Merge branch 'main' into dependabot/github_actions/github-actions-603…

…4f0241a

.github/dependabot.yml

@@ -41,3 +41,12 @@ updates:
   rebase-strategy: disabled
   commit-message:
       prefix: ":seedling:"
+  # currently needed to get PRs which actually update multiple directories in a single PR
+  # https://github.com/dependabot/dependabot-core/issues/2178#issuecomment-2109164992
+  groups:
+    golang:
+      patterns:
+        - "golang"
+    distroless:
+      patterns:
+        - "distroless/base"

Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.22.4@sha256:969349b8121a56d51c74f4c273ab974c15b3a8ae246a5cffc1df7d28b66cf978 AS base
+FROM golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8 AS base
 WORKDIR /src
 ENV CGO_ENABLED=0
 COPY go.* ./

SECURITY.md

@@ -1,11 +1,60 @@
-# Reporting Security Issues
+# OpenSSF Scorecard Security Policy
 
-To report a security issue, please email
-[[email protected]](mailto:[email protected])
-with a description of the issue, the steps you took to create the issue,
-affected versions, and, if known, mitigations for the issue.
+This document outlines security procedures and general policies for the
+OpenSSF Scorecard project.
 
-Our vulnerability management team will respond within 3 working days of your
-email. If the issue is confirmed as a vulnerability, we will open a
-Security Advisory and acknowledge your contributions as part of it. This project
-follows a 90 day disclosure timeline.
+This policy adheres to the [vulnerability management guidance](https://www.linuxfoundation.org/security)
+for Linux Foundation projects.
+
+- [Disclosing a security issue](#disclosing-a-security-issue)
+- [Vulnerability management](#vulnerability-management)
+- [Suggesting changes](#suggesting-changes)
+
+## Disclosing a security issue
+
+The OpenSSF Scorecard maintainers take all security issues in the project
+seriously. Thank you for improving the security of OpenSSF Scorecard. We
+appreciate your dedication to responsible disclosure and will make every effort
+to acknowledge your contributions.
+
+OpenSSF Scorecard leverages GitHub's private vulnerability reporting.
+
+To learn more about this feature and how to submit a vulnerability report,
+review [GitHub's documentation on private reporting](https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability).
+
+Here are some helpful details to include in your report:
+
+- a detailed description of the issue
+- the steps required to reproduce the issue
+- versions of the project that may be affected by the issue
+- if known, any mitigations for the issue
+
+A maintainer will acknowledge the report within three (3) business days, and
+will send a more detailed response within an additional three (3) business days
+indicating the next steps in handling your report.
+
+If you've been unable to successfully draft a vulnerability report via GitHub
+or have not received a response during the alloted response window, please
+reach out via the [OpenSSF security contact email](mailto:[email protected]).
+
+After the initial reply to your report, the maintainers will endeavor to keep
+you informed of the progress towards a fix and full announcement, and may ask
+for additional information or guidance.
+
+## Vulnerability management
+
+When the maintainers receive a disclosure report, they will assign it to a
+primary handler.
+
+This person will coordinate the fix and release process, which involves the
+following steps:
+
+- confirming the issue
+- determining affected versions of the project
+- auditing code to find any potential similar problems
+- preparing fixes for all releases under maintenance
+
+## Suggesting changes
+
+If you have suggestions on how this process could be improved please submit an
+issue or pull request.

