🌱 Bump github.com/onsi/gomega from 1.20.2 to 1.23.0 #2409


dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Oct 28, 2022

Bumps github.com/onsi/gomega from 1.20.2 to 1.23.0.

Release notes

Sourced from github.com/onsi/gomega's releases.

v1.23.0

1.23.0

Features

  • Custom formatting on a per-type basis can be provided using format.RegisterCustomFormatter() -- see the docs here

  • Substantial improvements have been made to StopTrying():

    • Users can now use StopTrying().Wrap(err) to wrap errors and StopTrying().Attach(description, object) to attach arbitrary objects to the StopTrying() error
    • StopTrying() is now always interpreted as a failure. If you are an early adopter of StopTrying() you may need to change your code as the prior version would match against the returned value even if StopTrying() was returned. Going forward the StopTrying() api should remain stable.
    • StopTrying() and StopTrying().Now() can both be used in matchers - not just polled functions.
  • TryAgainAfter(duration) is used like StopTrying() but instructs Eventually and Consistently that the poll should be tried again after the specified duration. This allows you to dynamically adjust the polling duration.

  • ctx can now be passed-in as the first argument to Eventually and Consistently.

Maintenance

  • Bump github.com/onsi/ginkgo/v2 from 2.3.0 to 2.3.1 (#597) [afed901]
  • Bump nokogiri from 1.13.8 to 1.13.9 in /docs (#599) [7c691b3]
  • Bump github.com/google/go-cmp from 0.5.8 to 0.5.9 (#587) [ff22665]

v1.22.1

1.22.1

Fixes

  • When passed a context and no explicit timeout, Eventually will only timeout when the context is cancelled [e5105cf]
  • Allow StopTrying() to be wrapped [bf3cba9]

Maintenance

  • bump to ginkgo v2.3.0 [c5d5c39]

v1.22.0

1.22.0

Features

Several improvements have been made to Eventually and Consistently in this and the most recent releases:

  • Eventually and Consistently can take a context.Context [65c01bc] This enables integration with Ginkgo 2.3.0's interruptible nodes and node timeouts.
  • Eventually and Consistently that are passed a SpecContext can provide reports when an interrupt occurs [0d063c9]
  • Eventually/Consistently will forward an attached context to functions that ask for one [e2091c5]
  • Eventually/Consistently supports passing arguments to functions via WithArguments() [a2dc7c3]
  • Eventually and Consistently can now be stopped early with StopTrying(message) and StopTrying(message).Now() [52976bb]

These improvements are all documented in Gomega's docs

v1.21.1

Features

... (truncated)

Changelog

Sourced from github.com/onsi/gomega's changelog.

1.23.0

Features

  • Custom formatting on a per-type basis can be provided using format.RegisterCustomFormatter() -- see the docs here

  • Substantial improvements have been made to StopTrying():

    • Users can now use StopTrying().Wrap(err) to wrap errors and StopTrying().Attach(description, object) to attach arbitrary objects to the StopTrying() error
    • StopTrying() is now always interpreted as a failure. If you are an early adopter of StopTrying() you may need to change your code as the prior version would match against the returned value even if StopTrying() was returned. Going forward the StopTrying() api should remain stable.
    • StopTrying() and StopTrying().Now() can both be used in matchers - not just polled functions.
  • TryAgainAfter(duration) is used like StopTrying() but instructs Eventually and Consistently that the poll should be tried again after the specified duration. This allows you to dynamically adjust the polling duration.

  • ctx can now be passed-in as the first argument to Eventually and Consistently.

Maintenance

  • Bump github.com/onsi/ginkgo/v2 from 2.3.0 to 2.3.1 (#597) [afed901]
  • Bump nokogiri from 1.13.8 to 1.13.9 in /docs (#599) [7c691b3]
  • Bump github.com/google/go-cmp from 0.5.8 to 0.5.9 (#587) [ff22665]

1.22.1

Fixes

  • When passed a context and no explicit timeout, Eventually will only timeout when the context is cancelled [e5105cf]
  • Allow StopTrying() to be wrapped [bf3cba9]

Maintenance

  • bump to ginkgo v2.3.0 [c5d5c39]

1.22.0

Features

Several improvements have been made to Eventually and Consistently in this and the most recent releases:

  • Eventually and Consistently can take a context.Context [65c01bc] This enables integration with Ginkgo 2.3.0's interruptible nodes and node timeouts.
  • Eventually and Consistently that are passed a SpecContext can provide reports when an interrupt occurs [0d063c9]
  • Eventually/Consistently will forward an attached context to functions that ask for one [e2091c5]
  • Eventually/Consistently supports passing arguments to functions via WithArguments() [a2dc7c3]
  • Eventually and Consistently can now be stopped early with StopTrying(message) and StopTrying(message).Now() [52976bb]

These improvements are all documented in Gomega's docs

Fixes

Maintenance

1.21.1

... (truncated)

Commits
  • bf817a4 v1.23.0
  • 7b8b801 fix broken call to Eventually
  • ba35cc6 Allow ctx to be passed in as a leading parameter for Eventually and Consistently
  • 818b78c AsyncAssertions emit the format.Object representation of the error when it i...
  • d63d67e Rename AsyncSignalError to PollingSignalError
  • abd25f0 fix go vet
  • 618a133 Introduce TryAgainAfter
  • 67ab22c Simplify StopTrying handling
  • 75c8c70 Fix go vet and drop 1.17 from test matrix
  • 237e97d Matchers can now return StopTrying() errors; StopTrying() can wrap an error t...
  • Additional commits viewable in compare view


You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot will merge this PR once it's up-to-date and CI passes on it, as requested by @naveensrinivasan.



@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Oct 28, 2022
@codecov

codecov bot commented Oct 28, 2022

Codecov Report

Merging #2409 (ee347e6) into main (93b5972) will not change coverage.
The diff coverage is n/a.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2409   +/-   ##
=======================================
  Coverage   40.61%   40.61%           
=======================================
  Files         112      112           
  Lines        8831     8831           
=======================================
  Hits         3587     3587           
  Misses       4984     4984           
  Partials      260      260           

@naveensrinivasan
Member

@dependabot rebase

@naveensrinivasan
Member

@dependabot merge

@dependabot @github
Contributor Author

dependabot bot commented on behalf of github Oct 28, 2022

One of your CI runs failed on this pull request, so Dependabot won't merge it.

Dependabot will still automatically merge this pull request if you amend it and your tests pass.

@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/onsi/gomega-1.23.0 branch from 40eb4a3 to 3ed9875 Compare October 28, 2022 20:10
@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/onsi/gomega-1.23.0 branch from 3ed9875 to 27d561e Compare October 29, 2022 14:02
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.20.2...v1.23.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/onsi/gomega-1.23.0 branch from 27d561e to ee347e6 Compare October 29, 2022 17:34
@dependabot dependabot bot temporarily deployed to integration-test October 29, 2022 18:32 Inactive
@naveensrinivasan naveensrinivasan enabled auto-merge (squash) October 29, 2022 18:32
@github-actions

Integration tests success for [ee347e6](https://github.com/ossf/scorecard/actions/runs/3352326807)

@naveensrinivasan naveensrinivasan merged commit b90b5f0 into main Oct 29, 2022
@naveensrinivasan naveensrinivasan deleted the dependabot/go_modules/github.com/onsi/gomega-1.23.0 branch October 29, 2022 18:44
latortuga71 pushed a commit to latortuga71/scorecard that referenced this pull request Nov 18, 2022
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.20.2...v1.23.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>
azeemshaikh38 pushed a commit that referenced this pull request Nov 22, 2022
* 🌱 Bump actions/dependency-review-action from 2.4.1 to 2.5.1

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.1 to 2.5.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@9c96258...0efb1d1)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* commit_depth feature

Signed-off-by: latortuga71 <[email protected]>

* added more descriptive comments, changed numberofcommits variable name, moved paging for commits into separate function.

small changes

Signed-off-by: latortuga71 <[email protected]>

linter

Signed-off-by: latortuga71 <[email protected]>

* added unit tests

Signed-off-by: latortuga71 <[email protected]>

added test in e2e

Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (#2397)

Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.6.0 to 1.6.1.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](spf13/cobra@v1.6.0...v1.6.1)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.1.6...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump cloud.google.com/go/pubsub from 1.25.1 to 1.26.0

Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.25.1 to 1.26.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@pubsub/v1.25.1...pubsub/v1.26.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/xanzy/go-gitlab from 0.73.1 to 0.74.0

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.73.1 to 0.74.0.
- [Release notes](https://github.com/xanzy/go-gitlab/releases)
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](xanzy/go-gitlab@v0.73.1...v0.74.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/gomega from 1.20.2 to 1.23.0 (#2409)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.20.2...v1.23.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 in /tools

