Merge branch 'main' into haskell-fuzz

.github/workflows/integration.yml

@@ -67,7 +67,7 @@ jobs:
           command: make e2e-gh-token
 
       - name: codecov
-        uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # 2.1.0
+        uses: codecov/codecov-action@40a12dcee2df644d47232dde008099a3e9e4f865 # 2.1.0
         with:
          files: ./e2e-coverage.out
          verbose: true
@@ -81,7 +81,7 @@ jobs:
           command: make e2e-gitlab
 
       - name: codecov
-        uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # 2.1.0
+        uses: codecov/codecov-action@40a12dcee2df644d47232dde008099a3e9e4f865 # 2.1.0
         with:
          files: ./e2e-coverage.out
          verbose: true

.github/workflows/main.yml

@@ -66,7 +66,7 @@ jobs:
      - name: Run unit-tests
        run: make unit-test
      - name: Upload codecoverage
-       uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # 2.1.0
+       uses: codecov/codecov-action@40a12dcee2df644d47232dde008099a3e9e4f865 # 2.1.0
        with:
          files: ./unit-coverage.out
          verbose: true

checks/permissions_test.go

@@ -312,6 +312,17 @@ func TestGithubTokenPermissions(t *testing.T) {
 				NumberOfDebug: 4,
 			},
 		},
+		{
+			name:      "security-events write, known actions",
+			filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-secevent-known-actions.yaml"},
+			expected: scut.TestReturn{
+				Error:         nil,
+				Score:         checker.MaxResultScore,
+				NumberOfWarn:  0,
+				NumberOfInfo:  2,  // This is constant.
+				NumberOfDebug: 8,  // This is 4 + (number of actions)
+			},
+		},
 		{
 			name: "two files mix run-level and top-level",
 			filenames: []string{

checks/raw/permissions.go

@@ -372,6 +372,10 @@ func isAllowedWorkflow(workflow *actionlint.Workflow, fp string, pdata *permissi
 		// allow our own action, which writes sarif files
 		// https://github.com/ossf/scorecard-action
 		"ossf/scorecard-action": true,
+
+		// Code scanning with HLint uploads a SARIF file to GitHub.
+		// https://github.com/haskell-actions/hlint-scan
+		"haskell-actions/hlint-scan": true,
 	}
 
 	tokenPermissions := checker.TokenPermission{

checks/testdata/.github/workflows/github-workflow-permissions-secevent-known-actions.yaml

@@ -0,0 +1,48 @@
+# Copyright 2021 OpenSSF Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+name: write-and-read workflow
+on: [push]
+permissions: read-all
+
+# All of the actions below are known to upload SARIF.
+# They should not trigger a warning about the security-events
+# write permission being enabled.
+jobs:
+  codeql-analyze:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - uses: github/codeql-action/analyze@v1
+
+  codeql-upload:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - uses: github/codeql-action/upload-sarif@v1
+
+  scorecard:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - uses: ossf/scorecard-action@v1
+
+  haskell-hlint:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - uses: haskell-actions/hlint-scan@v1

cron/internal/controller/main.go

@@ -105,7 +105,7 @@ func localFiles(filenames []string) (data.Iterator, error) {
 
 func main() {
 	ctx := context.Background()
-	t := time.Now()
+	t := time.Now().UTC()
 
