🐛 Add go installs to Pinned-Dependencies score #3424
Commits on Aug 24, 2023
feat: Add go install to pinned dependencies score
Signed-off-by: Gabriela Gutierrez <[email protected]>
Commit 111842a
Considering the new go installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "go installs are all pinned". Signed-off-by: Gabriela Gutierrez <[email protected]>
Commit d751349
test: Fix "download then run pinned debug and warn"
Considering the new go installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests have to weight 7 scores instead of 6. For "download then run pinned debug and warn", we have a 0 for 2 groups, `dockerDownloadScore` and `scriptScore`. Previously, it scored 4/6 =~ 6, and now it scores 5/7 =~ 7. Signed-off-by: Gabriela Gutierrez <[email protected]>
Commit 6557c61
Considering the new go installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests have to weight 7 scores instead of 6. For "various warnings", we have a 0 for 4 groups, `pipScore`, `dockerDownloadScore`, `scriptScore` and `dockerFromScore`. Previously, it scored 2/6 =~ 3, and now it scores 3/7 =~ 4. Signed-off-by: Gabriela Gutierrez <[email protected]>
Commit 1783313
test: Fix "Validate various warnings and info"
Considering the new go installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests have to weight 7 scores instead of 6. For "Validate various warnings and info", we have a 0 for 4 groups, `pipScore`, `dockerDownloadScore`, `scriptScore` and `dockerFromScore`. Previously, it scored 2/6 =~ 3, and now it scores 3/7 =~ 4. Signed-off-by: Gabriela Gutierrez <[email protected]>
Commit b34abdd
test: Fix "ossf-tests/scorecard-check-pinned-dependencies-e2e"
Considering the new go installs dependencies in Pinned-Dependencies score, there are some changes. The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has third-party GitHub actions pinned, no npm installs, multiple go installs all pinned, and all other dependency types are unpinned. This gives us 8 for actionScore, 10 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 18/6 =~ 3, and now the total score is 28/7 =~ 4. Since all go installs are pinned, there's an additional info log for "go installs are pinned". Signed-off-by: Gabriela Gutierrez <[email protected]>
Commit f83a92f
test: Unpinned go install score
When having one unpinned go install and all other dependencies pinned, the score should be 60/7 =~ 8. Also, it should raise 1 warning for the unpinned go install, 7 infos saying the other dependency types are pinned (2 for GHAs, 2 for dockerfile image and downloads, 1 for script downloads, 1 for pip installs and 1 for npm installs), and 0 debug logs since the go install dependency does not have an error message. Signed-off-by: Gabriela Gutierrez <[email protected]>
Commit d9423d0
Commits on Aug 25, 2023
Commit baaf7bb