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.1.6...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/golangci/golangci-lint in /tools

Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.50.0 to 1.50.1.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](golangci/golangci-lint@v1.50.0...v1.50.1)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump goreleaser/goreleaser-action from 2.9.1 to 3.2.0 (#2363)

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.9.1 to 3.2.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@b953231...b508e2e)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/goreleaser/goreleaser in /tools (#2373)

Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](goreleaser/goreleaser@v1.11.5...v1.12.3)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* ✨ CLI for scorecard-attestor (#2309)

* Reorganize

Signed-off-by: Raghav Kaul <[email protected]>

* Working commit

Signed-off-by: Raghav Kaul <[email protected]>

* Compile with local scorecard; go mod tidy

Signed-off-by: Raghav Kaul <[email protected]>

* Add signing code

Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go

Signed-off-by: Raghav Kaul <[email protected]>

* Update deps

* Naming
* Makefile

Signed-off-by: Raghav Kaul <[email protected]>

* Edit license, add lint.yml

Signed-off-by: Raghav Kaul <[email protected]>

* checks: go mod tidy, license

Signed-off-by: Raghav Kaul <[email protected]>

* Address PR comments

* Split into checker/signer files
* Naming convention

Signed-off-by: Raghav Kaul <[email protected]>

* License, remove golangci.yml

Signed-off-by: Raghav Kaul <[email protected]>

* Address PR comments

* Use cobra

Signed-off-by: Raghav Kaul <[email protected]>

* Add tests for root command

Signed-off-by: Raghav Kaul <[email protected]>

* Filter out checks that aren't needed for policy evaluation

Signed-off-by: Raghav Kaul <[email protected]>

* Add `make` targets for attestor; submit coverage stats

Signed-off-by: Raghav Kaul <[email protected]>

* Improvements

* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting

Signed-off-by: Raghav Kaul <[email protected]>

* Flags: Make note-name constant and fix messaging

Signed-off-by: Raghav Kaul <[email protected]>

* Remove SupportedRequestTypes

Signed-off-by: Raghav Kaul <[email protected]>

* go mod tidy

Signed-off-by: Raghav Kaul <[email protected]>

* go mod tidy, makefile

Signed-off-by: Raghav Kaul <[email protected]>

* Fix GH actions run

Signed-off-by: Raghav Kaul <[email protected]>

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* fix workflow (#2417)

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Bump scorecard-action (#2416)

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Fail unit-test job if codecov upload fails (#2415)

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Enable comparison for alternative isText implementation (#2414)

* use more performant IsText

Signed-off-by: Spencer Schrock <[email protected]>

* AB test isText implementations

Signed-off-by: Spencer Schrock <[email protected]>

* Add comparison env var to release test.

Signed-off-by: Spencer Schrock <[email protected]>

* go mod tidy for attestor

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🐛 modify alternative isText to accept carriage returns (#2421)

* modify IsText from golang.org/x/tools/godoc/util to accept carriage returns.

Signed-off-by: Spencer Schrock <[email protected]>

* add TODO reminder to cleanup after release tests

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/gomega from 1.23.0 to 1.24.0

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.23.0 to 1.24.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.23.0...v1.24.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github/codeql-action from 2.1.29 to 2.1.30

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@ec3cf9c...18fe527)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* revert failing unit-test on ci error (#2422)

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* ✨ Improved Security Policy Check (#2195)

* ✨ Improved Security Policy Check (#2137)

* Examines and awards points for linked content (URLs / Emails)

* Examines and awards points for hints of disclosure and vulnerability practices

* Examines and awards points for hints of elaboration of timelines

Signed-off-by: Scott Hissam <[email protected]>

* Repaired Security Policy to correctly use linked content length for evaluation

Signed-off-by: Scott Hissam <[email protected]>

* gofmt'ed changes

Signed-off-by: Scott Hissam <[email protected]>

* Repaired the case in the evaluation which was too sensitive to content length over the length of the linked content for urls and emails

Signed-off-by: Scott Hissam <[email protected]>

* added unit test cases for the new content-based Security Policy checks

Signed-off-by: Scott Hissam <[email protected]>

* reverted the direct (mistaken) change to checks.md and updated the checks.yaml for generate-docs

Signed-off-by: Scott Hissam <[email protected]>

* ✨ Improved Security Policy Check (#2137) (revisited based on comments)

* replaced reason strings with log.Info & log.Warn (as seen in --show-details)

* internal assertion check for nil (*pinfo) and empty pfile

* internal switched to FileTypeText over FileTypeSource

* internal implement type SecurityPolicyInformationType/SecurityPolicyInformation revised SecurityPolicyData to support only one file

* revised expected unit-test results and revised unit-test to reflect the new SecurityPolicyData type

Signed-off-by: Scott Hissam <[email protected]>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly

Signed-off-by: Scott Hissam <[email protected]>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly

Signed-off-by: Scott Hissam <[email protected]>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; e2e tests update accordingly

Signed-off-by: Scott Hissam <[email protected]>

* Addressed PR comments; added telemetry for policy hits in security policy file to track hits by line number

Signed-off-by: Scott Hissam <[email protected]>

* Resolved merge conflict with checks.yaml

Signed-off-by: Scott Hissam <[email protected]>

* updated raw results to emit all the raw information for the new security policy check

Signed-off-by: Scott Hissam <[email protected]>

* Resolved merge conflicts and lint errors with json_raw_results.go

Signed-off-by: Scott Hissam <[email protected]>

* Addressed review comments to reorganize security policy data struct to support the potential for multiple security policy files.

Signed-off-by: Scott Hissam <[email protected]>

* Added logic to the security policy to process multiple security policy files only after future improvements to aggregating scoring across such files are designed. For now the security policy behaves as originally designed to stop once one of the expected policy files are found in the repo

Signed-off-by: Scott Hissam <[email protected]>

* added comments regarding the capacity to support multiple policy files and removed unneeded break statements in the code

Signed-off-by: Scott Hissam <[email protected]>

* Addressed review comments to remove the dependency on the path in the filename from the code and introduced FileSize to checker.File type and removed the SecurityContentLength which was used to hold that information for the new security policy assessment

Signed-off-by: Scott Hissam <[email protected]>

* restored reporting full security policy path and filename for policies found in the org level repos

Signed-off-by: Scott Hissam <[email protected]>

* Resolved conflicts in checks.yaml for documentation

Signed-off-by: Scott Hissam <[email protected]>

* ✨ CLI for scorecard-attestor (#2309)

* Reorganize

Signed-off-by: Raghav Kaul <[email protected]>

* Working commit

Signed-off-by: Raghav Kaul <[email protected]>

* Compile with local scorecard; go mod tidy

Signed-off-by: Raghav Kaul <[email protected]>

* Add signing code

Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go

Signed-off-by: Raghav Kaul <[email protected]>

* Update deps

* Naming
* Makefile

Signed-off-by: Raghav Kaul <[email protected]>

* Edit license, add lint.yml

Signed-off-by: Raghav Kaul <[email protected]>

* checks: go mod tidy, license

Signed-off-by: Raghav Kaul <[email protected]>

* Address PR comments

* Split into checker/signer files
* Naming convention

Signed-off-by: Raghav Kaul <[email protected]>

* License, remove golangci.yml

Signed-off-by: Raghav Kaul <[email protected]>

* Address PR comments

* Use cobra

Signed-off-by: Raghav Kaul <[email protected]>

* Add tests for root command

Signed-off-by: Raghav Kaul <[email protected]>

* Filter out checks that aren't needed for policy evaluation

Signed-off-by: Raghav Kaul <[email protected]>

* Add `make` targets for attestor; submit coverage stats

Signed-off-by: Raghav Kaul <[email protected]>

* Improvements

* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting

Signed-off-by: Raghav Kaul <[email protected]>

* Flags: Make note-name constant and fix messaging

Signed-off-by: Raghav Kaul <[email protected]>

* Remove SupportedRequestTypes

Signed-off-by: Raghav Kaul <[email protected]>

* go mod tidy

Signed-off-by: Raghav Kaul <[email protected]>

* go mod tidy, makefile

Signed-off-by: Raghav Kaul <[email protected]>

* Fix GH actions run

Signed-off-by: Raghav Kaul <[email protected]>

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Scott Hissam <[email protected]>

* removed whitespace before stanza for Run attestor e2e

Signed-off-by: Scott Hissam <[email protected]>

* resolved code review and doc review comments

Signed-off-by: Scott Hissam <[email protected]>

* repaired the link for the maintainer's guide for supporting the coordinated vulnerability disclosure guidelines

Signed-off-by: Scott Hissam <[email protected]>

Signed-off-by: Scott Hissam <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github/codeql-action from 2.1.30 to 2.1.31 (#2431)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.31.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@18fe527...c3b6fce)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* enable more performant isText (#2433)

