chore: merge staging to main

.github/dependabot.yaml

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 # This configuration file enables Dependabot version updates.
@@ -36,3 +36,18 @@ updates:
   # https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers
   # reviewers:
   # -
+
+- package-ecosystem: gomod
+  directory: /
+  schedule:
+    interval: weekly
+  commit-message:
+    prefix: chore
+    prefix-development: chore
+    include: scope
+  open-pull-requests-limit: 13
+  target-branch: staging
+  # Add additional reviewers for PRs opened by Dependabot. For more information, see:
+  # https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers
+  # reviewers:
+  # -

.github/workflows/_build.yaml

@@ -51,12 +51,12 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       with:
         fetch-depth: 0
 
     - name: Set up Python
-      uses: actions/setup-python@13ae5bb136fac2878aff31522b9efb785519f984 # v4.3.0
+      uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
       with:
         python-version: ${{ matrix.python }}
 
@@ -123,7 +123,7 @@ jobs:
     # Currently reusable workflows do not support setting strategy property from the caller workflow.
     - name: Upload the package artifact for debugging and release
       if: matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON
-      uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
+      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
       with:
         name: artifact-${{ matrix.os }}-python-${{ matrix.python }}
         path: |

.github/workflows/codeql-analysis.yaml

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 # Run CodeQL over the package. For more configuration options see codeql/codeql-config.yaml
@@ -17,6 +17,7 @@ on:
     # Avoid unnecessary scans of pull requests.
     paths:
     - '**/*.py'
+    - '**/*.go'
   schedule:
   - cron: 20 15 * * 3
 permissions:
@@ -35,17 +36,16 @@ jobs:
       matrix:
         # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
         # Learn more about CodeQL language support at https://git.io/codeql-language-support
-        language: [python]
-        python: ['3.11']
+        language: [python, go]
     steps:
 
     - name: Checkout repository
-      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 
     - name: Set up Python ${{ matrix.python }}
-      uses: actions/setup-python@13ae5bb136fac2878aff31522b9efb785519f984 # v4.3.0
+      uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
       with:
-        python-version: ${{ matrix.python }}
+        python-version: '3.11'
 
     # For more details see the comment in _build.yaml.
     - name: Create empty virtual environment for Actions
@@ -55,7 +55,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898 # v2.1.31
+      uses: github/codeql-action/init@a34ca99b4610d924e04c68db79e503e1f79f9f02 # v2.1.39
       with:
         languages: ${{ matrix.language }}
         config-file: .github/codeql/codeql-config.yaml
@@ -68,4 +68,4 @@ jobs:
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898 # v2.1.31
+      uses: github/codeql-action/analyze@a34ca99b4610d924e04c68db79e503e1f79f9f02 # v2.1.39

.github/workflows/pr-conventional-commits.yaml

@@ -25,12 +25,12 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       with:
         fetch-depth: 0
 
     - name: Set up Python
-      uses: actions/setup-python@13ae5bb136fac2878aff31522b9efb785519f984 # v4.3.0
+      uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
       with:
         python-version: '3.11'
 

.github/workflows/release.yaml

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 # We run checks on pushing to the specified branches.
@@ -38,13 +38,13 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       with:
         fetch-depth: 0
         token: ${{ secrets.REPO_ACCESS_TOKEN }}
 
     - name: Set up Python
-      uses: actions/setup-python@13ae5bb136fac2878aff31522b9efb785519f984 # v4.3.0
+      uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
       with:
         python-version: '3.11'
 
@@ -88,12 +88,12 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       with:
         fetch-depth: 0
 
     - name: Download artifact
-      uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1
+      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
       with:
         name: ${{ env.ARTIFACT_NAME }}
         path: dist
@@ -110,7 +110,7 @@ jobs:
 
     # Create the Release Notes using commitizen.
     - name: Set up Python
-      uses: actions/setup-python@13ae5bb136fac2878aff31522b9efb785519f984 # v4.3.0
+      uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
       with:
         python-version: '3.11'
 
@@ -183,12 +183,12 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       with:
         fetch-depth: 0
 
     - name: Download provenance
-      uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1
+      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
       with:
         name: ${{ needs.provenance.outputs.provenance-name }}
 

.github/workflows/scorecards-analysis.yaml

@@ -29,12 +29,12 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       with:
         persist-credentials: false
 
     - name: Run analysis
-      uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
+      uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
       with:
         results_file: results.sarif
         results_format: sarif
@@ -49,13 +49,13 @@ jobs:
 
     # Upload the results as artifacts (optional).
     - name: Upload artifact
-      uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
+      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
       with:
         name: SARIF file
         path: results.sarif
 
     # Upload the results to GitHub's code scanning dashboard.
     - name: Upload to code-scanning
-      uses: github/codeql-action/upload-sarif@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898 # v2.1.31
+      uses: github/codeql-action/upload-sarif@a34ca99b4610d924e04c68db79e503e1f79f9f02 # v2.1.39
       with:
         sarif_file: results.sarif

