, the
    values nil and false or zero were sort of interchangeable. This commit
    changes the code to set as nil only the data that could not be retrieved
    from github -- all the others would have values as false, zero, true, etc
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 13, 2023
    27cc9d5
  18. test(github-client): adapt and add tests to check if nil values are c…

    …oherent
    
    1. Add new test to evaluate how we're interpreting a rule with all
    checkboxes unchecked (most shouldn't be nil)
    2. Adapt existent tests to expect non-nil values for unchecked
       checkboxes
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 13, 2023
    87487cb
  19. feat(client-github): avoid reusing bool pointers

    Changes some pieces of code to prefer using pointers of
    bool instantiated independently. If reusing bool pointers, at some piece
    of code the value of the bool could inadvertently be changed and it would change the
    value of all other fields reusing that pointer.
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 13, 2023
    0e48ea7
  20. feat(branch-protection): enhance evaluation if scorecard was run by a…

    …dmin
    
    At the evaluation step we were using some non untrusted fields of the
    response to evaluate if Scorecard was run as admin or not. Now we're
    using a field provided directly from the client file.
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 13, 2023
    1897c5a
  21. test(branch-protection): adapt testings to say if they have admin inf…

    …o or not
    
    After last commit, the client will tell the evaluation files if
    Scorecard was run by administrator or not (i.e., if we have all the
    infos). This commit adapts the testings to also provide this info.
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 13, 2023
    d9aa12a
  22. test(e2e-branch-protection): adapt number of logs after changes

    - 2 warns (for 'last push approval' and 'codeowners review' disabled) were added because now that information comes as 'not-nil' at the evaluation part.
    - 1 info was added to say that PRs are required to make changes
    - 1 debug was removed because it said that we couldn't retrieve 'last push approval' information, but we actually can. It was just incorrectly set as nil
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 13, 2023
    c675b57
  23. Revert the 2 commits with changes around how Scorecard detects admin run

    Reverts commit 64c3521 and commit e2662b7.
    Both had changes around using clients/branch.go structure to store the
    information of whether Scorecard was being run by admin or not. We
    decided to not change this structure for this purpose.
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 13, 2023
    2da9095
  24. refactor(branch-protection): change data structure to use pointer ins…

    …tead of value
    
    At clients.BranchProtectionRule struct, changing
    RequiredPullRequestReviews to be a pointer instead of a struct value.
    This will allow the usage of the nil value of this structure to mean
    that we can't say if the repository requires reviews or not.
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 13, 2023
    ab9510c
  25. feat(branch-protection): use nil pointer on reviewers struct to mean

    we don't know if they require PRs
    
    The nil value of the struct RequiredPullRequestReviews will now mean
    that we can't tell whether the project requires PRs to make changes or not.
    
    When we get this case, we're printing a debug informing that we don't have
    this data, but also printing a warn saying that they don't require
    reviews, because that will be true at this case.
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 13, 2023
    c0c30df
  26. test(branch-protection): if we're setting the reviewers struct to nil

    when needed
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 13, 2023
    1370892
  27. 🌱 Bump github.com/google/osv-scanner from 1.4.0 to 1.4.1 (ossf#3536)

    Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.4.0 to 1.4.1.
    - [Release notes](https://github.com/google/osv-scanner/releases)
    - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
    - [Commits](google/osv-scanner@v1.4.0...v1.4.1)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/google/osv-scanner
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    a70b6c4
  28. 🌱 Bump github.com/xanzy/go-gitlab from 0.92.3 to 0.93.0 (ossf#3537)

    Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.92.3 to 0.93.0.
    - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
    - [Commits](xanzy/go-gitlab@v0.92.3...v0.93.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/xanzy/go-gitlab
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    1754eee
  29. ✨ scdiff: Limit generating results to specific checks (ossf#3535)

    * accept checks arg when generating golden.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * dont shadow import
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    ---------
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    spencerschrock authored and diogoteles08 committed Nov 13, 2023
    c74c23c
  30. 🌱 Add probe test utility (ossf#3541)

    Signed-off-by: AdamKorcz <adam@adalogics.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    AdamKorcz authored and diogoteles08 committed Nov 13, 2023
    2a897cf
  31. 🌱 Sort fields of raw results alphabetically (ossf#3540)

    Signed-off-by: AdamKorcz <adam@adalogics.com>
    Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    2 people authored and diogoteles08 committed Nov 13, 2023
    24a9a34
  32. 🌱 Bump ossf/scorecard-action from 2.2.0 to 2.3.0 (ossf#3544)

    Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.2.0 to 2.3.0.
    - [Release notes](https://github.com/ossf/scorecard-action/releases)
    - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
    - [Commits](ossf/scorecard-action@08b4669...483ef80)
    
    ---
    updated-dependencies:
    - dependency-name: ossf/scorecard-action
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    43a9a13
  33. 🌱 Bump golang.org/x/oauth2 from 0.12.0 to 0.13.0 (ossf#3545)

    Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.12.0 to 0.13.0.
    - [Commits](golang/oauth2@v0.12.0...v0.13.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/oauth2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    e1efb32
  34. 🌱 Bump github.com/xanzy/go-gitlab from 0.93.0 to 0.93.1 (ossf#3546)

    Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.93.0 to 0.93.1.
    - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
    - [Commits](xanzy/go-gitlab@v0.93.0...v0.93.1)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/xanzy/go-gitlab
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    b43fc8d
  35. 🌱 Bump distroless/base from 27647a6 to 29da700 and golang from `e…

    …c457a2` to `e9ebfe9` (ossf#3548)
    
    * bump distroless.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * bump golang 1.21
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    ---------
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    spencerschrock authored and diogoteles08 committed Nov 13, 2023
    933b6fc
  36. 🌱 Bump cloud.google.com/go/bigquery from 1.55.0 to 1.56.0 (ossf#3538)

    Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.55.0 to 1.56.0.
    - [Release notes](https://github.com/googleapis/google-cloud-go/releases)
    - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
    - [Commits](googleapis/google-cloud-go@bigquery/v1.55.0...bigquery/v1.56.0)
    
    ---
    updated-dependencies:
    - dependency-name: cloud.google.com/go/bigquery
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    0335794
  37. 🌱 Add OutcomeNotApplicable (ossf#3539)

    Signed-off-by: AdamKorcz <adam@adalogics.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    AdamKorcz authored and diogoteles08 committed Nov 13, 2023
    dbbe7b8
  38. ✨ Add additional fuzzing probes (ossf#3473)

    * Extend with additional fuzzing probes
    
    Signed-off-by: David Korczynski <david@adalogics.com>
    
    * fix formatting
    
    Signed-off-by: David Korczynski <david@adalogics.com>
    
    * cleanup formatting
    
    Signed-off-by: David Korczynski <david@adalogics.com>
    
    * make skip testing optional
    
    Signed-off-by: David Korczynski <david@adalogics.com>
    
    * address reviews
    
    Signed-off-by: David Korczynski <david@adalogics.com>
    
    * add todo
    
    Signed-off-by: David Korczynski <david@adalogics.com>
    
    * nit
    
    Signed-off-by: David Korczynski <david@adalogics.com>
    
    * nit
    
    Signed-off-by: David Korczynski <david@adalogics.com>
    
    * add swift fuzzing probe
    
    Signed-off-by: David Korczynski <david@adalogics.com>
    
    * avoid changing OnMatchingFileContentDo
    
    Signed-off-by: David Korczynski <david@adalogics.com>
    
    * nit
    
    Signed-off-by: David Korczynski <david@adalogics.com>
    
    * undo matching file content extension
    
    Signed-off-by: David Korczynski <david@adalogics.com>
    
    * nit: fix constant
    
    Signed-off-by: David Korczynski <david@adalogics.com>
    
    * test all fileMatchPatterns per client
    
    Signed-off-by: David Korczynski <david@adalogics.com>
    
    * fix test logging counts
    
    Signed-off-by: David Korczynski <david@adalogics.com>
    
    * nit
    
    Signed-off-by: David Korczynski <david@adalogics.com>
    
    ---------
    
    Signed-off-by: David Korczynski <david@adalogics.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    DavidKorczynski authored and diogoteles08 committed Nov 13, 2023
    b178a9b
  39. 📖 fix "default" typo (ossf#3543)

    Signed-off-by: guoguangwu <guoguangwu@magic-shield.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    testwill authored and diogoteles08 committed Nov 13, 2023
    7197be9
  40. 🌱 checks/raw: fix struct alignment linter issue (ossf#3550)

    Signed-off-by: Spencer Schrock <sschrock@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    spencerschrock authored and diogoteles08 committed Nov 13, 2023
    7ecb2c1
  41. 🌱 Add map to Finding (ossf#3558)

    Signed-off-by: AdamKorcz <adam@adalogics.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    AdamKorcz authored and diogoteles08 committed Nov 13, 2023
    ad9f04d
  42. 🌱 Bump golang.org/x/net from 0.16.0 to 0.17.0 (ossf#3563)

    Bumps [golang.org/x/net](https://github.com/golang/net) from 0.16.0 to 0.17.0.
    - [Commits](golang/net@v0.16.0...v0.17.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/net
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    cc7e9d2
  43. 🌱 Bump golang.org/x/net from 0.14.0 to 0.17.0 in /tools (ossf#3562)

    Bumps [golang.org/x/net](https://github.com/golang/net) from 0.14.0 to 0.17.0.
    - [Commits](golang/net@v0.14.0...v0.17.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/net
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    7b0ed65
  44. 🌱 Adding all Intel public GitHub repos (ossf#3556)

    Signed-off-by: Ryan Ware <ryan.ware@intel.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    Ryan Ware authored and diogoteles08 committed Nov 13, 2023
    acceee0
  45. 🌱 Bump github.com/onsi/ginkgo/v2 from 2.12.1 to 2.13.0 (ossf#3551)

    Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.1 to 2.13.0.
    - [Release notes](https://github.com/onsi/ginkgo/releases)
    - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
    - [Commits](onsi/ginkgo@v2.12.1...v2.13.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/onsi/ginkgo/v2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    1980139
  46. 🌱 Bump github.com/onsi/ginkgo/v2 in /tools (ossf#3552)

    Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.1 to 2.13.0.
    - [Release notes](https://github.com/onsi/ginkgo/releases)
    - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
    - [Commits](onsi/ginkgo@v2.12.1...v2.13.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/onsi/ginkgo/v2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    1d03eb3
  47. 🌱 Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (ossf#3557)

    Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.9 to 0.6.0.
    - [Release notes](https://github.com/google/go-cmp/releases)
    - [Commits](google/go-cmp@v0.5.9...v0.6.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/google/go-cmp
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    faa30eb
  48. 🌱 Bump kubernetes-sigs/kubebuilder-release-tools (ossf#3553)

    Bumps [kubernetes-sigs/kubebuilder-release-tools](https://github.com/kubernetes-sigs/kubebuilder-release-tools) from 0.3.0 to 0.4.0.
    - [Release notes](https://github.com/kubernetes-sigs/kubebuilder-release-tools/releases)
    - [Changelog](https://github.com/kubernetes-sigs/kubebuilder-release-tools/blob/master/RELEASE.md)
    - [Commits](kubernetes-sigs/kubebuilder-release-tools@4f3d108...d8367c2)
    
    ---
    updated-dependencies:
    - dependency-name: kubernetes-sigs/kubebuilder-release-tools
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    2d79a91
  49. 🐛 Fix wrong quotes (ossf#3565)

    Signed-off-by: AdamKorcz <adam@adalogics.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    AdamKorcz authored and diogoteles08 committed Nov 13, 2023
    ab76574
  50. 🌱 Add new outcome to UnmarshalYAML (ossf#3566)

    Signed-off-by: AdamKorcz <adam@adalogics.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    AdamKorcz authored and diogoteles08 committed Nov 13, 2023
    50f5231
  51. 🐛 scdiff: fix generate cmd when no --checks arg provided. (ossf#3570)

    Signed-off-by: Spencer Schrock <sschrock@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    spencerschrock authored and diogoteles08 committed Nov 13, 2023
    c537441
  52. ✨ scdiff: improve compare usability (ossf#3573)

    * fallback to cron style when parsing dates.
    
    The cron output was never updated in ossf#2712. In the interim, support both formats.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * continue on first diff, to highlight all differences.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * tests for date fallback.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    ---------
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    spencerschrock authored and diogoteles08 committed Nov 13, 2023
    aaed64b
  53. ✨ Add fast-check test runners integrations (ossf#3568)

    Signed-off-by: Pierre Cavin <me@sherlox.io>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    sheerlox authored and diogoteles08 committed Nov 13, 2023
    36aa863
  54. 🌱 Bump github.com/bradleyfalzon/ghinstallation/v2 (ossf#3575)

    Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.7.0 to 2.8.0.
    - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases)
    - [Commits](bradleyfalzon/ghinstallation@v2.7.0...v2.8.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/bradleyfalzon/ghinstallation/v2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    7afb0bb
  55. 🌱 Bump tj-actions/changed-files from 39.2.1 to 39.2.3 (ossf#3577)

    Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.2.1 to 39.2.3.
    - [Release notes](https://github.com/tj-actions/changed-files/releases)
    - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
    - [Commits](tj-actions/changed-files@db153ba...95690f9)
    
    ---
    updated-dependencies:
    - dependency-name: tj-actions/changed-files
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    13e40b6
  56. 🌱 Bump github.com/google/ko from 0.14.1 to 0.15.0 in /tools (ossf#3578)

    Bumps [github.com/google/ko](https://github.com/google/ko) from 0.14.1 to 0.15.0.
    - [Release notes](https://github.com/google/ko/releases)
    - [Changelog](https://github.com/ko-build/ko/blob/main/.goreleaser.yml)
    - [Commits](ko-build/ko@v0.14.1...v0.15.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/google/ko
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    a696ef5
  57. 🌱 Bump actions/checkout from 4.1.0 to 4.1.1 (ossf#3580)

    Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.0 to 4.1.1.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](actions/checkout@8ade135...b4ffde6)
    
    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    3e9805e
  58. 🐛 SAST detect new GitHub app slug for CodeQL (ossf#3591)

    * Fix SAST no longer working for CodeQL
    
    The app slug for CodeQL appears to have changed from `github-advanced-security` to `github-code-scanning`, causing the SAST rule to false-negative on commits.
    
    Signed-off-by: martincostello <martin@martincostello.com>
    
    * Fix lint warning
    
    Fix lint warning.
    
    Signed-off-by: martincostello <martin@martincostello.com>
    
    ---------
    
    Signed-off-by: martincostello <martin@martincostello.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    martincostello authored and diogoteles08 committed Nov 13, 2023
    7d4b425
  59. 🌱 enable the golangci-lint bugs preset (ossf#3583)

    * enable bugs preset
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * fix noctx linter
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * fix bodyclose linter
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * fix contextcheck linter
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * This ignores all existing cases of musttag linter complaints.
    
    This analyzer seems useful in the future, but some of this code
    is old and I don't want to change it for existing code now.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * ignore existing nilerr lints.
    
