Merge branch 'main' into commit-depth

ossf · Nov 15, 2023 · e7545c0 · e7545c0
2 parents 990c8f6 + a4ee314
commit e7545c0
Show file tree

Hide file tree

Showing 33 changed files with 340 additions and 643 deletions.
diff --git a/.github/workflows/depsreview.yml b/.github/workflows/depsreview.yml
@@ -24,4 +24,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@fde92acd0840415674c16b39c7d703fc28bc511e
+        uses: actions/dependency-review-action@7bbfa034e752445ea40215fff1c3bf9597993d3f # v3.1.3
diff --git a/.golangci.yml b/.golangci.yml
@@ -80,10 +80,6 @@ linters-settings:
   errcheck:
     check-type-assertions: true
     check-blank: true
-  errorlint:
-    # TODO remove this when project migrates to golang 1.20
-    # https://golangci-lint.run/usage/linters/#errorlint
-    errorf-multi: false
   exhaustive:
     # https://golangci-lint.run/usage/linters/#exhaustive
     default-signifies-exhaustive: true

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -43,7 +43,7 @@ You must install these tools:
 1.  [`git`](https://help.github.com/articles/set-up-git/): For source control
 
 1.  [`go`](https://golang.org/doc/install): You need go version
-    [v1.19](https://golang.org/dl/) or higher.
+    [v1.21](https://golang.org/dl/) or higher.
 
 1.  [`docker`](https://docs.docker.com/engine/install/): `v18.9` or higher.
 

diff --git a/checker/check_result.go b/checker/check_result.go
@@ -107,7 +107,7 @@ func CreateProportionalScore(success, total int) int {
 		return 0
 	}
 
-	return int(math.Min(float64(MaxResultScore*success/total), float64(MaxResultScore)))
+	return min(MaxResultScore*success/total, MaxResultScore)
 }
 
 // CreateProportionalScoreWeighted creates the proportional score
@@ -141,7 +141,7 @@ func CreateProportionalScoreWeighted(scores ...ProportionalScoreWeighted) (int,
 		return MaxResultScore, nil
 	}
 
-	return int(math.Min(float64(MaxResultScore*ws/wt), float64(MaxResultScore))), nil
+	return min(MaxResultScore*ws/wt, MaxResultScore), nil
 }
 
 // AggregateScores adds up all scores

diff --git a/checks/evaluation/code_review.go b/checks/evaluation/code_review.go
@@ -16,7 +16,6 @@ package evaluation
 
 import (
 	"fmt"
-	"math"
 
 	"github.com/ossf/scorecard/v4/checker"
 	sce "github.com/ossf/scorecard/v4/errors"
@@ -74,7 +73,7 @@ func CodeReview(name string, dl checker.DetailLogger, r *checker.CodeReviewData)
 		return checker.CreateProportionalScoreResult(
 			name,
 			fmt.Sprintf("found %d unreviewed changesets out of %d", nUnreviewedChanges, nChanges),
-			int(math.Max(float64(nChanges-nUnreviewedChanges), 0)),
+			max(nChanges-nUnreviewedChanges, 0),
 			nChanges,
 		)
 	}

diff --git a/checks/evaluation/fuzzing.go b/checks/evaluation/fuzzing.go
@@ -24,7 +24,6 @@ import (
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithGoNative"
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithJavaJazzerFuzzer"
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithOSSFuzz"
-	"github.com/ossf/scorecard/v4/probes/fuzzedWithOneFuzz"
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedHaskell"
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedJavascript"
 	"github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedTypescript"
@@ -47,7 +46,6 @@ func Fuzzing(name string,
 		fuzzedWithRustCargofuzz.Probe,
 		fuzzedWithSwiftLibFuzzer.Probe,
 		fuzzedWithJavaJazzerFuzzer.Probe,
-		fuzzedWithOneFuzz.Probe,
 		fuzzedWithOSSFuzz.Probe,
 		fuzzedWithPropertyBasedHaskell.Probe,
 		fuzzedWithPropertyBasedJavascript.Probe,

