Projects STRLCPY scorecard Commits f983480b
  • ■ ■ ■ ■ ■
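--- a/.gitignore
+++ b/.gitignore
@@ -42,6 +42,7 @@
 .vscode/
 *.iml
 .idea
+.history
 
 # tools
 bin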
  • ■ ■ ■ ■
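--- a/checker/client.go
+++ b/checker/client.go
@@ -45,7 +45,7 @@
  localdir.CreateLocalDirClient(ctx, logger), /*repoClient*/
  nil, /*ossFuzzClient*/
  nil, /*ciiClient*/
- nil, /*vulnClient*/
+ clients.DefaultVulnerabilitiesClient(), /*vulnClient*/
  retErr
  }
 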
  • ■ ■ ■ ■ ■ ■
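--- a/checks/evaluation/vulnerabilities.go
+++ b/checks/evaluation/vulnerabilities.go
@@ -18,6 +18,8 @@
  "fmt"
  "strings"
 
+ "github.com/google/osv-scanner/pkg/grouper"
+
  "github.com/ossf/scorecard/v4/checker"
  sce "github.com/ossf/scorecard/v4/errors"
 )
@@ -31,21 +33,25 @@
  return checker.CreateRuntimeErrorResult(name, e)
  }
 
- score := checker.MaxResultScore
- IDs := []string{}
+ aliasVulnerabilities := []grouper.IDAliases{}
  for _, vuln := range r.Vulnerabilities {
- IDs = append(IDs, vuln.ID)
- score--
+ aliasVulnerabilities = append(aliasVulnerabilities, grouper.IDAliases(vuln))
  }
 
+ IDs := grouper.Group(aliasVulnerabilities)
+ score := checker.MaxResultScore - len(IDs)
+
  if score < checker.MinResultScore {
  score = checker.MinResultScore
  }
 
  if len(IDs) > 0 {
- dl.Warn(&checker.LogMessage{
- Text: fmt.Sprintf("HEAD is vulnerable to %s", strings.Join(IDs, ", ")),
- })
+ for _, v := range IDs {
+ dl.Warn(&checker.LogMessage{
+ Text: fmt.Sprintf("Project is vulnerable to: %s", strings.Join(v.IDs, " / ")),
+ })
+ }
+
  return checker.CreateResultWithScore(name,
  fmt.Sprintf("%v existing vulnerabilities detected", len(IDs)), score)
  }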
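Review bot: The conversion `grouper.IDAliases(vuln)` in the loop only compiles while the project's vulnerability struct and the third-party `grouper.IDAliases` keep exactly the same fields, so a scanner update that adds a field would break the build in this check rather than at the client boundary. Constructing the value explicitly, `grouper.IDAliases{ID: vuln.ID, Aliases: vuln.Aliases}`, keeps that coupling visible and local. The scoring rule also changed meaning and deserves a comment above `score := checker.MaxResultScore - len(IDs)`, for example `// One point per alias group, so an advisory and its aliases are counted once.` The enclosing function starts and ends outside the hunk.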
  • ■ ■ ■ ■ ■ ■
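--- a/checks/raw/vulnerabilities.go
+++ b/checks/raw/vulnerabilities.go
@@ -23,18 +23,19 @@
 
 // Vulnerabilities retrieves the raw data for the Vulnerabilities check.
 func Vulnerabilities(c *checker.CheckRequest) (checker.VulnerabilitiesData, error) {
+ commitHash := ""
  commits, err := c.RepoClient.ListCommits()
- if err != nil {
- return checker.VulnerabilitiesData{}, fmt.Errorf("repoClient.ListCommits: %w", err)
+ if err == nil && len(commits) > 0 && !allOf(commits, hasEmptySHA) {
+ commitHash = commits[0].SHA
  }
 
- if len(commits) < 1 || allOf(commits, hasEmptySHA) {
- return checker.VulnerabilitiesData{}, nil
+ localPath, err := c.RepoClient.LocalPath()
+ if err != nil {
+ return checker.VulnerabilitiesData{}, fmt.Errorf("RepoClient.LocalPath: %w", err)
  }
-
- resp, err := c.VulnerabilitiesClient.HasUnfixedVulnerabilities(c.Ctx, commits[0].SHA)
+ resp, err := c.VulnerabilitiesClient.ListUnfixedVulnerabilities(c.Ctx, commitHash, localPath)
  if err != nil {
- return checker.VulnerabilitiesData{}, fmt.Errorf("vulnerabilitiesClient.HasUnfixedVulnerabilities: %w", err)
+ return checker.VulnerabilitiesData{}, fmt.Errorf("vulnerabilitiesClient.ListUnfixedVulnerabilities: %w", err)
  }
  return checker.VulnerabilitiesData{
  Vulnerabilities: resp.Vulnerabilities,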
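Review bot: A failed `ListCommits` call is now discarded silently: when `err != nil` the code falls through with `commitHash` empty and the error value is overwritten by `localPath, err := c.RepoClient.LocalPath()`, so an API failure becomes a scan with less input instead of a check error. If `LocalPath` also returns an empty string with a nil error, as the GitLab client stub added in this commit does, `ListUnfixedVulnerabilities` is called with nothing to scan, and whether that surfaces as an error or as an empty, maximum-score result depends on scanner behaviour this page does not show. A vulnerability check should fail closed here, for example `if commitHash == "" && localPath == "" { return checker.VulnerabilitiesData{}, fmt.Errorf("vulnerabilities: no commit or local path to scan") }` before the client call, and the `ListCommits` error should at least be logged. The function body continues outside the hunk.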
  • ■ ■ ■ ■ ■
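--- a/checks/raw/vulnerabilities_test.go
+++ b/checks/raw/vulnerabilities_test.go
@@ -85,9 +85,13 @@
  return []clients.Commit{{SHA: "test"}}, nil
  }).AnyTimes()
 
+ mockRepo.EXPECT().LocalPath().DoAndReturn(func() (string, error) {
+ return "test_path", nil
+ }).AnyTimes()
+
  mockVulnClient := mockrepo.NewMockVulnerabilitiesClient(ctrl)
- mockVulnClient.EXPECT().HasUnfixedVulnerabilities(context.TODO(), gomock.Any()).DoAndReturn(
- func(ctx context.Context, repo string) (clients.VulnerabilitiesResponse, error) {
+ mockVulnClient.EXPECT().ListUnfixedVulnerabilities(context.TODO(), gomock.Any(), gomock.Any()).DoAndReturn(
+ func(ctx context.Context, commit string, localPath string) (clients.VulnerabilitiesResponse, error) {
  if tt.vulnsError {
  //nolint
  return clients.VulnerabilitiesResponse{}, errors.New("error")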
  • ■ ■ ■ ■ ■
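--- a/checks/vulnerabilities.go
+++ b/checks/vulnerabilities.go
@@ -28,6 +28,7 @@
 func init() {
  supportedRequestTypes := []checker.RequestType{
  checker.CommitBased,
+ checker.FileBased,
  }
  if err := registerCheck(CheckVulnerabilities, Vulnerabilities, supportedRequestTypes); err != nil {
  // this should never happen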
  • ■ ■ ■ ■ ■
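--- a/checks/vulnerabilities_test.go
+++ b/checks/vulnerabilities_test.go
@@ -55,9 +55,13 @@
  return []clients.Commit{{SHA: "test"}}, nil
  }).MinTimes(1)
 
+ mockRepo.EXPECT().LocalPath().DoAndReturn(func() (string, error) {
+ return "test_path", nil
+ }).AnyTimes()
+
  mockVulnClient := mockrepo.NewMockVulnerabilitiesClient(ctrl)
- mockVulnClient.EXPECT().HasUnfixedVulnerabilities(context.TODO(), gomock.Any()).DoAndReturn(
- func(ctx context.Context, repo string) (clients.VulnerabilitiesResponse, error) {
+ mockVulnClient.EXPECT().ListUnfixedVulnerabilities(context.TODO(), gomock.Any(), gomock.Any()).DoAndReturn(
+ func(ctx context.Context, commit string, localPath string) (clients.VulnerabilitiesResponse, error) {
  return tt.expected, tt.err
  }).MinTimes(1)
 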
  • ■ ■ ■ ■ ■
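--- a/clients/githubrepo/client.go
+++ b/clients/githubrepo/client.go
@@ -130,6 +130,11 @@
  return fmt.Sprintf("github.com/%s/%s", client.repourl.owner, client.repourl.repo)
 }
 
+// LocalPath implements RepoClient.LocalPath.
+func (client *Client) LocalPath() (string, error) {
+ return client.tarball.getLocalPath()
+}
+
 // ListFiles implements RepoClient.ListFiles.
 func (client *Client) ListFiles(predicate func(string) (bool, error)) ([]string, error) {
  return client.tarball.listFiles(predicate)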
  • ■ ■ ■ ■ ■ ■
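--- a/clients/githubrepo/tarball.go
+++ b/clients/githubrepo/tarball.go
@@ -243,6 +243,17 @@
  return ret, nil
 }
 
+func (handler *tarballHandler) getLocalPath() (string, error) {
+ if err := handler.setup(); err != nil {
+ return "", fmt.Errorf("error during tarballHandler.setup: %w", err)
+ }
+ absTempDir, err := filepath.Abs(handler.tempDir)
+ if err != nil {
+ return "", fmt.Errorf("error during filepath.Abs: %w", err)
+ }
+ return absTempDir, nil
+}
+
 func (handler *tarballHandler) getFileContent(filename string) ([]byte, error) {
  if err := handler.setup(); err != nil {
  return nil, fmt.Errorf("error during tarballHandler.setup: %w", err)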
  • ■ ■ ■ ■ ■ ■
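--- a/clients/gitlabrepo/client.go
+++ b/clients/gitlabrepo/client.go
@@ -136,6 +136,10 @@
  return fmt.Sprintf("%s/%s/%s", client.repourl.hostname, client.repourl.owner, client.repourl.projectID)
 }
 
+func (client *Client) LocalPath() (string, error) {
+ return "", nil
+}
+
 func (client *Client) ListFiles(predicate func(string) (bool, error)) ([]string, error) {
  return nil, nil
 }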
  • ■ ■ ■ ■ ■ ■
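--- a/clients/localdir/client.go
+++ b/clients/localdir/client.go
@@ -142,6 +142,15 @@
  return files, nil
 }
 
+// LocalPath implements RepoClient.LocalPath.
+func (client *localDirClient) LocalPath() (string, error) {
+ clientPath, err := filepath.Abs(client.path)
+ if err != nil {
+ return "", fmt.Errorf("error during filepath.Abs: %w", err)
+ }
+ return clientPath, nil
+}
+
 // ListFiles implements RepoClient.ListFiles.
 func (client *localDirClient) ListFiles(predicate func(string) (bool, error)) ([]string, error) {
  client.once.Do(func() {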
  • ■ ■ ■ ■ ■ ■
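--- a/clients/mockclients/repo_client.go
+++ b/clients/mockclients/repo_client.go
@@ -333,6 +333,21 @@
  return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListWebhooks", reflect.TypeOf((*MockRepoClient)(nil).ListWebhooks))
 }
 
+// LocalPath mocks base method.
+func (m *MockRepoClient) LocalPath() (string, error) {
+ m.ctrl.T.Helper()
+ ret := m.ctrl.Call(m, "LocalPath")
+ ret0, _ := ret[0].(string)
+ ret1, _ := ret[1].(error)
+ return ret0, ret1
+}
+
+// LocalPath indicates an expected call of LocalPath.
+func (mr *MockRepoClientMockRecorder) LocalPath() *gomock.Call {
+ mr.mock.ctrl.T.Helper()
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "LocalPath", reflect.TypeOf((*MockRepoClient)(nil).LocalPath))
+}
+
 // Search mocks base method.
 func (m *MockRepoClient) Search(request clients.SearchRequest) (clients.SearchResponse, error) {
  m.ctrl.T.Helper()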
  • ■ ■ ■ ■ ■ ■
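--- a/clients/mockclients/vulnerabilities.go
+++ b/clients/mockclients/vulnerabilities.go
@@ -50,18 +50,18 @@
  return m.recorder
 }
 
-// HasUnfixedVulnerabilities mocks base method.
-func (m *MockVulnerabilitiesClient) HasUnfixedVulnerabilities(context context.Context, commit string) (clients.VulnerabilitiesResponse, error) {
+// ListUnfixedVulnerabilities mocks base method.
+func (m *MockVulnerabilitiesClient) ListUnfixedVulnerabilities(context context.Context, commit, localDir string) (clients.VulnerabilitiesResponse, error) {
  m.ctrl.T.Helper()
- ret := m.ctrl.Call(m, "HasUnfixedVulnerabilities", context, commit)
+ ret := m.ctrl.Call(m, "ListUnfixedVulnerabilities", context, commit, localDir)
  ret0, _ := ret[0].(clients.VulnerabilitiesResponse)
  ret1, _ := ret[1].(error)
  return ret0, ret1
 }
 
-// HasUnfixedVulnerabilities indicates an expected call of HasUnfixedVulnerabilities.
-func (mr *MockVulnerabilitiesClientMockRecorder) HasUnfixedVulnerabilities(context, commit interface{}) *gomock.Call {
+// ListUnfixedVulnerabilities indicates an expected call of ListUnfixedVulnerabilities.
+func (mr *MockVulnerabilitiesClientMockRecorder) ListUnfixedVulnerabilities(context, commit, localDir interface{}) *gomock.Call {
  mr.mock.ctrl.T.Helper()
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "HasUnfixedVulnerabilities", reflect.TypeOf((*MockVulnerabilitiesClient)(nil).HasUnfixedVulnerabilities), context, commit)
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListUnfixedVulnerabilities", reflect.TypeOf((*MockVulnerabilitiesClient)(nil).ListUnfixedVulnerabilities), context, commit, localDir)
 }
 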
  • ■ ■ ■ ■ ■ ■
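--- a/clients/osv.go
+++ b/clients/osv.go
@@ -15,63 +15,69 @@
 package clients
 
 import (
- "bytes"
  "context"
- "encoding/json"
- "net/http"
+ "fmt"
 
- "github.com/ossf/scorecard/v4/errors"
+ "github.com/google/osv-scanner/pkg/osvscanner"
 )
 
 var _ VulnerabilitiesClient = osvClient{}
 
 type osvClient struct{}
 
-const osvQueryEndpoint = "https://api.osv.dev/v1/query"
-
-type osvQuery struct {
- Commit string `json:"commit"`
-}
-
-type osvResp struct {
- Vulns []struct {
- ID string `json:"id"`
- } `json:"vulns"`
-}
-
-// HasUnfixedVulnerabilities implements VulnerabilityClient.HasUnfixedVulnerabilities.
-func (v osvClient) HasUnfixedVulnerabilities(ctx context.Context, commit string) (VulnerabilitiesResponse, error) {
- query, err := json.Marshal(&osvQuery{
- Commit: commit,
- })
- if err != nil {
- return VulnerabilitiesResponse{}, errors.WithMessage(err, "failed to marshal query")
+// ListUnfixedVulnerabilities implements VulnerabilityClient.ListUnfixedVulnerabilities.
+func (v osvClient) ListUnfixedVulnerabilities(
+ ctx context.Context,
+ commit,
+ localPath string,
+) (VulnerabilitiesResponse, error) {
+ directoryPaths := []string{}
+ if localPath != "" {
+ directoryPaths = append(directoryPaths, localPath)
  }
-
- req, err := http.NewRequestWithContext(ctx, http.MethodPost, osvQueryEndpoint, bytes.NewReader(query))
- if err != nil {
- return VulnerabilitiesResponse{}, errors.WithMessage(err, "failed to create request")
+ gitCommits := []string{}
+ if commit != "" {
+ gitCommits = append(gitCommits, commit)
  }
-
- httpClient := &http.Client{}
- resp, err := httpClient.Do(req)
+ res, err := osvscanner.DoScan(osvscanner.ScannerActions{
+ DirectoryPaths: directoryPaths,
+ SkipGit: true,
+ Recursive: true,
+ GitCommits: gitCommits,
+ }, nil) // TODO: Do logging?
  if err != nil {
- return VulnerabilitiesResponse{}, errors.WithMessage(err, "failed to send request")
+ return VulnerabilitiesResponse{}, fmt.Errorf("osvscanner.DoScan: %w", err)
  }
- defer resp.Body.Close()
 
- var osvresp osvResp
- decoder := json.NewDecoder(resp.Body)
- if err := decoder.Decode(&osvresp); err != nil {
- return VulnerabilitiesResponse{}, errors.WithMessage(err, "failed to decode response")
+ response := VulnerabilitiesResponse{}
+ vulns := res.Flatten()
+ for i := range vulns {
+ response.Vulnerabilities = append(response.Vulnerabilities, Vulnerability{
+ ID: vulns[i].Vulnerability.ID,
+ Aliases: vulns[i].Vulnerability.Aliases,
+ })
+ // Remove duplicate vulnerability IDs for now as we don't report information
+ // on the source of each vulnerability yet, therefore having multiple identical
+ // vuln IDs might be confusing.
+ response.Vulnerabilities = removeDuplicate(
+ response.Vulnerabilities,
+ func(key Vulnerability) string { return key.ID },
+ )
  }
+ return response, nil
+}
 
- var ret VulnerabilitiesResponse
- for _, vuln := range osvresp.Vulns {
- ret.Vulnerabilities = append(ret.Vulnerabilities, Vulnerability{
- ID: vuln.ID,
- })
+// RemoveDuplicate removes duplicate entries from a slice.
+func removeDuplicate[T any, K comparable](sliceList []T, keyExtract func(T) K) []T {
+ allKeys := make(map[K]bool)
+ list := []T{}
+ for _, item := range sliceList {
+ key := keyExtract(item)
+ if _, value := allKeys[key]; !value {
+ allKeys[key] = true
+ list = append(list, item)
+ }
  }
- return ret, nil
+ return list
 }
 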
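Review bot: `ListUnfixedVulnerabilities` no longer uses its `ctx` argument: the removed code built the request with `http.NewRequestWithContext(ctx, ...)`, whereas `osvscanner.DoScan` is called without a context, so cancelling or timing out the check does not appear to stop the scan or its lookups. If the scanner offers no context-aware entry point, record that at the call, e.g. `// ctx is unused: DoScan takes no context, so the scan cannot be cancelled or bounded from here.` Separately, `removeDuplicate` is invoked inside the `for i := range vulns` loop, rebuilding the whole slice on every iteration; calling it once after the loop gives the same result in linear time. The helper's comment should also start with its real name, `// removeDuplicate returns sliceList with later entries sharing a key dropped.`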
  • ■ ■ ■ ■ ■ ■
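--- a/clients/osv_test.go
+++ b/clients/osv_test.go
@@ -0,0 +1,49 @@
+// Copyright 2022 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package clients
+
+import (
+ "reflect"
+ "testing"
+)
+
+func TestRemoveDuplicate(t *testing.T) {
+ t.Parallel()
+ tests := []struct {
+ name string
+ keyExtract func(string) string
+ list []string
+ want []string
+ }{
+ {
+ name: "Basic list with dup items",
+ list: []string{"A", "B", "C", "B"},
+ want: []string{"A", "B", "C"},
+ keyExtract: func(in string) string {
+ return in
+ },
+ },
+ }
+ for _, tt := range tests {
+ tt := tt
+ t.Run(tt.name, func(t *testing.T) {
+ t.Parallel()
+ got := removeDuplicate(tt.list, tt.keyExtract)
+ if !reflect.DeepEqual(tt.want, got) {
+ t.Errorf("got %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
+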
  • ■ ■ ■ ■ ■ ■
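--- a/clients/repo_client.go
+++ b/clients/repo_client.go
@@ -32,6 +32,9 @@
  URI() string
  IsArchived() (bool, error)
  ListFiles(predicate func(string) (bool, error)) ([]string, error)
+ // Returns an absolute path to the local repository
+ // in the format that matches the local OS
+ LocalPath() (string, error)
  GetFileContent(filename string) ([]byte, error)
  GetBranch(branch string) (*BranchRef, error)
  GetCreatedAt() (time.Time, error)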
  • ■ ■ ■ ■ ■ ■
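--- a/clients/vulnerabilities.go
+++ b/clients/vulnerabilities.go
@@ -20,7 +20,16 @@
 
 // VulnerabilitiesClient checks for vulnerabilities in vuln DB.
 type VulnerabilitiesClient interface {
- HasUnfixedVulnerabilities(context context.Context, commit string) (VulnerabilitiesResponse, error)
+ ListUnfixedVulnerabilities(
+ context context.Context,
+ commit string,
+ localDir string,
+ ) (VulnerabilitiesResponse, error)
+}
+
+// DefaultVulnerabilitiesClient returns a new OSV Vulnerabilities client.
+func DefaultVulnerabilitiesClient() VulnerabilitiesClient {
+ return osvClient{}
 }
 
 // VulnerabilitiesResponse is the response from the vuln DB.
@@ -30,11 +39,7 @@
 
 // Vulnerability uniquely identifies a reported security vuln.
 type Vulnerability struct {
- ID string
-}
-
-// DefaultVulnerabilitiesClient returns a new OSV Vulnerabilities client.
-func DefaultVulnerabilitiesClient() VulnerabilitiesClient {
- return osvClient{}
+ ID string
+ Aliases []string
 }
 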
  • ■ ■ ■ ■ ■
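--- a/docs/checks/internal/checks.yaml
+++ b/docs/checks/internal/checks.yaml
@@ -692,13 +692,21 @@
  Risk: `High` (known vulnerabilities)
 
  This check determines whether the project has open, unfixed vulnerabilities
- using the [OSV (Open Source Vulnerabilities)](https://osv.dev/) service. An open
- vulnerability is readily exploited by attackers and should be fixed as soon as
+ in its own codebase or its dependencies using the [OSV (Open Source Vulnerabilities)](https://osv.dev/) service.
+ An open vulnerability is readily exploited by attackers and should be fixed as soon as
  possible.
  remediation:
  - >-
- Fix the vulnerabilities. The details of each vulnerability can be found
+ Fix the vulnerabilities in your own code base. The details of each vulnerability can be found
  on <https://osv.dev>.
+ - >-
+ If the vulnerability is in a dependency, update the dependency to a non-vulnerable version. If no update is available, consider whether to remove the dependency.
+ - >-
+ If you believe the vulnerability does not affect your project, the
+ vulnerability can be ignored.
+ To ignore, create an `osv-scanner.toml` file next to the dependency manifest (e.g. package-lock.json) and specify the ID to ignore and reason.
+ Details on the structure of `osv-scanner.toml` can be found on
+ [OSV-Scanner repository](https://github.com/google/osv-scanner#ignore-vulnerabilities-by-id).
 
  Dangerous-Workflow:
  risk: Critical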
  • ■ ■ ■ ■ ■ ■
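--- a/docs/checks.md
+++ b/docs/checks.md
@@ -645,13 +645,15 @@
 Risk: `High` (known vulnerabilities)
 
 This check determines whether the project has open, unfixed vulnerabilities
-using the [OSV (Open Source Vulnerabilities)](https://osv.dev/) service. An open
-vulnerability is readily exploited by attackers and should be fixed as soon as
+in its own codebase or its dependencies using the [OSV (Open Source Vulnerabilities)](https://osv.dev/) service.
+An open vulnerability is readily exploited by attackers and should be fixed as soon as
 possible.
 
 
 **Remediation steps**
-- Fix the vulnerabilities. The details of each vulnerability can be found on <https://osv.dev>.
+- Fix the vulnerabilities in your own code base. The details of each vulnerability can be found on <https://osv.dev>.
+- If the vulnerability is in a dependency, update the dependency to a non-vulnerable version. If no update is available, consider whether to remove the dependency.
+- If you believe the vulnerability does not affect your project, the vulnerability can be ignored. To ignore, create an `osv-scanner.toml` file next to the dependency manifest (e.g. package-lock.json) and specify the ID to ignore and reason. Details on the structure of `osv-scanner.toml` can be found on [OSV-Scanner repository](https://github.com/google/osv-scanner#ignore-vulnerabilities-by-id).
 
 ## Webhooks
 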
  • ■ ■ ■ ■ ■ ■
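--- a/e2e/attestor_policy_test.go
+++ b/e2e/attestor_policy_test.go
@@ -141,7 +141,7 @@
  commit: "fa0592fab28aa92560f04e1ae8649dfff566ae2b",
  policy: policy.AttestationPolicy{
  PreventBinaryArtifacts: true,
- PreventKnownVulnerabilities: true,
+ PreventKnownVulnerabilities: false,
  PreventUnpinnedDependencies: true,
  EnsureCodeReviewed: true,
  CodeReviewRequirements: policy.CodeReviewRequirements{
@@ -156,7 +156,7 @@
  commit: "fa0592fab28aa92560f04e1ae8649dfff566ae2b",
  policy: policy.AttestationPolicy{
  PreventBinaryArtifacts: true,
- PreventKnownVulnerabilities: true,
+ PreventKnownVulnerabilities: false,
  PreventUnpinnedDependencies: true,
  EnsureCodeReviewed: true,
  CodeReviewRequirements: policy.CodeReviewRequirements{
@@ -172,7 +172,7 @@
  commit: "fa0592fab28aa92560f04e1ae8649dfff566ae2b",
  policy: policy.AttestationPolicy{
  PreventBinaryArtifacts: true,
- PreventKnownVulnerabilities: true,
+ PreventKnownVulnerabilities: false,
  PreventUnpinnedDependencies: true,
  EnsureCodeReviewed: true,
  CodeReviewRequirements: policy.CodeReviewRequirements{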
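Review bot: All three cases flip `PreventKnownVulnerabilities` from `true` to `false` with no explanation, so these end-to-end policy tests stop exercising the known-vulnerabilities rule altogether. If the reason is that the pinned commit `fa0592fab28aa92560f04e1ae8649dfff566ae2b` now produces findings through the dependency scan, state that beside the field, e.g. `// disabled: the dependency scan reports findings at this commit; rule covered by <test name>`, and keep at least one case with the rule enabled and its expected outcome adjusted. The surrounding table entries start and end outside the hunks.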
  • ■ ■ ■ ■ ■ ■
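--- a/e2e/vulnerabilities_test.go
+++ b/e2e/vulnerabilities_test.go
@@ -29,15 +29,15 @@
 
 var _ = Describe("E2E TEST:"+checks.CheckVulnerabilities, func() {
  Context("E2E TEST:Validating vulnerabilities status", func() {
- It("Should return that there are no vulnerabilities", func() {
- repo, err := githubrepo.MakeGithubRepo("ossf/scorecard")
+ It("Should return that there are vulnerabilities", func() {
+ repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-vulnerabilities-open62541")
  Expect(err).Should(BeNil())
  repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
  err = repoClient.InitRepo(repo, clients.HeadSHA, 0)
  Expect(err).Should(BeNil())
 
  dl := scut.TestDetailLogger{}
- req := checker.CheckRequest{
+ checkRequest := checker.CheckRequest{
  Ctx: context.Background(),
  RepoClient: repoClient,
  VulnerabilitiesClient: clients.DefaultVulnerabilitiesClient(),
@@ -46,23 +46,21 @@
  }
  expected := scut.TestReturn{
  Error: nil,
- Score: checker.MaxResultScore,
- NumberOfWarn: 0,
+ Score: checker.MaxResultScore - 3, // 3 vulnerabilities remove 3 points.
+ NumberOfWarn: 3,
  NumberOfInfo: 0,
  NumberOfDebug: 0,
  }
-
- result := checks.Vulnerabilities(&req)
+ result := checks.Vulnerabilities(&checkRequest)
  // New version.
- Expect(scut.ValidateTestReturn(nil, "no osv vulnerabilities", &expected, &result, &dl)).Should(BeTrue())
+ Expect(scut.ValidateTestReturn(nil, "osv vulnerabilities", &expected, &result, &dl)).Should(BeTrue())
  Expect(repoClient.Close()).Should(BeNil())
  })
-
- It("Should return that there are vulnerabilities", func() {
+ It("Should return that there are vulnerabilities at commit", func() {
  repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-vulnerabilities-open62541")
  Expect(err).Should(BeNil())
  repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
- err = repoClient.InitRepo(repo, clients.HeadSHA, 0)
+ err = repoClient.InitRepo(repo, "de6367caa31b59e2156f83b04c2f30611b7ac393", 0)
  Expect(err).Should(BeNil())
 
  dl := scut.TestDetailLogger{}
@@ -76,7 +74,7 @@
  expected := scut.TestReturn{
  Error: nil,
  Score: checker.MaxResultScore - 3, // 3 vulnerabilities remove 3 points.
- NumberOfWarn: 1,
+ NumberOfWarn: 3,
  NumberOfInfo: 0,
  NumberOfDebug: 0,
  }
@@ -85,11 +83,11 @@
  Expect(scut.ValidateTestReturn(nil, "osv vulnerabilities", &expected, &result, &dl)).Should(BeTrue())
  Expect(repoClient.Close()).Should(BeNil())
  })
- It("Should return that there are vulnerabilities at commit", func() {
- repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-vulnerabilities-open62541")
+ It("Should return that there are vulnerable packages", func() {
+ repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-osv-e2e")
  Expect(err).Should(BeNil())
  repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
- err = repoClient.InitRepo(repo, "de6367caa31b59e2156f83b04c2f30611b7ac393", 0)
+ err = repoClient.InitRepo(repo, "2a81bfbc691786d6b8226a4092cca4f1509c842d", 0)
  Expect(err).Should(BeNil())
 
  dl := scut.TestDetailLogger{}
@@ -102,8 +100,8 @@
  }
  expected := scut.TestReturn{
  Error: nil,
- Score: checker.MaxResultScore - 3, // 3 vulnerabilities remove 3 points.
- NumberOfWarn: 1,
+ Score: checker.MaxResultScore - 2, // 2 vulnerabilities remove 2 points.
+ NumberOfWarn: 2,
  NumberOfInfo: 0,
  NumberOfDebug: 0,
  }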
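Review bot: The first case used to assert a clean result (`Score: checker.MaxResultScore`, `NumberOfWarn: 0`) against `ossf/scorecard`; after this change every case expects findings, so nothing end-to-end covers the no-vulnerability path any more. That is the path where a scan that silently found nothing to inspect would look the same as a healthy project, so it is worth keeping one case pinned to a commit of a repository known to be clean. The first two cases now differ only in `clients.HeadSHA` versus a fixed SHA on the same repository, and the HEAD-based expectation will drift as advisories are published; a comment such as `// tracks HEAD: the expected count changes when new advisories are published` would make that explicit.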
  • ■ ■ ■ ■ ■
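--- a/go.mod
+++ b/go.mod
@@ -47,6 +47,7 @@
  github.com/Masterminds/semver/v3 v3.2.0
  github.com/caarlos0/env/v6 v6.10.0
  github.com/gobwas/glob v0.2.3
+ github.com/google/osv-scanner v0.0.0-20221212045131-8aef1778b823
  github.com/mcuadros/go-jsonschema-generator v0.0.0-20200330054847-ba7a369d4303
  github.com/onsi/ginkgo/v2 v2.5.1
  sigs.k8s.io/release-utils v0.6.0
@@ -62,6 +63,8 @@
  github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
  github.com/Azure/go-autorest/logger v0.2.1 // indirect
  github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+ github.com/BurntSushi/toml v1.2.0 // indirect
+ github.com/CycloneDX/cyclonedx-go v0.7.0 // indirect
  github.com/davecgh/go-spew v1.1.1 // indirect
  github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b // indirect
  github.com/google/gofuzz v1.1.0 // indirect
@@ -70,9 +73,13 @@
  github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
  github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
  github.com/hashicorp/golang-lru v0.5.3 // indirect
+ github.com/jedib0t/go-pretty/v6 v6.4.0 // indirect
  github.com/json-iterator/go v1.1.10 // indirect
  github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
  github.com/modern-go/reflect2 v1.0.1 // indirect
+ github.com/package-url/packageurl-go v0.1.0 // indirect
+ github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb // indirect
+ github.com/spdx/tools-golang v0.3.0 // indirect
  golang.org/x/mod v0.7.0 // indirect
  golang.org/x/term v0.2.0 // indirect
  golang.org/x/time v0.1.0 // indirect
@@ -142,7 +149,7 @@
  github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
  github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
  golang.org/x/crypto v0.1.0 // indirect
- golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561
+ golang.org/x/exp v0.0.0-20221031165847-c99f073a8326
  golang.org/x/net v0.2.0 // indirect
  golang.org/x/oauth2 v0.1.0 // indirect
  golang.org/x/sync v0.1.0 // indirect
@@ -172,6 +179,5 @@
  github.com/satori/go.uuid => github.com/satori/go.uuid v1.2.1-0.20181016170032-d91630c85102
  // This replace is for https://github.com/advisories/GHSA-25xm-hr59-7c27
  github.com/ulikunitz/xz => github.com/ulikunitz/xz v0.5.8
-
 )
 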
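Review bot: The new direct requirement `github.com/google/osv-scanner v0.0.0-20221212045131-8aef1778b823` is a pseudo-version, i.e. a pin to an untagged commit, and it brings several file parsers in as indirect dependencies (`BurntSushi/toml`, `CycloneDX/cyclonedx-go`, `spdx/tools-golang`, `package-url/packageurl-go`) that will now run over content from the repository being scored. A comment beside the requirement, e.g. `// pinned to an untagged commit; move to a tagged release when one is available`, would make sure the pin is revisited. It is also worth confirming that dependency-update tooling for this module covers the new indirect entries, since they parse untrusted input.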
  • ■ ■ ■ ■ ■
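--- a/go.sum
+++ b/go.sum
@@ -153,7 +153,11 @@
 github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/toml v1.2.0 h1:Rt8g24XnyGTyglgET/PRUNlrUeu9F5L+7FilkXfZgs0=
+github.com/BurntSushi/toml v1.2.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/CycloneDX/cyclonedx-go v0.7.0 h1:jNxp8hL7UpcvPDFXjY+Y1ibFtsW+e5zyF9QoSmhK/zg=
+github.com/CycloneDX/cyclonedx-go v0.7.0/go.mod h1:W5Z9w8pTTL+t+yG3PCiFRGlr8PUlE0pGWzKSJbsyXkg=
 github.com/GoogleCloudPlatform/cloudsql-proxy v1.29.0/go.mod h1:spvB9eLJH9dutlbPSRmHvSXXHOwGRyeXh1jVdquA2G8=
 github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14=
 github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
@@ -239,6 +243,7 @@
 github.com/bombsimon/logrusr/v2 v2.0.1/go.mod h1:ByVAX+vHdLGAfdroiMg6q0zgq2FODY2lc5YJvzmOJio=
 github.com/bradleyfalzon/ghinstallation/v2 v2.1.0 h1:5+NghM1Zred9Z078QEZtm28G/kfDfZN/92gkDlLwGVA=
 github.com/bradleyfalzon/ghinstallation/v2 v2.1.0/go.mod h1:Xg3xPRN5Mcq6GDqeUVhFbjEWMb4JHCyWEeeBGEYQoTU=
+github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
 github.com/caarlos0/env/v6 v6.10.0 h1:lA7sxiGArZ2KkiqpOQNf8ERBRWI+v8MWIH+eGjSN22I=
 github.com/caarlos0/env/v6 v6.10.0/go.mod h1:hvp/ryKXKipEkcuYjs9mI4bBCg+UI0Yhgm5Zu0ddvwc=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -492,6 +497,8 @@
 github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
 github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw=
 github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
+github.com/google/osv-scanner v0.0.0-20221212045131-8aef1778b823 h1:gmZSgbjnj2XPX2jz1VY8QAUFqiHrYJDajG72CODinuc=
+github.com/google/osv-scanner v0.0.0-20221212045131-8aef1778b823/go.mod h1:/pyEWUK+MMC8/CxgHmZNjtCq0pts7KYc6bXJEA9UPNE=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
@@ -628,6 +635,8 @@
 github.com/jackc/puddle v1.2.1/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
+github.com/jedib0t/go-pretty/v6 v6.4.0 h1:YlI/2zYDrweA4MThiYMKtGRfT+2qZOO65ulej8GTcVI=
+github.com/jedib0t/go-pretty/v6 v6.4.0/go.mod h1:MgmISkTWDSFu0xOqiZ0mKNntMQ2mDgOcwOkwBEkMDJI=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
 github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
@@ -770,6 +779,8 @@
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM=
 github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
+github.com/package-url/packageurl-go v0.1.0 h1:efWBc98O/dBZRg1pw2xiDzovnlMjCa9NPnfaiBduh8I=
+github.com/package-url/packageurl-go v0.1.0/go.mod h1:C/ApiuWpmbpni4DIOECf6WCjFUZV7O1Fx7VAzrZHgBw=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
@@ -778,6 +789,7 @@
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/profile v1.6.0/go.mod h1:qBsxPvzyUincmltOk6iyRVxHYg4adc0OFOv72ZdLa18=
 github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -841,6 +853,10 @@
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
+github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb h1:bLo8hvc8XFm9J47r690TUKBzcjSWdJDxmjXJZ+/f92U=
+github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM=
+github.com/spdx/tools-golang v0.3.0 h1:rtm+DHk3aAt74Fh0Wgucb4pCxjXV8SqHCPEb2iBd30k=
+github.com/spdx/tools-golang v0.3.0/go.mod h1:RO4Y3IFROJnz+43JKm1YOrbtgQNljW4gAPpA/sY2eqo=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
@@ -870,6 +886,7 @@
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.4/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
@@ -977,8 +994,8 @@
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561 h1:MDc5xs78ZrZr3HMQugiXOAkSZtfTpbJLDr/lwfgO53E=
-golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
+golang.org/x/exp v0.0.0-20221031165847-c99f073a8326 h1:QfTh0HpN6hlw6D3vu8DAwC8pBIwikq0AI1evdm+FksE=
+golang.org/x/exp v0.0.0-20221031165847-c99f073a8326/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=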