🌱 bump project minimum Go version to go1.21 (#3661)

* upgrade go.mod to 1.21

Signed-off-by: Spencer Schrock <sschrock@google.com>

* use slices from stdlib

Signed-off-by: Spencer Schrock <sschrock@google.com>

* use max/min builtins

Signed-off-by: Spencer Schrock <sschrock@google.com>

* multierrors

possibly spin this off into its own PR

Signed-off-by: Spencer Schrock <sschrock@google.com>

* dont call rand.Seed

As of Go 1.20, the generator is seeded randomly at startup.
https://pkg.go.dev/math/rand#Seed

Signed-off-by: Spencer Schrock <sschrock@google.com>

* update minimum Go version in documentation

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>

.golangci.yml

@@ -80,10 +80,6 @@ linters-settings:
   errcheck:
     check-type-assertions: true
     check-blank: true
-  errorlint:
-    # TODO remove this when project migrates to golang 1.20
-    # https://golangci-lint.run/usage/linters/#errorlint
-    errorf-multi: false
   exhaustive:
     # https://golangci-lint.run/usage/linters/#exhaustive
     default-signifies-exhaustive: true

CONTRIBUTING.md

@@ -43,7 +43,7 @@ You must install these tools:
 1.  [`git`](https://help.github.com/articles/set-up-git/): For source control
 
 1.  [`go`](https://golang.org/doc/install): You need go version
-    [v1.19](https://golang.org/dl/) or higher.
+    [v1.21](https://golang.org/dl/) or higher.
 
 1.  [`docker`](https://docs.docker.com/engine/install/): `v18.9` or higher.
 

checker/check_result.go

@@ -107,7 +107,7 @@ func CreateProportionalScore(success, total int) int {
 		return 0
 	}
 
-	return int(math.Min(float64(MaxResultScore*success/total), float64(MaxResultScore)))
+	return min(MaxResultScore*success/total, MaxResultScore)
 }
 
 // CreateProportionalScoreWeighted creates the proportional score
@@ -141,7 +141,7 @@ func CreateProportionalScoreWeighted(scores ...ProportionalScoreWeighted) (int,
 		return MaxResultScore, nil
 	}
 
-	return int(math.Min(float64(MaxResultScore*ws/wt), float64(MaxResultScore))), nil
+	return min(MaxResultScore*ws/wt, MaxResultScore), nil
 }
 
 // AggregateScores adds up all scores

checks/evaluation/code_review.go

@@ -16,7 +16,6 @@ package evaluation
 
 import (
 	"fmt"
-	"math"
 
 	"github.com/ossf/scorecard/v4/checker"
 	sce "github.com/ossf/scorecard/v4/errors"
@@ -74,7 +73,7 @@ func CodeReview(name string, dl checker.DetailLogger, r *checker.CodeReviewData)
 		return checker.CreateProportionalScoreResult(
 			name,
 			fmt.Sprintf("found %d unreviewed changesets out of %d", nUnreviewedChanges, nChanges),
-			int(math.Max(float64(nChanges-nUnreviewedChanges), 0)),
+			max(nChanges-nUnreviewedChanges, 0),
 			nChanges,
 		)
 	}

checks/raw/shell_download_validate.go

@@ -23,9 +23,9 @@ import (
 	"path"
 	"path/filepath"
 	"regexp"
+	"slices"
 	"strings"
 
-	"golang.org/x/exp/slices"
 	"mvdan.cc/sh/v3/syntax"
 
 	"github.com/ossf/scorecard/v4/checker"

clients/githubrepo/branches.go

@@ -17,12 +17,12 @@ package githubrepo
 import (
 	"context"
 	"fmt"
+	"slices"
 	"strings"
 	"sync"
 
 	"github.com/google/go-github/v53/github"
 	"github.com/shurcooL/githubv4"
-	"golang.org/x/exp/slices"
 
