From 0e7a09b37ee543286ae6a4a0e764e6fcf3c4ec70 Mon Sep 17 00:00:00 2001 From: afmarcum <138055109+afmarcum@users.noreply.github.com> Date: Fri, 3 May 2024 12:46:46 -0500 Subject: [PATCH 01/26] :book: Remove survey (#4077) Signed-off-by: afmarcum <138055109+afmarcum@users.noreply.github.com> --- README.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/README.md b/README.md index 18c332c3117..bbfc2625a1d 100644 --- a/README.md +++ b/README.md @@ -20,10 +20,6 @@ - [Scorecard's Public Data](#public-data) ## Using Scorecard -> [!IMPORTANT] -> OpenSSF Scorecard has opened a survey to better understand user expectations and needs from the project. The survey will remain open through OSS NA and the results will help steer the roadmap. **_[Survey link](https://forms.gle/6poWj6gQ15chxTDH8)_** -> -> Please let us know what is working, what is not, and what you would like to see from the project. **Thank you for participating!** - [Scorecard GitHub Action](#scorecard-github-action) - [Scorecard REST API](#scorecard-rest-api) From a788a3830d285aa53488f5f479789925ba59de9b Mon Sep 17 00:00:00 2001 From: "S. E. Elder" Date: Fri, 3 May 2024 17:50:50 -0400 Subject: [PATCH 02/26] =?UTF-8?q?=F0=9F=8C=B1=20=20Update=20Binary-Artifac?= =?UTF-8?q?ts=20and=20License=20checks=20(#4079)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * replaced localRepoClient with mockRepoClient Signed-off-by: seelder * Update binary_artifact_test.go to use scut Updated the test to use scut. Updated the test data to use scut, including adding NumberOfInfo and NumberOfWarn for each test case Signed-off-by: seelder * Update license_test to use gomock First attempt at updating license_test to use gomock instead of localDir. Note: localDir currently has a TODO for implementing ListLicenses. It returns an UnsupportedFeatures error, which is then handled in checks/raw/license. This first attempt replicates that existing behavior. Signed-off-by: seelder * Update license_test documentation Clarified why the mock simply throws an error Signed-off-by: seelder * Fixed linting error in license_test Signed-off-by: seelder --------- Signed-off-by: seelder --- checks/binary_artifact_test.go | 57 +++++++++++++++++++--------------- checks/license_test.go | 46 ++++++++++++++++----------- 2 files changed, 60 insertions(+), 43 deletions(-) diff --git a/checks/binary_artifact_test.go b/checks/binary_artifact_test.go index 98daad416d1..67f027a159f 100644 --- a/checks/binary_artifact_test.go +++ b/checks/binary_artifact_test.go @@ -16,15 +16,14 @@ package checks import ( "context" - "errors" + "io" + "os" "testing" "github.com/golang/mock/gomock" "github.com/ossf/scorecard/v5/checker" - "github.com/ossf/scorecard/v5/clients" - "github.com/ossf/scorecard/v5/clients/localdir" - "github.com/ossf/scorecard/v5/log" + mockrepo "github.com/ossf/scorecard/v5/clients/mockclients" scut "github.com/ossf/scorecard/v5/utests" ) @@ -34,22 +33,26 @@ func TestBinaryArtifacts(t *testing.T) { name string inputFolder string err error - expected checker.CheckResult + expected scut.TestReturn }{ { name: "Jar file", inputFolder: "testdata/binaryartifacts/jars", err: nil, - expected: checker.CheckResult{ - Score: 8, + expected: scut.TestReturn{ + Score: 8, + NumberOfInfo: 0, + NumberOfWarn: 2, }, }, { name: "non binary file", inputFolder: "testdata/licensedir/withlicense", err: nil, - expected: checker.CheckResult{ - Score: 10, + expected: scut.TestReturn{ + Score: checker.MaxResultScore, + NumberOfInfo: 0, + NumberOfWarn: 0, }, }, } @@ -58,35 +61,39 @@ func TestBinaryArtifacts(t *testing.T) { t.Run(tt.name, func(t *testing.T) { t.Parallel() - logger := log.NewLogger(log.DebugLevel) - - // TODO: Use gMock instead of Localdir here. ctrl := gomock.NewController(t) - repo, err := localdir.MakeLocalDirRepo(tt.inputFolder) - if !errors.Is(err, tt.err) { - t.Errorf("MakeLocalDirRepo: %v, expected %v", err, tt.err) - } + mockRepoClient := mockrepo.NewMockRepoClient(ctrl) - ctx := context.Background() + mockRepoClient.EXPECT().ListFiles(gomock.Any()).DoAndReturn(func(predicate func(string) (bool, error)) ([]string, error) { + var files []string + dirFiles, err := os.ReadDir(tt.inputFolder) + if err == nil { + for _, file := range dirFiles { + files = append(files, file.Name()) + } + print(files) + } + return files, err + }).AnyTimes() - client := localdir.CreateLocalDirClient(ctx, logger) - if err := client.InitRepo(repo, clients.HeadSHA, 0); err != nil { - t.Errorf("InitRepo: %v", err) - } + mockRepoClient.EXPECT().GetFileReader(gomock.Any()).DoAndReturn(func(file string) (io.ReadCloser, error) { + return os.Open("./" + tt.inputFolder + "/" + file) + }).AnyTimes() + + ctx := context.Background() dl := scut.TestDetailLogger{} req := checker.CheckRequest{ Ctx: ctx, - RepoClient: client, + RepoClient: mockRepoClient, Dlogger: &dl, } result := BinaryArtifacts(&req) - if result.Score != tt.expected.Score { - t.Errorf("BinaryArtifacts: %v, expected %v for tests %v", result.Score, tt.expected.Score, tt.name) - } + + scut.ValidateTestReturn(t, tt.name, &tt.expected, &result, &dl) ctrl.Finish() }) diff --git a/checks/license_test.go b/checks/license_test.go index bb659bf1413..fc50bc32a16 100644 --- a/checks/license_test.go +++ b/checks/license_test.go @@ -16,15 +16,16 @@ package checks import ( "context" - "errors" + "fmt" + "io" + "os" "testing" "github.com/golang/mock/gomock" "github.com/ossf/scorecard/v5/checker" - "github.com/ossf/scorecard/v5/clients" - "github.com/ossf/scorecard/v5/clients/localdir" - "github.com/ossf/scorecard/v5/log" + clients "github.com/ossf/scorecard/v5/clients" + mockrepo "github.com/ossf/scorecard/v5/clients/mockclients" scut "github.com/ossf/scorecard/v5/utests" ) @@ -66,28 +67,37 @@ func TestLicenseFileSubdirectory(t *testing.T) { t.Run(tt.name, func(t *testing.T) { t.Parallel() - logger := log.NewLogger(log.DebugLevel) - - // TODO: Use gMock instead of Localdir here. ctrl := gomock.NewController(t) - repo, err := localdir.MakeLocalDirRepo(tt.inputFolder) - - if !errors.Is(err, tt.err) { - t.Errorf("MakeLocalDirRepo: %v, expected %v", err, tt.err) - } + mockRepoClient := mockrepo.NewMockRepoClient(ctrl) + + mockRepoClient.EXPECT().ListFiles(gomock.Any()).DoAndReturn(func(predicate func(string) (bool, error)) ([]string, error) { + var files []string + dirFiles, err := os.ReadDir(tt.inputFolder) + if err == nil { + for _, file := range dirFiles { + files = append(files, file.Name()) + } + print(files) + } + return files, err + }).AnyTimes() + + mockRepoClient.EXPECT().GetFileReader(gomock.Any()).DoAndReturn(func(file string) (io.ReadCloser, error) { + return os.Open("./" + tt.inputFolder + "/" + file) + }).AnyTimes() + + // Currently the check itself handles this error gracefully, + // searching through the directory to find the license file(s) + // if that functionality is ever changed, this mock needs to be updated accordingly + mockRepoClient.EXPECT().ListLicenses().Return(nil, fmt.Errorf("ListLicenses: %w", clients.ErrUnsupportedFeature)).AnyTimes() ctx := context.Background() - client := localdir.CreateLocalDirClient(ctx, logger) - if err := client.InitRepo(repo, clients.HeadSHA, 0); err != nil { - t.Errorf("InitRepo: %v", err) - } - dl := scut.TestDetailLogger{} req := checker.CheckRequest{ Ctx: ctx, - RepoClient: client, + RepoClient: mockRepoClient, Dlogger: &dl, } From 16a88c3ce57cc93862c1eb083f75d7b4316466ba Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 13:04:32 -0700 Subject: [PATCH 03/26] :seedling: Bump github.com/onsi/ginkgo/v2 in /tools (#4076) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.17.1 to 2.17.2. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.17.1...v2.17.2) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tools/go.mod | 12 ++++++------ tools/go.sum | 29 ++++++++++++++--------------- 2 files changed, 20 insertions(+), 21 deletions(-) diff --git a/tools/go.mod b/tools/go.mod index 4d6d1728d43..8a6249899d7 100644 --- a/tools/go.mod +++ b/tools/go.mod @@ -8,7 +8,7 @@ require ( github.com/google/addlicense v1.1.1 github.com/google/ko v0.15.2 github.com/goreleaser/goreleaser v1.25.1 - github.com/onsi/ginkgo/v2 v2.17.1 + github.com/onsi/ginkgo/v2 v2.17.2 google.golang.org/protobuf v1.33.0 ) @@ -169,7 +169,7 @@ require ( github.com/go-openapi/strfmt v0.23.0 // indirect github.com/go-openapi/swag v0.23.0 // indirect github.com/go-openapi/validate v0.24.0 // indirect - github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect + github.com/go-task/slim-sprig/v3 v3.0.0 // indirect github.com/go-telegram-bot-api/telegram-bot-api v4.6.4+incompatible // indirect github.com/go-toolsmith/astcast v1.1.0 // indirect github.com/go-toolsmith/astcopy v1.1.0 // indirect @@ -197,7 +197,7 @@ require ( github.com/google/go-containerregistry v0.19.1 // indirect github.com/google/go-github/v61 v61.0.0 // indirect github.com/google/go-querystring v1.1.0 // indirect - github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b // indirect + github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect github.com/google/rpmpack v0.6.0 // indirect github.com/google/s2a-go v0.1.7 // indirect github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 // indirect @@ -370,15 +370,15 @@ require ( golang.org/x/crypto v0.22.0 // indirect golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc // indirect golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect - golang.org/x/mod v0.16.0 // indirect - golang.org/x/net v0.23.0 // indirect + golang.org/x/mod v0.17.0 // indirect + golang.org/x/net v0.24.0 // indirect golang.org/x/oauth2 v0.19.0 // indirect golang.org/x/sync v0.7.0 // indirect golang.org/x/sys v0.19.0 // indirect golang.org/x/term v0.19.0 // indirect golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.5.0 // indirect - golang.org/x/tools v0.19.0 // indirect + golang.org/x/tools v0.20.0 // indirect golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect google.golang.org/api v0.172.0 // indirect google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 // indirect diff --git a/tools/go.sum b/tools/go.sum index 990dd502f0d..6ce42144cc3 100644 --- a/tools/go.sum +++ b/tools/go.sum @@ -440,8 +440,8 @@ github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3Bum github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/go-telegram-bot-api/telegram-bot-api v4.6.4+incompatible h1:2cauKuaELYAEARXRkq2LrJ0yDDv1rW7+wrTEdVL3uaU= github.com/go-telegram-bot-api/telegram-bot-api v4.6.4+incompatible/go.mod h1:qf9acutJ8cwBUhm1bqgz6Bei9/C/c93FPDljKWwsOgM= github.com/go-test/deep v1.0.4/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= @@ -577,8 +577,8 @@ github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b h1:RMpPgZTSApbPf7xaVel+QkoGPRLFLrwFO89uDUHEGf0= -github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= +github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= +github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/rpmpack v0.6.0 h1:LoQuqlw6kHRwg25n3M0xtYrW+z2pTkR0ae1xx11hRw8= github.com/google/rpmpack v0.6.0/go.mod h1:uqVAUVQLq8UY2hCDfmJ/+rtO3aw7qyhc90rCVEabEfI= @@ -830,14 +830,14 @@ github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108 github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc= github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= -github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8= -github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs= +github.com/onsi/ginkgo/v2 v2.17.2 h1:7eMhcy3GimbsA3hEnVKdw/PQM9XN9krpKVXsZdph0/g= +github.com/onsi/ginkgo/v2 v2.17.2/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= -github.com/onsi/gomega v1.31.1 h1:KYppCUK+bUgAZwHOu7EXVBKyQA6ILvOESHkn/tgoqvo= -github.com/onsi/gomega v1.31.1/go.mod h1:y40C95dwAD1Nz36SsEnxvfFe8FFfNxzI5eJ0EYGyAy0= +github.com/onsi/gomega v1.33.0 h1:snPCflnZrpMsy94p4lXVEkHo12lmPnc3vY5XBbreexE= +github.com/onsi/gomega v1.33.0/go.mod h1:+925n5YtiFsLzzafLUHzVMBpvvRAzrydIBiSIxjX3wY= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= @@ -1001,7 +1001,6 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= -github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= @@ -1189,8 +1188,8 @@ golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic= -golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= +golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -1239,8 +1238,8 @@ golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= -golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= -golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= +golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w= +golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -1433,8 +1432,8 @@ golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps= -golang.org/x/tools v0.19.0 h1:tfGCXNR1OsFG+sVdLAitlpjAvD/I6dHDKnYrpEZUHkw= -golang.org/x/tools v0.19.0/go.mod h1:qoJWxmGSIBmAeriMx19ogtrEPrGtDbPK634QFIcLAhc= +golang.org/x/tools v0.20.0 h1:hz/CVckiOxybQvFw6h7b/q80NTr9IUQb4s1IIzW7KNY= +golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= From cad20c5355107a5aadfcc61fcce0f39b10def14d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 20:25:24 +0000 Subject: [PATCH 04/26] :seedling: Bump cloud.google.com/go/bigquery from 1.60.0 to 1.61.0 (#4069) --- go.mod | 29 +++++++++++++------------- go.sum | 66 ++++++++++++++++++++++++++++++---------------------------- 2 files changed, 49 insertions(+), 46 deletions(-) diff --git a/go.mod b/go.mod index a257ea110ed..181d26827d1 100644 --- a/go.mod +++ b/go.mod @@ -3,10 +3,10 @@ module github.com/ossf/scorecard/v5 go 1.21.8 require ( - cloud.google.com/go/bigquery v1.60.0 - cloud.google.com/go/monitoring v1.18.0 // indirect + cloud.google.com/go/bigquery v1.61.0 + cloud.google.com/go/monitoring v1.18.1 // indirect cloud.google.com/go/pubsub v1.37.0 - cloud.google.com/go/trace v1.10.5 // indirect + cloud.google.com/go/trace v1.10.6 // indirect contrib.go.opencensus.io/exporter/stackdriver v0.13.14 github.com/bombsimon/logrusr/v2 v2.0.1 github.com/bradleyfalzon/ghinstallation/v2 v2.10.0 @@ -31,7 +31,7 @@ require ( gocloud.dev v0.37.0 golang.org/x/text v0.14.0 golang.org/x/tools v0.20.0 // indirect - google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 // indirect + google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda // indirect google.golang.org/protobuf v1.34.0 gopkg.in/yaml.v2 v2.4.0 gopkg.in/yaml.v3 v3.0.1 @@ -51,15 +51,17 @@ require ( ) require ( - cloud.google.com/go/compute/metadata v0.2.3 // indirect - cloud.google.com/go/containeranalysis v0.11.4 // indirect - cloud.google.com/go/kms v1.15.7 // indirect + cloud.google.com/go/auth v0.2.2 // indirect + cloud.google.com/go/auth/oauth2adapt v0.2.1 // indirect + cloud.google.com/go/compute/metadata v0.3.0 // indirect + cloud.google.com/go/containeranalysis v0.11.5 // indirect + cloud.google.com/go/kms v1.15.8 // indirect dario.cat/mergo v1.0.0 // indirect deps.dev/api/v3 v3.0.0-20240411010756-f6f382da6e02 // indirect github.com/BurntSushi/toml v1.3.2 // indirect github.com/CycloneDX/cyclonedx-go v0.8.0 // indirect github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9 // indirect - github.com/apache/arrow/go/v14 v14.0.2 // indirect + github.com/apache/arrow/go/v15 v15.0.2 // indirect github.com/cloudflare/circl v1.3.7 // indirect github.com/containerd/typeurl/v2 v2.1.1 // indirect github.com/cyphar/filepath-securejoin v0.2.4 // indirect @@ -111,8 +113,8 @@ require ( golang.org/x/term v0.19.