Merge branch 'main' into new-github-actions-repos-2023-12-13

.github/workflows/depsreview.yml

@@ -24,4 +24,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@01bc87099ba56df1e897b6874784491ea6309bc4 # v3.1.4
+        uses: actions/dependency-review-action@c74b580d73376b7750d3d2a50bfb8adc2c937507 # v3.1.5

.github/workflows/docker.yml

@@ -40,7 +40,7 @@ jobs:
         fetch-depth: 2 # needed to diff changed files
     - id: files
       name: Get changed files
-      uses: tj-actions/changed-files@94549999469dbfa032becf298d95c87a14c34394 #v40.2.2
+      uses: tj-actions/changed-files@716b1e13042866565e00e85fd4ec490e186c4a2f #v41.0.1
       with:
         files_ignore: '**.md'
     - id: docs_only_check
@@ -78,7 +78,7 @@ jobs:
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Setup Go # needed for some of the Makefile evaluations, even if building happens in Docker 
        if: (needs.docs_only_check.outputs.docs_only != 'true')
-       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true

.github/workflows/gitlab.yml

@@ -41,7 +41,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha || github.sha }} # head SHA if PR, else fallback to push SHA
       - name: Setup Go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true

.github/workflows/goreleaser.yaml

@@ -43,7 +43,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Set up Go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0
         with:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true

.github/workflows/integration.yml

@@ -52,7 +52,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Setup Go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true

.github/workflows/lint.yml

@@ -23,7 +23,7 @@ jobs:
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: ${{ env.GO_VERSION }}
           cache: false # golangci-lint maintains its own cache

.github/workflows/main.yml

@@ -43,7 +43,7 @@ jobs:
      - name: Clone the code
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Setup Go
-       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
@@ -121,7 +121,7 @@ jobs:
        with:
           fetch-depth: 0
      - name: Setup Go
-       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
+       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
@@ -149,7 +149,7 @@ jobs:
      - name: Clone the code
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Setup Go
-       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
@@ -186,7 +186,7 @@ jobs:
        with:
           fetch-depth: 0
      - name: Setup Go
-       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
+       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
@@ -239,7 +239,7 @@ jobs:
      - name: Clone the code
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Setup Go
-       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
@@ -281,7 +281,7 @@ jobs:
        with:
           fetch-depth: 0
      - name: Setup Go
-       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
+       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
@@ -328,7 +328,7 @@ jobs:
        with:
           fetch-depth: 0
      - name: Setup Go
-       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
+       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
@@ -363,7 +363,7 @@ jobs:
        with:
           fetch-depth: 0
      - name: Setup Go
-       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
+       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
@@ -389,7 +389,7 @@ jobs:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0
         with:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true

.github/workflows/publishimage.yml

@@ -44,7 +44,7 @@ jobs:
        with:
           fetch-depth: 0
      - name: Setup Go
-       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
+       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
@@ -61,7 +61,7 @@ jobs:
             make install
             make scorecard-ko
      - name: Install Cosign
-       uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8
+       uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149
      - name: Sign image
        run: |
           cosign sign --yes ghcr.io/${{github.repository_owner}}/scorecard/v4:${{ github.sha }}

.github/workflows/scdiff.yml

@@ -82,7 +82,7 @@ jobs:
         with:
           ref: ${{ steps.config.outputs.base }}
       - name: Setup Go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true

.github/workflows/scorecard-analysis.yml

@@ -40,7 +40,7 @@ jobs:
       # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
       # Optional.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v3
         with:
           name: SARIF file
           path: results.sarif

.github/workflows/slsa-goreleaser.yml

@@ -47,12 +47,12 @@ jobs:
         uses: slsa-framework/slsa-verifier/actions/installer@v2.4.1
 
       - name: Download the artifact
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0
         with:
           name: "${{ needs.build.outputs.go-binary-name }}.intoto.jsonl"
 
       - name: Download the artifact
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0
         with:
           name: ${{ needs.build.outputs.go-binary-name }}
 

.gitignore

@@ -53,3 +53,8 @@ githubrepo.tar.gz
 
 # goreleaser
 dist/*
+
+# scdiff, ensure the files detailed in RELEASE.md aren't committed
+repos.txt
+oldRelease.json
+newRelease.json