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* modified tests,InitRepo Function, Added GetCommitDepth Function to Client Interface

Signed-off-by: latortuga71 <[email protected]>

* removed getcommitdepth function

Signed-off-by: latortuga71 <[email protected]>

* added TODO

Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 in /tools (#2436)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.4.0...v2.5.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.4.0...v2.5.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Code Review: treat merging a PR as code review (#2413)

* Merges on GitHub count as a code review by the maintainer

Signed-off-by: Raghav Kaul <[email protected]>

* Update Raw Results

* More detailed information for Changesets
* If there's no Revision ID, use the Commit SHA instead

Signed-off-by: Raghav Kaul <[email protected]>

* Check that pull request had at least one reviewer that wasn't its author

* Add field for Pull Request Merged-By to GitHub and GitLab
* Note, this check can be bypassed if an author opens a PR with other
  people's commits

Signed-off-by: Raghav Kaul <[email protected]>

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Trivial: Fix typo (exepted -> expected) (#2440)

Signed-off-by: Michael Scovetta <[email protected]>

Signed-off-by: Michael Scovetta <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump step-security/harden-runner from 1.5.0 to 2.0.0 (#2443)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.5.0 to 2.0.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@2e205a2...ebacdc2)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 cron: support reading prefix from file for controller input files (7/n) (#2445)

* add prefix marker file to config

Signed-off-by: Spencer Schrock <[email protected]>

* Read the new config values, if they exist.

Signed-off-by: Spencer Schrock <[email protected]>

* Add function to fetch prefix file config value.

Signed-off-by: Spencer Schrock <[email protected]>

* Read prefix file if prefix not set.

Signed-off-by: Spencer Schrock <[email protected]>

* Add tests to verify how List works with various prefixes

Signed-off-by: Spencer Schrock <[email protected]>

* Add tests for getPrefix

Signed-off-by: Spencer Schrock <[email protected]>

* Remove panics from iterator helper functions

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Detect SECURITY.markdown in addition to SECURITY.md (#2447)

GitHub probably supports many more file extensions for Markdown
files, but at the very least, `.md` and `.markdown` have been
standardized in RFC 7763.

Signed-off-by: favonia <[email protected]>

Signed-off-by: favonia <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor (#2430)

Signed-off-by: Raghav Kaul <[email protected]>

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 cron: expose the stackdriver prefix as a config variable so it can be changed. (#2446)

* Expose the stackdriver prefix as a config variable so it can be changed.

Signed-off-by: Caleb Brown <[email protected]>

* fix linter warning

Signed-off-by: Caleb Brown <[email protected]>

Signed-off-by: Caleb Brown <[email protected]>
Co-authored-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Only write to the rawBucket if the value exists. (#2451)

Signed-off-by: Caleb Brown <[email protected]>

Signed-off-by: Caleb Brown <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 (#2448)

* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.2.0...v0.3.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* bump attestor modules

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Move cron monitoring to a non-internal location. (#2453)

This allows external workers (e.g. criticality_score) to use the same
monitoring code.

Signed-off-by: Caleb Brown <[email protected]>

Signed-off-by: Caleb Brown <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (#2455)

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@0efb1d1...30d5821)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents (#2454)

* Generalize the transfer logic so it is easy to build new transfer agents

This change moves code that reads shards and produces summaries into the
data package so that it can be reused to create new transfer agents,
similar to the BigQuery transfer agent in cron/internal/bq.

Signed-off-by: Caleb Brown <[email protected]>

* Lint fix and commentary.

Signed-off-by: Caleb Brown <[email protected]>

Signed-off-by: Caleb Brown <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/google/addlicense in /tools (#2459)

Bumps [github.com/google/addlicense](https://github.com/google/addlicense) from 1.0.0 to 1.1.0.
- [Release notes](https://github.com/google/addlicense/releases)
- [Changelog](https://github.com/google/addlicense/blob/master/.goreleaser.yaml)
- [Commits](google/addlicense@v1.0.0...v1.1.0)

---
updated-dependencies:
- dependency-name: github.com/google/addlicense
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/google/go-containerregistry

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.0 to 0.12.1.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.12.0...v0.12.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* go mod tidy

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Added <= instead of == in case negative int is passed

Signed-off-by: latortuga71 <[email protected]>

* missed test fix

Signed-off-by: latortuga71 <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>
Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Scott Hissam <[email protected]>
Signed-off-by: Michael Scovetta <[email protected]>
Signed-off-by: favonia <[email protected]>
Signed-off-by: Caleb Brown <[email protected]>
Signed-off-by: Latortuga <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: raghavkaul <[email protected]>
Co-authored-by: Spencer Schrock <[email protected]>
Co-authored-by: scott hissam <[email protected]>
Co-authored-by: Michael Scovetta <[email protected]>
Co-authored-by: favonia <[email protected]>
Co-authored-by: Caleb Brown <[email protected]>
N8BWert pushed a commit to N8BWert/scorecard that referenced this pull request Nov 28, 2022
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.20.2...v1.23.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: nathaniel.wert <[email protected]>
N8BWert pushed a commit to N8BWert/scorecard that referenced this pull request Nov 28, 2022
* 🌱 Bump actions/dependency-review-action from 2.4.1 to 2.5.1

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.1 to 2.5.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@9c96258...0efb1d1)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* commit_depth feature

Signed-off-by: latortuga71 <[email protected]>

* added more descriptive comments, changed numberofcommits variable name, moved paging for commits into separate function.

small changes

Signed-off-by: latortuga71 <[email protected]>

linter

Signed-off-by: latortuga71 <[email protected]>

* added unit tests

Signed-off-by: latortuga71 <[email protected]>

added test in e2e

Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (ossf#2397)

Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.6.0 to 1.6.1.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](spf13/cobra@v1.6.0...v1.6.1)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.1.6...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump cloud.google.com/go/pubsub from 1.25.1 to 1.26.0

Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.25.1 to 1.26.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@pubsub/v1.25.1...pubsub/v1.26.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/xanzy/go-gitlab from 0.73.1 to 0.74.0

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.73.1 to 0.74.0.
- [Release notes](https://github.com/xanzy/go-gitlab/releases)
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](xanzy/go-gitlab@v0.73.1...v0.74.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/gomega from 1.20.2 to 1.23.0 (ossf#2409)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.20.2...v1.23.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 in /tools

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.1.6...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/golangci/golangci-lint in /tools

Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.50.0 to 1.50.1.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](golangci/golangci-lint@v1.50.0...v1.50.1)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump goreleaser/goreleaser-action from 2.9.1 to 3.2.0 (ossf#2363)

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.9.1 to 3.2.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@b953231...b508e2e)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/goreleaser/goreleaser in /tools (ossf#2373)

Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](goreleaser/goreleaser@v1.11.5...v1.12.3)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* ✨ CLI for scorecard-attestor (ossf#2309)

* Reorganize

Signed-off-by: Raghav Kaul <[email protected]>

* Working commit

Signed-off-by: Raghav Kaul <[email protected]>

* Compile with local scorecard; go mod tidy

Signed-off-by: Raghav Kaul <[email protected]>

* Add signing code

Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go

Signed-off-by: Raghav Kaul <[email protected]>

* Update deps

* Naming
* Makefile

Signed-off-by: Raghav Kaul <[email protected]>

* Edit license, add lint.yml

Signed-off-by: Raghav Kaul <[email protected]>

* checks: go mod tidy, license

Signed-off-by: Raghav Kaul <[email protected]>

* Address PR comments

* Split into checker/signer files
* Naming convention

Signed-off-by: Raghav Kaul <[email protected]>

* License, remove golangci.yml

Signed-off-by: Raghav Kaul <[email protected]>

* Address PR comments

* Use cobra

Signed-off-by: Raghav Kaul <[email protected]>

* Add tests for root command

Signed-off-by: Raghav Kaul <[email protected]>

* Filter out checks that aren't needed for policy evaluation

Signed-off-by: Raghav Kaul <[email protected]>

* Add `make` targets for attestor; submit coverage stats

Signed-off-by: Raghav Kaul <[email protected]>

* Improvements

* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting

Signed-off-by: Raghav Kaul <[email protected]>

* Flags: Make note-name constant and fix messaging

Signed-off-by: Raghav Kaul <[email protected]>

* Remove SupportedRequestTypes

Signed-off-by: Raghav Kaul <[email protected]>

* go mod tidy

Signed-off-by: Raghav Kaul <[email protected]>

* go mod tidy, makefile

Signed-off-by: Raghav Kaul <[email protected]>

* Fix GH actions run

Signed-off-by: Raghav Kaul <[email protected]>

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* fix workflow (ossf#2417)

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Bump scorecard-action (ossf#2416)

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Fail unit-test job if codecov upload fails (ossf#2415)

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Enable comparison for alternative isText implementation (ossf#2414)

* use more performant IsText

Signed-off-by: Spencer Schrock <[email protected]>

* AB test isText implementations

Signed-off-by: Spencer Schrock <[email protected]>

* Add comparison env var to release test.

