Merge branch 'main' into cpp_fuzz_func

.github/workflows/goreleaser.yaml

@@ -50,7 +50,7 @@ jobs:
       -
         name: Import GPG key
         id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@34ea557550c84ea665cae5c61c3b084feac7e042 # v3.1.0
+        uses: crazy-max/ghaction-import-gpg@c8bb57c57e8df1be8c73ff3d59deab1dbc00e0d1 # v3.1.0
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.PASSPHRASE }}

.github/workflows/publishimage.yml

@@ -48,7 +48,7 @@ jobs:
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: install ko
-       uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675
+       uses: imjasonh/setup-ko@78eea08f10db87a7a23a666a4a6fe2734f2eeb8d
      - name: publishimage
        uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c
        with:
@@ -60,7 +60,7 @@ jobs:
             make install
             make scorecard-ko
      - name: Install Cosign
-       uses: sigstore/cosign-installer@f700e6fbbab82f6897758a3af7a8dede4e308656
+       uses: sigstore/cosign-installer@09a077b27eb1310dcfb21981bee195b30ce09de0
      - name: Sign image
        run: |
           cosign sign ghcr.io/${{github.repository_owner}}/scorecard/v4:${{ github.sha }}

.github/workflows/scorecard-analysis.yml

@@ -19,18 +19,14 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       security-events: write
+      id-token: write
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504 # v1
-        with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
       - name: "Checkout code"
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@ce330fde6b1a5c9c75b417e7efc510b822a35564
+        uses: ossf/scorecard-action@3155d134e59d8f47261b1ae9d143034c69572227 # v2.0.0-beta.1
         with:
           results_file: results.sarif
           results_format: sarif

.github/workflows/stale.yml

@@ -31,7 +31,7 @@ jobs:
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
-    - uses: actions/stale@3cc123766321e9f15a6676375c154ccffb12a358 # v3.0.18
+    - uses: actions/stale@9c1b1c6e115ca2af09755448e0dbba24e5061cc8 # v3.0.18
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'Stale issue message'

README.md

@@ -1,5 +1,6 @@
 # Security Scorecards
 
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ossf/scorecard/badge)](https://api.securityscorecards.dev/projects/github.com/ossf/scorecard)
 [![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/5621/badge)](https://bestpractices.coreinfrastructure.org/projects/5621)
 ![build](https://github.com/ossf/scorecard/workflows/build/badge.svg?branch=main)
 ![CodeQL](https://github.com/ossf/scorecard/workflows/CodeQL/badge.svg?branch=main)

checks/raw/fuzzing.go

@@ -108,7 +108,6 @@ func Fuzzing(c *checker.CheckRequest) (checker.FuzzingData, error) {
 		return checker.FuzzingData{}, fmt.Errorf("cannot get langs of repo: %w", err)
 	}
 	prominentLangs := getProminentLanguages(langs)
-
 	for _, lang := range prominentLangs {
 		usingFuzzFunc, files, e := checkFuzzFunc(c, lang)
 		if e != nil {
@@ -234,18 +233,20 @@ func getProminentLanguages(langs []clients.Language) []clients.LanguageName {
 		return nil
 	}
 	totalLoC := 0
+	// Use a map to record languages and their lines of code to drop potential duplicates.
+	langMap := map[clients.LanguageName]int{}
 	for _, l := range langs {
 		totalLoC += l.NumLines
+		langMap[l.Name] += l.NumLines
 	}
-	// Var avgLoC calculates the average lines of code in the current repo,
-	// and it can stay as an int, no need for a float value.
+	// Calculate the average lines of code in the current repo.
+	// This var can stay as an int, no need for a precise float value.
 	avgLoC := totalLoC / numLangs
-
 	// Languages that have lines of code above average will be considered prominent.
 	ret := []clients.LanguageName{}
-	for _, l := range langs {
-		if l.NumLines >= avgLoC {
-			lang := clients.LanguageName(strings.ToLower(string(l.Name)))
+	for lName, loC := range langMap {
+		if loC >= avgLoC {
+			lang := clients.LanguageName(strings.ToLower(string(lName)))
 			ret = append(ret, lang)
 		}
 	}