    This behavior is from the initial commit, and primarily affects metrics.
    Leaving as is, and hope to benefit from the linter in the future.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    ---------
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    spencerschrock authored and diogoteles08 committed Nov 13, 2023
    5a8f6d8
  60. 🌱 use forbidigo linter to prevent print statements (ossf#3585)

    * enable forbidigo for print statements.
    
    include reasoning as message exposed to developer.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * remove or grant exceptions for existing print statements
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * swap stdout to stderr
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * separate msg from regex for better readability.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    ---------
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    spencerschrock authored and diogoteles08 committed Nov 13, 2023
    4bcc2ff
  61. 🐛 scanning gitlab private repositories (ossf#3596)

    * fix: Run for gitlab private repos
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * test: gitlab repo is accessible
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    * fix: linter error
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    
    ---------
    
    Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
    Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    2 people authored and diogoteles08 committed Nov 13, 2023
    d904ca9
  62. 🌱 Bump github.com/xanzy/go-gitlab from 0.93.1 to 0.93.2 (ossf#3593)

    Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.93.1 to 0.93.2.
    - [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go)
    - [Commits](xanzy/go-gitlab@v0.93.1...v0.93.2)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/xanzy/go-gitlab
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    46302bb
  63. 🌱 Bump github.com/onsi/gomega from 1.28.0 to 1.28.1 (ossf#3597)

    Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.28.0 to 1.28.1.
    - [Release notes](https://github.com/onsi/gomega/releases)
    - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
    - [Commits](onsi/gomega@v1.28.0...v1.28.1)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/onsi/gomega
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    fbf8a8f
  64. 🌱 add style linters: mirror, tenv, usestdlibvars (ossf#3586)

    * fix tenv linter and bug with t.Parallel
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * fix usestdlibvars linter
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * fix mirror linter
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    ---------
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    spencerschrock authored and diogoteles08 committed Nov 13, 2023
    82510d4
  65. 🌱 enable gomoddirectives linter. (ossf#3584)

    Signed-off-by: Spencer Schrock <sschrock@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    spencerschrock authored and diogoteles08 committed Nov 13, 2023
    3ab16f7
  66. 🌱 enable style linter errname (ossf#3587)

    * enable errname linter
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * convert publish err to custom error type.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * remove unused exported error.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * convert unsupported exporter type to custom error type.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * exempt public errors from linter.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * exempt cron config errors from linter.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    ---------
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    spencerschrock authored and diogoteles08 committed Nov 13, 2023
    cf52e73
  67. 🌱 remove unused osv helper tool. (ossf#3572)

    This is a followup cleanup of d4b44e5 (ossf#2303).
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    spencerschrock authored and diogoteles08 committed Nov 13, 2023
    8a7a7e0
  68. 🌱 Bump github.com/golangci/golangci-lint in /tools (ossf#3592)

    Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.54.2 to 1.55.0.
    - [Release notes](https://github.com/golangci/golangci-lint/releases)
    - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
    - [Commits](golangci/golangci-lint@v1.54.2...v1.55.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/golangci/golangci-lint
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    c4ed642
  69. 🌱 GitLab: track coverage for gitlab e2e tests (ossf#3601)

    Signed-off-by: Raghav Kaul <raghavkaul@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    raghavkaul authored and diogoteles08 committed Nov 13, 2023
    c0518d1
  70. 🌱 Add license probe (ossf#3465)

    * 🌱 Add license probe
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * [WIP] add two remaining license checks as probes
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * fix nits
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Use Errorf in test
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * use zrunner
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * fix wrong return value
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * fix linting issues and remove empty default
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * fix double if statement
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Remove struct field from test
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Add test for nil-case of license files slice
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * rewrite multiple def.ymls
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * fix nits
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Add unit test with multiple unapproved license files
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Add link to approved license formats
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * fix linting
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * remove comment
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * preserve logging from original check
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * fix typo
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * remove redundant map manipulation
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * rename hasApproveLicense probe
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Return OutcomeNotApplicable if hasFSFOrOSIApprovedLicense probe does not find a license
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Include license file locations in log
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * fix linting issues
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * replace strings filtering with OutcomeNotApplicable in hasLicenseFileAtTopDir probe
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Fix linter issue
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Include location of found license files
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    ---------
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    AdamKorcz authored and diogoteles08 committed Nov 13, 2023
    59654af
  71. 🌱 convert packaging check to probe (ossf#3486)

    * 🌱 convert packaging check to probe
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * amend text in def.yml
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Correct short description in def.yml
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * log negative findings
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * rename probe
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Fix the broken e2e test: The probe returned minimum score instead of inconclusive score which was not consistent with the previous scoring. This commit also removes the debug statements
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * change score text
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * include file details. process all packaging workflows
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    ---------
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    AdamKorcz authored and diogoteles08 committed Nov 13, 2023
    89589e9
  72. 🌱 Add probe support for contributors metrics (ossf#3460)

    * 🌱 Add probe support for contributors metrics
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * fix lint issues
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * change 'contributorsWith' to 'contributorsFrom'
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * change remediation difficulty
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * fix nits
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Updates to checks and checks/evaluation
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * fix tests like in ossf#3409
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * fix raw test
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Update description in def.yml
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * move logic out of utils
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * add comment to consolidate unit test validation
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * change a couple of t.Fatal to t.Error
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * un-remove comment
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * remove map
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * fix typo
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * remove lint comment
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * fix incorrect -1/0 scoring
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Do not specify 'Github' in def.yml
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * do not mention 'which companies' in def.yml
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Rename tests
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Use getRawResults and uncomment logging statement
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Define return values of probe better
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Use proportional score instead of min score
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * revert changed scoring
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * fix incorrect function name
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * remove utility function that finds non-positive outcomes
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * rebase with latest upstream main and fix linter issues
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Log findings in one statements except a logging statements per finding
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * redefine conditional logic
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * rebase
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * remove unused function
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    ---------
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    AdamKorcz authored and diogoteles08 committed Nov 13, 2023
    3939cb7
  73. 🌱 Fix linter issues caught by new linters in golangci-lint v1.55.0 (o…

