Merge branch 'main' into issue1807

.github/workflows/depsreview.yml

@@ -0,0 +1,27 @@
+# Copyright 2021 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@3f943b86c9a289f4e632c632695e2e0898d9d67d

.github/workflows/docker.yml

@@ -50,7 +50,7 @@ jobs:
         version: 3.17.3
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
           # In order:
           # * Module download cache
@@ -92,7 +92,7 @@ jobs:
         version: 3.17.3
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
           # In order:
           # * Module download cache
@@ -134,7 +134,7 @@ jobs:
         version: 3.17.3
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
           # In order:
           # * Module download cache
@@ -176,7 +176,7 @@ jobs:
         version: 3.17.3
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
           # In order:
           # * Module download cache
@@ -218,7 +218,7 @@ jobs:
         version: 3.17.3
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
           # In order:
           # * Module download cache
@@ -260,7 +260,7 @@ jobs:
         version: 3.17.3
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
           # In order:
           # * Module download cache
@@ -302,7 +302,7 @@ jobs:
         version: 3.17.3
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
           # In order:
           # * Module download cache

.github/workflows/integration.yml

@@ -54,7 +54,7 @@ jobs:
 
       - name: Cache builds
         # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-        uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+        uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
         with:
           # In order:
           # * Module download cache
@@ -74,18 +74,28 @@ jobs:
         run: |
             go mod download
 
-      - name: Run E2E  #using retry because the GitHub token is being throttled. 
+      - name: Run GITHUB_TOKEN E2E  #using retry because the GitHub token is being throttled. 
+        uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c 
+        env:
+          GITHUB_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          max_attempts: 3
+          retry_on: error
+          timeout_minutes: 30
+          command: make e2e-gh-token
+
+      - name: Run PAT E2E  #using retry because the GitHub token is being throttled. 
         uses: nick-invision/retry@7f8f3d9f0f62fe5925341be21c2e8314fd4f7c7c 
         env:
           GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }}
         with:
           max_attempts: 3
           retry_on: error
           timeout_minutes: 30
-          command: make e2e
+          command: make e2e-pat
 
       - name: codecov
-        uses: codecov/codecov-action@f32b3a3741e1053eb607407145bc9619351dc93b # 2.1.0
+        uses: codecov/codecov-action@e3c560433a6cc60aec8812599b7844a7b4fa0d71 # 2.1.0
         with:
          files: ./e2e-coverage.out
          verbose: true

.github/workflows/main.yml

@@ -43,7 +43,7 @@ jobs:
 
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
          path: |
            ~/go/pkg/mod
@@ -64,7 +64,7 @@ jobs:
      - name: Run unit-tests
        run: make unit-test
      - name: Upload codecoverage
-       uses: codecov/codecov-action@f32b3a3741e1053eb607407145bc9619351dc93b # 2.1.0
+       uses: codecov/codecov-action@e3c560433a6cc60aec8812599b7844a7b4fa0d71 # 2.1.0
        with:
          files: ./unit-coverage.out
          verbose: true
@@ -86,7 +86,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
          path: |
            ~/go/pkg/mod
@@ -131,7 +131,7 @@ jobs:
         version: ${{ env.PROTOC_VERSION }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
          path: |
            ~/go/pkg/mod
@@ -175,7 +175,7 @@ jobs:
         version: ${{ env.PROTOC_VERSION }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
          path: |
            ~/go/pkg/mod
@@ -220,7 +220,7 @@ jobs:
         version: ${{ env.PROTOC_VERSION }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
          path: |
            ~/go/pkg/mod
@@ -265,7 +265,7 @@ jobs:
         version: ${{ env.PROTOC_VERSION }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
          path: |
            ~/go/pkg/mod
@@ -310,7 +310,7 @@ jobs:
         version: ${{ env.PROTOC_VERSION }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
          path: |
            ~/go/pkg/mod
@@ -355,7 +355,7 @@ jobs:
         version: ${{ env.PROTOC_VERSION }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
          path: |
            ~/go/pkg/mod
@@ -400,7 +400,7 @@ jobs:
         version: ${{ env.PROTOC_VERSION }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
          path: |
            ~/go/pkg/mod
@@ -445,7 +445,7 @@ jobs:
         version: ${{ env.PROTOC_VERSION }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
          path: |
            ~/go/pkg/mod
@@ -490,7 +490,7 @@ jobs:
         version: ${{ env.PROTOC_VERSION }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
          path: |
            ~/go/pkg/mod
@@ -535,7 +535,7 @@ jobs:
         version: ${{ env.PROTOC_VERSION }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
          path: |
            ~/go/pkg/mod
@@ -580,7 +580,7 @@ jobs:
         version: ${{ env.PROTOC_VERSION }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
          path: |
            ~/go/pkg/mod
@@ -625,7 +625,7 @@ jobs:
         version: ${{ env.PROTOC_VERSION }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
          path: |
            ~/go/pkg/mod
@@ -670,7 +670,7 @@ jobs:
         version: ${{ env.PROTOC_VERSION }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
          path: |
            ~/go/pkg/mod
@@ -714,7 +714,7 @@ jobs:
         version: ${{ env.PROTOC_VERSION }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
          path: |
            ~/go/pkg/mod
@@ -749,7 +749,7 @@ jobs:
 