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/vuln v1.0.4 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240314234333-6e1732d8331c // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240415180920-8c6c420018be // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240415180920-8c6c420018be // indirect gopkg.in/inf.v0 v0.9.1 // indirect k8s.io/api v0.28.6 // indirect k8s.io/apimachinery v0.28.6 // indirect @@ -126,10 +128,9 @@ require ( ) require ( - cloud.google.com/go v0.112.1 // indirect - cloud.google.com/go/compute v1.25.0 // indirect + cloud.google.com/go v0.112.2 // indirect cloud.google.com/go/iam v1.1.7 // indirect - cloud.google.com/go/storage v1.39.1 // indirect + cloud.google.com/go/storage v1.40.0 // indirect github.com/Microsoft/go-winio v0.6.1 // indirect github.com/ProtonMail/go-crypto v1.0.0 // indirect github.com/aws/aws-sdk-go v1.50.36 // indirect @@ -181,7 +182,7 @@ require ( golang.org/x/sync v0.7.0 // indirect golang.org/x/sys v0.19.0 // indirect golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect - google.golang.org/api v0.170.0 // indirect + google.golang.org/api v0.175.0 // indirect google.golang.org/grpc v1.63.2 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect ) diff --git a/go.sum b/go.sum index 730eb742ab7..ae1ec9ed489 100644 --- a/go.sum +++ b/go.sum @@ -9,19 +9,21 @@ cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6T cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= -cloud.google.com/go v0.112.1 h1:uJSeirPke5UNZHIb4SxfZklVSiWWVqW4oXlETwZziwM= -cloud.google.com/go v0.112.1/go.mod h1:+Vbu+Y1UU+I1rjmzeMOb/8RfkKJK2Gyxi1X6jJCZLo4= +cloud.google.com/go v0.112.2 h1:ZaGT6LiG7dBzi6zNOvVZwacaXlmf3lRqnC4DQzqyRQw= +cloud.google.com/go v0.112.2/go.mod h1:iEqjp//KquGIJV/m+Pk3xecgKNhV+ry+vVTsy4TbDms= +cloud.google.com/go/auth v0.2.2 h1:gmxNJs4YZYcw6YvKRtVBaF2fyUE6UrWPyzU8jHvYfmI= +cloud.google.com/go/auth v0.2.2/go.mod h1:2bDNJWtWziDT3Pu1URxHHbkHE/BbOCuyUiKIGcNvafo= +cloud.google.com/go/auth/oauth2adapt v0.2.1 h1:VSPmMmUlT8CkIZ2PzD9AlLN+R3+D1clXMWHHa6vG/Ag= +cloud.google.com/go/auth/oauth2adapt v0.2.1/go.mod h1:tOdK/k+D2e4GEwfBRA48dKNQiDsqIXxLh7VU319eV0g= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= -cloud.google.com/go/bigquery v1.60.0 h1:kA96WfgvCbkqfLnr7xI5uEfJ4h4FrnkdEb0yty0KSZo= -cloud.google.com/go/bigquery v1.60.0/go.mod h1:Clwk2OeC0ZU5G5LDg7mo+h8U7KlAa5v06z5rptKdM3g= -cloud.google.com/go/compute v1.25.0 h1:H1/4SqSUhjPFE7L5ddzHOfY2bCAvjwNRZPNl6Ni5oYU= -cloud.google.com/go/compute v1.25.0/go.mod h1:GR7F0ZPZH8EhChlMo9FkLd7eUTwEymjqQagxzilIxIE= -cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= -cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= -cloud.google.com/go/containeranalysis v0.11.4 h1:doJ0M1ljS4hS0D2UbHywlHGwB7sQLNrt9vFk9Zyi7vY= -cloud.google.com/go/containeranalysis v0.11.4/go.mod h1:cVZT7rXYBS9NG1rhQbWL9pWbXCKHWJPYraE8/FTSYPE= +cloud.google.com/go/bigquery v1.61.0 h1:w2Goy9n6gh91LVi6B2Sc+HpBl8WbWhIyzdvVvrAuEIw= +cloud.google.com/go/bigquery v1.61.0/go.mod h1:PjZUje0IocbuTOdq4DBOJLNYB0WF3pAKBHzAYyxCwFo= +cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc= +cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= +cloud.google.com/go/containeranalysis v0.11.5 h1:yzohQ0HDoZq2TtCJkbUBsJs9RIR5WbKZlHrD7ilp2yg= +cloud.google.com/go/containeranalysis v0.11.5/go.mod h1:DlgF5MaxAmGdq6F9wCUEp/JNx9lsr6QaQONFd4mxG8A= cloud.google.com/go/datacatalog v1.20.0 h1:BGDsEjqpAo0Ka+b9yDLXnE5k+jU3lXGMh//NsEeDMIg= cloud.google.com/go/datacatalog v1.20.0/go.mod h1:fSHaKjIroFpmRrYlwz9XBB2gJBpXufpnxyAKaT4w6L0= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= @@ -29,12 +31,12 @@ cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1 cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= cloud.google.com/go/iam v1.1.7 h1:z4VHOhwKLF/+UYXAJDFwGtNF0b6gjsW1Pk9Ml0U/IoM= cloud.google.com/go/iam v1.1.7/go.mod h1:J4PMPg8TtyurAUvSmPj8FF3EDgY1SPRZxcUGrn7WXGA= -cloud.google.com/go/kms v1.15.7 h1:7caV9K3yIxvlQPAcaFffhlT7d1qpxjB1wHBtjWa13SM= -cloud.google.com/go/kms v1.15.7/go.mod h1:ub54lbsa6tDkUwnu4W7Yt1aAIFLnspgh0kPGToDukeI= +cloud.google.com/go/kms v1.15.8 h1:szIeDCowID8th2i8XE4uRev5PMxQFqW+JjwYxL9h6xs= +cloud.google.com/go/kms v1.15.8/go.mod h1:WoUHcDjD9pluCg7pNds131awnH429QGvRM3N/4MyoVs= cloud.google.com/go/longrunning v0.5.6 h1:xAe8+0YaWoCKr9t1+aWe+OeQgN/iJK1fEgZSXmjuEaE= cloud.google.com/go/longrunning v0.5.6/go.mod h1:vUaDrWYOMKRuhiv6JBnn49YxCPz2Ayn9GqyjaBT8/mA= -cloud.google.com/go/monitoring v1.18.0 h1:NfkDLQDG2UR3WYZVQE8kwSbUIEyIqJUPl+aOQdFH1T4= -cloud.google.com/go/monitoring v1.18.0/go.mod h1:c92vVBCeq/OB4Ioyo+NbN2U7tlg5ZH41PZcdvfc+Lcg= +cloud.google.com/go/monitoring v1.18.1 h1:0yvFXK+xQd95VKo6thndjwnJMno7c7Xw1CwMByg0B+8= +cloud.google.com/go/monitoring v1.18.1/go.mod h1:52hTzJ5XOUMRm7jYi7928aEdVxBEmGwA0EjNJXIBvt8= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= @@ -43,10 +45,10 @@ cloud.google.com/go/pubsub v1.37.0/go.mod h1:YQOQr1uiUM092EXwKs56OPT650nwnawc+8/ cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= -cloud.google.com/go/storage v1.39.1 h1:MvraqHKhogCOTXTlct/9C3K3+Uy2jBmFYb3/Sp6dVtY= -cloud.google.com/go/storage v1.39.1/go.mod h1:xK6xZmxZmo+fyP7+DEF6FhNc24/JAe95OLyOHCXFH1o= -cloud.google.com/go/trace v1.10.5 h1:0pr4lIKJ5XZFYD9GtxXEWr0KkVeigc3wlGpZco0X1oA= -cloud.google.com/go/trace v1.10.5/go.mod h1:9hjCV1nGBCtXbAE4YK7OqJ8pmPYSxPA0I67JwRd5s3M= +cloud.google.com/go/storage v1.40.0 h1:VEpDQV5CJxFmJ6ueWNsKxcr1QAYOXEgxDa+sBbJahPw= +cloud.google.com/go/storage v1.40.0/go.mod h1:Rrj7/hKlG87BLqDJYtwR0fbPld8uJPbQ2ucUMY7Ir0g= +cloud.google.com/go/trace v1.10.6 h1:XF0Ejdw0NpRfAvuZUeQe3ClAG4R/9w5JYICo7l2weaw= +cloud.google.com/go/trace v1.10.6/go.mod h1:EABXagUjxGuKcZMy4pXyz0fJpE5Ghog3jzTxcEsVJS4= contrib.go.opencensus.io/exporter/stackdriver v0.13.14 h1:zBakwHardp9Jcb8sQHcHpXy/0+JIb1M8KjigCJzx7+4= contrib.go.opencensus.io/exporter/stackdriver v0.13.14/go.mod h1:5pSSGY0Bhuk7waTHuDf4aQ8D2DrhgETRo9fy6k3Xlzc= dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= @@ -108,8 +110,8 @@ github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9 h1:6CO github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA= github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= -github.com/apache/arrow/go/v14 v14.0.2 h1:N8OkaJEOfI3mEZt07BIkvo4sC6XDbL+48MBPWO5IONw= -github.com/apache/arrow/go/v14 v14.0.2/go.mod h1:u3fgh3EdgN/YQ8cVQRguVW3R+seMybFg8QBQ5LU+eBY= +github.com/apache/arrow/go/v15 v15.0.2 h1:60IliRbiyTWCWjERBCkO1W4Qun9svcYoZrSLcyOsMLE= +github.com/apache/arrow/go/v15 v15.0.2/go.mod h1:DGXsR3ajT524njufqf95822i+KTh+yea1jass9YXgjA= github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= @@ -404,8 +406,8 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= -github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw= -github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= +github.com/google/martian/v3 v3.3.3 h1:DIhPTQrbPkgs2yJYdXU/eNACCG5DVQjySNRNlflZ9Fc= +github.com/google/martian/v3 v3.3.3/go.mod h1:iEPrYcgCF7jA9OtScMFQyAlZZ4YXTKEtJ1E6RWzmBA0= github.com/google/osv-scanner v1.7.2 h1:Mq7napa+8QKcwpf7IAwtJhISbNFB+lvevKXpeayFv0c= github.com/google/osv-scanner v1.7.2/go.mod h1:r0WoRNZW7nYX+gr8ff6B6euUZfjIX3iCOOffQf/dn8I= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= @@ -805,8 +807,8 @@ go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo= go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo= go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI= go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco= -go.opentelemetry.io/otel/sdk v1.22.0 h1:6coWHw9xw7EfClIC/+O31R8IY3/+EiRFHevmHafB2Gw= -go.opentelemetry.io/otel/sdk v1.22.0/go.mod h1:iu7luyVGYovrRpe2fmj3CVKouQNdTOkxtLzPvPz1DOc= +go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw= +go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg= go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI= go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= @@ -1116,8 +1118,8 @@ google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsb google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.170.0 h1:zMaruDePM88zxZBG+NG8+reALO2rfLhe/JShitLyT48= -google.golang.org/api v0.170.0/go.mod h1:/xql9M2btF85xac/VAm4PsLMTLVGUOpq4BE9R8jyNy8= +google.golang.org/api v0.175.0 h1:9bMDh10V9cBuU8N45Wlc3cKkItfqMRV0Fi8UscLEtbY= +google.golang.org/api v0.175.0/go.mod h1:Rra+ltKu14pps/4xTycZfobMgLpbosoaaL7c+SEMrO8= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= @@ -1145,12 +1147,12 @@ google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfG google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20200527145253-8367513e4ece/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= google.golang.org/genproto v0.0.0-20201203001206-6486ece9c497/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 h1:ImUcDPHjTrAqNhlOkSocDLfG9rrNHH7w7uoKWPaWZ8s= -google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7/go.mod h1:/3XmxOjePkvmKrHuBy4zNFw7IzxJXtAgdpXi8Ll990U= -google.golang.org/genproto/googleapis/api v0.0.0-20240314234333-6e1732d8331c h1:kaI7oewGK5YnVwj+Y+EJBO/YN1ht8iTL9XkFHtVZLsc= -google.golang.org/genproto/googleapis/api v0.0.0-20240314234333-6e1732d8331c/go.mod h1:VQW3tUculP/D4B+xVCo+VgSq8As6wA9ZjHl//pmk+6s= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c h1:lfpJ/2rWPa/kJgxyyXM8PrNnfCzcmxJ265mADgwmvLI= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY= +google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda h1:wu/KJm9KJwpfHWhkkZGohVC6KRrc1oJNr4jwtQMOQXw= +google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda/go.mod h1:g2LLCvCeCSir/JJSWosk19BR4NVxGqHUC6rxIRsd7Aw= +google.golang.org/genproto/googleapis/api v0.0.0-20240415180920-8c6c420018be h1:Zz7rLWqp0ApfsR/l7+zSHhY3PMiH2xqgxlfYfAfNpoU= +google.golang.org/genproto/googleapis/api v0.0.0-20240415180920-8c6c420018be/go.mod h1:dvdCTIoAGbkWbcIKBniID56/7XHTt6WfxXNMxuziJ+w= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240415180920-8c6c420018be h1:LG9vZxsWGOmUKieR8wPAUR3u3MpnYFQZROPIMaXh7/A= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240415180920-8c6c420018be/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= From 233741b2007fff31a539232aa527d0cde6701573 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 20:41:29 +0000 Subject: [PATCH 05/26] :seedling: Bump google.golang.org/protobuf in /tools (#4084) --- tools/go.mod | 2 +- tools/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/go.mod b/tools/go.mod index 8a6249899d7..6dd27bfa5d7 100644 --- a/tools/go.mod +++ b/tools/go.mod @@ -9,7 +9,7 @@ require ( github.com/google/ko v0.15.2 github.com/goreleaser/goreleaser v1.25.1 github.com/onsi/ginkgo/v2 v2.17.2 - google.golang.org/protobuf v1.33.0 + google.golang.org/protobuf v1.34.1 ) require ( diff --git a/tools/go.sum b/tools/go.sum index 6ce42144cc3..cd3f3f63edf 100644 --- a/tools/go.sum +++ b/tools/go.sum @@ -1526,8 +1526,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= -google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg= +google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk= gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk= From f3859fcd731c9ecd2701cf9ede23376a6e65ad98 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 20:59:35 +0000 Subject: [PATCH 06/26] :seedling: Bump the github-actions group across 1 directory with 2 updates (#4085) --- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/depsreview.yml | 2 +- .github/workflows/docker.yml | 4 ++-- .github/workflows/gitlab.yml | 2 +- .github/workflows/goreleaser.yaml | 2 +- .github/workflows/integration.yml | 2 +- .github/workflows/lint.yml | 4 ++-- .github/workflows/main.yml | 18 +++++++++--------- .github/workflows/publishimage.yml | 2 +- .github/workflows/scdiff.yml | 4 ++-- .github/workflows/scorecard-analysis.yml | 2 +- .github/workflows/slsa-goreleaser.yml | 2 +- 12 files changed, 23 insertions(+), 23 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index c7540575ff3..779d4dc8698 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -60,7 +60,7 @@ jobs: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Checkout repository - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 # don't use the default version of Go from GitHub runners # https://github.com/github/codeql-action/issues/1842#issuecomment-1704398087 diff --git a/.github/workflows/depsreview.yml b/.github/workflows/depsreview.yml index 4d2a11ede81..88253c830c9 100644 --- a/.github/workflows/depsreview.yml +++ b/.github/workflows/depsreview.yml @@ -22,6 +22,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: 'Dependency Review' uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # v4.3.2 diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 50a2eae92aa..3b5e4adf5ad 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -35,7 +35,7 @@ jobs: docs_only: ${{ steps.docs_only_check.outputs.docs_only }} steps: - name: Check out code - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b #v4.1.5 