Merge branch 'main' into naveen/feat/fix/integration-permissions

ossf · Oct 4, 2021 · 08f673d · 08f673d
2 parents 0f1e291 + c39672b
commit 08f673d
Show file tree

Hide file tree

Showing 89 changed files with 169,410 additions and 61,142 deletions.
diff --git a/.github/scorecard-policy.yml b/.github/scorecard-policy.yml
@@ -0,0 +1,64 @@
+# Copyright 2021 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: 1
+policies:
+  Token-Permissions:
+      score: 10
+      mode: enforced
+  Branch-Protection:
+      score: 10
+      mode: enforced
+  Code-Review:
+      score: 10
+      mode: enforced
+  Pinned-Dependencies:
+      score: 10
+      mode: enforced
+  Security-Policy:
+      score: 10
+      mode: enforced
+  SAST:
+      score: 10
+      mode: enforced
+  Contributors:
+      score: 10
+      mode: enforced
+  Packaging:
+      score: 10
+      mode: enforced
+  Binary-Artifacts:
+      score: 10
+      mode: enforced
+  Signed-Releases:
+      score: 10
+      mode: enforced
+  Dependency-Update-Tool:
+      score: 10
+      mode: enforced
+  Fuzzing:
+      score: 10
+      mode: enforced
+  CII-Best-Practices:
+      score: 10
+      mode: enforced
+  Vulnerabilities:
+      score: 10
+      mode: enforced
+  CI-Tests:
+      score: 10
+      mode: enforced
+  Maintained:
+      score: 10
+      mode: enforced
diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml
@@ -42,7 +42,7 @@ jobs:
         id: import_gpg
         uses: crazy-max/ghaction-import-gpg@8c43807e82148a7bafc633cc9584d04bf54be8d0 # v3.1.0
         with:
-          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.PASSPHRASE }}
       -
         name: Run GoReleaser

diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -129,7 +129,7 @@ jobs:
             Integration tests ${{ job.status }} for [${{ github.event.client_payload.slash_command.args.named.sha || github.event.pull_request.head.sha }}](https://github.com/ossf/scorecard/actions/runs/${{ github.run_id }})
 
       - name: set fork job status
-        uses: actions/github-script@f891eff65186019cbb3f7190c4590bc0a1b76fbc # v4.0.2
+        uses: actions/github-script@441359b1a30438de65712c2fbca0abe4816fa667 # v5.0.0
         if: ${{ always() }}
         id: update-check-run
         env:

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -18,6 +18,8 @@ jobs:
   validate:
     name: Validate
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
      - name: Install Protoc
        uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2
@@ -38,6 +40,8 @@ jobs:
   license-check:
     name: license boilerplate check
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
       - uses: actions/setup-go@331ce1d993939866bb63c32c6cbbfd48fa76fc57 # v2.1.3

diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml
@@ -0,0 +1,47 @@
+name: Scorecard analysis workflow
+on: 
+  push:
+    # Only the default branch is supported.
+    branches: [main, master]
+  # TODO: Re-enable after implementing the local RepoClient.
+  #pull_request:
+    # All branches are supported.
+    #branches: [main]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v1
+
+      - name: "Run analysis"
+        # This is temporary for dogfooding.
+        # We will remove the use of container and
+        # pin the dependency by hash.
+        # https://github.com/ossf/scorecard/issues/1072. 
+        uses: docker://laurentsimon/scorecard-action:dogfood
+        with:
+          policy_file: .github/scorecard-policy.yml
+          sarif_file: results.sarif
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+
+      # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
+      # Optional.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@v2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: "Upload SARIF results"
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: results.sarif
diff --git a/.golangci.yml b/.golangci.yml
@@ -149,5 +149,4 @@ linters-settings:
       - paramTypeCombine
       - ptrToRefParam
       - typeUnparen
-      - unnamedResult
       - unnecessaryBlock
diff --git a/Dockerfile b/Dockerfile
@@ -24,6 +24,6 @@ ARG TARGETOS
 ARG TARGETARCH
 RUN CGO_ENABLED=0 make build-scorecard
 
-FROM gcr.io/distroless/base:nonroot@sha256:a74f307185001c69bc362a40dbab7b67d410a872678132b187774fa21718fa13
+FROM gcr.io/distroless/base:nonroot@sha256:56d73a61ea1135c28f2be9afe2be88fc360e5fa1a892d600512a10eb2e028fa5
 COPY --from=build /src/scorecard /
 ENTRYPOINT [ "/scorecard" ]
diff --git a/Makefile b/Makefile
@@ -8,8 +8,8 @@ PROTOC := $(shell which protoc)
 IMAGE_NAME = scorecard
 OUTPUT = output
 IGNORED_CI_TEST="E2E TEST:blob|E2E TEST:executable"
-
 VERSION_LDFLAGS=$(shell ./scripts/version-ldflags)
+LDFLAGS=$(shell echo "-w -extldflags \"-static\" $(VERSION_LDFLAGS)")
 
 ############################### make help #####################################
 .PHONY: help
@@ -45,7 +45,7 @@ $(PROTOC):
 
 ################################## make all ###################################
 all:  ## Runs build, test and verify
-all-targets = update-dependencies build check-linter unit-test add-projects validate-projects tree-status
+all-targets = update-dependencies build check-linter check-osv unit-test add-projects validate-projects tree-status 
 .PHONY: all $(all-targets)
 all: $(all-targets)
 
