Merge branch 'main' into repo-client-e2e

Signed-off-by: Spencer Schrock <sschrock@google.com>

.github/workflows/docker.yml

@@ -41,7 +41,7 @@ jobs:
         fetch-depth: 2
     - id: files
       name: Get changed files
-      uses: tj-actions/changed-files@74338865c1e73fee674ce5cfc5d28f4b9caa33bc #v35.5.4
+      uses: tj-actions/changed-files@5ce975c6021a0b11062c547acb6c26c96a34a8c5 #v35.6.2
       with:
         files_ignore: '**.md'
     - id: docs_only_check
@@ -70,7 +70,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 #v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 #v3.3.0
        with:
           # In order:
           # * Module download cache
@@ -118,7 +118,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 #v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 #v3.3.0
        with:
           # In order:
           # * Module download cache
@@ -166,7 +166,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 #v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 #v3.3.0
        with:
           # In order:
           # * Module download cache
@@ -214,7 +214,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 #v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 #v3.3.0
        with:
           # In order:
           # * Module download cache
@@ -262,7 +262,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 #v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 #v3.3.0
        with:
           # In order:
           # * Module download cache
@@ -310,7 +310,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 #v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 #v3.3.0
        with:
           # In order:
           # * Module download cache
@@ -358,7 +358,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 #v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 #v3.3.0
        with:
           # In order:
           # * Module download cache

.github/workflows/main.yml

@@ -43,7 +43,7 @@ jobs:
 
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 #v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 #v3.3.0
        with:
          path: |
            ~/go/pkg/mod
@@ -88,7 +88,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0
        with:
          path: |
            ~/go/pkg/mod
@@ -136,7 +136,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0
        with:
          path: |
            ~/go/pkg/mod
@@ -219,7 +219,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0
        with:
          path: |
            ~/go/pkg/mod
@@ -267,7 +267,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0
        with:
          path: |
            ~/go/pkg/mod
@@ -315,7 +315,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0
        with:
          path: |
            ~/go/pkg/mod
@@ -363,7 +363,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0
        with:
          path: |
            ~/go/pkg/mod
@@ -411,7 +411,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0
        with:
          path: |
            ~/go/pkg/mod
@@ -459,7 +459,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0
        with:
          path: |
            ~/go/pkg/mod
@@ -507,7 +507,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0
        with:
          path: |
            ~/go/pkg/mod
@@ -555,7 +555,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0
        with:
          path: |
            ~/go/pkg/mod
@@ -603,7 +603,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0
        with:
          path: |
            ~/go/pkg/mod
@@ -651,7 +651,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0
        with:
          path: |
            ~/go/pkg/mod
@@ -699,7 +699,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0
        with:
          path: |
            ~/go/pkg/mod
@@ -771,7 +771,7 @@ jobs:
 
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0
        with:
          path: |
            ~/go/pkg/mod
@@ -818,7 +818,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+       uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0
        with:
          path: |
            ~/go/pkg/mod

.github/workflows/publishimage.yml

@@ -61,7 +61,7 @@ jobs:
             make install
             make scorecard-ko
      - name: Install Cosign
-       uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b
+       uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65
      - name: Sign image
        run: |
           cosign sign ghcr.io/${{github.repository_owner}}/scorecard/v4:${{ github.sha }}

Makefile

@@ -314,7 +314,7 @@ test: $(test-targets)
 unit-test: ## Runs unit test without e2e
 	# Run unit tests, ignoring e2e tests
 	# run the go tests and gen the file coverage-all used to do the integration with codecov
-	SKIP_GINKGO=1 go test -race -covermode=atomic  -coverprofile=unit-coverage.out `go list ./...`
+	SKIP_GINKGO=1 go test -race -covermode=atomic  -coverprofile=unit-coverage.out -coverpkg=./... `go list ./...`
 
 unit-test-attestor: ## Runs unit tests on scorecard-attestor
 	cd attestor; SKIP_GINKGO=1 go test -covermode=atomic -coverprofile=unit-coverage.out `go list ./...`; cd ..;

README.md

@@ -101,7 +101,7 @@ This data is available in the public BigQuery dataset
 `openssf:scorecardcron.scorecard-v2`. The latest results are available in the
 BigQuery view `openssf:scorecardcron.scorecard-v2_latest`.
 