Makefile

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 # Use bash as the shell when executing a rule's recipe. For more details:
@@ -83,25 +83,27 @@ venv:
 # The _build.yaml GitHub Actions workflow expects dist directory to exist.
 # So we create the dist dir if it doesn't exist in the setup target.
 # See https://packaging.python.org/en/latest/tutorials/packaging-projects/#generating-distribution-archives.
-# We also install SLSA verifier, mvnw, cyclonedx-go, and compile the Go modules.
+# We also install cyclonedx-go to generate SBOM for Go, compile the Go modules,
+# install SLSA verifier binary, and download mvnw.
 .PHONY: setup
-setup: force-upgrade setup-go
+setup: force-upgrade setup-go setup-binaries
 	pre-commit install
 	mkdir -p dist
+	go install github.com/CycloneDX/cyclonedx-gomod/cmd/[email protected]
+setup-go:
+	go build -o $(MACARON_PATH)/bin/ $(MACARON_PATH)/golang/cmd/...
+setup-binaries: $(MACARON_PATH)/bin/slsa-verifier $(MACARON_PATH)/resources/mvnw
+$(MACARON_PATH)/bin/slsa-verifier:
 	git clone --depth 1 https://github.com/slsa-framework/slsa-verifier.git -b v2.0.1
 	cd slsa-verifier/cli/slsa-verifier && go build -o $(MACARON_PATH)/bin/
 	cd $(MACARON_PATH) && rm -rf slsa-verifier
-	go install github.com/CycloneDX/cyclonedx-gomod/cmd/[email protected]
-	echo "GOPATH=$$GOPATH"
-	ls $$HOME/go/bin
+$(MACARON_PATH)/resources/mvnw:
 	cd resources \
 		&& wget https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper-distribution/3.1.1/maven-wrapper-distribution-3.1.1-bin.zip \
 		&& unzip -o maven-wrapper-distribution-3.1.1-bin.zip \
 		&& rm -r maven-wrapper-distribution-3.1.1-bin.zip \
 		&& echo -e "distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.8.6/apache-maven-3.8.6-bin.zip\nwrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.1/maven-wrapper-3.1.1.jar" > .mvn/wrapper/maven-wrapper.properties \
 		&& cd $(MACARON_PATH)
-setup-go:
-	go build -o $(MACARON_PATH)/bin/ $(MACARON_PATH)/golang/cmd/...
 
 # Install or upgrade an existing virtual environment based on the
 # package dependencies declared in pyproject.toml and go.mod.
@@ -160,14 +162,12 @@ requirements.txt: pyproject.toml
 # editable mode (like the one in development here) because they may not have
 # a PyPI entry; also print out CVE description and potential fixes if audit
 # found an issue.
-# TODO: do not ignore GHSA-hcpj-qp55-gfph once the patch is out.
-# See: https://github.com/gitpython-developers/GitPython/issues/1515.
 .PHONY: audit
 audit:
 	if ! $$(python -c "import pip_audit" &> /dev/null); then \
 	  echo "No package pip_audit installed, upgrade your environment!" && exit 1; \
 	fi;
-	python -m pip_audit --skip-editable --desc on --fix --dry-run --ignore-vuln GHSA-hcpj-qp55-gfph
+	python -m pip_audit --skip-editable --desc on --fix --dry-run
 
 # Run some or all checks over the package code base.
 .PHONY: check check-code check-bandit check-flake8 check-lint check-mypy check-go
@@ -260,7 +260,11 @@ clean: dist-clean bin-clean
 nuke-caches: clean
 	find src/ -type d -name __pycache__ -exec rm -fr {} +
 	find tests/ -type d -name __pycache__ -exec rm -fr {} +
-nuke: nuke-caches
+nuke-mvnw:
+	cd $(MACARON_PATH)/resources \
+	&& rm mvnw mvnw.cmd mvnwDebug mvnwDebug.cmd \
+	&& cd $(MACARON_PATH)
+nuke: nuke-caches nuke-mvnw
 	if [ ! -z "${VIRTUAL_ENV}" ]; then \
 	  echo "Please deactivate the virtual environment first!" && exit 1; \
 	fi

pyproject.toml

@@ -25,7 +25,7 @@ dependencies = [
     "requests >=2.28.0,<3.0.0",
     "pydriller >=2.0,<3.0.0",
     "yamale >=4.0.3,<5.0.0",
-    "packaging >=21.3,<22.0.0",
+    "packaging >=21.3,<24.0.0",
     "jinja2 >=3.1.2,<4.0.0"
 ]
 keywords = []
@@ -64,21 +64,21 @@ dev = [
     # Exclude pip-audit v2.4.9 because it has a bug.
     # See https://github.com/pypa/pip-audit/commit/22d7e4c7f5acd20852c57b52b46e861a716ab09f.
     "pip-audit >=2.4.8,<3.0.0,!=2.4.9",
-    "pylint >=2.9.3,<2.15.8",
+    "pylint >=2.9.3,<2.15.11",
     "cyclonedx-bom >=3.5.0,<4.0.0",
 ]
 docs = [
-    "sphinx >=5.3.0,<6.0.0",
+    "sphinx >=5.3.0,<7.0.0",
     "sphinx-autodoc-typehints >=1.19.4,<2.0.0",
     "sphinx-rtd-theme >=1.0.0,<2.0.0",
     "numpydoc >=1.5.0,<2.0.0",
 ]
 hooks = [
-    "pre-commit >=2.18.0,<=2.20.0",
+    "pre-commit >=2.18.0,<2.22.0",
 ]
 # Note that the `custom_exit_code` and `env` plugins may currently be unmaintained.
 test = [
-    "hypothesis >=6.21.0,<6.58.2",
+    "hypothesis >=6.21.0,<6.64.1",
     "pytest >=7.2.0,<8.0.0",
     "pytest-custom_exit_code >=0.3.0,<1.0.0",
     "pytest-cov >=4.0.0,<5.0.0",

