Merge branch 'main' into naveen/feat/binary_artifact-test

ossf · Jan 27, 2022 · 63a8d2f · 63a8d2f
2 parents c151c95 + 15a204f
commit 63a8d2f
Show file tree

Hide file tree

Showing 43 changed files with 2,286 additions and 546 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,5 +1,15 @@
-# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+# CODEOWNERS reference: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
 
-.github/workflows/*       @inferno-chromium @naveensrinivasan @azeemshaikh38 @laurentsimon
-*.md    @olivekl
-docs/checks/internal/checks.yaml    @olivekl
+# These owners will be the default owners for everything in
+# the repo. Unless a later match takes precedence,
+# the following users/teams will be requested for
+# review when someone opens a pull request.
+# TODO(owners): For ease of management, this should eventually shift to a
+#               defined GitHub team instead of individual usernames
+* @azeemshaikh38 @inferno-chromium @justaugustus @laurentsimon @naveensrinivasan
+
+# Docs
+# TODO(owners): For ease of management, this should eventually shift to a
+#               defined GitHub team instead of individual usernames
+*.md @olivekl
+/docs/ @olivekl
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -7,6 +7,13 @@ updates:
   commit-message:
       prefix: ":seedling:"
   open-pull-requests-limit: 10
+- package-ecosystem: gomod
+  directory: "/tools"
+  schedule:
+    interval: daily
+  commit-message:
+      prefix: ":seedling:"
+  open-pull-requests-limit: 10
 - package-ecosystem: "github-actions"
   directory: "/"
   schedule:

diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml
@@ -24,7 +24,7 @@ jobs:
         uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@e3e75cf2ffbf9364bbff86cdbdf52b23176fe492
+        uses: ossf/scorecard-action@c8416b0b2bf627c349ca92fc8e3de51a64b005cf
         with:
           policy_file: .github/scorecard-policy.yml
           results_file: results.sarif

diff --git a/README.md b/README.md
@@ -4,6 +4,7 @@
 ![CodeQL](https://github.com/ossf/scorecard/workflows/CodeQL/badge.svg?branch=main)
 [![Go Report Card](https://goreportcard.com/badge/github.com/ossf/scorecard)](https://goreportcard.com/report/github.com/ossf/scorecard)
 [![codecov](https://codecov.io/gh/ossf/scorecard/branch/main/graph/badge.svg?token=PMJ6NAN9J3)](https://codecov.io/gh/ossf/scorecard)
+[![Slack](https://slack.babeljs.io/badge.svg)](https://slack.openssf.org/#security_scorecards)
 
 <img align="right" src="artwork/openssf_security_compressed.png" width="200" height="400">
 
@@ -456,10 +457,11 @@ Slack Channel                 | [#security_scorecards](https://slack.openssf.org
 
 &nbsp;                                                           | Facilitators      | Company | Profile
 ---------------------------------------------------------------- | ----------------- | ------- | -------
-<img width="30px" src="https://github.com/azeemshaikh38.png">    | Azeem Shaik       | Google  | [azeemshaikh38](https://github.com/azeemshaikh38)
+<img width="30px" src="https://github.com/azeemshaikh38.png">    | Azeem Shaikh      | Google  | [azeemshaikh38](https://github.com/azeemshaikh38)
 <img width="30px" src="https://github.com/laurentsimon.png">     | Laurent Simon     | Google  | [laurentsimon](https://github.com/laurentsimon)
 <img width="30px" src="https://github.com/naveensrinivasan.png"> | Naveen Srinivasan |         | [naveensrinivasan](https://github.com/naveensrinivasan)
 <img width="30px" src="https://github.com/chrismcgehee.png">     | Chris McGehee     | Datto   | [chrismcgehee](https://github.com/chrismcgehee)
+<img width="30px" src="https://github.com/justaugustus.png">     | Justin Augustus   | Cisco   | [justaugustus](https://github.com/justaugutus)
 
 ### Report a Security Issue
 

diff --git a/checker/raw_result.go b/checker/raw_result.go
@@ -17,12 +17,19 @@ package checker
 // RawResults contains results before a policy
 // is applied.
 type RawResults struct {
+	VulnerabilitiesResults      VulnerabilitiesData
 	BinaryArtifactResults       BinaryArtifactData
 	SecurityPolicyResults       SecurityPolicyData
 	DependencyUpdateToolResults DependencyUpdateToolData
 	BranchProtectionResults     BranchProtectionsData
 }
 
+// VulnerabilitiesData contains the raw results
+// for the Vulnerabilities check.
+type VulnerabilitiesData struct {
+	Vulnerabilities []Vulnerability
+}
+
 // SecurityPolicyData contains the raw results
 // for the Security-Policy check.
 type SecurityPolicyData struct {
@@ -111,3 +118,12 @@ type File struct {
 	Type    FileType // Type of file.
 	// TODO: add hash.
 }
+
+// Vulnerability defines a vulnerability
+// from a database.
+type Vulnerability struct {
+	// For OSV: OSV-2020-484
+	// For CVE: CVE-2022-23945
+	ID string
+	// TODO(vuln): Add additional fields, if needed.
+}
diff --git a/checks/binary_artifact_test.go b/checks/binary_artifact_test.go
@@ -22,7 +22,6 @@ import (
 	"github.com/golang/mock/gomock"
 
 	"github.com/ossf/scorecard/v4/checker"
-	"github.com/ossf/scorecard/v4/clients/githubrepo"
 	"github.com/ossf/scorecard/v4/clients/localdir"
 	"github.com/ossf/scorecard/v4/log"
 	scut "github.com/ossf/scorecard/v4/utests"
@@ -60,13 +59,7 @@ func TestBinaryArtifacts(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 
-			logger, err := githubrepo.NewLogger(log.DebugLevel)
-			if err != nil {
-				t.Errorf("githubrepo.NewLogger: %v", err)
-			}
-
-			// nolint
-			defer logger.Zap.Sync()
+			logger := log.NewLogger(log.DebugLevel)
 
 			ctrl := gomock.NewController(t)
 			repo, err := localdir.MakeLocalDirRepo(tt.inputFolder)