README.md

@@ -585,9 +585,9 @@ Artifact                      | Link
 ----------------------------- | ----
 Scorecard Dev Forum           | [ossf-scorecard-dev@](https://groups.google.com/g/ossf-scorecard-dev)
 Scorecard Announcements Forum | [ossf-scorecard-announce@](https://groups.google.com/g/ossf-scorecard-announce)
-Community Meeting VC          | [Link to z o o m meeting](https://zoom.us/j/98835923979)
-Community Meeting Calendar    | Biweekly Thursdays, 1:00pm-2:00pm PST <br>[Calendar](https://calendar.google.com/calendar?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ)
-Meeting Notes                 | [Notes](https://docs.google.com/document/d/1dB2U7_qZpNW96vtuoG7ShmgKXzIg6R5XT5Tc-0yz6kE/edit#heading=h.4k8ml0qkh7tl)
+Community Meeting VC          | [Link to z o o m meeting](https://zoom-lfx.platform.linuxfoundation.org/meeting/95007214146?password=250040c3-80c0-48c4-80c1-07a373116d54)
+Community Meeting Calendar    | **_APAC-friendly_** Biweekly on Thursdays at 1:00-2:00 PM Pacific ([OSSF Public Calendar](https://calendar.google.com/calendar/u/0/embed?height=600&wkst=1&bgcolor=%238E24AA&showTitle=1&mode=WEEK&showCalendars=0&showTabs=1&showPrint=0&title=OpenSSF+Community+Calendar&src=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ&color=%238E24AA)) <br>Video Call: [LFX Zoom](https://zoom-lfx.platform.linuxfoundation.org/meeting/95007214146?password=250040c3-80c0-48c4-80c1-07a373116d54) <br> **_EMEA-friendly_** Every 4 Mondays at 7:00-8:00 AM Pacific ([OSSF Public Calendar](https://calendar.google.com/calendar/u/0/embed?height=600&wkst=1&bgcolor=%238E24AA&showTitle=1&mode=WEEK&showCalendars=0&showTabs=1&showPrint=0&title=OpenSSF+Community+Calendar&src=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ&color=%238E24AA)) <br> Video Call: [LFX Zoom](https://zoom-lfx.platform.linuxfoundation.org/meeting/93377638314?password=d53af562-d908-4100-8ae1-52686756cc5d)
+Meeting Notes                 | [Notes](https://docs.google.com/document/d/1b6d3CVJLsl7YnTE7ZaZQHdkdYIvuOQ8rzAmvVdypOWM/edit?usp=sharing)
 Slack Channel                 | [#security_scorecards](https://slack.openssf.org/#security_scorecards)
 
 __Maintainers__ are listed in the [CODEOWNERS file](.github/CODEOWNERS).
@@ -600,7 +600,13 @@ To report a security issue, please follow instructions [here](SECURITY.md).
 
 #### Zoom
 
-We meet every other Thursday - 4p ET on this [zoom link](https://zoom.us/j/98835923979?pwd=RG5JZ3czZEtmRDlGdms0ZktmMFQvUT09).
+**_APAC-friendly_** Biweekly on Thursdays at 1:00-2:00 PM Pacific ([OSSF Public Calendar](https://calendar.google.com/calendar/u/0/embed?height=600&wkst=1&bgcolor=%238E24AA&showTitle=1&mode=WEEK&showCalendars=0&showTabs=1&showPrint=0&title=OpenSSF+Community+Calendar&src=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ&color=%238E24AA)) 
+
+Video Call: [LFX z o o m](https://zoom-lfx.platform.linuxfoundation.org/meeting/95007214146?password=250040c3-80c0-48c4-80c1-07a373116d54)   
+
+**_EMEA-friendly_** Every 4 Mondays at 7:00-8:00 AM Pacific ([OSSF Public Calendar](https://calendar.google.com/calendar/u/0/embed?height=600&wkst=1&bgcolor=%238E24AA&showTitle=1&mode=WEEK&showCalendars=0&showTabs=1&showPrint=0&title=OpenSSF+Community+Calendar&src=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ&color=%238E24AA))
+
+Video Call: [LFX z o o m](https://zoom-lfx.platform.linuxfoundation.org/meeting/93377638314?password=d53af562-d908-4100-8ae1-52686756cc5d)   
 
 #### Agenda
 

RELEASE.md

@@ -9,6 +9,7 @@ pull request to discuss.)
 - [Tracking](#tracking)
 - [Preparing the release](#preparing-the-release)
   - [Validate tests](#validate-tests)
+  - [Validate the changes with scdiff](#validate-the-changes-with-scdiff)
 - [Drafting release notes](#drafting-release-notes)
 - [Release](#release)
   - [Create a tag](#create-a-tag)
@@ -37,6 +38,46 @@ be merged before releasing the scorecard GitHub Action.
 
 Check the unit tests and integration tests are passing for the planned release commit, either locally or for the GitHub workflows.
 