    …ssf#3603)
    
    * fix protogetter issues
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * de-dupe property based fuzzer description
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    ---------
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    spencerschrock authored and diogoteles08 committed Nov 13, 2023
    364e826
  74. remove sonatype lift (ossf#3605)

    Signed-off-by: Spencer Schrock <sschrock@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    spencerschrock authored and diogoteles08 committed Nov 13, 2023
    162fe8f
  75. 🌱 convert vulnerabilities check to probe (ossf#3487)

    * 🌱 convert vulnerabilities check to probe
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * rename probe + nits
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * edit def.yml
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Add vuln ID dynamically to def.yml
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Elaborate the purpose of test data in unit test
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Move logging out of loop and change logic of negativeFindings()
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * preserve number of vulns found in output
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Preserve grouping of vulns
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * fix linter issues
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Add remediation data
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * use checker.LogFindings()
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    ---------
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    AdamKorcz authored and diogoteles08 committed Nov 13, 2023
    1474447
  76. ✨ Add WithValues function to findings (ossf#3619)

    * update
    
    Signed-off-by: laurentsimon <laurentsimon@google.com>
    
    * update comment
    
    Signed-off-by: laurentsimon <laurentsimon@google.com>
    
    * typo
    
    Signed-off-by: laurentsimon <laurentsimon@google.com>
    
    ---------
    
    Signed-off-by: laurentsimon <laurentsimon@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    laurentsimon authored and diogoteles08 committed Nov 13, 2023
    64d4608
  77. CODEOWNERS: Support distribution of code reviews via team assignments (ossf#3620)
    
    Individual maintainer assignments within CODEOWNERS mean that we
    cannot take advantage of GitHub code review distribution schemes
    for team review assignments.
    
    In this commit, we switch to team assignments within CODEOWNERS.
    
    A common complaint with this approach is that unless you are a part
    of the GitHub organization, you will not be able to view a team's
    membership/understand who the maintainers of a project are.
    
    To provide visibility into the maintainer list, we've added a
    MAINTAINERS.md here as well.
    
    Signed-off-by: Stephen Augustus <foo@auggie.dev>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    justaugustus authored and diogoteles08 committed Nov 13, 2023
    Commit a8f758f
  78. 🌱 Enable golangci-lint test presets (ossf#3594)

    * enable test preset
    
    Leaves some opinionated linters disabled with reasons.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * fix tparallel issues.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    ---------
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    spencerschrock authored and diogoteles08 committed Nov 13, 2023
    Commit 269a1d4
  79. 🌱 Bump google.golang.org/grpc from 1.57.0 to 1.57.1 (ossf#3611)

    Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.57.0 to 1.57.1.
    - [Release notes](https://github.com/grpc/grpc-go/releases)
    - [Commits](grpc/grpc-go@v1.57.0...v1.57.1)
    
    ---
    updated-dependencies:
    - dependency-name: google.golang.org/grpc
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit 074535f
  80. 🌱 Bump google.golang.org/grpc from 1.58.2 to 1.58.3 in /tools (ossf#3612)
    
    Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.58.2 to 1.58.3.
    - [Release notes](https://github.com/grpc/grpc-go/releases)
    - [Commits](grpc/grpc-go@v1.58.2...v1.58.3)
    
    ---
    updated-dependencies:
    - dependency-name: google.golang.org/grpc
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit 07b38cb
  81. 🌱 Bump ossf/scorecard-action from 2.3.0 to 2.3.1 (ossf#3599)

    Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.0 to 2.3.1.
    - [Release notes](https://github.com/ossf/scorecard-action/releases)
    - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
    - [Commits](ossf/scorecard-action@483ef80...0864cf1)
    
    ---
    updated-dependencies:
    - dependency-name: ossf/scorecard-action
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit 5ff9c3b
  82. 🌱 Bump github.com/google/osv-scanner from 1.4.1 to 1.4.2 (ossf#3608)

    Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.4.1 to 1.4.2.
    - [Release notes](https://github.com/google/osv-scanner/releases)
    - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
    - [Commits](google/osv-scanner@v1.4.1...v1.4.2)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/google/osv-scanner
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit 01011b3
  83. 🌱 Bump github.com/moby/buildkit from 0.12.2 to 0.12.3 (ossf#3589)

    Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.12.2 to 0.12.3.
    - [Release notes](https://github.com/moby/buildkit/releases)
    - [Commits](moby/buildkit@v0.12.2...v0.12.3)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/moby/buildkit
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit 1fd212f
  84. 🌱 Bump github.com/golangci/golangci-lint in /tools (ossf#3613)

    Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.55.0 to 1.55.1.
    - [Release notes](https://github.com/golangci/golangci-lint/releases)
    - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
    - [Commits](golangci/golangci-lint@v1.55.0...v1.55.1)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/golangci/golangci-lint
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit b99b069
  85. 🌱 Update stale workflow to exempt Structured Results milestone (ossf#3634)
    
    * 🌱 Update stale workflow to exempt Structured Results milestone
    
    * Removed duplicate line, updated stale-pr-message, and removed custom stale labels
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    afmarcum authored and diogoteles08 committed Nov 13, 2023
    Commit 7c620c7
  86. 🌱 Bump github.com/docker/docker (ossf#3627)

    Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.4+incompatible to 24.0.7+incompatible.
    - [Release notes](https://github.com/docker/docker/releases)
    - [Commits](moby/moby@v24.0.4...v24.0.7)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/docker/docker
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit e43b139
  87. 🌱 Bump github.com/docker/docker in /tools (ossf#3628)

    Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.6+incompatible to 24.0.7+incompatible.
    - [Release notes](https://github.com/docker/docker/releases)
    - [Commits](moby/moby@v24.0.6...v24.0.7)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/docker/docker
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit a6aae83
  88. 🌱 Bump github.com/go-logr/logr from 1.2.4 to 1.3.0 (ossf#3622)

    Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.2.4 to 1.3.0.
    - [Release notes](https://github.com/go-logr/logr/releases)
    - [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md)
    - [Commits](go-logr/logr@v1.2.4...v1.3.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/go-logr/logr
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit adadc37
  89. 🌱 Bump github.com/go-git/go-git/v5 from 5.9.0 to 5.10.0 (ossf#3623)

    Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.9.0 to 5.10.0.
    - [Release notes](https://github.com/go-git/go-git/releases)
    - [Commits](go-git/go-git@v5.9.0...v5.10.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/go-git/go-git/v5
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit 0e3bbb6
  90. 🌱 Bump github.com/onsi/gomega from 1.28.1 to 1.29.0 (ossf#3624)

    Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.28.1 to 1.29.0.
    - [Release notes](https://github.com/onsi/gomega/releases)
    - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
    - [Commits](onsi/gomega@v1.28.1...v1.29.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/onsi/gomega
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit 0a8ef7b
  91. 🌱 Bump cloud.google.com/go/bigquery from 1.56.0 to 1.57.1 (ossf#3638)

    Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.56.0 to 1.57.1.
    - [Release notes](https://github.com/googleapis/google-cloud-go/releases)
    - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
    - [Commits](googleapis/google-cloud-go@bigquery/v1.56.0...bigquery/v1.57.1)
    
    ---
    updated-dependencies:
    - dependency-name: cloud.google.com/go/bigquery
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit fef0fab
  92. 🐛 remove probe remediations from detail string (ossf#3642)

    For now, this is just producing very long detail strings.
    Probably negatively affecting cron results
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    spencerschrock authored and diogoteles08 committed Nov 13, 2023
    Commit 7eea83a
  93. 🌱 Bump github.com/spf13/cobra from 1.7.0 to 1.8.0 (ossf#3644)

    Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.7.0 to 1.8.0.
    - [Release notes](https://github.com/spf13/cobra/releases)
    - [Commits](spf13/cobra@v1.7.0...v1.8.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/spf13/cobra
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit e6a2d33
  94. 🌱 Convert Dangerous Workflow check to probes (ossf#3521)

    * 🌱 Convert Dangerous Workflow check to probes
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * remove hasAnyWorkflows probe
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * combine two conditionals into one
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * preserve logging from original evaluation
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * rebase
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    ---------
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    AdamKorcz authored and diogoteles08 committed Nov 13, 2023
    Commit b984da5
  95. 🌱 Convert SAST check to probes (ossf#3571)

    * Convert SAST checks to probes
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Update checks/evaluation/sast.go
    
    Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
    Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
    
    * preserve file info when logging positive Sonar findings
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * rebase
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Remove warning logging
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * add outcome and message to finding on the same line
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * codeql workflow -> codeql action
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * 'the Sonar' -> 'Sonar' in probe def.yml
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * fix typo
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Change how probe creates location
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Change names of values
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * change 'SAST tool detected: xx' to 'SAST tool installed: xx'
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * make text in probe def.yml easier to read
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Change 'to' to 'two'
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Minor change
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    ---------
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
    Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    2 people authored and diogoteles08 committed Nov 13, 2023
    Commit 5f5c0ad
  96. 🌱 Bump github.com/google/osv-scanner from 1.4.2 to 1.4.3 (ossf#3639)

    Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.4.2 to 1.4.3.
    - [Release notes](https://github.com/google/osv-scanner/releases)
    - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
    - [Commits](google/osv-scanner@v1.4.2...v1.4.3)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/google/osv-scanner
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit 303aa5d
  97. 🌱 Bump golang.org/x/text from 0.13.0 to 0.14.0 (ossf#3643)

    Bumps [golang.org/x/text](https://github.com/golang/text) from 0.13.0 to 0.14.0.
    - [Release notes](https://github.com/golang/text/releases)
    - [Commits](golang/text@v0.13.0...v0.14.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/text
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit c36e0b2
  98. 🌱 Bump github.com/golangci/golangci-lint in /tools (ossf#3645)

    Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.55.1 to 1.55.2.
    - [Release notes](https://github.com/golangci/golangci-lint/releases)
    - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
    - [Commits](golangci/golangci-lint@v1.55.1...v1.55.2)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/golangci/golangci-lint
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit b74b9d1
  99. 🐛 Pinned-Dependencies continues on error (ossf#3515)

    * Continue on error detecting OS
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    
    * Add tests for error detecting OS
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    
    * Add ElementError to identify elements that errored
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    
    * Add Incomplete field to PinningDependenciesData
    
    Will store all errors handled during analysis, which may lead to incomplete results.
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    
    * Register job steps that errored out
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    
    * Add tests that incomplete steps are caught
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    
    * Add warnings to details about incomplete steps
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    
    * Add tests that incomplete steps generate warnings
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    
    * Register shell files skipped due to parser errors
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    
    * Add tests showing when parser errors affect analysis
    
    Dockerfile pinning is not affected.
    Everything in a 'broken' Dockerfile RUN block is ignored
    Everything in a 'broken' shell script is ignored
    testdata/script-invalid.sh modified to demonstrate the above
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    
    * Incomplete results logged as Info, not Warn
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    
    * Remove `Type` from logging of incomplete results
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    
    * Update tests after rebase
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    
    * Add Unwrap for ElementError, improve its docs
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    
    * Add ElementError case to evaluation unit test
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    
    * Move ElementError to checker/raw_result
    
    checker/raw_result defines types used to describe analysis results.
    
