Merge branch 'main' into cpp_fuzz_func

.github/workflows/integration.yml

@@ -75,7 +75,7 @@ jobs:
             go mod download
 
       - name: Run GITHUB_TOKEN E2E  #using retry because the GitHub token is being throttled. 
-        uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c 
+        uses: nick-invision/retry@616fa81820c9b34fd44f4a0cfeda436b4b8338d3 
         env:
           GITHUB_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -85,7 +85,7 @@ jobs:
           command: make e2e-gh-token
 
       - name: Run PAT E2E  #using retry because the GitHub token is being throttled. 
-        uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c 
+        uses: nick-invision/retry@616fa81820c9b34fd44f4a0cfeda436b4b8338d3 
         env:
           GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }}
         with:

.github/workflows/main.yml

@@ -105,7 +105,7 @@ jobs:
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: generate mocks
-       uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
+       uses: nick-invision/retry@616fa81820c9b34fd44f4a0cfeda436b4b8338d3
        with:
           max_attempts: 3
           retry_on: error
@@ -150,7 +150,7 @@ jobs:
        with:
          go-version: ${{ env.GO_VERSION }} 
      - name: generate docs
-       uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
+       uses: nick-invision/retry@616fa81820c9b34fd44f4a0cfeda436b4b8338d3
        with:
           max_attempts: 3
           retry_on: error
@@ -194,7 +194,7 @@ jobs:
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: build-proto
-       uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
+       uses: nick-invision/retry@616fa81820c9b34fd44f4a0cfeda436b4b8338d3
        with:
           max_attempts: 3
           retry_on: error
@@ -239,7 +239,7 @@ jobs:
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Run build
-       uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
+       uses: nick-invision/retry@616fa81820c9b34fd44f4a0cfeda436b4b8338d3
        with:
           max_attempts: 3
           retry_on: error
@@ -284,7 +284,7 @@ jobs:
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: build cron
-       uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
+       uses: nick-invision/retry@616fa81820c9b34fd44f4a0cfeda436b4b8338d3
        with:
           max_attempts: 3
           retry_on: error
@@ -329,7 +329,7 @@ jobs:
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: build worker
-       uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
+       uses: nick-invision/retry@616fa81820c9b34fd44f4a0cfeda436b4b8338d3
        with:
           max_attempts: 3
           retry_on: error
@@ -374,7 +374,7 @@ jobs:
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: build cii-worker
-       uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
+       uses: nick-invision/retry@616fa81820c9b34fd44f4a0cfeda436b4b8338d3
        with:
           max_attempts: 3
           retry_on: error
@@ -419,7 +419,7 @@ jobs:
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: build shuffler
-       uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
+       uses: nick-invision/retry@616fa81820c9b34fd44f4a0cfeda436b4b8338d3
        with:
           max_attempts: 3
           retry_on: error
@@ -464,7 +464,7 @@ jobs:
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: build bq transfer
-       uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
+       uses: nick-invision/retry@616fa81820c9b34fd44f4a0cfeda436b4b8338d3
        with:
           max_attempts: 3
           retry_on: error
@@ -509,7 +509,7 @@ jobs:
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: build bq transfer
-       uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
+       uses: nick-invision/retry@616fa81820c9b34fd44f4a0cfeda436b4b8338d3
        with:
           max_attempts: 3
           retry_on: error
@@ -554,7 +554,7 @@ jobs:
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: build webhook
-       uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
+       uses: nick-invision/retry@616fa81820c9b34fd44f4a0cfeda436b4b8338d3
        with:
           max_attempts: 3
           retry_on: error
@@ -599,7 +599,7 @@ jobs:
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: build-add-script
-       uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
+       uses: nick-invision/retry@616fa81820c9b34fd44f4a0cfeda436b4b8338d3
        with:
           max_attempts: 3
           retry_on: error
@@ -644,7 +644,7 @@ jobs:
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: build-validate-script
-       uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
+       uses: nick-invision/retry@616fa81820c9b34fd44f4a0cfeda436b4b8338d3
        with:
           max_attempts: 3
           retry_on: error
@@ -689,7 +689,7 @@ jobs:
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: build-validate-script
-       uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
+       uses: nick-invision/retry@616fa81820c9b34fd44f4a0cfeda436b4b8338d3
        with:
           max_attempts: 3
           retry_on: error
@@ -768,7 +768,7 @@ jobs:
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Run build
-       uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
+       uses: nick-invision/retry@616fa81820c9b34fd44f4a0cfeda436b4b8338d3
        with:
           max_attempts: 3
           retry_on: error
@@ -812,7 +812,7 @@ jobs:
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Run build
-       uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
+       uses: nick-invision/retry@616fa81820c9b34fd44f4a0cfeda436b4b8338d3
        with:
           max_attempts: 3
           retry_on: error
@@ -856,7 +856,7 @@ jobs:
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Run build
-       uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
+       uses: nick-invision/retry@616fa81820c9b34fd44f4a0cfeda436b4b8338d3
        with:
           max_attempts: 3
           retry_on: error

