Merge branch 'main' into probes/code-review

.github/workflows/depsreview.yml

@@ -24,4 +24,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@01bc87099ba56df1e897b6874784491ea6309bc4 # v3.1.4
+        uses: actions/dependency-review-action@c74b580d73376b7750d3d2a50bfb8adc2c937507 # v3.1.5

.github/workflows/docker.yml

@@ -40,7 +40,7 @@ jobs:
         fetch-depth: 2 # needed to diff changed files
     - id: files
       name: Get changed files
-      uses: tj-actions/changed-files@94549999469dbfa032becf298d95c87a14c34394 #v40.2.2
+      uses: tj-actions/changed-files@62f4729b5df35e6e0e01265fa70a82ccaf196b4b #v41.1.1
       with:
         files_ignore: '**.md'
     - id: docs_only_check
@@ -78,7 +78,7 @@ jobs:
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Setup Go # needed for some of the Makefile evaluations, even if building happens in Docker 
        if: (needs.docs_only_check.outputs.docs_only != 'true')
-       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true

.github/workflows/gitlab.yml

@@ -41,7 +41,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha || github.sha }} # head SHA if PR, else fallback to push SHA
       - name: Setup Go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true
@@ -52,7 +52,7 @@ jobs:
           echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
       - name: Cache builds
         # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c #v3.3.3
         with:
           path: |
             ${{ steps.go-cache-paths.outputs.go-build }}

.github/workflows/goreleaser.yaml

@@ -43,7 +43,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Set up Go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0
         with:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true

.github/workflows/integration.yml

@@ -52,7 +52,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Setup Go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true
@@ -63,7 +63,7 @@ jobs:
           echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
       - name: Cache builds
         # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c #v3.3.3
         with:
           path: |
             ${{ steps.go-cache-paths.outputs.go-build }}

.github/workflows/lint.yml

@@ -23,7 +23,7 @@ jobs:
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: ${{ env.GO_VERSION }}
           cache: false # golangci-lint maintains its own cache

.github/workflows/main.yml

@@ -43,7 +43,7 @@ jobs:
      - name: Clone the code
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Setup Go
-       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
@@ -54,7 +54,7 @@ jobs:
         echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
+       uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c #v3.3.3
        with:
          path: |
           ${{ steps.go-cache-paths.outputs.go-build }}
@@ -106,7 +106,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+       uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
        with:
          path: |
            ~/go/pkg/mod
@@ -121,7 +121,7 @@ jobs:
        with:
           fetch-depth: 0
      - name: Setup Go
-       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
+       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
@@ -149,7 +149,7 @@ jobs:
      - name: Clone the code
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Setup Go
-       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
@@ -186,7 +186,7 @@ jobs:
        with:
           fetch-depth: 0
      - name: Setup Go
-       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
+       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
@@ -226,7 +226,7 @@ jobs:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+       uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
        with:
          path: |
            ~/go/pkg/mod
@@ -239,7 +239,7 @@ jobs:
      - name: Clone the code
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Setup Go
-       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
@@ -266,7 +266,7 @@ jobs:
 
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+       uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
        with:
          path: |
            ~/go/pkg/mod
@@ -281,7 +281,7 @@ jobs:
        with:
           fetch-depth: 0
      - name: Setup Go
-       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
+       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
@@ -313,7 +313,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+       uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
        with:
          path: |
            ~/go/pkg/mod
@@ -328,7 +328,7 @@ jobs:
        with:
           fetch-depth: 0
      - name: Setup Go
-       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
+       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
@@ -363,7 +363,7 @@ jobs:
        with:
           fetch-depth: 0
      - name: Setup Go
-       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
+       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
@@ -389,7 +389,7 @@ jobs:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0
         with:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true

.github/workflows/publishimage.yml

@@ -44,7 +44,7 @@ jobs:
        with:
           fetch-depth: 0
      - name: Setup Go
-       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
+       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
@@ -61,7 +61,7 @@ jobs:
             make install
             make scorecard-ko
      - name: Install Cosign
-       uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8
+       uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149
      - name: Sign image
        run: |
           cosign sign --yes ghcr.io/${{github.repository_owner}}/scorecard/v4:${{ github.sha }}

.github/workflows/scdiff.yml

@@ -82,7 +82,7 @@ jobs:
         with:
           ref: ${{ steps.config.outputs.base }}
       - name: Setup Go
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true

.github/workflows/scorecard-analysis.yml

@@ -40,7 +40,7 @@ jobs:
       # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
       # Optional.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
+        uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v3
         with:
           name: SARIF file
           path: results.sarif