 	flag.Parse()
 	if err := config.ReadConfig(); err != nil {

cron/internal/emulator/README.md

@@ -0,0 +1,91 @@
+# Configuring a local environment to test the Scorecard Cron Job
+
+This emulator focuses on being able to test the `worker`, which pulls messages from a pubsub, processes them, and writes the results to a Google Cloud Storage (GCS) bucket.
+It's necessary to support pubsub, gcs, and the `controller` to get the `worker` working.
+
+In general, you'll need 4-5 terminals (or tmux) to run everything needed.
+
+## GCS emulator
+
+[fake-gcs-server](https://github.com/fsouza/fake-gcs-server) meets our needs and is written in Go. 
+We may be able to use it as a library for unit tests in the future.
+
+For now, the binary is good enough, so install it from source (or [Releases](https://github.com/fsouza/fake-gcs-server/releases)):
+
+```
+go install github.com/fsouza/fake-gcs-server@latest
+```
+
+Now you can run the fake from the root of the Scorecard repo in your first window:
+```
+fake-gcs-server -scheme http -public-host 0.0.0.0:4443 \
+    -backend filesystem -filesystem-root cron/internal/emulator/fakegcs
+```
+
+## pubsub emulator:
+Google Cloud has a [pubsub emulator](https://cloud.google.com/pubsub/docs/emulator) with complete install ininstructions.
+I've summarized some of them below.
+
+
+### One time setup
+
+```
+gcloud components install pubsub-emulator
+gcloud components update
+```
+
+Anywhere outside your scorecard repo:
+```
+git clone https://github.com/googleapis/python-pubsub
+cd python-pubsub/samples/snippet
+pip install -r requirements.txt
+```
+
+### Running the pubsub emulator (needed to do everytime)
+
+In a second window from any directory, run the emulator itself:
+
+```
+export PUBSUB_PROJECT_ID=test
+gcloud beta emulators pubsub start --project=$PUBSUB_PROJECT_ID
+```
+
+In a third window (from the `samples/snippet` directory wherever you cloned `python-pubsub`) create the topic and subscription:
+
+```
+export PUBSUB_PROJECT_ID=test
+export TOPIC_ID=scorecard-batch-requests
+export SUBSCRIPTION_ID=scorecard-batch-worker
+$(gcloud beta emulators pubsub env-init)
+python3 publisher.py $PUBSUB_PROJECT_ID create $TOPIC_ID
+python3 subscriber.py $PUBSUB_PROJECT_ID create $TOPIC_ID $SUBSCRIPTION_ID
+alias drain-pubsub="python3 subscriber.py $PUBSUB_PROJECT_ID receive $SUBSCRIPTION_ID"
+```
+
+At any point you can drain the queue by running the following in the same window. Make sure to stop the command when testing the `worker`:
+```
+drain-pubsub
+```
+
+## run Scorecard cron components
+
+Commands intended to be run from the base of the Scorecard repo. Since this is intended to be used during development, `go run` is used but there's no reason you can't use `go build`. 
+The repos in `cron/internal/emulator/projects.csv` and the `cron/internal/emulator/config.yaml` file can be changed as needed.
+
+### controller
+```
+$(gcloud beta emulators pubsub env-init)
+export STORAGE_EMULATOR_HOST=0.0.0.0:4443
+go run $(ls cron/internal/controller/*.go | grep -v _test.go) \
+    --config cron/internal/emulator/config.yaml \
+    cron/internal/emulator/projects.csv
+```
+
+### worker
+```
+$(gcloud beta emulators pubsub env-init)
+export STORAGE_EMULATOR_HOST=0.0.0.0:4443
+go run $(ls cron/internal/worker/*.go | grep -v _test.go) \
+    --ignoreRuntimeErrors=true \
+    --config cron/internal/emulator/config.yaml
+```

cron/internal/emulator/config.yaml

@@ -0,0 +1,47 @@
+# Copyright 2023 OpenSSF Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+project-id: test
+request-topic-url: gcppubsub://projects/test/topics/scorecard-batch-requests
+request-subscription-url: gcppubsub://projects/test/subscriptions/scorecard-batch-worker
+bigquery-dataset: scorecardcron
+bigquery-table: scorecard-v2
+completion-threshold: 0.99
+shard-size: 10
+webhook-url: 
+metric-exporter: printer
+metric-stackdriver-prefix: scorecard-cron
+result-data-bucket-url: gs://ossf-scorecard-data2
+
+additional-params:
+  input-bucket:
+    url: gs://ossf-scorecard-input-projects
+    # Optional prefix to limit files used as input files within a bucket (e.g. a specific file or directory)
+    prefix:
+    # Optional file to read a prefix from, instead of statically defining prefix above (note: prefix must be blank to use this option)
+    # This is good in situations where the prefix changes frequently (e.g. always using the most recent folder in a bucket)
+    prefix-file:
+
+  scorecard:
+    # API results bucket
+    api-results-bucket-url: gs://ossf-scorecard-cron-results
+    # TODO: Temporarily remove SAST and CI-Tests which require lot of GitHub API tokens.
+    # TODO(#859): Re-add Contributors after fixing inconsistencies.
+    # TODO: Dependency-Update-Tool and SAST are search heavy
+    # TODO: Vulnerabilities is slow on repos with lots of dependencies
+    blacklisted-checks: CI-Tests,Contributors,Dependency-Update-Tool,SAST,Vulnerabilities
+    cii-data-bucket-url: gs://ossf-scorecard-cii-data
+    # Raw results.
+    raw-bigquery-table: scorecard-rawdata
+    raw-result-data-bucket-url: gs://ossf-scorecard-rawdata