Signed-off-by: Spencer Schrock <[email protected]>

* go mod tidy for attestor

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🐛 modify alternative isText to accept carriage returns (ossf#2421)

* modify IsText from golang.org/x/tools/godoc/util to accept carriage returns.

Signed-off-by: Spencer Schrock <[email protected]>

* add TODO reminder to cleanup after release tests

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/gomega from 1.23.0 to 1.24.0

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.23.0 to 1.24.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.23.0...v1.24.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github/codeql-action from 2.1.29 to 2.1.30

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@ec3cf9c...18fe527)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* revert failing unit-test on ci error (ossf#2422)

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* ✨ Improved Security Policy Check (ossf#2195)

* ✨ Improved Security Policy Check (ossf#2137)

* Examines and awards points for linked content (URLs / Emails)

* Examines and awards points for hints of disclosure and vulnerability practices

* Examines and awards points for hints of elaboration of timelines

Signed-off-by: Scott Hissam <[email protected]>

* Repaired Security Policy to correctly use linked content length for evaluation

Signed-off-by: Scott Hissam <[email protected]>

* gofmt'ed changes

Signed-off-by: Scott Hissam <[email protected]>

* Repaired the case in the evaluation which was too sensitive to content length over the length of the linked content for urls and emails

Signed-off-by: Scott Hissam <[email protected]>

* added unit test cases for the new content-based Security Policy checks

Signed-off-by: Scott Hissam <[email protected]>

* reverted the direct (mistaken) change to checks.md and updated the checks.yaml for generate-docs

Signed-off-by: Scott Hissam <[email protected]>

* ✨ Improved Security Policy Check (ossf#2137) (revisited based on comments)

* replaced reason strings with log.Info & log.Warn (as seen in --show-details)

* internal assertion check for nil (*pinfo) and empty pfile

* internal switched to FileTypeText over FileTypeSource

* internal implement type SecurityPolicyInformationType/SecurityPolicyInformation revised SecurityPolicyData to support only one file

* revised expected unit-test results and revised unit-test to reflect the new SecurityPolicyData type

Signed-off-by: Scott Hissam <[email protected]>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly

Signed-off-by: Scott Hissam <[email protected]>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly

Signed-off-by: Scott Hissam <[email protected]>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; e2e tests update accordingly

Signed-off-by: Scott Hissam <[email protected]>

* Addressed PR comments; added telemetry for policy hits in security policy file to track hits by line number

Signed-off-by: Scott Hissam <[email protected]>

* Resolved merge conflict with checks.yaml

Signed-off-by: Scott Hissam <[email protected]>

* updated raw results to emit all the raw information for the new security policy check

Signed-off-by: Scott Hissam <[email protected]>

* Resolved merge conflicts and lint errors with json_raw_results.go

Signed-off-by: Scott Hissam <[email protected]>

* Addressed review comments to reorganize security policy data struct to support the potential for multiple security policy files.

Signed-off-by: Scott Hissam <[email protected]>

* Added logic to the security policy to process multiple security policy files only after future improvements to aggregating scoring across such files are designed. For now the security policy behaves as originally designed to stop once one of the expected policy files is found in the repo

Signed-off-by: Scott Hissam <[email protected]>

* added comments regarding the capacity to support multiple policy files and removed unneeded break statements in the code

Signed-off-by: Scott Hissam <[email protected]>

* Addressed review comments to remove the dependency on the path in the filename from the code and introduced FileSize to checker.File type and removed the SecurityContentLength which was used to hold that information for the new security policy assessment

Signed-off-by: Scott Hissam <[email protected]>

* restored reporting full security policy path and filename for policies found in the org level repos

Signed-off-by: Scott Hissam <[email protected]>

* Resolved conflicts in checks.yaml for documentation

Signed-off-by: Scott Hissam <[email protected]>

* ✨ CLI for scorecard-attestor (ossf#2309)

* Reorganize

Signed-off-by: Raghav Kaul <[email protected]>

* Working commit

Signed-off-by: Raghav Kaul <[email protected]>

* Compile with local scorecard; go mod tidy

Signed-off-by: Raghav Kaul <[email protected]>

* Add signing code

Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go

Signed-off-by: Raghav Kaul <[email protected]>

* Update deps

* Naming
* Makefile

Signed-off-by: Raghav Kaul <[email protected]>

* Edit license, add lint.yml

Signed-off-by: Raghav Kaul <[email protected]>

* checks: go mod tidy, license

Signed-off-by: Raghav Kaul <[email protected]>

* Address PR comments

* Split into checker/signer files
* Naming convention

Signed-off-by: Raghav Kaul <[email protected]>

* License, remove golangci.yml

Signed-off-by: Raghav Kaul <[email protected]>

* Address PR comments

* Use cobra

Signed-off-by: Raghav Kaul <[email protected]>

* Add tests for root command

Signed-off-by: Raghav Kaul <[email protected]>

* Filter out checks that aren't needed for policy evaluation

Signed-off-by: Raghav Kaul <[email protected]>

* Add `make` targets for attestor; submit coverage stats

Signed-off-by: Raghav Kaul <[email protected]>

* Improvements

* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting

Signed-off-by: Raghav Kaul <[email protected]>

* Flags: Make note-name constant and fix messaging

Signed-off-by: Raghav Kaul <[email protected]>

* Remove SupportedRequestTypes

Signed-off-by: Raghav Kaul <[email protected]>

* go mod tidy

Signed-off-by: Raghav Kaul <[email protected]>

* go mod tidy, makefile

Signed-off-by: Raghav Kaul <[email protected]>

* Fix GH actions run

Signed-off-by: Raghav Kaul <[email protected]>

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Scott Hissam <[email protected]>

* removed whitespace before stanza for Run attestor e2e

Signed-off-by: Scott Hissam <[email protected]>

* resolved code review and doc review comments

Signed-off-by: Scott Hissam <[email protected]>

* repaired the link for the maintainer's guide for supporting the coordinated vulnerability disclosure guidelines

Signed-off-by: Scott Hissam <[email protected]>

Signed-off-by: Scott Hissam <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github/codeql-action from 2.1.30 to 2.1.31 (ossf#2431)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.31.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@18fe527...c3b6fce)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* enable more performant isText (ossf#2433)

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* modified tests,InitRepo Function, Added GetCommitDepth Function to Client Interface

Signed-off-by: latortuga71 <[email protected]>

* removed getcommitdepth function

Signed-off-by: latortuga71 <[email protected]>

* added TODO

Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 in /tools (ossf#2436)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.4.0...v2.5.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.4.0...v2.5.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Code Review: treat merging a PR as code review (ossf#2413)

* Merges on GitHub count as a code review by the maintainer

Signed-off-by: Raghav Kaul <[email protected]>

* Update Raw Results

* More detailed information for Changesets
* If there's no Revision ID, use the Commit SHA instead

Signed-off-by: Raghav Kaul <[email protected]>

* Check that pull request had at least one reviewer that wasn't its author

* Add field for Pull Request Merged-By to GitHub and GitLab
* Note, this check can be bypassed if an author opens a PR with other
  people's commits

Signed-off-by: Raghav Kaul <[email protected]>

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Trivial: Fix typo (exepted -> expected) (ossf#2440)

Signed-off-by: Michael Scovetta <[email protected]>

Signed-off-by: Michael Scovetta <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump step-security/harden-runner from 1.5.0 to 2.0.0 (ossf#2443)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.5.0 to 2.0.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@2e205a2...ebacdc2)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 cron: support reading prefix from file for controller input files (7/n) (ossf#2445)

* add prefix marker file to config

Signed-off-by: Spencer Schrock <[email protected]>

* Read the new config values, if they exist.

Signed-off-by: Spencer Schrock <[email protected]>

* Add function to fetch prefix file config value.

Signed-off-by: Spencer Schrock <[email protected]>

* Read prefix file if prefix not set.

Signed-off-by: Spencer Schrock <[email protected]>

* Add tests to verify how List works with various prefixes

Signed-off-by: Spencer Schrock <[email protected]>

* Add tests for getPrefix

Signed-off-by: Spencer Schrock <[email protected]>

* Remove panics from iterator helper functions

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Detect SECURITY.markdown in addition to SECURITY.md (ossf#2447)

GitHub probably supports many more file extensions for Markdown
files, but at the very least, `.md` and `.markdown` have been
standardized in RFC 7763.

