Update README.md #2

Merged
merged 1 commit into from
Oct 9, 2020

Conversation

kimsterv
Contributor

@kimsterv kimsterv commented Oct 9, 2020

Added a short motivational video

Added a short motivational video
@dlorenc dlorenc merged commit 4240146 into ossf:main Oct 9, 2020
david-a-wheeler added a commit to david-a-wheeler/scorecard that referenced this pull request Sep 16, 2021
Make various improvements to the text on packaging.

* The original text assumes that only software developers install software
  packages, which is absurd; end-users install software packages all
  the time.
* The original text seemed to assume that there are only
  language-level packages, but system-level packages & containers
  are a thing :-). At least acknowledge them.
  Also, this doesn't make sense in some cases
  (e.g., software specific to one website that's updated through commits,
  or IoT software where there are no "packages" - you
  upload the entire image); that should be admitted.
* Fix main text to stop using "you/your" to mean "project developer".
  There are at least two *different* readers: (1) developers of the project
  being measured and (2) potential users of the project being measured.
  Many users of scorecard will be ossf#2; they'll be
  reading scorecard results to decide if they want to use the software
  being measured. So don't say "you" and assume that "you" means
  project developers.  I left "you" meaning "project developers"
  inside remediation, under the assumption that this was remediation
  text for project developers.
  To be fair, *users* of software can also sometimes
  take remediation steps; that might be worth adding as its own
  section if we have text to add there (e.g., `user_remediation`).

I have intentionally not run `make generate-docs` as that would add other
irrelevant changes.  Instead, after this PR is accepted there should be a
`make generate-docs` & a pull of *that*.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
naveensrinivasan pushed a commit that referenced this pull request Sep 17, 2021
* Improve text on Packaging

Make various improvements to the text on packaging.

* The original text assumes that only software developers install software
  packages, which is absurd; end-users install software packages all
  the time.
* The original text seemed to assume that there are only
  language-level packages, but system-level packages & containers
  are a thing :-). At least acknowledge them.
  Also, this doesn't make sense in some cases
  (e.g., software specific to one website that's updated through commits,
  or IoT software where there are no "packages" - you
  upload the entire image); that should be admitted.
* Fix main text to stop using "you/your" to mean "project developer".
  There are at least two *different* readers: (1) developers of the project
  being measured and (2) potential users of the project being measured.
  Many users of scorecard will be #2; they'll be
  reading scorecard results to decide if they want to use the software
  being measured. So don't say "you" and assume that "you" means
  project developers.  I left "you" meaning "project developers"
  inside remediation, under the assumption that this was remediation
  text for project developers.
  To be fair, *users* of software can also sometimes
  take remediation steps; that might be worth adding as its own
  section if we have text to add there (e.g., `user_remediation`).

I have intentionally not run `make generate-docs` as that would add other
irrelevant changes.  Instead, after this PR is accepted there should be a
`make generate-docs` & a pull of *that*.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>

* Add note about filing an issue

Add note about filing an issue if scorecard fails to detect
the packaging mechanism, per review by @naveensrinivasan (thanks!).

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
pnacht pushed a commit to pnacht/scorecard that referenced this pull request Mar 8, 2024
test(dang-workflows-remediation): create initial tests
pnacht added a commit to pnacht/scorecard that referenced this pull request Jun 29, 2024
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
pnacht pushed a commit to pnacht/scorecard that referenced this pull request Jun 29, 2024
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
pnacht pushed a commit to pnacht/scorecard that referenced this pull request Jun 29, 2024
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
pnacht pushed a commit to pnacht/scorecard that referenced this pull request Jun 29, 2024
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
pnacht pushed a commit to pnacht/scorecard that referenced this pull request Jun 29, 2024
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
pnacht pushed a commit to pnacht/scorecard that referenced this pull request Aug 29, 2024
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
pnacht pushed a commit to pnacht/scorecard that referenced this pull request Oct 1, 2024
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
pnacht pushed a commit to pnacht/scorecard that referenced this pull request Oct 1, 2024
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
spencerschrock pushed a commit that referenced this pull request Nov 10, 2024
…4218)

* Merge pull request #1 from joycebrum/feature/setup-environment-for-dw-fix

create environment for patch on DW script injections

Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Merge pull request #3 from joycebrum/feat/connect-patch-generator-with-remediation-output

Include the generated patch in the output

Signed-off-by: Joyce Brum <joycebrum@google.com>
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Merge pull request #2 from joycebrum/test/initial-tests-for-dw-fix

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Merge pull request #4 from joycebrum/feat/get-input-needed-to-generate-patch

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* impl.go: slight refactor to loop

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Add envvars to existing or new env, still not replaced in `run`

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Replace unsafe variables in run commands, generate git diff

Git diff created using hexops/gotextdiff, WHICH IS ARCHIVED.
It is unfortunately the only package I found which could do it.
To be discussed with Scorecard maintainers whether it's worth it.

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Rewrite test file

- Test patchWorkflow instead of GeneratePatch. This avoids the
  complication of comparing diff files; we can instead simply
  compare the output workflow to an expected "fixed" workflow.
- Examples with multiple findings must have separate "fixed"
  workflows for each finding, not a single file which covers
  all findings
- Instead of hard-coding the finding details (snippet, line
  position), run raw.DangerousWorkflow() to get that data
  automatically. This does make these tests a bit more
  "integration-test-like", but makes them substantially easier
  to maintain.

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Rewrite patch/impl.go

- misc refactors
- use go-git to generate diff
- Most functions now return errors instead of bools. This can be
  later used for simpler logging
- Existing environment variables are now detected by parsing the
  files as GH workflows. This is WIP to handle existing envvars
  in our patches.
- Remove instances of C-style for-loops, unnecessarily dangerous!
- Fixed proper detection of existing env, handling blank lines
  and comments.

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Update test workflows

- Fix inconsistencies between original and "fixed" versions
- Store multiple "fixed" workflows for tests with multiple
  findings. Each "fixed" workflow fixes a single finding. The
  files are numbered according to the order in which the
  findings are found by moving down the file.
- allKindsOfUserInput removed. Would require too many "fixed"
  workflows to test. The behavior can be tested more directly.

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Use existing envvars, validate patched workflow

- If an envvar with our name and value already existed but simply
  wasn't used, the patch no longer duplicates it.
- After the patched workflow is created, we validate that it is
  valid. Or, at least did not introduce any syntax errors that
  were not present in the original workflow.

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Test for same injection in same step, leading to duplicate findings

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Use existing envvars with different name but same meaning

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Avoid conflicts with irrelevant but existing envvars

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Use first job's indent to define envvar indent

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Refactor patch/impl_test

- Create helper function `readWorkflow`
- Improved error handling in case of failed workflow validation
- Allow the declaration of duplicate findings (cases where 2+ findings have the same patch)

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* patch/impl: Simplify unsafePatterns, use errors, docs, lint

- Simplify use of unsafePatterns
- Replaced boolean returns with errors, for easier log/debugging
- Improved documentation
- Changes to satisfy linter, adoption of 120-char line limit

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Fix panic in hasScriptInjection test due to missing file

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Avoid duplicate envvars dealing with array variables

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Adopt existing inter-block spacing for new env

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* chore: Tidy up function order, remove unused files

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Define localPath in runScorecard

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Assert valid offset, use TrimSpace, drop unused struct member

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Just use []bytes instead of string

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Use []byte, not string

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* go mod tidy updates

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Ensure valid offset

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Move /patch to /internal/patch

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Document patch behavior and add patch to remediation in def.yml

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Updates from review

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Add patch to finding before adding to list of findings

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

---------

Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
Signed-off-by: Joyce Brum <joycebrum@google.com>
Co-authored-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Co-authored-by: Joyce Brum <joycebrum@google.com>
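The squash-merged commit above describes the core of the dangerous-workflow remediation: expressions such as `${{ github.event.issue.title }}` are moved out of `run:` scripts into environment variables, reusing an existing binding rather than duplicating it. The following is an added illustration of that transformation using only the Go standard library; it is not Scorecard's `internal/patch` code, and the `ISSUE_TITLE`-style naming scheme and the sample step are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// exprRe matches a GitHub Actions expression such as ${{ github.event.issue.title }}.
var exprRe = regexp.MustCompile(`\$\{\{\s*([^}]+?)\s*\}\}`)

// envName derives a variable name from an expression: "github.event.issue.title"
// becomes "ISSUE_TITLE". (Naming scheme assumed for this example only.)
func envName(expr string) string {
	expr = strings.TrimPrefix(expr, "github.event.")
	return strings.ToUpper(strings.NewReplacer(".", "_", "-", "_").Replace(expr))
}

// PatchRun rewrites one run: script. Every github.event.* expression (untrusted,
// attacker-influenced input) is replaced by a shell variable reference and the
// expression is recorded in envs so it can be bound in an env: block. Other
// expressions are left untouched, and a name already present in envs is reused,
// so the same injection appearing twice yields a single env entry.
func PatchRun(script string, envs map[string]string) string {
	return exprRe.ReplaceAllStringFunc(script, func(m string) string {
		expr := strings.TrimSpace(exprRe.FindStringSubmatch(m)[1])
		if !strings.HasPrefix(expr, "github.event.") {
			return m
		}
		name := envName(expr)
		envs[name] = m // the shell now sees data, not code interpolated by the runner
		return "${" + name + "}"
	})
}

// EnvBlock renders the collected bindings as an env: block at the given indent,
// sorted so the generated patch is deterministic.
func EnvBlock(envs map[string]string, indent string) string {
	names := make([]string, 0, len(envs))
	for n := range envs {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	b.WriteString(indent + "env:\n")
	for _, n := range names {
		fmt.Fprintf(&b, "%s  %s: %s\n", indent, n, envs[n])
	}
	return b.String()
}

func main() {
	// Constructed vulnerable step: the issue title is interpolated into the shell twice.
	run := `echo "Title: ${{ github.event.issue.title }}"; echo "${{ github.event.issue.title }}" >> log; echo ${{ runner.os }}`
	envs := map[string]string{}
	fmt.Println(PatchRun(run, envs))
	fmt.Print(EnvBlock(envs, "      "))
}
```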