-You can query the data using [BigQuery Explorer](http://console.cloud.google.com/bigquery) by navigating to Add Data > Pin a Project > Enter Project Name > 'openssf'.
+You can query the data using [BigQuery Explorer](http://console.cloud.google.com/bigquery) by navigating to Add Data > Star a project by name > 'openssf'.
 For example, you may be interested in how a project's score has changed over time:
 
 ```sql
@@ -203,7 +203,7 @@ Add the binary to your `GOPATH/bin` directory (use `go env GOPATH` to identify y
 
 ###### Verifying SLSA provenance for downloaded releases
 
-We generate [SLSA3 signatures](slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) during the release process. To verify a release binary:
+We generate [SLSA3 signatures](https://slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) during the release process. To verify a release binary:
 1. Install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation).
 2. Download the signature file `attestation.intoto.jsonl` from the [GitHub releases page](https://github.com/GoogleContainerTools/jib/releases/latest).
 3. Run the verifier:

checker/client.go

@@ -21,6 +21,7 @@ import (
 	"github.com/ossf/scorecard/v4/clients"
 	ghrepo "github.com/ossf/scorecard/v4/clients/githubrepo"
 	"github.com/ossf/scorecard/v4/clients/localdir"
+	"github.com/ossf/scorecard/v4/clients/ossfuzz"
 	"github.com/ossf/scorecard/v4/log"
 )
 
@@ -59,16 +60,10 @@ func GetClients(ctx context.Context, repoURI, localURI string, logger *log.Logge
 			fmt.Errorf("getting local directory client: %w", errGitHub)
 	}
 
-	ossFuzzRepoClient, errOssFuzz := ghrepo.CreateOssFuzzRepoClient(ctx, logger)
-	var retErr error
-	if errOssFuzz != nil {
-		retErr = fmt.Errorf("getting OSS-Fuzz repo client: %w", errOssFuzz)
-	}
-	// TODO(repo): Should we be handling the OSS-Fuzz client error like this?
 	return githubRepo, /*repo*/
 		ghrepo.CreateGithubRepoClient(ctx, logger), /*repoClient*/
-		ossFuzzRepoClient, /*ossFuzzClient*/
+		ossfuzz.CreateOSSFuzzClient(ossfuzz.StatusURL), /*ossFuzzClient*/
 		clients.DefaultCIIBestPracticesClient(), /*ciiClient*/
 		clients.DefaultVulnerabilitiesClient(), /*vulnClient*/
-		retErr
+		nil
 }

checks/fileparser/listing.go

@@ -52,7 +52,9 @@ func isMatchingPath(fullpath string, matchPathTo PathMatcher) (bool, error) {
 func isTestdataFile(fullpath string) bool {
 	// testdata/ or /some/dir/testdata/some/other
 	return strings.HasPrefix(fullpath, "testdata/") ||
-		strings.Contains(fullpath, "/testdata/")
+		strings.Contains(fullpath, "/testdata/") ||
+		strings.HasPrefix(fullpath, "src/test/") ||
+		strings.Contains(fullpath, "/src/test/")
 }
 
 // PathMatcher represents a query for a filepath.

checks/fileparser/listing_test.go

@@ -375,6 +375,13 @@ func Test_isTestdataFile(t *testing.T) {
 			},
 			want: true,
 		},
+		{
+			name: "testdata file",
+			args: args{
+				fullpath: "archiva-modules/archiva-base/archiva-checksum/src/test/resources/examples/redback-authz-open.jar",
+			},
+			want: true,
+		},
 	}
 	for _, tt := range tests {
 		tt := tt // Re-initializing variable so it is not changed while executing the closure below