Signed-off-by: favonia <[email protected]>

Signed-off-by: favonia <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor (ossf#2430)

Signed-off-by: Raghav Kaul <[email protected]>

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 cron: expose the stackdriver prefix as a config variable so it can be changed. (ossf#2446)

* Expose the stackdriver prefix as a config variable so it can be changed.

Signed-off-by: Caleb Brown <[email protected]>

* fix linter warning

Signed-off-by: Caleb Brown <[email protected]>

Signed-off-by: Caleb Brown <[email protected]>
Co-authored-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Only write to the rawBucket if the value exists. (ossf#2451)

Signed-off-by: Caleb Brown <[email protected]>

Signed-off-by: Caleb Brown <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 (ossf#2448)

* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.2.0...v0.3.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* bump attestor modules

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Move cron monitoring to a non-internal location. (ossf#2453)

This allows external workers (e.g. criticality_score) to use the same
monitoring code.

Signed-off-by: Caleb Brown <[email protected]>

Signed-off-by: Caleb Brown <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (ossf#2455)

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@0efb1d1...30d5821)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents (ossf#2454)

* Generalize the transfer logic so it is easy to build new transfer agents

This change moves code that reads shards and produces summaries into the
data package so that it can be reused to create new transfer agents,
similar to the BigQuery transfer agent in cron/internal/bq.

Signed-off-by: Caleb Brown <[email protected]>

* Lint fix and commentary.

Signed-off-by: Caleb Brown <[email protected]>

Signed-off-by: Caleb Brown <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/google/addlicense in /tools (ossf#2459)

Bumps [github.com/google/addlicense](https://github.com/google/addlicense) from 1.0.0 to 1.1.0.
- [Release notes](https://github.com/google/addlicense/releases)
- [Changelog](https://github.com/google/addlicense/blob/master/.goreleaser.yaml)
- [Commits](google/addlicense@v1.0.0...v1.1.0)

---
updated-dependencies:
- dependency-name: github.com/google/addlicense
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/google/go-containerregistry

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.0 to 0.12.1.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.12.0...v0.12.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* go mod tidy

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Added <= instead of == in case negative int is passed

Signed-off-by: latortuga71 <[email protected]>

* missed test fix

Signed-off-by: latortuga71 <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>
Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Scott Hissam <[email protected]>
Signed-off-by: Michael Scovetta <[email protected]>
Signed-off-by: favonia <[email protected]>
Signed-off-by: Caleb Brown <[email protected]>
Signed-off-by: Latortuga <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: raghavkaul <[email protected]>
Co-authored-by: Spencer Schrock <[email protected]>
Co-authored-by: scott hissam <[email protected]>
Co-authored-by: Michael Scovetta <[email protected]>
Co-authored-by: favonia <[email protected]>
Co-authored-by: Caleb Brown <[email protected]>
N8BWert pushed a commit to N8BWert/scorecard that referenced this pull request Nov 28, 2022
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.20.2...v1.23.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: nathaniel.wert <[email protected]>
N8BWert pushed a commit to N8BWert/scorecard that referenced this pull request Nov 28, 2022
* 🌱 Bump actions/dependency-review-action from 2.4.1 to 2.5.1

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.1 to 2.5.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@9c96258...0efb1d1)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* commit_depth feature

Signed-off-by: latortuga71 <[email protected]>

* added more descriptive comments, changed numberofcommits variable name, moved paging for commits into separate function.

small changes

Signed-off-by: latortuga71 <[email protected]>

linter

Signed-off-by: latortuga71 <[email protected]>

* added unit tests

Signed-off-by: latortuga71 <[email protected]>

added test in e2e

Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (ossf#2397)

Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.6.0 to 1.6.1.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](spf13/cobra@v1.6.0...v1.6.1)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.1.6...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump cloud.google.com/go/pubsub from 1.25.1 to 1.26.0

Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.25.1 to 1.26.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@pubsub/v1.25.1...pubsub/v1.26.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/xanzy/go-gitlab from 0.73.1 to 0.74.0

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.73.1 to 0.74.0.
- [Release notes](https://github.com/xanzy/go-gitlab/releases)
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](xanzy/go-gitlab@v0.73.1...v0.74.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/gomega from 1.20.2 to 1.23.0 (ossf#2409)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.20.2...v1.23.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 in /tools

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.1.6...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/golangci/golangci-lint in /tools

Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.50.0 to 1.50.1.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](golangci/golangci-lint@v1.50.0...v1.50.1)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump goreleaser/goreleaser-action from 2.9.1 to 3.2.0 (ossf#2363)

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.9.1 to 3.2.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@b953231...b508e2e)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/goreleaser/goreleaser in /tools (ossf#2373)

Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](goreleaser/goreleaser@v1.11.5...v1.12.3)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* ✨ CLI for scorecard-attestor (ossf#2309)

* Reorganize

Signed-off-by: Raghav Kaul <[email protected]>

* Working commit

Signed-off-by: Raghav Kaul <[email protected]>

* Compile with local scorecard; go mod tidy

Signed-off-by: Raghav Kaul <[email protected]>

* Add signing code

Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go

Signed-off-by: Raghav Kaul <[email protected]>

* Update deps

* Naming
* Makefile

Signed-off-by: Raghav Kaul <[email protected]>

* Edit license, add lint.yml

Signed-off-by: Raghav Kaul <[email protected]>

* checks: go mod tidy, license

Signed-off-by: Raghav Kaul <[email protected]>

* Address PR comments

* Split into checker/signer files
* Naming convention

Signed-off-by: Raghav Kaul <[email protected]>

* License, remove golangci.yml

Signed-off-by: Raghav Kaul <[email protected]>

* Address PR comments

* Use cobra

Signed-off-by: Raghav Kaul <[email protected]>

* Add tests for root command

Signed-off-by: Raghav Kaul <[email protected]>

* Filter out checks that aren't needed for policy evaluation

Signed-off-by: Raghav Kaul <[email protected]>

* Add `make` targets for attestor; submit coverage stats

Signed-off-by: Raghav Kaul <[email protected]>

* Improvements

* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting

Signed-off-by: Raghav Kaul <[email protected]>

* Flags: Make note-name constant and fix messaging

Signed-off-by: Raghav Kaul <[email protected]>

* Remove SupportedRequestTypes

Signed-off-by: Raghav Kaul <[email protected]>

* go mod tidy

Signed-off-by: Raghav Kaul <[email protected]>

* go mod tidy, makefile

Signed-off-by: Raghav Kaul <[email protected]>

* Fix GH actions run

Signed-off-by: Raghav Kaul <[email protected]>

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* fix workflow (ossf#2417)

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Bump scorecard-action (ossf#2416)

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Fail unit-test job if codecov upload fails (ossf#2415)

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Enable comparison for alternative isText implementation (ossf#2414)

* use more performant IsText

Signed-off-by: Spencer Schrock <[email protected]>

* AB test isText implementations

Signed-off-by: Spencer Schrock <[email protected]>

* Add comparison env var to release test.

Signed-off-by: Spencer Schrock <[email protected]>

* go mod tidy for attestor

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🐛 modify alternative isText to accept carriage returns (ossf#2421)

* modify IsText from golang.org/x/tools/godoc/util to accept carriage returns.

Signed-off-by: Spencer Schrock <[email protected]>

* add TODO reminder to cleanup after release tests

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/gomega from 1.23.0 to 1.24.0

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.23.0 to 1.24.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.23.0...v1.24.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github/codeql-action from 2.1.29 to 2.1.30

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@ec3cf9c...18fe527)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* revert failing unit-test on ci error (ossf#2422)

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* ✨ Improved Security Policy Check (ossf#2195)

* ✨ Improved Security Policy Check (ossf#2137)

* Examines and awards points for linked content (URLs / Emails)

* Examines and awards points for hints of disclosure and vulnerability practices

* Examines and awards points for hints of elaboration of timelines

Signed-off-by: Scott Hissam <[email protected]>

* Repaired Security Policy to correctly use linked content length for evaluation

Signed-off-by: Scott Hissam <[email protected]>

* gofmt'ed changes

Signed-off-by: Scott Hissam <[email protected]>

* Repaired the case in the evaluation which was too sensitive to content length over the length of the linked content for urls and emails

Signed-off-by: Scott Hissam <[email protected]>

* added unit test cases for the new content-based Security Policy checks

Signed-off-by: Scott Hissam <[email protected]>

* reverted the direct (mistaken) change to checks.md and updated the checks.yaml for generate-docs

Signed-off-by: Scott Hissam <[email protected]>

* ✨ Improved Security Policy Check (ossf#2137) (revisited based on comments)

* replaced reason strings with log.Info & log.Warn (as seen in --show-details)

* internal assertion check for nil (*pinfo) and empty pfile

* internal switched to FileTypeText over FileTypeSource

* internal implement type SecurityPolicyInformationType/SecurityPolicyInformation revised SecurityPolicyData to support only one file

* revised expected unit-test results and revised unit-test to reflect the new SecurityPolicyData type

Signed-off-by: Scott Hissam <[email protected]>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly

Signed-off-by: Scott Hissam <[email protected]>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly

Signed-off-by: Scott Hissam <[email protected]>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; e2e tests update accordingly

Signed-off-by: Scott Hissam <[email protected]>

* Addressed PR comments; added telemetry for policy hits in security policy file to track hits by line number

Signed-off-by: Scott Hissam <[email protected]>

* Resolved merge conflict with checks.yaml

Signed-off-by: Scott Hissam <[email protected]>

* updated raw results to emit all the raw information for the new security policy check

Signed-off-by: Scott Hissam <[email protected]>

* Resolved merge conflicts and lint errors with json_raw_results.go

Signed-off-by: Scott Hissam <[email protected]>

* Addressed review comments to reorganize security policy data struct to support the potential for multiple security policy files.

