
✨ probe: releases with verified provenance #4141

Merged
merged 9 commits into from
Jun 7, 2024

Conversation

raghavkaul
Contributor

What kind of change does this PR introduce?

Add a probe to check for verified provenance. Look up the package associated with the GitHub/GitLab project, and check if the package. In the current version, this check only supports NPM packages.

Which issue(s) this PR fixes

Closes #3038.

Addresses #1776 and #298.

Special notes for your reviewer

For now, treating "No package found" the same as "this ecosystem doesn't have packages / doesn't support publishing provenance" - with finding.NotAvailable. In the future, we might add ecosystem detection to make the latter scenario finding.NotApplicable.

Does this PR introduce a user-facing change?

probe: verified package provenance using package manager metadata
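The decision rule the description and reviewer note lay out, as an added example that is not scorecard's own code: it parses the subset of an npm registry packument that records publish-time provenance attestations (the `dist.attestations.provenance.predicateType` field names come from the registry format; the `Outcome` type and `EvaluateProvenance` function are this example's own, not scorecard's `finding` package) and maps "no package found" to NotAvailable as the note describes.

```go
package main

import (
	"encoding/json"
	"sort"
)

// Outcome holds this example's own outcome names (not scorecard's finding package).
type Outcome string
const (
	OutcomeNotAvailable Outcome = "NotAvailable" // no package (or no versions) found for the repo
	OutcomeTrue         Outcome = "True"         // every published version has provenance
	OutcomeFalse        Outcome = "False"        // at least one published version lacks it
)

// Subset of an npm registry packument: a version published with provenance carries dist.attestations.provenance.
type packument struct {
	Versions map[string]struct {
		Dist struct {
			Attestations *struct {
				Provenance *struct {
					PredicateType string `json:"predicateType"`
				} `json:"provenance"`
			} `json:"attestations"`
		} `json:"dist"`
	} `json:"versions"`
}
// EvaluateProvenance applies the PR's rule to raw registry JSON: a nil document (no package
// found) or one with no versions is NotAvailable; otherwise it also returns the sorted versions lacking provenance.
func EvaluateProvenance(raw []byte) (Outcome, []string, error) {
	var p packument
	if err := json.Unmarshal(raw, &p); raw != nil && err != nil { // nil raw: leave p empty
		return "", nil, err
	}
	if len(p.Versions) == 0 {
		return OutcomeNotAvailable, nil, nil
	}
	var missing []string
	for v, rec := range p.Versions {
		a := rec.Dist.Attestations
		if a == nil || a.Provenance == nil || a.Provenance.PredicateType == "" {
			missing = append(missing, v)
		}
	}
	sort.Strings(missing)
	if len(missing) > 0 {
		return OutcomeFalse, missing, nil
	}
	return OutcomeTrue, nil, nil
}
```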

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
@raghavkaul raghavkaul requested a review from a team as a code owner June 4, 2024 18:23
@raghavkaul raghavkaul requested review from naveensrinivasan and justaugustus and removed request for a team June 4, 2024 18:23

codecov bot commented Jun 4, 2024

Codecov Report

Attention: Patch coverage is 48.14815% with 28 lines in your changes missing coverage. Please review.

Project coverage is 59.97%. Comparing base (02f72e0) to head (7df77ec).
Report is 4 commits behind head on main.

@@            Coverage Diff             @@
##             main    #4141      +/-   ##
==========================================
- Coverage   66.11%   59.97%   -6.14%     
==========================================
  Files         232      215      -17     
  Lines       16567    15637     -930     
==========================================
- Hits        10954     9379    -1575     
- Misses       4925     5564     +639     
- Partials      688      694       +6     

@raghavkaul raghavkaul enabled auto-merge (squash) June 6, 2024 22:12
@raghavkaul raghavkaul merged commit bfaa9fe into ossf:main Jun 7, 2024
36 checks passed
balteravishay pushed a commit to balteravishay/scorecard that referenced this pull request Jun 12, 2024
* add projectpackageversions to signed releases raw results

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* finding: add NewNot* helpers, fix error msg

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* probe: releasesHaveVerifiedProvenance

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* logging

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* fix tests and lint

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* address comments

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* remove unused

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

* fix merge conflict

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>

---------

Signed-off-by: Raghav Kaul <raghavkaul+github@google.com>
Signed-off-by: balteraivshay <avishay.balter@gmail.com>
Successfully merging this pull request may close these issues.

Feature: Improve Signed-release for npm package