 	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/githubrepo/internal/fnmatch"

clients/githubrepo/tarball.go

@@ -153,7 +153,7 @@ func (handler *tarballHandler) getTarball() error {
 	defer repoFile.Close()
 	if _, err := io.Copy(repoFile, resp.Body); err != nil {
 		// This can happen if the incoming tarball is corrupted/server gateway times out.
-		return fmt.Errorf("%w io.Copy: %v", errTarballNotFound, err)
+		return fmt.Errorf("%w io.Copy: %w", errTarballNotFound, err)
 	}
 
 	handler.tempDir = tempDir
@@ -169,7 +169,7 @@ func (handler *tarballHandler) extractTarball() error {
 	}
 	gz, err := gzip.NewReader(in)
 	if err != nil {
-		return fmt.Errorf("%w: gzip.NewReader %v %v", errTarballCorrupted, handler.tempTarFile, err)
+		return fmt.Errorf("%w: gzip.NewReader %v %w", errTarballCorrupted, handler.tempTarFile, err)
 	}
 	tr := tar.NewReader(gz)
 	for {
@@ -178,7 +178,7 @@ func (handler *tarballHandler) extractTarball() error {
 			break
 		}
 		if err != nil {
-			return fmt.Errorf("%w tarReader.Next: %v", errTarballCorrupted, err)
+			return fmt.Errorf("%w tarReader.Next: %w", errTarballCorrupted, err)
 		}
 
 		switch header.Typeflag {
@@ -217,7 +217,7 @@ func (handler *tarballHandler) extractTarball() error {
 			// Potential for DoS vulnerability via decompression bomb.
 			// Since such an attack will only impact a single shard, ignoring this for now.
 			if _, err := io.Copy(outFile, tr); err != nil {
-				return fmt.Errorf("%w io.Copy: %v", errTarballCorrupted, err)
+				return fmt.Errorf("%w io.Copy: %w", errTarballCorrupted, err)
 			}
 			outFile.Close()
 			handler.files = append(handler.files,

clients/gitlabrepo/tarball.go

@@ -130,7 +130,7 @@ func (handler *tarballHandler) getTarball() error {
 	}
 	repoFile, err := os.CreateTemp(tempDir, repoFilename)
 	if err != nil {
-		return fmt.Errorf("%w io.Copy: %v", errTarballNotFound, err)
+		return fmt.Errorf("%w io.Copy: %w", errTarballNotFound, err)
 	}
 	defer repoFile.Close()
 	err = handler.apiFunction(url, tempDir, repoFile)
@@ -188,18 +188,18 @@ func (handler *tarballHandler) apiFunction(url, tempDir string, repoFile *os.Fil
 	req.Header.Set("PRIVATE-TOKEN", os.Getenv("GITLAB_AUTH_TOKEN"))
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
-		return fmt.Errorf("%w io.Copy: %v", errTarballNotFound, err)
+		return fmt.Errorf("%w io.Copy: %w", errTarballNotFound, err)
 	}
 	defer resp.Body.Close()
 
 	// Handler 400/404 errors.
 	switch resp.StatusCode {
 	case http.StatusNotFound, http.StatusBadRequest:
-		return fmt.Errorf("%w io.Copy: %v", errTarballNotFound, err)
+		return fmt.Errorf("%w io.Copy: %w", errTarballNotFound, err)
 	}
 	if _, err := io.Copy(repoFile, resp.Body); err != nil {
 		// If the incoming tarball is corrupted or the server times out.
-		return fmt.Errorf("%w io.Copy: %v", errTarballNotFound, err)
+		return fmt.Errorf("%w io.Copy: %w", errTarballNotFound, err)
 	}
 	return nil
 }
@@ -212,7 +212,7 @@ func (handler *tarballHandler) extractTarball() error {
 	}
 	gz, err := gzip.NewReader(in)
 	if err != nil {
-		return fmt.Errorf("%w: gzip.NewReader %v %v", errTarballCorrupted, handler.tempTarFile, err)
+		return fmt.Errorf("%w: gzip.NewReader %v %w", errTarballCorrupted, handler.tempTarFile, err)
 	}
 	tr := tar.NewReader(gz)
 	for {
@@ -221,7 +221,7 @@ func (handler *tarballHandler) extractTarball() error {
 			break
 		}
 		if err != nil {
-			return fmt.Errorf("%w tarReader.Next: %v", errTarballCorrupted, err)
+			return fmt.Errorf("%w tarReader.Next: %w", errTarballCorrupted, err)
 		}
 
