Merge branch 'main' into branch-protection/move-enforce-admin

.github/workflows/codeql-analysis.yml

@@ -57,7 +57,7 @@ jobs:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
     - name: Checkout repository
-      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/depsreview.yml

@@ -22,6 +22,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034

.github/workflows/docker.yml

@@ -35,12 +35,12 @@ jobs:
       docs_only: ${{ steps.docs_only_check.outputs.docs_only }}
     steps:
     - name: Check out code
-      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0
+      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 #v4.1.0
       with:
         fetch-depth: 2 # needed to diff changed files
     - id: files
       name: Get changed files
-      uses: tj-actions/changed-files@8e79ba7ab9fee9984275219aeb2c8db47bcb8a2d #v39.1.0
+      uses: tj-actions/changed-files@41960309398d165631f08c5df47a11147e14712b #v39.1.2
       with:
         files_ignore: '**.md'
     - id: docs_only_check
@@ -75,7 +75,7 @@ jobs:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Clone the code
        if: (needs.docs_only_check.outputs.docs_only != 'true')
-       uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+       uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - name: Setup Go # needed for some of the Makefile evaluations, even if building happens in Docker 
        if: (needs.docs_only_check.outputs.docs_only != 'true')
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0

.github/workflows/gitlab.yml

@@ -37,7 +37,7 @@ jobs:
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
       - name: Clone the code
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           ref: ${{ github.event.pull_request.head.sha || github.sha }} # head SHA if PR, else fallback to push SHA
       - name: Setup Go

.github/workflows/goreleaser.yaml

@@ -39,7 +39,7 @@ jobs:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
       - name: Set up Go

.github/workflows/integration.yml

@@ -48,7 +48,7 @@ jobs:
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
       - name: Clone the code
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Setup Go

.github/workflows/lint.yml

@@ -22,7 +22,7 @@ jobs:
       - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
       - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version: ${{ env.GO_VERSION }}

.github/workflows/main.yml

@@ -41,7 +41,7 @@ jobs:
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Clone the code
-       uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+       uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - name: Setup Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
@@ -117,7 +117,7 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Clone the code
-       uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+       uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
           fetch-depth: 0
      - name: Setup Go
@@ -147,7 +147,7 @@ jobs:
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Clone the code
-       uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+       uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - name: Setup Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
@@ -182,7 +182,7 @@ jobs:
         version: ${{ env.PROTOC_VERSION }}
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Clone the code
-       uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+       uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
           fetch-depth: 0
      - name: Setup Go
@@ -237,7 +237,7 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Clone the code
-       uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+       uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - name: Setup Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
@@ -277,7 +277,7 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Clone the code
-       uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+       uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
           fetch-depth: 0
      - name: Setup Go
@@ -324,7 +324,7 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Clone the code
-       uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+       uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
           fetch-depth: 0
      - name: Setup Go
@@ -359,7 +359,7 @@ jobs:
         version: ${{ env.PROTOC_VERSION }}
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Clone the code
-       uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+       uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
           fetch-depth: 0
      - name: Setup Go
@@ -388,7 +388,7 @@ jobs:
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
       - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
         with:
           go-version: ${{ env.GO_VERSION }}

.github/workflows/publishimage.yml

@@ -40,7 +40,7 @@ jobs:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
      - name: Clone the code
-       uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+       uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
           fetch-depth: 0
      - name: Setup Go

.github/workflows/scorecard-analysis.yml

@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
 
       - name: "Run analysis"
         uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0

.github/workflows/slsa-goreleaser.yml

@@ -19,7 +19,7 @@ jobs:
       go-binary-name: ${{ steps.build.outputs.go-binary-name }}
     steps:
       - id: checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
       - id: ldflags

.github/workflows/stale.yml

@@ -34,7 +34,7 @@ jobs:
     - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v3.0.18
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
-        stale-issue-message: 'Stale issue message - this issue will be closed in 7 days'
+        stale-issue-message: 'This issue is stale because it has been open for 60 days with no activity.'
         stale-pr-message: 'Stale pull request message'
         stale-issue-label: 'no-issue-activity'
         exempt-issue-labels: 'priority,bug,good first issue'
@@ -43,4 +43,5 @@ jobs:
         days-before-pr-stale: '10'
         days-before-pr-close: '20'
         days-before-issue-stale: '60'
+        days-before-issue-close: -1
         operations-per-run: '100'

checks/fileparser/github_workflow_test.go

@@ -20,8 +20,8 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
 	"github.com/rhysd/actionlint"
-	"gotest.tools/assert/cmp"
 )
 
 func TestGitHubWorkflowShell(t *testing.T) {
@@ -142,7 +142,7 @@ func TestGitHubWorkflowShell(t *testing.T) {
 					actualShells = append(actualShells, shell)
 				}
 			}
-			if !cmp.DeepEqual(tt.expectedShells, actualShells)().Success() {
+			if !cmp.Equal(tt.expectedShells, actualShells) {
 				t.Errorf("%v: Got (%v) expected (%v)", tt.name, actualShells, tt.expectedShells)
 			}
 		})

cmd/internal/scdiff/app/compare.go

@@ -36,18 +36,15 @@ func init() {
 }
 
 var (
-	errMissingInputFiles = errors.New("must provide at least two files from scdiff generate")
-	errResultsDiffer     = errors.New("results differ")
-	errNumResults        = errors.New("number of results being compared differ")
+	errResultsDiffer = errors.New("results differ")
+	errNumResults    = errors.New("number of results being compared differ")
 