    ElementError is meant to describe potential flaws in the analysis
    and is therefore a sort of analysis result itself.
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    
    * Use finding.Location for ElementError.Element
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    
    * Use an ElementError for script parser errors
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    
    * Replace .Incomplete []error with .ProcessingErrors []ElementError
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    
    * Adopt from reviewer comments
    
    - Replace ElementError's `Element *finding.Location`
      with `Location finding.Location`
    - Rename ErrorJobOSParsing to ErrJobOSParsing to satisfy linter
    - Fix unit test
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    
    ---------
    
    Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    pnacht authored and diogoteles08 committed Nov 13, 2023
    Commit 2ad51d6
  100. 🌱 Bump actions/dependency-review-action from 3.1.0 to 3.1.2 (ossf#3653)

    Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3.1.0 to 3.1.2.
    - [Release notes](https://github.com/actions/dependency-review-action/releases)
    - [Commits](actions/dependency-review-action@6c5ccda...fde92ac)
    
    ---
    updated-dependencies:
    - dependency-name: actions/dependency-review-action
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit 3ef09c5
  101. 🌱 Bump kubernetes-sigs/kubebuilder-release-tools (ossf#3637)

    Bumps [kubernetes-sigs/kubebuilder-release-tools](https://github.com/kubernetes-sigs/kubebuilder-release-tools) from 0.4.0 to 0.4.2.
    - [Release notes](https://github.com/kubernetes-sigs/kubebuilder-release-tools/releases)
    - [Changelog](https://github.com/kubernetes-sigs/kubebuilder-release-tools/blob/master/RELEASE.md)
    - [Commits](kubernetes-sigs/kubebuilder-release-tools@d8367c2...3c34113)
    
    ---
    updated-dependencies:
    - dependency-name: kubernetes-sigs/kubebuilder-release-tools
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit 7a14bf6
  102. 🌱 Bump tj-actions/changed-files from 39.2.3 to 40.1.1 (ossf#3657)

    Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.2.3 to 40.1.1.
    - [Release notes](https://github.com/tj-actions/changed-files/releases)
    - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
    - [Commits](tj-actions/changed-files@95690f9...25ef392)
    
    ---
    updated-dependencies:
    - dependency-name: tj-actions/changed-files
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit 0f292ff
  103. 🌱 Bump sigstore/cosign-installer from 3.1.2 to 3.2.0 (ossf#3651)

    Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.1.2 to 3.2.0.
    - [Release notes](https://github.com/sigstore/cosign-installer/releases)
    - [Commits](sigstore/cosign-installer@11086d2...1fc5bd3)
    
    ---
    updated-dependencies:
    - dependency-name: sigstore/cosign-installer
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit 8967f45
  104. 🌱 Bump slsa-framework/slsa-verifier from 2.4.0 to 2.4.1 (ossf#3652)

    Bumps [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) from 2.4.0 to 2.4.1.
    - [Release notes](https://github.com/slsa-framework/slsa-verifier/releases)
    - [Changelog](https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md)
    - [Commits](slsa-framework/slsa-verifier@v2.4.0...v2.4.1)
    
    ---
    updated-dependencies:
    - dependency-name: slsa-framework/slsa-verifier
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit 9d100ee
  105. 🌱 Bump github.com/onsi/gomega from 1.29.0 to 1.30.0 (ossf#3659)

    Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.29.0 to 1.30.0.
    - [Release notes](https://github.com/onsi/gomega/releases)
    - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
    - [Commits](onsi/gomega@v1.29.0...v1.30.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/onsi/gomega
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    dependabot[bot] authored and diogoteles08 committed Nov 13, 2023
    Commit d0cfcc2
  106. 🌱 speedup slowest e2e tests (ossf#3656)

    * switch ossfuzz test to smaller repo
    
    tensorflow/tensorflow is huge, and this causes the test to take forever.
    locally this reduces the test time from 17 to 2.4 seconds
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    * reuse scorecard results for scorecard attestor policies
    
    previously this test took 27 seconds locally, and now takes 8.
    which is split across 3 subtests:
    good repos: 1s
    bad repos: 5s
    code review policies: 2s
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    
    ---------
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    spencerschrock authored and diogoteles08 committed Nov 13, 2023
    Commit d6b8643
  107. 🌱 Add dependency remediation in raw results instead of at log time (ossf#3632)
    
    * 🌱 Add dependency remediation in raw results instead of at log time
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * add unit test
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * add unit test
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * return error
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * use pointer to dependency
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * check for errors in test
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Return nil if repo client returns an error from unsupported feature
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * revert error checking
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * revert returning nil is unsupported feature
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * Fix wrong test name
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * only create remediation when required
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    * remove remediation helper function
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    
    ---------
    