Signed-off-by: Scott Hissam <[email protected]>

* Added logic to the security policy to process multiple security policy files only after future improvements to aggregating scoring across such files are designed. For now the security policy behaves as originally designed to stop once one of the expected policy files are found in the repo

Signed-off-by: Scott Hissam <[email protected]>

* added comments regarding the capacity to support multiple policy files and removed unneeded break statements in the code

Signed-off-by: Scott Hissam <[email protected]>

* Addressed review comments to remove the dependency on the path in the filename from the code and introduced FileSize to checker.File type and removed the SecurityContentLength which was used to hold that information for the new security policy assessment

Signed-off-by: Scott Hissam <[email protected]>

* restored reporting full security policy path and filename for policies found in the org level repos

Signed-off-by: Scott Hissam <[email protected]>

* Resolved conflicts in checks.yaml for documentation

Signed-off-by: Scott Hissam <[email protected]>

* ✨ CLI for scorecard-attestor (ossf#2309)

* Reorganize

Signed-off-by: Raghav Kaul <[email protected]>

* Working commit

Signed-off-by: Raghav Kaul <[email protected]>

* Compile with local scorecard; go mod tidy

Signed-off-by: Raghav Kaul <[email protected]>

* Add signing code

Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go

Signed-off-by: Raghav Kaul <[email protected]>

* Update deps

* Naming
* Makefile

Signed-off-by: Raghav Kaul <[email protected]>

* Edit license, add lint.yml

Signed-off-by: Raghav Kaul <[email protected]>

* checks: go mod tidy, license

Signed-off-by: Raghav Kaul <[email protected]>

* Address PR comments

* Split into checker/signer files
* Naming convention

Signed-off-by: Raghav Kaul <[email protected]>

* License, remove golangci.yml

Signed-off-by: Raghav Kaul <[email protected]>

* Address PR comments

* Use cobra

Signed-off-by: Raghav Kaul <[email protected]>

* Add tests for root command

Signed-off-by: Raghav Kaul <[email protected]>

* Filter out checks that aren't needed for policy evaluation

Signed-off-by: Raghav Kaul <[email protected]>

* Add `make` targets for attestor; submit coverage stats

Signed-off-by: Raghav Kaul <[email protected]>

* Improvements

* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting

Signed-off-by: Raghav Kaul <[email protected]>

* Flags: Make note-name constant and fix messaging

Signed-off-by: Raghav Kaul <[email protected]>

* Remove SupportedRequestTypes

Signed-off-by: Raghav Kaul <[email protected]>

* go mod tidy

Signed-off-by: Raghav Kaul <[email protected]>

* go mod tidy, makefile

Signed-off-by: Raghav Kaul <[email protected]>

* Fix GH actions run

Signed-off-by: Raghav Kaul <[email protected]>

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Scott Hissam <[email protected]>

* removed whitespace before stanza for Run attestor e2e

Signed-off-by: Scott Hissam <[email protected]>

* resolved code review and doc review comments

Signed-off-by: Scott Hissam <[email protected]>

* repaired the link for the maintainer's guide for supporting the coordinated vulnerability disclosure guidelines

Signed-off-by: Scott Hissam <[email protected]>

Signed-off-by: Scott Hissam <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github/codeql-action from 2.1.30 to 2.1.31 (ossf#2431)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.31.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@18fe527...c3b6fce)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* enable more performant isText (ossf#2433)

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* modified tests,InitRepo Function, Added GetCommitDepth Function to Client Interface

Signed-off-by: latortuga71 <[email protected]>

* removed getcommitdepth function

Signed-off-by: latortuga71 <[email protected]>

* added TODO

Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 in /tools (ossf#2436)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.4.0...v2.5.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.4.0...v2.5.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Code Review: treat merging a PR as code review (ossf#2413)

* Merges on Github count as a code review by the maintainer

Signed-off-by: Raghav Kaul <[email protected]>

* Update Raw Results

* More detailed information for Changesets
* If there's no Revision ID, use the Commit SHA instead

Signed-off-by: Raghav Kaul <[email protected]>

* Check that pull request had at least one reviewer that wasn't its author

* Add field for Pull Request Merged-By to Github and Gitlab
* Note, this check can be bypassed if an author opens a PR with other
  people's commits

Signed-off-by: Raghav Kaul <[email protected]>

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Trivial: Fix typo (exepted -> expected) (ossf#2440)

Signed-off-by: Michael Scovetta <[email protected]>

Signed-off-by: Michael Scovetta <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump step-security/harden-runner from 1.5.0 to 2.0.0 (ossf#2443)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.5.0 to 2.0.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@2e205a2...ebacdc2)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 cron: support reading prefix from file for controller input files (7/n) (ossf#2445)

* add prefix marker file to config

Signed-off-by: Spencer Schrock <[email protected]>

* Read the new config values, if they exist.

Signed-off-by: Spencer Schrock <[email protected]>

* Add function to fetch prefix file config value.

Signed-off-by: Spencer Schrock <[email protected]>

* Read prefix file if prefix not set.

Signed-off-by: Spencer Schrock <[email protected]>

* Add tests to verify how List works with various prefixes

Signed-off-by: Spencer Schrock <[email protected]>

* Add tests for getPrefix

Signed-off-by: Spencer Schrock <[email protected]>

* Remove panics from iterator helper functions

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Detect SECURITY.markdown in addition to SECURITY.md (ossf#2447)

GitHub probably supports many more file extensions for Markdown
files, but at the very least, `.md` and `.markdown` have been
standardized in RFC 7763.

Signed-off-by: favonia <[email protected]>

Signed-off-by: favonia <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor (ossf#2430)

Signed-off-by: Raghav Kaul <[email protected]>

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 cron: expose the stackdriver prefix as a config variable so it can be changed. (ossf#2446)

* Expose the stackdriver prefix as a config variable so it can be changed.

Signed-off-by: Caleb Brown <[email protected]>

* fix linter warning

Signed-off-by: Caleb Brown <[email protected]>

Signed-off-by: Caleb Brown <[email protected]>
Co-authored-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Only write to the rawBucket if the value exists. (ossf#2451)

Signed-off-by: Caleb Brown <[email protected]>

Signed-off-by: Caleb Brown <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 (ossf#2448)

* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.2.0...v0.3.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* bump attestor modules

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Move cron monitoring to a non-internal location. (ossf#2453)

This allows external workers (e.g. criticality_score) to use the same
monitoring code.

Signed-off-by: Caleb Brown <[email protected]>

Signed-off-by: Caleb Brown <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (ossf#2455)

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@0efb1d1...30d5821)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents (ossf#2454)

* Generalize the transfer logic so it is easy to build new transfer agents

This change moves code that reads shards and produces summaries into the
data package so that it can be reused to create new transfer agents,
similar to the BigQuery transfer agent in cron/internal/bq.

Signed-off-by: Caleb Brown <[email protected]>

* Lint fix and commentary.