@@ -61,6 +61,16 @@ check-linter: $(GOLANGGCI_LINT)
 	# Run golangci-lint linter
 	golangci-lint run -c .golangci.yml
 
+check-osv: ## Checks osv.dev for any vulnerabilities
+check-osv: $(install)
+	# Run stunning-tribble for checking the dependencies have any OSV
+	go list -m -f '{{if not (or  .Main)}}{{.Path}}@{{.Version}}_{{.Replace}}{{end}}' all \
+			| stunning-tribble GO-2020-0016,GO-2020-0018,GO-2020-0008
+	# Checking the tools which also has go.mod
+	cd tools 
+	go list -m -f '{{if not (or  .Main)}}{{.Path}}@{{.Version}}_{{.Replace}}{{end}}' all \
+			| stunning-tribble GO-2020-0016,GO-2020-0018,GO-2020-0008
+
 add-projects: ## Adds new projects to ./cron/data/projects.csv
 add-projects: ./cron/data/projects.csv | build-add-script
 	# Add new projects to ./cron/data/projects.csv
@@ -105,53 +115,52 @@ docs/checks.md: docs/checks/internal/checks.yaml docs/checks/internal/*.go docs/
 
 build-scorecard: ## Runs go build on repo
 	# Run go build and generate scorecard executable
-	CGO_ENABLED=0 go build -a -tags netgo -ldflags '-w -extldflags "-static" $(VERSION_LDFLAGS)'
+	CGO_ENABLED=0 go build -trimpath -a -tags netgo -ldflags '$(LDFLAGS)'
 
 build-pubsub: ## Runs go build on the PubSub cron job
 	# Run go build and the PubSub cron job
-	cd cron/controller && CGO_ENABLED=0 go build -a -ldflags '-w -extldflags "static"' -o controller
-	cd cron/worker && CGO_ENABLED=0 go build -a -ldflags '-w -extldflags "-static" $(VERSION_LDFLAGS)' -o worker
+	cd cron/controller && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o controller
+	cd cron/worker && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o worker
 
 build-bq-transfer: ## Runs go build on the BQ transfer cron job
 build-bq-transfer: ./cron/bq/*.go
 	# Run go build on the Copier cron job
-	cd cron/bq && CGO_ENABLED=0 go build -a -ldflags '-w -extldflags "static"' -o data-transfer
+	cd cron/bq && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o data-transfer
 
 build-webhook: ## Runs go build on the cron webhook
 	# Run go build on the cron webhook
-	cd cron/webhook && CGO_ENABLED=0 go build -a -ldflags '-w -extldflags "static"' -o webhook
+	cd cron/webhook && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o webhook
 
 build-add-script: ## Runs go build on the add script
 build-add-script: cron/data/add/add
 cron/data/add/add: cron/data/add/*.go cron/data/*.go repos/*.go cron/data/projects.csv
 	# Run go build on the add script
-	cd cron/data/add && CGO_ENABLED=0 go build -a -ldflags '-w -extldflags "-static"' -o add
+	cd cron/data/add && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o add
 
 build-validate-script: ## Runs go build on the validate script
 build-validate-script: cron/data/validate/validate
 cron/data/validate/validate: cron/data/validate/*.go cron/data/*.go cron/data/projects.csv
 	# Run go build on the validate script
-	cd cron/data/validate && CGO_ENABLED=0 go build -a -ldflags '-w -extldflags "-static"' -o validate
+	cd cron/data/validate && CGO_ENABLED=0 go build -trimpath -a -ldflags '$(LDFLAGS)' -o validate
 
 build-update-script: ## Runs go build on the update script
 build-update-script: cron/data/update/projects-update
 cron/data/update/projects-update:  cron/data/update/*.go cron/data/*.go
 	# Run go build on the update script
-	cd cron/data/update && CGO_ENABLED=0 go build -a -tags netgo -ldflags '-w -extldflags "-static"'  -o projects-update
+	cd cron/data/update && CGO_ENABLED=0 go build -trimpath -a -tags netgo -ldflags '$(LDFLAGS)'  -o projects-update
 
 dockerbuild: ## Runs docker build
 	# Build all Docker images in the Repo
 	$(call ndef, GITHUB_AUTH_TOKEN)
 	DOCKER_BUILDKIT=1 docker build . --file Dockerfile --tag $(IMAGE_NAME)
-	DOCKER_BUILDKIT=1 docker build . --file cron/controller/Dockerfile \
-			--build-arg=COMMIT_SHA=$(GIT_HASH) --tag $(IMAGE_NAME)-batch-controller
-	DOCKER_BUILDKIT=1 docker build . --file cron/worker/Dockerfile  --tag $(IMAGE_NAME)-batch-worker
+	DOCKER_BUILDKIT=1 docker build . --file cron/controller/Dockerfile --tag $(IMAGE_NAME)-batch-controller
+	DOCKER_BUILDKIT=1 docker build . --file cron/worker/Dockerfile --tag $(IMAGE_NAME)-batch-worker
 	DOCKER_BUILDKIT=1 docker build . --file cron/bq/Dockerfile --tag $(IMAGE_NAME)-bq-transfer
 	DOCKER_BUILDKIT=1 docker build . --file cron/webhook/Dockerfile --tag ${IMAGE_NAME}-webhook
 ###############################################################################
 
 ################################# make test ###################################
-test-targets = unit-test e2e ci-e2e 
+test-targets = unit-test e2e ci-e2e
 .PHONY: test $(test-targets)
 test: $(test-targets)