    Signed-off-by: AdamKorcz <adam@adalogics.com>
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    AdamKorcz authored and diogoteles08 committed Nov 13, 2023
    3ed5c7b
  108. 🌱 configure dependabot to group (most) GitHub actions weekly (ossf#3655)

    actions which influence the build/release process are excluded.
    dependabot will send individual updates for those.
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    spencerschrock authored and diogoteles08 committed Nov 13, 2023
    1b85c52
  109. 95b09cb

Commits on Nov 17, 2023

  1. doc(branch-protection): add code comment explaining different weight on tier 2 scores
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 17, 2023
    7405a47
  2. refactor(branch-protection): avoid duplicate if branches on reviewers num comparison
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 17, 2023
    Configuration menu
    Copy the full SHA
    80f60e9 View commit details
    Browse the repository at this point in the history
  3. docs(branch-protection): clarify commentings around data structure

    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 17, 2023
    6ff36d7
  4. refactor: clean code on parsing GitHub BP data

    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 17, 2023
    5759623

Commits on Nov 20, 2023

  1. feat(branch-protection): resignify the nil PullRequestReviewRule to mean PR not required
    
    Adapt translation of data from GitHub API, now for our internal data
    modeling, having a nil PullRequestReviewRule structure will mean that
    PRs are not required on the repo (can also mean we don't have data to
    ensure that).
    
    It also changes the order of the calls of copyNonAdminSettings and
    copyAdminSettings to make the first one be called first. This eases the
    code because the PullRequestReviewRule can be always instantiated at
    this function.
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 20, 2023
    2efeee6
  2. test(branch-protection): ensure we translate GitHub BP data as expected

    Ensure we're correctly translating GitHub data from the old Branch
    Protection config.
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 20, 2023
    6786caf
  3. feat(branch-protection): adapt score evaluation after 2efeee6

    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 20, 2023
    f85e516

Commits on Nov 21, 2023

  1. test(branch-protection): adapt testings to changes of last commits

    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 21, 2023
    8be4fe5
  2. docs(branch-protection): add TODO comments pointing refactor opportunities
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Nov 21, 2023
    00ddeb0
  3. d63e71b

Commits on Dec 6, 2023

  1. fix: avoid penalizing non-admin for dismissStaleReview

    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Dec 6, 2023
    6858790
  2. fix(branch-protection): prevent false value from API field to become nil

    When translating the API results, if the specific field `DismissesStaleReviews`
    had a false value, it was not being initiated in our data model and was
    remaining nil.
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Dec 6, 2023
    f187795
  3. refactor: clarify different weight on first reviewer

    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Dec 6, 2023
    8f3d972
  4. refactor: enhance clarity of loggings and comments

    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Dec 6, 2023
    620bb93
  5. test(branch-protection): new test to cover different rules affecting same branch
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Dec 6, 2023
    14acff3
  6. docs(branch-protection): change requirements ordering to keep admin ones together
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Dec 6, 2023
    5a18a16
  7. refactor(branch-protection): simplify auxiliary function

    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Dec 6, 2023
    13d0ff6
  8. refactor(branch-protection): fix code format to linter requirements

    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Dec 6, 2023
    884e685
  9. refactor(branch-protection): avoid unnecessary initializations and rename function
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Dec 6, 2023
    906e487
  10. test(branch-protection): adapt test that was forgotten on commit 6858790

    
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Dec 6, 2023
    ad11f66

Commits on Dec 8, 2023

  1. refactor(branch-protection): use enums to represent tiers

    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Dec 8, 2023
    20ba242
  2. refactor(branch-protection): remove nil fields of struct initialization when they don't contribute for clarification
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Dec 8, 2023
    1dd2bbd
  3. refactor(branch-protection): simplify functions by using generics

    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Dec 8, 2023
    31b6e31
  4. docs(branch-protection): update docs after generate-docs run

    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Dec 8, 2023
    fbe061f
  5. fix(branch-protection): fix duplicated line on code

    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Dec 8, 2023
    a6e27c4
  6. def3081

Commits on Dec 11, 2023

  1. fix(branch-protection): stop exporting Tier enum

    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Dec 11, 2023
    131cadf
  2. refactor(branch-protection): changing unchanged var to const

    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Dec 11, 2023
    7a0dc73
  3. test(branch-protection): Rename test and adapt it to be consistent with its purpose
    
    I also changed the test to not require PRs, as it's how it is when a new GitHub
    Branch Protection config is created. The changes on the loggings numbers are due
    to:
    1. A warning for not having DismissStaleReviews became a debug
    2. Removed the warning we had for not requiring CodeOwners
    3. Have a new warning for not requiring PRs
    
    Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
    diogoteles08 committed Dec 11, 2023
    f639ebf

Commits on Dec 12, 2023

  1. fix e2e-pat tests

    Signed-off-by: Spencer Schrock <sschrock@google.com>
    spencerschrock committed Dec 12, 2023
    fd5b663
  2. Merge branch 'main' into feat/branch-protection-recognize-rule-changes-only-through-pr
    
    Signed-off-by: Spencer Schrock <sschrock@google.com>
    spencerschrock committed Dec 12, 2023
    f78b2f0