Commit
🐛 Add go installs to Pinned-Dependencies score (ossf#3424)
* feat: Add go install to pinned dependencies score

  Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix info logs count

  Considering the new go installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "go installs are all pinned".

  Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix "download then run pinned debug and warn"

  Considering the new go installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests have to weigh 7 scores instead of 6. For "download then run pinned debug and warn", we have a 0 for 2 groups, `dockerDownloadScore` and `scriptScore`. Previously, it scored 4/6 =~ 6, and now it scores 5/7 =~ 7.

  Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix "various warnings"

  Considering the new go installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests have to weigh 7 scores instead of 6. For "various warnings", we have a 0 for 4 groups, `pipScore`, `dockerDownloadScore`, `scriptScore` and `dockerFromScore`. Previously, it scored 2/6 =~ 3, and now it scores 3/7 =~ 4.

  Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix "Validate various warnings and info"

  Considering the new go installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests have to weigh 7 scores instead of 6. For "Validate various warnings and info", we have a 0 for 4 groups, `pipScore`, `dockerDownloadScore`, `scriptScore` and `dockerFromScore`. Previously, it scored 2/6 =~ 3, and now it scores 3/7 =~ 4.

  Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix "ossf-tests/scorecard-check-pinned-dependencies-e2e"

  Considering the new go installs dependencies in Pinned-Dependencies score, there are some changes. The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has third-party GitHub actions pinned, no npm installs, multiple go installs all pinned, and all other dependency types are unpinned. This gives us 8 for actionScore, 10 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 18/6 =~ 3, and now the total score is 28/7 =~ 4. Since all go installs are pinned, there's an additional info log for "go installs are pinned".

  Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Unpinned go install score

  When having one unpinned go install and all other dependencies pinned, the score should be 60/7 =~ 8. Also, it should raise 1 warning for the unpinned go install, 7 infos saying the other dependency types are pinned (2 for GHAs, 2 for dockerfile image and downloads, 1 for script downloads, 1 for pip installs and 1 for npm installs), and 0 debug logs since the go install dependency does not have an error message.

  Signed-off-by: Gabriela Gutierrez <[email protected]>

---------

Signed-off-by: Gabriela Gutierrez <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>