with: fetch-depth: 2 # needed to diff changed files - id: docs_only_check @@ -77,7 +77,7 @@ jobs: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Clone the code if: (needs.docs_only_check.outputs.docs_only != 'true') - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Setup Go # needed for some of the Makefile evaluations, even if building happens in Docker if: (needs.docs_only_check.outputs.docs_only != 'true') uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 diff --git a/.github/workflows/gitlab.yml b/.github/workflows/gitlab.yml index 6be3ac4c638..584645d8cac 100644 --- a/.github/workflows/gitlab.yml +++ b/.github/workflows/gitlab.yml @@ -37,7 +37,7 @@ jobs: with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Clone the code - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: ref: ${{ github.event.pull_request.head.sha || github.sha }} # head SHA if PR, else fallback to push SHA - name: Setup Go diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml index fc837e43ce8..91c6cc1a908 100644 --- a/.github/workflows/goreleaser.yaml +++ b/.github/workflows/goreleaser.yaml @@ -39,7 +39,7 @@ jobs: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Checkout - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: fetch-depth: 0 - name: Set up Go diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 091c03226db..b5e22acd906 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -48,7 +48,7 @@ jobs: with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Clone the code - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: ref: ${{ github.event.pull_request.head.sha }} - name: Setup Go diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 406f1f57108..0b7ff109f98 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -22,7 +22,7 @@ jobs: - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} @@ -31,7 +31,7 @@ jobs: run: | echo "GOLANGCI_LINT_VERSION=$(cd tools; go list -m -f '{{ .Version }}' github.com/golangci/golangci-lint)" >> "$GITHUB_ENV" - name: golangci-lint - uses: golangci/golangci-lint-action@9d1e0624a798bb64f6c3cea93db47765312263dc # v5.1.0 + uses: golangci/golangci-lint-action@38e1018663fa5173f3968ea0777460d3de38f256 # v5.3.0 with: version: ${{ env.GOLANGCI_LINT_VERSION }} only-new-issues: true diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9d8c737d407..6d707b3ed7c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -41,7 +41,7 @@ jobs: with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Clone the code - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Setup Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: @@ -117,7 +117,7 @@ jobs: restore-keys: | ${{ runner.os }}-go- - name: Clone the code - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: fetch-depth: 0 - name: Setup Go @@ -147,7 +147,7 @@ jobs: with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Clone the code - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Setup Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: @@ -182,7 +182,7 @@ jobs: version: ${{ env.PROTOC_VERSION }} repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Clone the code - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: fetch-depth: 0 - name: Setup Go @@ -237,7 +237,7 @@ jobs: restore-keys: | ${{ runner.os }}-go- - name: Clone the code - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Setup Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: @@ -277,7 +277,7 @@ jobs: restore-keys: | ${{ runner.os }}-go- - name: Clone the code - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: fetch-depth: 0 - name: Setup Go @@ -306,7 +306,7 @@ jobs: with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Clone the code - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Setup Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: @@ -340,7 +340,7 @@ jobs: version: ${{ env.PROTOC_VERSION }} repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Clone the code - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: fetch-depth: 0 - name: Setup Go @@ -369,7 +369,7 @@ jobs: with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0 with: go-version: ${{ env.GO_VERSION }} diff --git a/.github/workflows/publishimage.yml b/.github/workflows/publishimage.yml index fbfef54d4e7..d66432d657f 100644 --- a/.github/workflows/publishimage.yml +++ b/.github/workflows/publishimage.yml @@ -41,7 +41,7 @@ jobs: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Clone the code - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: fetch-depth: 0 - name: Setup Go diff --git a/.github/workflows/scdiff.yml b/.github/workflows/scdiff.yml index a460497709d..5e84bc1d783 100644 --- a/.github/workflows/scdiff.yml +++ b/.github/workflows/scdiff.yml @@ -78,7 +78,7 @@ jobs: checks = found[1] } core.exportVariable('SCORECARD_CHECKS', checks) - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: ref: ${{ steps.config.outputs.base }} - name: Setup Go @@ -94,7 +94,7 @@ jobs: go run cmd/internal/scdiff/main.go generate \ --repos $HOME/repos.txt \ --checks $SCORECARD_CHECKS > $HOME/before.json - - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: ref: ${{ steps.config.outputs.head }} - name: generate after results diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml index 1b77053ec4e..b7d7148559f 100644 --- a/.github/workflows/scorecard-analysis.yml +++ b/.github/workflows/scorecard-analysis.yml @@ -22,7 +22,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: persist-credentials: false diff --git a/.github/workflows/slsa-goreleaser.yml b/.github/workflows/slsa-goreleaser.yml index 649f06f7ffb..59350ea16a7 100644 --- a/.github/workflows/slsa-goreleaser.yml +++ b/.github/workflows/slsa-goreleaser.yml @@ -19,7 +19,7 @@ jobs: go-binary-name: ${{ steps.build.outputs.go-binary-name }} steps: - id: checkout - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 with: fetch-depth: 0 - id: ldflags From 81d239f19c7498048bd588a00781f674143be27f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 21:15:59 +0000 Subject: [PATCH 07/26] :seedling: Bump actions/setup-go from 5.0.0 to 5.0.1 (#4083) --- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/docker.yml | 2 +- .github/workflows/gitlab.yml | 2 +- .github/workflows/goreleaser.yaml | 2 +- .github/workflows/integration.yml | 2 +- .github/workflows/lint.yml | 2 +- .github/workflows/main.yml | 18 +++++++++--------- .github/workflows/publishimage.yml | 2 +- .github/workflows/scdiff.yml | 2 +- 9 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 779d4dc8698..56e8db83921 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -65,7 +65,7 @@ jobs: # don't use the default version of Go from GitHub runners # https://github.com/github/codeql-action/issues/1842#issuecomment-1704398087 - name: Setup Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: ${{ env.GO_VERSION }} check-latest: true diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 3b5e4adf5ad..86ac4d5544e 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -80,7 +80,7 @@ jobs: uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Setup Go # needed for some of the Makefile evaluations, even if building happens in Docker if: (needs.docs_only_check.outputs.docs_only != 'true') - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: ${{ env.GO_VERSION }} check-latest: true diff --git a/.github/workflows/gitlab.yml b/.github/workflows/gitlab.yml index 584645d8cac..05dce078d2e 100644 --- a/.github/workflows/gitlab.yml +++ b/.github/workflows/gitlab.yml @@ -41,7 +41,7 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha || github.sha }} # head SHA if PR, else fallback to push SHA - name: Setup Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: ${{ env.GO_VERSION }} check-latest: true diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml index 91c6cc1a908..72b16993101 100644 --- a/.github/workflows/goreleaser.yaml +++ b/.github/workflows/goreleaser.yaml @@ -43,7 +43,7 @@ jobs: with: fetch-depth: 0 - name: Set up Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.2.0 with: go-version: ${{ env.GO_VERSION }} check-latest: true diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index b5e22acd906..7d106567272 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -52,7 +52,7 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} - name: Setup Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: ${{ env.GO_VERSION }} check-latest: true diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 0b7ff109f98..65b5b1b2a80 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -23,7 +23,7 @@ jobs: with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: ${{ env.GO_VERSION }} cache: false # golangci-lint maintains its own cache diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 6d707b3ed7c..1fd6cf02c67 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -43,7 +43,7 @@ jobs: - name: Clone the code uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Setup Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: ${{ env.GO_VERSION }} check-latest: true @@ -121,7 +121,7 @@ jobs: with: fetch-depth: 0 - name: Setup Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.2.0 with: go-version: ${{ env.GO_VERSION }} check-latest: true @@ -149,7 +149,7 @@ jobs: - name: Clone the code uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Setup Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: ${{ env.GO_VERSION }} check-latest: true @@ -186,7 +186,7 @@ jobs: with: fetch-depth: 0 - name: Setup Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.2.0 with: go-version: ${{ env.GO_VERSION }} check-latest: true @@ -239,7 +239,7 @@ jobs: - name: Clone the code uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Setup Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: ${{ env.GO_VERSION }} check-latest: true @@ -281,7 +281,7 @@ jobs: with: fetch-depth: 0 - name: Setup Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.2.0 with: go-version: ${{ env.GO_VERSION }} check-latest: true @@ -308,7 +308,7 @@ jobs: - name: Clone the code uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Setup Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: ${{ env.GO_VERSION }} check-latest: true @@ -344,7 +344,7 @@ jobs: with: fetch-depth: 0 - name: Setup Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.2.0 with: go-version: ${{ env.GO_VERSION }} check-latest: true @@ -370,7 +370,7 @@ jobs: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0 + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.2.0 with: go-version: ${{ env.GO_VERSION }} check-latest: true diff --git a/.github/workflows/publishimage.yml b/.github/workflows/publishimage.yml index d66432d657f..87159b0e0ca 100644 --- a/.github/workflows/publishimage.yml +++ b/.github/workflows/publishimage.yml @@ -45,7 +45,7 @@ jobs: with: fetch-depth: 0 - name: Setup Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 with: go-version: ${{ env.GO_VERSION }} check-latest: true diff --git a/.github/workflows/scdiff.yml b/.github/workflows/scdiff.yml index 5e84bc1d783..6eea6c8103e 100644 --- a/.github/workflows/scdiff.yml +++ b/.github/workflows/scdiff.yml @@ -82,7 +82,7 @@ jobs: with: ref: ${{ steps.config.outputs.base }} - name: Setup Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: ${{ env.GO_VERSION }} check-latest: true From 250690511dc87fd853836a6e53d298987a41fc5a Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Tue, 7 May 2024 09:51:39 -0700 Subject: [PATCH 08/26] :bug: Code-Review: change phabricator regex to allow URLs (#4086) The old regex used \w which only allowed [0-9A-Za-z_], however most projects use full URLs with phabricator (e.g. https://reviews.foo.org/D###). This led to errors parsing the revisions, where "https" was seen as the revision, leading to an underreporting of code review practices. The new regex focuses on the D#### part and uses it as the revision. Signed-off-by: Spencer Schrock --- checks/code_review_test.go | 4 +- checks/raw/code_review.go | 2 +- checks/raw/code_review_test.go | 90 ++++++++++++++++++++++++---------- 3 files changed, 66 insertions(+), 30 deletions(-) diff --git a/checks/code_review_test.go b/checks/code_review_test.go index 1459f0e29b0..beb3b1b8d18 100644 --- a/checks/code_review_test.go +++ b/checks/code_review_test.go @@ -206,7 +206,7 @@ func TestCodereview(t *testing.T) { Committer: clients.User{ Login: "bob", }, - Message: "Title\nReviewed By: alice\nDifferential Revision: PHAB234", + Message: "Title\nReviewed By: alice\nDifferential Revision: D234", }, }, expected: scut.TestReturn{ @@ -236,7 +236,7 @@ func TestCodereview(t *testing.T) { Committer: clients.User{ Login: "bob", }, - Message: "Title\nDifferential Revision: PHAB234", + Message: "Title\nDifferential Revision: D234", }, }, expected: scut.TestReturn{ diff --git a/checks/raw/code_review.go b/checks/raw/code_review.go index 8c089374e0d..fe7eb88ef5d 100644 --- a/checks/raw/code_review.go +++ b/checks/raw/code_review.go @@ -25,7 +25,7 @@ import ( ) var ( - rePhabricatorRevID = regexp.MustCompile(`Differential Revision:\s*(\w+)`) + rePhabricatorRevID = regexp.MustCompile(`Differential Revision:[^\r\n]*(D\d+)`) rePiperRevID = regexp.MustCompile(`PiperOrigin-RevId:\s*(\d{3,})`) ) diff --git a/checks/raw/code_review_test.go b/checks/raw/code_review_test.go index 8430670d443..f954a0454cf 100644 --- a/checks/raw/code_review_test.go +++ b/checks/raw/code_review_test.go @@ -67,29 +67,41 @@ func Test_getChangesets(t *testing.T) { } phabricatorCommitA = clients.Commit{ - Message: "\nDifferential Revision: 123\nReviewed By: user-123", + Message: "\nDifferential Revision: D123\nReviewed By: user-123", SHA: "abc", } phabricatorCommitAUnsquashed = clients.Commit{ - Message: "\nDifferential Revision: 123\nReviewed By: user-123", + Message: "\nDifferential Revision: D123\nReviewed By: user-123", SHA: "adef", } phabricatorCommitAUnsquashed2 = clients.Commit{ - Message: "\nDifferential Revision: 123\nReviewed By: user-456", + Message: "\nDifferential Revision: D123\nReviewed By: user-456", SHA: "afab", } phabricatorCommitB = clients.Commit{ - Message: "\nDifferential Revision: 158\nReviewed By: user-123", + Message: "\nDifferential Revision: D158\nReviewed