
Detect more unpinned golang commands

Open laurentsimon opened this issue 3 years ago • 4 comments

There are several commands (https://go.dev/ref/mod) that update go.mod/go.sum and may patch the sum file.

We should detect them in the Pinned-Dependencies check.

laurentsimon avatar Feb 05 '22 01:02 laurentsimon

Other examples: go test -mod=vendor

laurentsimon avatar Feb 15 '22 22:02 laurentsimon

Note that a command such as go install [email protected] may be considered pinned, because of the logs used to cache packages. However, this would not be updated by tools like renovatebot / dependabot because they cannot parse commands, so we may still want to discourage this practice.

laurentsimon avatar Aug 25 '22 02:08 laurentsimon
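As an added illustration of the detection discussed in this thread (example code written for this page, not Scorecard's own Pinned-Dependencies implementation), the Go program below scans a build or CI script line by line and reports the cases raised above: `go mod` subcommands that may rewrite go.mod/go.sum, a `-mod=` flag other than `readonly` (the `go test -mod=vendor` example), `go get`/`go install` with no `@version` or with a floating one such as `@latest`, and `go install pkg@vX.Y.Z`, which is pinned but lives outside go.mod where Dependabot/Renovate cannot bump it. The list of mutating subcommands, the set of floating version names, and the naive splitting on shell separators are assumptions made for the example; the sample script is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one command and why it was reported.
type Finding struct {
	Command string
	Reason  string
}

// mutatingModSubcommands are `go mod` subcommands that can rewrite go.mod or
// go.sum (assumption drawn from https://go.dev/ref/mod, not Scorecard's own list).
var mutatingModSubcommands = map[string]bool{"tidy": true, "download": true, "vendor": true}

// floatingVersions are @version suffixes that resolve to a moving target (assumed set).
var floatingVersions = map[string]bool{
	"latest": true, "upgrade": true, "patch": true, "master": true, "main": true,
}

// InspectGoCommand classifies one command that has already been split out of
// a script. ok is false when the command is not a reportable Go invocation.
func InspectGoCommand(cmd string) (f Finding, ok bool) {
	fields := strings.Fields(cmd)
	if len(fields) < 2 || fields[0] != "go" {
		return Finding{}, false
	}
	sub := fields[1]

	// Any subcommand run with -mod=<anything but readonly> may touch module
	// files; the issue lists `go test -mod=vendor` as an example.
	for _, arg := range fields[2:] {
		if strings.HasPrefix(arg, "-mod=") && arg != "-mod=readonly" {
			return Finding{cmd, fmt.Sprintf("%s flag on go %s", arg, sub)}, true
		}
	}

	switch sub {
	case "mod":
		if len(fields) > 2 && mutatingModSubcommands[fields[2]] {
			return Finding{cmd, fmt.Sprintf("go mod %s may rewrite go.mod/go.sum", fields[2])}, true
		}
	case "get", "install":
		for _, arg := range fields[2:] {
			if strings.HasPrefix(arg, "-") {
				continue // flags such as -u or -d
			}
			at := strings.LastIndex(arg, "@")
			if at < 0 {
				return Finding{cmd, fmt.Sprintf("go %s %s has no @version", sub, arg)}, true
			}
			ver := arg[at+1:]
			if floatingVersions[ver] {
				return Finding{cmd, fmt.Sprintf("go %s uses floating version @%s", sub, ver)}, true
			}
			// A concrete @version is pinned, but it sits in the command line rather
			// than in go.mod, so dependency update tools cannot bump it.
			return Finding{cmd, fmt.Sprintf("go %s pins @%s on the command line; update tools cannot bump it", sub, ver)}, true
		}
	}
	return Finding{}, false
}

// separator splits a script on newlines and common shell separators.
// This is a deliberately simple tokenizer, not a shell parser.
var separator = regexp.MustCompile(`\n|&&|\|\||;|\|`)

// ScanScript runs InspectGoCommand over every command in a build/CI script.
func ScanScript(script string) []Finding {
	var findings []Finding
	for _, cmd := range separator.Split(script, -1) {
		if f, ok := InspectGoCommand(strings.TrimSpace(cmd)); ok {
			findings = append(findings, f)
		}
	}
	return findings
}

func main() {
	// Constructed sample of CI steps; not taken from the issue.
	script := `go mod download
go test -mod=vendor ./...
go get github.com/example/lib
go install github.com/example/tool@v1.2.3 && go build ./...`
	for _, f := range ScanScript(script) {
		fmt.Printf("%-55s %s\n", f.Command, f.Reason)
	}
}
```

Running it prints four findings for the sample script; the final `go build ./...` is left alone because it neither names a dependency nor overrides `-mod`. In a real checker the `go install pkg@vX.Y.Z` case would be reported at a lower severity than the unpinned ones, matching the "discourage rather than fail" position taken above.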

This issue is stale because it has been open for 60 days with no activity.

github-actions[bot] avatar Nov 02 '23 01:11 github-actions[bot]

This issue has been marked stale because it has been open for 60 days with no activity.

github-actions[bot] avatar Mar 03 '24 01:03 github-actions[bot]