checks/raw/fuzzing_test.go

@@ -275,7 +275,6 @@ func Test_checkFuzzFunc(t *testing.T) {
 		fileContent string
 	}{
 		{
-			// TODO: more test cases needed. @aidenwang9867
 			name:    "Test_checkFuzzFunc failure",
 			want:    false,
 			wantErr: false,
@@ -319,3 +318,112 @@ func Test_checkFuzzFunc(t *testing.T) {
 		})
 	}
 }
+
+func Test_getProminentLanguages(t *testing.T) {
+	t.Parallel()
+	//nolint
+	tests := []struct {
+		name      string
+		languages []clients.Language
+		expected  []clients.LanguageName
+	}{
+		{
+			name: "case1",
+			languages: []clients.Language{
+				{
+					Name:     clients.Go,
+					NumLines: 1000,
+				},
+				{
+					Name:     clients.Python,
+					NumLines: 40,
+				}, {
+					Name:     clients.JavaScript,
+					NumLines: 800,
+				},
+			},
+			expected: []clients.LanguageName{
+				clients.Go, clients.JavaScript,
+			},
+		},
+		{
+			// This test case simulates the situation when the GitHub language API returns
+			// duplicated languages, but we can still drop them and get the correct result.
+			name: "case2: drop duplicates",
+			languages: []clients.Language{
+				{
+					Name:     clients.Go,
+					NumLines: 1000,
+				},
+				{
+					Name:     clients.Python,
+					NumLines: 40,
+				}, {
+					Name:     clients.JavaScript,
+					NumLines: 800,
+				},
+				{
+					Name:     clients.Go,
+					NumLines: 1000,
+				},
+				{
+					Name:     clients.Python,
+					NumLines: 40,
+				}, {
+					Name:     clients.JavaScript,
+					NumLines: 800,
+				},
+				{
+					Name:     clients.Go,
+					NumLines: 1000,
+				},
+				{
+					Name:     clients.Python,
+					NumLines: 40,
+				}, {
+					Name:     clients.JavaScript,
+					NumLines: 800,
+				},
+			},
+			expected: []clients.LanguageName{
+				clients.Go, clients.JavaScript,
+			},
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			got := getProminentLanguages(tt.languages)
+			if !unorderedEqual(got, tt.expected) {
+				t.Errorf(
+					"got (%s) != expected (%s)",
+					got, tt.expected,
+				)
+			}
+
+		})
+	}
+}
+
+func unorderedEqual(l1, l2 []clients.LanguageName) bool {
+	if len(l1) != len(l2) {
+		return false
+	}
+	l1Map, l2Map := map[clients.LanguageName]bool{}, map[clients.LanguageName]bool{}
+	for _, l := range l1 {
+		l1Map[l] = true
+	}
+	for _, l := range l2 {
+		l2Map[l] = true
+		if !l1Map[l] {
+			return false
+		}
+	}
+	for k := range l1Map {
+		if !l2Map[k] {
+			return false
+		}
+	}
+	return true
+}

checks/write.md

@@ -1,14 +1,14 @@
 # Requirements for a check
 
-If you'd like to add a check, make sure it is something that meets the following
-criteria and then create a new GitHub Issue to discuss with the team:
+If you'd like to add a check, make sure it meets the following criteria and then
+create a new GitHub Issue to discuss with the team:
 
 -   The scorecard must only be composed of automate-able, objective data. For
     example, a project having 10 contributors doesn’t necessarily mean it’s more
-    secure than a project with say 50 contributors. But, having two maintainers
+    secure than a project with 50 contributors. But, having two maintainers
     might be preferable to only having one - the larger bus factor and ability
     to provide code reviews is objectively better.
--   The scorecard criteria can be as specific as possible and not limited
+-   The scorecard criteria can be as specific as possible and are not limited to
     general recommendations. For example, for Go, we can recommend/require
     specific linters and analyzers to be run on the codebase.
 -   The scorecard can be populated for any open source project without any work
@@ -24,60 +24,58 @@ criteria and then create a new GitHub Issue to discuss with the team:
 
 # How to write a check
 
-The steps to writting a check are as follow:
+The steps to writing a check are as follows:
 
