-
Notifications
You must be signed in to change notification settings - Fork 500
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
✨ add support for Nuget ad-hoc commands (add/install) in Pinned Dependency checks #2779
✨ add support for Nuget ad-hoc commands (add/install) in Pinned Dependency checks #2779
Conversation
c0f0d46
to
4c3c2bf
Compare
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #2779 +/- ##
==========================================
- Coverage 55.18% 50.90% -4.29%
==========================================
Files 158 158
Lines 13276 12062 -1214
==========================================
- Hits 7327 6140 -1187
- Misses 5514 5547 +33
+ Partials 435 375 -60 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR. I left comments about immutability of versions in nuget ecosystem because I'm unfamiliar with it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few comments with the limited context that I have.
BTW, how commonly used phrase is the pinned dependency
concept? :)
NuGet has a CPM feature that has a similar name that'd confuse some people: https://learn.microsoft.com/en-us/nuget/consume-packages/central-package-management#transitive-pinning
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.9 to 2.2.11. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@04df126...d186a2a) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]>
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.7.8 to 35.7.12. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@e9b5807...b109d83) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Avishay <[email protected]>
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.1 to 3.0.2. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@c3667d9...9e9de22) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]>
Bumps [github.com/xeipuuv/gojsonschema](https://github.com/xeipuuv/gojsonschema) from 0.0.0-20180618132009-1d523034197f to 1.2.0. - [Release notes](https://github.com/xeipuuv/gojsonschema/releases) - [Commits](https://github.com/xeipuuv/gojsonschema/commits/v1.2.0) --- updated-dependencies: - dependency-name: github.com/xeipuuv/gojsonschema dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Avishay <[email protected]>
Included tests for checker result and request Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: Avishay <[email protected]>
* Add haskell-actions/hlint-scan as one of know GitHub actions which upload SARIF. Signed-off-by: Yoo Chung <[email protected]> * Test security-events permissions with actions known to upload SARIF. Signed-off-by: Yoo Chung <[email protected]> --------- Signed-off-by: Yoo Chung <[email protected]> Signed-off-by: Avishay <[email protected]>
Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.2.0 to 2.3.0. - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](bradleyfalzon/ghinstallation@v2.2.0...v2.3.0) --- updated-dependencies: - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]>
Bumps [github.com/otiai10/copy](https://github.com/otiai10/copy) from 1.9.0 to 1.10.0. - [Release notes](https://github.com/otiai10/copy/releases) - [Commits](otiai10/copy@v1.9.0...v1.10.0) --- updated-dependencies: - dependency-name: github.com/otiai10/copy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Avishay <[email protected]>
Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.16.2 to 1.17.0. - [Release notes](https://github.com/goreleaser/goreleaser/releases) - [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml) - [Commits](goreleaser/goreleaser@v1.16.2...v1.17.0) --- updated-dependencies: - dependency-name: github.com/goreleaser/goreleaser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Avishay <[email protected]>
* Add GitLab test repos. Signed-off-by: Spencer Schrock <[email protected]> * Add test GitLab projects to release controller. Signed-off-by: Spencer Schrock <[email protected]> * worker gitlab WIP Signed-off-by: Spencer Schrock <[email protected]> * Read config in worker. Signed-off-by: Spencer Schrock <[email protected]> * Use UTC time for shards. This avoids issues when the controller and worker timezones differ. Signed-off-by: Spencer Schrock <[email protected]> * update directions for gcs fake Signed-off-by: Spencer Schrock <[email protected]> * update readme Signed-off-by: Spencer Schrock <[email protected]> * Undo gitlab parts, which will be its own PR. Signed-off-by: Spencer Schrock <[email protected]> * Clarify project and config files are placeholders. Signed-off-by: Spencer Schrock <[email protected]> * remove accidentally added whitespace Signed-off-by: Spencer Schrock <[email protected]> * clarify code change with comment. Signed-off-by: Spencer Schrock <[email protected]> * Minor edits. Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Avishay <[email protected]>
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.7.0 to 0.8.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.7.0...v0.8.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Avishay <[email protected]>
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.0 to 3.1.2. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@81cd2dc...40a12dc) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Avishay <[email protected]>
Signed-off-by: Yoo Chung <[email protected]> Signed-off-by: Avishay <[email protected]>
…2843) * Add Haskell as a language. Signed-off-by: Yoo Chung <[email protected]> * Detect fuzzing in Haskell using presence of property-based testing. Signed-off-by: Yoo Chung <[email protected]> * Mention fuzzing detection for Haskell in documentation. Signed-off-by: Yoo Chung <[email protected]> * Fix pattern and test. Add test case. Signed-off-by: Yoo Chung <[email protected]> --------- Signed-off-by: Yoo Chung <[email protected]> Signed-off-by: Avishay <[email protected]>
- Add tests for `GetRequiredChecksForPolicy` and `EvaluateResults` - Add checks for binary artifacts, vulnerabilities, unpinned dependencies, and code review [attestor/policy/attestation_policy_test.go] - Add `github.com/google/go-cmp/cmp` to imports - Add a test for `GetRequiredChecksForPolicy` - Add a test for `EvaluateResults` Signed-off-by: naveensrinivasan <[email protected]> Signed-off-by: Avishay <[email protected]>
Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.81.0 to 0.82.0. - [Release notes](https://github.com/xanzy/go-gitlab/releases) - [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go) - [Commits](xanzy/go-gitlab@v0.81.0...v0.82.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Avishay <[email protected]>
* Look for codeQL action use with local files instead of search. Signed-off-by: Spencer Schrock <[email protected]> * Switch SAST mocks to using local file contents. Signed-off-by: Spencer Schrock <[email protected]> * Update e2e test Signed-off-by: Spencer Schrock <[email protected]> * Remove unneeded code. The tests deleted here were merged with another test in an earlier commit. Signed-off-by: Spencer Schrock <[email protected]> * update Signed-off-by: Spencer Schrock <[email protected]> * Add tests to get code coverage up. Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: Avishay <[email protected]>
Signed-off-by: Avishay <[email protected]>
Signed-off-by: Avishay <[email protected]>
Head branch was pushed to by a user without write access
0018e37
to
5ccdf0b
Compare
Signed-off-by: Avishay Balter <[email protected]>
Signed-off-by: Avishay <[email protected]>
What kind of change does this PR introduce?
Add support for Nuget ad-hoc commands (add/install) in pinned dependency checks.
What is the current behavior?
Scorecard does not detect unpinned dependencies when using nuget and dotnet clis to add ad-hoc libraries.
What is the new behavior (if this is a feature change)?**
Scorecard detects and warns when using dotnet and nuget cli to add ad-hoc libraries packages without declaring their specific version.
Which issue(s) this PR fixes
This PR relates to but does not fix issue #1578
Special notes for your reviewer
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to
the
release-note
(In particular, describe what changes users might need to make in their
application as a result of this pull request.)