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
          path: |
            ~/go/pkg/mod
@@ -793,7 +793,7 @@ jobs:
         version: ${{ env.PROTOC_VERSION }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
          path: |
            ~/go/pkg/mod
@@ -833,7 +833,7 @@ jobs:
 
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@136d96b4aee02b1f0de3ba493b1d47135042d9c0 #v2.1.7
+       uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 #v2.1.7
        with:
          path: |
            ~/go/pkg/mod

Makefile

@@ -277,7 +277,7 @@ cron-github-server-docker:
 
 ##@ Tests
 ################################# make test ###################################
-test-targets = unit-test e2e ci-e2e
+test-targets = unit-test e2e-pat e2e-gh-token ci-e2e
 .PHONY: test $(test-targets)
 test: $(test-targets)
 
@@ -293,8 +293,13 @@ ifndef GITHUB_AUTH_TOKEN
 	$(error GITHUB_AUTH_TOKEN is undefined)
 endif
 
-e2e: ## Runs e2e tests. Requires GITHUB_AUTH_TOKEN env var to be set to GitHub personal access token
-e2e: build-scorecard check-env | $(GINKGO)
+e2e-pat: ## Runs e2e tests. Requires GITHUB_AUTH_TOKEN env var to be set to GitHub personal access token
+e2e-pat: build-scorecard check-env | $(GINKGO)
 	# Run e2e tests. GITHUB_AUTH_TOKEN with personal access token must be exported to run this
-	$(GINKGO) --race -p -v -cover -coverprofile=e2e-coverage.out ./...
+	TOKEN_TYPE="PAT" $(GINKGO) --race -p -v -cover -coverprofile=e2e-coverage.out ./...
+
+e2e-gh-token: ## Runs e2e tests. Requires GITHUB_AUTH_TOKEN env var to be set to default GITHUB_TOKEN
+e2e-gh-token: build-scorecard check-env | $(GINKGO)
+	# Run e2e tests. GITHUB_AUTH_TOKEN set to secrets.GITHUB_TOKEN must be used to run this.
+	TOKEN_TYPE="GITHUB_TOKEN" $(GINKGO) --race -p -v -cover -coverprofile=e2e-coverage.out ./...
 ###############################################################################

checker/raw_result.go

@@ -29,6 +29,7 @@ type RawResults struct {
 	WebhookResults              WebhooksData
 	MaintainedResults           MaintainedData
 	SignedReleasesResults       SignedReleasesData
+	LicenseResults              LicenseData
 }
 
 // MaintainedData contains the raw results
@@ -39,6 +40,12 @@ type MaintainedData struct {
 	ArchivedStatus       ArchivedStatus
 }
 
+// LicenseData contains the raw results
+// for the License check.
+type LicenseData struct {
+	Files []File
+}
+
 // CodeReviewData contains the raw results
 // for the Code-Review check.
 type CodeReviewData struct {