Merge branch 'main' into delete-project-update

Author: spencerschrock

.github/workflows/docker.yml

@@ -42,7 +42,7 @@ jobs:
         fetch-depth: 2 # needed to diff changed files
     - id: files
       name: Get changed files
-      uses: tj-actions/changed-files@1f20fb83f05eabed6e12ba0329edac8b6ec8e207 #v37.1.1
+      uses: tj-actions/changed-files@2a968ff601949c81b47d9c1fdb789b0d25ddeea2 #v37.1.2
       with:
         files_ignore: '**.md'
     - id: docs_only_check

.github/workflows/main.yml

@@ -82,7 +82,7 @@ jobs:
           command: make e2e-pat
      - name: codecov
        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # 2.1.0
-       if: ${{ github.event_name != 'pull_request' }}
+       if: ${{ github.event_name != 'pull_request' || github.actor != 'dependabot[bot]' }}
        with:
          files: "*e2e-coverage.out"
          verbose: true

Makefile

@@ -330,7 +330,7 @@ endif
 e2e-pat: ## Runs e2e tests. Requires GITHUB_AUTH_TOKEN env var to be set to GitHub personal access token
 e2e-pat: build-scorecard check-env | $(GINKGO)
 	# Run e2e tests. GITHUB_AUTH_TOKEN with personal access token must be exported to run this
-	TOKEN_TYPE="PAT" $(GINKGO) --race -p -v -cover -coverprofile=e2e-coverage.out --keep-separate-coverprofiles ./...
+	TOKEN_TYPE="PAT" $(GINKGO) --race -p -v  -coverprofile=e2e-coverage.out -coverpkg=./... -r ./... 
 
 e2e-gh-token: ## Runs e2e tests. Requires GITHUB_AUTH_TOKEN env var to be set to default GITHUB_TOKEN
 e2e-gh-token: build-scorecard check-env | $(GINKGO)
@@ -444,4 +444,4 @@ cron-github-server-ko: | $(KO) $(KOCACHE_PATH)
 			   --tags latest,$(GIT_VERSION),$(GIT_HASH) \
 			   github.com/ossf/scorecard/v4/clients/githubrepo/roundtripper/tokens/server
 
-###############################################################################
+###############################################################################

README.md

@@ -1,6 +1,6 @@
 # OpenSSF Scorecard
 
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ossf/scorecard/badge)](https://api.securityscorecards.dev/projects/github.com/ossf/scorecard)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ossf/scorecard/badge)](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard)
 [![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/5621/badge)](https://bestpractices.coreinfrastructure.org/projects/5621)
 ![build](https://github.com/ossf/scorecard/workflows/build/badge.svg?branch=main)
 ![CodeQL](https://github.com/ossf/scorecard/workflows/CodeQL/badge.svg?branch=main)
@@ -154,12 +154,12 @@ in the Scorecard GitHub Action setting.
 
 Enabling [`publish_results: true`](https://github.com/ossf/scorecard-action/blob/dd5015aaf9688596b0e6d11e7f24fff566aa366b/action.yaml#L35)
 in Scorecard GitHub Actions also allows maintainers to display a Scorecard badge on their repository to show off their
-hard work. This badge also auto-updates for every change made to the repository.
+hard work. This badge also auto-updates for every change made to the repository. See more details on [this OSSF blogpost](https://openssf.org/blog/2022/09/08/show-off-your-security-score-announcing-scorecards-badges/).
+
 To include a badge on your project's repository, simply add the following markdown to your README:
 
 ```
-[![OpenSSF
-Scorecard](https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}/badge)](https://api.securityscorecards.dev/projects/github.com/{owner}/{repo})
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}/badge)](https://securityscorecards.dev/viewer/?uri=github.com/{owner}/{repo})
 ```
 
 ### Scorecard Command Line Interface

checks/sast.go

@@ -100,7 +100,7 @@ func SAST(c *checker.CheckRequest) checker.CheckResult {
 				Text: getNonCompliantPRMessage(nonCompliantPRs),
 			})
 			score := checker.AggregateScoresWithWeight(map[int]int{sastScore: sastWeight, codeQlScore: codeQlWeight})
-			return checker.CreateResultWithScore(CheckSAST, "SAST tool detected but not run on all commmits", score)
+			return checker.CreateResultWithScore(CheckSAST, "SAST tool detected but not run on all commits", score)
 		default:
 			return checker.CreateRuntimeErrorResult(CheckSAST, sce.WithMessage(sce.ErrScorecardInternal, "contact team"))
 		}

clients/githubrepo/branches.go

@@ -190,7 +190,16 @@ func copyAdminSettings(src *branchProtectionRule, dst *clients.BranchProtectionR
 	copyBoolPtr(src.DismissesStaleReviews, &dst.RequiredPullRequestReviews.DismissStaleReviews)
 	if src.RequiresStatusChecks != nil {
 		copyBoolPtr(src.RequiresStatusChecks, &dst.CheckRules.RequiresStatusChecks)
-		copyBoolPtr(src.RequiresStrictStatusChecks, &dst.CheckRules.UpToDateBeforeMerge)
+		// TODO(#3255): Update when GitHub GraphQL bug is fixed
+		// Workaround for GitHub GraphQL bug https://github.com/orgs/community/discussions/59471
+		// The setting RequiresStrictStatusChecks should tell if the branch is required
+		// to be up to date before merge, but it only returns the correct value if
+		// RequiresStatusChecks is true. If RequiresStatusChecks is false, RequiresStrictStatusChecks
+		// is wrongly retrieved as true.
+		if src.RequiresStrictStatusChecks != nil {
+			upToDateBeforeMerge := *src.RequiresStatusChecks && *src.RequiresStrictStatusChecks
+			copyBoolPtr(&upToDateBeforeMerge, &dst.CheckRules.UpToDateBeforeMerge)
+		}
 	}
 }
 