 	compareCmd = &cobra.Command{
 		Use:   "compare [flags] FILE1 FILE2",
 		Short: "Compare Scorecard results",
 		Long:  `Compare Scorecard results`,
+		Args:  cobra.MinimumNArgs(2),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			if len(args) < 2 {
-				return errMissingInputFiles
-			}
 			f1, err := os.Open(args[0])
 			if err != nil {
 				return fmt.Errorf("opening %q: %w", args[0], err)
@@ -68,7 +65,9 @@ var (
 func compareReaders(x, y io.Reader, output io.Writer) error {
 	// results are currently newline delimited
 	xs := bufio.NewScanner(x)
+	xs.Buffer(nil, maxResultSize)
 	ys := bufio.NewScanner(y)
+	ys.Buffer(nil, maxResultSize)
 	for {
 		if shouldContinue, err := advanceScanners(xs, ys); err != nil {
 			return err
@@ -90,11 +89,11 @@ func compareReaders(x, y io.Reader, output io.Writer) error {
 }
 
 func loadResults(x, y *bufio.Scanner) (pkg.ScorecardResult, pkg.ScorecardResult, error) {
-	xResult, err := pkg.ExperimentalFromJSON2(strings.NewReader(x.Text()))
+	xResult, _, err := pkg.ExperimentalFromJSON2(strings.NewReader(x.Text()))
 	if err != nil {
 		return pkg.ScorecardResult{}, pkg.ScorecardResult{}, fmt.Errorf("parsing first result: %w", err)
 	}
-	yResult, err := pkg.ExperimentalFromJSON2(strings.NewReader(y.Text()))
+	yResult, _, err := pkg.ExperimentalFromJSON2(strings.NewReader(y.Text()))
 	if err != nil {
 		return pkg.ScorecardResult{}, pkg.ScorecardResult{}, fmt.Errorf("parsing second result: %w", err)
 	}

cmd/internal/scdiff/app/stats.go

@@ -0,0 +1,127 @@
+// Copyright 2023 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package app
+
+import (
+	"bufio"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+	"text/tabwriter"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/exp/slices"
+
+	"github.com/ossf/scorecard/v4/checker"
+	"github.com/ossf/scorecard/v4/pkg"
+)
+
+//nolint:gochecknoinits // common for cobra apps
+func init() {
+	rootCmd.AddCommand(statsCmd)
+	statsCmd.PersistentFlags().StringVarP(&statsCheck, "check", "c", "", "Analyze breakdown of a single check")
+}
+
+// 1 MiB size limit for individual results. This currently works,
+// but bufio.Scanner always has a limit, may need to change approach in the future.
+const maxResultSize = 1024 * 1024
+
+var (
+	statsCheck string
+	statsCmd   = &cobra.Command{
+		Use:   "stats [flags] FILE",
+		Short: "Summarize stats for a golden file",
+		Long:  `Summarize stats for a golden file`,
+		Args:  cobra.MinimumNArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			f1, err := os.Open(args[0])
+			if err != nil {
+				return fmt.Errorf("opening %q: %w", args[0], err)
+			}
+			defer f1.Close()
+			return calcStats(f1, os.Stdout)
+		},
+	}
+
+	errCheckNotPresent = errors.New("requested check not present")
+	errInvalidScore    = errors.New("invalid score")
+)
+
+// countScores quantizes the scores into 12 buckets, from [-1, 10]
+// If a check is provided, that check score is used, otherwise the aggregate score is used.
+func countScores(input io.Reader, check string) ([12]int, error) {
+	var counts [12]int // [-1, 10] inclusive
+	var score int
+	scanner := bufio.NewScanner(input)
+	scanner.Buffer(nil, maxResultSize)
+	for scanner.Scan() {
+		result, aggregateScore, err := pkg.ExperimentalFromJSON2(strings.NewReader(scanner.Text()))
+		if err != nil {
+			return [12]int{}, fmt.Errorf("parsing result: %w", err)
+		}
+		if check == "" {
+			score = int(aggregateScore)
+		} else {
+			i := slices.IndexFunc(result.Checks, func(c checker.CheckResult) bool {
+				return strings.EqualFold(c.Name, check)
+			})
+			if i == -1 {
+				return [12]int{}, errCheckNotPresent
+			}
+			score = result.Checks[i].Score
+		}
+		if score < -1 || score > 10 {
+			return [12]int{}, errInvalidScore
+		}
+		bucket := score + 1 // score of -1 is index 0, score of 0 is index 1, etc.
+		counts[bucket]++
+	}
+	if err := scanner.Err(); err != nil {
+		return [12]int{}, fmt.Errorf("parsing golden file: %w", err)
+	}
+	return counts, nil
+}
+
+func calcStats(input io.Reader, output io.Writer) error {
+	counts, err := countScores(input, statsCheck)
+	if err != nil {
+		return err
+	}
+	name := statsCheck
+	if name == "" {
+		name = "Aggregate"
+	}
+	summary(name, &counts, output)
+	return nil
+}
+
+func summary(name string, counts *[12]int, output io.Writer) {
+	const (
+		minWidth = 0
+		tabWidth = 4
+		padding  = 1
+		padchar  = ' '
+		flags    = tabwriter.AlignRight
+	)
+	w := tabwriter.NewWriter(output, minWidth, tabWidth, padding, padchar, flags)
+	fmt.Fprintf(w, "%s Score\tCount\t\n", name)
+	for i, c := range counts {
+		scoreBucket := i - 1
+		fmt.Fprintf(w, "%d\t%d\t\n", scoreBucket, c)
+	}
+	w.Flush()
+}