attestor/Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.22.4@sha256:969349b8121a56d51c74f4c273ab974c15b3a8ae246a5cffc1df7d28b66cf978 AS base
+FROM golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8 AS base
 WORKDIR /src/scorecard
 COPY . ./
 

clients/githubrepo/roundtripper/tokens/server/Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.22.4@sha256:969349b8121a56d51c74f4c273ab974c15b3a8ae246a5cffc1df7d28b66cf978 AS base
+FROM golang:1.22.5@sha256:1a9b9cc9929106f9a24359581bcf35c7a6a3be442c1c53dc12c41a106c1daca8 AS base
 WORKDIR /src
 ENV CGO_ENABLED=0
 COPY go.* ./

clients/osv.go

@@ -58,7 +58,8 @@ func (v osvClient) ListUnfixedVulnerabilities(
 		Recursive:      true,
 		GitCommits:     gitCommits,
 		ExperimentalScannerActions: osvscanner.ExperimentalScannerActions{
-			CompareLocally: v.local,
+			CompareOffline:    v.local,
+			DownloadDatabases: v.local,
 		},
 	}, nil) // TODO: Do logging?
 

cmd/internal/scdiff/app/runner/runner.go

@@ -17,36 +17,22 @@ package runner
 import (
 	"context"
 	"errors"
-	"strings"
 
-	"github.com/ossf/scorecard/v5/checker"
-	"github.com/ossf/scorecard/v5/checks"
 	"github.com/ossf/scorecard/v5/clients"
 	"github.com/ossf/scorecard/v5/clients/githubrepo"
 	"github.com/ossf/scorecard/v5/clients/gitlabrepo"
-	"github.com/ossf/scorecard/v5/clients/ossfuzz"
 	sce "github.com/ossf/scorecard/v5/errors"
-	"github.com/ossf/scorecard/v5/internal/packageclient"
 	"github.com/ossf/scorecard/v5/log"
 	"github.com/ossf/scorecard/v5/pkg"
 )
 
-const (
-	commit      = clients.HeadSHA
-	commitDepth = 0 // default
-)
-
 // Runner holds the clients and configuration needed to run Scorecard on multiple repos.
 type Runner struct {
 	ctx           context.Context
-	logger        *log.Logger
-	enabledChecks checker.CheckNameToFnMap
 	githubClient  clients.RepoClient
 	gitlabClient  clients.RepoClient
-	ossFuzz       clients.RepoClient
-	cii           clients.CIIBestPracticesClient
-	vuln          clients.VulnerabilitiesClient
-	deps          packageclient.ProjectPackageClient
+	logger        *log.Logger
+	enabledChecks []string
 }
 
 // Creates a Runner which will run the listed checks. If no checks are provided, all will run.
@@ -62,11 +48,7 @@ func New(enabledChecks []string) Runner {
 		logger:        logger,
 		githubClient:  githubrepo.CreateGithubRepoClient(ctx, logger),
 		gitlabClient:  gitlabClient,
-		ossFuzz:       ossfuzz.CreateOSSFuzzClient(ossfuzz.StatusURL),
-		cii:           clients.DefaultCIIBestPracticesClient(),
-		vuln:          clients.DefaultVulnerabilitiesClient(),
-		deps:          packageclient.CreateDepsDevClient(),
-		enabledChecks: parseChecks(enabledChecks),
+		enabledChecks: enabledChecks,
 	}
 }
 
@@ -82,8 +64,9 @@ func (r *Runner) Run(repoURI string) (pkg.ScorecardResult, error) {
 	if err != nil {
 		return pkg.ScorecardResult{}, err
 	}
-	return pkg.RunScorecard(
-		r.ctx, repo, commit, commitDepth, r.enabledChecks, repoClient, r.ossFuzz, r.cii, r.vuln, r.deps,
+	return pkg.Run(r.ctx, repo,
+		pkg.WithRepoClient(repoClient),
+		pkg.WithChecks(r.enabledChecks),
 	)
 }
 
@@ -93,20 +76,3 @@ func (r *Runner) log(msg string) {
 		r.logger.Info(msg)
 	}
 }
-
-func parseChecks(c []string) checker.CheckNameToFnMap {
-	all := checks.GetAll()
-	if len(c) == 0 {
-		return all
-	}
-
-	ret := checker.CheckNameToFnMap{}
-	for _, requested := range c {
-		for key, fn := range all {
-			if strings.EqualFold(key, requested) {
-				ret[key] = fn
-			}
-		}
-	}
-	return ret
-}

cmd/internal/scdiff/app/runner/runner_test.go

@@ -15,23 +15,20 @@
 package runner
 
 import (
+	"context"
 	"testing"
 
