Merge branch 'main' into commit-depth
spencerschrock authored Nov 15, 2023
2 parents 990c8f6 + a4ee314 commit e7545c0
Showing 33 changed files with 340 additions and 643 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/depsreview.yml
Expand Up @@ -24,4 +24,4 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: 'Dependency Review'
uses: actions/dependency-review-action@fde92acd0840415674c16b39c7d703fc28bc511e
uses: actions/dependency-review-action@7bbfa034e752445ea40215fff1c3bf9597993d3f # v3.1.3
4 changes: 0 additions & 4 deletions .golangci.yml
Expand Up @@ -80,10 +80,6 @@ linters-settings:
errcheck:
check-type-assertions: true
check-blank: true
errorlint:
# TODO remove this when project migrates to golang 1.20
# https://golangci-lint.run/usage/linters/#errorlint
errorf-multi: false
exhaustive:
# https://golangci-lint.run/usage/linters/#exhaustive
default-signifies-exhaustive: true
2 changes: 1 addition & 1 deletion CONTRIBUTING.md
Expand Up @@ -43,7 +43,7 @@ You must install these tools:
1. [`git`](https://help.github.com/articles/set-up-git/): For source control

1. [`go`](https://golang.org/doc/install): You need go version
[v1.19](https://golang.org/dl/) or higher.
[v1.21](https://golang.org/dl/) or higher.

1. [`docker`](https://docs.docker.com/engine/install/): `v18.9` or higher.

4 changes: 2 additions & 2 deletions checker/check_result.go
Expand Up @@ -107,7 +107,7 @@ func CreateProportionalScore(success, total int) int {
return 0
}

return int(math.Min(float64(MaxResultScore*success/total), float64(MaxResultScore)))
return min(MaxResultScore*success/total, MaxResultScore)
}

// CreateProportionalScoreWeighted creates the proportional score
Expand Down Expand Up @@ -141,7 +141,7 @@ func CreateProportionalScoreWeighted(scores ...ProportionalScoreWeighted) (int,
return MaxResultScore, nil
}

return int(math.Min(float64(MaxResultScore*ws/wt), float64(MaxResultScore))), nil
return min(MaxResultScore*ws/wt, MaxResultScore), nil
}

// AggregateScores adds up all scores
3 changes: 1 addition & 2 deletions checks/evaluation/code_review.go
Expand Up @@ -16,7 +16,6 @@ package evaluation

import (
"fmt"
"math"

"github.com/ossf/scorecard/v4/checker"
sce "github.com/ossf/scorecard/v4/errors"
Expand Down Expand Up @@ -74,7 +73,7 @@ func CodeReview(name string, dl checker.DetailLogger, r *checker.CodeReviewData)
return checker.CreateProportionalScoreResult(
name,
fmt.Sprintf("found %d unreviewed changesets out of %d", nUnreviewedChanges, nChanges),
int(math.Max(float64(nChanges-nUnreviewedChanges), 0)),
max(nChanges-nUnreviewedChanges, 0),
nChanges,
)
}
2 changes: 0 additions & 2 deletions checks/evaluation/fuzzing.go
Expand Up @@ -24,7 +24,6 @@ import (
"github.com/ossf/scorecard/v4/probes/fuzzedWithGoNative"
"github.com/ossf/scorecard/v4/probes/fuzzedWithJavaJazzerFuzzer"
"github.com/ossf/scorecard/v4/probes/fuzzedWithOSSFuzz"
"github.com/ossf/scorecard/v4/probes/fuzzedWithOneFuzz"
"github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedHaskell"
"github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedJavascript"
"github.com/ossf/scorecard/v4/probes/fuzzedWithPropertyBasedTypescript"
Expand All @@ -47,7 +46,6 @@ func Fuzzing(name string,
fuzzedWithRustCargofuzz.Probe,
fuzzedWithSwiftLibFuzzer.Probe,
fuzzedWithJavaJazzerFuzzer.Probe,
fuzzedWithOneFuzz.Probe,
fuzzedWithOSSFuzz.Probe,
fuzzedWithPropertyBasedHaskell.Probe,
fuzzedWithPropertyBasedJavascript.Probe,
18 changes: 1 addition & 17 deletions checks/evaluation/fuzzing_test.go
Expand Up @@ -64,10 +64,6 @@ func TestFuzzing(t *testing.T) {
Probe: "fuzzedWithJavaJazzerFuzzer",
Outcome: finding.OutcomeNegative,
},
{
Probe: "fuzzedWithOneFuzz",
Outcome: finding.OutcomeNegative,
},
{
Probe: "fuzzedWithOSSFuzz",
Outcome: finding.OutcomeNegative,
Expand All @@ -87,7 +83,7 @@ func TestFuzzing(t *testing.T) {
},
result: scut.TestReturn{
Score: checker.MinResultScore,
NumberOfWarn: 13,
NumberOfWarn: 12,
},
},
{
Expand Down Expand Up @@ -125,10 +121,6 @@ func TestFuzzing(t *testing.T) {
Probe: "fuzzedWithJavaJazzerFuzzer",
Outcome: finding.OutcomeNegative,
},
{
Probe: "fuzzedWithOneFuzz",
Outcome: finding.OutcomeNegative,
},
{
Probe: "fuzzedWithOSSFuzz",
Outcome: finding.OutcomeNegative,
Expand Down Expand Up @@ -159,10 +151,6 @@ func TestFuzzing(t *testing.T) {
Probe: "fuzzedWithClusterFuzzLite",
Outcome: finding.OutcomeNegative,
},
{
Probe: "fuzzedWithOneFuzz",
Outcome: finding.OutcomeNegative,
},
{
Probe: "fuzzedWithOSSFuzz",
Outcome: finding.OutcomeNegative,
Expand Down Expand Up @@ -196,10 +184,6 @@ func TestFuzzing(t *testing.T) {
Probe: "fuzzedWithGoNative",
Outcome: finding.OutcomePositive,
},
{
Probe: "fuzzedWithOneFuzz",
Outcome: finding.OutcomeNegative,
},
{
Probe: "fuzzedWithOSSFuzz",
Outcome: finding.OutcomeNegative,
6 changes: 3 additions & 3 deletions checks/fuzzing_test.go
Expand Up @@ -53,7 +53,7 @@ func TestFuzzing(t *testing.T) {
wantErr: false,
expected: scut.TestReturn{
Error: nil,
NumberOfWarn: 13,
NumberOfWarn: 12,
NumberOfDebug: 0,
NumberOfInfo: 0,
Score: 0,
Expand Down Expand Up @@ -110,7 +110,7 @@ func TestFuzzing(t *testing.T) {
wantFuzzErr: false,
expected: scut.TestReturn{
Error: nil,
NumberOfWarn: 13,
NumberOfWarn: 12,
NumberOfDebug: 0,
NumberOfInfo: 0,
Score: 0,
Expand All @@ -121,7 +121,7 @@ func TestFuzzing(t *testing.T) {
wantFuzzErr: true,
expected: scut.TestReturn{
Error: nil,
NumberOfWarn: 13,
NumberOfWarn: 12,
NumberOfDebug: 0,
NumberOfInfo: 0,
Score: 0,
32 changes: 0 additions & 32 deletions checks/raw/fuzzing.go
Expand Up @@ -30,7 +30,6 @@ import (
const (
fuzzerOSSFuzz = "OSSFuzz"
fuzzerClusterFuzzLite = "ClusterFuzzLite"
oneFuzz = "OneFuzz"
fuzzerBuiltInGo = "GoBuiltInFuzzer"
fuzzerPropertyBasedHaskell = "HaskellPropertyBasedTesting"
fuzzerPropertyBasedJavaScript = "JavaScriptPropertyBasedTesting"
Expand Down Expand Up @@ -181,21 +180,6 @@ func Fuzzing(c *checker.CheckRequest) (checker.FuzzingData, error) {
)
}

usingOneFuzz, e := checkOneFuzz(c)
if e != nil {
return checker.FuzzingData{}, fmt.Errorf("%w", e)
}
if usingOneFuzz {
fuzzers = append(fuzzers,
checker.Tool{
Name: oneFuzz,
URL: asPointer("https://github.com/microsoft/onefuzz"),
Desc: asPointer("Enables continuous developer-driven fuzzing to proactively harden software prior to release."),
// TODO: File.
},
)
}

usingOSSFuzz, e := checkOSSFuzz(c)
if e != nil {
return checker.FuzzingData{}, fmt.Errorf("%w", e)
Expand Down Expand Up @@ -251,22 +235,6 @@ func checkCFLite(c *checker.CheckRequest) (bool, error) {
return result, nil
}

func checkOneFuzz(c *checker.CheckRequest) (bool, error) {
result := false
e := fileparser.OnMatchingFileContentDo(c.RepoClient, fileparser.PathMatcher{
Pattern: "^\\.onefuzz$",
CaseSensitive: true,
}, func(path string, content []byte, args ...interface{}) (bool, error) {
result = true
return false, nil
}, nil)
if e != nil {
return result, fmt.Errorf("%w", e)
}

return result, nil
}

func checkOSSFuzz(c *checker.CheckRequest) (bool, error) {
if c.OssFuzzRepo == nil {
return false, nil
59 changes: 0 additions & 59 deletions checks/raw/fuzzing_test.go
Expand Up @@ -103,65 +103,6 @@ func Test_checkOSSFuzz(t *testing.T) {
}
}

// Test_checkOneFuzz is a test function for checkOneFuzz.
func Test_checkOneFuzz(t *testing.T) {
t.Parallel()
//nolint
tests := []struct {
name string
want bool
wantErr bool
fileName []string
}{
{
name: "Test_checkOneFuzz success",
want: true,
wantErr: false,
fileName: []string{".onefuzz"},
},
{
name: "Test_checkOneFuzz not found",
want: false,
wantErr: false,
fileName: []string{},
},
{
name: "Test_checkOneFuzz failure",
want: false,
wantErr: true,
fileName: []string{".onefuzz"},
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFuzz := mockrepo.NewMockRepoClient(ctrl)
mockFuzz.EXPECT().ListFiles(gomock.Any()).Return(tt.fileName, nil).AnyTimes()
mockFuzz.EXPECT().GetFileContent(gomock.Any()).DoAndReturn(func(f string) (string, error) {
if tt.wantErr {
//nolint
return "", errors.New("error")
}
return "", nil
}).AnyTimes()
req := checker.CheckRequest{
RepoClient: mockFuzz,
}
got, err := checkOneFuzz(&req)
if (err != nil) != tt.wantErr {
t.Errorf("checkOneFuzz() error = %v, wantErr %v", err, tt.wantErr)
return
}
if got != tt.want {
t.Errorf("checkOneFuzz() = %v, want %v for test %v", got, tt.want, tt.name)
}
})
}
}

// Test_checkCFLite is a test function for checkCFLite.
func Test_checkCFLite(t *testing.T) {
t.Parallel()
2 changes: 1 addition & 1 deletion checks/raw/shell_download_validate.go
Expand Up @@ -23,9 +23,9 @@ import (
"path"
"path/filepath"
"regexp"
"slices"
"strings"

"golang.org/x/exp/slices"
"mvdan.cc/sh/v3/syntax"

"github.com/ossf/scorecard/v4/checker"
2 changes: 1 addition & 1 deletion clients/githubrepo/branches.go
Expand Up @@ -17,12 +17,12 @@ package githubrepo
import (
"context"
"fmt"
"slices"
"strings"
"sync"

"github.com/google/go-github/v53/github"
"github.com/shurcooL/githubv4"
"golang.org/x/exp/slices"

"github.com/ossf/scorecard/v4/clients"
"github.com/ossf/scorecard/v4/clients/githubrepo/internal/fnmatch"
8 changes: 4 additions & 4 deletions clients/githubrepo/tarball.go
Expand Up @@ -153,7 +153,7 @@ func (handler *tarballHandler) getTarball() error {
defer repoFile.Close()
if _, err := io.Copy(repoFile, resp.Body); err != nil {
// This can happen if the incoming tarball is corrupted/server gateway times out.
return fmt.Errorf("%w io.Copy: %v", errTarballNotFound, err)
return fmt.Errorf("%w io.Copy: %w", errTarballNotFound, err)
}

handler.tempDir = tempDir
Expand All @@ -169,7 +169,7 @@ func (handler *tarballHandler) extractTarball() error {
}
gz, err := gzip.NewReader(in)
if err != nil {
return fmt.Errorf("%w: gzip.NewReader %v %v", errTarballCorrupted, handler.tempTarFile, err)
return fmt.Errorf("%w: gzip.NewReader %v %w", errTarballCorrupted, handler.tempTarFile, err)
}
tr := tar.NewReader(gz)
for {
Expand All @@ -178,7 +178,7 @@ func (handler *tarballHandler) extractTarball() error {
break
}
if err != nil {
return fmt.Errorf("%w tarReader.Next: %v", errTarballCorrupted, err)
return fmt.Errorf("%w tarReader.Next: %w", errTarballCorrupted, err)
}

switch header.Typeflag {
Expand Down Expand Up @@ -217,7 +217,7 @@ func (handler *tarballHandler) extractTarball() error {
// Potential for DoS vulnerability via decompression bomb.
// Since such an attack will only impact a single shard, ignoring this for now.
if _, err := io.Copy(outFile, tr); err != nil {
return fmt.Errorf("%w io.Copy: %v", errTarballCorrupted, err)
return fmt.Errorf("%w io.Copy: %w", errTarballCorrupted, err)
}
outFile.Close()
handler.files = append(handler.files,
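Review bot: Switching the inner `%v` to `%w` on the io.Copy, gzip.NewReader and tarReader.Next returns turns each of these into a multi-wrapped error, which changes what callers can observe: errors.Is and errors.As still match errTarballNotFound and errTarballCorrupted, but errors.Unwrap now returns nil for a two-`%w` error (it implements `Unwrap() []error`), so a caller comparing `errors.Unwrap(err)` against the sentinel would silently stop matching. If any such caller exists it should move to `errors.Is(err, errTarballNotFound)`; otherwise this deserves a line in the commit message. The same applies to the matching changes in clients/gitlabrepo/tarball.go. getTarball and extractTarball both start and end outside these hunks.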
14 changes: 7 additions & 7 deletions clients/gitlabrepo/tarball.go
Expand Up @@ -130,7 +130,7 @@ func (handler *tarballHandler) getTarball() error {
}
repoFile, err := os.CreateTemp(tempDir, repoFilename)
if err != nil {
return fmt.Errorf("%w io.Copy: %v", errTarballNotFound, err)
return fmt.Errorf("%w io.Copy: %w", errTarballNotFound, err)
}
defer repoFile.Close()
err = handler.apiFunction(url, tempDir, repoFile)
Expand Down Expand Up @@ -188,18 +188,18 @@ func (handler *tarballHandler) apiFunction(url, tempDir string, repoFile *os.Fil
req.Header.Set("PRIVATE-TOKEN", os.Getenv("GITLAB_AUTH_TOKEN"))
resp, err := http.DefaultClient.Do(req)
if err != nil {
return fmt.Errorf("%w io.Copy: %v", errTarballNotFound, err)
return fmt.Errorf("%w io.Copy: %w", errTarballNotFound, err)
}
defer resp.Body.Close()

// Handler 400/404 errors.
switch resp.StatusCode {
case http.StatusNotFound, http.StatusBadRequest:
return fmt.Errorf("%w io.Copy: %v", errTarballNotFound, err)
return fmt.Errorf("%w io.Copy: %w", errTarballNotFound, err)
}
if _, err := io.Copy(repoFile, resp.Body); err != nil {
// If the incoming tarball is corrupted or the server times out.
return fmt.Errorf("%w io.Copy: %v", errTarballNotFound, err)
return fmt.Errorf("%w io.Copy: %w", errTarballNotFound, err)
}
return nil
}
Expand All @@ -212,7 +212,7 @@ func (handler *tarballHandler) extractTarball() error {
}
gz, err := gzip.NewReader(in)
if err != nil {
return fmt.Errorf("%w: gzip.NewReader %v %v", errTarballCorrupted, handler.tempTarFile, err)
return fmt.Errorf("%w: gzip.NewReader %v %w", errTarballCorrupted, handler.tempTarFile, err)
}
tr := tar.NewReader(gz)
for {
Expand All @@ -221,7 +221,7 @@ func (handler *tarballHandler) extractTarball() error {
break
}
if err != nil {
return fmt.Errorf("%w tarReader.Next: %v", errTarballCorrupted, err)
return fmt.Errorf("%w tarReader.Next: %w", errTarballCorrupted, err)
}

switch header.Typeflag {
Expand Down Expand Up @@ -260,7 +260,7 @@ func (handler *tarballHandler) extractTarball() error {
// Potential for DoS vulnerability via decompression bomb.
// Since such an attack will only impact a single shard, ignoring this for now.
if _, err := io.Copy(outFile, tr); err != nil {
return fmt.Errorf("%w io.Copy: %v", errTarballCorrupted, err)
return fmt.Errorf("%w io.Copy: %w", errTarballCorrupted, err)
}
outFile.Close()
handler.files = append(handler.files,
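Review bot: The rewrapped line in the status-code switch, `return fmt.Errorf("%w io.Copy: %w", errTarballNotFound, err)`, reaches `%w` with `err` still nil because the preceding Do call succeeded, so the message gains a `%!w(<nil>)` and the real cause, the response status, is never recorded; `return fmt.Errorf("%w: unexpected status %d", errTarballNotFound, resp.StatusCode)` says what happened. Two other changed lines carry an `io.Copy` label that does not match the call they report on: the os.CreateTemp failure in getTarball and the http.DefaultClient.Do failure in apiFunction, which should read `fmt.Errorf("%w os.CreateTemp: %w", errTarballNotFound, err)` and `fmt.Errorf("%w http.Do: %w", errTarballNotFound, err)`. Copying a misleading label into the wrapped error makes a 404/400 response indistinguishable from a network or disk failure in logs, which matters when triaging why a repository could not be fetched. apiFunction begins outside the hunk, and getTarball and extractTarball continue outside theirs.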