.github/workflows/slsa-goreleaser.yml

@@ -47,12 +47,12 @@ jobs:
         uses: slsa-framework/slsa-verifier/actions/installer@v2.4.1
 
       - name: Download the artifact
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
         with:
           name: "${{ needs.build.outputs.go-binary-name }}.intoto.jsonl"
 
       - name: Download the artifact
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
         with:
           name: ${{ needs.build.outputs.go-binary-name }}
 

.gitignore

@@ -53,3 +53,8 @@ githubrepo.tar.gz
 
 # goreleaser
 dist/*
+
+# scdiff, ensure the files detailed in RELEASE.md aren't committed
+repos.txt
+oldRelease.json
+newRelease.json

README.md

@@ -517,7 +517,7 @@ For a guide to the checks you should use when getting started, see the [beginner
 
 [Two-factor Authentication (2FA)](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/about-two-factor-authentication) adds an extra layer of security when logging into websites or apps. 2FA protects your account if your password is compromised by requiring a second form of authentication, such as codes sent via SMS or authentication app, or touching a physical security key.
 
-We strongly recommend that you enable 2FA on GitHub and any important account where it is available. 2FA is not a Scorecard check because GitHub does not make that data about user accounts public. Arguably, this data should always remain private, since accounts without 2FA are so vulnerable to attack.
+We strongly recommend that you enable 2FA on any important accounts where it is available. 2FA is not a Scorecard check because GitHub and GitLab do not make that data about user accounts public. Arguably, this data should always remain private, since accounts without 2FA are so vulnerable to attack.
 
 Though it is not an official check, we urge all project maintainers to enable 2FA to protect their projects from compromise.
 
@@ -585,9 +585,9 @@ Artifact                      | Link
 ----------------------------- | ----
 Scorecard Dev Forum           | [ossf-scorecard-dev@](https://groups.google.com/g/ossf-scorecard-dev)
 Scorecard Announcements Forum | [ossf-scorecard-announce@](https://groups.google.com/g/ossf-scorecard-announce)
-Community Meeting VC          | [Link to z o o m meeting](https://zoom.us/j/98835923979)
-Community Meeting Calendar    | Biweekly Thursdays, 1:00pm-2:00pm PST <br>[Calendar](https://calendar.google.com/calendar?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ)
-Meeting Notes                 | [Notes](https://docs.google.com/document/d/1dB2U7_qZpNW96vtuoG7ShmgKXzIg6R5XT5Tc-0yz6kE/edit#heading=h.4k8ml0qkh7tl)
+Community Meeting VC          | [Link to z o o m meeting](https://zoom-lfx.platform.linuxfoundation.org/meeting/95007214146?password=250040c3-80c0-48c4-80c1-07a373116d54)
+Community Meeting Calendar    | **_APAC-friendly_** Biweekly on Thursdays at 1:00-2:00 PM Pacific ([OSSF Public Calendar](https://calendar.google.com/calendar/u/0/embed?height=600&wkst=1&bgcolor=%238E24AA&showTitle=1&mode=WEEK&showCalendars=0&showTabs=1&showPrint=0&title=OpenSSF+Community+Calendar&src=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ&color=%238E24AA)) <br>Video Call: [LFX Zoom](https://zoom-lfx.platform.linuxfoundation.org/meeting/95007214146?password=250040c3-80c0-48c4-80c1-07a373116d54) <br> **_EMEA-friendly_** Every 4 Mondays at 7:00-8:00 AM Pacific ([OSSF Public Calendar](https://calendar.google.com/calendar/u/0/embed?height=600&wkst=1&bgcolor=%238E24AA&showTitle=1&mode=WEEK&showCalendars=0&showTabs=1&showPrint=0&title=OpenSSF+Community+Calendar&src=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ&color=%238E24AA)) <br> Video Call: [LFX Zoom](https://zoom-lfx.platform.linuxfoundation.org/meeting/93377638314?password=d53af562-d908-4100-8ae1-52686756cc5d)
+Meeting Notes                 | [Notes](https://docs.google.com/document/d/1b6d3CVJLsl7YnTE7ZaZQHdkdYIvuOQ8rzAmvVdypOWM/edit?usp=sharing)
 Slack Channel                 | [#security_scorecards](https://slack.openssf.org/#security_scorecards)
 
 __Maintainers__ are listed in the [CODEOWNERS file](.github/CODEOWNERS).
@@ -600,7 +600,13 @@ To report a security issue, please follow instructions [here](SECURITY.md).
 
