Tags: ossf/gemara
feat: add layer 1 loaders (#187)

* feat: add file loaders for layer 1

  Signed-off-by: George Vauter <[email protected]>

* update exporter to use layer 1 loader

  Signed-off-by: George Vauter <[email protected]>

---------

Signed-off-by: George Vauter <[email protected]>
feat: introducing checklist evaluation plan export (#173)

* feat: adds functionality for checklist export

  Signed-off-by: Hannah Braswell <[email protected]>

* fix: updating for structured data separation

  Signed-off-by: Hannah Braswell <[email protected]>

* fix: updating based on review

  Signed-off-by: Hannah Braswell <[email protected]>

* fix: adding suggestions from review

  Co-authored-by: Jennifer Power <[email protected]>
  Signed-off-by: Hannah Braswell <[email protected]>

---------

Signed-off-by: Hannah Braswell <[email protected]>
Signed-off-by: Hannah Braswell <[email protected]>
Co-authored-by: Jennifer Power <[email protected]>
chore(deps): bump github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml (#179)

Bumps [github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml](https://github.com/github/ospo-reusable-workflows) from 23b65d1475caa2c0979cb746b301358c2f7dd9ab to 8f81b19525b174210351d8c53b2efe6a316984f8.
- [Release notes](https://github.com/github/ospo-reusable-workflows/releases)
- [Changelog](https://github.com/github/ospo-reusable-workflows/blob/main/docs/release-discussion.md)
- [Commits](github/ospo-reusable-workflows@23b65d1...8f81b19)

---
updated-dependencies:
- dependency-name: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml
  dependency-version: 8f81b19525b174210351d8c53b2efe6a316984f8
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
feat: enrich sarif with catalog data (#177)

* Filter out NotRun and NotApplicable results from SARIF output

  Only include Passed, Failed, NeedsReview, and Unknown results in SARIF. This prevents assessments that weren't evaluated (due to applicability) from appearing as alerts in GitHub Code Scanning.

  Signed-off-by: Zohayb Bhatti <[email protected]>

* feat: enrich SARIF output with catalog data

  - Add optional catalog parameter to ToSARIF() function
  - Enhance ReportingDescriptor with ShortDescription, FullDescription, Help, and HelpUri fields
  - Implement findControlAndRequirement() to lookup catalog data by control/requirement IDs
  - Implement buildOSPSBaselineURI() to generate documentation links
  - Update all tests to include catalog parameter
  - Add Test_ToSARIF_WithCatalogEnrichment to verify catalog enrichment works
  - Maintain backward compatibility when catalog is nil

  Signed-off-by: Zohayb Bhatti <[email protected]>

* docs: fix function documentation to remove misleading 'documentation links' mention

  - Update catalog parameter docs to remove 'documentation links' reference
  - Fix test comment to accurately say 'help text' instead of 'help URI'

  Addresses feedback about preserving accurate documentation when removing code.

  Signed-off-by: Zohayb Bhatti <[email protected]>

---------

Signed-off-by: Zohayb Bhatti <[email protected]>
Signed-off-by: Zohayb Bhatti <[email protected]>
Co-authored-by: Zohayb Bhatti <[email protected]>
Co-authored-by: Zohayb Bhatti <[email protected]>
Filter out NotRun and NotApplicable results from SARIF output (#176)

Only include Passed, Failed, NeedsReview, and Unknown results in SARIF. This prevents assessments that weren't evaluated (due to applicability) from appearing as alerts in GitHub Code Scanning.

Signed-off-by: Zohayb Bhatti <[email protected]>
Co-authored-by: Zohayb Bhatti <[email protected]>
feat: add PhysicalLocation support to SARIF output (#171)

* feat: add PhysicalLocation support to SARIF output

  - Add SARIF type structs: PhysicalLocation, ArtifactLocation, Region, Snippet
  - Extend Location struct to include optional PhysicalLocation field
  - Update ToSARIF() to populate PhysicalLocation using Metadata.Author.Uri
  - Add tests to verify PhysicalLocation is included correctly
  - Handle case when Metadata.Author.Uri is empty (nil PhysicalLocation)

  Fixes missing PhysicalLocation required by GitHub Code Scanning.

  Signed-off-by: Zohayb Bhatti <[email protected]>

* docs: clean up comments in ToSARIF()

  Signed-off-by: Zohayb Bhatti <[email protected]>

* refactor: add artifactURI parameter and use AssessmentStep for LogicalLocation

  - Add optional artifactURI parameter to ToSARIF() for configurable PhysicalLocation
  - Use AssessmentStep function address for LogicalLocation (step is the originator)
  - Consolidate comments about Region being nil
  - Add documentation clarifying physicalLocation vs logicalLocation distinction
  - Add test for artifactURI parameter usage

  Addresses reviewer feedback from PR #171

  Signed-off-by: Zohayb Bhatti <[email protected]>

* refactor: change artifactURI from variadic to single string parameter

  Eddie correctly pointed out that variadic parameters allow multiple values but we only use the first. Changed to single string parameter for clarity. Callers pass empty string for default behavior, or specific URI otherwise.

  Addresses review feedback from PR #171

  Signed-off-by: Zohayb Bhatti <[email protected]>

* fix: remove fallback to Metadata.Author.Uri for PhysicalLocation

  Jennifer correctly pointed out that Metadata.Author.Uri represents the tool/evaluator (gemara), not the resource being assessed. Using it as a fallback for PhysicalLocation was incorrect. Now PhysicalLocation is only set when artifactURI is explicitly provided. If artifactURI is empty, PhysicalLocation will be nil.

  Addresses review feedback from PR #171

  Signed-off-by: Zohayb Bhatti <[email protected]>

* fix: use last AssessmentStep for LogicalLocation

  Eddie correctly pointed out that the location is for the entire evaluation, not just where it started. Using the first step was misleading. Changed from log.Steps[0] to log.Steps[len(log.Steps)-1] to use the last step that was run, which better represents the final evaluation state.

  Addresses review feedback from PR #171

  Signed-off-by: Zohayb Bhatti <[email protected]>

---------

Signed-off-by: Zohayb Bhatti <[email protected]>
feat: Added mapping logic to layer 4 (#159)

* feat: Added mapping logic to layer 4

  Signed-off-by: Eddie Knight <[email protected]>

* linting

  Signed-off-by: Eddie Knight <[email protected]>

* cue fmt

  Signed-off-by: Eddie Knight <[email protected]>

---------

Signed-off-by: Eddie Knight <[email protected]>