By: user-123", SHA: "def", } phabricatorCommitC = clients.Commit{ - Message: "\nDifferential Revision: 2000\nReviewed By: user-456", + Message: "\nDifferential Revision: D2000\nReviewed By: user-456", SHA: "fab", } phabricatorCommitD = clients.Commit{ - Message: "\nDifferential Revision: 2\nReviewed By: user-456", + Message: "\nDifferential Revision: D2\nReviewed By: user-456", SHA: "d", } + phabricatorCommitE = clients.Commit{ + Message: "\nDifferential Revision: https://reviews.foo.org/D123 \nReviewed By: user-123", + SHA: "e", + } + phabricatorCommitF = clients.Commit{ + Message: "\nDifferential Revision: https://foo.bar.example.com/D456 \nReviewed By: user-123", + SHA: "f", + } + phabricatorCommitG = clients.Commit{ + Message: "\nDifferential Revision: https://reviews.bar.org/D78910 \nReviewed By: user-123", + SHA: "g", + } gerritCommitB = clients.Commit{ Message: "first change\nReviewed-on: server.url \nReviewed-by:user-123", @@ -256,17 +268,17 @@ func Test_getChangesets(t *testing.T) { commits: []clients.Commit{phabricatorCommitA, phabricatorCommitB, phabricatorCommitC}, expected: []checker.Changeset{ { - RevisionID: "123", + RevisionID: "D123", ReviewPlatform: checker.ReviewPlatformPhabricator, Commits: []clients.Commit{phabricatorCommitA}, }, { - RevisionID: "158", + RevisionID: "D158", ReviewPlatform: checker.ReviewPlatformPhabricator, Commits: []clients.Commit{phabricatorCommitB}, }, { - RevisionID: "2000", + RevisionID: "D2000", ReviewPlatform: checker.ReviewPlatformPhabricator, Commits: []clients.Commit{phabricatorCommitC}, }, @@ -277,7 +289,7 @@ func Test_getChangesets(t *testing.T) { commits: []clients.Commit{phabricatorCommitA, phabricatorCommitAUnsquashed, phabricatorCommitAUnsquashed2}, expected: []checker.Changeset{ { - RevisionID: "123", + RevisionID: "D123", ReviewPlatform: checker.ReviewPlatformPhabricator, Commits: []clients.Commit{phabricatorCommitA, phabricatorCommitAUnsquashed, phabricatorCommitAUnsquashed2}, }, @@ -305,12 +317,12 @@ func Test_getChangesets(t *testing.T) { expected: []checker.Changeset{ { ReviewPlatform: checker.ReviewPlatformPhabricator, - RevisionID: "123", + RevisionID: "D123", Commits: []clients.Commit{phabricatorCommitA}, }, { ReviewPlatform: checker.ReviewPlatformPhabricator, - RevisionID: "2", + RevisionID: "D2", Commits: []clients.Commit{phabricatorCommitD}, }, { @@ -351,23 +363,47 @@ func Test_getChangesets(t *testing.T) { }, }, }, + { + name: "phabricator with URL for differential revision", + commits: []clients.Commit{phabricatorCommitE, phabricatorCommitF, phabricatorCommitG}, + expected: []checker.Changeset{ + { + ReviewPlatform: checker.ReviewPlatformPhabricator, + RevisionID: "D123", + Commits: []clients.Commit{phabricatorCommitE}, + }, + { + ReviewPlatform: checker.ReviewPlatformPhabricator, + RevisionID: "D456", + Commits: []clients.Commit{phabricatorCommitF}, + }, + { + ReviewPlatform: checker.ReviewPlatformPhabricator, + RevisionID: "D78910", + Commits: []clients.Commit{phabricatorCommitG}, + }, + }, + }, } for _, tt := range tests { - t.Logf("test: %s", tt.name) - changesets := getChangesets(tt.commits) - if !cmp.Equal(tt.expected, changesets, - cmpopts.SortSlices(func(x, y checker.Changeset) bool { - if x.RevisionID == y.RevisionID { - return x.ReviewPlatform < y.ReviewPlatform - } - return x.RevisionID < y.RevisionID - }), - cmpopts.SortSlices(func(x, y clients.Commit) bool { - return x.SHA < y.SHA - })) { - t.Log(cmp.Diff(tt.expected, changesets)) - t.Fail() - } + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + changesets := getChangesets(tt.commits) + if !cmp.Equal(tt.expected, changesets, + cmpopts.SortSlices(func(x, y checker.Changeset) bool { + if x.RevisionID == y.RevisionID { + return x.ReviewPlatform < y.ReviewPlatform + } + return x.RevisionID < y.RevisionID + }), + cmpopts.SortSlices(func(x, y clients.Commit) bool { + return x.SHA < y.SHA + })) { + t.Log(cmp.Diff(tt.expected, changesets)) + t.Fail() + } + }) } } From e6f5767190dcfddd7adccb0de1c1edae8e02ca50 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 7 May 2024 17:20:00 +0000 Subject: [PATCH 09/26] :seedling: Bump golang.org/x/oauth2 from 0.19.0 to 0.20.0 (#4087) --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 181d26827d1..dabb84c0f41 100644 --- a/go.mod +++ b/go.mod @@ -178,7 +178,7 @@ require ( golang.org/x/crypto v0.22.0 // indirect golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f // indirect golang.org/x/net v0.24.0 // indirect - golang.org/x/oauth2 v0.19.0 + golang.org/x/oauth2 v0.20.0 golang.org/x/sync v0.7.0 // indirect golang.org/x/sys v0.19.0 // indirect golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect diff --git a/go.sum b/go.sum index ae1ec9ed489..96d980981e4 100644 --- a/go.sum +++ b/go.sum @@ -931,8 +931,8 @@ golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4Iltr golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.19.0 h1:9+E/EZBCbTLNrbN35fHv/a/d/mOBatymz1zbtQrXpIg= -golang.org/x/oauth2 v0.19.0/go.mod h1:vYi7skDa1x015PmRRYZ7+s1cWyPgrPiSYRe4rnsexc8= +golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo= +golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= From 13c7254fd5a6729d519f39d998b017d5476c404e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 7 May 2024 17:32:27 +0000 Subject: [PATCH 10/26] :seedling: Bump golang.org/x/text from 0.14.0 to 0.15.0 (#4089) --- go.mod | 2 +- go.sum | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index dabb84c0f41..8b12c259bed 100644 --- a/go.mod +++ b/go.mod @@ -29,7 +29,7 @@ require ( github.com/xeipuuv/gojsonschema v1.2.0 go.opencensus.io v0.24.0 gocloud.dev v0.37.0 - golang.org/x/text v0.14.0 + golang.org/x/text v0.15.0 golang.org/x/tools v0.20.0 // indirect google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda // indirect google.golang.org/protobuf v1.34.0 diff --git a/go.sum b/go.sum index 96d980981e4..709e07b153b 100644 --- a/go.sum +++ b/go.sum @@ -1036,8 +1036,9 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= +golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From 6b5cb27cd011f6f3657e703b28ea824b9eae7552 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 7 May 2024 17:49:20 +0000 Subject: [PATCH 11/26] :seedling: Bump cloud.google.com/go/pubsub from 1.37.0 to 1.38.0 (#4088) --- go.mod | 12 ++++++------ go.sum | 24 ++++++++++++------------ 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/go.mod b/go.mod index 8b12c259bed..5ca8fd654f4 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.21.8 require ( cloud.google.com/go/bigquery v1.61.0 cloud.google.com/go/monitoring v1.18.1 // indirect - cloud.google.com/go/pubsub v1.37.0 + cloud.google.com/go/pubsub v1.38.0 cloud.google.com/go/trace v1.10.6 // indirect contrib.go.opencensus.io/exporter/stackdriver v0.13.14 github.com/bombsimon/logrusr/v2 v2.0.1 @@ -51,8 +51,8 @@ require ( ) require ( - cloud.google.com/go/auth v0.2.2 // indirect - cloud.google.com/go/auth/oauth2adapt v0.2.1 // indirect + cloud.google.com/go/auth v0.3.0 // indirect + cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect cloud.google.com/go/compute/metadata v0.3.0 // indirect cloud.google.com/go/containeranalysis v0.11.5 // indirect cloud.google.com/go/kms v1.15.8 // indirect @@ -113,8 +113,8 @@ require ( golang.org/x/term v0.19.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/vuln v1.0.4 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240415180920-8c6c420018be // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240415180920-8c6c420018be // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 // indirect gopkg.in/inf.v0 v0.9.1 // indirect k8s.io/api v0.28.6 // indirect k8s.io/apimachinery v0.28.6 // indirect @@ -182,7 +182,7 @@ require ( golang.org/x/sync v0.7.0 // indirect golang.org/x/sys v0.19.0 // indirect golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect - google.golang.org/api v0.175.0 // indirect + google.golang.org/api v0.177.0 // indirect google.golang.org/grpc v1.63.2 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect ) diff --git a/go.sum b/go.sum index 709e07b153b..6113f4984d2 100644 --- a/go.sum +++ b/go.sum @@ -11,10 +11,10 @@ cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6 cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= cloud.google.com/go v0.112.2 h1:ZaGT6LiG7dBzi6zNOvVZwacaXlmf3lRqnC4DQzqyRQw= cloud.google.com/go v0.112.2/go.mod h1:iEqjp//KquGIJV/m+Pk3xecgKNhV+ry+vVTsy4TbDms= -cloud.google.com/go/auth v0.2.2 h1:gmxNJs4YZYcw6YvKRtVBaF2fyUE6UrWPyzU8jHvYfmI= -cloud.google.com/go/auth v0.2.2/go.mod h1:2bDNJWtWziDT3Pu1URxHHbkHE/BbOCuyUiKIGcNvafo= -cloud.google.com/go/auth/oauth2adapt v0.2.1 h1:VSPmMmUlT8CkIZ2PzD9AlLN+R3+D1clXMWHHa6vG/Ag= -cloud.google.com/go/auth/oauth2adapt v0.2.1/go.mod h1:tOdK/k+D2e4GEwfBRA48dKNQiDsqIXxLh7VU319eV0g= +cloud.google.com/go/auth v0.3.0 h1:PRyzEpGfx/Z9e8+lHsbkoUVXD0gnu4MNmm7Gp8TQNIs= +cloud.google.com/go/auth v0.3.0/go.mod h1:lBv6NKTWp8E3LPzmO1TbiiRKc4drLOfHsgmlH9ogv5w= +cloud.google.com/go/auth/oauth2adapt v0.2.2 h1:+TTV8aXpjeChS9M+aTtN/TjdQnzJvmzKFt//oWu7HX4= +cloud.google.com/go/auth/oauth2adapt v0.2.2/go.mod h1:wcYjgpZI9+Yu7LyYBg4pqSiaRkfEK3GQcpb7C/uyF1Q= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= @@ -40,8 +40,8 @@ cloud.google.com/go/monitoring v1.18.1/go.mod h1:52hTzJ5XOUMRm7jYi7928aEdVxBEmGw cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= -cloud.google.com/go/pubsub v1.37.0 h1:0uEEfaB1VIJzabPpwpZf44zWAKAme3zwKKxHk7vJQxQ= -cloud.google.com/go/pubsub v1.37.0/go.mod h1:YQOQr1uiUM092EXwKs56OPT650nwnawc+8/IjoUeGzQ= +cloud.google.com/go/pubsub v1.38.0 h1:J1OT7h51ifATIedjqk/uBNPh+1hkvUaH4VKbz4UuAsc= +cloud.google.com/go/pubsub v1.38.0/go.mod h1:IPMJSWSus/cu57UyR01Jqa/bNOQA+XnPF6Z4dKW4fAA= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= @@ -1119,8 +1119,8 @@ google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsb google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.175.0 h1:9bMDh10V9cBuU8N45Wlc3cKkItfqMRV0Fi8UscLEtbY= -google.golang.org/api v0.175.0/go.mod h1:Rra+ltKu14pps/4xTycZfobMgLpbosoaaL7c+SEMrO8= +google.golang.org/api v0.177.0 h1:8a0p/BbPa65GlqGWtUKxot4p0TV8OGOfyTjtmkXNXmk= +google.golang.org/api v0.177.0/go.mod h1:srbhue4MLjkjbkux5p3dw/ocYOSZTaIEvf7bCOnFQDw= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= @@ -1150,10 +1150,10 @@ google.golang.org/genproto v0.0.0-20200527145253-8367513e4ece/go.mod h1:jDfRM7Fc google.golang.org/genproto v0.0.0-20201203001206-6486ece9c497/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda h1:wu/KJm9KJwpfHWhkkZGohVC6KRrc1oJNr4jwtQMOQXw= google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda/go.mod h1:g2LLCvCeCSir/JJSWosk19BR4NVxGqHUC6rxIRsd7Aw= -google.golang.org/genproto/googleapis/api v0.0.0-20240415180920-8c6c420018be h1:Zz7rLWqp0ApfsR/l7+zSHhY3PMiH2xqgxlfYfAfNpoU= -google.golang.org/genproto/googleapis/api v0.0.0-20240415180920-8c6c420018be/go.mod h1:dvdCTIoAGbkWbcIKBniID56/7XHTt6WfxXNMxuziJ+w= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240415180920-8c6c420018be h1:LG9vZxsWGOmUKieR8wPAUR3u3MpnYFQZROPIMaXh7/A= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240415180920-8c6c420018be/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY= +google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6 h1:DTJM0R8LECCgFeUwApvcEJHz85HLagW8uRENYxHh1ww= +google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6/go.mod h1:10yRODfgim2/T8csjQsMPgZOMvtytXKTDRzH6HRGzRw= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 h1:DujSIu+2tC9Ht0aPNA7jgj23Iq8Ewi5sgkQ++wdvonE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= From 256d5a3b50a2b2b54f258697199a9f5e2809663d Mon Sep 17 00:00:00 2001 From: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Date: Wed, 8 May 2024 13:58:02 -0400 Subject: [PATCH 12/26] =?UTF-8?q?=F0=9F=8C=B1=20Add=20script=20to=20set=20?= =?UTF-8?q?up=20probe=20boilerplate=20(#3948)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add script Signed-off-by: Raghav Kaul * script -> go Signed-off-by: Raghav Kaul * v4 -> v5 Signed-off-by: Raghav Kaul * update Signed-off-by: Raghav Kaul * update Signed-off-by: Raghav Kaul --------- Signed-off-by: Raghav Kaul --- Makefile | 3 + probes/internal/scripts/setup.go | 147 +++++++++++++++++++++++++++++++ 2 files changed, 150 insertions(+) create mode 100644 probes/internal/scripts/setup.go diff --git a/Makefile b/Makefile index 0826191bdba..b1f9e29678c 100644 --- a/Makefile +++ b/Makefile @@ -174,6 +174,9 @@ validate-docs: docs/checks/internal/generate/main.go # Validating checks.yaml go run ./docs/checks/internal/validate/main.go +setup-probe: + go run ./probes/internal/scripts/setup.go $(probeName) + SCORECARD_DEPS = $(shell find . -iname "*.go" | grep -v tools/) build-scorecard: ## Build Scorecard CLI build-scorecard: scorecard diff --git a/probes/internal/scripts/setup.go b/probes/internal/scripts/setup.go new file mode 100644 index 00000000000..2a0562e4225 --- /dev/null +++ b/probes/internal/scripts/setup.go @@ -0,0 +1,147 @@ +// Copyright 2024 OpenSSF Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +package main + +import ( + "fmt" + "os" + "path" + "time" +) + +func main() { + if len(os.Args) != 2 { + panic("usage: make setup-probe probeName=arg") + } + pn := os.Args[1] + + pd := path.Join("probes", pn) + err := os.Mkdir(pd, 0o700) + if err != nil { + panic(err) + } + + y := time.Now().Year() + + implBoilerplate := fmt.Sprintf(`// Copyright %d OpenSSF Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +//nolint:stylecheck +package %s + +import ( + "embed" + + "github.com/ossf/scorecard/v5/checker" + "github.com/ossf/scorecard/v5/finding" +) + +//go:embed *.yml +var fs embed.FS + +const ( + Probe = "%s" +) + +// If your probe is associated with a Scorecard check, map it like so: +// and create the entry in probes/entries.go +// func init() { +// probes.MustRegister(Probe, Run, []probes.CheckName{probes.