cmd/internal/scdiff/app/format/format.go

@@ -0,0 +1,34 @@
+// Copyright 2023 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package format
+
+import (
+	"os"
+
+	"github.com/ossf/scorecard/v4/docs/checks"
+	"github.com/ossf/scorecard/v4/log"
+	"github.com/ossf/scorecard/v4/pkg"
+)
+
+//nolint:wrapcheck
+func JSON(r *pkg.ScorecardResult) error {
+	const details = true
+	docs, err := checks.Read()
+	if err != nil {
+		return err
+	}
+	// TODO standardize the input, and output it to a file
+	return r.AsJSON2(details, log.DefaultLevel, docs, os.Stdout)
+}

cmd/internal/scdiff/app/generate.go

@@ -0,0 +1,64 @@
+// Copyright 2023 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package app
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+
+	"github.com/ossf/scorecard/v4/cmd/internal/scdiff/app/format"
+	"github.com/ossf/scorecard/v4/cmd/internal/scdiff/app/runner"
+)
+
+//nolint:gochecknoinits // common for cobra apps
+func init() {
+	rootCmd.AddCommand(generateCmd)
+	generateCmd.PersistentFlags().StringVarP(&repoFile, "repos", "r", "", "path to newline-delimited repo file")
+}
+
+var (
+	repoFile string
+
+	generateCmd = &cobra.Command{
+		Use:   "generate [flags] repofile",
+		Short: "Generate Scorecard results for diffing",
+		Long:  `Generate Scorecard results for diffing`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			f, err := os.Open(repoFile)
+			if err != nil {
+				return fmt.Errorf("unable to open repo file: %w", err)
+			}
+			scorecardRunner := runner.New()
+			scanner := bufio.NewScanner(f)
+			for scanner.Scan() {
+				results, err := scorecardRunner.Run(scanner.Text())
+				if err != nil {
+					return fmt.Errorf("running scorecard on %s: %w", scanner.Text(), err)
+				}
+				err = format.JSON(&results)
+				if err != nil {
+					return fmt.Errorf("formatting results: %w", err)
+				}
+			}
+			if err := scanner.Err(); err != nil {
+				return fmt.Errorf("reading repo file: %w", err)
+			}
+			return nil
+		},
+	}
+)

cmd/internal/scdiff/app/root.go

@@ -0,0 +1,35 @@
+// Copyright 2023 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package app
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+)
+
+var rootCmd = &cobra.Command{
+	Use:   "scdiff",
+	Short: "Scorecard Diff",
+	Long:  `Scorecard result diffing command line interface tool`,
+}
+
+func Execute() {
+	if err := rootCmd.Execute(); err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(1)
+	}
+}

cmd/internal/scdiff/app/runner/runner.go

@@ -0,0 +1,75 @@
+// Copyright 2023 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package runner
+
+import (
+	"context"
+
+	"github.com/ossf/scorecard/v4/checker"
+	"github.com/ossf/scorecard/v4/checks"
+	"github.com/ossf/scorecard/v4/clients"
+	"github.com/ossf/scorecard/v4/clients/githubrepo"
+	"github.com/ossf/scorecard/v4/clients/ossfuzz"
+	"github.com/ossf/scorecard/v4/log"
+	"github.com/ossf/scorecard/v4/pkg"
+)
+
+const (
+	commit      = clients.HeadSHA
+	commitDepth = 0 // default
+)
+
+// Runner holds the clients and configuration needed to run Scorecard on multiple repos.
+type Runner struct {
+	ctx           context.Context
+	logger        *log.Logger
+	enabledChecks checker.CheckNameToFnMap
+	repoClient    clients.RepoClient
+	ossFuzz       clients.RepoClient
+	cii           clients.CIIBestPracticesClient
+	vuln          clients.VulnerabilitiesClient
+}
+
+func New() Runner {
+	ctx := context.Background()
+	logger := log.NewLogger(log.DefaultLevel)
+	return Runner{
+		ctx:           ctx,
+		logger:        logger,
+		repoClient:    githubrepo.CreateGithubRepoClient(ctx, logger),
+		ossFuzz:       ossfuzz.CreateOSSFuzzClient(ossfuzz.StatusURL),
+		cii:           clients.DefaultCIIBestPracticesClient(),
+		vuln:          clients.DefaultVulnerabilitiesClient(),
+		enabledChecks: checks.GetAll(),
+	}
+}
+
+//nolint:wrapcheck
+func (r *Runner) Run(repoURI string) (pkg.ScorecardResult, error) {
+	r.log("processing repo: " + repoURI)
+	// TODO (gitlab?)
+	repo, err := githubrepo.MakeGithubRepo(repoURI)
+	if err != nil {
+		return pkg.ScorecardResult{}, err
+	}
+	return pkg.RunScorecard(r.ctx, repo, commit, commitDepth, r.enabledChecks, r.repoClient, r.ossFuzz, r.cii, r.vuln)
+}
+
+// logs only if logger is set.
+func (r *Runner) log(msg string) {
+	if r.logger != nil {
+		r.logger.Info(msg)
+	}
+}