✨ Add support for Nuget restore #4157
/scdiff generate Pinned-Dependencies
I'll preface this by saying I'm not familiar with the C# ecosystem, but the changes seem reasonable, given the documentation:
The implementation seems fine, and the tests match expectations. I'm not sure any of our
Thank you for the review @spencerschrock ! I am sorry that I did not provide enough information for folks who are unfamiliar with the dotnet/nuget ecosystem. Here are some repos I found that could be used for testing: https://github.com/PlexRipper/PlexRipper (locked with dotnet) I'll try to get someone from the nuget/dotnet tool to review this as well.
Follow-up question: is there a way that I can search for other files in the repo during the dependency check? The reason I am asking is because the current implementation does not support locking the dependency by using the .csproj file attribute "RestoreLockedMode" (which is being used, as far as I can tell: https://github.com/search?q=path%3A**%2F*.csproj%20RestoreLockedMode&type=code).
Thanks for the info!
Note: I'm not seeing this one detected.
```
go run main.go --repo PULSAR-Modders/pulsar-mod-loader --checks Pinned-Dependencies --format json --show-details | jq
```
Generally this is done via
I'm curious how we would tie a given
agreed, for a different PR
Signed-off-by: balteraivshay <avishay.balter@gmail.com>
Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.7.3 to 1.7.4.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](google/osv-scanner@v1.7.3...v1.7.4)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: balteraivshay <avishay.balter@gmail.com>
…pm database (ossf#4118)

* Update endpoint used when getting repo from npm to solve ossf#3166
  Signed-off-by: aklevans <alexklevans@gmail.com>
* Update test files to account for endpoint change when getting repo from npm
  Signed-off-by: aklevans <alexklevans@gmail.com>
* Fix linter issues
  Signed-off-by: aklevans <alexklevans@gmail.com>
* Added unit tests for ossf#3166 and ossf#2441
  Signed-off-by: aklevans <alexklevans@gmail.com>
* fix linter issues and reduce mock json output in package_manager_test to only include necessary data
  Signed-off-by: aklevans <alexklevans@gmail.com>
* fix linter issues in package_managers.go
  Signed-off-by: aklevans <alexklevans@gmail.com>
* convert windows line breaks to linux
  Signed-off-by: aklevans <alexklevans@gmail.com>
* reduce test case size, still has windows line breaks
  Signed-off-by: aklevans <alexklevans@gmail.com>
* Fix unit tests
  Signed-off-by: aklevans <alexklevans@gmail.com>
* attempt linter fix
  Signed-off-by: aklevans <alexklevans@gmail.com>
* Fix linter issues stemming from windows line breaks
  Signed-off-by: aklevans <alexklevans@gmail.com>
* Remove magic number and rename variable to be more accurate
  Signed-off-by: aklevans <alexklevans@gmail.com>

---------

Signed-off-by: aklevans <alexklevans@gmail.com>
Signed-off-by: aklevans <105876795+aklevans@users.noreply.github.com>
Signed-off-by: balteraivshay <avishay.balter@gmail.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: balteraivshay <avishay.balter@gmail.com>
Before this change, when running with '-o foo' the output would end with:
```
RESULTS
-------
```
This was rather confusing. There's of course many ways to make this more clear, this commit adds a log line announcing where the output is written to:
```
RESULTS
-------
Writing to foo
```
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
Signed-off-by: balteraivshay <avishay.balter@gmail.com>
* fix unlicense detection

  The code previously had some special logic for handling the Unlicense SPDX identifier. While this worked for local file detection, it broke detection for SPDX identifiers provided by the forge. This change moves the logic to the part of the code concerned with local file detection, so both work now.

  Signed-off-by: Spencer Schrock <sschrock@google.com>
* remove part of comment which is no longer relevant

  Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
Signed-off-by: balteraivshay <avishay.balter@gmail.com>
* add projectpackageversions to signed releases raw results
  Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* finding: add NewNot* helpers, fix error msg
  Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* probe: releasesHaveVerifiedProvenance
  Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* logging
  Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* fix tests and lint
  Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* address comments
  Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* remove unused
  Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
* fix merge conflict
  Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

---------

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
Signed-off-by: balteraivshay <avishay.balter@gmail.com>
Sorry, forgot to push a fix in the supportedShells. Please pull and try again.
Ah, I didn't look too closely at why it wasn't parsing. We may need to back this out (haven't had time to look at it closely yet). `// supportedShells is the list of shells that are supported by mvdan.cc/sh/v3/syntax.` And
Yes, I see your point. But TBH, it is not the "common" case. Thoughts?
This pull request has been marked stale because it has been open for 10 days with no activity
Let's undo 9e66eb2 for now, and we can merge this in with partial support.
This reverts commit 9e66eb2. Signed-off-by: Spencer Schrock <sschrock@google.com>
Thanks for the PR! I went ahead and reverted the supported shell change to at least get partial support before our next release.
What kind of change does this PR introduce?
Add support for checking Nuget repeatable builds through the Pinned-Dependency checks.
This supports nuget cli, dotnet cli and msbuild through an explicit restore command with the locked mode feature such as:
It does not support implicit restores through build command such as
and does not support the csproj definition of the RestoreLockedMode attribute.
What is the current behavior?
dotnet/nuget restore commands are not being evaluated when calculating the Pinned-Dependency score.
What is the new behavior (if this is a feature change)?
dotnet, nuget and msbuild restore commands are validated for using the "locked mode" flag which assumes that the repository has a lock file and that it cannot be changed during a CI build.
Which issue(s) this PR fixes
Fixes #2865
Special notes for your reviewer
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to the release-note
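As an added illustration (not scorecard's code and not this PR's diff) of the rule the description states, in Go: classify a restore command as explicit-and-locked or not, with the csproj form from the follow-up question covered by a second function. The spellings of the three locked-mode switches and the csproj property are taken from the tools' documentation, not from this page.

```go
package main

import (
	"path"
	"regexp"
	"strings"
)

// hasAny reports whether any token equals one of want (NuGet.exe and MSBuild
// switches are case-insensitive, so compare with EqualFold).
func hasAny(args []string, want ...string) bool {
	for _, a := range args {
		for _, w := range want {
			if strings.EqualFold(a, w) {
				return true
			}
		}
	}
	return false
}

// classifyRestore is a constructed stand-in for the check the PR describes
// (scorecard parses the shell with mvdan.cc/sh; this only splits on spaces).
// It returns the tool, whether the command is an explicit restore, and whether
// that restore runs in locked mode. Implicit restores ("dotnet build") are not counted.
func classifyRestore(cmd string) (tool string, isRestore, locked bool) {
	tok := strings.Fields(cmd)
	if len(tok) == 0 {
		return "", false, false
	}
	tool = strings.TrimSuffix(strings.ToLower(path.Base(tok[0])), ".exe")
	args := tok[1:]
	r := hasAny(args, "restore") // explicit restore subcommand of dotnet/nuget
	switch tool {
	case "dotnet": // dotnet restore --locked-mode
		return tool, r, r && hasAny(args, "--locked-mode")
	case "nuget": // nuget restore -LockedMode
		return tool, r, r && hasAny(args, "-LockedMode")
	case "msbuild": // msbuild -t:restore -p:RestoreLockedMode=true
		r = hasAny(args, "-restore", "/restore", "-r", "/r", "-t:restore", "/t:restore")
		return tool, r, r && hasAny(args, "-p:RestoreLockedMode=true", "/p:RestoreLockedMode=true")
	}
	return "", false, false // not a NuGet-related tool
}

// csprojLockedMode covers the .csproj form the PR does not yet handle:
// a <RestoreLockedMode>true</RestoreLockedMode> property in the project file.
var csprojLockedModeRe = regexp.MustCompile(`(?i)<RestoreLockedMode>\s*true\s*</RestoreLockedMode>`)

func csprojLockedMode(projectXML string) bool { return csprojLockedModeRe.MatchString(projectXML) }
```

A command that is a restore but not locked is the case the check should score down: the lock file exists but nothing stops the CI run from rewriting it.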