 	"github.com/golang/mock/gomock"
 
-	"github.com/ossf/scorecard/v5/checker"
 	"github.com/ossf/scorecard/v5/clients"
 	mockrepo "github.com/ossf/scorecard/v5/clients/mockclients"
+	"github.com/ossf/scorecard/v5/internal/checknames"
 )
 
 func TestNew(t *testing.T) {
 	t.Parallel()
-	r := New(nil)
-	if len(r.enabledChecks) == 0 {
-		t.Errorf("runner has no checks to run: %v", r.enabledChecks)
-	}
 	requestedChecks := []string{"Code-Review"}
-	r = New(requestedChecks)
+	r := New(requestedChecks)
 	if len(r.enabledChecks) != len(requestedChecks) {
 		t.Errorf("requested %d checks but only got: %v", len(requestedChecks), r.enabledChecks)
 	}
@@ -43,11 +40,14 @@ func TestRunner_Run(t *testing.T) {
 	mockRepo := mockrepo.NewMockRepoClient(ctrl)
 	commit := []clients.Commit{{SHA: "foo"}}
 	mockRepo.EXPECT().ListCommits().Return(commit, nil)
+	mockRepo.EXPECT().ListFiles(gomock.Any()).Return(nil, nil)
 	mockRepo.EXPECT().InitRepo(gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
 	mockRepo.EXPECT().GetDefaultBranchName().Return("main", nil)
 	mockRepo.EXPECT().Close().Return(nil)
 	r := Runner{
-		enabledChecks: checker.CheckNameToFnMap{},
+		ctx: context.Background(),
+		// use a check which works locally, but we declare no files above so no-op
+		enabledChecks: []string{checknames.BinaryArtifacts},
 		githubClient:  mockRepo,
 	}
 	const repo = "github.com/foo/bar"

config/config.go

@@ -23,6 +23,7 @@ import (
 	"gopkg.in/yaml.v3"
 
 	sce "github.com/ossf/scorecard/v5/errors"
+	"github.com/ossf/scorecard/v5/internal/checknames"
 )
 
 var (
@@ -45,19 +46,19 @@ func parseFile(c *Config, content []byte) error {
 	return nil
 }
 
-func isValidCheck(check string, checks []string) bool {
-	for _, validCheck := range checks {
-		if strings.EqualFold(check, validCheck) {
+func isValidCheck(check string) bool {
+	for _, c := range checknames.AllValidChecks {
+		if strings.EqualFold(c, check) {
 			return true
 		}
 	}
 	return false
 }
 
-func validate(c Config, checks []string) error {
+func validate(c Config) error {
 	for _, annotation := range c.Annotations {
 		for _, check := range annotation.Checks {
-			if !isValidCheck(check, checks) {
+			if !isValidCheck(check) {
 				return fmt.Errorf("%w: %s", errInvalidCheck, check)
 			}
 		}
@@ -71,7 +72,7 @@ func validate(c Config, checks []string) error {
 }
 
 // Parse reads the configuration file from the repo, stored in scorecard.yml, and returns a `Config`.
-func Parse(r io.Reader, checks []string) (Config, error) {
+func Parse(r io.Reader) (Config, error) {
 	c := Config{}
 	// Find scorecard.yml file in the repository's root
 	content, err := io.ReadAll(r)
@@ -84,7 +85,7 @@ func Parse(r io.Reader, checks []string) (Config, error) {
 		return Config{}, fmt.Errorf("fail to parse configuration file: %w", err)
 	}
 
-	err = validate(c, checks)
+	err = validate(c)
 	if err != nil {
 		return Config{}, fmt.Errorf("configuration file is not valid: %w", err)
 	}