Signed-off-by: Caleb Brown <[email protected]>

Signed-off-by: Caleb Brown <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/google/addlicense in /tools (ossf#2459)

Bumps [github.com/google/addlicense](https://github.com/google/addlicense) from 1.0.0 to 1.1.0.
- [Release notes](https://github.com/google/addlicense/releases)
- [Changelog](https://github.com/google/addlicense/blob/master/.goreleaser.yaml)
- [Commits](google/addlicense@v1.0.0...v1.1.0)

---
updated-dependencies:
- dependency-name: github.com/google/addlicense
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/google/go-containerregistry

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.0 to 0.12.1.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.12.0...v0.12.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* go mod tidy

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Added <= instead of == in case negative int is passed

Signed-off-by: latortuga71 <[email protected]>

* missed test fix

Signed-off-by: latortuga71 <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>
Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Scott Hissam <[email protected]>
Signed-off-by: Michael Scovetta <[email protected]>
Signed-off-by: favonia <[email protected]>
Signed-off-by: Caleb Brown <[email protected]>
Signed-off-by: Latortuga <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: raghavkaul <[email protected]>
Co-authored-by: Spencer Schrock <[email protected]>
Co-authored-by: scott hissam <[email protected]>
Co-authored-by: Michael Scovetta <[email protected]>
Co-authored-by: favonia <[email protected]>
Co-authored-by: Caleb Brown <[email protected]>
Signed-off-by: nathaniel.wert <[email protected]>
raghavkaul pushed a commit to raghavkaul/scorecard that referenced this pull request Feb 9, 2023
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.20.2...v1.23.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
raghavkaul added a commit to raghavkaul/scorecard that referenced this pull request Feb 9, 2023
* 🌱 Bump actions/dependency-review-action from 2.4.1 to 2.5.1

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.4.1 to 2.5.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@9c96258...0efb1d1)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* commit_depth feature

Signed-off-by: latortuga71 <[email protected]>

* added more descriptive comments, changed numberofcommits variable name, moved paging for commits into separate function.

small changes

Signed-off-by: latortuga71 <[email protected]>

linter

Signed-off-by: latortuga71 <[email protected]>

* added unit tests

Signed-off-by: latortuga71 <[email protected]>

added test in e2e

Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (ossf#2397)

Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.6.0 to 1.6.1.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](spf13/cobra@v1.6.0...v1.6.1)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.1.6...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump cloud.google.com/go/pubsub from 1.25.1 to 1.26.0

Bumps [cloud.google.com/go/pubsub](https://github.com/googleapis/google-cloud-go) from 1.25.1 to 1.26.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@pubsub/v1.25.1...pubsub/v1.26.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/pubsub
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/xanzy/go-gitlab from 0.73.1 to 0.74.0

Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.73.1 to 0.74.0.
- [Release notes](https://github.com/xanzy/go-gitlab/releases)
- [Changelog](https://github.com/xanzy/go-gitlab/blob/master/releases_test.go)
- [Commits](xanzy/go-gitlab@v0.73.1...v0.74.0)

---
updated-dependencies:
- dependency-name: github.com/xanzy/go-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/gomega from 1.20.2 to 1.23.0 (ossf#2409)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.20.2 to 1.23.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.20.2...v1.23.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.1.6 to 2.4.0 in /tools

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.1.6 to 2.4.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.1.6...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/golangci/golangci-lint in /tools

Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.50.0 to 1.50.1.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](golangci/golangci-lint@v1.50.0...v1.50.1)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump goreleaser/goreleaser-action from 2.9.1 to 3.2.0 (ossf#2363)

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 2.9.1 to 3.2.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@b953231...b508e2e)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/goreleaser/goreleaser in /tools (ossf#2373)

Bumps [github.com/goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) from 1.11.5 to 1.12.3.
- [Release notes](https://github.com/goreleaser/goreleaser/releases)
- [Changelog](https://github.com/goreleaser/goreleaser/blob/main/.goreleaser.yaml)
- [Commits](goreleaser/goreleaser@v1.11.5...v1.12.3)

---
updated-dependencies:
- dependency-name: github.com/goreleaser/goreleaser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* ✨ CLI for scorecard-attestor (ossf#2309)

* Reorganize

Signed-off-by: Raghav Kaul <[email protected]>

* Working commit

Signed-off-by: Raghav Kaul <[email protected]>

* Compile with local scorecard; go mod tidy

Signed-off-by: Raghav Kaul <[email protected]>

* Add signing code

Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go

Signed-off-by: Raghav Kaul <[email protected]>

* Update deps

* Naming
* Makefile

Signed-off-by: Raghav Kaul <[email protected]>

* Edit license, add lint.yml

Signed-off-by: Raghav Kaul <[email protected]>

* checks: go mod tidy, license

Signed-off-by: Raghav Kaul <[email protected]>

* Address PR comments

* Split into checker/signer files
* Naming convention

Signed-off-by: Raghav Kaul <[email protected]>

* License, remove golangci.yml

Signed-off-by: Raghav Kaul <[email protected]>

* Address PR comments

* Use cobra

Signed-off-by: Raghav Kaul <[email protected]>

* Add tests for root command

Signed-off-by: Raghav Kaul <[email protected]>

* Filter out checks that aren't needed for policy evaluation

Signed-off-by: Raghav Kaul <[email protected]>

* Add `make` targets for attestor; submit coverage stats

Signed-off-by: Raghav Kaul <[email protected]>

* Improvements

* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting

Signed-off-by: Raghav Kaul <[email protected]>

* Flags: Make note-name constant and fix messaging

Signed-off-by: Raghav Kaul <[email protected]>

* Remove SupportedRequestTypes

Signed-off-by: Raghav Kaul <[email protected]>

* go mod tidy

Signed-off-by: Raghav Kaul <[email protected]>

* go mod tidy, makefile

Signed-off-by: Raghav Kaul <[email protected]>

* Fix GH actions run

Signed-off-by: Raghav Kaul <[email protected]>

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* fix workflow (ossf#2417)

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Bump scorecard-action (ossf#2416)

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Fail unit-test job if codecov upload fails (ossf#2415)

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Enable comparison for alternative isText implementation (ossf#2414)

* use more performant IsText

Signed-off-by: Spencer Schrock <[email protected]>

* AB test isText implementations

Signed-off-by: Spencer Schrock <[email protected]>

* Add comparison env var to release test.

Signed-off-by: Spencer Schrock <[email protected]>

* go mod tidy for attestor

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🐛 modify alternative isText to accept carriage returns (ossf#2421)

* modify IsText from golang.org/x/tools/godoc/util to accept carriage returns.

Signed-off-by: Spencer Schrock <[email protected]>

* add TODO reminder to cleanup after release tests

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/gomega from 1.23.0 to 1.24.0

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.23.0 to 1.24.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.23.0...v1.24.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github/codeql-action from 2.1.29 to 2.1.30

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.29 to 2.1.30.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@ec3cf9c...18fe527)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* revert failing unit-test on ci error (ossf#2422)

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* ✨ Improved Security Policy Check (ossf#2195)

* ✨ Improved Security Policy Check (ossf#2137)

* Examines and awards points for linked content (URLs / Emails)

* Examines and awards points for hints of disclosure and vulnerability practices

* Examines and awards points for hints of elaboration of timelines

Signed-off-by: Scott Hissam <[email protected]>

* Repaired Security Policy to correctly use linked content length for evaluation

Signed-off-by: Scott Hissam <[email protected]>

* gofmt'ed changes

Signed-off-by: Scott Hissam <[email protected]>

* Repaired the case in the evaluation which was too sensitive to content length over the length of the linked content for urls and emails

Signed-off-by: Scott Hissam <[email protected]>

* added unit test cases for the new content-based Security Policy checks

Signed-off-by: Scott Hissam <[email protected]>

* reverted the direct (mistaken) change to checks.md and updated the checks.yaml for generate-docs

Signed-off-by: Scott Hissam <[email protected]>

* ✨ Improved Security Policy Check (ossf#2137) (revisited based on comments)

* replaced reason strings with log.Info & log.Warn (as seen in --show-details)

* internal assertion check for nil (*pinfo) and empty pfile

* internal switched to FileTypeText over FileTypeSource

* internal implement type SecurityPolicyInformationType/SecurityPolicyInformation revised SecurityPolicyData to support only one file

* revised expected unit-test results and revised unit-test to reflect the new SecurityPolicyData type

Signed-off-by: Scott Hissam <[email protected]>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly

Signed-off-by: Scott Hissam <[email protected]>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; unit tests update accordingly

Signed-off-by: Scott Hissam <[email protected]>

* revised the score value based on observation of one *or more* url(s) or one email(s) found; e2e tests update accordingly

Signed-off-by: Scott Hissam <[email protected]>

* Addressed PR comments; added telemetry for policy hits in security policy file to track hits by line number

Signed-off-by: Scott Hissam <[email protected]>

* Resolved merge conflict with checks.yaml

Signed-off-by: Scott Hissam <[email protected]>

* updated raw results to emit all the raw information for the new security policy check

Signed-off-by: Scott Hissam <[email protected]>

* Resolved merge conflicts and lint errors with json_raw_results.go

Signed-off-by: Scott Hissam <[email protected]>

* Addressed review comments to reorganize security policy data struct to support the potential for multiple security policy files.