 		switch header.Typeflag {
@@ -260,7 +260,7 @@ func (handler *tarballHandler) extractTarball() error {
 			// Potential for DoS vulnerability via decompression bomb.
 			// Since such an attack will only impact a single shard, ignoring this for now.
 			if _, err := io.Copy(outFile, tr); err != nil {
-				return fmt.Errorf("%w io.Copy: %v", errTarballCorrupted, err)
+				return fmt.Errorf("%w io.Copy: %w", errTarballCorrupted, err)
 			}
 			outFile.Close()
 			handler.files = append(handler.files,

cmd/internal/nuget/client.go

@@ -22,10 +22,9 @@ import (
 	"io"
 	"net/http"
 	"regexp"
+	"slices"
 	"strings"
 
-	"golang.org/x/exp/slices"
-
 	pmc "github.com/ossf/scorecard/v4/cmd/internal/packagemanager"
 	sce "github.com/ossf/scorecard/v4/errors"
 )

cmd/internal/nuget/client_test.go

@@ -22,11 +22,11 @@ import (
 	"io"
 	"net/http"
 	"os"
+	"slices"
 	"strings"
 	"testing"
 
 	"github.com/golang/mock/gomock"
-	"golang.org/x/exp/slices"
 
 	pmc "github.com/ossf/scorecard/v4/cmd/internal/packagemanager"
 )

cmd/internal/scdiff/app/stats.go

@@ -20,11 +20,11 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"slices"
 	"strings"
 	"text/tabwriter"
 
 	"github.com/spf13/cobra"
-	"golang.org/x/exp/slices"
 
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/pkg"

cron/data/blob.go

@@ -156,7 +156,7 @@ func ParseBlobFilename(key string) (time.Time, string, error) {
 	objectName := key[len(filePrefixFormat):]
 	t, err := time.Parse(filePrefixFormat, prefix)
 	if err != nil {
-		return t, "", fmt.Errorf("%w: %v", errParseBlobName, err)
+		return t, "", fmt.Errorf("%w: %w", errParseBlobName, err)
 	}
 	return t, objectName, nil
 }

cron/internal/shuffle/main.go

@@ -19,7 +19,6 @@ import (
 	"math/rand"
 	"os"
 	"strconv"
-	"time"
 
 	"github.com/ossf/scorecard/v4/cron/data"
 )
@@ -56,7 +55,6 @@ func main() {
 		repoURLs = append(repoURLs, repo)
 	}
 
-	rand.Seed(time.Now().UnixNano())
 	rand.Shuffle(len(repoURLs), func(i, j int) {
 		repoURLs[i], repoURLs[j] = repoURLs[j], repoURLs[i]
 	})

finding/probe/probe.go

@@ -141,7 +141,7 @@ func parseFromYAML(content []byte) (*yamlProbe, error) {
 
 	err := yaml.Unmarshal(content, &r)
 	if err != nil {
-		return nil, fmt.Errorf("%w: %v", errInvalid, err)
+		return nil, fmt.Errorf("%w: %w", errInvalid, err)
 	}
 	return &r, nil
 }
@@ -151,7 +151,7 @@ func parseFromYAML(content []byte) (*yamlProbe, error) {
 func (r *RemediationEffort) UnmarshalYAML(n *yaml.Node) error {
 	var str string
 	if err := n.Decode(&str); err != nil {
-		return fmt.Errorf("%w: %v", errInvalid, err)
+		return fmt.Errorf("%w: %w", errInvalid, err)
 	}
 
 	// nolint:goconst

go.mod

@@ -1,6 +1,6 @@
 module github.com/ossf/scorecard/v4
 
-go 1.19
+go 1.21
 
 require (
 	cloud.google.com/go/bigquery v1.57.1
@@ -174,7 +174,7 @@ require (
 	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	golang.org/x/crypto v0.14.0 // indirect
-	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
+	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/oauth2 v0.13.0
 	golang.org/x/sync v0.4.0 // indirect