Merge branch 'main' into pr/thepwagner/3354

Signed-off-by: Spencer Schrock <[email protected]>

.github/workflows/depsreview.yml

@@ -24,4 +24,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@f6fff72a3217f580d5afd49a46826795305b63c7
+        uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034

.github/workflows/docker.yml

@@ -40,7 +40,7 @@ jobs:
         fetch-depth: 2 # needed to diff changed files
     - id: files
       name: Get changed files
-      uses: tj-actions/changed-files@48566bbcc22ceb7c5809ebdd27377309f2c3de8c #v39.0.0
+      uses: tj-actions/changed-files@6ee9cdc5816333acda68e01cf12eedc619e28316 #v39.0.2
       with:
         files_ignore: '**.md'
     - id: docs_only_check

.github/workflows/gitlab.yml

@@ -52,7 +52,7 @@ jobs:
           echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
       - name: Cache builds
         # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 #v3.3.1
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
         with:
           path: |
             ${{ steps.go-cache-paths.outputs.go-build }}

.github/workflows/integration.yml

@@ -63,7 +63,7 @@ jobs:
           echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
       - name: Cache builds
         # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 #v3.3.1
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
         with:
           path: |
             ${{ steps.go-cache-paths.outputs.go-build }}

.github/workflows/main.yml

@@ -54,7 +54,7 @@ jobs:
         echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 #v3.3.1
+       uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
        with:
          path: |
           ${{ steps.go-cache-paths.outputs.go-build }}
@@ -106,7 +106,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+       uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
        with:
          path: |
            ~/go/pkg/mod
@@ -226,7 +226,7 @@ jobs:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+       uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
        with:
          path: |
            ~/go/pkg/mod
@@ -266,7 +266,7 @@ jobs:
 
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+       uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
        with:
          path: |
            ~/go/pkg/mod
@@ -313,7 +313,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Cache builds
        # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-       uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+       uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
        with:
          path: |
            ~/go/pkg/mod

.github/workflows/scorecard-analysis.yml

@@ -40,7 +40,7 @@ jobs:
       # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
       # Optional.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
         with:
           name: SARIF file
           path: results.sarif

.github/workflows/stale.yml

@@ -34,7 +34,7 @@ jobs:
     - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v3.0.18
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
-        stale-issue-message: 'Stale issue message'
+        stale-issue-message: 'Stale issue message - this issue will be closed in 7 days'
         stale-pr-message: 'Stale pull request message'
         stale-issue-label: 'no-issue-activity'
         exempt-issue-labels: 'priority,bug,good first issue'
@@ -43,3 +43,4 @@ jobs:
         days-before-pr-stale: '10'
         days-before-pr-close: '20'
         days-before-issue-stale: '60'
+        days-before-issue-close: '67'

README.md

@@ -1,7 +1,7 @@
 # OpenSSF Scorecard
 
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ossf/scorecard/badge)](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard)
-[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/5621/badge)](https://bestpractices.coreinfrastructure.org/projects/5621)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/5621/badge)](https://www.bestpractices.dev/projects/5621)
 ![build](https://github.com/ossf/scorecard/workflows/build/badge.svg?branch=main)
 ![CodeQL](https://github.com/ossf/scorecard/workflows/CodeQL/badge.svg?branch=main)
 [![Go Reference](https://pkg.go.dev/badge/github.com/ossf/scorecard/v4.svg)](https://pkg.go.dev/github.com/ossf/scorecard/v4)
@@ -472,7 +472,7 @@ Name        | Description                               | Risk Level | Token Req
 [Binary-Artifacts](docs/checks.md#binary-artifacts)             | Is the project free of checked-in binaries?     | High               | PAT, GITHUB_TOKEN   | Supported |
 [Branch-Protection](docs/checks.md#branch-protection)           | Does the project use [Branch Protection](https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/about-protected-branches) ?                                                                                                                                                                       | High | PAT (`repo` or `repo> public_repo`), GITHUB_TOKEN    | Supported (see notes) | certain settings are only supported with a maintainer PAT
 [CI-Tests](docs/checks.md#ci-tests)                             | Does the project run tests in CI, e.g. [GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions), [Prow](https://github.com/kubernetes/test-infra/tree/master/prow)?                                                                                                                                         | Low | PAT, GITHUB_TOKEN   | Supported
-[CII-Best-Practices](docs/checks.md#cii-best-practices)         | Has the project earned an [OpenSSF (formerly CII) Best Practices Badge](https://bestpractices.coreinfrastructure.org) at the passing, silver, or gold level?                                                                                                                                                                 | Low  | PAT, GITHUB_TOKEN   | Validating |
+[CII-Best-Practices](docs/checks.md#cii-best-practices)         | Has the project earned an [OpenSSF (formerly CII) Best Practices Badge](https://www.bestpractices.dev) at the passing, silver, or gold level?                                                                                                                                                                 | Low  | PAT, GITHUB_TOKEN   | Validating |
 [Code-Review](docs/checks.md#code-review)                       | Does the project practice code review before code is merged?                                                                                                                                                                                                                                                                 | High | PAT, GITHUB_TOKEN   | Validating |
 [Contributors](docs/checks.md#contributors)                     | Does the project have contributors from at least two different organizations?                                                                                                                                                                                                                                                | Low | PAT, GITHUB_TOKEN   | Validating |
 [Dangerous-Workflow](docs/checks.md#dangerous-workflow)         | Does the project avoid dangerous coding patterns in GitHub Action workflows?                                                                                                                                                                                                                                                 | Critical | PAT, GITHUB_TOKEN   | Unsupported |

checker/check_result.go

@@ -195,7 +195,7 @@ func CreateRuntimeErrorResult(name string, e error) CheckResult {
 }
 