diff --git a/checks/evaluation/fuzzing_test.go b/checks/evaluation/fuzzing_test.go
@@ -64,10 +64,6 @@ func TestFuzzing(t *testing.T) {
 					Probe:   "fuzzedWithJavaJazzerFuzzer",
 					Outcome: finding.OutcomeNegative,
 				},
-				{
-					Probe:   "fuzzedWithOneFuzz",
-					Outcome: finding.OutcomeNegative,
-				},
 				{
 					Probe:   "fuzzedWithOSSFuzz",
 					Outcome: finding.OutcomeNegative,
@@ -87,7 +83,7 @@ func TestFuzzing(t *testing.T) {
 			},
 			result: scut.TestReturn{
 				Score:        checker.MinResultScore,
-				NumberOfWarn: 13,
+				NumberOfWarn: 12,
 			},
 		},
 		{
@@ -125,10 +121,6 @@ func TestFuzzing(t *testing.T) {
 					Probe:   "fuzzedWithJavaJazzerFuzzer",
 					Outcome: finding.OutcomeNegative,
 				},
-				{
-					Probe:   "fuzzedWithOneFuzz",
-					Outcome: finding.OutcomeNegative,
-				},
 				{
 					Probe:   "fuzzedWithOSSFuzz",
 					Outcome: finding.OutcomeNegative,
@@ -159,10 +151,6 @@ func TestFuzzing(t *testing.T) {
 					Probe:   "fuzzedWithClusterFuzzLite",
 					Outcome: finding.OutcomeNegative,
 				},
-				{
-					Probe:   "fuzzedWithOneFuzz",
-					Outcome: finding.OutcomeNegative,
-				},
 				{
 					Probe:   "fuzzedWithOSSFuzz",
 					Outcome: finding.OutcomeNegative,
@@ -196,10 +184,6 @@ func TestFuzzing(t *testing.T) {
 					Probe:   "fuzzedWithGoNative",
 					Outcome: finding.OutcomePositive,
 				},
-				{
-					Probe:   "fuzzedWithOneFuzz",
-					Outcome: finding.OutcomeNegative,
-				},
 				{
 					Probe:   "fuzzedWithOSSFuzz",
 					Outcome: finding.OutcomeNegative,

diff --git a/checks/fuzzing_test.go b/checks/fuzzing_test.go
@@ -53,7 +53,7 @@ func TestFuzzing(t *testing.T) {
 			wantErr: false,
 			expected: scut.TestReturn{
 				Error:         nil,
-				NumberOfWarn:  13,
+				NumberOfWarn:  12,
 				NumberOfDebug: 0,
 				NumberOfInfo:  0,
 				Score:         0,
@@ -110,7 +110,7 @@ func TestFuzzing(t *testing.T) {
 			wantFuzzErr: false,
 			expected: scut.TestReturn{
 				Error:         nil,
-				NumberOfWarn:  13,
+				NumberOfWarn:  12,
 				NumberOfDebug: 0,
 				NumberOfInfo:  0,
 				Score:         0,
@@ -121,7 +121,7 @@ func TestFuzzing(t *testing.T) {
 			wantFuzzErr: true,
 			expected: scut.TestReturn{
 				Error:         nil,
-				NumberOfWarn:  13,
+				NumberOfWarn:  12,
 				NumberOfDebug: 0,
 				NumberOfInfo:  0,
 				Score:         0,

diff --git a/checks/raw/fuzzing.go b/checks/raw/fuzzing.go
@@ -30,7 +30,6 @@ import (
 const (
 	fuzzerOSSFuzz                 = "OSSFuzz"
 	fuzzerClusterFuzzLite         = "ClusterFuzzLite"
-	oneFuzz                       = "OneFuzz"
 	fuzzerBuiltInGo               = "GoBuiltInFuzzer"
 	fuzzerPropertyBasedHaskell    = "HaskellPropertyBasedTesting"
 	fuzzerPropertyBasedJavaScript = "JavaScriptPropertyBasedTesting"
@@ -181,21 +180,6 @@ func Fuzzing(c *checker.CheckRequest) (checker.FuzzingData, error) {
 		)
 	}
 
-	usingOneFuzz, e := checkOneFuzz(c)
-	if e != nil {
-		return checker.FuzzingData{}, fmt.Errorf("%w", e)
-	}
-	if usingOneFuzz {
-		fuzzers = append(fuzzers,
-			checker.Tool{
-				Name: oneFuzz,
-				URL:  asPointer("https://github.com/microsoft/onefuzz"),
-				Desc: asPointer("Enables continuous developer-driven fuzzing to proactively harden software prior to release."),
-				// TODO: File.
-			},
-		)
-	}
-
 	usingOSSFuzz, e := checkOSSFuzz(c)
 	if e != nil {
 		return checker.FuzzingData{}, fmt.Errorf("%w", e)
@@ -251,22 +235,6 @@ func checkCFLite(c *checker.CheckRequest) (bool, error) {
 	return result, nil
 }
 
