
🐛 License: npe #3500

Merged: 1 commit, Sep 20, 2023

Conversation

raghavkaul (Contributor)

What kind of change does this PR introduce?

Fix NPE in licenses check

Signed-off-by: Raghav Kaul <raghavkaul@google.com>
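The failure mode this PR fixes, shown as an added example that is not Scorecard's own code: a Go struct mirroring the shape of a GitLab project API response, in which the license object is a pointer that stays nil when the API returns no license data (the field is null, or absent, for projects without a detected license). The struct, field names, accessor functions and sample responses below are constructed for illustration; the real client library models the license as a pointer in the same way, which is what makes the nil dereference reachable.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// projectLicense and project are hypothetical mirrors of the parts of a GitLab
// project response a license check would read. They are not the project's
// own types.
type projectLicense struct {
	Key  string `json:"key"`
	Name string `json:"name"`
}

type project struct {
	PathWithNamespace string          `json:"path_with_namespace"`
	LicenseURL        string          `json:"license_url"`
	License           *projectLicense `json:"license"`
}

// Constructed sample responses: one project with license data, one without.
// encoding/json leaves the License pointer nil for the second one.
const withLicense = `{"path_with_namespace":"group/app","license_url":"https://gitlab.example/group/app/-/blob/main/LICENSE","license":{"key":"apache-2.0","name":"Apache License 2.0"}}`
const withoutLicense = `{"path_with_namespace":"group/app","license_url":"","license":null}`

// unguardedLicenseName is the shape of the bug: it assumes License is set and
// panics with a nil pointer dereference when the API returned no license.
func unguardedLicenseName(p *project) string {
	return p.License.Name
}

// licenseName is the guarded form: it reports "no license data" instead of
// panicking, so the check can score the repo as having no detectable license.
func licenseName(p *project) (string, bool) {
	if p == nil || p.License == nil {
		return "", false
	}
	return p.License.Name, true
}

// parseProject decodes one project response.
func parseProject(raw string) (*project, error) {
	var p project
	if err := json.Unmarshal([]byte(raw), &p); err != nil {
		return nil, fmt.Errorf("decoding project: %w", err)
	}
	return &p, nil
}

// panics reports whether fn ends in a panic, so the crash can be demonstrated
// without taking the whole program down.
func panics(fn func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	for _, raw := range []string{withLicense, withoutLicense} {
		p, err := parseProject(raw)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		crashed := panics(func() { _ = unguardedLicenseName(p) })
		name, ok := licenseName(p)
		fmt.Printf("%s: unguarded panics=%v, guarded=(%q, %v)\n", p.PathWithNamespace, crashed, name, ok)
	}
}
```

The guard belongs at the point where the API result is first read, not deeper in scoring: a nil license is a legitimate answer from the API (no license detected), so the check should treat it as "no license found" rather than as an error or a crash.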
codecov bot commented Sep 20, 2023

Codecov Report

Merging #3500 (29a6c7b) into main (fe7906f) will decrease coverage by 9.98%.
The diff coverage is 0.00%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3500      +/-   ##
==========================================
- Coverage   74.33%   64.35%   -9.98%     
==========================================
  Files         187      187              
  Lines       13374    13378       +4     
==========================================
- Hits         9941     8610    -1331     
- Misses       2874     4296    +1422     
+ Partials      559      472      -87     

@spencerschrock spencerschrock merged commit 0ce62a8 into ossf:main Sep 20, 2023
40 of 41 checks passed
ashearin pushed a commit to kgangerlm/scorecard-gitlab that referenced this pull request Nov 13, 2023
Signed-off-by: Raghav Kaul <raghavkaul@google.com>
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
cx-monicac added a commit to SCS-Micro-Engines/scorecard-cx that referenced this pull request Feb 28, 2024
* :bug: Fix npe for GitLab repos without license API data (#3500)

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* bump actionlint.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix unit tests.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* include latest update.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>

* :seedling: Bump github.com/onsi/gomega from 1.27.10 to 1.28.0 (#3523)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.10 to 1.28.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.10...v1.28.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ✨ Add --output argument to write results to file (#3482)

* feat: Create output file argument

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* feat: Write results to output file

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Default results format output

Print results headline to output, which may be a file.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* feat: Log start and end of checks work to console

Independent of the logs being output to console or a file, the information on which checks are running is still relevant. Now, we always log this info to the console.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Fix options unit tests

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Output option content and shorthand

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Output to file with correct format

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Fix helper function with linter error

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Define output to console or file inside FormatResults

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Remove intermediate variable to define output

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Fix error log

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Close output file before write results

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Fix unit test

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Fix remove file even if test fails

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Fix fail test cases

Fail test if cannot format results or cannot read real or expected outputs.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Copyright notice year and license header spacing

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Rename Output to ResultsFile

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Linter errors

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* Revert "feat: Log start and end of checks work to console"

This reverts commit c4a00a5ca7268d91940dd2784277373e630fcad2.

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Print results headline in default format

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: Fix default format result test

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Close output only when it's file

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: Linter error

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

---------

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* :seedling: Bump step-security/harden-runner from 2.5.1 to 2.6.0 (#3532)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.5.1 to 2.6.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/8ca2b8b2ece13480cda6dacd3511b49857a23c09...1b05615854632b887b69ae1be8cbefe72d3ae423)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump tj-actions/changed-files from 39.1.2 to 39.2.1 (#3531)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.1.2 to 39.2.1.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/41960309398d165631f08c5df47a11147e14712b...db153baf731265ad02cd490b07f470e2d55e3345)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Fix race condition in output file test. (#3533)

Signed-off-by: Spencer Schrock <sschrock@google.com>

* :book: Fix documentation typos (#3505)

* fix typo

Signed-off-by: omahs <73983677+omahs@users.noreply.github.com>

* fix typos

Signed-off-by: omahs <73983677+omahs@users.noreply.github.com>

* fix typo

Signed-off-by: omahs <73983677+omahs@users.noreply.github.com>

* fix typo

Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>
Signed-off-by: omahs <73983677+omahs@users.noreply.github.com>

* fix typos

Signed-off-by: omahs <73983677+omahs@users.noreply.github.com>

---------

Signed-off-by: omahs <73983677+omahs@users.noreply.github.com>

* :sparkles: broaden job matcher for semantic release (#3506)

* feat: broaden job matcher for semantic release

Signed-off-by: secustor <sebastian@poxhofer.at>

* tests(checks/permissions): add tests for semantic release if using pnpm and yarn

Signed-off-by: secustor <sebastian@poxhofer.at>

---------

Signed-off-by: secustor <sebastian@poxhofer.at>

* :seedling: Bump nick-invision/retry from 2.8.3 to 2.9.0 (#3519)

Bumps [nick-invision/retry](https://github.com/nick-invision/retry) from 2.8.3 to 2.9.0.
- [Release notes](https://github.com/nick-invision/retry/releases)
- [Changelog](https://github.com/nick-fields/retry/blob/master/.releaserc.js)
- [Commits](https://github.com/nick-invision/retry/compare/943e742917ac94714d2f408a0e8320f2d1fcafcd...14672906e672a08bd6eeb15720e9ed3ce869cdd4)

---
updated-dependencies:
- dependency-name: nick-invision/retry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump github.com/xanzy/go-gitlab from 0.92.1 to 0.92.3 (#3528)

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.92.1 to 0.92.3.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.92.1...v0.92.3)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump github.com/otiai10/copy from 1.12.0 to 1.14.0 (#3527)

Bumps [github.com/otiai10/copy](https://github.com/otiai10/copy) from 1.12.0 to 1.14.0.
- [Release notes](https://github.com/otiai10/copy/releases)
- [Commits](https://github.com/otiai10/copy/compare/v1.12.0...v1.14.0)

---
updated-dependencies:
- dependency-name: github.com/otiai10/copy
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump github.com/google/osv-scanner from 1.4.0 to 1.4.1 (#3536)

Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.4.0 to 1.4.1.
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google/osv-scanner/compare/v1.4.0...v1.4.1)

---
updated-dependencies:
- dependency-name: github.com/google/osv-scanner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump github.com/xanzy/go-gitlab from 0.92.3 to 0.93.0 (#3537)

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.92.3 to 0.93.0.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.92.3...v0.93.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :sparkles: scdiff: Limit generating results to specific checks (#3535)

* accept checks arg when generating golden.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* don't shadow import

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>

* :seedling: Add probe test utility (#3541)

Signed-off-by: AdamKorcz <adam@adalogics.com>

* :seedling: Sort fields of raw results alphabetically (#3540)

Signed-off-by: AdamKorcz <adam@adalogics.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* :seedling: Bump ossf/scorecard-action from 2.2.0 to 2.3.0 (#3544)

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](https://github.com/ossf/scorecard-action/compare/08b4669551908b1024bb425080c797723083c031...483ef80eb98fb506c348f7d62e28055e49fe2398)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump golang.org/x/oauth2 from 0.12.0 to 0.13.0 (#3545)

Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.12.0 to 0.13.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.12.0...v0.13.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump github.com/xanzy/go-gitlab from 0.93.0 to 0.93.1 (#3546)

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.93.0 to 0.93.1.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.93.0...v0.93.1)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump distroless/base from `27647a6` to `29da700` and golang from `ec457a2` to `e9ebfe9` (#3548)

* bump distroless.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* bump golang 1.21

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>

* :seedling: Bump cloud.google.com/go/bigquery from 1.55.0 to 1.56.0 (#3538)

Bumps [cloud.google.com/go/bigquery](https://github.com/googleapis/google-cloud-go) from 1.55.0 to 1.56.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/bigquery/v1.55.0...bigquery/v1.56.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/bigquery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Add OutcomeNotApplicable (#3539)

Signed-off-by: AdamKorcz <adam@adalogics.com>

* :sparkles: Add additional fuzzing probes (#3473)

* Extend with additional fuzzing probes

Signed-off-by: David Korczynski <david@adalogics.com>

* fix formatting

Signed-off-by: David Korczynski <david@adalogics.com>

* cleanup formatting

Signed-off-by: David Korczynski <david@adalogics.com>

* make skip testing optional

Signed-off-by: David Korczynski <david@adalogics.com>

* address reviews

Signed-off-by: David Korczynski <david@adalogics.com>

* add todo

Signed-off-by: David Korczynski <david@adalogics.com>

* nit

Signed-off-by: David Korczynski <david@adalogics.com>

* nit

Signed-off-by: David Korczynski <david@adalogics.com>

* add swift fuzzing probe

Signed-off-by: David Korczynski <david@adalogics.com>

* avoid changing OnMatchingFileContentDo

Signed-off-by: David Korczynski <david@adalogics.com>

* nit

Signed-off-by: David Korczynski <david@adalogics.com>

* undo matching file content extension

Signed-off-by: David Korczynski <david@adalogics.com>

* nit: fix constant

Signed-off-by: David Korczynski <david@adalogics.com>

* test all fileMatchPatterns per client

Signed-off-by: David Korczynski <david@adalogics.com>

* fix test logging counts

Signed-off-by: David Korczynski <david@adalogics.com>

* nit

Signed-off-by: David Korczynski <david@adalogics.com>

---------

Signed-off-by: David Korczynski <david@adalogics.com>

* :book: fix "default" typo (#3543)

Signed-off-by: guoguangwu <guoguangwu@magic-shield.com>

* :seedling: checks/raw: fix struct alignment linter issue (#3550)

Signed-off-by: Spencer Schrock <sschrock@google.com>

* :seedling: Add map to Finding (#3558)

Signed-off-by: AdamKorcz <adam@adalogics.com>

* :seedling: Bump golang.org/x/net from 0.16.0 to 0.17.0 (#3563)

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.16.0 to 0.17.0.
- [Commits](https://github.com/golang/net/compare/v0.16.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump golang.org/x/net from 0.14.0 to 0.17.0 in /tools (#3562)

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.14.0 to 0.17.0.
- [Commits](https://github.com/golang/net/compare/v0.14.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Adding all Intel public GitHub repos (#3556)

Signed-off-by: Ryan Ware <ryan.ware@intel.com>

* :seedling: Bump github.com/onsi/ginkgo/v2 from 2.12.1 to 2.13.0 (#3551)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.1 to 2.13.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.12.1...v2.13.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump github.com/onsi/ginkgo/v2 in /tools (#3552)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.12.1 to 2.13.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.12.1...v2.13.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#3557)

Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.9 to 0.6.0.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.9...v0.6.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump kubernetes-sigs/kubebuilder-release-tools (#3553)

Bumps [kubernetes-sigs/kubebuilder-release-tools](https://github.com/kubernetes-sigs/kubebuilder-release-tools) from 0.3.0 to 0.4.0.
- [Release notes](https://github.com/kubernetes-sigs/kubebuilder-release-tools/releases)
- [Changelog](https://github.com/kubernetes-sigs/kubebuilder-release-tools/blob/master/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/kubebuilder-release-tools/compare/4f3d1085b4458a49ed86918b4b55505716715b77...d8367c29de8af903319d3a76de2436672515729b)

---
updated-dependencies:
- dependency-name: kubernetes-sigs/kubebuilder-release-tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :bug: Fix wrong quotes (#3565)

Signed-off-by: AdamKorcz <adam@adalogics.com>

* :seedling: Add new outcome to UnmarshalYAML (#3566)

Signed-off-by: AdamKorcz <adam@adalogics.com>

* :bug: scdiff: fix generate cmd when no --checks arg provided. (#3570)

Signed-off-by: Spencer Schrock <sschrock@google.com>

* :sparkles: scdiff: improve `compare` usability (#3573)

* fallback to cron style when parsing dates.

The cron output was never updated in #2712. In the interim, support both formats.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* continue on first diff, to highlight all differences.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* tests for date fallback.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>

* :sparkles: Add fast-check test runners integrations (#3568)

Signed-off-by: Pierre Cavin <me@sherlox.io>

* :seedling: Bump github.com/bradleyfalzon/ghinstallation/v2 (#3575)

Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.7.0 to 2.8.0.
- [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases)
- [Commits](https://github.com/bradleyfalzon/ghinstallation/compare/v2.7.0...v2.8.0)

---
updated-dependencies:
- dependency-name: github.com/bradleyfalzon/ghinstallation/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump tj-actions/changed-files from 39.2.1 to 39.2.3 (#3577)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.2.1 to 39.2.3.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/db153baf731265ad02cd490b07f470e2d55e3345...95690f9ece77c1740f4a55b7f1de9023ed6b1f87)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump github.com/google/ko from 0.14.1 to 0.15.0 in /tools (#3578)

Bumps [github.com/google/ko](https://github.com/google/ko) from 0.14.1 to 0.15.0.
- [Release notes](https://github.com/google/ko/releases)
- [Changelog](https://github.com/ko-build/ko/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/ko/compare/v0.14.1...v0.15.0)

---
updated-dependencies:
- dependency-name: github.com/google/ko
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump actions/checkout from 4.1.0 to 4.1.1 (#3580)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.0 to 4.1.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/8ade135a41bc03ea155e62e844d188df1ea18608...b4ffde65f46336ab88eb53be808477a3936bae11)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :bug: SAST detect new GitHub app slug for CodeQL (#3591)

* Fix SAST no longer working for CodeQL

The app slug for CodeQL appears to have changed from `github-advanced-security` to `github-code-scanning`, causing the SAST rule to false-negative on commits.

Signed-off-by: martincostello <martin@martincostello.com>

* Fix lint warning

Fix lint warning.

Signed-off-by: martincostello <martin@martincostello.com>

---------

Signed-off-by: martincostello <martin@martincostello.com>

* :seedling: enable the golangci-lint `bugs` preset (#3583)

* enable bugs preset

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix noctx linter

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix bodyclose linter

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix contextcheck linter

Signed-off-by: Spencer Schrock <sschrock@google.com>

* This ignores all existing cases of musttag linter complaints.

This analyzer seems useful in the future, but some of this code
is old and I don't want to change it for existing code now.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* ignore existing nilerr lints.

This behavior is from the initial commit, and primarily affects metrics.
Leaving as is, and hope to benefit from the linter in the future.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>

* :seedling: use forbidigo linter to prevent print statements (#3585)

* enable forbidigo for print statements.

include reasoning as message exposed to developer.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* remove or grant exceptions for existing print statements

Signed-off-by: Spencer Schrock <sschrock@google.com>

* swap stdout to stderr

Signed-off-by: Spencer Schrock <sschrock@google.com>

* separate msg from regex for better readability.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>

* :bug: scanning gitlab private repositories (#3596)

* fix: Run for gitlab private repos

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* test: gitlab repo is accessible

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

* fix: linter error

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

---------

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
Co-authored-by: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com>

* :seedling: Bump github.com/xanzy/go-gitlab from 0.93.1 to 0.93.2 (#3593)

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.93.1 to 0.93.2.
- [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go)
- [Commits](https://github.com/xanzy/go-gitlab/compare/v0.93.1...v0.93.2)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: Bump github.com/onsi/gomega from 1.28.0 to 1.28.1 (#3597)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.28.0 to 1.28.1.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.28.0...v1.28.1)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: add style linters: mirror, tenv, usestdlibvars (#3586)

* fix tenv linter and bug with t.Parallel

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix usestdlibvars linter

Signed-off-by: Spencer Schrock <sschrock@google.com>

* fix mirror linter

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>

* :seedling: enable gomoddirectives linter. (#3584)

Signed-off-by: Spencer Schrock <sschrock@google.com>

* :seedling: enable style linter `errname` (#3587)

* enable errname linter

Signed-off-by: Spencer Schrock <sschrock@google.com>

* convert publish err to custom error type.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* remove unused exported error.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* convert unsupported exporter type to custom error type.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* exempt public errors from linter.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* exempt cron config errors from linter.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>

* :seedling: remove unused osv helper tool. (#3572)

This is a followup cleanup of d4b44e52eb9a104949f617a62cf47291d1ea2d99 (#2303).

Signed-off-by: Spencer Schrock <sschrock@google.com>

* :seedling: Bump github.com/golangci/golangci-lint in /tools (#3592)

Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.54.2 to 1.55.0.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.54.2...v1.55.0)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* :seedling: GitLab: track coverage for gitlab e2e tests (#3601)

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* :seedling: Add license probe (#3465)

* :seedling: Add license probe

Signed-off-by: AdamKorcz <adam@adalogics.com>

* [WIP] add two remaining license checks as probes

Signed-off-by: AdamKorcz <adam@adalogics.com>

* fix nits

Signed-off-by: AdamKorcz <adam@adalogics.com>

* Use Errorf in test

Signed-off-by: AdamKorcz <adam@adalogics.com>

* use zrunner

Signed-off-by: AdamKorcz <adam@adalogics.com>

* fix wrong return value

Signed-off-by: AdamKorcz <adam@adalogics.com>

* fix linting issues and remove empty default

Signed-off-by: AdamKorcz <adam@adalogics.com>

* fix double if statement

Signed-off-by: AdamKorcz <adam@adalogics.com>

* Remove struct field from test

Signed-off-by: AdamKorcz <adam@adalogics.com>

* Add test for nil-case of license files slice

Signed-off-by: AdamKorcz <adam@adalogics.com>

* rewrite multiple def.ymls

Signed-off-by: AdamKorcz <adam@adalogics.com>

* fix nits

Signed-off-by: AdamKorcz <adam@adalogics.com>

* Add unit test with multiple unapproved license files

Signed-off-by: AdamKorcz <adam@adalogics.com>

* Add link to approved license formats

Signed-off-by: AdamKorcz <adam@adalogics.com>

* fix linting

Signed-off-by: AdamKorcz <adam@adalogics.com>

* remove comment

Signed-off-by: AdamKorcz <adam@adalogics.com>

* preserve logging from original check

Signed-off-by: AdamKorcz <adam@adalogics.com>

* fix typo

Signed-off-by: AdamKorcz <adam@adalogics.com>

* remove redundant map manipulation

Signed-off-by: AdamKorcz <adam@adalogics.com>

* rename hasApproveLicense probe

Signed-off-by: AdamKorcz <adam@adalogics.com>

* Return OutcomeNotApplicable if hasFSFOrOSIApprovedLicense probe does not find a license

Signed-off-by: AdamKorcz <adam@adalogics.com>

* Include license file locations in log

Signed-off-by: AdamKorcz <adam@adalogics.com>

* fix linting issues

Signed-off-by: AdamKorcz <adam@adalogics.com>

* replace strings filtering with OutcomeNotApplicable in hasLicenseFileAtTopDir probe

Signed-off-by: AdamKorcz <adam@adalogics.com>

* Fix linter issue

Signed-off-by: AdamKorcz <adam@adalogics.com>

* Include location of found license files

Signed-off-by: AdamKorcz <adam@adalogics.com>

---------

Signed-off-by: AdamKorcz <adam@adalogics.com>

* 🌱 convert packaging check to probe (#3486)

* :seedling: convert packaging check to probe

Signed-off-by: AdamKorcz <adam@adalogics.com>

* amend text in def.yml

Signed-off-by: AdamKorcz <adam@adalogics.com>

* Correct short description in def.yml

Signed-off-by: AdamKorcz <adam@adalogics.com>

* log negative findings

Signed-off-by: AdamKorcz <adam@adalogics.com>

* rename probe

Signed-off-by: AdamKorcz <adam@adalogics.com>

* Fix the broken e2e test: the probe returned the minimum score instead of the inconclusive score, which was not consistent with the previous scoring. This commit also removes the debug statements.

Signed-off-by: AdamKorcz <adam@adalogics.com>

* change score text

Signed-off-by: AdamKorcz <adam@adalogics.com>

* include file details. process all packaging workflows

Signed-off-by: AdamKorcz <adam@adalogics.com>

---------

Signed-off-by: AdamKorcz <adam@adalogics.com>

* :seedling: Add probe support for contributors metrics (#3460)

* :seedling: Add probe support for cont…