Signed-off-by: Scott Hissam <[email protected]>

* Added logic to the security policy to process multiple security policy files only after future improvements to aggregating scoring across such files are designed. For now the security policy behaves as originally designed to stop once one of the expected policy files is found in the repo

Signed-off-by: Scott Hissam <[email protected]>

* added comments regarding the capacity to support multiple policy files and removed unneeded break statements in the code

Signed-off-by: Scott Hissam <[email protected]>

* Addressed review comments to remove the dependency on the path in the filename from the code and introduced FileSize to checker.File type and removed the SecurityContentLength which was used to hold that information for the new security policy assessment

Signed-off-by: Scott Hissam <[email protected]>

* restored reporting full security policy path and filename for policies found in the org level repos

Signed-off-by: Scott Hissam <[email protected]>

* Resolved conflicts in checks.yaml for documentation

Signed-off-by: Scott Hissam <[email protected]>

* ✨ CLI for scorecard-attestor (ossf#2309)

* Reorganize

Signed-off-by: Raghav Kaul <[email protected]>

* Working commit

Signed-off-by: Raghav Kaul <[email protected]>

* Compile with local scorecard; go mod tidy

Signed-off-by: Raghav Kaul <[email protected]>

* Add signing code

Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go

Signed-off-by: Raghav Kaul <[email protected]>

* Update deps

* Naming
* Makefile

Signed-off-by: Raghav Kaul <[email protected]>

* Edit license, add lint.yml

Signed-off-by: Raghav Kaul <[email protected]>

* checks: go mod tidy, license

Signed-off-by: Raghav Kaul <[email protected]>

* Address PR comments

* Split into checker/signer files
* Naming convention

Signed-off-by: Raghav Kaul <[email protected]>

* License, remove golangci.yml

Signed-off-by: Raghav Kaul <[email protected]>

* Address PR comments

* Use cobra

Signed-off-by: Raghav Kaul <[email protected]>

* Add tests for root command

Signed-off-by: Raghav Kaul <[email protected]>

* Filter out checks that aren't needed for policy evaluation

Signed-off-by: Raghav Kaul <[email protected]>

* Add `make` targets for attestor; submit coverage stats

Signed-off-by: Raghav Kaul <[email protected]>

* Improvements

* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting

Signed-off-by: Raghav Kaul <[email protected]>

* Flags: Make note-name constant and fix messaging

Signed-off-by: Raghav Kaul <[email protected]>

* Remove SupportedRequestTypes

Signed-off-by: Raghav Kaul <[email protected]>

* go mod tidy

Signed-off-by: Raghav Kaul <[email protected]>

* go mod tidy, makefile

Signed-off-by: Raghav Kaul <[email protected]>

* Fix GH actions run

Signed-off-by: Raghav Kaul <[email protected]>

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Scott Hissam <[email protected]>

* removed whitespace before stanza for Run attestor e2e

Signed-off-by: Scott Hissam <[email protected]>

* resolved code review and doc review comments

Signed-off-by: Scott Hissam <[email protected]>

* repaired the link for the maintainer's guide for supporting the coordinated vulnerability disclosure guidelines

Signed-off-by: Scott Hissam <[email protected]>

Signed-off-by: Scott Hissam <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github/codeql-action from 2.1.30 to 2.1.31 (ossf#2431)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.30 to 2.1.31.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@18fe527...c3b6fce)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* enable more performant isText (ossf#2433)

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* modified tests, InitRepo Function, Added GetCommitDepth Function to Client Interface

Signed-off-by: latortuga71 <[email protected]>

* removed getcommitdepth function

Signed-off-by: latortuga71 <[email protected]>

* added TODO

Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0 in /tools (ossf#2436)

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.4.0...v2.5.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.0

Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](onsi/ginkgo@v2.4.0...v2.5.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Code Review: treat merging a PR as code review (ossf#2413)

* Merges on GitHub count as a code review by the maintainer

Signed-off-by: Raghav Kaul <[email protected]>

* Update Raw Results

* More detailed information for Changesets
* If there's no Revision ID, use the Commit SHA instead

Signed-off-by: Raghav Kaul <[email protected]>

* Check that pull request had at least one reviewer that wasn't its author

* Add field for Pull Request Merged-By to GitHub and GitLab
* Note, this check can be bypassed if an author opens a PR with other
  people's commits

Signed-off-by: Raghav Kaul <[email protected]>

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Trivial: Fix typo (exepted -> expected) (ossf#2440)

Signed-off-by: Michael Scovetta <[email protected]>

Signed-off-by: Michael Scovetta <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump step-security/harden-runner from 1.5.0 to 2.0.0 (ossf#2443)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 1.5.0 to 2.0.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@2e205a2...ebacdc2)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 cron: support reading prefix from file for controller input files (7/n) (ossf#2445)

* add prefix marker file to config

Signed-off-by: Spencer Schrock <[email protected]>

* Read the new config values, if they exist.

Signed-off-by: Spencer Schrock <[email protected]>

* Add function to fetch prefix file config value.

Signed-off-by: Spencer Schrock <[email protected]>

* Read prefix file if prefix not set.

Signed-off-by: Spencer Schrock <[email protected]>

* Add tests to verify how List works with various prefixes

Signed-off-by: Spencer Schrock <[email protected]>

* Add tests for getPrefix

Signed-off-by: Spencer Schrock <[email protected]>

* Remove panics from iterator helper functions

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Detect SECURITY.markdown in addition to SECURITY.md (ossf#2447)

GitHub probably supports many more file extensions for Markdown
files, but at the very least, `.md` and `.markdown` have been
standardized in RFC 7763.

Signed-off-by: favonia <[email protected]>

Signed-off-by: favonia <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Add Pinned-Dependency, Vulnerability, and Code-Review checks to attestor (ossf#2430)

Signed-off-by: Raghav Kaul <[email protected]>

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 cron: expose the stackdriver prefix as a config variable so it can be changed. (ossf#2446)

* Expose the stackdriver prefix as a config variable so it can be changed.

Signed-off-by: Caleb Brown <[email protected]>

* fix linter warning

Signed-off-by: Caleb Brown <[email protected]>

Signed-off-by: Caleb Brown <[email protected]>
Co-authored-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Only write to the rawBucket if the value exists. (ossf#2451)

Signed-off-by: Caleb Brown <[email protected]>

Signed-off-by: Caleb Brown <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0 (ossf#2448)

* 🌱 Bump golang.org/x/tools from 0.2.0 to 0.3.0

Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.2.0...v0.3.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* bump attestor modules

Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Move cron monitoring to a non-internal location. (ossf#2453)

This allows external workers (e.g. criticality_score) to use the same
monitoring code.

Signed-off-by: Caleb Brown <[email protected]>

Signed-off-by: Caleb Brown <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (ossf#2455)

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.5.1 to 3.0.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@0efb1d1...30d5821)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 [cron] generalize some of the transfer logic so it is easy to build new transfer agents (ossf#2454)

* Generalize the transfer logic so it is easy to build new transfer agents

This change moves code that reads shards and produces summaries into the
data package so that it can be reused to create new transfer agents,
similar to the BigQuery transfer agent in cron/internal/bq.

Signed-off-by: Caleb Brown <[email protected]>

* Lint fix and commentary.

Signed-off-by: Caleb Brown <[email protected]>

Signed-off-by: Caleb Brown <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/google/addlicense in /tools (ossf#2459)

Bumps [github.com/google/addlicense](https://github.com/google/addlicense) from 1.0.0 to 1.1.0.
- [Release notes](https://github.com/google/addlicense/releases)
- [Changelog](https://github.com/google/addlicense/blob/master/.goreleaser.yaml)
- [Commits](google/addlicense@v1.0.0...v1.1.0)

---
updated-dependencies:
- dependency-name: github.com/google/addlicense
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: latortuga71 <[email protected]>

* 🌱 Bump github.com/google/go-containerregistry

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.0 to 0.12.1.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](google/go-containerregistry@v0.12.0...v0.12.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* go mod tidy

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: latortuga71 <[email protected]>

* Added <= instead of == in case negative int is passed

Signed-off-by: latortuga71 <[email protected]>

* missed test fix

Signed-off-by: latortuga71 <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: latortuga71 <[email protected]>
Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Scott Hissam <[email protected]>
Signed-off-by: Michael Scovetta <[email protected]>
Signed-off-by: favonia <[email protected]>
Signed-off-by: Caleb Brown <[email protected]>
Signed-off-by: Latortuga <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: raghavkaul <[email protected]>
Co-authored-by: Spencer Schrock <[email protected]>
Co-authored-by: scott hissam <[email protected]>
Co-authored-by: Michael Scovetta <[email protected]>
Co-authored-by: favonia <[email protected]>
Co-authored-by: Caleb Brown <[email protected]>
Labels
dependencies Pull requests that update a dependency file go Pull requests that update Go code