cron/internal/emulator/fakegcs/ossf-scorecard-cii-data/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

cron/internal/emulator/fakegcs/ossf-scorecard-cron-results/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

cron/internal/emulator/fakegcs/ossf-scorecard-data2/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

cron/internal/emulator/fakegcs/ossf-scorecard-rawdata/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

cron/internal/emulator/projects.csv

@@ -0,0 +1,4 @@
+repo,metadata
+github.com/ossf/scorecard,
+github.com/ossf/scorecard-action,
+github.com/ossf/scorecard-webapp,

cron/internal/pubsub/subscriber.go

@@ -18,6 +18,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"os"
 
 	"google.golang.org/protobuf/encoding/protojson"
 
@@ -38,6 +39,10 @@ type Subscriber interface {
 // CreateSubscriber returns an implementation of Subscriber interface.
 // Currently returns an instance of gcsSubscriber.
 func CreateSubscriber(ctx context.Context, subscriptionURL string) (Subscriber, error) {
+	// the gocloud clients respect PUBSUB_EMULATOR_HOST, but our custom GCS subscriber does not
+	if os.Getenv("PUBSUB_EMULATOR_HOST") != "" {
+		return createGocloudSubscriber(ctx, subscriptionURL)
+	}
 	return createGCSSubscriber(ctx, subscriptionURL)
 }
 

cron/internal/worker/main.go

@@ -266,6 +266,9 @@ func startMetricsExporter() (monitoring.Exporter, error) {
 
 func main() {
 	flag.Parse()
+	if err := config.ReadConfig(); err != nil {
+		panic(err)
+	}
 	sw, err := newScorecardWorker()
 	if err != nil {
 		panic(err)

cron/worker/worker.go

@@ -151,7 +151,7 @@ func ResultFilename(sbr *data.ScorecardBatchRequest) string {
 }
 
 func hasMetadataFile(ctx context.Context, req *data.ScorecardBatchRequest, bucketURL string) (bool, error) {
-	filename := data.GetShardMetadataFilename(req.GetJobTime().AsTime())
+	filename := data.GetShardMetadataFilename(req.GetJobTime().AsTime().UTC())
 	exists, err := data.BlobExists(ctx, bucketURL, filename)
 	if err != nil {
 		return false, fmt.Errorf("data.BlobExists: %w", err)

docs/faq.md

@@ -64,18 +64,18 @@ For more information, see the [Fuzzing check description](https://github.com/oss
 
 ### Pinned-Dependencies: Will Scorecard detect unpinned dependencies in tests with Dockerfiles?
 
-Scorecard can show the dependencies that are referred to in tests like Dockerfiles, so it could be a great way for you to fix those dependencies and avoid the vulnerabilities related to version pinning dependencies. To see more about the benefits of hash pinning instead of version pinning, please see the [Pinned-Dependencies check description](/checks.md#pinned-dependencies)
+Scorecard can show the dependencies that are referred to in tests like Dockerfiles, so it could be a great way for you to fix those dependencies and avoid the vulnerabilities related to version pinning dependencies. To see more about the benefits of hash pinning instead of version pinning, please see the [Pinned-Dependencies check description](checks.md#pinned-dependencies)
 
 ### Pinned-Dependencies: Can I use version pinning instead of hash pinning?
 Version pinning is a significant improvement over not pinning your dependencies. However, it still leaves your project vulnerable to tag-renaming attacks (where a dependency's tags are deleted and recreated to point to a malicious commit).
 