+### Validate the changes with scdiff
+1. Create the list of repos to use for the analysis if you don't have it already:
+```console
+cat <<EOF > repos.txt
+https://github.com/airbnb/lottie-web
+https://github.com/apache/tomcat
+https://github.com/Azure/azure-functions-dotnet-worker
+https://github.com/cncf/xds
+https://github.com/google/go-cmp
+https://github.com/google/highwayhash
+https://github.com/googleapis/google-api-php-client
+https://github.com/jacoco/jacoco
+https://github.com/ossf/scorecard
+https://github.com/pallets/jinja
+https://github.com/polymer/polymer
+https://github.com/rust-random/getrandom
+https://github.com/yaml/libyaml
+https://gitlab.com/baserow/baserow
+https://gitlab.com/cryptsetup/cryptsetup
+EOF
+```
+2. Run `scdiff` on the previous release:
+```console
+git checkout <old release tag>
+go run cmd/internal/scdiff/main.go generate --repos repos.txt --output oldRelease.json
+```
+3. Run `scdiff` on the commit to be tagged:
+```console
+git checkout <commit to be tagged>
+go run cmd/internal/scdiff/main.go generate --repos repos.txt --output newRelease.json
+```
+4. Compare the results:
+```console
+go run cmd/internal/scdiff/main.go compare oldRelease.json newRelease.json
+```
+5. Evaluating results:
+There will be differences! That's ok, but please pay attention to what they are and use your judgement when evaluating them.
+Compare the changes against the release notes you're expecting below.
+
+
 ## Drafting release notes
 
 Release notes are a semi-automated process. We often start by opening [drafting a new release on GitHub](https://github.com/ossf/scorecard/releases/new).

checker/raw_result.go

@@ -259,6 +259,10 @@ const (
 	SonarWorkflow SASTWorkflowType = "Sonar"
 	// SnykWorkflow represents a workflow that runs Snyk.
 	SnykWorkflow SASTWorkflowType = "Snyk"
+	// PysaWorkflow represents a workflow that runs Pysa.
+	PysaWorkflow SASTWorkflowType = "Pysa"
+	// QodanaWorkflow represents a workflow that runs Qodana.
+	QodanaWorkflow SASTWorkflowType = "Qodana"
 )
 
 // SASTWorkflow represents a SAST workflow.

checks/dependency_update_tool_test.go

@@ -162,3 +162,21 @@ func TestDependencyUpdateTool(t *testing.T) {
 		})
 	}
 }
+
+func TestDependencyUpdateTool_noSearchCommits(t *testing.T) {
+	t.Parallel()
+	ctrl := gomock.NewController(t)
+	mockRepo := mockrepo.NewMockRepoClient(ctrl)
+	files := []string{"README.md"}
+	mockRepo.EXPECT().ListFiles(gomock.Any()).Return(files, nil)
+	mockRepo.EXPECT().SearchCommits(gomock.Any()).Return(nil, clients.ErrUnsupportedFeature)
+	dl := scut.TestDetailLogger{}
+	c := &checker.CheckRequest{
+		RepoClient: mockRepo,
+		Dlogger:    &dl,
+	}
+	got := DependencyUpdateTool(c)
+	if got.Error != nil {
+		t.Errorf("got: %v, wanted ErrUnsupportedFeature not to propagate", got.Error)
+	}
+}

checks/evaluation/permissions/permissions.go

@@ -46,7 +46,7 @@ func TokenPermissions(name string, c *checker.CheckRequest, r *checker.TokenPerm
 	}
 
 	if r.NumTokens == 0 {
-		return checker.CreateInconclusiveResult(name, "no github tokens found")
+		return checker.CreateInconclusiveResult(name, "no tokens found")
 	}
 
 	score, err := applyScorePolicy(r, c)

checks/evaluation/pinned_dependencies.go

@@ -49,6 +49,9 @@ const (
 	gitHubOwnedActionWeight int = 2
 	thirdPartyActionWeight  int = 8
 	normalWeight            int = gitHubOwnedActionWeight + thirdPartyActionWeight
+
+	// depTypeKey is the Values map key used to fetch the dependency type.
+	depTypeKey = "dependencyType"
 )
 
 var (
@@ -172,7 +175,7 @@ func dependenciesToFindings(r *checker.PinningDependenciesData) ([]finding.Findi
 				f.Remediation = ruleRemToProbeRem(rr.Remediation)
 			}
 			f = f.WithValues(map[string]int{
-				"dependencyType": dependencyTypes[rr.Type],
+				depTypeKey: dependencyTypes[rr.Type],
 			})
 			findings = append(findings, *f)
 		} else {
@@ -189,7 +192,7 @@ func dependenciesToFindings(r *checker.PinningDependenciesData) ([]finding.Findi
 				Location: loc,
 			}
 			f = f.WithValues(map[string]int{
-				"dependencyType": dependencyTypes[rr.Type],
+				depTypeKey: dependencyTypes[rr.Type],
 			})
 			findings = append(findings, *f)
 		}
@@ -256,7 +259,7 @@ func PinningDependencies(name string, c *checker.CheckRequest,
 		default:
 			// ignore
 		}
-		updatePinningResults(intToDepType[f.Values["dependencyType"]],
+		updatePinningResults(intToDepType[f.Values[depTypeKey]],
 			f.Outcome, f.Location.Snippet,
 			&wp, pr)
 	}