-1.  Create a file under `checks/` folder, say `checks/mycheck.go`
+1.  Create a file under the `checks/` folder, say `checks/mycheck.go`
 2.  Give the check a name and register the check:
 
-    ```
-    // Note: export the name: start its name with an upper-case letter.
+    ```go
+    // Note: export the name by starting it with an upper-case letter.
     const CheckMyCheckName string = "My-Check"
 
     func init() {
         registerCheck(CheckMyCheckName, EntryPointMyCheck)
     }
     ```
 
-3.  Log information that is benfical to the user using `checker.DetailLogger`:
+3.  Log useful information with `checker.DetailLogger`:
 
     *   Use `checker.DetailLogger.Warn()` to provide detail on low-score
-        results. This is showed when the user supplies the `show-results`
-        option.
+        results. This is shown when the user supplies the `show-results` option.
     *   Use `checker.DetailLogger.Info()` to provide detail on high-score
-        results. This is showed when the user supplies the `show-results`
-        option.
+        results. This is shown when the user supplies the `show-results` option.
     *   Use `checker.DetailLogger.Debug()` to provide detail in verbose mode:
-        this is showed only when the user supplies the `--verbosity Debug`
+        this is shown only when the user supplies the `--verbosity Debug`
         option.
     *   If your message relates to a file, try to provide information such as
         the `Path`, line number `Offset` and `Snippet`.
 
-4.  If the checks fails in a way that is irrecoverable, return a result with
-    `checker.CreateRuntimeErrorResult()` function: For example, if an error is
-    returned from an API you call, use the function.
+4.  If the check fails in a way that is irrecoverable, return a result with the
+    `checker.CreateRuntimeErrorResult()` function. For example, if an error is
+    returned from an API you call, use this function.
 
-5.  Create the result of the check as follow:
+5.  Create the result of the check as follows:
 
-    *   Always provide a high-level sentence explaining the result/score of the
-        check.
+    *   Always provide a high-level sentence explaining the check's
+        result/score.
     *   If the check runs properly but is unable to determine a score, use
-        `checker.CreateInconclusiveResult()` function.
+        `checker.CreateInconclusiveResult()`.
     *   For proportional results, use `checker.CreateProportionalScoreResult()`.
-    *   For maximum score, use `checker.CreateMaxScoreResult()`; for min score
-        use `checker.CreateMinScoreResult()`.
+    *   For maximum and minimum scores, use `checker.CreateMaxScoreResult()` and
+        `checker.CreateMinScoreResult()`, respectively.
     *   If you need more flexibility and need to set a specific score, use
         `checker.CreateResultWithScore()` with one of the constants declared,
         such as `checker.HalfResultScore`.
 
 6.  Dealing with errors: see [errors/errors.md](/errors/errors.md).
 
-7.  Create unit tests for both low, high and inconclusive score. Put them in a
-    file `checks/mycheck_test.go`.
+7.  Create unit tests for low, high and inconclusive scores. Put them in a file
+    `checks/mycheck_test.go`.
 
 8.  Create e2e tests in `e2e/mycheck_test.go`. Use a dedicated repo that will
     not change over time, so that it's reliable for the tests.
 
-9.  Update the `checks/checks.yaml` with the description of your check.
+9.  Update the `checks/checks.yaml` with a description of your check.
 
 10. Generate `docs/check.md` using `make generate-docs`. This will validate and
     generate `docs/check.md`.

clients/githubrepo/client.go

@@ -180,7 +180,7 @@ func (client *Client) ListStatuses(ref string) ([]clients.Status, error) {
 	return client.statuses.listStatuses(ref)
 }
 
-//ListProgrammingLanguages implements RepoClient.ListProgrammingLanguages.
+// ListProgrammingLanguages implements RepoClient.ListProgrammingLanguages.
 func (client *Client) ListProgrammingLanguages() ([]clients.Language, error) {
 	return client.languages.listProgrammingLanguages()
 }

clients/localdir/client.go

@@ -219,7 +219,7 @@ func (client *localDirClient) Close() error {
 }
 
 // ListProgrammingLanguages implements RepoClient.ListProgrammingLanguages.
-// TODO: add ListProgrammingLanguages support for local directories
+// TODO: add ListProgrammingLanguages support for local directories.
 func (client *localDirClient) ListProgrammingLanguages() ([]clients.Language, error) {
 	return nil, fmt.Errorf("ListProgrammingLanguages: %w", clients.ErrUnsupportedFeature)
 }