-func checkOneFuzz(c *checker.CheckRequest) (bool, error) {
-	result := false
-	e := fileparser.OnMatchingFileContentDo(c.RepoClient, fileparser.PathMatcher{
-		Pattern:       "^\\.onefuzz$",
-		CaseSensitive: true,
-	}, func(path string, content []byte, args ...interface{}) (bool, error) {
-		result = true
-		return false, nil
-	}, nil)
-	if e != nil {
-		return result, fmt.Errorf("%w", e)
-	}
-
-	return result, nil
-}
-
 func checkOSSFuzz(c *checker.CheckRequest) (bool, error) {
 	if c.OssFuzzRepo == nil {
 		return false, nil

diff --git a/checks/raw/fuzzing_test.go b/checks/raw/fuzzing_test.go
@@ -103,65 +103,6 @@ func Test_checkOSSFuzz(t *testing.T) {
 	}
 }
 
-// Test_checkOneFuzz is a test function for checkOneFuzz.
-func Test_checkOneFuzz(t *testing.T) {
-	t.Parallel()
-	//nolint
-	tests := []struct {
-		name     string
-		want     bool
-		wantErr  bool
-		fileName []string
-	}{
-		{
-			name:     "Test_checkOneFuzz success",
-			want:     true,
-			wantErr:  false,
-			fileName: []string{".onefuzz"},
-		},
-		{
-			name:     "Test_checkOneFuzz not found",
-			want:     false,
-			wantErr:  false,
-			fileName: []string{},
-		},
-		{
-			name:     "Test_checkOneFuzz failure",
-			want:     false,
-			wantErr:  true,
-			fileName: []string{".onefuzz"},
-		},
-	}
-	for _, tt := range tests {
-		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-			mockFuzz := mockrepo.NewMockRepoClient(ctrl)
-			mockFuzz.EXPECT().ListFiles(gomock.Any()).Return(tt.fileName, nil).AnyTimes()
-			mockFuzz.EXPECT().GetFileContent(gomock.Any()).DoAndReturn(func(f string) (string, error) {
-				if tt.wantErr {
-					//nolint
-					return "", errors.New("error")
-				}
-				return "", nil
-			}).AnyTimes()
-			req := checker.CheckRequest{
-				RepoClient: mockFuzz,
-			}
-			got, err := checkOneFuzz(&req)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("checkOneFuzz() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			if got != tt.want {
-				t.Errorf("checkOneFuzz() = %v, want %v for test %v", got, tt.want, tt.name)
-			}
-		})
-	}
-}
-
 // Test_checkCFLite is a test function for checkCFLite.
 func Test_checkCFLite(t *testing.T) {
 	t.Parallel()

diff --git a/checks/raw/shell_download_validate.go b/checks/raw/shell_download_validate.go
@@ -23,9 +23,9 @@ import (
 	"path"
 	"path/filepath"
 	"regexp"
+	"slices"
 	"strings"
 
-	"golang.org/x/exp/slices"
 	"mvdan.cc/sh/v3/syntax"
 
 	"github.com/ossf/scorecard/v4/checker"

diff --git a/clients/githubrepo/branches.go b/clients/githubrepo/branches.go
@@ -17,12 +17,12 @@ package githubrepo
 import (
 	"context"
 	"fmt"
+	"slices"
 	"strings"
 	"sync"
 
 	"github.com/google/go-github/v53/github"
 	"github.com/shurcooL/githubv4"
-	"golang.org/x/exp/slices"
 
 	"github.com/ossf/scorecard/v4/clients"
 	"github.com/ossf/scorecard/v4/clients/githubrepo/internal/fnmatch"

diff --git a/clients/githubrepo/tarball.go b/clients/githubrepo/tarball.go
@@ -153,7 +153,7 @@ func (handler *tarballHandler) getTarball() error {
 	defer repoFile.Close()
 	if _, err := io.Copy(repoFile, resp.Body); err != nil {
 		// This can happen if the incoming tarball is corrupted/server gateway times out.
-		return fmt.Errorf("%w io.Copy: %v", errTarballNotFound, err)
+		return fmt.Errorf("%w io.Copy: %w", errTarballNotFound, err)
 	}
 