 The OpenSSF therefore recommends hash pinning instead of version pinning, along with the use of dependency update tools such as dependabot to keep your dependencies up-to-date.
 
-Please see the [Pinned-Dependencies check description](/checks.md#pinned-dependencies) for a better understanding of the benefits of the Hash Pinning.
+Please see the [Pinned-Dependencies check description](checks.md#pinned-dependencies) for a better understanding of the benefits of the Hash Pinning.
 
 ### Signed-Releases: Why sign releases?
 
-Currently, the main benefit of [signed releases](/checks.md#signed-releases) is the guarantee that a specific artifact was released by a source that you approve or attest is reliable.
+Currently, the main benefit of [signed releases](checks.md#signed-releases) is the guarantee that a specific artifact was released by a source that you approve or attest is reliable.
 
 However, there are already moves to make it even more relevant. For example, the OpenSSF is working on [implementing signature verification for NPM packages](https://github.blog/2022-08-08-new-request-for-comments-on-improving-npm-security-with-sigstore-is-now-open/) which would allow a consumer to automatically verify if the package they are downloading was generated through a reliable builder and if it is correctly signed.
 

go.mod

@@ -14,7 +14,7 @@ require (
 	cloud.google.com/go/trace v1.9.0 // indirect
 	contrib.go.opencensus.io/exporter/stackdriver v0.13.14
 	github.com/bombsimon/logrusr/v2 v2.0.1
-	github.com/bradleyfalzon/ghinstallation/v2 v2.2.0
+	github.com/bradleyfalzon/ghinstallation/v2 v2.3.0
 	github.com/go-git/go-git/v5 v5.6.1
 	github.com/go-logr/logr v1.2.4
 	github.com/golang/mock v1.6.0
@@ -34,8 +34,8 @@ require (
 	github.com/xeipuuv/gojsonschema v1.2.0
 	go.opencensus.io v0.24.0
 	gocloud.dev v0.29.0
-	golang.org/x/text v0.8.0
-	golang.org/x/tools v0.7.0
+	golang.org/x/text v0.9.0
+	golang.org/x/tools v0.8.0
 	google.golang.org/genproto v0.0.0-20230330154414-c0448cd141ea // indirect
 	google.golang.org/protobuf v1.30.0
 	gopkg.in/yaml.v2 v2.4.0
@@ -50,7 +50,7 @@ require (
 	github.com/google/osv-scanner v1.3.1
 	github.com/mcuadros/go-jsonschema-generator v0.0.0-20200330054847-ba7a369d4303
 	github.com/onsi/ginkgo/v2 v2.9.2
-	github.com/otiai10/copy v1.9.0
+	github.com/otiai10/copy v1.10.0
 	sigs.k8s.io/release-utils v0.6.0
 )
 
@@ -75,7 +75,7 @@ require (
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/flatbuffers v2.0.8+incompatible // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
-	github.com/google/go-github/v50 v50.1.0 // indirect
+	github.com/google/go-github/v50 v50.2.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20230111200839-76d1ae5aea2b // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
@@ -99,8 +99,8 @@ require (
 	github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 // indirect
 	github.com/spdx/tools-golang v0.4.0 // indirect
 	github.com/zeebo/xxh3 v1.0.2 // indirect
-	golang.org/x/mod v0.9.0 // indirect
-	golang.org/x/term v0.6.0 // indirect
+	golang.org/x/mod v0.10.0 // indirect
+	golang.org/x/term v0.7.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/vuln v0.0.0-20230303230808-d3042fecc4e3 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
@@ -167,12 +167,12 @@ require (
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
-	golang.org/x/crypto v0.6.0 // indirect
+	golang.org/x/crypto v0.7.0 // indirect
 	golang.org/x/exp v0.0.0-20230321023759-10a507213a29
-	golang.org/x/net v0.8.0 // indirect
+	golang.org/x/net v0.9.0 // indirect
 	golang.org/x/oauth2 v0.6.0 // indirect
 	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.6.0 // indirect
+	golang.org/x/sys v0.7.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	google.golang.org/api v0.114.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect