Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ Add Sonatype Lift as a dependency update tool, doc upgrade #2328

Merged
merged 4 commits into from
Oct 19, 2022
Merged

✨ Add Sonatype Lift as a dependency update tool, doc upgrade #2328

merged 4 commits into from
Oct 19, 2022

Conversation

theresa-m
Copy link
Contributor

@theresa-m theresa-m commented Oct 4, 2022
edited
Loading

What kind of change does this PR introduce?

This change adds Sonatype Lift as a dependency update tool and updates documentation to include Lift and the previously added PyUp tool.

What is the current behavior?

dependabot, renovatebot, PyUp are recognized dependency upgrade tools.

What is the new behavior (if this is a feature change)?**

Configuration files for Sonatype Lift are detected as an option for the dependency update tool check.

  • Tests for the changes have been added (for bug fixes/features)
    I've added Lift configuration file names to an existing test although it doesn't appear to actually run. Please advise if this test was intended to be removed.

Which issue(s) this PR fixes

#2312

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

Projects using Sonatype Lift will pass the Dependency Update Tool check if a .lift/config.toml and .lift.toml exists.

@azeemshaikh38
Copy link
Contributor

@theresa-m looking at https://help.sonatype.com/lift, Sonatype Lift seems to be a code analysis tool and not really something that helps with automatic dependency updates?

@theresa-m theresa-m temporarily deployed to integration-test October 4, 2022 22:11 Inactive
@github-actions
Copy link

github-actions bot commented Oct 4, 2022

Integration tests success for
[bb6fa01]
(https://github.com/ossf/scorecard/actions/runs/3185804523)

@theresa-m
Copy link
Contributor Author

theresa-m commented Oct 4, 2022
edited
Loading

hey @azeemshaikh38 Lift notifies projects of new and existing vulnerabilities in dependencies. The goal of the dependency upgrade tool is to keep projects up to date in hopes of avoiding vulnerable versions. I believe they accomplish that same goal.

@codecov
Copy link

codecov bot commented Oct 11, 2022
edited
Loading

Codecov Report

Merging #2328 (6dbed17) into main (2f504b7) will increase coverage by 0.06%.
The diff coverage is 100.00%.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2328      +/-   ##
==========================================
+ Coverage   40.55%   40.61%   +0.06%     
==========================================
  Files         112      112              
  Lines        8822     8831       +9     
==========================================
+ Hits         3578     3587       +9     
  Misses       4984     4984              
  Partials      260      260

@azeemshaikh38 azeemshaikh38 temporarily deployed to integration-test October 11, 2022 17:57 Inactive
@github-actions
Copy link

Integration tests success for
[b3555be]
(https://github.com/ossf/scorecard/actions/runs/3229092553)

@theresa-m theresa-m temporarily deployed to integration-test October 17, 2022 14:23 Inactive
@theresa-m theresa-m temporarily deployed to integration-test October 17, 2022 14:27 Inactive
@github-actions
Copy link

Integration tests success for
[76169d4]
(https://github.com/ossf/scorecard/actions/runs/3265950224)

@github-actions
Copy link

Integration tests success for
[074a458]
(https://github.com/ossf/scorecard/actions/runs/3265986088)

@theresa-m @naveensrinivasan
Add Sonatype Lift as a dependency update tool, doc upgrade
508b16f 
Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>
@theresa-m @naveensrinivasan
Fix integration tests
ff37bea 
Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>
@theresa-m @naveensrinivasan
Generate docs
b11042c 
Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>
@naveensrinivasan naveensrinivasan enabled auto-merge (squash) October 17, 2022 16:30
@azeemshaikh38 azeemshaikh38 temporarily deployed to integration-test October 19, 2022 15:12 Inactive
@github-actions
Copy link

Integration tests success for
[6dbed17]
(https://github.com/ossf/scorecard/actions/runs/3282781451)

@naveensrinivasan naveensrinivasan merged commit 3f58335 into ossf:main Oct 19, 2022
latortuga71 pushed a commit to latortuga71/scorecard that referenced this pull request Oct 27, 2022
@theresa-m
✨ Add Sonatype Lift as a dependency update tool, doc upgrade (ossf#2328)
a571d2e 
* Add Sonatype Lift as a dependency update tool, doc upgrade

Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>

* Fix integration tests

Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>

* Generate docs

Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>

Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>
Signed-off-by: latortuga <latortugaaaa>
N8BWert pushed a commit to N8BWert/scorecard that referenced this pull request Nov 28, 2022
@theresa-m
✨ Add Sonatype Lift as a dependency update tool, doc upgrade (ossf#2328)
13f46bc 
* Add Sonatype Lift as a dependency update tool, doc upgrade

Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>

* Fix integration tests

Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>

* Generate docs

Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>

Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>
Signed-off-by: nathaniel.wert <nathaniel.wert@kudelskisecurity.com>
N8BWert pushed a commit to N8BWert/scorecard that referenced this pull request Nov 28, 2022
@theresa-m
✨ Add Sonatype Lift as a dependency update tool, doc upgrade (ossf#2328)
90ba719 
* Add Sonatype Lift as a dependency update tool, doc upgrade

Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>

* Fix integration tests

Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>

* Generate docs

Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>

Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>
Signed-off-by: nathaniel.wert <nathaniel.wert@kudelskisecurity.com>
raghavkaul pushed a commit to raghavkaul/scorecard that referenced this pull request Feb 9, 2023
@theresa-m @raghavkaul
✨ Add Sonatype Lift as a dependency update tool, doc upgrade (ossf#2328)
0d01022 
* Add Sonatype Lift as a dependency update tool, doc upgrade

Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>

* Fix integration tests

Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>

* Generate docs

Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>

Signed-off-by: Theresa Mammarella <mammarellatheresa8@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@azeemshaikh38 azeemshaikh38 azeemshaikh38 approved these changes

@olivekl olivekl Awaiting requested review from olivekl

@justaugustus justaugustus Awaiting requested review from justaugustus

@laurentsimon laurentsimon Awaiting requested review from laurentsimon

@naveensrinivasan naveensrinivasan Awaiting requested review from naveensrinivasan

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@theresa-m @azeemshaikh38 @naveensrinivasan