scripts/dev_scripts/copyright-checker.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 #
@@ -10,6 +10,7 @@
 files=$(git diff --cached --name-only)
 currentyear=$(date +"%Y")
 missing_copyright_files=()
+license_note="Licensed under the Universal Permissive License v 1.0 as shown at https:\/\/oss\.oracle\.com\/licenses\/upl\/\."
 
 
 for f in $files; do
@@ -21,33 +22,54 @@ for f in $files; do
         startyear=$currentyear
     fi
     if ! grep -i -e "Copyright (c) $startyear - $currentyear, Oracle and/or its affiliates. All rights reserved." "$f" 1>/dev/null;then
-        if [[ $f =~ .*\.(js$|py$|java$|tf$|go$|sh$|dl$|yaml$) ]] || [[ "${f##*/}" = "Dockerfile" ]];then
+        if [[ $f =~ .*\.(js$|py$|java$|tf$|go$|sh$|dl$|yaml$) ]] || [[ "${f##*/}" = "Dockerfile" ]] || [[ "${f##*/}" = "Makefile" ]];then
           missing_copyright_files+=("$f")
         fi
     fi
 done
 
 if [ ${#missing_copyright_files[@]} -ne 0 ]; then
     for f in "${missing_copyright_files[@]}"; do
+
+        # Don't allow this script to run on itself.
+        if [[ $0 == $f ]];then
+            echo "Cannot run the $0 on itself. Please fix the headers in this file manually."
+            exit 1
+        fi
+        missing_license_note=$(grep -i "$license_note" "$f")
         startyear=$(git log --format=%ad --date=format:%Y "$f" | tail -1)
         if [[ -z "${startyear// }" ]]; then
             startyear=$currentyear
         fi
         if [[ $f =~ .*\.(js$|java$|go$|dl$) ]]; then
             expected="\/\* Copyright \(c\) $startyear - $currentyear, Oracle and\/or its affiliates\. All rights reserved\. \*\/"
-            expected="$expected\n\/\* Licensed under the Universal Permissive License v 1.0 as shown at https:\/\/oss\.oracle\.com\/licenses\/upl\/\. \*\/"
-        elif [[ $f =~ .*\.(py$|tf$|sh$|yaml$) ]] || [[ "${f##*/}" = "Dockerfile" ]]; then
+            if [ ${#missing_license_note} -eq 0 ]; then
+                expected="$expected\n\/\* $license_note \*\/"
+            fi
+        elif [[ $f =~ .*\.(py$|tf$|sh$|yaml$) ]] || [[ "${f##*/}" = "Dockerfile" ]] || [[ "${f##*/}" = "Makefile" ]]; then
             expected="# Copyright \(c\) $startyear - $currentyear, Oracle and\/or its affiliates\. All rights reserved\."
-            expected="$expected\n# Licensed under the Universal Permissive License v 1.0 as shown at https:\/\/oss\.oracle\.com\/licenses\/upl\/\."
-
+            if [ ${#missing_license_note} -eq 0 ]; then
+                expected="$expected\n# $license_note"
+            fi
         fi
 
-        if ! grep -i -e "Copyright (c) .* Oracle and/or its affiliates. All rights reserved" "$f" 1>/dev/null;then
-            echo "Copyright header missing for $f"
-            sed -i "1s/^/$expected\n\n/" "$f"
+        # Find the first matching copyright line.
+        line_number=$(grep -m 1 -n -i -e "Copyright (c) .* Oracle and/or its affiliates. All rights reserved" "$f" | cut -d : -f 1)
+        if [[ -z "$line_number" ]]; then
+            echo "Copyright header missing for $f."
+
+            # Check for executable scripts and don't replace the first line starting with shebang.
+            shebang_line=$(grep -m 1 -n "#!" "$f")
+            if [[ -z "$shebang_line" ]];then
+                # If there is no shebang, insert at the first line.
+                sed -i "1s/^/$expected\n\n/" "$f"
+            else
+                # If there is a shebang, append to the end of the line.
+                sed -i "$(echo $shebang_line | cut -d : -f 1)""s/$/\n\n$expected/" "$f"
+            fi
         else
-            echo "Copyright header needs update for $f"
-            sed -i "1s/^.*/$expected/" "$f"
+            echo "Copyright header needs update for $f."
+            sed -i "$line_number""s/^.*/$expected/" "$f"
         fi
     done
     echo "Copyright headers have been automatically added/updated. Please review and stage the changes before running git commit again."