Skip to content

✨ Support for detecting choco installer without required hash#1810

Merged
laurentsimon merged 6 commits intoossf:mainfrom
Alan-Jowett:issue1807
Apr 25, 2022
Merged

✨ Support for detecting choco installer without required hash#1810
laurentsimon merged 6 commits intoossf:mainfrom
Alan-Jowett:issue1807

Conversation

@Alan-Jowett
Copy link
Copy Markdown
Contributor

@Alan-Jowett Alan-Jowett commented Apr 2, 2022

Signed-off-by: Alan Jowett alanjo@microsoft.com

What kind of change does this PR introduce?

Add support for detecting unpinned install using https://chocolatey.org/

What is the current behavior?

Scorecard ignores choco installs.

What is the new behavior (if this is a feature change)?**

Scorecard warns for choco installs with out required hash.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes: #1807

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

Scorecard will issue a warning when installing packages using the Chocolatey installer but not pinning the install with a hash.

@Alan-Jowett
Initial support for choco installer
0ff239c 
#1807

Signed-off-by: Alan Jowett <alanjo@microsoft.com>
@Alan-Jowett Alan-Jowett temporarily deployed to integration-test April 2, 2022 16:21 Inactive
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 2, 2022

Integration tests success for
[0ff239c]
(https://github.com/ossf/scorecard/actions/runs/2082599351)

@codecov
Copy link
Copy Markdown

codecov bot commented Apr 2, 2022
edited
Loading

Codecov Report

Merging #1810 (b7ef74c) into main (44ad5f5) will increase coverage by 3.15%.
The diff coverage is 85.29%.

@@            Coverage Diff             @@
##             main    #1810      +/-   ##
==========================================
+ Coverage   52.13%   55.28%   +3.15%     
==========================================
  Files          77       77              
  Lines        6823     6857      +34     
==========================================
+ Hits         3557     3791     +234     
+ Misses       3023     2815     -208     
- Partials      243      251       +8

naveensrinivasan
naveensrinivasan reviewed Apr 2, 2022
View reviewed changes
Copy link
Copy Markdown
Member

@naveensrinivasan naveensrinivasan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

Comment thread checks/shell_download_validate.go
laurentsimon
laurentsimon reviewed Apr 4, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@laurentsimon laurentsimon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LG overall, thanks for the quick turnaround!
You just need to add a few more example in the files I provided in comment.

Thanks!

Comment thread checks/shell_download_validate.go
@Alan-Jowett
PR feedback
dee6de5 
Signed-off-by: Alan Jowett <alanjo@microsoft.com>
@Alan-Jowett Alan-Jowett temporarily deployed to integration-test April 6, 2022 23:03 Inactive
@Alan-Jowett Alan-Jowett temporarily deployed to integration-test April 6, 2022 23:04 Inactive
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 6, 2022

Integration tests success for
[b4e304e]
(https://github.com/ossf/scorecard/actions/runs/2105572689)

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 6, 2022

Integration tests success for
[dee6de5]
(https://github.com/ossf/scorecard/actions/runs/2105565636)

laurentsimon
laurentsimon approved these changes Apr 6, 2022
View reviewed changes
Comment thread checks/shell_download_validate.go Outdated
@Alan-Jowett Alan-Jowett temporarily deployed to integration-test April 14, 2022 14:49 Inactive
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 14, 2022

Integration tests success for
[644ca64]
(https://github.com/ossf/scorecard/actions/runs/2167911938)

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 25, 2022

Stale pull request message

@laurentsimon laurentsimon enabled auto-merge (squash) April 25, 2022 16:14
@laurentsimon laurentsimon temporarily deployed to integration-test April 25, 2022 16:14 Inactive
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 25, 2022

Integration tests success for
[b7ef74c]
(https://github.com/ossf/scorecard/actions/runs/2221448992)

@laurentsimon laurentsimon merged commit fe6e091 into ossf:main Apr 25, 2022
@laurentsimon
Copy link
Copy Markdown
Contributor

laurentsimon commented Apr 25, 2022

Merged! Congrats on the PR!

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 25, 2022

Integration tests success for
[9d28e1b]
(https://github.com/ossf/scorecard/actions/runs/2221446814)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@azeemshaikh38 azeemshaikh38 Awaiting requested review from azeemshaikh38

@justaugustus justaugustus Awaiting requested review from justaugustus

2 more reviewers

@naveensrinivasan naveensrinivasan naveensrinivasan left review comments

@laurentsimon laurentsimon laurentsimon approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

ossf/scorecard should detect unpinned dependencies via chocolatey installer

3 participants

@Alan-Jowett @laurentsimon @naveensrinivasan