.github/workflows/publishimage.yml

@@ -50,7 +50,7 @@ jobs:
      - name: install ko
        uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d
      - name: publishimage
-       uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
+       uses: nick-invision/retry@616fa81820c9b34fd44f4a0cfeda436b4b8338d3
        with:
           max_attempts: 3
           retry_on: error

README.md

@@ -91,7 +91,12 @@ This data is available in the public BigQuery dataset
 `openssf:scorecardcron.scorecard-v2`. The latest results are available in the
 BigQuery view `openssf:scorecardcron.scorecard-v2_latest`.
 
-You can query the data using [BigQuery Explorer](http://console.cloud.google.com/bigquery) by navigating to Add Data > Pin a Project > Enter Project Name > 'openssf'
+You can query the data using [BigQuery Explorer](http://console.cloud.google.com/bigquery) by navigating to Add Data > Pin a Project > Enter Project Name > 'openssf'.
+For example, you may be interested in how a project's score has changed over time:
+
+```sql
+SELECT date, score FROM `openssf.scorecardcron.scorecard-v2` WHERE repo.name="github.com/ossf/scorecard" ORDER BY date ASC
+```
 
 You can extract the latest results to Google Cloud storage in JSON format using
 the [`bq`](https://cloud.google.com/bigquery/docs/bq-command-line-tool) tool:

checks/raw/fuzzing_test.go

@@ -401,7 +401,6 @@ func Test_getProminentLanguages(t *testing.T) {
 					got, tt.expected,
 				)
 			}
-
 		})
 	}
 }

checks/sast.go

@@ -15,16 +15,25 @@
 package checks
 
 import (
+	"bufio"
+	"bytes"
+	"errors"
 	"fmt"
+	"path"
+	"regexp"
+	"strings"
 
 	"github.com/ossf/scorecard/v4/checker"
+	"github.com/ossf/scorecard/v4/checks/fileparser"
 	"github.com/ossf/scorecard/v4/clients"
 	sce "github.com/ossf/scorecard/v4/errors"
 )
 
 // CheckSAST is the registered name for SAST.
 const CheckSAST = "SAST"
 
+var errInvalid = errors.New("invalid")
+
 var sastTools = map[string]bool{"github-code-scanning": true, "lgtm-com": true, "sonarcloud": true}
 
 var allowedConclusions = map[string]bool{"success": true, "neutral": true}
@@ -48,6 +57,14 @@ func SAST(c *checker.CheckRequest) checker.CheckResult {
 	if codeQlErr != nil {
 		return checker.CreateRuntimeErrorResult(CheckSAST, codeQlErr)
 	}
+	sonarScore, sonarErr := sonarEnabled(c)
+	if sonarErr != nil {
+		return checker.CreateRuntimeErrorResult(CheckSAST, sonarErr)
+	}
+
+	if sonarScore == checker.MaxResultScore {
+		return checker.CreateMaxScoreResult(CheckSAST, "SAST tool detected")
+	}
 
 	// Both results are inconclusive.
 	// Can never happen.
@@ -143,7 +160,7 @@ func sastToolInCheckRuns(c *checker.CheckRequest) (int, error) {
 				c.Dlogger.Debug(&checker.LogMessage{
 					Path: cr.URL,
 					Type: checker.FileTypeURL,
-					Text: "tool detected",
+					Text: fmt.Sprintf("tool detected: %v", cr.App.Slug),
 				})
 				totalTested++
 				break
@@ -205,3 +222,107 @@ func codeQLInCheckDefinitions(c *checker.CheckRequest) (int, error) {
 	})
 	return checker.MinResultScore, nil
 }
+
+type sonarConfig struct {
+	url  string
+	file checker.File
+}
+
+// nolint
+func sonarEnabled(c *checker.CheckRequest) (int, error) {
+	var config []sonarConfig
+	err := fileparser.OnMatchingFileContentDo(c.RepoClient, fileparser.PathMatcher{
+		Pattern:       "*",
+		CaseSensitive: false,
+	}, validateSonarConfig, &config)
+	if err != nil {
+		return checker.InconclusiveResultScore, err
+	}
+	for _, result := range config {
+		c.Dlogger.Info(&checker.LogMessage{
+			Path:      result.file.Path,
+			Type:      result.file.Type,
+			Offset:    result.file.Offset,
+			EndOffset: result.file.EndOffset,
+			Text:      "Sonar configuration detected",
+			Snippet:   result.url,
+		})
+	}
+
+	if len(config) > 0 {
+		return checker.MaxResultScore, nil
+	}
+
+	return checker.MinResultScore, nil
+}
+
+// Check file content.
+var validateSonarConfig fileparser.DoWhileTrueOnFileContent = func(pathfn string,
+	content []byte,
+	args ...interface{},
+) (bool, error) {
+	if !strings.EqualFold(path.Base(pathfn), "pom.xml") {
+		return true, nil
+	}
+
+	if len(args) != 1 {
+		return false, fmt.Errorf(
+			"validateSonarConfig requires exactly 1 argument: %w", errInvalid)
+	}
+
+	// Verify the type of the data.
+	pdata, ok := args[0].(*[]sonarConfig)
+	if !ok {
+		return false, fmt.Errorf(
+			"validateSonarConfig expects arg[0] of type *[]sonarConfig]: %w", errInvalid)
+	}
+
+	regex := regexp.MustCompile(`<sonar\.host\.url>\s*(\S+)\s*<\/sonar\.host\.url>`)
+	match := regex.FindSubmatch(content)
+
+	if len(match) < 2 {
+		return true, nil
+	}
+
+	offset, err := findLine(content, []byte("<sonar.host.url>"))
+	if err != nil {
+		return false, err
+	}
+
+	endOffset, err := findLine(content, []byte("</sonar.host.url>"))
+	if err != nil {
+		return false, err
+	}
+
+	*pdata = append(*pdata, sonarConfig{
+		url: string(match[1]),
+		file: checker.File{
+			Path:      pathfn,
+			Type:      checker.FileTypeSource,
+			Offset:    offset,
+			EndOffset: endOffset,
+		},
+	})
+
+	return true, nil
+}
+
+func findLine(content, data []byte) (uint, error) {
+	r := bytes.NewReader(content)
+	scanner := bufio.NewScanner(r)
+
+	line := 0
+	// https://golang.org/pkg/bufio/#Scanner.Scan
+	for scanner.Scan() {
+		line++
+		if strings.Contains(scanner.Text(), string(data)) {
+			return uint(line), nil
+		}
+	}
+
+	if err := scanner.Err(); err != nil {
+		return 0, fmt.Errorf("scanner.Err(): %w", err)
+	}
+
+	return 0, nil
+}