}) +// } +// If your probe isn't supposed to be part of a Scorecard check, you must +// register it independently: +// func init() { +// probes.MustRegisterIndependent(Probe, Run) +// } + +func Run(raw *checker.RawResults) ([]finding.Finding, string, error) { + return nil, "", nil +} +`, y, pn, pn) + err = os.WriteFile(path.Join(pd, "impl.go"), []byte(implBoilerplate), 0o600) + if err != nil { + panic(err) + } + + implTestBoilerplate := fmt.Sprintf(`// Copyright %d OpenSSF Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +//nolint:stylecheck +package %s +`, y, pn) + err = os.WriteFile(path.Join(pd, "impl_test.go"), []byte(implTestBoilerplate), 0o600) + if err != nil { + panic(err) + } + + defYmlBoilerplate := fmt.Sprintf(`# Copyright %d OpenSSF Scorecard Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +id: %s +short: A short description of this probe +motivation: > + What is the motivation for this probe? +implementation: > + How does this probe work under-the-hood? +outcome: + - +remediation: + onOutcome: # Which direction of a probe outcome (True/False) requires a "fix"? + effort: # High, Medium, Low + text: + - +ecosystem: + languages: + - + clients: + - +`, y, pn) + err = os.WriteFile(path.Join(pd, "def.yml"), []byte(defYmlBoilerplate), 0o600) + if err != nil { + panic(err) + } +} From cc7132d63171e2dd79fb24014c7930cbb969760b Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Wed, 8 May 2024 12:07:43 -0700 Subject: [PATCH 13/26] :seedling: implement basic rate limiting for best practices worker. (#4090) We are getting connection reset requests from bestpractices.dev and 429 errors from our GCS bucket for too many writes. The GCS limit (1000 QPS) is much higher, so just use the bestpractices.dev limit of 1 QPS. https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/api.md The construct was taken from https://go.dev/wiki/RateLimiting which "works well for rates up to tens of operations per second." Signed-off-by: Spencer Schrock --- cron/internal/cii/main.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/cron/internal/cii/main.go b/cron/internal/cii/main.go index dc3739b7be9..f1048ceedbb 100644 --- a/cron/internal/cii/main.go +++ b/cron/internal/cii/main.go @@ -24,6 +24,7 @@ import ( "log" "net/http" "strings" + "time" "github.com/ossf/scorecard/v5/clients" "github.com/ossf/scorecard/v5/cron/config" @@ -95,9 +96,13 @@ func main() { panic(err) } + throttle := time.NewTicker(time.Second) // bestpractices.dev wants 1 QPS + defer throttle.Stop() + pageNum := 1 pageResp, err := getPage(ctx, pageNum) for err == nil && len(pageResp) > 0 { + <-throttle.C if err := writeToCIIDataBucket(ctx, pageResp, ciiDataBucket); err != nil { panic(err) } From c92efe9bb23dde5ff67b06f13daab7ec378831cd Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Wed, 8 May 2024 13:41:39 -0700 Subject: [PATCH 14/26] :seedling: cron: don't write anything for projects without URL (#4095) We still run into the 429 GCS responses due to the lower limits on the same file. All of the projects without a repo_url are being mapped to the same object and leading to rate limiting. "Maximum rate of writes to the same object name: One write per second" https://cloud.google.com/storage/quotas#objects Signed-off-by: Spencer Schrock --- cron/internal/cii/main.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cron/internal/cii/main.go b/cron/internal/cii/main.go index f1048ceedbb..bc53be1a32c 100644 --- a/cron/internal/cii/main.go +++ b/cron/internal/cii/main.go @@ -42,6 +42,9 @@ func writeToCIIDataBucket(ctx context.Context, pageResp []ciiPageResp, bucketURL for _, project := range pageResp { projectURL := strings.TrimPrefix(project.RepoURL, "https://") projectURL = strings.TrimPrefix(projectURL, "http://") + if projectURL == "" { + continue + } jsonData, err := clients.BadgeResponse{ BadgeLevel: project.BadgeLevel, }.AsJSON() From f8422929ccd3215a4c46c18c5255210182ca00f9 Mon Sep 17 00:00:00 2001 From: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Date: Wed, 8 May 2024 16:56:36 -0400 Subject: [PATCH 15/26] =?UTF-8?q?=F0=9F=8C=B1=20Add=20ProjectPackageClient?= =?UTF-8?q?=20interface=20and=20deps.dev=20default=20client=20(#3954)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add ProjectPackageClient interface and deps.dev default client Signed-off-by: Raghav Kaul * v4 -> v5 Signed-off-by: Raghav Kaul * Move to internal Signed-off-by: Raghav Kaul * move internal to higher-level w/ shared root Signed-off-by: Raghav Kaul * update Signed-off-by: Raghav Kaul --------- Signed-off-by: Raghav Kaul --- e2e/depsdev_test.go | 55 +++++++++++++++++++ internal/packageclient/depsdev.go | 89 +++++++++++++++++++++++++++++++ 2 files changed, 144 insertions(+) create mode 100644 e2e/depsdev_test.go create mode 100644 internal/packageclient/depsdev.go diff --git a/e2e/depsdev_test.go b/e2e/depsdev_test.go new file mode 100644 index 00000000000..00323bf0781 --- /dev/null +++ b/e2e/depsdev_test.go @@ -0,0 +1,55 @@ +// Copyright 2024 OpenSSF Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package e2e + +import ( + "context" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + + "github.com/ossf/scorecard/v5/internal/packageclient" +) + +var _ = Describe("E2E TEST: depsdevclient.GetProjectPackageVersions", func() { + var client packageclient.ProjectPackageClient + + Context("E2E TEST: Confirm ProjectPackageClient works", func() { + It("Should receive a non-empty response from deps.dev for existing projects", func() { + client = packageclient.CreateDepsDevClient() + versions, err := client.GetProjectPackageVersions( + context.Background(), "github.com", "ossf/scorecard", + ) + Expect(err).Should(BeNil()) + Expect(len(versions.Versions)).Should(BeNumerically(">", 0)) + }) + It("Should error from deps.dev for nonexistent projects", func() { + client = packageclient.CreateDepsDevClient() + versions, err := client.GetProjectPackageVersions( + context.Background(), "github.com", "ossf/scorecard-E2E-TEST-DOES-NOT-EXIST", + ) + Expect(err).ShouldNot(BeNil()) + Expect(versions).Should(BeNil()) + }) + It("Should receive a non-empty response from deps.dev for existing projects", func() { + client = packageclient.CreateDepsDevClient() + versions, err := client.GetProjectPackageVersions( + context.Background(), "gitlab.com", "libtiff/libtiff", + ) + Expect(err).Should(BeNil()) + Expect(len(versions.Versions)).Should(BeNumerically(">", 0)) + }) + }) +}) diff --git a/internal/packageclient/depsdev.go b/internal/packageclient/depsdev.go new file mode 100644 index 00000000000..b816296c2fc --- /dev/null +++ b/internal/packageclient/depsdev.go @@ -0,0 +1,89 @@ +// Copyright 2024 OpenSSF Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package packageclient + +import ( + "context" + "encoding/json" + "fmt" + "io" + "net/http" + "net/url" +) + +// This interface lets Scorecard look up package manager metadata for a project. +type ProjectPackageClient interface { + GetProjectPackageVersions(ctx context.Context, host, project string) (*ProjectPackageVersions, error) +} + +type depsDevClient struct { + client *http.Client +} + +type ProjectPackageVersions struct { + // field alignment + //nolint:govet + Versions []struct { + VersionKey struct { + System string `json:"system"` + Name string `json:"name"` + Version string `json:"version"` + } `json:"versionKey"` + SLSAProvenances []struct { + SourceRepository string `json:"sourceRepository"` + Commit string `json:"commit"` + Verified bool `json:"verified"` + } `json:"slsaProvenances"` + RelationType string `json:"relationType"` + RelationProvenance string `json:"relationProvenance"` + } `json:"versions"` +} + +func CreateDepsDevClient() ProjectPackageClient { + return depsDevClient{ + client: &http.Client{}, + } +} + +func (d depsDevClient) GetProjectPackageVersions( + ctx context.Context, host, project string, +) (*ProjectPackageVersions, error) { + path := fmt.Sprintf("%s/%s", host, project) + query := fmt.Sprintf("https://api.deps.dev/v3/projects/%s:packageversions", url.QueryEscape(path)) + + req, err := http.NewRequestWithContext(ctx, http.MethodGet, query, nil) + if err != nil { + return nil, fmt.Errorf("http.NewRequestWithContext: %w", err) + } + + resp, err := d.client.Do(req) + if err != nil { + return nil, fmt.Errorf("deps.dev GetProjectPackageVersions: %w", err) + } + defer resp.Body.Close() + + body, err := io.ReadAll(resp.Body) + if err != nil { + return nil, fmt.Errorf("resp.Body.Read: %w", err) + } + + var res ProjectPackageVersions + err = json.Unmarshal(body, &res) + if err != nil { + return nil, fmt.Errorf("json.Unmarshal from deps.dev: %w", err) + } + + return &res, nil +} From 7ce8609469289d5f3b1bf5ee3122f42b4e3054fb Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Thu, 9 May 2024 11:27:34 -0700 Subject: [PATCH 16/26] :bug: Support renamed gradle verification action and callers which pin to hash (#4097) * Support renamed gradle verification action From gradle/wrapper-validation-action's readme: "As of v3 this action has been superceded by gradle/actions/wrapper-validation" Also support actions pinned to a hash. Signed-off-by: Spencer Schrock * remove unneeded dependency Signed-off-by: Spencer Schrock --------- Signed-off-by: Spencer Schrock --- checks/raw/binary_artifact.go | 30 ++----------------- checks/raw/binary_artifact_test.go | 17 +++++++++-- ...ction.yaml => verify-new-gradle-name.yaml} | 5 ++-- go.mod | 1 - go.sum | 2 -- 5 files changed, 19 insertions(+), 36 deletions(-) rename checks/testdata/binaryartifacts/workflows/{verify-outdated-action.yaml => verify-new-gradle-name.yaml} (53%) diff --git a/checks/raw/binary_artifact.go b/checks/raw/binary_artifact.go index 2d1ded74908..370b0d85458 100644 --- a/checks/raw/binary_artifact.go +++ b/checks/raw/binary_artifact.go @@ -19,11 +19,9 @@ import ( "fmt" "io" "path/filepath" - "regexp" "strings" "unicode/utf8" - semver "github.com/Masterminds/semver/v3" "github.com/h2non/filetype" "github.com/h2non/filetype/types" "github.com/rhysd/actionlint" @@ -35,23 +33,9 @@ import ( "github.com/ossf/scorecard/v5/finding" ) -var ( - gradleWrapperValidationActionRegex = regexp.MustCompile(`^gradle\/wrapper-validation-action@v?(.+)$`) - gradleWrapperValidationActionVersionConstraint = mustParseConstraint(`>= 1.0.0`) -) - // how many bytes are considered when determining if a file is text or binary. const binaryTestLen = 1024 -// mustParseConstraint attempts parse of semver constraint, panics if fail. -func mustParseConstraint(c string) *semver.Constraints { - if c, err := semver.NewConstraint(c); err != nil { - panic(fmt.Errorf("failed to parse constraint: %w", err)) - } else { - return c - } -} - // BinaryArtifacts retrieves the raw data for the Binary-Artifacts check. func BinaryArtifacts(req *checker.CheckRequest) (checker.BinaryArtifactData, error) { c := req.RepoClient @@ -266,18 +250,8 @@ func checkWorkflowValidatesGradleWrapper(path string, content []byte, args ...in if ea.Uses == nil { continue } - sms := gradleWrapperValidationActionRegex.FindStringSubmatch(ea.Uses.Value) - if len(sms) > 1 { - v, err := semver.NewVersion(sms[1]) - if err != nil { - // Couldn't parse version, hopefully another step has - // a correct one. - continue - } - if !gradleWrapperValidationActionVersionConstraint.Check(v) { - // Version out of acceptable range. - continue - } + if strings.HasPrefix(ea.Uses.Value, "gradle/wrapper-validation-action@") || + strings.HasPrefix(ea.Uses.Value, "gradle/actions/wrapper-validation@") { // OK! This is it. *validatingWorkflowFile = filepath.Base(path) return false, nil diff --git a/checks/raw/binary_artifact_test.go b/checks/raw/binary_artifact_test.go index b352892c38a..fff2c5d482f 100644 --- a/checks/raw/binary_artifact_test.go +++ b/checks/raw/binary_artifact_test.go @@ -164,13 +164,26 @@ func TestBinaryArtifacts(t *testing.T) { expect: 1, }, { - name: "gradle-wrapper.jar with outdated verification action", + name: "gradle-wrapper.jar with new verification action", err: nil, files: [][]string{ {"../testdata/binaryartifacts/jars/gradle-wrapper.jar"}, { "../testdata/binaryartifacts/workflows/nonverify.yaml", - "../testdata/binaryartifacts/workflows/verify-outdated-action.yaml", + "../testdata/binaryartifacts/workflows/verify-new-gradle-name.yaml", + }, + }, + successfulWorkflowRuns: []clients.WorkflowRun{ + { + HeadSHA: strptr("sha-a"), + }, + }, + commits: []clients.Commit{ + { + SHA: "sha-a", + }, + { + SHA: "sha-old", }, }, getFileContentCount: 3, diff --git a/checks/testdata/binaryartifacts/workflows/verify-outdated-action.yaml b/checks/testdata/binaryartifacts/workflows/verify-new-gradle-name.yaml similarity index 53% rename from checks/testdata/binaryartifacts/workflows/verify-outdated-action.yaml rename to checks/testdata/binaryartifacts/workflows/verify-new-gradle-name.yaml index 477c45ffcb9..27dc62d2be5 100644 --- a/checks/testdata/binaryartifacts/workflows/verify-outdated-action.yaml +++ b/checks/testdata/binaryartifacts/workflows/verify-new-gradle-name.yaml @@ -6,7 +6,6 @@ jobs: name: "GW Validate Job" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: GW Validate Step - # this is a made-up outdated version of the action: - uses: gradle/wrapper-validation-action@v0.1.0 + uses: gradle/actions/wrapper-validation@v3 diff --git a/go.mod b/go.mod index 5ca8fd654f4..59a1b01a02d 100644 --- a/go.mod +++ b/go.mod @@ -39,7 +39,6 @@ require ( ) require ( - github.com/Masterminds/semver/v3 v3.2.1 github.com/caarlos0/env/v6 v6.10.0 github.com/gobwas/glob v0.2.3 github.com/google/go-github/v53 v53.2.0 diff --git a/go.sum b/go.sum index 6113f4984d2..3c546a19c50 100644 --- a/go.sum +++ b/go.sum @@ -89,8 +89,6 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym github.com/CycloneDX/cyclonedx-go v0.8.0 h1:FyWVj6x6hoJrui5uRQdYZcSievw3Z32Z88uYzG/0D6M= github.com/CycloneDX/cyclonedx-go v0.8.0/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk= github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14= -github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0= -github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= From 9e9de6ac0668f2271f205c33302e300348f96111 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 May 2024 18:08:39 +0000 Subject: [PATCH 17/26] :seedling: Bump golang from 1.22.2 to 1.22.3 (#4098) * :seedling: Bump golang from 1.22.2 to 1.22.3 Bumps golang from 1.22.2 to 1.22.3. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * bump the other 7 dockerfiles Signed-off-by: Spencer Schrock --------- Signed-off-by: dependabot[bot] Signed-off-by: Spencer Schrock Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Spencer Schrock --- Dockerfile | 2 +- attestor/Dockerfile | 2 +- clients/githubrepo/roundtripper/tokens/server/Dockerfile | 2 +- cron/internal/bq/Dockerfile | 2 +- cron/internal/cii/Dockerfile | 2 +- cron/internal/controller/Dockerfile | 2 +- cron/internal/webhook/Dockerfile | 2 +- cron/internal/worker/Dockerfile | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index 81d1bbc7894..a355497ef7a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.22.2@sha256:c4fb952e712efd8f787bcd8e53fd66d1d83b7dc26adabc218e9eac1dbf776bdf AS base +FROM golang:1.22.3@sha256:b1e05e2c918f52c59d39ce7d5844f73b2f4511f7734add8bb98c9ecdd4443365 AS base WORKDIR /src ENV CGO_ENABLED=0 COPY go.* ./ diff --git a/attestor/Dockerfile b/attestor/Dockerfile index 9ad87fba499..b606a569a72 100644 --- a/attestor/Dockerfile +++ b/attestor/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.22.2@sha256:c4fb952e712efd8f787bcd8e53fd66d1d83b7dc26adabc218e9eac1dbf776bdf AS base +FROM golang:1.22.3@sha256:b1e05e2c918f52c59d39ce7d5844f73b2f4511f7734add8bb98c9ecdd4443365 AS base WORKDIR /src/scorecard COPY . ./ diff --git a/clients/githubrepo/roundtripper/tokens/server/Dockerfile b/clients/githubrepo/roundtripper/tokens/server/Dockerfile index a8b9e8cf338..f33011e9370 100644 --- a/clients/githubrepo/roundtripper/tokens/server/Dockerfile +++ b/clients/githubrepo/roundtripper/tokens/server/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.22.2@sha256:c4fb952e712efd8f787bcd8e53fd66d1d83b7dc26adabc218e9eac1dbf776bdf AS base +FROM golang:1.22.3@sha256:b1e05e2c918f52c59d39ce7d5844f73b2f4511f7734add8bb98c9ecdd4443365 AS base WORKDIR /src ENV CGO_ENABLED=0 COPY go.* ./ diff --git a/cron/internal/bq/Dockerfile b/cron/internal/bq/Dockerfile index 1c6c762a5d0..2d55e40692b 100644 --- a/cron/internal/bq/Dockerfile +++ b/cron/internal/bq/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.22.2@sha256:c4fb952e712efd8f787bcd8e53fd66d1d83b7dc26adabc218e9eac1dbf776bdf AS base +FROM golang:1.22.3@sha256:b1e05e2c918f52c59d39ce7d5844f73b2f4511f7734add8bb98c9ecdd4443365 AS base WORKDIR /src ENV CGO_ENABLED=0 COPY go.* ./ diff --git a/cron/internal/cii/Dockerfile b/cron/internal/cii/Dockerfile index 9398fdf576d..be98c571695 100644 --- a/cron/internal/cii/Dockerfile +++ b/cron/internal/cii/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.22.2@sha256:c4fb952e712efd8f787bcd8e53fd66d1d83b7dc26adabc218e9eac1dbf776bdf AS base +FROM golang:1.22.3@sha256:b1e05e2c918f52c59d39ce7d5844f73b2f4511f7734add8bb98c9ecdd4443365 AS base WORKDIR /src ENV CGO_ENABLED=0 COPY go.* ./ diff --git a/cron/internal/controller/Dockerfile b/cron/internal/controller/Dockerfile index b3640c8e186..a611c523b9b 100644 --- a/cron/internal/controller/Dockerfile +++ b/cron/internal/controller/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.22.2@sha256:c4fb952e712efd8f787bcd8e53fd66d1d83b7dc26adabc218e9eac1dbf776bdf AS base +FROM golang:1.22.3@sha256:b1e05e2c918f52c59d39ce7d5844f73b2f4511f7734add8bb98c9ecdd4443365 AS base WORKDIR /src ENV CGO_ENABLED=0 COPY go.* ./ diff --git a/cron/internal/webhook/Dockerfile b/cron/internal/webhook/Dockerfile index 5b440997a10..2da5d21c6de 100644 --- a/cron/internal/webhook/Dockerfile +++ b/cron/internal/webhook/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.22.2@sha256:c4fb952e712efd8f787bcd8e53fd66d1d83b7dc26adabc218e9eac1dbf776bdf AS base +FROM golang:1.22.3@sha256:b1e05e2c918f52c59d39ce7d5844f73b2f4511f7734add8bb98c9ecdd4443365 AS base WORKDIR /src ENV CGO_ENABLED=0 COPY go.* ./ diff --git a/cron/internal/worker/Dockerfile b/cron/internal/worker/Dockerfile index a38b3d133e4..399684bdb37 100644 --- a/cron/internal/worker/Dockerfile +++ b/cron/internal/worker/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.22.2@sha256:c4fb952e712efd8f787bcd8e53fd66d1d83b7dc26adabc218e9eac1dbf776bdf AS base +FROM golang:1.22.3@sha256:b1e05e2c918f52c59d39ce7d5844f73b2f4511f7734add8bb98c9ecdd4443365 AS base WORKDIR /src ENV CGO_ENABLED=0 COPY go.* ./ From 5a593576588df279179e36fe8bfd22d2c2f21dee Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 May 2024 18:33:13 +0000 Subject: [PATCH 18/26] :seedling: Bump github.com/xanzy/go-gitlab from 0.103.0 to 0.105.0 (#4099) --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 59a1b01a02d..190551723ca 100644 --- a/go.mod +++ b/go.mod @@ -170,7 +170,7 @@ require ( github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/vbatts/tar-split v0.11.5 // indirect - github.com/xanzy/go-gitlab v0.103.0 + github.com/xanzy/go-gitlab v0.105.0 github.com/xanzy/ssh-agent v0.3.3 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect diff --git a/go.sum b/go.sum index 3c546a19c50..15a1a457370 100644 --- a/go.sum +++ b/go.sum @@ -766,8 +766,8 @@ github.com/vdemeester/k8s-pkg-credentialprovider v1.18.1-0.20201019120933-f1d169 github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4= github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI= github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= -github.com/xanzy/go-gitlab v0.103.0 h1:J9pTQoq0GsEFqzd6srCM1QfdfKAxSNz6mT6ntrpNF2w= -github.com/xanzy/go-gitlab v0.103.0/go.mod h1:ETg8tcj4OhrB84UEgeE8dSuV/0h4BBL1uOV/qK0vlyI= +github.com/xanzy/go-gitlab v0.105.0 h1:3nyLq0ESez0crcaM19o5S//SvezOQguuIHZ3wgX64hM= +github.com/xanzy/go-gitlab v0.105.0/go.mod h1:ETg8tcj4OhrB84UEgeE8dSuV/0h4BBL1uOV/qK0vlyI= github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM= github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= From c11d89bfe666eb72c3e83c13b5c82a0c2453589a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 May 2024 19:42:53 +0000 Subject: [PATCH 19/26] :seedling: Bump distroless/base from `29da700` to `e238d40` (#4064) --- Dockerfile | 2 +- clients/githubrepo/roundtripper/tokens/server/Dockerfile | 2 +- cron/internal/bq/Dockerfile | 2 +- cron/internal/cii/Dockerfile | 2 +- cron/internal/controller/Dockerfile | 2 +- cron/internal/webhook/Dockerfile | 2 +- cron/internal/worker/Dockerfile | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index a355497ef7a..d196c1875ea 100644 --- a/Dockerfile +++ b/Dockerfile @@ -24,6 +24,6 @@ ARG TARGETOS ARG TARGETARCH RUN CGO_ENABLED=0 make build-scorecard -FROM gcr.io/distroless/base:nonroot@sha256:29da700a46816467c7cb91058f53eac4170a4a25ac8551d316d9fd38e2c58bdf +FROM gcr.io/distroless/base:nonroot@sha256:53745e95f227cd66e8058d52f64efbbeb6c6af2c193e3c16981137e5083e6a32 COPY --from=build /src/scorecard / ENTRYPOINT [ "/scorecard" ] diff --git a/clients/githubrepo/roundtripper/tokens/server/Dockerfile b/clients/githubrepo/roundtripper/tokens/server/Dockerfile index f33011e9370..51e0fbe3f07 100644 --- a/clients/githubrepo/roundtripper/tokens/server/Dockerfile +++ b/clients/githubrepo/roundtripper/tokens/server/Dockerfile @@ -24,6 +24,6 @@ ARG TARGETOS ARG TARGETARCH RUN CGO_ENABLED=0 make build-github-server -FROM gcr.io/distroless/base:nonroot@sha256:29da700a46816467c7cb91058f53eac4170a4a25ac8551d316d9fd38e2c58bdf +FROM gcr.io/distroless/base:nonroot@sha256:53745e95f227cd66e8058d52f64efbbeb6c6af2c193e3c16981137e5083e6a32 COPY --from=authserver /src/clients/githubrepo/roundtripper/tokens/server/github-auth-server clients/githubrepo/roundtripper/tokens/server/github-auth-server ENTRYPOINT ["clients/githubrepo/roundtripper/tokens/server/github-auth-server"] diff --git a/cron/internal/bq/Dockerfile b/cron/internal/bq/Dockerfile index 2d55e40692b..bae9d92a6c7 100644 --- a/cron/internal/bq/Dockerfile +++ b/cron/internal/bq/Dockerfile @@ -24,6 +24,6 @@ ARG TARGETOS ARG TARGETARCH RUN CGO_ENABLED=0 make build-bq-transfer -FROM gcr.io/distroless/base:nonroot@sha256:29da700a46816467c7cb91058f53eac4170a4a25ac8551d316d9fd38e2c58bdf +FROM gcr.io/distroless/base:nonroot@sha256:53745e95f227cd66e8058d52f64efbbeb6c6af2c193e3c16981137e5083e6a32 COPY --from=transfer /src/cron/internal/bq/data-transfer cron/internal/bq/data-transfer ENTRYPOINT ["cron/internal/bq/data-transfer"] diff --git a/cron/internal/cii/Dockerfile b/cron/internal/cii/Dockerfile index be98c571695..52432e0b8de 100644 --- a/cron/internal/cii/Dockerfile +++ b/cron/internal/cii/Dockerfile @@ -24,6 +24,6 @@ ARG TARGETOS ARG TARGETARCH RUN CGO_ENABLED=0 make build-cii-worker -FROM gcr.io/distroless/base:nonroot@sha256:29da700a46816467c7cb91058f53eac4170a4a25ac8551d316d9fd38e2c58bdf +FROM gcr.io/distroless/base:nonroot@sha256:53745e95f227cd66e8058d52f64efbbeb6c6af2c193e3c16981137e5083e6a32 COPY --from=cii /src/cron/internal/cii/cii-worker cron/internal/cii/cii-worker ENTRYPOINT ["cron/internal/cii/cii-worker"] diff --git a/cron/internal/controller/Dockerfile b/cron/internal/controller/Dockerfile index a611c523b9b..0d0de8fef70 100644 --- a/cron/internal/controller/Dockerfile +++ b/cron/internal/controller/Dockerfile @@ -30,7 +30,7 @@ ARG TARGETOS ARG TARGETARCH RUN CGO_ENABLED=0 make build-controller -FROM gcr.io/distroless/base:nonroot@sha256:29da700a46816467c7cb91058f53eac4170a4a25ac8551d316d9fd38e2c58bdf +FROM gcr.io/distroless/base:nonroot@sha256:53745e95f227cd66e8058d52f64efbbeb6c6af2c193e3c16981137e5083e6a32 COPY ./cron/internal/data/projects*csv cron/internal/data/ COPY ./cron/internal/data/gitlab-projects-releasetest.csv cron/internal/data/ COPY ./cron/internal/data/gitlab-projects.csv cron/internal/data/ diff --git a/cron/internal/webhook/Dockerfile b/cron/internal/webhook/Dockerfile index 2da5d21c6de..db153927cf2 100644 --- a/cron/internal/webhook/Dockerfile +++ b/cron/internal/webhook/Dockerfile @@ -24,6 +24,6 @@ ARG TARGETOS ARG TARGETARCH RUN CGO_ENABLED=0 make build-webhook -FROM gcr.io/distroless/base:nonroot@sha256:29da700a46816467c7cb91058f53eac4170a4a25ac8551d316d9fd38e2c58bdf +FROM gcr.io/distroless/base:nonroot@sha256:53745e95f227cd66e8058d52f64efbbeb6c6af2c193e3c16981137e5083e6a32 COPY --from=webhook /src/cron/internal/webhook/webhook cron/internal/webhook/webhook ENTRYPOINT ["cron/internal/webhook/webhook"] diff --git a/cron/internal/worker/Dockerfile b/cron/internal/worker/Dockerfile index 399684bdb37..67e6f206ae9 100644 --- a/cron/internal/worker/Dockerfile +++ b/cron/internal/worker/Dockerfile @@ -24,6 +24,6 @@ ARG TARGETOS ARG TARGETARCH RUN CGO_ENABLED=0 make build-worker -FROM gcr.io/distroless/base:nonroot@sha256:29da700a46816467c7cb91058f53eac4170a4a25ac8551d316d9fd38e2c58bdf +FROM gcr.io/distroless/base:nonroot@sha256:53745e95f227cd66e8058d52f64efbbeb6c6af2c193e3c16981137e5083e6a32 COPY --from=worker /src/cron/internal/worker/worker cron/internal/worker/worker ENTRYPOINT ["cron/internal/worker/worker"] From db720cc870d16790568185a8967e3648a7889bf7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 May 2024 21:21:27 +0000 Subject: [PATCH 20/26] :seedling: Bump google.golang.org/protobuf from 1.34.0 to 1.34.1 (#4092) --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 190551723ca..a231fbdf00c 100644 --- a/go.mod +++ b/go.mod @@ -32,7 +32,7 @@ require ( golang.org/x/text v0.15.0 golang.org/x/tools v0.20.0 // indirect google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda // indirect - google.golang.org/protobuf v1.34.0 + google.golang.org/protobuf v1.34.1 gopkg.in/yaml.v2 v2.4.0 gopkg.in/yaml.v3 v3.0.1 mvdan.cc/sh/v3 v3.8.0 diff --git a/go.sum b/go.sum index 15a1a457370..ac00bca0f36 100644 --- a/go.sum +++ b/go.sum @@ -1178,8 +1178,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.34.0 h1:Qo/qEd2RZPCf2nKuorzksSknv0d3ERwp1vFG38gSmH4= -google.golang.org/protobuf v1.34.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg= +google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= From 32b59637667c9abb7c4d2ecd9c1293634de2d80f Mon Sep 17 00:00:00 2001 From: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Date: Mon, 13 May 2024 11:59:46 -0400 Subject: [PATCH 21/26] =?UTF-8?q?=20=E2=9A=A0=EF=B8=8F=20Add=20projectclie?= =?UTF-8?q?nt=20to=20cli=20and=20cron,=20update=20runscorecard=20(#4096)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Raghav Kaul --- attestor/command/check.go | 3 ++- checker/check_request.go | 2 ++ checker/client.go | 5 +++++ checker/client_test.go | 27 ++++++++++++++---------- cmd/internal/scdiff/app/runner/runner.go | 6 +++++- cmd/root.go | 3 ++- cmd/serve.go | 4 +++- cron/internal/worker/main.go | 8 +++++-- dependencydiff/dependencydiff.go | 7 +++++- e2e/attestor_policy_test.go | 4 ++-- pkg/scorecard.go | 6 ++++++ pkg/scorecard_e2e_test.go | 8 +++---- pkg/scorecard_test.go | 6 ++++-- 13 files changed, 63 insertions(+), 26 deletions(-) diff --git a/attestor/command/check.go b/attestor/command/check.go index 71650d06264..9b715f14951 100644 --- a/attestor/command/check.go +++ b/attestor/command/check.go @@ -77,7 +77,7 @@ func RunCheckWithParams(repoURL, commitSHA, policyPath string) (policy.PolicyRes } } - repo, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, err := checker.GetClients( + repo, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, projectClient, err := checker.GetClients( ctx, repoURL, "", logger) if err != nil { return policy.Fail, fmt.Errorf("couldn't set up clients: %w", err) @@ -117,6 +117,7 @@ func RunCheckWithParams(repoURL, commitSHA, policyPath string) (policy.PolicyRes ossFuzzRepoClient, ciiClient, vulnsClient, + projectClient, ) if err != nil { return policy.Fail, fmt.Errorf("RunScorecard: %w", err) diff --git a/checker/check_request.go b/checker/check_request.go index b04d4050039..6bd8be59c06 100644 --- a/checker/check_request.go +++ b/checker/check_request.go @@ -18,6 +18,7 @@ import ( "context" "github.com/ossf/scorecard/v5/clients" + "github.com/ossf/scorecard/v5/internal/packageclient" ) // CheckRequest struct encapsulates all data to be passed into a CheckFn. @@ -29,6 +30,7 @@ type CheckRequest struct { Dlogger DetailLogger Repo clients.Repo VulnerabilitiesClient clients.VulnerabilitiesClient + ProjectClient packageclient.ProjectPackageClient // UPGRADEv6: return raw results instead of scores. RawResults *RawResults RequiredTypes []RequestType diff --git a/checker/client.go b/checker/client.go index 22c9aff3cdb..6e1829d7804 100644 --- a/checker/client.go +++ b/checker/client.go @@ -23,6 +23,7 @@ import ( glrepo "github.com/ossf/scorecard/v5/clients/gitlabrepo" "github.com/ossf/scorecard/v5/clients/localdir" "github.com/ossf/scorecard/v5/clients/ossfuzz" + "github.com/ossf/scorecard/v5/internal/packageclient" "github.com/ossf/scorecard/v5/log" ) @@ -34,6 +35,7 @@ func GetClients(ctx context.Context, repoURI, localURI string, logger *log.Logge clients.RepoClient, // ossFuzzClient clients.CIIBestPracticesClient, // ciiClient clients.VulnerabilitiesClient, // vulnClient + packageclient.ProjectPackageClient, // projectClient error, ) { var repo clients.Repo @@ -50,6 +52,7 @@ func GetClients(ctx context.Context, repoURI, localURI string, logger *log.Logge nil, /*ossFuzzClient*/ nil, /*ciiClient*/ clients.DefaultVulnerabilitiesClient(), /*vulnClient*/ + nil, retErr } @@ -68,6 +71,7 @@ func GetClients(ctx context.Context, repoURI, localURI string, logger *log.Logge nil, nil, nil, + packageclient.CreateDepsDevClient(), fmt.Errorf("error making github repo: %w", makeRepoError) } repoClient = ghrepo.CreateGithubRepoClient(ctx, logger) @@ -78,5 +82,6 @@ func GetClients(ctx context.Context, repoURI, localURI string, logger *log.Logge ossfuzz.CreateOSSFuzzClient(ossfuzz.StatusURL), /*ossFuzzClient*/ clients.DefaultCIIBestPracticesClient(), /*ciiClient*/ clients.DefaultVulnerabilitiesClient(), /*vulnClient*/ + packageclient.CreateDepsDevClient(), nil } diff --git a/checker/client_test.go b/checker/client_test.go index 168db20e92a..d4e4e49ef4e 100644 --- a/checker/client_test.go +++ b/checker/client_test.go @@ -20,6 +20,7 @@ import ( "github.com/ossf/scorecard/v5/log" ) +//nolint:gocognit func TestGetClients(t *testing.T) { type args struct { //nolint:govet ctx context.Context @@ -28,16 +29,17 @@ func TestGetClients(t *testing.T) { logger *log.Logger } tests := []struct { //nolint:govet - name string - args args - shouldOSSFuzzBeNil bool - shouldRepoClientBeNil bool - shouldVulnClientBeNil bool - shouldRepoBeNil bool - shouldCIIBeNil bool - wantErr bool - experimental bool - isGhHost bool + name string + args args + shouldOSSFuzzBeNil bool + shouldRepoClientBeNil bool + shouldVulnClientBeNil bool + shouldRepoBeNil bool + shouldCIIBeNil bool + shouldProjectClientBeNil bool + wantErr bool + experimental bool + isGhHost bool }{ { name: "localURI is not empty", @@ -105,7 +107,7 @@ func TestGetClients(t *testing.T) { t.Setenv("GH_HOST", "github.corp.com") t.Setenv("GH_TOKEN", "PAT") } - got, repoClient, ossFuzzClient, ciiClient, vulnsClient, err := GetClients(tt.args.ctx, tt.args.repoURI, tt.args.localURI, tt.args.logger) + got, repoClient, ossFuzzClient, ciiClient, vulnsClient, projectClient, err := GetClients(tt.args.ctx, tt.args.repoURI, tt.args.localURI, tt.args.logger) if (err != nil) != tt.wantErr { t.Fatalf("GetClients() error = %v, wantErr %v", err, tt.wantErr) } @@ -124,6 +126,9 @@ func TestGetClients(t *testing.T) { if vulnsClient != nil && tt.shouldVulnClientBeNil { t.Errorf("GetClients() vulnsClient = %v", vulnsClient) } + if projectClient != nil && tt.shouldProjectClientBeNil { + t.Errorf("GetClients() projectClient = %v", projectClient) + } }) } } diff --git a/cmd/internal/scdiff/app/runner/runner.go b/cmd/internal/scdiff/app/runner/runner.go index 6c8bf3f95eb..644a89fdc6f 100644 --- a/cmd/internal/scdiff/app/runner/runner.go +++ b/cmd/internal/scdiff/app/runner/runner.go @@ -26,6 +26,7 @@ import ( "github.com/ossf/scorecard/v5/clients/gitlabrepo" "github.com/ossf/scorecard/v5/clients/ossfuzz" sce "github.com/ossf/scorecard/v5/errors" + "github.com/ossf/scorecard/v5/internal/packageclient" "github.com/ossf/scorecard/v5/log" "github.com/ossf/scorecard/v5/pkg" ) @@ -45,6 +46,7 @@ type Runner struct { ossFuzz clients.RepoClient cii clients.CIIBestPracticesClient vuln clients.VulnerabilitiesClient + deps packageclient.ProjectPackageClient } // Creates a Runner which will run the listed checks. If no checks are provided, all will run. @@ -79,7 +81,9 @@ func (r *Runner) Run(repoURI string) (pkg.ScorecardResult, error) { if err != nil { return pkg.ScorecardResult{}, err } - return pkg.RunScorecard(r.ctx, repo, commit, commitDepth, r.enabledChecks, repoClient, r.ossFuzz, r.cii, r.vuln) + return pkg.RunScorecard( + r.ctx, repo, commit, commitDepth, r.enabledChecks, repoClient, r.ossFuzz, r.cii, r.vuln, r.deps, + ) } // logs only if logger is set. diff --git a/cmd/root.go b/cmd/root.go index 6314e0a5228..8b01f216274 100644 --- a/cmd/root.go +++ b/cmd/root.go @@ -93,7 +93,7 @@ func rootCmd(o *options.Options) error { ctx := context.Background() logger := sclog.NewLogger(sclog.ParseLevel(o.LogLevel)) - repoURI, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, err := checker.GetClients( + repoURI, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, projectClient, err := checker.GetClients( ctx, o.Repo, o.Local, logger) // MODIFIED if err != nil { return fmt.Errorf("GetClients: %w", err) @@ -142,6 +142,7 @@ func rootCmd(o *options.Options) error { ossFuzzRepoClient, ciiClient, vulnsClient, + projectClient, ) if err != nil { return fmt.Errorf("RunScorecard: %w", err) diff --git a/cmd/serve.go b/cmd/serve.go index 87b2a8e592d..9830fd4600c 100644 --- a/cmd/serve.go +++ b/cmd/serve.go @@ -27,6 +27,7 @@ import ( "github.com/ossf/scorecard/v5/clients" "github.com/ossf/scorecard/v5/clients/githubrepo" "github.com/ossf/scorecard/v5/clients/ossfuzz" + "github.com/ossf/scorecard/v5/internal/packageclient" "github.com/ossf/scorecard/v5/log" "github.com/ossf/scorecard/v5/options" "github.com/ossf/scorecard/v5/pkg" @@ -69,10 +70,11 @@ func serveCmd(o *options.Options) *cobra.Command { } defer ossFuzzRepoClient.Close() ciiClient := clients.DefaultCIIBestPracticesClient() + projectClient := packageclient.CreateDepsDevClient() checksToRun := checks.GetAll() repoResult, err := pkg.RunScorecard( ctx, repo, clients.HeadSHA /*commitSHA*/, o.CommitDepth, checksToRun, repoClient, - ossFuzzRepoClient, ciiClient, vulnsClient) + ossFuzzRepoClient, ciiClient, vulnsClient, projectClient) if err != nil { logger.Error(err, "running enabled scorecard checks on repo") rw.WriteHeader(http.StatusInternalServerError) diff --git a/cron/internal/worker/main.go b/cron/internal/worker/main.go index d71aa4d63f4..8bda9152879 100644 --- a/cron/internal/worker/main.go +++ b/cron/internal/worker/main.go @@ -40,6 +40,7 @@ import ( "github.com/ossf/scorecard/v5/cron/worker" docs "github.com/ossf/scorecard/v5/docs/checks" sce "github.com/ossf/scorecard/v5/errors" + "github.com/ossf/scorecard/v5/internal/packageclient" "github.com/ossf/scorecard/v5/log" "github.com/ossf/scorecard/v5/pkg" "github.com/ossf/scorecard/v5/policy" @@ -89,6 +90,7 @@ type ScorecardWorker struct { ciiClient clients.CIIBestPracticesClient ossFuzzRepoClient clients.RepoClient vulnsClient clients.VulnerabilitiesClient + projectClient packageclient.ProjectPackageClient apiBucketURL string rawBucketURL string blacklistedChecks []string @@ -156,7 +158,8 @@ func (sw *ScorecardWorker) Close() { func (sw *ScorecardWorker) Process(ctx context.Context, req *data.ScorecardBatchRequest, bucketURL string) error { return processRequest(ctx, req, sw.blacklistedChecks, bucketURL, sw.rawBucketURL, sw.apiBucketURL, - sw.checkDocs, sw.githubClient, sw.gitlabClient, sw.ossFuzzRepoClient, sw.ciiClient, sw.vulnsClient, sw.logger) + sw.checkDocs, sw.githubClient, sw.gitlabClient, sw.ossFuzzRepoClient, sw.ciiClient, + sw.vulnsClient, sw.projectClient, sw.logger) } func (sw *ScorecardWorker) PostProcess() { @@ -171,6 +174,7 @@ func processRequest(ctx context.Context, githubClient, gitlabClient clients.RepoClient, ossFuzzRepoClient clients.RepoClient, ciiClient clients.CIIBestPracticesClient, vulnsClient clients.VulnerabilitiesClient, + projectClient packageclient.ProjectPackageClient, logger *log.Logger, ) error { filename := worker.ResultFilename(batchRequest) @@ -210,7 +214,7 @@ func processRequest(ctx context.Context, } result, err := pkg.RunScorecard(ctx, repo, commitSHA, 0, checksToRun, - repoClient, ossFuzzRepoClient, ciiClient, vulnsClient) + repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, projectClient) if errors.Is(err, sce.ErrRepoUnreachable) { // Not accessible repo - continue. continue diff --git a/dependencydiff/dependencydiff.go b/dependencydiff/dependencydiff.go index 99a74739dbf..3eb28f837d9 100644 --- a/dependencydiff/dependencydiff.go +++ b/dependencydiff/dependencydiff.go @@ -24,6 +24,7 @@ import ( "github.com/ossf/scorecard/v5/checks" "github.com/ossf/scorecard/v5/clients" sce "github.com/ossf/scorecard/v5/errors" + "github.com/ossf/scorecard/v5/internal/packageclient" sclog "github.com/ossf/scorecard/v5/log" "github.com/ossf/scorecard/v5/pkg" "github.com/ossf/scorecard/v5/policy" @@ -44,6 +45,7 @@ type dependencydiffContext struct { ossFuzzClient clients.RepoClient vulnsClient clients.VulnerabilitiesClient ciiClient clients.CIIBestPracticesClient + projectClient packageclient.ProjectPackageClient changeTypesToCheck []string checkNamesToRun []string dependencydiffs []dependency @@ -95,7 +97,7 @@ func GetDependencyDiffResults( } func initRepoAndClientByChecks(dCtx *dependencydiffContext, dSrcRepo string) error { - repo, repoClient, ossFuzzClient, ciiClient, vulnsClient, err := checker.GetClients( + repo, repoClient, ossFuzzClient, ciiClient, vulnsClient, projectClient, err := checker.GetClients( dCtx.ctx, dSrcRepo, "", dCtx.logger) if err != nil { return fmt.Errorf("error getting the github repo and clients: %w", err) @@ -115,6 +117,8 @@ func initRepoAndClientByChecks(dCtx *dependencydiffContext, dSrcRepo string) err dCtx.ciiClient = ciiClient case checks.CheckVulnerabilities: dCtx.vulnsClient = vulnsClient + case checks.CheckSignedReleases: + dCtx.projectClient = projectClient } } return nil @@ -171,6 +175,7 @@ func getScorecardCheckResults(dCtx *dependencydiffContext) error { dCtx.ossFuzzClient, dCtx.ciiClient, dCtx.vulnsClient, + dCtx.projectClient, ) // If the run fails, we leave the current dependency scorecard result empty and record the error // rather than letting the entire API return nil since we still expect results for other dependencies. diff --git a/e2e/attestor_policy_test.go b/e2e/attestor_policy_test.go index 6d8e170079c..c3c0f2b16f3 100644 --- a/e2e/attestor_policy_test.go +++ b/e2e/attestor_policy_test.go @@ -242,11 +242,11 @@ func getScorecardResult(repoURL string) (pkg.ScorecardResult, error) { Fn: checks.PinningDependencies, }, } - repo, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, err := checker.GetClients( + repo, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, projectClient, err := checker.GetClients( ctx, repoURL, "", logger) if err != nil { return pkg.ScorecardResult{}, fmt.Errorf("couldn't set up clients: %w", err) } - return pkg.RunScorecard(ctx, repo, clients.HeadSHA, 0, enabledChecks, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient) + return pkg.RunScorecard(ctx, repo, clients.HeadSHA, 0, enabledChecks, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, projectClient) } diff --git a/pkg/scorecard.go b/pkg/scorecard.go index 03640349fff..7989ac6db16 100644 --- a/pkg/scorecard.go +++ b/pkg/scorecard.go @@ -31,6 +31,7 @@ import ( "github.com/ossf/scorecard/v5/config" sce "github.com/ossf/scorecard/v5/errors" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/packageclient" proberegistration "github.com/ossf/scorecard/v5/internal/probes" sclog "github.com/ossf/scorecard/v5/log" "github.com/ossf/scorecard/v5/options" @@ -91,6 +92,7 @@ func runScorecard(ctx context.Context, ossFuzzRepoClient clients.RepoClient, ciiClient clients.CIIBestPracticesClient, vulnsClient clients.VulnerabilitiesClient, + projectClient packageclient.ProjectPackageClient, ) (ScorecardResult, error) { if err := repoClient.InitRepo(repo, commitSHA, commitDepth); err != nil { // No need to call sce.WithMessage() since InitRepo will do that for us. @@ -232,6 +234,7 @@ func RunScorecard(ctx context.Context, ossFuzzRepoClient clients.RepoClient, ciiClient clients.CIIBestPracticesClient, vulnsClient clients.VulnerabilitiesClient, + projectClient packageclient.ProjectPackageClient, ) (ScorecardResult, error) { return runScorecard(ctx, repo, @@ -243,6 +246,7 @@ func RunScorecard(ctx context.Context, ossFuzzRepoClient, ciiClient, vulnsClient, + projectClient, ) } @@ -257,6 +261,7 @@ func ExperimentalRunProbes(ctx context.Context, ossFuzzRepoClient clients.RepoClient, ciiClient clients.CIIBestPracticesClient, vulnsClient clients.VulnerabilitiesClient, + projectClient packageclient.ProjectPackageClient, ) (ScorecardResult, error) { return runScorecard(ctx, repo, @@ -268,5 +273,6 @@ func ExperimentalRunProbes(ctx context.Context, ossFuzzRepoClient, ciiClient, vulnsClient, + projectClient, ) } diff --git a/pkg/scorecard_e2e_test.go b/pkg/scorecard_e2e_test.go index e480e583199..f2357dc94cb 100644 --- a/pkg/scorecard_e2e_test.go +++ b/pkg/scorecard_e2e_test.go @@ -108,20 +108,20 @@ var _ = Describe("E2E TEST: RunScorecard with re-used repoClient", func() { isolatedLogger := sclog.NewLogger(sclog.DebugLevel) lastRepo := repos[len(repos)-1] - repo, rc, ofrc, cc, vc, err := checker.GetClients(ctx, lastRepo, "", isolatedLogger) + repo, rc, ofrc, cc, vc, dc, err := checker.GetClients(ctx, lastRepo, "", isolatedLogger) Expect(err).Should(BeNil()) - isolatedResult, err := RunScorecard(ctx, repo, clients.HeadSHA, 0, allChecks, rc, ofrc, cc, vc) + isolatedResult, err := RunScorecard(ctx, repo, clients.HeadSHA, 0, allChecks, rc, ofrc, cc, vc, dc) Expect(err).Should(BeNil()) logger := sclog.NewLogger(sclog.DebugLevel) - _, rc2, ofrc2, cc2, vc2, err := checker.GetClients(ctx, repos[0], "", logger) + _, rc2, ofrc2, cc2, vc2, dc2, err := checker.GetClients(ctx, repos[0], "", logger) Expect(err).Should(BeNil()) var sharedResult ScorecardResult for i := range repos { repo, err = githubrepo.MakeGithubRepo(repos[i]) Expect(err).Should(BeNil()) - sharedResult, err = RunScorecard(ctx, repo, clients.HeadSHA, 0, allChecks, rc2, ofrc2, cc2, vc2) + sharedResult, err = RunScorecard(ctx, repo, clients.HeadSHA, 0, allChecks, rc2, ofrc2, cc2, vc2, dc2) Expect(err).Should(BeNil()) } diff --git a/pkg/scorecard_test.go b/pkg/scorecard_test.go index 254ea84691c..da3bb651936 100644 --- a/pkg/scorecard_test.go +++ b/pkg/scorecard_test.go @@ -179,7 +179,7 @@ func TestRunScorecard(t *testing.T) { }, nil }) defer ctrl.Finish() - got, err := RunScorecard(context.Background(), repo, tt.args.commitSHA, 0, nil, mockRepoClient, nil, nil, nil) + got, err := RunScorecard(context.Background(), repo, tt.args.commitSHA, 0, nil, mockRepoClient, nil, nil, nil, nil) if (err != nil) != tt.wantErr { t.Errorf("RunScorecard() error = %v, wantErr %v", err, tt.wantErr) return @@ -315,7 +315,9 @@ func TestExperimentalRunProbes(t *testing.T) { mockRepoClient, nil, nil, - nil) + nil, + nil, + ) if (err != nil) != tt.wantErr { t.Errorf("RunScorecard() error = %v, wantErr %v", err, tt.wantErr) return From 6815161e15b9acaec08bc868869894dc906e3252 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 May 2024 20:31:43 +0000 Subject: [PATCH 22/26] :seedling: Bump the github-actions group across 1 directory with 3 updates (#4105) --- .github/workflows/codeql-analysis.yml | 6 +++--- .github/workflows/lint.yml | 2 +- .github/workflows/scorecard-analysis.yml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 56e8db83921..2fae8db892e 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -73,7 +73,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 + uses: github/codeql-action/init@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5 with: languages: ${{ matrix.language }} queries: +security-extended @@ -85,7 +85,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 + uses: github/codeql-action/autobuild@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -99,4 +99,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 + uses: github/codeql-action/analyze@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 65b5b1b2a80..63b510634bd 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -31,7 +31,7 @@ jobs: run: | echo "GOLANGCI_LINT_VERSION=$(cd tools; go list -m -f '{{ .Version }}' github.com/golangci/golangci-lint)" >> "$GITHUB_ENV" - name: golangci-lint - uses: golangci/golangci-lint-action@38e1018663fa5173f3968ea0777460d3de38f256 # v5.3.0 + uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1 with: version: ${{ env.GOLANGCI_LINT_VERSION }} only-new-issues: true diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml index b7d7148559f..19cf246c26a 100644 --- a/.github/workflows/scorecard-analysis.yml +++ b/.github/workflows/scorecard-analysis.yml @@ -27,7 +27,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 with: results_file: results.sarif results_format: sarif @@ -51,6 +51,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3 + uses: github/codeql-action/upload-sarif@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5 with: sarif_file: results.sarif From 840f30c7c3e830d439a285c246b9b8b62b92b1be Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 May 2024 10:36:59 -0700 Subject: [PATCH 23/26] :seedling: Bump goreleaser/goreleaser-action from 5.0.0 to 5.1.0 (#4103) * :seedling: Bump goreleaser/goreleaser-action from 5.0.0 to 5.1.0 Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 5.0.0 to 5.1.0. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](https://github.com/goreleaser/goreleaser-action/compare/7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8...5742e2a039330cbb23ebf35f046f814d4c6ff811) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * fixup version comment Signed-off-by: Spencer Schrock * remove version arg to use default as of v5 of the action, the version is v1 latest. when this switches to v5, the version will be v2 latest. Signed-off-by: Spencer Schrock * use clean instead of deprecated rm-dist Signed-off-by: Spencer Schrock --------- Signed-off-by: dependabot[bot] Signed-off-by: Spencer Schrock Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Spencer Schrock --- .github/workflows/goreleaser.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml index 72b16993101..a3e07663b3a 100644 --- a/.github/workflows/goreleaser.yaml +++ b/.github/workflows/goreleaser.yaml @@ -52,10 +52,9 @@ jobs: run: echo "version_flags=$(./scripts/version-ldflags)" >> "$GITHUB_OUTPUT" - name: Run GoReleaser id: run-goreleaser - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v2.5.0 + uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0 with: - version: latest - args: release --rm-dist + args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VERSION_LDFLAGS: ${{ steps.ldflags.outputs.version_flags }} From 665e9c48e8af02cec6857d18551b88ee814e57e6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 May 2024 17:58:15 +0000 Subject: [PATCH 24/26] :seedling: Bump github.com/google/osv-scanner from 1.7.2 to 1.7.3 (#4101) * :seedling: Bump github.com/google/osv-scanner from 1.7.2 to 1.7.3 Bumps [github.com/google/osv-scanner](https://github.com/google/osv-scanner) from 1.7.2 to 1.7.3. - [Release notes](https://github.com/google/osv-scanner/releases) - [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md) - [Commits](https://github.com/google/osv-scanner/compare/v1.7.2...v1.7.3) --- updated-dependencies: - dependency-name: github.com/google/osv-scanner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * remove toolchain directive and run go mod tidy Signed-off-by: Spencer Schrock --------- Signed-off-by: dependabot[bot] Signed-off-by: Spencer Schrock Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Spencer Schrock --- go.mod | 12 ++++++------ go.sum | 24 ++++++++++++------------ 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/go.mod b/go.mod index a231fbdf00c..41dc8ea50c8 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/ossf/scorecard/v5 -go 1.21.8 +go 1.21.10 require ( cloud.google.com/go/bigquery v1.61.0 @@ -42,7 +42,7 @@ require ( github.com/caarlos0/env/v6 v6.10.0 github.com/gobwas/glob v0.2.3 github.com/google/go-github/v53 v53.2.0 - github.com/google/osv-scanner v1.7.2 + github.com/google/osv-scanner v1.7.3 github.com/mcuadros/go-jsonschema-generator v0.0.0-20200330054847-ba7a369d4303 github.com/onsi/ginkgo/v2 v2.17.2 github.com/otiai10/copy v1.14.0 @@ -56,7 +56,7 @@ require ( cloud.google.com/go/containeranalysis v0.11.5 // indirect cloud.google.com/go/kms v1.15.8 // indirect dario.cat/mergo v1.0.0 // indirect - deps.dev/api/v3 v3.0.0-20240411010756-f6f382da6e02 // indirect + deps.dev/api/v3 v3.0.0-20240503042720-6166138ce783 // indirect github.com/BurntSushi/toml v1.3.2 // indirect github.com/CycloneDX/cyclonedx-go v0.8.0 // indirect github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9 // indirect @@ -84,7 +84,7 @@ require ( github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-retryablehttp v0.7.5 // indirect github.com/ianlancetaylor/demangle v0.0.0-20240312041847-bd984b5ce465 // indirect - github.com/jedib0t/go-pretty/v6 v6.5.8 // indirect + github.com/jedib0t/go-pretty/v6 v6.5.9 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/klauspost/cpuid/v2 v2.2.5 // indirect @@ -109,7 +109,7 @@ require ( go.opentelemetry.io/otel/metric v1.24.0 // indirect go.opentelemetry.io/otel/trace v1.24.0 // indirect golang.org/x/mod v0.17.0 // indirect - golang.org/x/term v0.19.0 // indirect + golang.org/x/term v0.20.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/vuln v1.0.4 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6 // indirect @@ -179,7 +179,7 @@ require ( golang.org/x/net v0.24.0 // indirect golang.org/x/oauth2 v0.20.0 golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.19.0 // indirect + golang.org/x/sys v0.20.0 // indirect golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect google.golang.org/api v0.177.0 // indirect google.golang.org/grpc v1.63.2 // indirect diff --git a/go.sum b/go.sum index ac00bca0f36..eb33dede401 100644 --- a/go.sum +++ b/go.sum @@ -53,8 +53,8 @@ contrib.go.opencensus.io/exporter/stackdriver v0.13.14 h1:zBakwHardp9Jcb8sQHcHpX contrib.go.opencensus.io/exporter/stackdriver v0.13.14/go.mod h1:5pSSGY0Bhuk7waTHuDf4aQ8D2DrhgETRo9fy6k3Xlzc= dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= -deps.dev/api/v3 v3.0.0-20240411010756-f6f382da6e02 h1:ygllcnHZYlhWVYdYjZ9G3RnncTaOT8K7dD8B86IC/OA= -deps.dev/api/v3 v3.0.0-20240411010756-f6f382da6e02/go.mod h1:k3RHZwAw7ijqoXmVDvcO7ikeTwTC4jtmhCDathV+IKE= +deps.dev/api/v3 v3.0.0-20240503042720-6166138ce783 h1:ls9MrAHgWyVrhaRw/xGuFc6/oNUR4VYKGWf2ZCAVsjo= +deps.dev/api/v3 v3.0.0-20240503042720-6166138ce783/go.mod h1:DyBY3wNVqRCwvb4tLvz6LL/FupH3FMflEROyQAv2Vi0= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/Azure/azure-sdk-for-go v35.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v38.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= @@ -272,8 +272,8 @@ github.com/gkampitakis/ciinfo v0.3.0 h1:gWZlOC2+RYYttL0hBqcoQhM7h1qNkVqvRCV1fOvp github.com/gkampitakis/ciinfo v0.3.0/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo= github.com/gkampitakis/go-diff v1.3.2 h1:Qyn0J9XJSDTgnsgHRdz9Zp24RaJeKMUHg2+PDZZdC4M= github.com/gkampitakis/go-diff v1.3.2/go.mod h1:LLgOrpqleQe26cte8s36HTWcTmMEur6OPYerdAAS9tk= -github.com/gkampitakis/go-snaps v0.5.3 h1:2cJnBgHzJhh0Jk5XBIyDYDe1Ylfncoa9r9bVJ5qvOAE= -github.com/gkampitakis/go-snaps v0.5.3/go.mod h1:ZABkO14uCuVxBHAXAfKG+bqNz+aa1bGPAg8jkI0Nk8Y= +github.com/gkampitakis/go-snaps v0.5.4 h1:GX+dkKmVsRenz7SoTbdIEL4KQARZctkMiZ8ZKprRwT8= +github.com/gkampitakis/go-snaps v0.5.4/go.mod h1:ZABkO14uCuVxBHAXAfKG+bqNz+aa1bGPAg8jkI0Nk8Y= github.com/gliderlabs/ssh v0.3.7 h1:iV3Bqi942d9huXnzEF2Mt+CY9gLu8DNM4Obd+8bODRE= github.com/gliderlabs/ssh v0.3.7/go.mod h1:zpHEXBstFnQYtGnB8k8kQLol82umzn/2/snG7alWVD8= github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI= @@ -406,8 +406,8 @@ github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPg github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.3.3 h1:DIhPTQrbPkgs2yJYdXU/eNACCG5DVQjySNRNlflZ9Fc= github.com/google/martian/v3 v3.3.3/go.mod h1:iEPrYcgCF7jA9OtScMFQyAlZZ4YXTKEtJ1E6RWzmBA0= -github.com/google/osv-scanner v1.7.2 h1:Mq7napa+8QKcwpf7IAwtJhISbNFB+lvevKXpeayFv0c= -github.com/google/osv-scanner v1.7.2/go.mod h1:r0WoRNZW7nYX+gr8ff6B6euUZfjIX3iCOOffQf/dn8I= +github.com/google/osv-scanner v1.7.3 h1:zT7g8QkYag0c5a/OmPXmiHuCldj9gWcF4OmcPFFp7oY= +github.com/google/osv-scanner v1.7.3/go.mod h1:uRrd+koUIBfw1fLAG2Zfyql0cz5HGfKB1e2RdGz/fPs= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= @@ -491,8 +491,8 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= -github.com/jedib0t/go-pretty/v6 v6.5.8 h1:8BCzJdSvUbaDuRba4YVh+SKMGcAAKdkcF3SVFbrHAtQ= -github.com/jedib0t/go-pretty/v6 v6.5.8/go.mod h1:zbn98qrYlh95FIhwwsbIip0LYpwSG8SUOScs+v9/t0E= +github.com/jedib0t/go-pretty/v6 v6.5.9 h1:ACteMBRrrmm1gMsXe9PSTOClQ63IXDUt03H5U+UV8OU= +github.com/jedib0t/go-pretty/v6 v6.5.9/go.mod h1:zbn98qrYlh95FIhwwsbIip0LYpwSG8SUOScs+v9/t0E= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik= @@ -1006,8 +1006,8 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= -golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= +golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= @@ -1018,8 +1018,8 @@ golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= -golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q= -golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk= +golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= +golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= From d40ecbacb3b9d866bcf465441c2c1ce826c055e1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 May 2024 19:26:15 +0000 Subject: [PATCH 25/26] :seedling: Bump github.com/onsi/ginkgo/v2 from 2.17.2 to 2.17.3 (#4091) --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 41dc8ea50c8..33a302eb509 100644 --- a/go.mod +++ b/go.mod @@ -44,7 +44,7 @@ require ( github.com/google/go-github/v53 v53.2.0 github.com/google/osv-scanner v1.7.3 github.com/mcuadros/go-jsonschema-generator v0.0.0-20200330054847-ba7a369d4303 - github.com/onsi/ginkgo/v2 v2.17.2 + github.com/onsi/ginkgo/v2 v2.17.3 github.com/otiai10/copy v1.14.0 sigs.k8s.io/release-utils v0.8.1 ) diff --git a/go.sum b/go.sum index eb33dede401..7d9bb2bd640 100644 --- a/go.sum +++ b/go.sum @@ -604,8 +604,8 @@ github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+ github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0HfGg= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.14.2/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= -github.com/onsi/ginkgo/v2 v2.17.2 h1:7eMhcy3GimbsA3hEnVKdw/PQM9XN9krpKVXsZdph0/g= -github.com/onsi/ginkgo/v2 v2.17.2/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= +github.com/onsi/ginkgo/v2 v2.17.3 h1:oJcvKpIb7/8uLpDDtnQuf18xVnwKp8DTD7DQ6gTd/MU= +github.com/onsi/ginkgo/v2 v2.17.3/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= From 6f9a5122963c8a84474c7db3f45f723ceaa767a1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 14 May 2024 19:43:41 +0000 Subject: [PATCH 26/26] :seedling: Bump github.com/rhysd/actionlint from 1.6.27 to 1.7.0 (#4100) --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 33a302eb509..8b5ba869e9a 100644 --- a/go.mod +++ b/go.mod @@ -21,7 +21,7 @@ require ( github.com/moby/buildkit v0.13.2 github.com/olekukonko/tablewriter v0.0.5 github.com/onsi/gomega v1.33.1 - github.com/rhysd/actionlint v1.6.27 + github.com/rhysd/actionlint v1.7.0 github.com/shurcooL/githubv4 v0.0.0-20201206200315-234843c633fa github.com/shurcooL/graphql v0.0.0-20200928012149-18c5c3165e3a github.com/sirupsen/logrus v1.9.3 diff --git a/go.sum b/go.sum index 7d9bb2bd640..f3ead5ffa37 100644 --- a/go.sum +++ b/go.sum @@ -666,8 +666,8 @@ github.com/prometheus/prometheus v0.50.1 h1:N2L+DYrxqPh4WZStU+o1p/gQlBaqFbcLBTjl github.com/prometheus/prometheus v0.50.1/go.mod h1:FvE8dtQ1Ww63IlyKBn1V4s+zMwF9kHkVNkQBR1pM4CU= github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= -github.com/rhysd/actionlint v1.6.27 h1:xxwe8YmveBcC8lydW6GoHMGmB6H/MTqUU60F2p10wjw= -github.com/rhysd/actionlint v1.6.27/go.mod h1:m2nFUjAnOrxCMXuOMz9evYBRCLUsMnKY2IJl/N5umbk= +github.com/rhysd/actionlint v1.7.0 h1:xRSXsT5GGwWTpabqtksigZf27G06VOf7kyEGezYum1w= +github.com/rhysd/actionlint v1.7.0/go.mod h1:Pkvt8R+wpr8LQAAEE2xv9hhdPufPkkAwnh+QFydomqg= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=