 #### Zoom
 
-We meet every other Thursday - 4p ET on this [zoom link](https://zoom.us/j/98835923979?pwd=RG5JZ3czZEtmRDlGdms0ZktmMFQvUT09).
+**_APAC-friendly_** Biweekly on Thursdays at 1:00-2:00 PM Pacific ([OSSF Public Calendar](https://calendar.google.com/calendar/u/0/embed?height=600&wkst=1&bgcolor=%238E24AA&showTitle=1&mode=WEEK&showCalendars=0&showTabs=1&showPrint=0&title=OpenSSF+Community+Calendar&src=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ&color=%238E24AA)) 
+
+Video Call: [LFX z o o m](https://zoom-lfx.platform.linuxfoundation.org/meeting/95007214146?password=250040c3-80c0-48c4-80c1-07a373116d54)   
+
+**_EMEA-friendly_** Every 4 Mondays at 7:00-8:00 AM Pacific ([OSSF Public Calendar](https://calendar.google.com/calendar/u/0/embed?height=600&wkst=1&bgcolor=%238E24AA&showTitle=1&mode=WEEK&showCalendars=0&showTabs=1&showPrint=0&title=OpenSSF+Community+Calendar&src=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ&color=%238E24AA))
+
+Video Call: [LFX z o o m](https://zoom-lfx.platform.linuxfoundation.org/meeting/93377638314?password=d53af562-d908-4100-8ae1-52686756cc5d)   
 
 #### Agenda
 

RELEASE.md

@@ -9,6 +9,7 @@ pull request to discuss.)
 - [Tracking](#tracking)
 - [Preparing the release](#preparing-the-release)
   - [Validate tests](#validate-tests)
+  - [Validate the changes with scdiff](#validate-the-changes-with-scdiff)
 - [Drafting release notes](#drafting-release-notes)
 - [Release](#release)
   - [Create a tag](#create-a-tag)
@@ -37,6 +38,46 @@ be merged before releasing the scorecard GitHub Action.
 
 Check the unit tests and integration tests are passing for the planned release commit, either locally or for the GitHub workflows.
 
+### Validate the changes with scdiff
+1. Create the list of repos to use for the analysis if you don't have it already:
+```console
+cat <<EOF > repos.txt
+https://github.com/airbnb/lottie-web
+https://github.com/apache/tomcat
+https://github.com/Azure/azure-functions-dotnet-worker
+https://github.com/cncf/xds
+https://github.com/google/go-cmp
+https://github.com/google/highwayhash
+https://github.com/googleapis/google-api-php-client
+https://github.com/jacoco/jacoco
+https://github.com/ossf/scorecard
+https://github.com/pallets/jinja
+https://github.com/polymer/polymer
+https://github.com/rust-random/getrandom
+https://github.com/yaml/libyaml
+https://gitlab.com/baserow/baserow
+https://gitlab.com/cryptsetup/cryptsetup
+EOF
+```
+2. Run `scdiff` on the previous release:
+```console
+git checkout <old release tag>
+go run cmd/internal/scdiff/main.go generate --repos repos.txt --output oldRelease.json
+```
+3. Run `scdiff` on the commit to be tagged:
+```console
+git checkout <commit to be tagged>
+go run cmd/internal/scdiff/main.go generate --repos repos.txt --output newRelease.json
+```
+4. Compare the results:
+```console
+go run cmd/internal/scdiff/main.go compare oldRelease.json newRelease.json
+```
+5. Evaluating results:
+There will be differences! That's ok, but please pay attention to what they are and use your judgement when evaluating them.
+Compare the changes against the release notes you're expecting below.
+
+
 ## Drafting release notes
 
 Release notes are a semi-automated process. We often start by opening [drafting a new release on GitHub](https://github.com/ossf/scorecard/releases/new).

checker/raw_result.go

@@ -259,6 +259,10 @@ const (
 	SonarWorkflow SASTWorkflowType = "Sonar"
 	// SnykWorkflow represents a workflow that runs Snyk.
 	SnykWorkflow SASTWorkflowType = "Snyk"
+	// PysaWorkflow represents a workflow that runs Pysa.
+	PysaWorkflow SASTWorkflowType = "Pysa"
+	// QodanaWorkflow represents a workflow that runs Qodana.
+	QodanaWorkflow SASTWorkflowType = "Qodana"
 )
 
 // SASTWorkflow represents a SAST workflow.

checks/all_checks_test.go

@@ -23,15 +23,13 @@ import (
 
 func Test_registerCheck(t *testing.T) {
 	t.Parallel()
-	//nolint:govet
 	type args struct {
-		name string
 		fn   checker.CheckFn
+		name string
 	}
-	//nolint:govet
 	tests := []struct {
-		name    string
 		args    args
+		name    string
 		wanterr bool
 	}{
 		{