
Bump github.com/ossf/scorecard/v5 from 5.0.0-rc2 to 5.0.0 #544

Merged

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Jul 22, 2024

Bumps github.com/ossf/scorecard/v5 from 5.0.0-rc2 to 5.0.0.

Release notes

Sourced from github.com/ossf/scorecard/v5's releases.

v5.0.0

What's Changed

We’ll highlight the major changes between v4.13.1 and v5.0.0 below, as well as some of the changes between v5.0.0-rc2 and v5.0.0. For a more complete picture, see the v5.0.0-rc1 and v5.0.0-rc2 changelogs as well.

Structured Results

Structured Results is the main feature from this release. At a high level, structured results involve breaking the existing 19 Scorecard Checks into individual heuristics so users can pick and choose which ones they care about. You can see a list of all supported probes by checking out our documentation (paying attention to lifecycle / stability guarantees). To run individual probes, use the --probes CLI flag with a comma separated list of names. You must also specify the --format probe option to see the results. Please run scorecard --help if you need more details. Example:

scorecard --repo github.com/ossf/scorecard --probes archived,fuzzed,hasLicenseFile --format probe

For more details on the feature, please check out our blog post or the talk given at Open Source Summit NA 2024: Structured Scorecard Results: Tailor Your Own Supply-Chain Security Policies.

Maintainer Annotations

Maintainer Annotations let maintainers add context to display alongside Scorecard check results. Annotations can provide users additional information when Scorecard has an incomplete assessment of a project's security practices. To see the maintainers' annotations for each check, if present, use the --show-annotations option. For example, the not-detected annotation can annotate when a maintainer fulfills a check or probe in a way that is supported by Scorecard but not identified.

For more details, check out our documentation for the feature.

Breaking Changes

API changes

The biggest change is that everything in github.com/ossf/scorecard/v4/pkg now lives in github.com/ossf/scorecard/v5/pkg/scorecard. This allows renaming of some function names and types to be less repetitive.

  • RunScorecard is now Run
  • ScorecardResult is now Result

Expected changes:

pkg.RunScorecard() -> scorecard.Run()
pkg.ScorecardResult -> scorecard.Result

The signature of RunScorecard (now called Run) has changed to allow for fewer breaking changes in the future. For full motivation, see the associated issue. There should be less setup code needed than before. Callers no longer need to pass in all clients and arguments and can rely on sensible default behavior. Callers that want to customize the analysis can influence the results with our Option types.

A similar change was done with formatting the results, which now accept an option struct pointer. Using a nil pointer will use default values.

Unlikely to cause issues

These changes are technically breaking in a semver sense, but we don’t expect most users to depend on them or require changes.

  • Dependency diff functionality has been removed in #4146.
  • clients.Repo must now implement Path in #4104

... (truncated)

Commits
  • ea7e27e 🌱 Bump github.com/google/go-containerregistry (#4244)
  • a74ffc3 🌱 Bump github.com/goreleaser/goreleaser/v2 from 2.0.1 to 2.1.0 in /t...
  • af8fd32 🌱 Bump github.com/xanzy/go-gitlab from 0.106.0 to 0.107.0 (#4243)
  • bc30d0f 📖 mark codeApproved and sastToolRunsOnAllCommits as experimental (#4242)
  • b48bdbf 🌱 Bump github.com/moby/buildkit from 0.14.1 to 0.15.0 (#4236)
  • 7563971 docs: maintainer annotations (#4235)
  • c75c63c 🌱 Update active cisco projects, remove cisco-open projects (#4226)
  • 09b58e4 ✨ Add important Go packages to projects.csv (#4176)
  • 78115de ✨ Add support for Nuget restore (#4157)
  • 32c4a43 🌱 Bump github.com/google/osv-scanner from 1.8.1 to 1.8.2 (#4234)
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/ossf/scorecard/v5](https://github.com/ossf/scorecard) from 5.0.0-rc2 to 5.0.0.
- [Release notes](https://github.com/ossf/scorecard/releases)
- [Changelog](https://github.com/ossf/scorecard/blob/main/RELEASE.md)
- [Commits](ossf/scorecard@v5.0.0-rc2...v5.0.0)

---
updated-dependencies:
- dependency-name: github.com/ossf/scorecard/v5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot requested a review from a team as a code owner July 22, 2024 13:36
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jul 22, 2024
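The release notes quoted above show how to run a hand-picked set of probes (`--probes archived,fuzzed,hasLicenseFile --format probe`) so that a consumer can apply its own supply-chain policy. As an added example, not code from this PR, from Scorecard or from Allstar, the Go program below takes one probe-format report and reports every probe whose outcome differs from a small policy table, treating a probe that is absent from the report as a failure so that a truncated run cannot pass silently. The sample JSON is constructed here, and the field names it relies on (`findings`, `probe`, `outcome`, `message`) and the outcome spellings (`True`, `False`, `NotApplicable`, ...) are this example's assumption about the probe output shape, so verify them against the JSON your Scorecard version actually emits.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// probeReport models the parts of `scorecard --format probe` output that this
// example needs. The field names are an assumption of this example, not taken
// from the PR page; check them against a real report before relying on them.
type probeReport struct {
	Repo struct {
		Name   string `json:"name"`
		Commit string `json:"commit"`
	} `json:"repo"`
	Findings []finding `json:"findings"`
}

// finding is one probe result. A probe may emit several findings (for
// example one per fuzzer detected), so the policy below is applied per finding.
type finding struct {
	Probe   string `json:"probe"`
	Outcome string `json:"outcome"` // assumed spellings: "True", "False", "NotApplicable", "NotSupported", "Error"
	Message string `json:"message"`
}

// policy is this example's own gate: the outcome each selected probe must
// report for the dependency to be acceptable. Anything else, including
// "NotApplicable" or "Error", fails under this strict reading; relax it per
// probe if your threat model tolerates an unknown result.
var policy = map[string]string{
	"archived":       "False", // an archived upstream will not receive security fixes
	"fuzzed":         "True",
	"hasLicenseFile": "True",
}

// Violation records a probe whose outcome did not satisfy the policy.
type Violation struct {
	Probe   string
	Want    string
	Got     string // the reported outcome, or "missing" if the probe was absent
	Message string
}

// evaluate parses one probe-format report and returns the policy violations
// sorted by probe name. Probes not named in the policy are ignored.
func evaluate(raw []byte) ([]Violation, error) {
	var rep probeReport
	if err := json.Unmarshal(raw, &rep); err != nil {
		return nil, fmt.Errorf("parse probe output: %w", err)
	}
	seen := make(map[string]bool, len(policy))
	var out []Violation
	for _, f := range rep.Findings {
		want, ok := policy[f.Probe]
		if !ok {
			continue
		}
		seen[f.Probe] = true
		if f.Outcome != want {
			out = append(out, Violation{Probe: f.Probe, Want: want, Got: f.Outcome, Message: f.Message})
		}
	}
	// A probe the policy requires but the report never mentions is a failure,
	// not a pass: a partial or interrupted run must not look clean.
	for probe, want := range policy {
		if !seen[probe] {
			out = append(out, Violation{Probe: probe, Want: want, Got: "missing", Message: "probe not present in report"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Probe < out[j].Probe })
	return out, nil
}

// sampleProbeOutput is a constructed report for a fictional repository,
// shaped like the output of:
//   scorecard --repo github.com/example/project --probes archived,fuzzed,hasLicenseFile --format probe
const sampleProbeOutput = `{
  "date": "2024-07-22",
  "repo": {"name": "github.com/example/project", "commit": "0000000000000000000000000000000000000000"},
  "findings": [
    {"probe": "archived", "outcome": "False", "message": "Repository is not archived."},
    {"probe": "fuzzed", "outcome": "False", "message": "no fuzzer integrations found"},
    {"probe": "hasLicenseFile", "outcome": "True", "message": "project has a license file"}
  ]
}`

func main() {
	violations, err := evaluate([]byte(sampleProbeOutput))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, v := range violations {
		fmt.Printf("FAIL %-16s want=%s got=%s (%s)\n", v.Probe, v.Want, v.Got, v.Message)
	}
	if len(violations) > 0 {
		os.Exit(1) // non-zero so a CI job or admission hook can block the dependency
	}
	fmt.Println("policy satisfied")
}
```

To gate a real dependency, redirect the command from the release notes into a file and pass its contents to evaluate instead of the embedded sample; the exit code is the only interface a CI step needs.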
Signed-off-by: Stephen Augustus <foo@auggie.dev>
Member

@justaugustus justaugustus left a comment


@dependabot merge

FYI @ossf/allstar-maintainers

@dependabot dependabot bot merged commit 38d990d into main Jul 22, 2024
7 checks passed
@dependabot dependabot bot deleted the dependabot/go_modules/github.com/ossf/scorecard/v5-5.0.0 branch July 22, 2024 14:56
@justaugustus
Member

Calling out that this also updates the toolchain to go1.22.5 (the most recent stable Golang release).
