merge security-policy test branch with upstream:main

shissam · shissam · commit e0739b44ceec · 2022-11-02T13:19:51.000-05:00
Signed-off-by: Scott Hissam &lt;shissam@gmail.com&gt;
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -77,8 +77,8 @@ jobs:
           timeout_minutes: 30
           command: make e2e-pat
 
-      - name: Run attestor e2e
-        run: make e2e-attestor
+      - name: Run attestor e2e  #using retry because the GitHub token is being throttled.
+        uses: nick-invision/retry@3e91a01664abd3c5cd539100d10d33b9c5b68482
         env:
           GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }}
         with:
@@ -90,13 +90,8 @@ jobs:
       - name: codecov
         uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # 2.1.0
         with:
-         files: ./e2e-coverage.out
-         verbose: true
-
-      - name: codecov attestor
-        uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # 2.1.0
-        with:
-         files: ./attestor/e2e/e2e-coverage.out
+         fail_ci_if_error: true
+         files: ./e2e-coverage.out,./attestor/e2e/e2e-coverage.out
          verbose: true
 
       - name: find comment
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -68,12 +68,8 @@ jobs:
      - name: Upload codecoverage
        uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # 2.1.0
        with:
-         files: ./unit-coverage.out
-         verbose: true
-     - name: Upload codecoverage attestor
-       uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # 2.1.0
-       with:
-         files: ./attestor/unit-coverage.out
+         fail_ci_if_error: true
+         files: ./unit-coverage.out,./attestor/unit-coverage.out
          verbose: true
   generate-mocks:
     name: generate-mocks
diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml
@@ -26,7 +26,7 @@ jobs:
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@08dd0cebb088ac0fd6364339b1b3b68b75041ea8 # v2.0.0-alpha.2
+        uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
         with:
           results_file: results.sarif
           results_format: sarif
diff --git a/attestor/go.mod b/attestor/go.mod
@@ -57,6 +57,7 @@ require (
 	golang.org/x/sync v0.1.0 // indirect
 	golang.org/x/term v0.1.0 // indirect
 	golang.org/x/time v0.0.0-20220922220347-f3bd1da661af // indirect
+	golang.org/x/tools v0.2.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/api v0.18.8 // indirect
diff --git a/attestor/go.sum b/attestor/go.sum
@@ -1206,6 +1206,8 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.2.0 h1:G6AHpWxTMGY1KyEYoAQ5WTtIekUUvDNjan3ugu60JvE=
+golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/checks/raw/binary_artifact.go b/checks/raw/binary_artifact.go
@@ -16,6 +16,8 @@ package raw
 
 import (
 	"fmt"
+	"log"
+	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
@@ -25,6 +27,7 @@ import (
 	"github.com/h2non/filetype"
 	"github.com/h2non/filetype/types"
 	"github.com/rhysd/actionlint"
+	"golang.org/x/tools/godoc/util"
 
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks/fileparser"
@@ -155,7 +158,11 @@ var checkBinaryFileContent fileparser.DoWhileTrueOnFileContent = func(path strin
 	}
 
 	exists2 := binaryFileTypes[strings.ReplaceAll(filepath.Ext(path), ".", "")]
-	if !isText(content) && exists2 {
+	isTextFile := isText(content)
+	if _, enabled := os.LookupEnv("SCORECARD_COMPARE_ISTEXT"); enabled && isTextFile != util.IsText(content) {
+		log.Printf("isText implementations differ for file: %s", path)
+	}
+	if !isTextFile && exists2 {
 		*pfiles = append(*pfiles, checker.File{
 			Path:   path,
 			Type:   checker.FileTypeBinary,
diff --git a/cron/k8s/worker.release.yaml b/cron/k8s/worker.release.yaml
@@ -44,6 +44,8 @@ spec:
               value: "10.4.4.210:80"
             - name: "SCORECARD_API_RESULTS_BUCKET_URL"
               value: "gs://ossf-scorecard-cron-releasetest-results"
+            - name: SCORECARD_COMPARE_ISTEXT
+              value: "1"
           resources:
             requests:
               memory: 5Gi
