diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b26072f7bbb..9068436f05e 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -41,3 +41,12 @@ updates:
 rebase-strategy: disabled
 commit-message:
 prefix: ":seedling:"
+ # currently needed to get PRs which actually update multiple directories in a single PR
+ # https://github.com/dependabot/dependabot-core/issues/2178#issuecomment-2109164992
+ groups:
+ golang:
+ patterns:
+ - "golang"
+ distroless:
+ patterns:
+ - "distroless/base"
diff --git a/Dockerfile b/Dockerfile
index dc20aa7ef88..ab1c413c780 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM golang:1.22.4@sha256:969349b8121a56d51c74f4c273ab974c15b3a8ae246a5cffc1df7d28b66cf978 AS base
+FROM golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8 AS base
 WORKDIR /src
 ENV CGO_ENABLED=0
 COPY go.* ./
diff --git a/SECURITY.md b/SECURITY.md
index 65b40899abb..a9c51688734 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,11 +1,60 @@
-# Reporting Security Issues
+# OpenSSF Scorecard Security Policy
-To report a security issue, please email
-[oss-security@googlegroups.com](mailto:oss-security@googlegroups.com)
-with a description of the issue, the steps you took to create the issue,
-affected versions, and, if known, mitigations for the issue.
+This document outlines security procedures and general policies for the
+OpenSSF Scorecard project.
-Our vulnerability management team will respond within 3 working days of your
-email. If the issue is confirmed as a vulnerability, we will open a
-Security Advisory and acknowledge your contributions as part of it. This project
-follows a 90 day disclosure timeline.
+This policy adheres to the [vulnerability management guidance](https://www.linuxfoundation.org/security)
+for Linux Foundation projects.
+
+- [Disclosing a security issue](#disclosing-a-security-issue)
+- [Vulnerability management](#vulnerability-management)
+- [Suggesting changes](#suggesting-changes)
+
+## Disclosing a security issue
+
+The OpenSSF Scorecard maintainers take all security issues in the project
+seriously. Thank you for improving the security of OpenSSF Scorecard. We
+appreciate your dedication to responsible disclosure and will make every effort
+to acknowledge your contributions.
+
+OpenSSF Scorecard leverages GitHub's private vulnerability reporting.
+
+To learn more about this feature and how to submit a vulnerability report,
+review [GitHub's documentation on private reporting](https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability).
+
+Here are some helpful details to include in your report:
+
+- a detailed description of the issue
+- the steps required to reproduce the issue
+- versions of the project that may be affected by the issue
+- if known, any mitigations for the issue
+
+A maintainer will acknowledge the report within three (3) business days, and
+will send a more detailed response within an additional three (3) business days
+indicating the next steps in handling your report.
+
+If you've been unable to successfully draft a vulnerability report via GitHub
+or have not received a response during the alloted response window, please
+reach out via the [OpenSSF security contact email](mailto:security@openssf.org).
+
+After the initial reply to your report, the maintainers will endeavor to keep
+you informed of the progress towards a fix and full announcement, and may ask
+for additional information or guidance.
+
+## Vulnerability management
+
+When the maintainers receive a disclosure report, they will assign it to a
+primary handler.
+
+This person will coordinate the fix and release process, which involves the
+following steps:
+
+- confirming the issue
+- determining affected versions of the project
+- auditing code to find any potential similar problems
+- preparing fixes for all releases under maintenance
+
+## Suggesting changes
+
+If you have suggestions on how this process could be improved please submit an
+issue or pull request.
diff --git a/attestor/Dockerfile b/attestor/Dockerfile
index 45abf3e6513..2157a87d8ac 100644
--- a/attestor/Dockerfile
+++ b/attestor/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM golang:1.22.4@sha256:969349b8121a56d51c74f4c273ab974c15b3a8ae246a5cffc1df7d28b66cf978 AS base
+FROM golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8 AS base
 WORKDIR /src/scorecard
 COPY . ./
diff --git a/clients/githubrepo/roundtripper/tokens/server/Dockerfile b/clients/githubrepo/roundtripper/tokens/server/Dockerfile
index 4593da6c002..e338d4c6495 100644
--- a/clients/githubrepo/roundtripper/tokens/server/Dockerfile
+++ b/clients/githubrepo/roundtripper/tokens/server/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM golang:1.22.4@sha256:969349b8121a56d51c74f4c273ab974c15b3a8ae246a5cffc1df7d28b66cf978 AS base
+FROM golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8 AS base
 WORKDIR /src
 ENV CGO_ENABLED=0
 COPY go.* ./
diff --git a/clients/osv.go b/clients/osv.go
index ef8775f5d3f..76df68a5bd8 100644
--- a/clients/osv.go
+++ b/clients/osv.go
@@ -58,7 +58,8 @@ func (v osvClient) ListUnfixedVulnerabilities(
 Recursive: true,
 GitCommits: gitCommits,
 ExperimentalScannerActions: osvscanner.ExperimentalScannerActions{
- CompareLocally: v.local,
+ CompareOffline: v.local,
+ DownloadDatabases: v.local,
 },
 }, nil)
 // TODO: Do logging?
diff --git a/cmd/internal/scdiff/app/runner/runner.go b/cmd/internal/scdiff/app/runner/runner.go
index 061850b9486..b9e9f288567 100644
--- a/cmd/internal/scdiff/app/runner/runner.go
+++ b/cmd/internal/scdiff/app/runner/runner.go
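Review bot: `CompareOffline` and `DownloadDatabases` are both driven by the single `v.local` flag with nothing explaining why the second is needed, so a reader of osvClient cannot tell whether offline comparison works against a database that is already on disk or always fetches one first. Suggest a comment above `CompareOffline: v.local,` along the lines of `// offline comparison reads the vulnerability databases from disk, so fetch them whenever local mode is requested`. The hunk also does not configure where the scanner stores the downloaded databases, so as far as this change shows it falls back to osv-scanner's own default location; worth confirming that is acceptable (writable, and not shared across unrelated runs) in the environments this client runs in. ListUnfixedVulnerabilities begins and ends outside the hunk.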
@@ -17,36 +17,22 @@ package runner
 import (
 "context"
 "errors"
- "strings"
- "github.com/ossf/scorecard/v5/checker"
- "github.com/ossf/scorecard/v5/checks"
 "github.com/ossf/scorecard/v5/clients"
 "github.com/ossf/scorecard/v5/clients/githubrepo"
 "github.com/ossf/scorecard/v5/clients/gitlabrepo"
- "github.com/ossf/scorecard/v5/clients/ossfuzz"
 sce "github.com/ossf/scorecard/v5/errors"
- "github.com/ossf/scorecard/v5/internal/packageclient"
 "github.com/ossf/scorecard/v5/log"
 "github.com/ossf/scorecard/v5/pkg"
 )
-const (
- commit = clients.HeadSHA
- commitDepth = 0 // default
-)
 // Runner holds the clients and configuration needed to run Scorecard on multiple repos.
 type Runner struct {
 ctx context.Context
- logger *log.Logger
- enabledChecks checker.CheckNameToFnMap
 githubClient clients.RepoClient
 gitlabClient clients.RepoClient
- ossFuzz clients.RepoClient
- cii clients.CIIBestPracticesClient
- vuln clients.VulnerabilitiesClient
- deps packageclient.ProjectPackageClient
+ logger *log.Logger
+ enabledChecks []string
 }
 // Creates a Runner which will run the listed checks. If no checks are provided, all will run.
@@ -62,11 +48,7 @@ func New(enabledChecks []string) Runner {
 logger: logger,
 githubClient: githubrepo.CreateGithubRepoClient(ctx, logger),
 gitlabClient: gitlabClient,
- ossFuzz: ossfuzz.CreateOSSFuzzClient(ossfuzz.StatusURL),
- cii: clients.DefaultCIIBestPracticesClient(),
- vuln: clients.DefaultVulnerabilitiesClient(),
- deps: packageclient.CreateDepsDevClient(),
- enabledChecks: parseChecks(enabledChecks),
+ enabledChecks: enabledChecks,
 }
 }
@@ -82,8 +64,9 @@ func (r *Runner) Run(repoURI string) (pkg.ScorecardResult, error) {
 if err != nil {
 return pkg.ScorecardResult{}, err
 }
- return pkg.RunScorecard(
- r.ctx, repo, commit, commitDepth, r.enabledChecks, repoClient, r.ossFuzz, r.cii, r.vuln, r.deps,
+ return pkg.Run(r.ctx, repo,
+ pkg.WithRepoClient(repoClient),
+ pkg.WithChecks(r.enabledChecks),
 )
 }
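Review bot: The context line `// Creates a Runner which will run the listed checks. If no checks are provided, all will run.` is no longer backed by anything in this file: `enabledChecks: enabledChecks` hands the caller's list straight to `pkg.WithChecks`, while the deleted parseChecks (removed in the hunk on the next line) was what expanded an empty list to checks.GetAll() and matched names with strings.EqualFold. Whether pkg.Run reproduces both the empty-means-all default and the case-insensitive matching is not visible here, and the runner_test hunk drops its `New(nil)` case instead of asserting it, so either confirm the behaviour and record it next to the field, e.g. `enabledChecks: enabledChecks, // pkg.Run expands an empty list to every check`, or change the doc comment to say what an empty list now does. The same question applies to `pkg.WithChecks(r.enabledChecks)` in the third hunk, whose enclosing Run continues outside the hunk.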
@@ -93,20 +76,3 @@ func (r *Runner) log(msg string) {
 r.logger.Info(msg)
 }
 }
-
-func parseChecks(c []string) checker.CheckNameToFnMap {
- all := checks.GetAll()
- if len(c) == 0 {
- return all
- }
-
- ret := checker.CheckNameToFnMap{}
- for _, requested := range c {
- for key, fn := range all {
- if strings.EqualFold(key, requested) {
- ret[key] = fn
- }
- }
- }
- return ret
-}
diff --git a/cmd/internal/scdiff/app/runner/runner_test.go b/cmd/internal/scdiff/app/runner/runner_test.go
index d62036d2159..a82f7ed36a3 100644
--- a/cmd/internal/scdiff/app/runner/runner_test.go
+++ b/cmd/internal/scdiff/app/runner/runner_test.go
@@ -15,23 +15,20 @@ package runner
 import (
+ "context"
 "testing"
 "github.com/golang/mock/gomock"
- "github.com/ossf/scorecard/v5/checker"
 "github.com/ossf/scorecard/v5/clients"
 mockrepo "github.com/ossf/scorecard/v5/clients/mockclients"
+ "github.com/ossf/scorecard/v5/internal/checknames"
 )
 func TestNew(t *testing.T) {
 t.Parallel()
- r := New(nil)
- if len(r.enabledChecks) == 0 {
- t.Errorf("runner has no checks to run: %v", r.enabledChecks)
- }
 requestedChecks := []string{"Code-Review"}
- r = New(requestedChecks)
+ r := New(requestedChecks)
 if len(r.enabledChecks) != len(requestedChecks) {
 t.Errorf("requested %d checks but only got: %v", len(requestedChecks), r.enabledChecks)
 }
@@ -43,11 +40,14 @@ func TestRunner_Run(t *testing.T) {
 mockRepo := mockrepo.NewMockRepoClient(ctrl)
 commit := []clients.Commit{{SHA: "foo"}}
 mockRepo.EXPECT().ListCommits().Return(commit, nil)
+ mockRepo.EXPECT().ListFiles(gomock.Any()).Return(nil, nil)
 mockRepo.EXPECT().InitRepo(gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
 mockRepo.EXPECT().GetDefaultBranchName().Return("main", nil)
 mockRepo.EXPECT().Close().Return(nil)
 r := Runner{
- enabledChecks: checker.CheckNameToFnMap{},
+ ctx: context.Background(),
+ // use a check which works locally, but we declare no files above so no-op
+ enabledChecks: []string{checknames.BinaryArtifacts},
 githubClient: mockRepo,
 }
 const repo = "github.com/foo/bar"
diff --git a/config/config.go b/config/config.go
index 3cbe82b20f0..c9ea7ad1259 100644
--- a/config/config.go
+++ b/config/config.go
@@ -23,6 +23,7 @@ import (
 "gopkg.in/yaml.v3"
 sce "github.com/ossf/scorecard/v5/errors"
+ "github.com/ossf/scorecard/v5/internal/checknames"
 )
 var (
@@ -45,19 +46,19 @@ func parseFile(c *Config, content []byte) error {
 return nil
 }
-func isValidCheck(check string, checks []string) bool {
- for _, validCheck := range checks {
- if strings.EqualFold(check, validCheck) {
+func isValidCheck(check string) bool {
+ for _, c := range checknames.AllValidChecks {
+ if strings.EqualFold(c, check) {
 return true
 }
 }
 return false
 }
-func validate(c Config, checks []string) error {
+func validate(c Config) error {
 for _, annotation := range c.Annotations {
 for _, check := range annotation.Checks {
- if !isValidCheck(check, checks) {
+ if !isValidCheck(check) {
 return fmt.Errorf("%w: %s", errInvalidCheck, check)
 }
 }
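Review bot: `isValidCheck` in the config.go hunk is a hand-rolled membership loop over `checknames.AllValidChecks`; the images in this commit build with Go 1.22, so `return slices.ContainsFunc(checknames.AllValidChecks, func(c string) bool { return strings.EqualFold(c, check) })` says the same in one line, with `"slices"` added to the import block touched in the hunk just above it. That assumes AllValidChecks is a slice, which the range form does not prove (it compiles for a map as well), so check the declaration before switching. Separately, the check name formatted by `fmt.Errorf("%w: %s", errInvalidCheck, check)` comes from a repository's own scorecard.yml, so `%q` would make a blank or whitespace-padded name visible in the error; that line is unchanged here, but validate's signature is being rewritten anyway. validate's body continues outside the hunk.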
@@ -71,7 +72,7 @@ func validate(c Config, checks []string) error {
 }
 // Parse reads the configuration file from the repo, stored in scorecard.yml, and returns a `Config`.
-func Parse(r io.Reader, checks []string) (Config, error) {
+func Parse(r io.Reader) (Config, error) {
 c := Config{}
 // Find scorecard.yml file in the repository's root
 content, err := io.ReadAll(r)
@@ -84,7 +85,7 @@ func Parse(r io.Reader, checks []string) (Config, error) {
 return Config{}, fmt.Errorf("fail to parse configuration file: %w", err)
 }
- err = validate(c, checks)
+ err = validate(c)
 if err != nil {
 return Config{}, fmt.Errorf("configuration file is not valid: %w", err)
 }
diff --git a/config/config_test.go b/config/config_test.go
index a21678071ab..055288088dc 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -12,18 +12,13 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
-// Warning: config cannot import checks. This is why we declare a different package here
-// and import both config and checks to test config.
-package config_test
+package config
 import (
 "os"
 "testing"
 "github.com/google/go-cmp/cmp"
-
- "github.com/ossf/scorecard/v5/checks"
- "github.com/ossf/scorecard/v5/config"
 )
@@ -31,17 +26,17 @@ func Test_Parse_Checks(t *testing.T) {
 tests := []struct {
 name string
 configPath string
- want config.Config
+ want Config
 wantErr bool
 }{
 {
 name: "Annotation on a single check",
 configPath: "testdata/single_check.yml",
- want: config.Config{
- Annotations: []config.Annotation{
+ want: Config{
+ Annotations: []Annotation{
 {
 Checks: []string{"binary-artifacts"},
- Reasons: []config.ReasonGroup{{Reason: "test-data"}},
+ Reasons: []ReasonGroup{{Reason: "test-data"}},
 },
 },
 },
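Review bot: Dropping the `checks` parameter changes the exported signature of `config.Parse`; the import path `github.com/ossf/scorecard/v5/config` carries no internal segment, so any out-of-tree importer stops compiling, which the commit message should state if that is intended. The doc comment on the context line above the signature still describes Parse only as reading scorecard.yml; now that callers cannot influence the accepted check list, add a sentence such as `// Check names in annotations are validated against checknames.AllValidChecks (case-insensitively); an unknown name yields an error wrapping errInvalidCheck.` so the contract is visible without reading validate. Parse's body continues outside the first hunk and the second hunk sits inside it.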
@@ -49,8 +44,8 @@ func Test_Parse_Checks(t *testing.T) {
 {
 name: "Annotation on all checks",
 configPath: "testdata/all_checks.yml",
- want: config.Config{
- Annotations: []config.Annotation{
+ want: Config{
+ Annotations: []Annotation{
 {
 Checks: []string{
 "binary-artifacts",
@@ -72,7 +67,7 @@ func Test_Parse_Checks(t *testing.T) {
 "token-permissions",
 "vulnerabilities",
 },
- Reasons: []config.ReasonGroup{{Reason: "test-data"}},
+ Reasons: []ReasonGroup{{Reason: "test-data"}},
 },
 },
 },
@@ -80,11 +75,11 @@ func Test_Parse_Checks(t *testing.T) {
 {
 name: "Annotating all reasons",
 configPath: "testdata/all_reasons.yml",
- want: config.Config{
- Annotations: []config.Annotation{
+ want: Config{
+ Annotations: []Annotation{
 {
 Checks: []string{"binary-artifacts"},
- Reasons: []config.ReasonGroup{
+ Reasons: []ReasonGroup{
 {Reason: "test-data"},
 {Reason: "remediated"},
 {Reason: "not-applicable"},
@@ -98,15 +93,15 @@ func Test_Parse_Checks(t *testing.T) {
 {
 name: "Multiple annotations",
 configPath: "testdata/multiple_annotations.yml",
- want: config.Config{
- Annotations: []config.Annotation{
+ want: Config{
+ Annotations: []Annotation{
 {
 Checks: []string{"binary-artifacts"},
- Reasons: []config.ReasonGroup{{Reason: "test-data"}},
+ Reasons: []ReasonGroup{{Reason: "test-data"}},
 },
 {
 Checks: []string{"pinned-dependencies"},
- Reasons: []config.ReasonGroup{{Reason: "not-applicable"}},
+ Reasons: []ReasonGroup{{Reason: "not-applicable"}},
 },
 },
 },
@@ -124,17 +119,13 @@ func Test_Parse_Checks(t *testing.T) {
 }
 for _, tt := range tests {
 tt := tt // Re-initializing variable so it is not changed while executing the closure below
- allChecks := []string{}
- for check := range checks.GetAll() {
- allChecks = append(allChecks, check)
- }
 t.Run(tt.name, func(t *testing.T) {
 t.Parallel()
 r, err := os.Open(tt.configPath)
 if err != nil {
 t.Fatalf("Could not open config test file: %s", tt.configPath)
 }
- result, err := config.Parse(r, allChecks)
+ result, err := Parse(r)
 if (err != nil) != tt.wantErr {
 t.Fatalf("Unexpected error during Parse: got %v, wantErr %v", err, tt.wantErr)
 }
diff --git a/cron/internal/bq/Dockerfile b/cron/internal/bq/Dockerfile
index d5d6c0eb694..b3814fe1f77 100644
--- a/cron/internal/bq/Dockerfile
+++ b/cron/internal/bq/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM golang:1.22.4@sha256:969349b8121a56d51c74f4c273ab974c15b3a8ae246a5cffc1df7d28b66cf978 AS base
+FROM golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8 AS base
 WORKDIR /src
 ENV CGO_ENABLED=0
 COPY go.* ./
diff --git a/cron/internal/cii/Dockerfile b/cron/internal/cii/Dockerfile
index 3eaf62299c6..819ea29284c 100644
--- a/cron/internal/cii/Dockerfile
+++ b/cron/internal/cii/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM golang:1.22.4@sha256:969349b8121a56d51c74f4c273ab974c15b3a8ae246a5cffc1df7d28b66cf978 AS base
+FROM golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8 AS base
 WORKDIR /src
 ENV CGO_ENABLED=0
 COPY go.* ./
diff --git a/cron/internal/controller/Dockerfile b/cron/internal/controller/Dockerfile
index b7bd68e2268..8c0b5b95418 100644
--- a/cron/internal/controller/Dockerfile
+++ b/cron/internal/controller/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM golang:1.22.4@sha256:969349b8121a56d51c74f4c273ab974c15b3a8ae246a5cffc1df7d28b66cf978 AS base
+FROM golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8 AS base
 WORKDIR /src
 ENV CGO_ENABLED=0
 COPY go.* ./
diff --git a/cron/internal/data/projects.csv b/cron/internal/data/projects.csv
index 878a2b517e3..9889ade0fca 100755
--- a/cron/internal/data/projects.csv
+++ b/cron/internal/data/projects.csv
@@ -72798,6 +72798,7 @@ github.com/GameTechDev/ISPCTextureCompressor,
 github.com/GameTechDev/MaskedOcclusionCulling,
 github.com/GameTechDev/PresentMon,criticality_score:0.364600
 github.com/GameTechDev/SamplerFeedbackStreaming,
+github.com/GameTechDev/UE4_GPA_Plugin,
 github.com/GameTechDev/VALAR-API,
 github.com/GameTechDev/XeGTAO,
 github.com/GameTechDev/XeSS-VALAR-Demo,
@@ -89150,6 +89151,31 @@ github.com/Intel-bigdata/substrait,
 github.com/Intel-bigdata/substrait-cpp,
 github.com/Intel-bigdata/trino,
 github.com/Intel-bigdata/velox,
+github.com/Intel-tensorflow/DeepSpeech,
+github.com/Intel-tensorflow/SSD.TensorFlow,
+github.com/Intel-tensorflow/Tensorflow-SSD-VGG,
+github.com/Intel-tensorflow/benchmarks,
+github.com/Intel-tensorflow/build,
+github.com/Intel-tensorflow/curl,
+github.com/Intel-tensorflow/darkflow,
+github.com/Intel-tensorflow/docs,
+github.com/Intel-tensorflow/gnn,
+github.com/Intel-tensorflow/inference,
+github.com/Intel-tensorflow/jax,
+github.com/Intel-tensorflow/keras,
+github.com/Intel-tensorflow/magenta,
+github.com/Intel-tensorflow/mkl-dnn,
+github.com/Intel-tensorflow/mlperf-training,
+github.com/Intel-tensorflow/models,
+github.com/Intel-tensorflow/nmt,
+github.com/Intel-tensorflow/runtime,
+github.com/Intel-tensorflow/serving,
+github.com/Intel-tensorflow/tensor2tensor,
+github.com/Intel-tensorflow/tensorflow-wavenet,
+github.com/Intel-tensorflow/tensorpack,
+github.com/Intel-tensorflow/tf-keras,
+github.com/Intel-tensorflow/transformers,
+github.com/Intel-tensorflow/xla,
 github.com/Intel471/prom-stats,
 github.com/IntelAI/aikit-operator,
 github.com/IntelAI/experiments,
@@ -89166,26 +89192,34 @@ github.com/IntelAI/unet,
 github.com/IntelLabs/ALTO,
 github.com/IntelLabs/Auto-Steer,
 github.com/IntelLabs/Branch-Target-Injection-Gadget-Finder,
+github.com/IntelLabs/CLNeRF,
+github.com/IntelLabs/Chisel-cocotb-Examples,
+github.com/IntelLabs/ConfFlow,
+github.com/IntelLabs/ConvAssist,
 github.com/IntelLabs/DNS,
 github.com/IntelLabs/DPR-dataset-generator,
 github.com/IntelLabs/DyNAS-T,
 github.com/IntelLabs/FP8-Emulation-Toolkit,
+github.com/IntelLabs/FloorSet,
 github.com/IntelLabs/GraVi-T,
 github.com/IntelLabs/HDFIT,
 github.com/IntelLabs/HDFIT.NetlistFaultInjector,
 github.com/IntelLabs/HDFIT.ScriptsHPC,
 github.com/IntelLabs/HDFIT.SystolicArray,
+github.com/IntelLabs/HEC-openfhe-development,
 github.com/IntelLabs/Hardware-Aware-Automated-Machine-Learning,
 github.com/IntelLabs/Hybrid-Quantum-Classical-Library,
 github.com/IntelLabs/Incremental-Neural-Videos-with-PyTorch,
 github.com/IntelLabs/IntelLabshub.io,
 github.com/IntelLabs/IntelNeuromorphicDNSChallenge,
+github.com/IntelLabs/IntelQuantumSDK-Docker-Dependencies,
 github.com/IntelLabs/Kernels,
 github.com/IntelLabs/LLMLNCL,
 github.com/IntelLabs/LLSRP,
 github.com/IntelLabs/Latte.py,
 github.com/IntelLabs/MART,
 github.com/IntelLabs/MICSAS,
+github.com/IntelLabs/MMPano,
 github.com/IntelLabs/Model-Compression-Research-Package,
 github.com/IntelLabs/NeuroCounterfactuals,
 github.com/IntelLabs/OSCAR,
@@ -89199,21 +89233,30 @@ github.com/IntelLabs/SAR,
 github.com/IntelLabs/SLIDE_opt_ia,
 github.com/IntelLabs/ScalableVectorSearch,
 github.com/IntelLabs/SpMP,
+github.com/IntelLabs/Synthetic-Radio-Frequency-Data-Generator,
+github.com/IntelLabs/TME-MK-Fine-Grained-Encryption-Integrity,
 github.com/IntelLabs/TSAD-Evaluator,
 github.com/IntelLabs/TinyGarble2.0,
 github.com/IntelLabs/Trans-Omics-Acceleration-Library,
 github.com/IntelLabs/VDMS-Docker-Dependencies,
 github.com/IntelLabs/VL-InterpreT,
+github.com/IntelLabs/VectorSearchDatasets,
 github.com/IntelLabs/Video-Curation-Sample-DEV,
 github.com/IntelLabs/academic-budget-bert,
 github.com/IntelLabs/ais-benchmarks,
+github.com/IntelLabs/approximate-bayesian-inference,
 github.com/IntelLabs/aqtnd,
 github.com/IntelLabs/aspect-extraction,
+github.com/IntelLabs/automated-retraining-framework,
 github.com/IntelLabs/autonomousmavs,
+github.com/IntelLabs/baa-ngp,
 github.com/IntelLabs/bayesian-torch,
+github.com/IntelLabs/c3-edk2,
+github.com/IntelLabs/c3-edk2-platforms,
 github.com/IntelLabs/c3-glibc,
 github.com/IntelLabs/c3-linux,
 github.com/IntelLabs/c3-llvm,
+github.com/IntelLabs/c3-perf-simulator,
 github.com/IntelLabs/c3-simulator,
 github.com/IntelLabs/causality-lab,
 github.com/IntelLabs/chromium-mem-safety,
@@ -89240,19 +89283,29 @@ github.com/IntelLabs/kafl.linux,
 github.com/IntelLabs/kafl.qemu,
 github.com/IntelLabs/kafl.targets,
 github.com/IntelLabs/llvmlite,
+github.com/IntelLabs/lrpc,
+github.com/IntelLabs/lvlm-interpret,
 github.com/IntelLabs/mat2qubit,
 github.com/IntelLabs/matsciml,
 github.com/IntelLabs/mlwins,
 github.com/IntelLabs/multimodal_cognitive_ai,
+github.com/IntelLabs/networkgym,
 github.com/IntelLabs/nlp-architect,criticality_score:0.418680
 github.com/IntelLabs/numba,
 github.com/IntelLabs/open-omics-alphafold,
+github.com/IntelLabs/open-omics-deepvariant,
+github.com/IntelLabs/open-omics-scanpy,
 github.com/IntelLabs/pyzmq,
 github.com/IntelLabs/riscv-dv,
+github.com/IntelLabs/riscv-vector,
+github.com/IntelLabs/scenario_execution,
 github.com/IntelLabs/scipy_proceedings,
+github.com/IntelLabs/simics-plus-rtl,
 github.com/IntelLabs/spic,
 github.com/IntelLabs/supply-chain-attribute-integrity,
 github.com/IntelLabs/t2sp,
+github.com/IntelLabs/token_elimination,
+github.com/IntelLabs/twins-holography,
 github.com/IntelLabs/vdms,
 github.com/IntelLabsEurope/landscaper,
 github.com/IntelPython/BlackScholes_bench,
@@ -89263,6 +89316,7 @@ github.com/IntelPython/Profiling_Guide,
 github.com/IntelPython/bearysta,
 github.com/IntelPython/composability_bench,
 github.com/IntelPython/container-images,
+github.com/IntelPython/devops-tools,
 github.com/IntelPython/dpbench,
 github.com/IntelPython/dpcpp-llvm-spirv,
 github.com/IntelPython/dpctl,
@@ -89270,6 +89324,7 @@ github.com/IntelPython/dpnp,
 github.com/IntelPython/examples,
 github.com/IntelPython/fft_benchmark,
 github.com/IntelPython/ibench,
+github.com/IntelPython/intelpython.github.io,
 github.com/IntelPython/intelpythonhub.io,
 github.com/IntelPython/mkl-service,
 github.com/IntelPython/mkl_fft,
@@ -89278,10 +89333,13 @@ github.com/IntelPython/mkl_umath,
 github.com/IntelPython/numba-dpex,
 github.com/IntelPython/oneAPI-for-SciPy,
 github.com/IntelPython/optimizations_bench,
+github.com/IntelPython/portable-data-parallel-extensions-scipy-2024,
 github.com/IntelPython/sample-data-parallel-extensions,
 github.com/IntelPython/scikit-ipp,
 github.com/IntelPython/scikit-learn_bench,
+github.com/IntelPython/scipy-recipe,
 github.com/IntelPython/sdc,criticality_score:0.411280
+github.com/IntelPython/sharded-array-for-python,
 github.com/IntelPython/smp,
 github.com/IntelPython/source-publish,
 github.com/IntelPython/xgboost_oneapi,
@@ -89298,6 +89356,7 @@ github.com/IntelSTORMteam/Papers,
 github.com/IntelSTORMteam/PastWork,
 github.com/IntelSTORMteam/Patents,
 github.com/IntelSTORMteam/Presentations,
+github.com/IntelSoftware/AI-PC_Notebooks,
 github.com/IntelSoftware/DL-using-oneAPI,
 github.com/IntelSoftware/ForestFirePrediction,
 github.com/IntelSoftware/Intel_oneAPI_MKL_Training,
@@ -89306,6 +89365,9 @@ github.com/IntelSoftware/Jurassic,
 github.com/IntelSoftware/Machine-Learning-using-oneAPI,
 github.com/IntelSoftware/NumPy_Optimizations,
 github.com/IntelSoftware/PyTorch_Optimizations,
+github.com/IntelSoftware/Python-Loop-Replacement-with-NumPy-and-PyTorch,
+github.com/IntelSoftware/SYCL_101,
+github.com/IntelSoftware/sd_ws,
 github.com/Intelecom/smsgw-client-java,num_dependents_deps.dev:0
 github.com/Intelecom/smsgw-client-nodejs,num_dependents_deps.dev:0
 github.com/Intelecom/smsgw-client-python,
@@ -137501,6 +137563,11 @@ github.com/NocturnalCode/rails_assistant,num_dependents_deps.dev:0
 github.com/Noculi/RandomCat-Node,num_dependents_deps.dev:0
 github.com/NoczCore/gulp-append-prepend,num_dependents_deps.dev:0
 github.com/Nodd/lineprofilergui,
+github.com/Node-DC/Node-DC-EIS,
+github.com/Node-DC/Node-DC-EIS-client,
+github.com/Node-DC/Node-DC-EIS-cluster,
+github.com/Node-DC/Node-DC-EIS-microservices,
+github.com/Node-DC/Node-DC-SSR,
 github.com/Node-LabX/lightning-request,num_dependents_deps.dev:0
 github.com/Node-M2M/m2m,
 github.com/Node-Ops/debian-package-installed,num_dependents_deps.dev:0
@@ -139186,6 +139253,22 @@ github.com/OFBDABV/SBTi,
 github.com/OFFLINE-GmbH/postcss-normalize,num_dependents_deps.dev:0
 github.com/OFRBG/CehhCoin-Miner,
 github.com/OFRBG/TsukiBot,
+github.com/OFS/.github,
+github.com/OFS/dfl-feature-id,
+github.com/OFS/examples-afu,
+github.com/OFS/linux-dfl,
+github.com/OFS/linux-dfl-backport,
+github.com/OFS/meta-ofs,
+github.com/OFS/ofs-agx7-pcie-attach,
+github.com/OFS/ofs-d5005,
+github.com/OFS/ofs-f2000x-pl,
+github.com/OFS/ofs-fim-common,
+github.com/OFS/ofs-platform-afu-bbb,
+github.com/OFS/ofs.github.io,
+github.com/OFS/oneapi-asp,
+github.com/OFS/opae-legacy,
+github.com/OFS/opae-sdk,
+github.com/OFS/opae-sim,
 github.com/OFTechLabs/oratio,num_dependents_deps.dev:0
 github.com/OG84/angular-loading-service,num_dependents_deps.dev:0
 github.com/OG84/react-simple-side-effects,num_dependents_deps.dev:0
@@ -139329,6 +139412,10 @@ github.com/OPADA-Eng/nativescript-intermec-printer,num_dependents_deps.dev:0
 github.com/OPADA-Eng/nativescript-sewoo-printer,num_dependents_deps.dev:0
 github.com/OPADA-Eng/nativescript-woosim-printer,
 github.com/OPADA-Eng/nativescript-woosim-printer-i350,num_dependents_deps.dev:0
+github.com/OPAE/.github,
+github.com/OPAE/intel-fpga-bbb,
+github.com/OPAE/meta-opae-fpga,
+github.com/OPAE/opae.github.io,
 github.com/OPALESECURITY/hardsploit-gui,num_dependents_deps.dev:0
 github.com/OPCFoundation/UA-.NETStandard,criticality_score:0.552890
 github.com/OPCUAUniCT/node-opcua-coreaas,num_dependents_deps.dev:0
@@ -141496,6 +141583,7 @@ github.com/OpenIdentityPlatform/OpenAM,num_dependents_deps.dev:22917
 github.com/OpenIdentityPlatform/OpenDJ,num_dependents_deps.dev:8032
 github.com/OpenIdentityPlatform/OpenIG,num_dependents_deps.dev:36
 github.com/OpenIdentityPlatform/commons,num_dependents_deps.dev:32604
+github.com/OpenImageDenoise/OpenImageDenoise.github.io,
 github.com/OpenImageDenoise/OpenImageDenoisehub.io,
 github.com/OpenImageDenoise/mkl-dnn,
 github.com/OpenImageDenoise/oidn,
@@ -141660,6 +141748,7 @@ github.com/OpenPIV/openpiv_tk_gui,
 github.com/OpenPOWERFoundation/rst2db-opf,
 github.com/OpenPTV/postptv,
 github.com/OpenPaaS-Suite/jmap-client-ts,num_dependents_deps.dev:0
+github.com/OpenPathGuidingLibrary/openpgl.github.io,
 github.com/OpenPaymentPlatform/python,
 github.com/OpenPeeDeeP/depguard,
 github.com/OpenPeerPower/OPP-ui,
@@ -141924,9 +142013,11 @@ github.com/OpenVisualCloud/Cloud-Gaming-Windows-Sample,
 github.com/OpenVisualCloud/Dockerfiles,
 github.com/OpenVisualCloud/Dockerfiles-Resources,
 github.com/OpenVisualCloud/Immersive-Video-Sample,
+github.com/OpenVisualCloud/Media-Communications-Mesh,
 github.com/OpenVisualCloud/Media-Processing-Library.Training,
 github.com/OpenVisualCloud/Media-Transport-Library,
 github.com/OpenVisualCloud/SVT-HEVC,criticality_score:0.455960
+github.com/OpenVisualCloud/SVT-JPEG-XS,
 github.com/OpenVisualCloud/SVT-VP9,
 github.com/OpenVisualCloud/Smart-City-Sample,
 github.com/OpenVisualCloud/VCAC-SW-Analytics,
@@ -158202,6 +158293,15 @@ github.com/Renddslow/verify-changelog,num_dependents_deps.dev:0
 github.com/Rende11/gen-diff,
 github.com/Rende11/js_l1_brain_games-s12,num_dependents_deps.dev:0
 github.com/Rende11/page-loader,num_dependents_deps.dev:0
+github.com/RenderKit/embree,
+github.com/RenderKit/mkl-dnn,
+github.com/RenderKit/oidn,
+github.com/RenderKit/oidn-weights,
+github.com/RenderKit/openpgl,
+github.com/RenderKit/openvkl,
+github.com/RenderKit/ospray,
+github.com/RenderKit/ospray-studio,
+github.com/RenderKit/superbuild,
 github.com/RenderMelon/npx-card,num_dependents_deps.dev:0
 github.com/Renderz/dva-plugin-common,num_dependents_deps.dev:0
 github.com/Renderz/requex,num_dependents_deps.dev:0
@@ -195081,6 +195181,7 @@ github.com/VBots/CMenu,num_dependents_deps.dev:0
 github.com/VBots/session-storage,
 github.com/VC-Team/cz-emoji,num_dependents_deps.dev:0
 github.com/VCBE123/excelop,
+github.com/VCDP/BRC_Based_On_RL,
 github.com/VCDP/CDN,
 github.com/VCDP/FFmpeg-VPL,
 github.com/VCDP/MediaSDK,
@@ -363835,7 +363936,9 @@ github.com/chipsalliance/tree-sitter-firrtl,num_dependents_deps.dev:0
 github.com/chipsalliance/verible,Google
 github.com/chipsalliance/yosys-f4pga-plugins,
 github.com/chipscoco/OceanMonkey,
+github.com/chipsec/ChipsecExperimental,
 github.com/chipsec/chipsec,criticality_score:0.479850
+github.com/chipsec/chipsec.github.io,
 github.com/chipsenkbeil/distant,num_dependents_deps.dev:0
 github.com/chipsenkbeil/entity-rs,num_dependents_deps.dev:15
 github.com/chipsenkbeil/memtable-rs,num_dependents_deps.dev:0
@@ -418568,6 +418671,8 @@ github.com/daorithos/ngx-material-keyboard-core,num_dependents_deps.dev:0
 github.com/daos-stack/HiBench,
 github.com/daos-stack/HiBench-1,
 github.com/daos-stack/MACSio,
+github.com/daos-stack/action-import-commit-pragmas,
+github.com/daos-stack/actions-template,
 github.com/daos-stack/ansible-collection-daos,
 github.com/daos-stack/argobots,
 github.com/daos-stack/bullseye,
@@ -418577,7 +418682,10 @@ github.com/daos-stack/daos-reproducibility,
 github.com/daos-stack/daos_scaled_testing,
 github.com/daos-stack/dpdk,
 github.com/daos-stack/dtcmp,
+github.com/daos-stack/fio,
 github.com/daos-stack/fuse,
+github.com/daos-stack/fuse3,
+github.com/daos-stack/fused,
 github.com/daos-stack/go-build-toolchain,
 github.com/daos-stack/google-cloud-daos,
 github.com/daos-stack/hdf5,
@@ -418614,6 +418722,7 @@ github.com/daos-stack/terraform-ibm-daos,
 github.com/daos-stack/testmpio,
 github.com/daos-stack/tools,
 github.com/daos-stack/trusted-pipeline-lib,
+github.com/daos-stack/update-pipeline-lib-action,
 github.com/daoshengfu/aries_cli,num_dependents_deps.dev:0
 github.com/daosro/eslint-config,num_dependents_deps.dev:0
 github.com/daostack/Alchemy-Aurelia,num_dependents_deps.dev:0
@@ -450767,6 +450876,7 @@ github.com/dlsteve/unifi-certbot,num_dependents_deps.dev:0
 github.com/dlstjq7685/gobot,num_dependents_deps.dev:0
 github.com/dlstonedl/graphql-spring-template,num_dependents_deps.dev:0
 github.com/dlstreamer/dlstreamer,
+github.com/dlstreamer/dlstreamer.github.io,
 github.com/dlstreamer/dlstreamerhub.io,
 github.com/dlstreamer/pipeline-zoo,
 github.com/dlstreamer/pipeline-zoo-media,
@@ -485643,6 +485753,7 @@ github.com/embray/d2to1,
 github.com/embray/gappy,
 github.com/embray/tracext-redispub,
 github.com/embree/embree,criticality_score:0.587220
+github.com/embree/embree.github.com,
 github.com/embree/embreehub.com,
 github.com/embree/models,
 github.com/embroidepy/vpype-embroidery,
@@ -547157,6 +547268,7 @@ github.com/geopipes/opl-stream,num_dependents_deps.dev:0
 github.com/geopipes/osmium-stream,num_dependents_deps.dev:2
 github.com/geopipes/shapefile-stream,num_dependents_deps.dev:8
 github.com/geopm/geopm,
+github.com/geopm/geopm.github.io,
 github.com/geopm/geopmhub.io,
 github.com/geopm/level-one,
 github.com/geopopos/d7leadfinderapi,
@@ -630097,6 +630209,7 @@ github.com/intek-training-jsc/sprite-sheet-kyquanlx,
 github.com/intek-training-jsc/sprite-sheet-nqcuong96,
 github.com/intek-training-jsc/sprite-sheet-nvqMinh29101992,
 github.com/intek-training-jsc/sprite-sheet-tcthai,
+github.com/intel-VTG/linux,
 github.com/intel-aero/device-androidia-mixins,
 github.com/intel-ai/benchmarks_tutorials,
 github.com/intel-ai/dswks-benchmark,
@@ -630110,18 +630223,30 @@ github.com/intel-ai/timedf_benchmark_census,
 github.com/intel-analytics/Alphafold2,
 github.com/intel-analytics/BDT-Mt-Whitney,
 github.com/intel-analytics/BigDL,criticality_score:0.433460
+github.com/intel-analytics/BigDL-2.x,
 github.com/intel-analytics/BigDL-PPML-Azure-Occlum-Example,
 github.com/intel-analytics/BigDL-core,
 github.com/intel-analytics/Chronos-Smart-Green,
 github.com/intel-analytics/Chronos-workshop,
+github.com/intel-analytics/FastChat,
 github.com/intel-analytics/InformationExtraction,num_dependents_deps.dev:0
+github.com/intel-analytics/Langchain-Chatchat,
 github.com/intel-analytics/analytics-zoo,"criticality_score:0.499850,num_dependents_deps.dev:0"
 github.com/intel-analytics/bigdl-llm-demo,
 github.com/intel-analytics/client-stable-diffusion,
+github.com/intel-analytics/continue,
+github.com/intel-analytics/dify-docs,
 github.com/intel-analytics/friesian,
+github.com/intel-analytics/ipex-llm,
+github.com/intel-analytics/ipex-llm-tutorial,
+github.com/intel-analytics/langchain,
+github.com/intel-analytics/llama_index,
 github.com/intel-analytics/llm-chatbot,
 github.com/intel-analytics/nuc-ai,
+github.com/intel-analytics/openwebui-docs,
 github.com/intel-analytics/patch_cuda_example,
+github.com/intel-analytics/private-gpt,
+github.com/intel-analytics/text-generation-webui,
 github.com/intel-analytics/zoo-tutorials,
 github.com/intel-cloud/cosbench,criticality_score:0.355400
 github.com/intel-corp/bond-cni,num_dependents_deps.dev:0
@@ -630171,6 +630296,7 @@ github.com/intel-hpdd/stub-daddy,num_dependents_deps.dev:0
 github.com/intel-hpdd/view-server,num_dependents_deps.dev:0
 github.com/intel-hpdd/xml-2-json,num_dependents_deps.dev:0
 github.com/intel-iot-devkit/concurrent-video-analytic-pipeline-optimization-sample-l,
+github.com/intel-iot-devkit/developer-toolbox-telemetry-sample,
 github.com/intel-iot-devkit/meta-iot-cloud,
 github.com/intel-iot-devkit/mraa,num_dependents_deps.dev:25
 github.com/intel-iot-devkit/node-red-contrib-upm,
@@ -630185,6 +630311,15 @@ github.com/intel-isl/Open3D,criticality_score:0.582270
 github.com/intel-isl/Open3D-ML,criticality_score:0.344510
 github.com/intel-isl/OpenBot,criticality_score:0.408350
 github.com/intel-nrc-ecosystem/models,
+github.com/intel-retail/automated-self-checkout,
+github.com/intel-retail/automated-vending,
+github.com/intel-retail/core-services,
+github.com/intel-retail/documentation,
+github.com/intel-retail/performance-tools,
+github.com/intel-retail/retail-use-cases,
+github.com/intel-retail/rtsf-at-checkout-reference-design,
+github.com/intel-retail/software-vsync-modulation-sample,
+github.com/intel-secl/.github,
 github.com/intel-secl/build-manifest,
 github.com/intel-secl/clients,
 github.com/intel-secl/common,
@@ -630204,19 +630339,34 @@ github.com/intel-staging/Speedometer,
 github.com/intel-staging/acl2,
 github.com/intel-staging/cassandra,
 github.com/intel-staging/cve-bin-tool,
+github.com/intel-staging/dxvk,
+github.com/intel-staging/evaluate,
 github.com/intel-staging/keylocker,
+github.com/intel-staging/libptpmgmt_iaclocklib,
 github.com/intel-staging/linux-coiommu,
+github.com/intel-staging/linux-ptp_iaclocklib,
 github.com/intel-staging/linux-usi-bpf,
+github.com/intel-staging/microcode,
+github.com/intel-staging/oneAPI-samples,
 github.com/intel-staging/ort,
 github.com/intel-staging/pKVM-IA,
+github.com/intel-staging/pgvector,
+github.com/intel-staging/presto,
 github.com/intel-staging/qemu-coiommu,
+github.com/intel-staging/qemu-tdx,
 github.com/intel-staging/spack,
 github.com/intel-staging/spack-configs,
 github.com/intel-staging/speedb,
+github.com/intel-staging/td-partitioning-svsm,
+github.com/intel-staging/torch-mlir,
+github.com/intel-staging/tpp-mlir,
+github.com/intel-staging/triton,
 github.com/intel-tensorflow/tensorflow,num_dependents_deps.dev:0
 github.com/intel-tools/celadon-documentation,
 github.com/intel-tools/clear-linux-documentation,
 github.com/intel-tools/diomon,
+github.com/intel-tools/srs,
+github.com/intel/.allstar,
 github.com/intel/.github,
 github.com/intel/10-bit-per-color-demo,
 github.com/intel/3rd-party-codes-for-qat-crypto-base-external-release,
@@ -630224,6 +630374,7 @@ github.com/intel/ACON,
 github.com/intel/AI-Hackathon,
 github.com/intel/AMX-TMUL-Code-Samples,
 github.com/intel/ARM_NEON_2_x86_SSE,criticality_score:0.307220
+github.com/intel/AccessibilityPlaybook,
 github.com/intel/AiCSD,
 github.com/intel/BCT,
 github.com/intel/BDTK,
@@ -630232,6 +630383,7 @@ github.com/intel/BigDL-Privacy-Preserving-Machine-Learning-Toolkit,
 github.com/intel/BigDL-Recommender-System-Toolkit,
 github.com/intel/BigDL-Time-Series-Toolkit,
 github.com/intel/Board-Instrumentation-Framework,
+github.com/intel/Bootcamp-Materials,
 github.com/intel/CacheLib,
 github.com/intel/CommsPowerManagement,
 github.com/intel/DML,
@@ -630241,15 +630393,22 @@ github.com/intel/DevCloudContent-git,
 github.com/intel/DevCloudContent-helm,
 github.com/intel/Display-Virtualization-for-Windows-OS,
 github.com/intel/Edge-Software-Provisioner,
+github.com/intel/Edk2Code,
 github.com/intel/FPGA-Devcloud,
 github.com/intel/FSP,
+github.com/intel/FdtBusPkg,
 github.com/intel/FlexRAN,
+github.com/intel/FlexRAN-FEC-SDK-Modules,
 github.com/intel/GPGMM,
+github.com/intel/GrapheneSGX-Golang-Support-and-Enhancement,
+github.com/intel/HBFA-FL,
 github.com/intel/IA-Hardware-Composer,
 github.com/intel/INTEL-SA-00086-Linux-Recovery-Tools,
 github.com/intel/ISALgo,
 github.com/intel/Igvtg-qemu,
 github.com/intel/Intel-Distribution-of-Weston,
+github.com/intel/Intel-ECI-ExCat-Ansible,
+github.com/intel/Intel-ECI-ExCat-K8s,
 github.com/intel/Intel-Edge-AI-Performance-Evaluation-Toolkit,
 github.com/intel/Intel-Linux-Processor-Microcode-Data-Files,criticality_score:0.390980
 github.com/intel/Intel-NLP-workflow-for-Azure-ML,
@@ -630265,10 +630424,12 @@ github.com/intel/Intel-Unite-Tool-Plugin-Test-App,
 github.com/intel/Intel-Vector-Data-Streaming-Library,
 github.com/intel/Intel-Video-Transcode-Acceleration-Library-ffmpeg,
 github.com/intel/Intel-Video-Transcode-Acceleration-Library-x264,
+github.com/intel/Intel-affected-processor-list,
 github.com/intel/IntelSEAPI,Google
 github.com/intel/MTMC-Temporal-Profiler,
 github.com/intel/MigTD,
 github.com/intel/Multi-channel-Video-Fusion-Reference-Implementation,
+github.com/intel/Multi-llms-Chatbot-CloudNative-LangChain,
 github.com/intel/MultiArchUefiPkg,
 github.com/intel/NLP-Workflow-with-AWS,
 github.com/intel/OpenVINO-optimization-for-PointPillars,
@@ -630280,36 +630441,55 @@ github.com/intel/QAT-ZSTD-Plugin,
 github.com/intel/QAT_Engine,
 github.com/intel/QATzip,
 github.com/intel/RAAD,
+github.com/intel/RealTimePathTracingResearchFramework,
 github.com/intel/RetailWorkloadOrchestrator,num_dependents_deps.dev:0
 github.com/intel/S0ixSelftestTool,
 github.com/intel/SDM-Processor-Topology-Enumeration,
+github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary,
+github.com/intel/SGX-TDX-DCAP-QuoteVerificationService,
 github.com/intel/SGXDataCenterAttestationPrimitives,Google
 github.com/intel/ScaffoldingForGramine,
 github.com/intel/Scan-At-Field-CLI,
+github.com/intel/Self-governedRemoteAttestationScheme,
+github.com/intel/Speech-to-Text-Analytics-System,
+github.com/intel/TVP,
 github.com/intel/Training-and-Learning-Suite,
 github.com/intel/UFT,
 github.com/intel/Unite,
 github.com/intel/Updates-for-OSS-Performance,
+github.com/intel/X86S,
 github.com/intel/acat,
 github.com/intel/accelerator-solution-zoo,
+github.com/intel/acrn-riscv,
 github.com/intel/ad-rss-lib,
 github.com/intel/adq-k8s-plugins,
+github.com/intel/aer-inject,
 github.com/intel/afxdp-plugins-for-kubernetes,
+github.com/intel/ai,
 github.com/intel/ai-containers,
 github.com/intel/ai-data-tools,
+github.com/intel/ai-innovation-bridge,
 github.com/intel/ai-reference-models,
+github.com/intel/ai-visual-inference-samples,
 github.com/intel/ai-workflows,
 github.com/intel/aikit,
+github.com/intel/aikit-operator,
+github.com/intel/aipc-devkit-install,
 github.com/intel/aji_openocd,
 github.com/intel/amber-cli,
 github.com/intel/amber-client,
 github.com/intel/amber-docs,
 github.com/intel/amx-linux,
+github.com/intel/ansible-intel-aws-mysql,
+github.com/intel/ansible-intel-aws-vm,
+github.com/intel/ansible-intel-azure-linux-vm,
+github.com/intel/ansible-intel-gcp-vm,
 github.com/intel/applications-iot-rfid-sensor-controller,
 github.com/intel/asynch_mode_nginx,
 github.com/intel/aubstream,
 github.com/intel/auto-feature-engineering,
 github.com/intel/auto-pts,
+github.com/intel/auto-round,
 github.com/intel/backport-iwlwifi,
 github.com/intel/bmap-tools,
 github.com/intel/bond-cni,num_dependents_deps.dev:0
@@ -630321,8 +630501,12 @@ github.com/intel/cassian,
 github.com/intel/ccc-linux-guest-hardening,
 github.com/intel/ccc-linux-guest-hardening-docs,
 github.com/intel/celadon-applications,
+github.com/intel/certified-developer,
+github.com/intel/cicd-repo-infrastructure,
 github.com/intel/cloud-client-ai-service-framework,
 github.com/intel/cloud-native-ai-pipeline,
+github.com/intel/cloud-resource-scheduling-and-isolation,
+github.com/intel/cloud-streaming,
 github.com/intel/cluster-management-toolkit,
 github.com/intel/cm-compiler,
 github.com/intel/cm-cpu-emulation,
@@ -630333,6 +630517,7 @@ github.com/intel/compute-benchmarks,
 github.com/intel/compute-runtime,criticality_score:0.647160
 github.com/intel/compute-samples,
 github.com/intel/confidential-cloud-native-primitives,
+github.com/intel/confidential-computing-demos,
 github.com/intel/confidential-computing-zoo,
 github.com/intel/confidential-containers,
 github.com/intel/config-builder,
@@ -630341,6 +630526,9 @@ github.com/intel/configurable-applications-helm,
 github.com/intel/container-experience-kits,
 github.com/intel/content-hub,
 github.com/intel/conversational-ai-chatbot,
+github.com/intel/cpp-baremetal-concurrency,
+github.com/intel/cpp-baremetal-senders-and-receivers,
+github.com/intel/cpp-std-extensions,
 github.com/intel/cpu-control-plane-plugin-for-kubernetes,
 github.com/intel/credit-card-fraud-detection,
 github.com/intel/cri-resource-manager,num_dependents_deps.dev:1
@@ -630348,6 +630536,7 @@ github.com/intel/crypto-api-toolkit,
 github.com/intel/cv-training-and-inference-openvino,
 github.com/intel/cve-bin-tool,
 github.com/intel/cve-bin-tool-action,
+github.com/intel/cxlstresstester,
 github.com/intel/daal,num_dependents_deps.dev:0
 github.com/intel/data-center-gpu-utilities-for-vmware-tanzu,
 github.com/intel/ddp-tool,
@@ -630367,6 +630556,7 @@ github.com/intel/document-automation,
 github.com/intel/document-level-sentiment-analysis,
 github.com/intel/double-batched-fft-library,
 github.com/intel/dptf,
+github.com/intel/dream-textures-openvino,
 github.com/intel/drivers.gpu.control-library,
 github.com/intel/dsa-perf-micros,
 github.com/intel/e2eAIOK,
@@ -630374,14 +630564,17 @@ github.com/intel/ecfw-zephyr,
 github.com/intel/edge-ai-collectd,
 github.com/intel/edge-ai-device-plugin,num_dependents_deps.dev:0
 github.com/intel/edge-ai-resource-oriented-scheduler,num_dependents_deps.dev:0
+github.com/intel/edge-developer-kit-reference-scripts,
 github.com/intel/edge-insights-vision,
 github.com/intel/edge-to-azure-bridge,
 github.com/intel/edge-video-analytics-microservice,
 github.com/intel/efiwrapper,
+github.com/intel/ehl-pse-fw,
 github.com/intel/ehsm,
 github.com/intel/endurance_profiler,
 github.com/intel/envoy,
 github.com/intel/envoy-go-control-plane,
+github.com/intel/esate_blog_sgx,
 github.com/intel/esp-profile-centos,
 github.com/intel/esp-profile-clearlinux,
 github.com/intel/esp-profile-redhat,
@@ -630390,10 +630583,23 @@ github.com/intel/esp-profile-windows,
 github.com/intel/eth-fast-fabric,
 github.com/intel/eth-mpi-apps,
 github.com/intel/eth-psm3-fi,
+github.com/intel/ethernet-linux,
+github.com/intel/ethernet-linux-i40e,
+github.com/intel/ethernet-linux-iavf,
+github.com/intel/ethernet-linux-ice,
+github.com/intel/ethernet-linux-idpf,
+github.com/intel/ethernet-linux-igb,
+github.com/intel/ethernet-linux-ixgbe,
+github.com/intel/ethernet-linux-ixgbevf,
 github.com/intel/event-converter-for-linux-perf,Google
 github.com/intel/fMBT,
 github.com/intel/fakedev-exporter,
+github.com/intel/fastgo,
+github.com/intel/fineibt_glibc,
 github.com/intel/fineibt_llvm,
+github.com/intel/fineibt_testing,
+github.com/intel/fineibt_tests,
+github.com/intel/fineibt_tools,
 github.com/intel/fiovisualizer,
 github.com/intel/firmware-update-abstraction-layer,
 github.com/intel/fl-tutorial,
@@ -630403,13 +630609,16 @@ github.com/intel/flow-planner,
 github.com/intel/forGoParallel,
 github.com/intel/forGraphBLASGo,
 github.com/intel/forLAGraphGo,
+github.com/intel/fpga-examples,
 github.com/intel/fpga-npu,
 github.com/intel/fpga-partial-reconfig,
 github.com/intel/fpga-runtime-for-opencl,
 github.com/intel/fpga-training,
 github.com/intel/fpga_ip_lvds_video,
+github.com/intel/framework-ai-platform-edge-dgpu,
 github.com/intel/gardener-extension-cri-resmgr,
 github.com/intel/gdb,
+github.com/intel/generic-register-operation-optimizer,
 github.com/intel/generic-sensor-demos,
 github.com/intel/gits,
 github.com/intel/gmmlib,
@@ -630417,6 +630626,8 @@ github.com/intel/gna,
 github.com/intel/go-runtime-optimizations,
 github.com/intel/goresctrl,num_dependents_deps.dev:37
 github.com/intel/gpasdk-doc,
+github.com/intel/graph-compiler,
+github.com/intel/graph-compiler-playground,
 github.com/intel/graph-neural-networks-and-analytics,
 github.com/intel/grub-tdx,
 github.com/intel/gst-osd,
@@ -630459,8 +630670,12 @@ github.com/intel/intel-graphics-compiler,criticality_score:0.580330
 github.com/intel/intel-inb-manageability,
 github.com/intel/intel-ipsec-mb,
 github.com/intel/intel-linux-firmware,
+github.com/intel/intel-lpmd,
+github.com/intel/intel-npu-acceleration-library,
 github.com/intel/intel-one-mono,
+github.com/intel/intel-operator-for-telegraf-agent,
 github.com/intel/intel-optimization-for-horovod,
+github.com/intel/intel-policy-library,
 github.com/intel/intel-qs,
 github.com/intel/intel-resource-drivers-for-kubernetes,
 github.com/intel/intel-sdptool-ansible-modules,
@@ -630470,12 +630685,14 @@ github.com/intel/intel-sgx-ssl,
 github.com/intel/intel-ssd-firmware-update-tool,
 github.com/intel/intel-technology-enabling-for-openshift,
 github.com/intel/intel-vaapi-driver,
+github.com/intel/intel-xai-tools,
 github.com/intel/intel-xpu-backend-for-triton,
 github.com/intel/intel.github.io,
 github.com/intel/intel_hfi,
 github.com/intel/intelhub.io,
 github.com/intel/intelligent-collaboration-web,
 github.com/intel/intelligent-traffic-management,
+github.com/intel/intelmodin,
 github.com/intel/intent-driven-orchestration,
 github.com/intel/interferencedetector,
 github.com/intel/iodlr,
@@ -630493,11 +630710,15 @@ github.com/intel/iotg_tsn_ref_sw,
 github.com/intel/ipmctl,Google
 github.com/intel/ipp-crypto,
 github.com/intel/ippcp-plugin-rocksdb,
+github.com/intel/ipu-opi-plugins,
 github.com/intel/ipu4-cam-hal,
 github.com/intel/ipu4-icamerasrc,
 github.com/intel/ipu6-camera-bins,
 github.com/intel/ipu6-camera-hal,
 github.com/intel/ipu6-drivers,
+github.com/intel/ipu7-camera-bins,
+github.com/intel/ipu7-camera-hal,
+github.com/intel/ipu7-drivers,
 github.com/intel/irqbalance,
 github.com/intel/isa-l,criticality_score:0.512100
 github.com/intel/isa-l_crypto,Google
@@ -630524,14 +630745,18 @@ github.com/intel/kvm-multios,
 github.com/intel/kvm-unit-tests-tdx,
 github.com/intel/learning-kit-sample-apps,
 github.com/intel/ledmon,
+github.com/intel/level-zero-npu-extensions,
 github.com/intel/level-zero-raytracing-support,
 github.com/intel/level-zero-vpu-extensions,
 github.com/intel/libaji_client,
 github.com/intel/libipt,criticality_score:0.431620
+github.com/intel/libmebo,
 github.com/intel/libmei,
 github.com/intel/libva,criticality_score:0.618410
 github.com/intel/libva-utils,
 github.com/intel/libvirt-tdx,
+github.com/intel/libvpl,
+github.com/intel/libvpl-tools,
 github.com/intel/libxcam,criticality_score:0.354770
 github.com/intel/libyami,
 github.com/intel/light-model-transformer,
@@ -630539,6 +630764,8 @@ github.com/intel/linux-intel-lts,
 github.com/intel/linux-intel-quilt,
 github.com/intel/linux-kernel-overlay,
 github.com/intel/linux-libusbi3c,
+github.com/intel/linux-npu-driver,
+github.com/intel/linux-riscv,
 github.com/intel/linux-sgx,criticality_score:0.484480
 github.com/intel/linux-sgx-driver,criticality_score:0.313700
 github.com/intel/linux-sgx-ghsa-3jm9-2hcq-f233,
@@ -630547,6 +630774,7 @@ github.com/intel/linux-sgx-ghsa-w76m-wgh6-gg3h,
 github.com/intel/linux-vpu-driver,
 github.com/intel/lkp-tests,
 github.com/intel/lkvs,
+github.com/intel/llm-on-ray,
 github.com/intel/llvm,criticality_score:0.836380
 github.com/intel/llvm-docs,
 github.com/intel/llvm-test-suite,
@@ -630564,17 +630792,22 @@ github.com/intel/media-driver,criticality_score:0.633600
 github.com/intel/media-driver-helper,
 github.com/intel/media-lab,
 github.com/intel/memory-bandwidth-benchmarks,
+github.com/intel/memory-usage-analyzer,
 github.com/intel/memtierd,
 github.com/intel/meta-acrn,
 github.com/intel/meta-intel-sgx,
+github.com/intel/meta-openvino,
 github.com/intel/metee,
+github.com/intel/metric-post-processor,
 github.com/intel/metrics-discovery,
 github.com/intel/metrics-library,
 github.com/intel/mfit,
 github.com/intel/mfit-storage-lib,
 github.com/intel/mkl-dnn,Google
+github.com/intel/ml-dsa-fia-demo,
 github.com/intel/mlir-extensions,
 github.com/intel/mlops,
+github.com/intel/models,
 github.com/intel/modsecurity-wasm-filter,
 github.com/intel/mongodb-iaa,
 github.com/intel/mpi,
@@ -630589,8 +630822,12 @@ github.com/intel/nemu,"criticality_score:0.376060,num_dependents_deps.dev:0"
 github.com/intel/net-test-suites,
 github.com/intel/network-resources-injector,num_dependents_deps.dev:1
 github.com/intel/neural-compressor,
+github.com/intel/neural-speed,
+github.com/intel/ngd-fitting,
 github.com/intel/nlp-training-and-inference-openvino,
 github.com/intel/nn-hal,
+github.com/intel/npu-nn-cost-model,
+github.com/intel/npu-plugin-llvm,
 github.com/intel/numatop,Google
 github.com/intel/observability-collectd,
 github.com/intel/observability-telegraf,
@@ -630601,13 +630838,17 @@ github.com/intel/oneapi-containers,
 github.com/intel/onnxruntime,
 github.com/intel/onnxruntime-inference-examples,
 github.com/intel/open-domain-question-and-answer,
+github.com/intel/open-ecosystem-evangelism,
 github.com/intel/open-ecosystem-ref-code,
 github.com/intel/opencl-clang,
 github.com/intel/opencl-intercept-layer,
 github.com/intel/openfl,
 github.com/intel/openfl-security,
+github.com/intel/openikt,
 github.com/intel/openlldp,
 github.com/intel/openvino-ai-plugins-gimp,
+github.com/intel/openvino-demos,
+github.com/intel/openvino-plugins-ai-audacity,
 github.com/intel/openvino-plugins-for-obs-studio,
 github.com/intel/openvino-rs,num_dependents_deps.dev:9
 github.com/intel/openvino-tensorflow,
@@ -630619,11 +630860,13 @@ github.com/intel/pailliercryptolib,
 github.com/intel/pailliercryptolib_python,
 github.com/intel/pcm,
 github.com/intel/pepc,
+github.com/intel/perf-hfsort,
 github.com/intel/perfmon,
 github.com/intel/pf-bb-config,
 github.com/intel/pfr-cooper-city,
 github.com/intel/pfr-eagle-stream,
 github.com/intel/pfr-wilson-city,
+github.com/intel/pin-based-cec,
 github.com/intel/pinball2elf,
 github.com/intel/pinplay-tools,
 github.com/intel/platform-aware-scheduling,num_dependents_deps.dev:0
@@ -630635,14 +630878,18 @@ github.com/intel/policy-library-intel-aws,
 github.com/intel/policy-library-intel-azure,
 github.com/intel/policy-library-intel-gcp,
 github.com/intel/power-optimization-library,
+github.com/intel/powertelemetry,
 github.com/intel/pretraining-with-Intel-accelerators-gpu,
 github.com/intel/processwatch,
+github.com/intel/program-measurement-scripts,
+github.com/intel/program-optimization-advice-exploration-scripts,
 github.com/intel/project-example-for-python,
 github.com/intel/pse-fw,
 github.com/intel/psst,
 github.com/intel/pti-gpu,
 github.com/intel/pytorch,
 github.com/intel/qat-java,
+github.com/intel/qat-plugin-rocksdb,
 github.com/intel/qatgo,
 github.com/intel/qatlib,
 github.com/intel/qatlib-freebsd,
@@ -630652,16 +630899,20 @@ github.com/intel/qemu-tdx,
 github.com/intel/qpl,
 github.com/intel/qpl-java,
 github.com/intel/qt-patched,
+github.com/intel/quantum-intrinsics,
+github.com/intel/quantum-passes,
 github.com/intel/quickassist,
 github.com/intel/recommender-system-with-classical-ml,
 github.com/intel/recommender-system-with-distributed-classical-ml,
 github.com/intel/recsys2023-intel-submission,
+github.com/intel/rho-diffusion,
 github.com/intel/rmd-operator,num_dependents_deps.dev:0
 github.com/intel/rni-profile-base-ubuntu,
 github.com/intel/rohd,
 github.com/intel/rohd-cosim,
 github.com/intel/rohd-hcl,
 github.com/intel/rohd-vf,
+github.com/intel/rohd-wave-viewer,
 github.com/intel/rohd-website,
 github.com/intel/ros2_grasp_library,
 github.com/intel/ros2_object_msgs,
@@ -630681,6 +630932,7 @@ github.com/intel/sails-mssql,
 github.com/intel/scale-testing-for-vastdata,
 github.com/intel/scikit-learn-intelex,
 github.com/intel/secured-cloud-management-stack,
+github.com/intel/security-center,
 github.com/intel/sedi-drivers,
 github.com/intel/sgx-emm,
 github.com/intel/sgx-pytorch,
@@ -630688,23 +630940,35 @@ github.com/intel/shim-tdx,
 github.com/intel/simics-fpga-examples,
 github.com/intel/simics-fpga-visualizer,
 github.com/intel/simplified-classifier-and-labelling-tool-for-pytorch,
+github.com/intel/simulator-bindings,
 github.com/intel/smart-image-correction,
 github.com/intel/sriov-cni,num_dependents_deps.dev:1
+github.com/intel/sriov-fec-operator,
 github.com/intel/sriov-network-device-plugin,num_dependents_deps.dev:0
 github.com/intel/srs,
+github.com/intel/stablediffusion-pipelines-cpp,
 github.com/intel/state-components-validation-utilities,
 github.com/intel/stats-collect,
 github.com/intel/string-constant-and-logging,
 github.com/intel/supra-on-oneapi,
+github.com/intel/sve2rvv,
 github.com/intel/svr-info,
 github.com/intel/synce4l,
 github.com/intel/systemc-compiler,
+github.com/intel/tbtools,
 github.com/intel/tcf,
 github.com/intel/td-partitioning,
 github.com/intel/tdx,
+github.com/intel/tdx-guest,
+github.com/intel/tdx-linux,
+github.com/intel/tdx-loader,
+github.com/intel/tdx-module,
 github.com/intel/tdx-stacks,
 github.com/intel/tdx-tools,
+github.com/intel/tee-io-validator,
 github.com/intel/telemetry-aware-scheduling,num_dependents_deps.dev:0
+github.com/intel/terraform-intel-aws-aurora-mysql,
+github.com/intel/terraform-intel-aws-aurora-postgresql,
 github.com/intel/terraform-intel-aws-databricks-workspace,
 github.com/intel/terraform-intel-aws-ecs,
 github.com/intel/terraform-intel-aws-eks,
@@ -630715,6 +630979,7 @@ github.com/intel/terraform-intel-aws-mssql,
 github.com/intel/terraform-intel-aws-mysql,
 github.com/intel/terraform-intel-aws-mysql-parameter-group,
 github.com/intel/terraform-intel-aws-postgresql,
+github.com/intel/terraform-intel-aws-postgresql-parameter-group,
 github.com/intel/terraform-intel-aws-sagemaker-endpoint,
 github.com/intel/terraform-intel-aws-vm,
 github.com/intel/terraform-intel-azure-adx,
@@ -630727,22 +630992,39 @@ github.com/intel/terraform-intel-azure-databricks-workspace,
 github.com/intel/terraform-intel-azure-example-app,
 github.com/intel/terraform-intel-azure-linux-vm,
 github.com/intel/terraform-intel-azure-mssql,
+github.com/intel/terraform-intel-azure-mssql-managed-instance,
 github.com/intel/terraform-intel-azure-mysql-flexible-server,
 github.com/intel/terraform-intel-azure-postgresql-flexible-server,
+github.com/intel/terraform-intel-azure-windows-vm,
 github.com/intel/terraform-intel-databricks-cluster,
 github.com/intel/terraform-intel-gcp-example-app,
 github.com/intel/terraform-intel-gcp-gke,
 github.com/intel/terraform-intel-gcp-vm,
+github.com/intel/terraform-intel-ibm-vm,
 github.com/intel/test,
 github.com/intel/tfortools,num_dependents_deps.dev:0
 github.com/intel/thermal_daemon,criticality_score:0.520410
+github.com/intel/thin-layout-optimizer,
 github.com/intel/thunderbolt-utils,
+github.com/intel/tiny-dpcpp-nn,
+github.com/intel/tiny-tensor-compiler,
 github.com/intel/tinycbor,criticality_score:0.465100
 github.com/intel/tinycrypt,
 github.com/intel/torch-ccl,
+github.com/intel/torch-xpu-ops,
 github.com/intel/tpmi_power_management,
+github.com/intel/transfer-learning,
+github.com/intel/trustauthority-cli,
+github.com/intel/trustauthority-client-for-c,
+github.com/intel/trustauthority-client-for-go,
+github.com/intel/trustauthority-client-for-java,
+github.com/intel/trustauthority-client-for-python,
+github.com/intel/trustauthority-kbs,
+github.com/intel/trustauthority-samples,
 github.com/intel/trusted-attestation-controller,
 github.com/intel/trusted-certificate-issuer,
+github.com/intel/trusted-ledger-config-store,
+github.com/intel/tsffs,
 github.com/intel/ui-widget-toolkit,num_dependents_deps.dev:0
 github.com/intel/uintr-ipc-bench,
 github.com/intel/uintr-liburing,
@@ -630759,8 +631041,11 @@ github.com/intel/vbh,
 github.com/intel/vc-intrinsics,
 github.com/intel/video-streamer,
 github.com/intel/vision-based-transfer-learning-and-inference,
+github.com/intel/vision-drivers,
 github.com/intel/visual-quality-inspection,
 github.com/intel/vmtaint,
+github.com/intel/vmware-platforms-scripts-and-tools,
+github.com/intel/vpl-gpu-rt,
 github.com/intel/vpu-accelerator-device-plugin,
 github.com/intel/vpu-accelerator-manager,
 github.com/intel/vpu-accelerator-samples,
@@ -630774,10 +631059,13 @@ github.com/intel/vscode-oneapi-extension-pack,
 github.com/intel/vscode-oneapi-gdb-debug,
 github.com/intel/vscode-quantum-sdk,
 github.com/intel/vscode-sample-browser,
+github.com/intel/vscode-simics,
 github.com/intel/vscode-software-development-tools,
+github.com/intel/vscode-tcf-debug,
 github.com/intel/vsi-vaapi-driver,
 github.com/intel/vtpm-td,
 github.com/intel/wafer-insights-with-classical-ml,
+github.com/intel/web-ai-showcase,
 github.com/intel/webml-polyfill,
 github.com/intel/wireless-network-ready-intelligent-traffic-management,
 github.com/intel/wmi-native-module,
@@ -630798,6 +631086,7 @@ github.com/intel/yoko-tool,
 github.com/intel/zephyr,
 github.com/intel/zephyr-ia,
 github.com/intel/zlib,
+github.com/intel/ztunnel,
 github.com/intel352/go-userdir,num_dependents_deps.dev:0
 github.com/intel352/resty,num_dependents_deps.dev:0
 github.com/intel352/revel,num_dependents_deps.dev:0
@@ -630951,6 +631240,7 @@ github.com/intelsdi-x/snap-plugin-collector-jolokia,
 github.com/intelsdi-x/snap-plugin-collector-pysmart,
 github.com/intelsdi-x/snap-plugin-lib-py,
 github.com/intelsnap/antd-final-form,num_dependents_deps.dev:0
+github.com/intelxed/intelxed.github.io,
 github.com/intelxed/intelxedhub.io,
 github.com/intelxed/mbuild,Google
 github.com/intelxed/xed,criticality_score:0.551430
@@ -636753,8 +637043,56 @@ github.com/iskorotkov/rusprofile-grpc,num_dependents_deps.dev:0
 github.com/iskracat/Hitotsubashi-University,
 github.com/iskrenyp/spock-goodies,num_dependents_deps.dev:0
 github.com/iskylite/nodeset,num_dependents_deps.dev:0
+github.com/isl-org/0shot-object-insertion,
+github.com/isl-org/DFE,
+github.com/isl-org/DPT,
+github.com/isl-org/DeepLagrangianFluids,
+github.com/isl-org/DirectFuturePrediction,
+github.com/isl-org/FastGlobalRegistration,
+github.com/isl-org/FreeViewSynthesis,
+github.com/isl-org/Intseg,
+github.com/isl-org/LMRS,
+github.com/isl-org/MetaLearningTradeoffs,
+github.com/isl-org/MiDaS,
+github.com/isl-org/MultiObjectiveOptimization,
+github.com/isl-org/NPHard,
+github.com/isl-org/Next-ViT,
 github.com/isl-org/Open3D,
+github.com/isl-org/Open3D-3rdparty,
+github.com/isl-org/Open3D-ML,
+github.com/isl-org/Open3D-PointNet,
+github.com/isl-org/Open3D-PointNet2-Semantic3D,
+github.com/isl-org/Open3D-PoissonRecon,
+github.com/isl-org/Open3D-Python-CI,
+github.com/isl-org/Open3D-Viewer,
+github.com/isl-org/OpenBot,
+github.com/isl-org/PhotorealismEnhancement,
+github.com/isl-org/StableViewSynthesis,
+github.com/isl-org/TanksAndTemples,
+github.com/isl-org/VI-Depth,
 github.com/isl-org/ZoeDepth,
+github.com/isl-org/adaptive-surface-reconstruction,
+github.com/isl-org/dcflow,
+github.com/isl-org/faiss,
+github.com/isl-org/filament,
+github.com/isl-org/generalized-smoothing,
+github.com/isl-org/hello-world-docker-action,
+github.com/isl-org/lang-seg,
+github.com/isl-org/librealsense,
+github.com/isl-org/libzmq,
+github.com/isl-org/m2r,
+github.com/isl-org/mshadow,
+github.com/isl-org/objects-with-lighting,
+github.com/isl-org/open3d-cmake-external-project,
+github.com/isl-org/open3d-cmake-find-package,
+github.com/isl-org/open3d_downloads,
+github.com/isl-org/open3d_sphinx_theme,
+github.com/isl-org/pytorch_builder,
+github.com/isl-org/redwood-3dscan,
+github.com/isl-org/spear,
+github.com/isl-org/stdgpu,
+github.com/isl-org/torchmcubes,
+github.com/isl-org/vision-for-action,
 github.com/isl-x/django-rq-scheduler,
 github.com/isla-opt/ISLA,
 github.com/islam-shaheen/mylib,num_dependents_deps.dev:0
@@ -637207,8 +637545,10 @@ github.com/isovalent/gke-test-cluster-operator,num_dependents_deps.dev:0
 github.com/isovector/take2,
 github.com/isp-insoft-gmbh/scanmate,num_dependents_deps.dev:0
 github.com/ispal/vue-chevron,num_dependents_deps.dev:0
+github.com/ispc/install-ispc-action,
 github.com/ispc/ispc,criticality_score:0.617450
 github.com/ispc/ispc.dependencies,
+github.com/ispc/ispc.github.com,
 github.com/ispc/ispc.syntax,
 github.com/ispc/ispchub.com,
 github.com/ispec-inc/mocmock,num_dependents_deps.dev:0
@@ -744271,6 +744611,7 @@ github.com/lava-nc/lava,
 github.com/lava-nc/lava-dl,
 github.com/lava-nc/lava-dnf,
 github.com/lava-nc/lava-docs,
+github.com/lava-nc/lava-nc.github.io,
 github.com/lava-nc/lava-nchub.io,
 github.com/lava-nc/lava-optimization,
 github.com/lava-nc/lava-peripherals,
@@ -899767,9 +900108,13 @@ github.com/oap-project/oap-mllib,
 github.com/oap-project/oap-projecthub.io,
 github.com/oap-project/oap-tools,
 github.com/oap-project/pmem-shuffle,
+github.com/oap-project/protobuf,
+github.com/oap-project/pyspark-ai,
 github.com/oap-project/raydp,
 github.com/oap-project/recdp,
 github.com/oap-project/remote-shuffle,
+github.com/oap-project/spark-ai-kit,
+github.com/oap-project/text2sql-gluten,
 github.com/oap-project/velox,
 github.com/oapi-codegen/chi-middleware,
 github.com/oapi-codegen/echo-middleware,
@@ -908038,6 +908383,11 @@ github.com/oneacik/nestjs-i18n,num_dependents_deps.dev:0
 github.com/onealexharms/tableize,num_dependents_deps.dev:0
 github.com/oneall/ios-sdk,num_dependents_deps.dev:0
 github.com/oneall/node-js-sdk,num_dependents_deps.dev:0
+github.com/oneapi-community/awesome-oneapi,
+github.com/oneapi-community/community,
+github.com/oneapi-community/documentation,
+github.com/oneapi-community/oneapi-community.github.io,
+github.com/oneapi-community/oneapi-web-showcase,
 github.com/oneapi-src/DPCPP_Reference,
 github.com/oneapi-src/SYCLomatic,
 github.com/oneapi-src/SYCLomatic-test,
@@ -908055,6 +908405,7 @@ github.com/oneapi-src/demand-forecasting,
 github.com/oneapi-src/digital-twin,
 github.com/oneapi-src/disease-prediction,
 github.com/oneapi-src/distributed-ranges,
+github.com/oneapi-src/distributed-ranges-tutorial,
 github.com/oneapi-src/document-automation,
 github.com/oneapi-src/drone-navigation-inspection,
 github.com/oneapi-src/engineering-design-optimization,
@@ -908062,6 +908413,7 @@ github.com/oneapi-src/historical-assets-document-process,
 github.com/oneapi-src/image-data-generation,
 github.com/oneapi-src/intelligent-indexing,
 github.com/oneapi-src/invoice-to-cash-automation,
+github.com/oneapi-src/ishmem,
 github.com/oneapi-src/level-zero,
 github.com/oneapi-src/level-zero-spec,
 github.com/oneapi-src/level-zero-tests,
@@ -908081,6 +908433,7 @@ github.com/oneapi-src/oneVPL,
 github.com/oneapi-src/oneVPL-cpu,
 github.com/oneapi-src/oneVPL-intel-gpu,
 github.com/oneapi-src/oneapi-ci,
+github.com/oneapi-src/oneapi-src.github.io,
 github.com/oneapi-src/order-to-delivery-time-forecasting,
 github.com/oneapi-src/powerline-fault-detection,
 github.com/oneapi-src/predictive-asset-health-analytics,
@@ -908089,6 +908442,7 @@ github.com/oneapi-src/purchase-prediction,
 github.com/oneapi-src/structural-damage-assessment,
 github.com/oneapi-src/text-data-generation,
 github.com/oneapi-src/traffic-camera-object-detection,
+github.com/oneapi-src/unified-memory-framework,
 github.com/oneapi-src/unified-runtime,
 github.com/oneapi-src/vertical-search-engine,
 github.com/oneapi-src/visual-process-discovery,
@@ -909973,6 +910327,7 @@ github.com/open-amdocs/zusammen-collaborative-git,num_dependents_deps.dev:0
 github.com/open-amdocs/zusammen-commons,num_dependents_deps.dev:266
 github.com/open-amdocs/zusammen-metadata-cassandra,num_dependents_deps.dev:0
 github.com/open-amdocs/zusammen-search-elastic,num_dependents_deps.dev:0
+github.com/open-amt-cloud-toolkit/console,
 github.com/open-amt-cloud-toolkit/docs,
 github.com/open-amt-cloud-toolkit/enterprise-assistant,
 github.com/open-amt-cloud-toolkit/go-wsman-messages,
@@ -913372,7 +913727,10 @@ github.com/openvenues/node-postal,num_dependents_deps.dev:4
 github.com/openvenues/pypostal,
 github.com/openvex/setup-vexctl,
 github.com/openvino/openvino-api,num_dependents_deps.dev:0
+github.com/openvinotoolkit/.github,
+github.com/openvinotoolkit/MLPerf,
 github.com/openvinotoolkit/anomalib,
+github.com/openvinotoolkit/awesome-openvino,
 github.com/openvinotoolkit/cpu_extensions,
 github.com/openvinotoolkit/cvat,criticality_score:0.586260
 github.com/openvinotoolkit/datumaro,
@@ -913387,18 +913745,27 @@ github.com/openvinotoolkit/model_analyzer, github.com/openvinotoolkit/model_api, github.com/openvinotoolkit/model_server,criticality_score:0.396510 github.com/openvinotoolkit/nncf, +github.com/openvinotoolkit/npu_plugin, +github.com/openvinotoolkit/npu_plugin_btc, +github.com/openvinotoolkit/npu_plugin_elf, github.com/openvinotoolkit/oneDNN, github.com/openvinotoolkit/open_model_zoo,criticality_score:0.509080 github.com/openvinotoolkit/openvino,"criticality_score:0.641370,num_dependents_deps.dev:0" +github.com/openvinotoolkit/openvino.genai, +github.com/openvinotoolkit/openvino_build_deploy, github.com/openvinotoolkit/openvino_contrib, github.com/openvinotoolkit/openvino_notebooks, github.com/openvinotoolkit/openvino_tensorflow, +github.com/openvinotoolkit/openvino_tokenizers, +github.com/openvinotoolkit/openvino_xai, github.com/openvinotoolkit/operator, github.com/openvinotoolkit/security_addon, +github.com/openvinotoolkit/shl, github.com/openvinotoolkit/stable-diffusion-webui, github.com/openvinotoolkit/telemetry, github.com/openvinotoolkit/testdata, github.com/openvinotoolkit/testrepo, +github.com/openvinotoolkit/tflite_openvino_delegate, github.com/openvinotoolkit/training_extensions,criticality_score:0.419840 github.com/openvinotoolkit/training_toolbox_caffe, github.com/openvinotoolkit/vpux_plugin, @@ -917444,6 +917811,7 @@ github.com/ospirentos/money, github.com/ospray/anari-ospray, github.com/ospray/hdospray, github.com/ospray/ospray,criticality_score:0.518910 +github.com/ospray/ospray.github.io, github.com/ospray/ospray_studio, github.com/ospray/osprayhub.io, github.com/ospray/rkcommon, 
@@ -960545,6 +960913,8 @@ github.com/projectceladon/OpenCL-ICD-Loader, github.com/projectceladon/aaf, github.com/projectceladon/ade, github.com/projectceladon/ai-dispatcher, +github.com/projectceladon/aic-cmd-channel-service, +github.com/projectceladon/android-container, github.com/projectceladon/app-icon-manager, github.com/projectceladon/audio-vhal, github.com/projectceladon/camera-vhal, @@ -960567,6 +960937,7 @@ github.com/projectceladon/device-intel-civ-battery, github.com/projectceladon/device-intel-civ-thermal, github.com/projectceladon/device-intel-common, github.com/projectceladon/device-intel-sepolicy, +github.com/projectceladon/docker-entry-files, github.com/projectceladon/drm-hwcomposer, github.com/projectceladon/efiwrapper, github.com/projectceladon/external-gnu-efi, @@ -960584,6 +960955,7 @@ github.com/projectceladon/ia-qemu, github.com/projectceladon/ikgt-core, github.com/projectceladon/intel-graphics-compiler, github.com/projectceladon/ittapi, +github.com/projectceladon/kernel-modules, github.com/projectceladon/kernelflinger, github.com/projectceladon/libbt-vendor-intel, github.com/projectceladon/libdmi, @@ -960598,6 +960970,7 @@ github.com/projectceladon/linux-intel-lts2020-chromium, github.com/projectceladon/linux-intel-lts2020-yocto, github.com/projectceladon/linux-intel-lts2021, github.com/projectceladon/linux-intel-lts2021-chromium, +github.com/projectceladon/linux-intel-lts2022, github.com/projectceladon/linux-intel-lts2022-chromium, github.com/projectceladon/log_capture, github.com/projectceladon/manifest, @@ -960606,6 +960979,7 @@ github.com/projectceladon/mediasdk-omx, github.com/projectceladon/mediasdk_release, github.com/projectceladon/metrics-discovery, github.com/projectceladon/minigbm, +github.com/projectceladon/multi-user, github.com/projectceladon/nn-hal, github.com/projectceladon/oneDNN, github.com/projectceladon/oneTBB, 
@@ -1073383,11 +1073757,13 @@ github.com/slimaneakalie/fizzbuzz-golang,num_dependents_deps.dev:0 github.com/slimani-ibrahim/csv2json,num_dependents_deps.dev:0 github.com/slimani-ibrahim/jwt-decoder,num_dependents_deps.dev:0 github.com/slimbloody/leetgo,num_dependents_deps.dev:0 +github.com/slimbootloader/.github, github.com/slimbootloader/documentation, github.com/slimbootloader/firmwareblob, github.com/slimbootloader/hub, github.com/slimbootloader/payloads, github.com/slimbootloader/slimbootloader, +github.com/slimbootloader/slimbootloader.github.io, github.com/slimbootloader/slimbootloaderhub.io, github.com/slimcdk/dolt-ops-repos,num_dependents_deps.dev:0 github.com/slimcdk/octotray,num_dependents_deps.dev:0 @@ -1175807,6 +1176183,7 @@ github.com/ultram4rine/go-ssh1,num_dependents_deps.dev:0 github.com/ultram4rine/switchmap,num_dependents_deps.dev:0 github.com/ultramarin4/gopacket,num_dependents_deps.dev:0 github.com/ultramega/android-radar-chart,num_dependents_deps.dev:0 +github.com/ultramobile-kits/ultramobile-kits.github.io, github.com/ultramodern/logo,num_dependents_deps.dev:0 github.com/ultranaco/goutils,num_dependents_deps.dev:0 github.com/ultranaco/parallel-js,num_dependents_deps.dev:0 diff --git a/cron/internal/webhook/Dockerfile b/cron/internal/webhook/Dockerfile index 9be907bc68a..f5779e2be5c 100644 --- a/cron/internal/webhook/Dockerfile +++ b/cron/internal/webhook/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.22.4@sha256:969349b8121a56d51c74f4c273ab974c15b3a8ae246a5cffc1df7d28b66cf978 AS base +FROM golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8 AS base WORKDIR /src ENV CGO_ENABLED=0 COPY go.* ./ diff --git a/cron/internal/worker/Dockerfile b/cron/internal/worker/Dockerfile index c7dd8cc5699..f2eb4b3e084 100644 --- a/cron/internal/worker/Dockerfile +++ b/cron/internal/worker/Dockerfile 
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.22.4@sha256:969349b8121a56d51c74f4c273ab974c15b3a8ae246a5cffc1df7d28b66cf978 AS base
+FROM golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8 AS base
 WORKDIR /src
 ENV CGO_ENABLED=0
 COPY go.* ./
diff --git a/cron/internal/worker/main.go b/cron/internal/worker/main.go
index eab19a4cae8..14073c82348 100644
--- a/cron/internal/worker/main.go
+++ b/cron/internal/worker/main.go
@@ -40,7 +40,6 @@ import (
 	"github.com/ossf/scorecard/v5/cron/worker"
 	docs "github.com/ossf/scorecard/v5/docs/checks"
 	sce "github.com/ossf/scorecard/v5/errors"
-	"github.com/ossf/scorecard/v5/internal/packageclient"
 	"github.com/ossf/scorecard/v5/log"
 	"github.com/ossf/scorecard/v5/pkg"
 	"github.com/ossf/scorecard/v5/policy"
@@ -90,7 +89,6 @@ type ScorecardWorker struct {
 	ciiClient clients.CIIBestPracticesClient
 	ossFuzzRepoClient clients.RepoClient
 	vulnsClient clients.VulnerabilitiesClient
-	projectClient packageclient.ProjectPackageClient
 	apiBucketURL string
 	rawBucketURL string
 	blacklistedChecks []string
@@ -138,8 +136,6 @@ func newScorecardWorker() (*ScorecardWorker, error) {
 		sw.vulnsClient = clients.DefaultVulnerabilitiesClient()
 	}
 
-	sw.projectClient = packageclient.CreateDepsDevClient()
-
 	if sw.exporter, err = startMetricsExporter(); err != nil {
 		return nil, fmt.Errorf("startMetricsExporter: %w", err)
 	}
@@ -161,7 +157,7 @@ func (sw *ScorecardWorker) Close() {
 func (sw *ScorecardWorker) Process(ctx context.Context, req *data.ScorecardBatchRequest, bucketURL string) error {
 	return processRequest(ctx, req, sw.blacklistedChecks, bucketURL, sw.rawBucketURL, sw.apiBucketURL, sw.checkDocs,
 		sw.githubClient, sw.gitlabClient, sw.ossFuzzRepoClient, sw.ciiClient,
-		sw.vulnsClient, sw.projectClient, sw.logger)
+		sw.vulnsClient, sw.logger)
 }
 
 func (sw *ScorecardWorker) PostProcess() {
@@ -176,7 +172,6 @@ func processRequest(ctx context.Context,
 	githubClient, gitlabClient clients.RepoClient, ossFuzzRepoClient clients.RepoClient,
 	ciiClient clients.CIIBestPracticesClient,
 	vulnsClient clients.VulnerabilitiesClient,
-	projectClient packageclient.ProjectPackageClient,
 	logger *log.Logger,
 ) error {
 	filename := worker.ResultFilename(batchRequest)
@@ -200,6 +195,9 @@ func processRequest(ctx context.Context,
 		}
 		repo.AppendMetadata(repoReq.GetMetadata()...)
 
+		// TODO: realistically the enabled/disabled checks can just be
+		// calculated once in newScorecardWorker as all of the repos use
+		// clients.HeadSHA. but not doing yet to keep refactor small
 		commitSHA := clients.HeadSHA
 		requiredRequestType := []checker.RequestType{}
 		if repoReq.GetCommit() != clients.HeadSHA {
@@ -214,9 +212,19 @@ func processRequest(ctx context.Context,
 		for _, check := range disabledChecks {
 			delete(checksToRun, check)
 		}
+		enabledChecks := make([]string, 0, len(checksToRun))
+		for check := range checksToRun {
+			enabledChecks = append(enabledChecks, check)
+		}
 
-		result, err := pkg.RunScorecard(ctx, repo, commitSHA, 0, checksToRun,
-			repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, projectClient)
+		result, err := pkg.Run(ctx, repo,
+			pkg.WithCommitSHA(commitSHA),
+			pkg.WithChecks(enabledChecks),
+			pkg.WithRepoClient(repoClient),
+			pkg.WithOSSFuzzClient(ossFuzzRepoClient),
+			pkg.WithOpenSSFBestPraticesClient(ciiClient),
+			pkg.WithVulnerabilitiesClient(vulnsClient),
+		)
 		if errors.Is(err, sce.ErrRepoUnreachable) {
 			// Not accessible repo - continue.
 			continue
diff --git a/docs/probes.md b/docs/probes.md
index ca9dfebdb70..16c7db619ad 100644
--- a/docs/probes.md
+++ b/docs/probes.md
@@ -7,6 +7,8 @@ please [contribute](../CONTRIBUTING.md)!
 
 ## archived
 
+**Lifecycle**: stable
+
 **Description**: Check that the project is archived
 
 **Motivation**: An archived project will not received security patches, and is not actively tested or used.
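Review bot: In the last main.go hunk, `enabledChecks` is filled by ranging over the `checksToRun` map, so the slice handed to `pkg.WithChecks` comes out in a different order on every call; if `pkg.Run` executes or reports checks in the order given, batch results for the same repo stop being reproducible between runs. Adding `slices.Sort(enabledChecks)` (or `sort.Strings`, with the matching import) right after the loop fixes that at no cost. The same hunk removes the shared deps.dev `projectClient` without passing a replacement option, so any check that consumed it now depends on what `pkg.Run` does when no project client is supplied — presumably it builds a default one, but that should be confirmed and recorded, e.g. `// pkg.Run creates its own deps.dev client; the worker no longer shares one across repos.` The enclosing `processRequest` starts and ends outside this hunk.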
@@ -19,6 +21,8 @@ If the project is not archived, the outcome is OutcomeFalse. ## blocksDeleteOnBranches +**Lifecycle**: stable + **Description**: Check that the project blocks non-admins from deleting branches. **Motivation**: Allowing non-admins to delete project branches has a similar effect to performing force pushes. @@ -30,6 +34,8 @@ If the project is not archived, the outcome is OutcomeFalse. ## blocksForcePushOnBranches +**Lifecycle**: stable + **Description**: Check that the project blocks force push on its branches. **Motivation**: Allowing force pushes to branches could allow those with write access to make insecure changes to the behavior of the project. @@ -42,6 +48,8 @@ Returns OutcomeNotAvailable if Scorecard cannot fetch the data from the reposito ## branchProtectionAppliesToAdmins +**Lifecycle**: stable + **Description**: Check that the project's branch protection rules apply to project admins. **Motivation**: Admins may be able to bypass branch protection settings which could defeat the purpose of having them. @@ -53,6 +61,8 @@ Returns OutcomeNotAvailable if Scorecard cannot fetch the data from the reposito ## branchesAreProtected +**Lifecycle**: stable + **Description**: Check that the project uses protected branches. **Motivation**: Unprotected branches may allow actions that could compromise the project's security. @@ -64,6 +74,8 @@ Returns OutcomeNotAvailable if Scorecard cannot fetch the data from the reposito ## codeApproved +**Lifecycle**: stable + **Description**: Check that all recent changesets have been approved by someone who is not the author of the changeset. **Motivation**: To ensure that the review process works, the proposed changes should have a minimum number of approvals. 
@@ -77,6 +89,8 @@ If there are no changes, the probe returns OutcomeNotApplicable ## codeReviewOneReviewers +**Lifecycle**: experimental + **Description**: Check that at least one reviewers review a change before merging. **Motivation**: To ensure that the review process works, the proposed changes should have a minimum number of approvals. @@ -89,6 +103,8 @@ If the changes had fewer than one reviewers, the prove returns OutcomeFalse (0) ## contributorsFromOrgOrCompany +**Lifecycle**: experimental + **Description**: Checks whether a project has a contributions from users associated with a company or organization. **Motivation**: This probe tries to determine if the project has recent contributors from multiple organizations. For some projects, having a diverse group of contributors is an indicator of project health. @@ -101,6 +117,8 @@ If the project has contributing organizations, the probe returns 1 OutcomeTrue p ## createdRecently +**Lifecycle**: stable + **Description**: Checks if the project was created in the last 90 days. **Motivation**: Recently created repositories have been used for malicious forks / typosquatting attacks in the past. A newly created repo is not a strong signal on its own, but can be a useful piece of information. @@ -113,6 +131,8 @@ If the project is older than 90 days, the outcome is OutcomeFalse. The finding w ## dependencyUpdateToolConfigured +**Lifecycle**: stable + **Description**: Check that a dependency update tool config is present. **Motivation**: Out-of-date dependencies make a project vulnerable to known flaws and prone to attacks. Tools can help the process of updating dependencies by scanning for outdated or insecure requirements, and opening a pull request to update them if found. 
@@ -125,6 +145,8 @@ If no tool is detected, the probe returns OutcomeFalse. ## dismissesStaleReviews +**Lifecycle**: stable + **Description**: Check that the project dismisses stale reviews when new commits are pushed. **Motivation**: When a project does not dismiss stale reviews, contributors can bring their pull requests to an approved state and then make unreviewed commits. @@ -136,6 +158,8 @@ If no tool is detected, the probe returns OutcomeFalse. ## fuzzed +**Lifecycle**: stable + **Description**: Check that the project is fuzzed **Motivation**: Fuzzing, or fuzz testing, is the practice of feeding unexpected or random data into a program to expose bugs. Regular fuzzing is important to detect vulnerabilities that may be exploited by others, especially since attackers can also use fuzzing to find the same flaws. @@ -148,6 +172,8 @@ If no fuzzing tool is found, or the project uses a tool we don't detect, one fin ## hasBinaryArtifacts +**Lifecycle**: stable + **Description**: Checks if the project has any binary files in its source tree. **Motivation**: Binary files are not human readable so users and reviewers can't easily see what they do. @@ -160,6 +186,8 @@ If the probe finds no binary files, it returns a single OutcomeFalse. ## hasDangerousWorkflowScriptInjection +**Lifecycle**: stable + **Description**: Check whether the project has GitHub Actions workflows that enable script injection. **Motivation**: Script injections allow attackers to use untrusted input to access privileged resources (code execution, secret exfiltration, etc.) 
@@ -172,6 +200,8 @@ If no dangerous patterns are found, the probe returns one finding with OutcomeFa ## hasDangerousWorkflowUntrustedCheckout +**Lifecycle**: stable + **Description**: Check whether the project has GitHub Actions workflows that does untrusted checkouts. **Motivation**: GitHub workflows triggered with pull_request_target or workflow_run have write permission to the target repository and access to target repository secrets. Combined with a dangerous checkout of PR contents, attackers may be able to compromise the repository, for example, by using build scripts controlled by the PR author. @@ -184,6 +214,8 @@ The probe returns one finding with OutcomeFalse if no untrusted checkouts are de ## hasFSFOrOSIApprovedLicense +**Lifecycle**: stable + **Description**: Check that the project has an FSF or OSI approved license. **Motivation**: A license can give users information about how the source code may or may not be used. Using a recognized license facilitates security or legal reviews for potential users. @@ -197,6 +229,8 @@ If the license is not of an approved format, the probe returns a single OutcomeF ## hasLicenseFile +**Lifecycle**: stable + **Description**: Check that the project has a license file **Motivation**: A license can give users information about how the source code may or may not be used. The lack of a license will impede any kind of security review or audit and creates a legal risk for potential users. @@ -209,6 +243,8 @@ If a license file is not found, the probe returns a single OutcomeFalse. ## hasNoGitHubWorkflowPermissionUnknown +**Lifecycle**: experimental + **Description**: Checks that GitHub workflows have workflows with unknown permissions **Motivation**: Unknown permissions may be a result of a bug or another error from fetching the permission levels. 
@@ -221,6 +257,8 @@ The probe returns 1 true outcome if the project has no workflows with unknown pe ## hasOSVVulnerabilities +**Lifecycle**: stable + **Description**: Check whether the project has known vulnerabilities **Motivation**: This check determines whether the project has open, unfixed vulnerabilities in its own codebase or its dependencies using the OSV (Open Source Vulnerabilities) service. An open vulnerability may be exploited by attackers and should be fixed as soon as possible. @@ -233,6 +271,8 @@ If there are no known vulnerabilities detected, the probe returns one false outc ## hasOpenSSFBadge +**Lifecycle**: stable + **Description**: This check determines whether the project has an OpenSSF (formerly CII) Best Practices Badge. **Motivation**: The OpenSSF Best Practices badge indicates whether or not the project uses a set of security-focused best development practices for open source software. @@ -245,6 +285,8 @@ If the project does not have a badge, the probe returns one OutcomeFalse. ## hasPermissiveLicense +**Lifecycle**: stable + **Description**: Check that the project has an permissive license. **Motivation**: A permissive license allows users to use the analyzed component to be used in derivative works. Non-permissive licenses (as copyleft licenses) might be a legal risk for potential users. @@ -258,6 +300,8 @@ If the license is not permissive, the probe returns a single OutcomeFalse. ## hasRecentCommits +**Lifecycle**: stable + **Description**: Check whether the project has at least one commit per week over the last 90 days. **Motivation**: A project which is not active might not be patched, have its dependencies patched, or be actively tested and used. A lack of active maintenance should signal that potential users should investigate further to judge the situation. A project may not need further features or maintenance; In this case, the probe results can be disregarded. 
@@ -270,6 +314,8 @@ If the project does not have commits in the last 90 days, the probe returns a si ## hasReleaseSBOM +**Lifecycle**: experimental + **Description**: Check that the project publishes an SBOM as part of its release artifacts. **Motivation**: An SBOM can give users information about how the source code components and dependencies. They help facilitate sotware supplychain security and aid in identifying upstream vulnerabilities in a codebase. @@ -282,6 +328,8 @@ If an SBOM artifact is not found, the probe returns a single OutcomeFalse. ## hasSBOM +**Lifecycle**: experimental + **Description**: Check that the project has an SBOM file **Motivation**: An SBOM can give users information about how the source code components and dependencies. They help facilitate sotware supplychain security and aid in identifying upstream vulnerabilities in a codebase. @@ -294,6 +342,8 @@ If an SBOM file is not found, the probe returns a single OutcomeFalse. ## hasUnverifiedBinaryArtifacts +**Lifecycle**: stable + **Description**: Checks if the project has binary files in its source tree. The probe skips verified binary files which currently are gradle-wrappers. **Motivation**: Binary files are not human readable so users and reviewers can't easily see what they do. @@ -306,6 +356,8 @@ If the probe finds no unverified binary files, it returns OutcomeFalse. ## issueActivityByProjectMember +**Lifecycle**: stable + **Description**: Checks that a collaborator, member or owner has participated in issues in the last 90 days. **Motivation**: A project which does not respond to issues may not be actively maintained. A lack of active maintenance should signal that potential users should investigate further to judge the situation. However a project may simply not have any recent issues; In this case, the probe results can be disregarded. 
@@ -318,6 +370,8 @@ If collaborators, members or owners have NOT participated in issues in the last ## jobLevelPermissions +**Lifecycle**: experimental + **Description**: Checks that GitHub workflows do not have "write" permissions at the "job" level. **Motivation**: In some circumstances, having "write" permissions at the "job" level may enable attackers to escalate privileges. @@ -330,6 +384,8 @@ The probe returns 1 true outcome if the project has no workflows "write" permiss ## packagedWithAutomatedWorkflow +**Lifecycle**: stable + **Description**: Checks whether the project uses automated packaging. **Motivation**: Packages give users of a project an easy way to download, install, update, and uninstall the software by a package manager. In particular, they make it easy for users to receive security patches as updates. @@ -342,6 +398,8 @@ If the project doesn't use automated packaing we can detect, the outcome is nega ## pinsDependencies +**Lifecycle**: stable + **Description**: Check that the project pins dependencies to a specific digest. **Motivation**: Pinned dependencies ensure that checking and deployment are all done with the same software, reducing deployment risks, simplifying debugging, and enabling reproducibility. They can help mitigate compromised dependencies from undermining the security of the project (in the case where you've evaluated the pinned dependency, you are confident it's not compromised, and a later version is released that is compromised). @@ -355,6 +413,8 @@ If the project has no supported dependencies, the probe returns OutcomeNotApplic ## releasesAreSigned +**Lifecycle**: stable + **Description**: Check that the projects GitHub and GitLab releases are signed. **Motivation**: Signed releases allow consumers to verify their artifacts before consuming them. 
@@ -368,6 +428,8 @@ If the project has no releases, the probe returns OutcomeNotApplicable. ## releasesHaveProvenance +**Lifecycle**: stable + **Description**: Check that the projects releases on GitHub and GitLab have provenance. **Motivation**: Provenance give users security-critical, verifiable information so that consumers can verify their artifacts before consuming them. @@ -381,6 +443,8 @@ If the project has no releases, the probe returns OutcomeNotApplicable. ## releasesHaveVerifiedProvenance +**Lifecycle**: experimental + **Description**: Checks if the project releases with provenance attestations that have been verified **Motivation**: Package provenance attestations provide a greater guarantee of authenticity and integrity than package signatures alone, since the attestation can be performed over a hash of both the package contents and metadata. Developers can attest to particular qualities of the build, such as the build environment, build steps or builder identity. @@ -393,6 +457,8 @@ If we didn't find a package or didn't find releases, return OutcomeNotAvailable. ## requiresApproversForPullRequests +**Lifecycle**: stable + **Description**: Check that the project requires approvers for pull requests. **Motivation**: Requiring approvers for pull requests makes it harder to introduce vulnerable code to the project. @@ -404,6 +470,8 @@ If we didn't find a package or didn't find releases, return OutcomeNotAvailable. ## requiresCodeOwnersReview +**Lifecycle**: stable + **Description**: Check that the project requires dedicated code owners to review PRs. **Motivation**: Code owners are expected to have deep knowledge about a code; Having experienced reviewers for PRs is expected to prevent security issues. 
@@ -415,6 +483,8 @@ If we didn't find a package or didn't find releases, return OutcomeNotAvailable. ## requiresLastPushApproval +**Lifecycle**: stable + **Description**: Check that the project requires approval of the most recent push. **Motivation**: Requiring approval of the most recent push prevents contributors from sneaking malicious commits into a PR after it has been approved. @@ -426,6 +496,8 @@ If we didn't find a package or didn't find releases, return OutcomeNotAvailable. ## requiresPRsToChangeCode +**Lifecycle**: stable + **Description**: Check that the project requires pull requests to change code. **Motivation**: Changing code through pull requests promotes testing and reviews of the suggested change. @@ -437,6 +509,8 @@ If we didn't find a package or didn't find releases, return OutcomeNotAvailable. ## requiresUpToDateBranches +**Lifecycle**: stable + **Description**: Check that the project requires PRs to be in sync with the base branch. **Motivation**: Requiring PRs to be in sync with the base branch is good practice. @@ -448,6 +522,8 @@ If we didn't find a package or didn't find releases, return OutcomeNotAvailable. ## runsStatusChecksBeforeMerging +**Lifecycle**: stable + **Description**: Check that the project runs required status checks **Motivation**: Required status checks can check for common errors and resolve issues in PRs. @@ -459,6 +535,8 @@ If we didn't find a package or didn't find releases, return OutcomeNotAvailable. ## sastToolConfigured +**Lifecycle**: stable + **Description**: Check that the project uses a SAST tool **Motivation**: SAST is testing run on source code before the application is run. Using SAST tools can prevent known classes of bugs from being inadvertently introduced in the codebase. 
@@ -471,6 +549,8 @@ If the project does not use a SAST tool, or uses a tool we dont currently detect ## sastToolRunsOnAllCommits +**Lifecycle**: stable + **Description**: Checks that a SAST tool runs on all commits in the projects CI. **Motivation**: SAST is testing run on source code before the application is run. Using SAST tools can prevent known classes of bugs from being inadvertently introduced in the codebase. @@ -484,6 +564,8 @@ If the project does not run any SAST tools successfully on every pull request be ## securityPolicyContainsLinks +**Lifecycle**: stable + **Description**: Check that the security policy contains web or email links. **Motivation**: URLs point users to additional information as well as online disclosure forms. Emails provide a point of contact for vulnerability disclosure. @@ -497,6 +579,8 @@ If no security policy files are found, one finding with OutcomeFalse is returned ## securityPolicyContainsText +**Lifecycle**: stable + **Description**: Check that the security policy contains enough text and not just links. **Motivation**: Telling security researchers how to privately disclose problems with your project is important. The more details available, the better. @@ -510,6 +594,8 @@ If no security policy is found, one finding with OutcomeFalse is returned. ## securityPolicyContainsVulnerabilityDisclosure +**Lifecycle**: stable + **Description**: Check that the security policy indicates a vulnerability disclosure process. **Motivation**: If someone finds a vulnerability in the project, it is important for them to be able to communicate it to the maintainers. 
@@ -523,6 +609,8 @@ If no security policy is found, the probe returns one finding with OutcomeFalse. ## securityPolicyPresent +**Lifecycle**: stable + **Description**: Check if a security policy is defined in the repository or in the org's .github repository. **Motivation**: A security policy (typically a SECURITY.md file) can give users information about what constitutes a vulnerability and how to report one securely so that information about a bug is not publicly visible. If you have a large organization, having a unified security policy across all your repositories may simplify the vulnerability disclosure response. @@ -535,6 +623,8 @@ If no security file is found, one finding with OutcomeFalse is returned. ## testsRunInCI +**Lifecycle**: stable + **Description**: Checks that the project runs tests in the CI for example with GitHub Actions or Prow. **Motivation**: Running tests helps developers catch mistakes early on, which can reduce the number of vulnerabilities that find their way into a project. @@ -547,6 +637,8 @@ The probe returns a single OutcomeNotApplicable if the projects has had no pull ## topLevelPermissions +**Lifecycle**: experimental + **Description**: Checks that the project does not have any top-level write permissions in its workflows. **Motivation**: In some circumstances, having "write" permissions at the "top" level may enable attackers to escalate privileges. @@ -559,6 +651,8 @@ The probe returns 1 true outcome if the project has no workflows "write" permiss ## webhooksUseSecrets +**Lifecycle**: experimental + **Description**: This check determines whether the webhooks defined in the repository have secrets configured to authenticate the origins of requests. **Motivation**: Webhooks without secret authorization have the potential to make projects accessible to third-parties. diff --git a/docs/probes/internal/generate/main.go b/docs/probes/internal/generate/main.go index 0ee461f1675..126a1a17fc4 100644 
--- a/docs/probes/internal/generate/main.go
+++ b/docs/probes/internal/generate/main.go
@@ -39,6 +39,7 @@ func printField(w io.Writer, name string, value any) {
 func printProbe(w io.Writer, p *pyaml.Probe) {
 	// short, motivation, implementation, outcome, remediation, ecosystem
 	fmt.Fprint(w, "\n"+"## "+p.ID+"\n\n")
+	printField(w, "Lifecycle", p.Lifecycle)
 	printField(w, "Description", p.Short)
 	printField(w, "Motivation", p.Motivation)
 	printField(w, "Implementation", p.Implementation)
diff --git a/finding/probe.go b/finding/probe.go
index 33778f2aeff..0e3a07f0823 100644
--- a/finding/probe.go
+++ b/finding/probe.go
@@ -28,6 +28,9 @@ import (
 // RemediationEffort indicates the estimated effort necessary to remediate a finding.
 type RemediationEffort int
 
+// lifecycle indicates the probe's stability.
+type lifecycle string
+
 const (
 	// RemediationEffortNone indicates a no remediation effort.
 	RemediationEffortNone RemediationEffort = iota
@@ -37,6 +40,10 @@ const (
 	RemediationEffortMedium
 	// RemediationEffortHigh indicates a high remediation effort.
 	RemediationEffortHigh
+
+	lifecycleExperimental lifecycle = "experimental"
+	lifecycleStable lifecycle = "stable"
+	lifecycleDeprecated lifecycle = "deprecated"
 )
 
 // Remediation represents the remediation for a finding.
@@ -109,6 +116,9 @@ func validate(r *pyaml.Probe, probeID string) error {
 	if err := validateEcosystem(r.Ecosystem); err != nil {
 		return err
 	}
+	if err := validateLifecycle(lifecycle(r.Lifecycle)); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -178,6 +188,15 @@ func validateSupportedClients(r pyaml.Ecosystem) error {
 	return nil
 }
 
+func validateLifecycle(l lifecycle) error {
+	switch l {
+	case lifecycleExperimental, lifecycleStable, lifecycleDeprecated:
+		return nil
+	default:
+		return fmt.Errorf("%w: %v", errInvalid, fmt.Sprintf("lifecycle '%v'", l))
+	}
+}
+
 func parseFromYAML(content []byte) (*pyaml.Probe, error) {
 	r := pyaml.Probe{}
 
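Review bot: `validateLifecycle` nests a `fmt.Sprintf` inside `fmt.Errorf` to build its message, which one format string already handles; `return fmt.Errorf("%w: lifecycle %q", errInvalid, l)` is shorter and `%q` makes the missing-field case read as `lifecycle ""` rather than `lifecycle ''`. The same hunk admits `lifecycleDeprecated` as a valid value, yet nothing visible here consumes it, so a comment on the constant block saying what a deprecated probe is expected to do (still run, or only be documented) would keep the three values from looking interchangeable; the match is also case-sensitive, which is probably intended but worth a word in the doc comment on `lifecycle`. `parseFromYAML` continues past the end of this hunk.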
diff --git a/finding/probe_test.go b/finding/probe_test.go index 0b02ba37c2f..a6bceabdacd 100644 --- a/finding/probe_test.go +++ b/finding/probe_test.go @@ -90,6 +90,18 @@ func Test_probeFromBytes(t *testing.T) { path: "testdata/invalid-client.yml", err: errInvalid, }, + { + name: "invalid lifecycle is an error", + id: "invalid-lifecycle", + path: "testdata/invalid-lifecycle.yml", + err: errInvalid, + }, + { + name: "missing lifecycle is an error", + id: "missing-lifecycle", + path: "testdata/missing-lifecycle.yml", + err: errInvalid, + }, } for _, tt := range tests { tt := tt // Re-initializing variable so it is not changed while executing the closure below diff --git a/finding/testdata/all-fields.yml b/finding/testdata/all-fields.yml index ff1627f7a00..18c4ce70a31 100644 --- a/finding/testdata/all-fields.yml +++ b/finding/testdata/all-fields.yml @@ -1,4 +1,5 @@ id: all-fields +lifecycle: stable short: short description motivation: > mot1 diff --git a/finding/testdata/effort-high.yml b/finding/testdata/effort-high.yml index ea005702b2d..6ff37e0e9f5 100644 --- a/finding/testdata/effort-high.yml +++ b/finding/testdata/effort-high.yml @@ -1,4 +1,5 @@ id: effort-high +lifecycle: stable short: short description motivation: > line1 diff --git a/finding/testdata/effort-low.yml b/finding/testdata/effort-low.yml index b8db02dee9d..cc095c0689a 100644 --- a/finding/testdata/effort-low.yml +++ b/finding/testdata/effort-low.yml @@ -1,4 +1,5 @@ id: effort-low +lifecycle: stable short: short description motivation: > line1 diff --git a/finding/testdata/invalid-client.yml b/finding/testdata/invalid-client.yml index 261c1197977..c99acde385b 100644 --- a/finding/testdata/invalid-client.yml +++ b/finding/testdata/invalid-client.yml @@ -1,4 +1,5 @@ id: invalid-client +lifecycle: stable short: short description motivation: > mot1 diff --git a/finding/testdata/invalid-effort.yml b/finding/testdata/invalid-effort.yml index 0fc9474478c..ddf98aebd69 100644 
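Review bot: The two new table cases expect `errInvalid` for ids `invalid-lifecycle` and `missing-lifecycle`, but the fixtures this commit adds both begin with `id: all-fields` (copied from all-fields.yml) instead of an id matching the file name; if `validate` compares `r.ID` against `probeID` before it reaches `validateLifecycle` — the existing `missing-id` case suggests such a check exists — both tests obtain their `errInvalid` from the id mismatch and never exercise the lifecycle validation they are named for. Setting `id: invalid-lifecycle` and `id: missing-lifecycle` in the fixtures, as the other invalid-*.yml files do, makes the assertions meaningful, and matching the error text against `lifecycle` would pin it further. The `tests` table begins before this hunk.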
--- a/finding/testdata/invalid-effort.yml +++ b/finding/testdata/invalid-effort.yml @@ -1,4 +1,5 @@ id: invalid-effort +lifecycle: stable short: short description motivation: > line1 diff --git a/finding/testdata/invalid-language.yml b/finding/testdata/invalid-language.yml index c697ad0a8c2..7a1e8b903d5 100644 --- a/finding/testdata/invalid-language.yml +++ b/finding/testdata/invalid-language.yml @@ -1,4 +1,5 @@ id: invalid-language +lifecycle: stable short: short description motivation: > mot1 diff --git a/finding/testdata/invalid-lifecycle.yml b/finding/testdata/invalid-lifecycle.yml new file mode 100644 index 00000000000..f8674544ec5 --- /dev/null +++ b/finding/testdata/invalid-lifecycle.yml @@ -0,0 +1,26 @@ +id: all-fields +lifecycle: foo +short: short description +motivation: > + mot1 + mot2 +implementation: > + impl1 + impl2 +remediation: + onOutcome: False + effort: Low + text: + - step1 + - step2 https://www.google.com/something + markdown: + - step1 + - step2 [google.com](https://www.google.com/something) +ecosystem: + languages: + - c + - c++ + clients: + - github + - gitlab + - localdir diff --git a/finding/testdata/metadata-variables.yml b/finding/testdata/metadata-variables.yml index 30c962b7d18..3ce1db88ad0 100644 --- a/finding/testdata/metadata-variables.yml +++ b/finding/testdata/metadata-variables.yml @@ -1,4 +1,5 @@ id: metadata-variables +lifecycle: stable short: short description motivation: > line1 diff --git a/finding/testdata/missing-id.yml b/finding/testdata/missing-id.yml index 7fb1325e35d..08919865150 100644 --- a/finding/testdata/missing-id.yml +++ b/finding/testdata/missing-id.yml @@ -1,3 +1,4 @@ +lifecycle: stable short: short description motivation: > line1 diff --git a/finding/testdata/missing-lifecycle.yml b/finding/testdata/missing-lifecycle.yml new file mode 100644 index 00000000000..ff1627f7a00 --- /dev/null +++ b/finding/testdata/missing-lifecycle.yml 
@@ -0,0 +1,25 @@ +id: all-fields +short: short description +motivation: > + mot1 + mot2 +implementation: > + impl1 + impl2 +remediation: + onOutcome: False + effort: Low + text: + - step1 + - step2 https://www.google.com/something + markdown: + - step1 + - step2 [google.com](https://www.google.com/something) +ecosystem: + languages: + - c + - c++ + clients: + - github + - gitlab + - localdir diff --git a/go.mod b/go.mod index 7ec45f9c69a..b7273b25dc3 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/ossf/scorecard/v5 -go 1.21.10 +go 1.21.11 require ( cloud.google.com/go/bigquery v1.61.0 @@ -30,7 +30,7 @@ require ( go.opencensus.io v0.24.0 gocloud.dev v0.37.0 golang.org/x/text v0.16.0 - golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect + golang.org/x/tools v0.22.0 // indirect google.golang.org/genproto v0.0.0-20240617180043-68d350f18fd4 // indirect google.golang.org/protobuf v1.34.2 gopkg.in/yaml.v2 v2.4.0 @@ -42,7 +42,7 @@ require ( github.com/caarlos0/env/v6 v6.10.0 github.com/gobwas/glob v0.2.3 github.com/google/go-github/v53 v53.2.0 - github.com/google/osv-scanner v1.7.4 + github.com/google/osv-scanner v1.8.1 github.com/mcuadros/go-jsonschema-generator v0.0.0-20200330054847-ba7a369d4303 github.com/onsi/ginkgo/v2 v2.19.0 github.com/otiai10/copy v1.14.0 
@@ -57,9 +57,12 @@ require ( cloud.google.com/go/kms v1.17.1 // indirect cloud.google.com/go/longrunning v0.5.7 // indirect dario.cat/mergo v1.0.0 // indirect - deps.dev/api/v3 v3.0.0-20240516073147-b352d7eeeae6 // indirect + deps.dev/api/v3 v3.0.0-20240617015216-b147e04533eb // indirect + deps.dev/util/maven v0.0.0-20240617015216-b147e04533eb // indirect + deps.dev/util/resolve v0.0.0-20240617015216-b147e04533eb // indirect + deps.dev/util/semver v0.0.0-20240617015216-b147e04533eb // indirect github.com/BurntSushi/toml v1.4.0 // indirect - github.com/CycloneDX/cyclonedx-go v0.8.0 // indirect + github.com/CycloneDX/cyclonedx-go v0.9.0 // indirect github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9 // indirect github.com/apache/arrow/go/v15 v15.0.2 // indirect github.com/cloudflare/circl v1.3.7 // indirect 
@@ -103,19 +106,23 @@ require ( github.com/skeema/knownhosts v1.2.2 // indirect github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 // indirect github.com/spdx/tools-golang v0.5.4 // indirect + github.com/tidwall/gjson v1.17.1 // indirect + github.com/tidwall/match v1.1.1 // indirect + github.com/tidwall/pretty v1.2.1 // indirect github.com/zeebo/xxh3 v1.0.2 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect go.opentelemetry.io/otel v1.24.0 // indirect go.opentelemetry.io/otel/metric v1.24.0 // indirect go.opentelemetry.io/otel/trace v1.24.0 // indirect - golang.org/x/mod v0.17.0 // indirect + golang.org/x/mod v0.18.0 // indirect golang.org/x/term v0.21.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/vuln v1.0.4 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240617180043-68d350f18fd4 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240617180043-68d350f18fd4 // indirect gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/ini.v1 v1.67.0 // indirect k8s.io/api v0.28.6 // indirect k8s.io/apimachinery v0.28.6 // indirect k8s.io/client-go v0.28.6 // indirect @@ -176,7 +183,7 @@ require ( github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect golang.org/x/crypto v0.24.0 // indirect - golang.org/x/exp v0.0.0-20240525044651-4c93da0ed11d // indirect + golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 // indirect golang.org/x/net v0.26.0 // indirect golang.org/x/oauth2 v0.21.0 golang.org/x/sync v0.7.0 // indirect diff --git a/go.sum b/go.sum index 7d28b73b17e..92b950b6d73 100644 --- a/go.sum +++ b/go.sum 
@@ -53,8 +53,14 @@ contrib.go.opencensus.io/exporter/stackdriver v0.13.14 h1:zBakwHardp9Jcb8sQHcHpX contrib.go.opencensus.io/exporter/stackdriver v0.13.14/go.mod h1:5pSSGY0Bhuk7waTHuDf4aQ8D2DrhgETRo9fy6k3Xlzc= dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= -deps.dev/api/v3 v3.0.0-20240516073147-b352d7eeeae6 h1:pxD1B50Np8PJRcI3KkYHWCfbhOSuDKz1tzXoazCO8eg= -deps.dev/api/v3 v3.0.0-20240516073147-b352d7eeeae6/go.mod h1:DyBY3wNVqRCwvb4tLvz6LL/FupH3FMflEROyQAv2Vi0= +deps.dev/api/v3 v3.0.0-20240617015216-b147e04533eb h1:iBVrvSHrpmBvPpaIt9NZgzjsnXJcXlxcgw7p6huasKc= +deps.dev/api/v3 v3.0.0-20240617015216-b147e04533eb/go.mod h1:DyBY3wNVqRCwvb4tLvz6LL/FupH3FMflEROyQAv2Vi0= +deps.dev/util/maven v0.0.0-20240617015216-b147e04533eb h1:EgJUHeaZYedhv/0ldRcKwsjQOioVqu38/yaZ5Pm95W8= +deps.dev/util/maven v0.0.0-20240617015216-b147e04533eb/go.mod h1:SBW3EribdkZYk6zxi5oVn/ZECvi4ixb7EGgEWfSimNk= +deps.dev/util/resolve v0.0.0-20240617015216-b147e04533eb h1:8tVvl7Synmf+zhSLJtL1BSU8AjGDrI8h9IoCH63whP0= +deps.dev/util/resolve v0.0.0-20240617015216-b147e04533eb/go.mod h1:XXi6yRYqhtxw5DvGX/mbG6fHSLn8OgoPowNd8EAxDgk= +deps.dev/util/semver v0.0.0-20240617015216-b147e04533eb h1:+nbsqRQnYMxwPhqBOvj8ffWserppKMLk3Il6AsaEdwE= +deps.dev/util/semver v0.0.0-20240617015216-b147e04533eb/go.mod h1:jkcH+k02gWHBiZ7G4OnUOkSZ6WDq54Pt5DrOA8FN8Uo= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/Azure/azure-sdk-for-go v35.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v38.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= 
@@ -86,8 +92,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03 github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0= github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/CycloneDX/cyclonedx-go v0.8.0 h1:FyWVj6x6hoJrui5uRQdYZcSievw3Z32Z88uYzG/0D6M= -github.com/CycloneDX/cyclonedx-go v0.8.0/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk= +github.com/CycloneDX/cyclonedx-go v0.9.0 h1:inaif7qD8bivyxp7XLgxUYtOXWtDez7+j72qKTMQTb8= +github.com/CycloneDX/cyclonedx-go v0.9.0/go.mod h1:NE/EWvzELOFlG6+ljX/QeMlVt9VKcTwu8u0ccsACEsw= github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14= github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= 
@@ -406,8 +412,8 @@ github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPg github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.3.3 h1:DIhPTQrbPkgs2yJYdXU/eNACCG5DVQjySNRNlflZ9Fc= github.com/google/martian/v3 v3.3.3/go.mod h1:iEPrYcgCF7jA9OtScMFQyAlZZ4YXTKEtJ1E6RWzmBA0= -github.com/google/osv-scanner v1.7.4 h1:u021ANn9P/xZUPpYXVv7O1n9FYhF+YmYEqt/05BLpPA= -github.com/google/osv-scanner v1.7.4/go.mod h1:GWXnZYfJEeICRUFJIbW/BRHzsDHVkqPOvKo5uBi5+jU= +github.com/google/osv-scanner v1.8.1 h1:g7qnejJYy+/bMP0rrojz8E+O9Lsos0PdyGOYfZinf/Q= +github.com/google/osv-scanner v1.8.1/go.mod h1:UxJshXEvWzHZfSQQc2MPvqnHGMws43EIkqoalbzboCE= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= @@ -751,6 +757,7 @@ github.com/tidwall/gjson v1.17.1 h1:wlYEnwqAHgzmhNUFfw7Xalt2JzQvsMx2Se4PcoFCT/U= github.com/tidwall/gjson v1.17.1/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= +github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4= github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY= 
@@ -847,8 +854,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20240525044651-4c93da0ed11d h1:N0hmiNbwsSNwHBAvR3QB5w25pUwH4tK0Y/RltD1j1h4= -golang.org/x/exp v0.0.0-20240525044651-4c93da0ed11d/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc= +golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 h1:yixxcjnhBmY0nkL253HFVIm0JsFHwrHdT3Yh6szTnfY= +golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8/go.mod h1:jj3sYF3dwk5D+ghuXyeI3r5MFf+NT2An6/9dOA95KSI= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -874,8 +881,8 @@ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= -golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= +golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -1090,8 +1097,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps= -golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg= -golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= +golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA= +golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c= golang.org/x/vuln v1.0.4 h1:SP0mPeg2PmGCu03V+61EcQiOjmpri2XijexKdzv8Z1I= golang.org/x/vuln v1.0.4/go.mod h1:NbJdUQhX8jY++FtuhrXs2Eyx0yePo9pF7nPlIjo9aaQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -1195,6 +1202,8 @@ gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= +gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= diff --git a/internal/checknames/checknames.go b/internal/checknames/checknames.go new file mode 100644 index 00000000000..aaf6bd48327 --- /dev/null +++ b/internal/checknames/checknames.go 
@@ -0,0 +1,64 @@
+// Copyright 2024 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package checknames
+
+type CheckName = string
+
+// Redefining check names here to avoid circular imports.
+const (
+	BinaryArtifacts CheckName = "Binary-Artifacts"
+	BranchProtection CheckName = "Branch-Protection"
+	CIIBestPractices CheckName = "CII-Best-Practices"
+	CITests CheckName = "CI-Tests"
+	CodeReview CheckName = "Code-Review"
+	Contributors CheckName = "Contributors"
+	DangerousWorkflow CheckName = "Dangerous-Workflow"
+	DependencyUpdateTool CheckName = "Dependency-Update-Tool"
+	Fuzzing CheckName = "Fuzzing"
+	License CheckName = "License"
+	Maintained CheckName = "Maintained"
+	Packaging CheckName = "Packaging"
+	PinnedDependencies CheckName = "Pinned-Dependencies"
+	SAST CheckName = "SAST"
+	SBOM CheckName = "SBOM"
+	SecurityPolicy CheckName = "Security-Policy"
+	SignedReleases CheckName = "Signed-Releases"
+	TokenPermissions CheckName = "Token-Permissions"
+	Vulnerabilities CheckName = "Vulnerabilities"
+	Webhooks CheckName = "Webhooks"
+)
+
+var AllValidChecks []string = []string{
+	BinaryArtifacts,
+	BranchProtection,
+	CIIBestPractices,
+	CITests,
+	CodeReview,
+	Contributors,
+	DangerousWorkflow,
+	DependencyUpdateTool,
+	Fuzzing,
+	License,
+	Maintained,
+	Packaging,
+	PinnedDependencies,
+	SAST,
+	SBOM,
+	SecurityPolicy,
+	SignedReleases,
+	TokenPermissions,
+	Vulnerabilities,
+	Webhooks,
+}
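Review bot: The exported names in this new package carry no doc comments, and `var AllValidChecks []string = []string{` repeats a type the initializer already supplies; drop the redundant type (`var AllValidChecks = []string{`) and add a package comment plus one-liners such as `// CheckName is the user-facing name of a Scorecard check.` and `// AllValidChecks lists every check name Scorecard recognises; callers must not mutate it.`. Note also that `type CheckName = string` is an alias, whereas the `type CheckName string` it replaces in internal/probes was a defined type, so any string now satisfies a `[]checknames.CheckName` parameter and the compiler no longer catches a misspelled check name handed to MustRegister — presumably chosen so the value can be passed straight to string-typed helpers, but that trade-off is worth stating in the comment. Because AllValidChecks is an exported mutable slice, a caller that appends to or reorders it changes what every other caller sees; if any consumer needs isolation it should take a `slices.Clone` rather than the package variable.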
diff --git a/internal/probes/probes.go b/internal/probes/probes.go
index bc125256d90..437f5c87bdc 100644
--- a/internal/probes/probes.go
+++ b/internal/probes/probes.go
@@ -20,39 +20,14 @@ import (
 	"github.com/ossf/scorecard/v5/checker"
 	"github.com/ossf/scorecard/v5/errors"
 	"github.com/ossf/scorecard/v5/finding"
-)
-
-type CheckName string
-
-// Redefining check names here to avoid circular imports.
-const (
-	BinaryArtifacts CheckName = "Binary-Artifacts"
-	BranchProtection CheckName = "Branch-Protection"
-	CIIBestPractices CheckName = "CII-Best-Practices"
-	CITests CheckName = "CI-Tests"
-	CodeReview CheckName = "Code-Review"
-	Contributors CheckName = "Contributors"
-	DangerousWorkflow CheckName = "Dangerous-Workflow"
-	DependencyUpdateTool CheckName = "Dependency-Update-Tool"
-	Fuzzing CheckName = "Fuzzing"
-	License CheckName = "License"
-	Maintained CheckName = "Maintained"
-	Packaging CheckName = "Packaging"
-	PinnedDependencies CheckName = "Pinned-Dependencies"
-	SAST CheckName = "SAST"
-	SBOM CheckName = "SBOM"
-	SecurityPolicy CheckName = "Security-Policy"
-	SignedReleases CheckName = "Signed-Releases"
-	TokenPermissions CheckName = "Token-Permissions"
-	Vulnerabilities CheckName = "Vulnerabilities"
-	Webhooks CheckName = "Webhooks"
+	"github.com/ossf/scorecard/v5/internal/checknames"
 )
 
 type Probe struct {
 	Name string
 	Implementation ProbeImpl
 	IndependentImplementation IndependentProbeImpl
-	RequiredRawData []CheckName
+	RequiredRawData []checknames.CheckName
 }
 
 type ProbeImpl func(*checker.RawResults) ([]finding.Finding, string, error)
@@ -62,7 +37,7 @@ type IndependentProbeImpl func(*checker.CheckRequest) ([]finding.Finding, string
 // registered is the mapping of all registered probes.
 var registered = map[string]Probe{}
 
-func MustRegister(name string, impl ProbeImpl, requiredRawData []CheckName) {
+func MustRegister(name string, impl ProbeImpl, requiredRawData []checknames.CheckName) {
 	err := register(Probe{
 		Name: name,
 		Implementation: impl,
diff --git a/internal/probes/probes_test.go b/internal/probes/probes_test.go
index 800c721955c..74b57d93ada 100644
--- a/internal/probes/probes_test.go
+++ b/internal/probes/probes_test.go
@@ -21,6 +21,7 @@ import (
 
 	"github.com/ossf/scorecard/v5/checker"
 	"github.com/ossf/scorecard/v5/finding"
+	. "github.com/ossf/scorecard/v5/internal/checknames"
 )
 
 func emptyImpl(r *checker.RawResults) ([]finding.Finding, string, error) {
diff --git a/internal/probes/yaml/yaml.go b/internal/probes/yaml/yaml.go
index 2759013e3f7..53c1943099d 100644
--- a/internal/probes/yaml/yaml.go
+++ b/internal/probes/yaml/yaml.go
@@ -31,6 +31,7 @@ type Probe struct {
 	ID string `yaml:"id"`
 	Short string `yaml:"short"`
 	Motivation string `yaml:"motivation"`
+	Lifecycle string `yaml:"lifecycle"`
 	Implementation string `yaml:"implementation"`
 	Ecosystem Ecosystem `yaml:"ecosystem"`
 	Outcomes []string `yaml:"outcome"`
diff --git a/pkg/scorecard.go b/pkg/scorecard.go
index 819194d16f5..bf13c246228 100644
--- a/pkg/scorecard.go
+++ b/pkg/scorecard.go
@@ -180,11 +180,7 @@ func runScorecard(ctx context.Context,
 	if r != nil {
 		defer r.Close()
 		logger.Info(fmt.Sprintf("using maintainer annotations: %s", path))
-		checks := []string{}
-		for check := range checksToRun {
-			checks = append(checks, check)
-		}
-		c, err := config.Parse(r, checks)
+		c, err := config.Parse(r)
 		if err != nil {
 			logger.Info(fmt.Sprintf("couldn't parse maintainer annotations: %v", err))
 		}
diff --git a/pkg/scorecard_result.go b/pkg/scorecard_result.go
index 3cf90f54a11..84ba8f8947d 100644
--- a/pkg/scorecard_result.go
+++ b/pkg/scorecard_result.go
@@ -402,7 +402,7 @@ func populateRawResults(request *checker.CheckRequest, probesToRun []string, ret
 			return fmt.Errorf("getting probe %q: %w", probeName, err)
 		}
 		for _, checkName := range p.RequiredRawData {
-			checkName := string(checkName)
+			checkName := checkName
 			if !seen[checkName] {
 				err := assignRawData(checkName, request, ret)
 				if err != nil {
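Review bot: The new `. "github.com/ossf/scorecard/v5/internal/checknames"` dot-import pulls every exported name of checknames into the test file unqualified, so a reader can no longer tell where an identifier such as BranchProtection comes from, and revive's dot-imports rule flags exactly this (whether the project enables that rule is not visible here). A plain import with `checknames.BranchProtection` at the use sites is the form every probe impl.go in this same diff adopts; using it in the test keeps test and production code consistent at the cost of a mechanical rename.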
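Review bot: The new `Lifecycle string` field is added without saying which values it accepts or that it is mandatory, yet the tests in this diff treat a missing or unknown value as errInvalid, and the README and def.yml files spell the states differently (Experimental/Stable/Deprecated versus `stable`/`experimental`), so a reader of this struct cannot tell what a valid probe definition looks like. A field comment such as `// Lifecycle is required and must be one of the values accepted by the probe validator (stable, experimental, deprecated).` would pin that down; the exact comparison performed lives outside this hunk, so confirm the wording against it. The rest of the Probe struct is outside the hunk.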
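Review bot: `config.Parse(r)` no longer receives the set of checks selected for this run, so any validation Parse previously did of annotation check names against `checksToRun` is now done against a fixed list (presumably the new checknames.AllValidChecks) or not at all; an annotation naming a check that exists but is excluded from this run will therefore be accepted where it may previously have produced the "couldn't parse maintainer annotations" log line below. If that is the intended behaviour, a one-line comment at the call site, `// annotations are validated against all known checks, not just those selected for this run`, saves the next reader from re-deriving it, and the change deserves a mention in the annotations documentation. runScorecard starts and ends outside the hunk.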
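Review bot: `checkName := checkName` is now a self-shadowing no-op: the `string(...)` conversion it replaced is gone because CheckName is a string alias, and nothing in the visible lines captures the variable in a closure that would justify the pre-Go-1.22 copy idiom (go.mod declares `go 1.21.11`, so the idiom would otherwise be relevant). Delete the line and use the range variable directly in `if !seen[checkName]` and the assignRawData call; populateRawResults continues outside the hunk, so check that no later closure depends on the copy before removing it.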
diff --git a/probes/README.md b/probes/README.md index 7acd973d76a..86e91442335 100644 --- a/probes/README.md +++ b/probes/README.md @@ -16,6 +16,13 @@ A probe consists of three files: - `impl.go`: The actual implementation of the probe. - `impl_test.go`: The probe's test. +## Lifecycle + +Probes can exist in several different lifecycle states: +* `Experimental`: The semantics of the probe may change, and there are no stability guarantees. +* `Stable`: The probe behavior and semantics will not change. There may be bug fixes as needed. +* `Deprecated`: The probe is no longer supported and callers should not expect it to be maintained. + ## Reusing code in probes When multiple probes use the same code, the reused code can be placed in a package under `probes/internal/` diff --git a/probes/archived/def.yml b/probes/archived/def.yml index 96a55830eb4..4b7c7502cff 100644 --- a/probes/archived/def.yml +++ b/probes/archived/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: archived +lifecycle: stable short: Check that the project is archived motivation: > An archived project will not received security patches, and is not actively tested or used. diff --git a/probes/archived/impl.go b/probes/archived/impl.go index ecb6bcf37f4..c70ea2b5dc6 100644 --- a/probes/archived/impl.go +++ b/probes/archived/impl.go @@ -20,12 +20,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.Maintained}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.Maintained}) } //go:embed *.yml diff --git a/probes/blocksDeleteOnBranches/def.yml b/probes/blocksDeleteOnBranches/def.yml index 7eb618c2c9a..580d58688fe 100644 --- a/probes/blocksDeleteOnBranches/def.yml 
+++ b/probes/blocksDeleteOnBranches/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: blocksDeleteOnBranches +lifecycle: stable short: Check that the project blocks non-admins from deleting branches. motivation: > Allowing non-admins to delete project branches has a similar effect to performing force pushes. diff --git a/probes/blocksDeleteOnBranches/impl.go b/probes/blocksDeleteOnBranches/impl.go index 065da42edb1..c86a9298d78 100644 --- a/probes/blocksDeleteOnBranches/impl.go +++ b/probes/blocksDeleteOnBranches/impl.go @@ -21,12 +21,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.BranchProtection}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.BranchProtection}) } //go:embed *.yml diff --git a/probes/blocksForcePushOnBranches/def.yml b/probes/blocksForcePushOnBranches/def.yml index 5f93616e047..c7e3c1c9d96 100644 --- a/probes/blocksForcePushOnBranches/def.yml +++ b/probes/blocksForcePushOnBranches/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: blocksForcePushOnBranches +lifecycle: stable short: Check that the project blocks force push on its branches. motivation: > Allowing force pushes to branches could allow those with write access to make insecure changes to the behavior of the project. diff --git a/probes/blocksForcePushOnBranches/impl.go b/probes/blocksForcePushOnBranches/impl.go index 73724cc9623..30ea3268529 100644 --- a/probes/blocksForcePushOnBranches/impl.go +++ b/probes/blocksForcePushOnBranches/impl.go 
@@ -21,12 +21,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.BranchProtection}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.BranchProtection}) } //go:embed *.yml diff --git a/probes/branchProtectionAppliesToAdmins/def.yml b/probes/branchProtectionAppliesToAdmins/def.yml index 008f4e14007..100623c729c 100644 --- a/probes/branchProtectionAppliesToAdmins/def.yml +++ b/probes/branchProtectionAppliesToAdmins/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: branchProtectionAppliesToAdmins +lifecycle: stable short: Check that the project's branch protection rules apply to project admins. motivation: > Admins may be able to bypass branch protection settings which could defeat the purpose of having them. diff --git a/probes/branchProtectionAppliesToAdmins/impl.go b/probes/branchProtectionAppliesToAdmins/impl.go index ff20bd01ec6..b8cd21c37e2 100644 --- a/probes/branchProtectionAppliesToAdmins/impl.go +++ b/probes/branchProtectionAppliesToAdmins/impl.go @@ -21,13 +21,14 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/branchprotection" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.BranchProtection}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.BranchProtection}) } //go:embed *.yml diff --git a/probes/branchesAreProtected/def.yml b/probes/branchesAreProtected/def.yml index 81288456ee5..3ed8b4b8474 100644 --- a/probes/branchesAreProtected/def.yml 
+++ b/probes/branchesAreProtected/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: branchesAreProtected +lifecycle: stable short: Check that the project uses protected branches. motivation: > Unprotected branches may allow actions that could compromise the project's security. diff --git a/probes/branchesAreProtected/impl.go b/probes/branchesAreProtected/impl.go index 33a0165272b..159020edc92 100644 --- a/probes/branchesAreProtected/impl.go +++ b/probes/branchesAreProtected/impl.go @@ -21,12 +21,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.BranchProtection}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.BranchProtection}) } //go:embed *.yml diff --git a/probes/codeApproved/def.yml b/probes/codeApproved/def.yml index 0b34a7a9b4a..c8a978ad740 100644 --- a/probes/codeApproved/def.yml +++ b/probes/codeApproved/def.yml @@ -14,6 +14,7 @@ id: codeApproved +lifecycle: stable short: Check that all recent changesets have been approved by someone who is not the author of the changeset. motivation: > To ensure that the review process works, the proposed changes diff --git a/probes/codeApproved/impl.go b/probes/codeApproved/impl.go index d3dfff5efe7..fe9f0eacf58 100644 --- a/probes/codeApproved/impl.go +++ b/probes/codeApproved/impl.go 
@@ -22,12 +22,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.CodeReview}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.CodeReview}) } //go:embed *.yml diff --git a/probes/codeReviewOneReviewers/def.yml b/probes/codeReviewOneReviewers/def.yml index e0a47abf49f..a40c7bab790 100644 --- a/probes/codeReviewOneReviewers/def.yml +++ b/probes/codeReviewOneReviewers/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: codeReviewOneReviewers +lifecycle: experimental short: Check that at least one reviewers review a change before merging. motivation: > To ensure that the review process works, the proposed changes diff --git a/probes/codeReviewOneReviewers/impl.go b/probes/codeReviewOneReviewers/impl.go index e68bffd7cc5..8176f19b69a 100644 --- a/probes/codeReviewOneReviewers/impl.go +++ b/probes/codeReviewOneReviewers/impl.go @@ -22,12 +22,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/clients" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/utils" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.CodeReview}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.CodeReview}) } var ( diff --git a/probes/contributorsFromOrgOrCompany/def.yml b/probes/contributorsFromOrgOrCompany/def.yml index 2cd0f4a560a..1538a26d4e0 100644 --- a/probes/contributorsFromOrgOrCompany/def.yml +++ b/probes/contributorsFromOrgOrCompany/def.yml 
@@ -13,6 +13,7 @@ # limitations under the License. id: contributorsFromOrgOrCompany +lifecycle: experimental short: Checks whether a project has a contributions from users associated with a company or organization. motivation: > This probe tries to determine if the project has recent contributors from multiple organizations. diff --git a/probes/contributorsFromOrgOrCompany/impl.go b/probes/contributorsFromOrgOrCompany/impl.go index a5172e8a6bd..0bed128ed6f 100644 --- a/probes/contributorsFromOrgOrCompany/impl.go +++ b/probes/contributorsFromOrgOrCompany/impl.go @@ -21,6 +21,7 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) @@ -30,7 +31,7 @@ const ( ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.Contributors}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.Contributors}) } //go:embed *.yml diff --git a/probes/createdRecently/def.yml b/probes/createdRecently/def.yml index b2fb844a040..6a20315360b 100644 --- a/probes/createdRecently/def.yml +++ b/probes/createdRecently/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: createdRecently +lifecycle: stable short: Checks if the project was created in the last 90 days. motivation: > Recently created repositories have been used for malicious forks / typosquatting attacks in the past. diff --git a/probes/createdRecently/impl.go b/probes/createdRecently/impl.go index 5b87a817e4f..b846b611502 100644 --- a/probes/createdRecently/impl.go +++ b/probes/createdRecently/impl.go 
@@ -23,12 +23,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.Maintained}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.Maintained}) } //go:embed *.yml diff --git a/probes/dependencyUpdateToolConfigured/def.yml b/probes/dependencyUpdateToolConfigured/def.yml index 2a0dea93634..a2bc4f46db7 100644 --- a/probes/dependencyUpdateToolConfigured/def.yml +++ b/probes/dependencyUpdateToolConfigured/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: dependencyUpdateToolConfigured +lifecycle: stable short: Check that a dependency update tool config is present. motivation: > Out-of-date dependencies make a project vulnerable to known flaws and prone to attacks. diff --git a/probes/dependencyUpdateToolConfigured/impl.go b/probes/dependencyUpdateToolConfigured/impl.go index 67e94acc07a..98d508e8201 100644 --- a/probes/dependencyUpdateToolConfigured/impl.go +++ b/probes/dependencyUpdateToolConfigured/impl.go @@ -21,12 +21,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.DependencyUpdateTool}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.DependencyUpdateTool}) } //go:embed *.yml diff --git a/probes/dismissesStaleReviews/def.yml b/probes/dismissesStaleReviews/def.yml index a642671bd1e..d915c29e119 100644 --- a/probes/dismissesStaleReviews/def.yml +++ b/probes/dismissesStaleReviews/def.yml 
@@ -13,6 +13,7 @@ # limitations under the License. id: dismissesStaleReviews +lifecycle: stable short: Check that the project dismisses stale reviews when new commits are pushed. motivation: > When a project does not dismiss stale reviews, contributors can bring their pull requests to an approved state and then make unreviewed commits. diff --git a/probes/dismissesStaleReviews/impl.go b/probes/dismissesStaleReviews/impl.go index a955bec893a..fea575cade4 100644 --- a/probes/dismissesStaleReviews/impl.go +++ b/probes/dismissesStaleReviews/impl.go @@ -21,13 +21,14 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/branchprotection" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.BranchProtection}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.BranchProtection}) } //go:embed *.yml diff --git a/probes/fuzzed/def.yml b/probes/fuzzed/def.yml index c5cefdedfa9..f9c0dd4a0c0 100644 --- a/probes/fuzzed/def.yml +++ b/probes/fuzzed/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: fuzzed +lifecycle: stable short: Check that the project is fuzzed motivation: > Fuzzing, or fuzz testing, is the practice of feeding unexpected or random data into a program to expose bugs. diff --git a/probes/fuzzed/impl.go b/probes/fuzzed/impl.go index de4c40a4237..5373605602f 100644 --- a/probes/fuzzed/impl.go +++ b/probes/fuzzed/impl.go 
@@ -20,12 +20,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.Fuzzing}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.Fuzzing}) } //go:embed *.yml diff --git a/probes/hasBinaryArtifacts/def.yml b/probes/hasBinaryArtifacts/def.yml index 84c699e3c55..8c2f2d837c1 100644 --- a/probes/hasBinaryArtifacts/def.yml +++ b/probes/hasBinaryArtifacts/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasBinaryArtifacts +lifecycle: stable short: Checks if the project has any binary files in its source tree. motivation: > Binary files are not human readable so users and reviewers can't easily see what they do. diff --git a/probes/hasBinaryArtifacts/impl.go b/probes/hasBinaryArtifacts/impl.go index be2b38608c9..7013b043402 100644 --- a/probes/hasBinaryArtifacts/impl.go +++ b/probes/hasBinaryArtifacts/impl.go @@ -21,12 +21,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.BinaryArtifacts}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.BinaryArtifacts}) } //go:embed *.yml diff --git a/probes/hasDangerousWorkflowScriptInjection/def.yml b/probes/hasDangerousWorkflowScriptInjection/def.yml index 176cf4c0218..7c4f482ae0c 100644 --- a/probes/hasDangerousWorkflowScriptInjection/def.yml +++ b/probes/hasDangerousWorkflowScriptInjection/def.yml 
@@ -13,6 +13,7 @@ # limitations under the License. id: hasDangerousWorkflowScriptInjection +lifecycle: stable short: Check whether the project has GitHub Actions workflows that enable script injection. motivation: > Script injections allow attackers to use untrusted input to access privileged resources (code execution, secret exfiltration, etc.) diff --git a/probes/hasDangerousWorkflowScriptInjection/impl.go b/probes/hasDangerousWorkflowScriptInjection/impl.go index f368b73adde..1ec39da97dc 100644 --- a/probes/hasDangerousWorkflowScriptInjection/impl.go +++ b/probes/hasDangerousWorkflowScriptInjection/impl.go @@ -21,12 +21,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.DangerousWorkflow}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.DangerousWorkflow}) } //go:embed *.yml diff --git a/probes/hasDangerousWorkflowUntrustedCheckout/def.yml b/probes/hasDangerousWorkflowUntrustedCheckout/def.yml index 00c480b8e4a..ca94cbd2be1 100644 --- a/probes/hasDangerousWorkflowUntrustedCheckout/def.yml +++ b/probes/hasDangerousWorkflowUntrustedCheckout/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasDangerousWorkflowUntrustedCheckout +lifecycle: stable short: Check whether the project has GitHub Actions workflows that does untrusted checkouts. motivation: > GitHub workflows triggered with pull_request_target or workflow_run have write permission to the target repository and access to target repository secrets. diff --git a/probes/hasDangerousWorkflowUntrustedCheckout/impl.go b/probes/hasDangerousWorkflowUntrustedCheckout/impl.go index 0e5fa88436b..83727cc9b63 100644 --- a/probes/hasDangerousWorkflowUntrustedCheckout/impl.go 
+++ b/probes/hasDangerousWorkflowUntrustedCheckout/impl.go @@ -21,12 +21,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.DangerousWorkflow}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.DangerousWorkflow}) } //go:embed *.yml diff --git a/probes/hasFSFOrOSIApprovedLicense/def.yml b/probes/hasFSFOrOSIApprovedLicense/def.yml index 2d0ae3b1634..25da80850ed 100644 --- a/probes/hasFSFOrOSIApprovedLicense/def.yml +++ b/probes/hasFSFOrOSIApprovedLicense/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasFSFOrOSIApprovedLicense +lifecycle: stable short: Check that the project has an FSF or OSI approved license. motivation: > A license can give users information about how the source code may or may not be used. diff --git a/probes/hasFSFOrOSIApprovedLicense/impl.go b/probes/hasFSFOrOSIApprovedLicense/impl.go index cbe0360ff8b..1a53dc14a5b 100644 --- a/probes/hasFSFOrOSIApprovedLicense/impl.go +++ b/probes/hasFSFOrOSIApprovedLicense/impl.go @@ -21,12 +21,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.License}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.License}) } //go:embed *.yml diff --git a/probes/hasLicenseFile/def.yml b/probes/hasLicenseFile/def.yml index 3cf96a4089b..eeca9bad8a8 100644 --- a/probes/hasLicenseFile/def.yml +++ b/probes/hasLicenseFile/def.yml 
@@ -13,6 +13,7 @@ # limitations under the License. id: hasLicenseFile +lifecycle: stable short: Check that the project has a license file motivation: > A license can give users information about how the source code may or may not be used. diff --git a/probes/hasLicenseFile/impl.go b/probes/hasLicenseFile/impl.go index 0fb7e9e3f88..f3de9b1dbb6 100644 --- a/probes/hasLicenseFile/impl.go +++ b/probes/hasLicenseFile/impl.go @@ -21,12 +21,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.License}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.License}) } //go:embed *.yml diff --git a/probes/hasNoGitHubWorkflowPermissionUnknown/def.yml b/probes/hasNoGitHubWorkflowPermissionUnknown/def.yml index fb22aa2bb42..a903440fbc1 100644 --- a/probes/hasNoGitHubWorkflowPermissionUnknown/def.yml +++ b/probes/hasNoGitHubWorkflowPermissionUnknown/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasNoGitHubWorkflowPermissionUnknown +lifecycle: experimental short: Checks that GitHub workflows have workflows with unknown permissions motivation: > Unknown permissions may be a result of a bug or another error from fetching the permission levels. diff --git a/probes/hasOSVVulnerabilities/def.yml b/probes/hasOSVVulnerabilities/def.yml index 26fd8a6b4d9..53f903819af 100644 --- a/probes/hasOSVVulnerabilities/def.yml +++ b/probes/hasOSVVulnerabilities/def.yml 
@@ -13,6 +13,7 @@ # limitations under the License. id: hasOSVVulnerabilities +lifecycle: stable short: Check whether the project has known vulnerabilities motivation: > This check determines whether the project has open, unfixed vulnerabilities in its own codebase or its dependencies using the OSV (Open Source Vulnerabilities) service. diff --git a/probes/hasOSVVulnerabilities/impl.go b/probes/hasOSVVulnerabilities/impl.go index 49da22e2ac2..61f36639f25 100644 --- a/probes/hasOSVVulnerabilities/impl.go +++ b/probes/hasOSVVulnerabilities/impl.go @@ -25,12 +25,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.Vulnerabilities}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.Vulnerabilities}) } //go:embed *.yml diff --git a/probes/hasOpenSSFBadge/def.yml b/probes/hasOpenSSFBadge/def.yml index 621fe4636c6..f558f098939 100644 --- a/probes/hasOpenSSFBadge/def.yml +++ b/probes/hasOpenSSFBadge/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasOpenSSFBadge +lifecycle: stable short: This check determines whether the project has an OpenSSF (formerly CII) Best Practices Badge. motivation: > The OpenSSF Best Practices badge indicates whether or not the project uses a set of security-focused best development practices for open source software. diff --git a/probes/hasOpenSSFBadge/impl.go b/probes/hasOpenSSFBadge/impl.go index 71f43357b87..7124d9a5ce1 100644 --- a/probes/hasOpenSSFBadge/impl.go +++ b/probes/hasOpenSSFBadge/impl.go 
@@ -22,12 +22,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/clients" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.CIIBestPractices}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.CIIBestPractices}) } //go:embed *.yml diff --git a/probes/hasPermissiveLicense/def.yml b/probes/hasPermissiveLicense/def.yml index bdacd4b19a0..d93aff76da2 100644 --- a/probes/hasPermissiveLicense/def.yml +++ b/probes/hasPermissiveLicense/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasPermissiveLicense +lifecycle: stable short: Check that the project has an permissive license. motivation: > A permissive license allows users to use the analyzed component to be used in derivative works. Non-permissive licenses (as copyleft licenses) might be a legal risk for potential users. diff --git a/probes/hasPermissiveLicense/impl.go b/probes/hasPermissiveLicense/impl.go index ac80f0cdbc5..b7c7cf9aadf 100644 --- a/probes/hasPermissiveLicense/impl.go +++ b/probes/hasPermissiveLicense/impl.go @@ -21,6 +21,7 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) @@ -29,7 +30,7 @@ import ( var fs embed.FS func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.License}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.License}) } const Probe = "hasPermissiveLicense" diff --git a/probes/hasRecentCommits/def.yml b/probes/hasRecentCommits/def.yml index aba447fac4f..a7e495c80b8 100644 --- a/probes/hasRecentCommits/def.yml +++ b/probes/hasRecentCommits/def.yml 
@@ -13,6 +13,7 @@ # limitations under the License. id: hasRecentCommits +lifecycle: stable short: Check whether the project has at least one commit per week over the last 90 days. motivation: > A project which is not active might not be patched, have its dependencies patched, or be actively tested and used. diff --git a/probes/hasRecentCommits/impl.go b/probes/hasRecentCommits/impl.go index f92f54e4bf6..fe63cd959fa 100644 --- a/probes/hasRecentCommits/impl.go +++ b/probes/hasRecentCommits/impl.go @@ -23,12 +23,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.Maintained}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.Maintained}) } //go:embed *.yml diff --git a/probes/hasReleaseSBOM/def.yml b/probes/hasReleaseSBOM/def.yml index e8d911252b9..237671c3a6e 100644 --- a/probes/hasReleaseSBOM/def.yml +++ b/probes/hasReleaseSBOM/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasReleaseSBOM +lifecycle: experimental short: Check that the project publishes an SBOM as part of its release artifacts. motivation: > An SBOM can give users information about how the source code components and dependencies. They help facilitate sotware supplychain security and aid in identifying upstream vulnerabilities in a codebase. diff --git a/probes/hasReleaseSBOM/impl.go b/probes/hasReleaseSBOM/impl.go index ecf3d49ce1f..239b26d27f0 100644 --- a/probes/hasReleaseSBOM/impl.go +++ b/probes/hasReleaseSBOM/impl.go 
@@ -21,12 +21,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.SBOM}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.SBOM}) } //go:embed *.yml diff --git a/probes/hasSBOM/def.yml b/probes/hasSBOM/def.yml index d303b1ddcaa..2a7909565a2 100644 --- a/probes/hasSBOM/def.yml +++ b/probes/hasSBOM/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: hasSBOM +lifecycle: experimental short: Check that the project has an SBOM file motivation: > An SBOM can give users information about how the source code components and dependencies. They help facilitate sotware supplychain security and aid in identifying upstream vulnerabilities in a codebase. diff --git a/probes/hasSBOM/impl.go b/probes/hasSBOM/impl.go index 5ce606ff96b..c4acfaf3cbc 100644 --- a/probes/hasSBOM/impl.go +++ b/probes/hasSBOM/impl.go @@ -21,12 +21,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.SBOM}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.SBOM}) } //go:embed *.yml diff --git a/probes/hasUnverifiedBinaryArtifacts/def.yml b/probes/hasUnverifiedBinaryArtifacts/def.yml index ec4b1e1603a..bb887862587 100644 --- a/probes/hasUnverifiedBinaryArtifacts/def.yml +++ b/probes/hasUnverifiedBinaryArtifacts/def.yml 
@@ -13,6 +13,7 @@ # limitations under the License. id: hasUnverifiedBinaryArtifacts +lifecycle: stable short: Checks if the project has binary files in its source tree. The probe skips verified binary files which currently are gradle-wrappers. motivation: > Binary files are not human readable so users and reviewers can't easily see what they do. diff --git a/probes/hasUnverifiedBinaryArtifacts/impl.go b/probes/hasUnverifiedBinaryArtifacts/impl.go index 4ea740274e2..697fa8d51e2 100644 --- a/probes/hasUnverifiedBinaryArtifacts/impl.go +++ b/probes/hasUnverifiedBinaryArtifacts/impl.go @@ -21,12 +21,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.BinaryArtifacts}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.BinaryArtifacts}) } //go:embed *.yml diff --git a/probes/issueActivityByProjectMember/def.yml b/probes/issueActivityByProjectMember/def.yml index afe9ae546e9..1154a0bf79b 100644 --- a/probes/issueActivityByProjectMember/def.yml +++ b/probes/issueActivityByProjectMember/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: issueActivityByProjectMember +lifecycle: stable short: Checks that a collaborator, member or owner has participated in issues in the last 90 days. motivation: > A project which does not respond to issues may not be actively maintained. diff --git a/probes/issueActivityByProjectMember/impl.go b/probes/issueActivityByProjectMember/impl.go index d97ae1eb925..39a2bda2204 100644 --- a/probes/issueActivityByProjectMember/impl.go +++ b/probes/issueActivityByProjectMember/impl.go 
@@ -24,12 +24,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/clients" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.Maintained}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.Maintained}) } //go:embed *.yml diff --git a/probes/jobLevelPermissions/def.yml b/probes/jobLevelPermissions/def.yml index 398e8752026..6d83a1d6c52 100644 --- a/probes/jobLevelPermissions/def.yml +++ b/probes/jobLevelPermissions/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: jobLevelPermissions +lifecycle: experimental short: Checks that GitHub workflows do not have "write" permissions at the "job" level. motivation: > In some circumstances, having "write" permissions at the "job" level may enable attackers to escalate privileges. diff --git a/probes/packagedWithAutomatedWorkflow/def.yml b/probes/packagedWithAutomatedWorkflow/def.yml index 450c6ec7539..5eb3731b9cb 100644 --- a/probes/packagedWithAutomatedWorkflow/def.yml +++ b/probes/packagedWithAutomatedWorkflow/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: packagedWithAutomatedWorkflow +lifecycle: stable short: Checks whether the project uses automated packaging. motivation: > Packages give users of a project an easy way to download, install, update, and uninstall the software by a package manager. diff --git a/probes/packagedWithAutomatedWorkflow/impl.go b/probes/packagedWithAutomatedWorkflow/impl.go index 88bd2ba2b79..2de64040a41 100644 --- a/probes/packagedWithAutomatedWorkflow/impl.go +++ b/probes/packagedWithAutomatedWorkflow/impl.go 
@@ -21,12 +21,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.Packaging}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.Packaging}) } //go:embed *.yml diff --git a/probes/pinsDependencies/def.yml b/probes/pinsDependencies/def.yml index a1ea8a5148e..e715b7b4ef7 100644 --- a/probes/pinsDependencies/def.yml +++ b/probes/pinsDependencies/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: pinsDependencies +lifecycle: stable short: Check that the project pins dependencies to a specific digest. motivation: > Pinned dependencies ensure that checking and deployment are all done with the same software, reducing deployment risks, simplifying debugging, and enabling reproducibility. They can help mitigate compromised dependencies from undermining the security of the project (in the case where you've evaluated the pinned dependency, you are confident it's not compromised, and a later version is released that is compromised). diff --git a/probes/pinsDependencies/impl.go b/probes/pinsDependencies/impl.go index d8a6a1a116c..b393050265f 100644 --- a/probes/pinsDependencies/impl.go +++ b/probes/pinsDependencies/impl.go @@ -23,12 +23,13 @@ import ( "github.com/ossf/scorecard/v5/checks/fileparser" sce "github.com/ossf/scorecard/v5/errors" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.PinnedDependencies}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.PinnedDependencies}) } //go:embed *.yml 
diff --git a/probes/releasesAreSigned/def.yml b/probes/releasesAreSigned/def.yml index 633b79ca915..825f4697971 100644 --- a/probes/releasesAreSigned/def.yml +++ b/probes/releasesAreSigned/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: releasesAreSigned +lifecycle: stable short: Check that the projects GitHub and GitLab releases are signed. motivation: > Signed releases allow consumers to verify their artifacts before consuming them. diff --git a/probes/releasesAreSigned/impl.go b/probes/releasesAreSigned/impl.go index 217f50af633..66efdbaec4e 100644 --- a/probes/releasesAreSigned/impl.go +++ b/probes/releasesAreSigned/impl.go @@ -22,12 +22,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.SignedReleases}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.SignedReleases}) } //go:embed *.yml diff --git a/probes/releasesHaveProvenance/def.yml b/probes/releasesHaveProvenance/def.yml index fa2e2f659dc..8cd133a9121 100644 --- a/probes/releasesHaveProvenance/def.yml +++ b/probes/releasesHaveProvenance/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: releasesHaveProvenance +lifecycle: stable short: Check that the projects releases on GitHub and GitLab have provenance. motivation: > Provenance give users security-critical, verifiable information so that consumers can verify their artifacts before consuming them. diff --git a/probes/releasesHaveProvenance/impl.go b/probes/releasesHaveProvenance/impl.go index 8a87696ff0c..6fbf4fb52d3 100644 --- a/probes/releasesHaveProvenance/impl.go +++ b/probes/releasesHaveProvenance/impl.go 
@@ -22,12 +22,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.SignedReleases}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.SignedReleases}) } //go:embed *.yml diff --git a/probes/releasesHaveVerifiedProvenance/def.yml b/probes/releasesHaveVerifiedProvenance/def.yml index 698c520bf3d..977df01dc73 100644 --- a/probes/releasesHaveVerifiedProvenance/def.yml +++ b/probes/releasesHaveVerifiedProvenance/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: releasesHaveVerifiedProvenance +lifecycle: experimental short: Checks if the project releases with provenance attestations that have been verified motivation: > Package provenance attestations provide a greater guarantee of authenticity and integrity than package signatures alone, since the attestation can be performed over a hash of both the package contents and metadata. Developers can attest to particular qualities of the build, such as the build environment, build steps or builder identity. diff --git a/probes/releasesHaveVerifiedProvenance/impl.go b/probes/releasesHaveVerifiedProvenance/impl.go index f73b20fcc56..7839fb93888 100644 --- a/probes/releasesHaveVerifiedProvenance/impl.go +++ b/probes/releasesHaveVerifiedProvenance/impl.go @@ -21,11 +21,12 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.SignedReleases}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.SignedReleases}) } //go:embed *.yml 
diff --git a/probes/requiresApproversForPullRequests/def.yml b/probes/requiresApproversForPullRequests/def.yml index 246563078e7..93a24667f1f 100644 --- a/probes/requiresApproversForPullRequests/def.yml +++ b/probes/requiresApproversForPullRequests/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: requiresApproversForPullRequests +lifecycle: stable short: Check that the project requires approvers for pull requests. motivation: > Requiring approvers for pull requests makes it harder to introduce vulnerable code to the project. diff --git a/probes/requiresApproversForPullRequests/impl.go b/probes/requiresApproversForPullRequests/impl.go index 3c307df567a..4d16e945dea 100644 --- a/probes/requiresApproversForPullRequests/impl.go +++ b/probes/requiresApproversForPullRequests/impl.go @@ -23,12 +23,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.BranchProtection}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.BranchProtection}) } //go:embed *.yml diff --git a/probes/requiresCodeOwnersReview/def.yml b/probes/requiresCodeOwnersReview/def.yml index 12d1937ce33..978930cd7f6 100644 --- a/probes/requiresCodeOwnersReview/def.yml +++ b/probes/requiresCodeOwnersReview/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: requiresCodeOwnersReview +lifecycle: stable short: Check that the project requires dedicated code owners to review PRs. motivation: > Code owners are expected to have deep knowledge about a code; Having experienced reviewers for PRs is expected to prevent security issues. diff --git a/probes/requiresCodeOwnersReview/impl.go b/probes/requiresCodeOwnersReview/impl.go index 2e7ae0dac82..68e9e638e97 100644 
--- a/probes/requiresCodeOwnersReview/impl.go +++ b/probes/requiresCodeOwnersReview/impl.go @@ -21,12 +21,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.BranchProtection}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.BranchProtection}) } //go:embed *.yml diff --git a/probes/requiresLastPushApproval/def.yml b/probes/requiresLastPushApproval/def.yml index d5b3350d3b5..e8bd9fcf7d4 100644 --- a/probes/requiresLastPushApproval/def.yml +++ b/probes/requiresLastPushApproval/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: requiresLastPushApproval +lifecycle: stable short: Check that the project requires approval of the most recent push. motivation: > Requiring approval of the most recent push prevents contributors from sneaking malicious commits into a PR after it has been approved. diff --git a/probes/requiresLastPushApproval/impl.go b/probes/requiresLastPushApproval/impl.go index 97ab18e289d..0cedbeace0e 100644 --- a/probes/requiresLastPushApproval/impl.go +++ b/probes/requiresLastPushApproval/impl.go @@ -21,13 +21,14 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/branchprotection" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.BranchProtection}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.BranchProtection}) } //go:embed *.yml diff --git a/probes/requiresPRsToChangeCode/def.yml b/probes/requiresPRsToChangeCode/def.yml index 1c80b2f1d94..36a1eee176c 100644 
--- a/probes/requiresPRsToChangeCode/def.yml +++ b/probes/requiresPRsToChangeCode/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: requiresPRsToChangeCode +lifecycle: stable short: Check that the project requires pull requests to change code. motivation: > Changing code through pull requests promotes testing and reviews of the suggested change. diff --git a/probes/requiresPRsToChangeCode/impl.go b/probes/requiresPRsToChangeCode/impl.go index 589e4d374cd..8d7bcf1becc 100644 --- a/probes/requiresPRsToChangeCode/impl.go +++ b/probes/requiresPRsToChangeCode/impl.go @@ -22,12 +22,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.BranchProtection}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.BranchProtection}) } //go:embed *.yml diff --git a/probes/requiresUpToDateBranches/def.yml b/probes/requiresUpToDateBranches/def.yml index e0690498c4c..db7dd19aa14 100644 --- a/probes/requiresUpToDateBranches/def.yml +++ b/probes/requiresUpToDateBranches/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: requiresUpToDateBranches +lifecycle: stable short: Check that the project requires PRs to be in sync with the base branch. motivation: > Requiring PRs to be in sync with the base branch is good practice. diff --git a/probes/requiresUpToDateBranches/impl.go b/probes/requiresUpToDateBranches/impl.go index 228c0e6c752..8c86839f750 100644 --- a/probes/requiresUpToDateBranches/impl.go +++ b/probes/requiresUpToDateBranches/impl.go 
@@ -21,13 +21,14 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/branchprotection" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.BranchProtection}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.BranchProtection}) } //go:embed *.yml diff --git a/probes/runsStatusChecksBeforeMerging/def.yml b/probes/runsStatusChecksBeforeMerging/def.yml index 510150789a6..0809ea59cc6 100644 --- a/probes/runsStatusChecksBeforeMerging/def.yml +++ b/probes/runsStatusChecksBeforeMerging/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: runsStatusChecksBeforeMerging +lifecycle: stable short: Check that the project runs required status checks motivation: > Required status checks can check for common errors and resolve issues in PRs. diff --git a/probes/runsStatusChecksBeforeMerging/impl.go b/probes/runsStatusChecksBeforeMerging/impl.go index 7eae9673e7f..a1d4fcddc1c 100644 --- a/probes/runsStatusChecksBeforeMerging/impl.go +++ b/probes/runsStatusChecksBeforeMerging/impl.go @@ -21,12 +21,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.BranchProtection}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.BranchProtection}) } //go:embed *.yml diff --git a/probes/sastToolConfigured/def.yml b/probes/sastToolConfigured/def.yml index cfecd7bcd9d..7d8336d7d5b 100644 --- a/probes/sastToolConfigured/def.yml +++ b/probes/sastToolConfigured/def.yml 
@@ -13,6 +13,7 @@ # limitations under the License. id: sastToolConfigured +lifecycle: stable short: Check that the project uses a SAST tool motivation: > SAST is testing run on source code before the application is run. Using SAST tools can prevent known classes of bugs from being inadvertently introduced in the codebase. diff --git a/probes/sastToolConfigured/impl.go b/probes/sastToolConfigured/impl.go index fb5e8098ca7..a549cf9bbd4 100644 --- a/probes/sastToolConfigured/impl.go +++ b/probes/sastToolConfigured/impl.go @@ -21,12 +21,13 @@ import ( "github.com/ossf/scorecard/v5/checker" "github.com/ossf/scorecard/v5/finding" + "github.com/ossf/scorecard/v5/internal/checknames" "github.com/ossf/scorecard/v5/internal/probes" "github.com/ossf/scorecard/v5/probes/internal/utils/uerror" ) func init() { - probes.MustRegister(Probe, Run, []probes.CheckName{probes.SAST}) + probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.SAST}) } //go:embed *.yml diff --git a/probes/sastToolRunsOnAllCommits/def.yml b/probes/sastToolRunsOnAllCommits/def.yml index bfe00129cc0..16bcb2b409a 100644 --- a/probes/sastToolRunsOnAllCommits/def.yml +++ b/probes/sastToolRunsOnAllCommits/def.yml @@ -13,6 +13,7 @@ # limitations under the License. id: sastToolRunsOnAllCommits +lifecycle: stable short: Checks that a SAST tool runs on all commits in the projects CI. motivation: > SAST is testing run on source code before the application is run. Using SAST tools can prevent known classes of bugs from being inadvertently introduced in the codebase. diff --git a/probes/sastToolRunsOnAllCommits/impl.go b/probes/sastToolRunsOnAllCommits/impl.go index e88b0f6f202..6925385900c 100644 --- a/probes/sastToolRunsOnAllCommits/impl.go +++ b/probes/sastToolRunsOnAllCommits/impl.go 
@@ -22,12 +22,13 @@ import (
 "github.com/ossf/scorecard/v5/checker"
 "github.com/ossf/scorecard/v5/finding"
+ "github.com/ossf/scorecard/v5/internal/checknames"
 "github.com/ossf/scorecard/v5/internal/probes"
 "github.com/ossf/scorecard/v5/probes/internal/utils/uerror"
 )
 func init() {
- probes.MustRegister(Probe, Run, []probes.CheckName{probes.SAST})
+ probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.SAST})
 }
 //go:embed *.yml
diff --git a/probes/securityPolicyContainsLinks/def.yml b/probes/securityPolicyContainsLinks/def.yml
index d19fd1d1d71..8070f0bf460 100644
--- a/probes/securityPolicyContainsLinks/def.yml
+++ b/probes/securityPolicyContainsLinks/def.yml
@@ -13,6 +13,7 @@
 # limitations under the License.
 id: securityPolicyContainsLinks
+lifecycle: stable
 short: Check that the security policy contains web or email links.
 motivation: >
 URLs point users to additional information as well as online disclosure forms.
diff --git a/probes/securityPolicyContainsLinks/impl.go b/probes/securityPolicyContainsLinks/impl.go
index 14a5979dfa1..c5d9f486a75 100644
--- a/probes/securityPolicyContainsLinks/impl.go
+++ b/probes/securityPolicyContainsLinks/impl.go
@@ -21,13 +21,14 @@ import (
 "github.com/ossf/scorecard/v5/checker"
 "github.com/ossf/scorecard/v5/finding"
+ "github.com/ossf/scorecard/v5/internal/checknames"
 "github.com/ossf/scorecard/v5/internal/probes"
 "github.com/ossf/scorecard/v5/probes/internal/utils/secpolicy"
 "github.com/ossf/scorecard/v5/probes/internal/utils/uerror"
 )
 func init() {
- probes.MustRegister(Probe, Run, []probes.CheckName{probes.SecurityPolicy})
+ probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.SecurityPolicy})
 }
 //go:embed *.yml
diff --git a/probes/securityPolicyContainsText/def.yml b/probes/securityPolicyContainsText/def.yml
index a3e2e764f25..1e3ed325374 100644
--- a/probes/securityPolicyContainsText/def.yml
+++ b/probes/securityPolicyContainsText/def.yml
@@ -13,6 +13,7 @@
 # limitations under the License.
 id: securityPolicyContainsText
+lifecycle: stable
 short: Check that the security policy contains enough text and not just links.
 motivation: >
 Telling security researchers how to privately disclose problems with your project is important. The more details available, the better.
diff --git a/probes/securityPolicyContainsText/impl.go b/probes/securityPolicyContainsText/impl.go
index 862b8adc980..4399a5b8d33 100644
--- a/probes/securityPolicyContainsText/impl.go
+++ b/probes/securityPolicyContainsText/impl.go
@@ -21,13 +21,14 @@ import (
 "github.com/ossf/scorecard/v5/checker"
 "github.com/ossf/scorecard/v5/finding"
+ "github.com/ossf/scorecard/v5/internal/checknames"
 "github.com/ossf/scorecard/v5/internal/probes"
 "github.com/ossf/scorecard/v5/probes/internal/utils/secpolicy"
 "github.com/ossf/scorecard/v5/probes/internal/utils/uerror"
 )
 func init() {
- probes.MustRegister(Probe, Run, []probes.CheckName{probes.SecurityPolicy})
+ probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.SecurityPolicy})
 }
 //go:embed *.yml
diff --git a/probes/securityPolicyContainsVulnerabilityDisclosure/def.yml b/probes/securityPolicyContainsVulnerabilityDisclosure/def.yml
index 29b5d80f74a..1ae026e6632 100644
--- a/probes/securityPolicyContainsVulnerabilityDisclosure/def.yml
+++ b/probes/securityPolicyContainsVulnerabilityDisclosure/def.yml
@@ -13,6 +13,7 @@
 # limitations under the License.
 id: securityPolicyContainsVulnerabilityDisclosure
+lifecycle: stable
 short: Check that the security policy indicates a vulnerability disclosure process.
 motivation: >
 If someone finds a vulnerability in the project, it is important for them to be able to communicate it to the maintainers.
diff --git a/probes/securityPolicyContainsVulnerabilityDisclosure/impl.go b/probes/securityPolicyContainsVulnerabilityDisclosure/impl.go
index 3847d04834c..daf03236167 100644
--- a/probes/securityPolicyContainsVulnerabilityDisclosure/impl.go
+++ b/probes/securityPolicyContainsVulnerabilityDisclosure/impl.go
@@ -21,13 +21,14 @@ import (
 "github.com/ossf/scorecard/v5/checker"
 "github.com/ossf/scorecard/v5/finding"
+ "github.com/ossf/scorecard/v5/internal/checknames"
 "github.com/ossf/scorecard/v5/internal/probes"
 "github.com/ossf/scorecard/v5/probes/internal/utils/secpolicy"
 "github.com/ossf/scorecard/v5/probes/internal/utils/uerror"
 )
 func init() {
- probes.MustRegister(Probe, Run, []probes.CheckName{probes.SecurityPolicy})
+ probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.SecurityPolicy})
 }
 //go:embed *.yml
diff --git a/probes/securityPolicyPresent/def.yml b/probes/securityPolicyPresent/def.yml
index bb51cb0960f..3f3d9258b0d 100644
--- a/probes/securityPolicyPresent/def.yml
+++ b/probes/securityPolicyPresent/def.yml
@@ -13,6 +13,7 @@
 # limitations under the License.
 id: securityPolicyPresent
+lifecycle: stable
 short: Check if a security policy is defined in the repository or in the org's .github repository.
 motivation: >
 A security policy (typically a SECURITY.md file) can give users information about what constitutes a vulnerability and how to report one securely so that information about a bug is not publicly visible.
diff --git a/probes/securityPolicyPresent/impl.go b/probes/securityPolicyPresent/impl.go
index c4200e9c0f7..b08465337b6 100644
--- a/probes/securityPolicyPresent/impl.go
+++ b/probes/securityPolicyPresent/impl.go
@@ -21,12 +21,13 @@ import (
 "github.com/ossf/scorecard/v5/checker"
 "github.com/ossf/scorecard/v5/finding"
+ "github.com/ossf/scorecard/v5/internal/checknames"
 "github.com/ossf/scorecard/v5/internal/probes"
 "github.com/ossf/scorecard/v5/probes/internal/utils/uerror"
 )
 func init() {
- probes.MustRegister(Probe, Run, []probes.CheckName{probes.SecurityPolicy})
+ probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.SecurityPolicy})
 }
 //go:embed *.yml
diff --git a/probes/testsRunInCI/def.yml b/probes/testsRunInCI/def.yml
index 576cb8c2a2c..51f5ab84b7c 100644
--- a/probes/testsRunInCI/def.yml
+++ b/probes/testsRunInCI/def.yml
@@ -13,6 +13,7 @@
 # limitations under the License.
 id: testsRunInCI
+lifecycle: stable
 short: Checks that the project runs tests in the CI for example with GitHub Actions or Prow.
 motivation: >
 Running tests helps developers catch mistakes early on, which can reduce the number of vulnerabilities that find their way into a project.
diff --git a/probes/testsRunInCI/impl.go b/probes/testsRunInCI/impl.go
index 538bf353417..dd77c424ac1 100644
--- a/probes/testsRunInCI/impl.go
+++ b/probes/testsRunInCI/impl.go
@@ -22,12 +22,13 @@ import (
 "github.com/ossf/scorecard/v5/checker"
 "github.com/ossf/scorecard/v5/finding"
+ "github.com/ossf/scorecard/v5/internal/checknames"
 "github.com/ossf/scorecard/v5/internal/probes"
 "github.com/ossf/scorecard/v5/probes/internal/utils/uerror"
 )
 func init() {
- probes.MustRegister(Probe, Run, []probes.CheckName{probes.CITests})
+ probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.CITests})
 }
 //go:embed *.yml
diff --git a/probes/topLevelPermissions/def.yml b/probes/topLevelPermissions/def.yml
index ebc102abad7..d9c4cb0ed82 100644
--- a/probes/topLevelPermissions/def.yml
+++ b/probes/topLevelPermissions/def.yml
@@ -13,6 +13,7 @@
 # limitations under the License.
 id: topLevelPermissions
+lifecycle: experimental
 short: Checks that the project does not have any top-level write permissions in its workflows.
 motivation: >
 In some circumstances, having "write" permissions at the "top" level may enable attackers to escalate privileges.
diff --git a/probes/webhooksUseSecrets/def.yml b/probes/webhooksUseSecrets/def.yml
index ee26a05c72d..d0c1e40a7d2 100644
--- a/probes/webhooksUseSecrets/def.yml
+++ b/probes/webhooksUseSecrets/def.yml
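Review bot: The motivation kept as context in the topLevelPermissions def.yml hunk (`In some circumstances, having "write" permissions at the "top" level may enable attackers to escalate privileges.`) is too vague to tell a maintainer what the probe is actually guarding against, and since this commit is already editing the file to add `lifecycle: experimental` it is a cheap moment to fix it. In GitHub Actions a workflow-level `permissions:` block is inherited by every job that does not declare its own, so a write-scoped `GITHUB_TOKEN` is handed to every step in the workflow, including third-party actions and jobs that only need to read the checkout. A more precise wording would be `Workflow-level "write" permissions are inherited by every job that does not override them, so a compromised step or third-party action anywhere in the workflow receives a token that can push code, publish releases or modify settings; declaring write scopes per job keeps that token out of jobs that only need read access.` The rest of the probe definition (remediation text, outcomes) is outside the hunk.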
@@ -13,6 +13,7 @@
 # limitations under the License.
 id: webhooksUseSecrets
+lifecycle: experimental
 short: This check determines whether the webhooks defined in the repository have secrets configured to authenticate the origins of requests.
 motivation: >
 Webhooks without secret authorization have the potential to make projects accessible to third-parties.
diff --git a/probes/webhooksUseSecrets/impl.go b/probes/webhooksUseSecrets/impl.go
index 4ef1778d7f9..987e2b2d8b3 100644
--- a/probes/webhooksUseSecrets/impl.go
+++ b/probes/webhooksUseSecrets/impl.go
@@ -21,12 +21,13 @@ import (
 "github.com/ossf/scorecard/v5/checker"
 "github.com/ossf/scorecard/v5/finding"
+ "github.com/ossf/scorecard/v5/internal/checknames"
 "github.com/ossf/scorecard/v5/internal/probes"
 "github.com/ossf/scorecard/v5/probes/internal/utils/uerror"
 )
 func init() {
- probes.MustRegister(Probe, Run, []probes.CheckName{probes.Webhooks})
+ probes.MustRegister(Probe, Run, []checknames.CheckName{checknames.Webhooks})
 }
 //go:embed *.yml
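Review bot: The motivation line kept as context in the webhooksUseSecrets def.yml hunk (`Webhooks without secret authorization have the potential to make projects accessible to third-parties.`) misstates the risk, and the commit is already editing this file to add `lifecycle: experimental`, so it is worth correcting in the same change. A webhook secret does not gate access to the repository; it is the shared key the forge uses to sign each delivery so the receiving endpoint can verify the payload really came from the forge rather than from anyone who has learned the endpoint URL. Without it a third party can post forged events to the receiver and trigger whatever that receiver does (deploys, CI runs, notifications), which is the threat this probe is about. Suggested replacement: `Without a shared secret the receiving endpoint cannot verify that a delivery was sent by the forge, so anyone who discovers the webhook URL can send forged payloads and trigger the receiver's actions.` The remediation and outcome text of the definition is outside the hunk.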