 	handler.tempDir = tempDir
@@ -169,7 +169,7 @@ func (handler *tarballHandler) extractTarball() error {
 	}
 	gz, err := gzip.NewReader(in)
 	if err != nil {
-		return fmt.Errorf("%w: gzip.NewReader %v %v", errTarballCorrupted, handler.tempTarFile, err)
+		return fmt.Errorf("%w: gzip.NewReader %v %w", errTarballCorrupted, handler.tempTarFile, err)
 	}
 	tr := tar.NewReader(gz)
 	for {
@@ -178,7 +178,7 @@ func (handler *tarballHandler) extractTarball() error {
 			break
 		}
 		if err != nil {
-			return fmt.Errorf("%w tarReader.Next: %v", errTarballCorrupted, err)
+			return fmt.Errorf("%w tarReader.Next: %w", errTarballCorrupted, err)
 		}
 
 		switch header.Typeflag {
@@ -217,7 +217,7 @@ func (handler *tarballHandler) extractTarball() error {
 			// Potential for DoS vulnerability via decompression bomb.
 			// Since such an attack will only impact a single shard, ignoring this for now.
 			if _, err := io.Copy(outFile, tr); err != nil {
-				return fmt.Errorf("%w io.Copy: %v", errTarballCorrupted, err)
+				return fmt.Errorf("%w io.Copy: %w", errTarballCorrupted, err)
 			}
 			outFile.Close()
 			handler.files = append(handler.files,

diff --git a/clients/gitlabrepo/tarball.go b/clients/gitlabrepo/tarball.go
@@ -130,7 +130,7 @@ func (handler *tarballHandler) getTarball() error {
 	}
 	repoFile, err := os.CreateTemp(tempDir, repoFilename)
 	if err != nil {
-		return fmt.Errorf("%w io.Copy: %v", errTarballNotFound, err)
+		return fmt.Errorf("%w io.Copy: %w", errTarballNotFound, err)
 	}
 	defer repoFile.Close()
 	err = handler.apiFunction(url, tempDir, repoFile)
@@ -188,18 +188,18 @@ func (handler *tarballHandler) apiFunction(url, tempDir string, repoFile *os.Fil
 	req.Header.Set("PRIVATE-TOKEN", os.Getenv("GITLAB_AUTH_TOKEN"))
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
-		return fmt.Errorf("%w io.Copy: %v", errTarballNotFound, err)
+		return fmt.Errorf("%w io.Copy: %w", errTarballNotFound, err)
 	}
 	defer resp.Body.Close()
 
 	// Handler 400/404 errors.
 	switch resp.StatusCode {
 	case http.StatusNotFound, http.StatusBadRequest:
-		return fmt.Errorf("%w io.Copy: %v", errTarballNotFound, err)
+		return fmt.Errorf("%w io.Copy: %w", errTarballNotFound, err)
 	}
 	if _, err := io.Copy(repoFile, resp.Body); err != nil {
 		// If the incoming tarball is corrupted or the server times out.
-		return fmt.Errorf("%w io.Copy: %v", errTarballNotFound, err)
+		return fmt.Errorf("%w io.Copy: %w", errTarballNotFound, err)
 	}
 	return nil
 }
@@ -212,7 +212,7 @@ func (handler *tarballHandler) extractTarball() error {
 	}
 	gz, err := gzip.NewReader(in)
 	if err != nil {
-		return fmt.Errorf("%w: gzip.NewReader %v %v", errTarballCorrupted, handler.tempTarFile, err)
+		return fmt.Errorf("%w: gzip.NewReader %v %w", errTarballCorrupted, handler.tempTarFile, err)
 	}
 	tr := tar.NewReader(gz)
 	for {
@@ -221,7 +221,7 @@ func (handler *tarballHandler) extractTarball() error {
 			break
 		}
 		if err != nil {
-			return fmt.Errorf("%w tarReader.Next: %v", errTarballCorrupted, err)
+			return fmt.Errorf("%w tarReader.Next: %w", errTarballCorrupted, err)
 		}
 
 		switch header.Typeflag {
@@ -260,7 +260,7 @@ func (handler *tarballHandler) extractTarball() error {
 			// Potential for DoS vulnerability via decompression bomb.
 			// Since such an attack will only impact a single shard, ignoring this for now.
 			if _, err := io.Copy(outFile, tr); err != nil {
-				return fmt.Errorf("%w io.Copy: %v", errTarballCorrupted, err)
+				return fmt.Errorf("%w io.Copy: %w", errTarballCorrupted, err)
 			}
 			outFile.Close()
 			handler.files = append(handler.files,