 // LogFindings logs the list of findings.
-func LogFindings(findings []finding.Finding, dl DetailLogger) error {
+func LogFindings(findings []finding.Finding, dl DetailLogger) {
 	for i := range findings {
 		f := &findings[i]
 		switch f.Outcome {
@@ -213,6 +213,4 @@ func LogFindings(findings []finding.Finding, dl DetailLogger) error {
 			})
 		}
 	}
-
-	return nil
 }

checks/dependency_update_tool.go

@@ -20,6 +20,7 @@ import (
 	"github.com/ossf/scorecard/v4/checks/raw"
 	sce "github.com/ossf/scorecard/v4/errors"
 	"github.com/ossf/scorecard/v4/probes"
+	"github.com/ossf/scorecard/v4/probes/zrunner"
 )
 
 // CheckDependencyUpdateTool is the exported name for Automatic-Depdendency-Update.
@@ -49,12 +50,12 @@ func DependencyUpdateTool(c *checker.CheckRequest) checker.CheckResult {
 	pRawResults.DependencyUpdateToolResults = rawData
 
 	// Evaluate the probes.
-	findings, err := evaluateProbes(c, pRawResults, probes.DependencyToolUpdates)
+	findings, err := zrunner.Run(pRawResults, probes.DependencyToolUpdates)
 	if err != nil {
 		e := sce.WithMessage(sce.ErrScorecardInternal, err.Error())
 		return checker.CreateRuntimeErrorResult(CheckDependencyUpdateTool, e)
 	}
 
 	// Return the score evaluation.
-	return evaluation.DependencyUpdateTool(CheckDependencyUpdateTool, findings)
+	return evaluation.DependencyUpdateTool(CheckDependencyUpdateTool, findings, c.Dlogger)
 }

checks/dependency_update_tool_test.go

@@ -51,7 +51,7 @@ func TestDependencyUpdateTool(t *testing.T) {
 			CallSearchCommits: 0,
 			expected: scut.TestReturn{
 				NumberOfInfo: 1,
-				NumberOfWarn: 3,
+				NumberOfWarn: 0,
 				Score:        10,
 			},
 		},
@@ -64,7 +64,7 @@ func TestDependencyUpdateTool(t *testing.T) {
 			CallSearchCommits: 0,
 			expected: scut.TestReturn{
 				NumberOfInfo: 1,
-				NumberOfWarn: 3,
+				NumberOfWarn: 0,
 				Score:        10,
 			},
 		},
@@ -103,7 +103,7 @@ func TestDependencyUpdateTool(t *testing.T) {
 			CallSearchCommits: 1,
 			expected: scut.TestReturn{
 				NumberOfInfo: 1,
-				NumberOfWarn: 3,
+				NumberOfWarn: 0,
 				Score:        10,
 			},
 		},
@@ -118,7 +118,7 @@ func TestDependencyUpdateTool(t *testing.T) {
 			CallSearchCommits: 1,
 			expected: scut.TestReturn{
 				NumberOfInfo: 1,
-				NumberOfWarn: 3,
+				NumberOfWarn: 0,
 				Score:        10,
 			},
 		},
@@ -136,7 +136,7 @@ func TestDependencyUpdateTool(t *testing.T) {
 			CallSearchCommits: 1,
 			expected: scut.TestReturn{
 				NumberOfInfo: 1,
-				NumberOfWarn: 3,
+				NumberOfWarn: 0,
 				Score:        10,
 			},
 		},

checks/evaluation/dependency_update_tool.go

@@ -24,9 +24,10 @@ import (
 	"github.com/ossf/scorecard/v4/probes/toolSonatypeLiftInstalled"
 )
 
-// DependencyUpdateTool applies the score policy for the Dependency-Update-Tool check.
+// DependencyUpdateTool applies the score policy and logs the details
+// for the Dependency-Update-Tool check.
 func DependencyUpdateTool(name string,
-	findings []finding.Finding,
+	findings []finding.Finding, dl checker.DetailLogger,
 ) checker.CheckResult {
 	expectedProbes := []string{
 		toolDependabotInstalled.Probe,
@@ -42,9 +43,13 @@ func DependencyUpdateTool(name string,
 	for i := range findings {
 		f := &findings[i]
 		if f.Outcome == finding.OutcomePositive {
+			// Log all findings except the negative ones.
+			checker.LogFindings(nonNegativeFindings(findings), dl)
 			return checker.CreateMaxScoreResult(name, "update tool detected")
 		}
 	}
 
+	// Log all findings.
+	checker.LogFindings(findings, dl)
 	return checker.CreateMinScoreResult(name, "no update tool detected")
 }

checks/evaluation/dependency_update_tool_test.go

@@ -18,6 +18,7 @@ import (
 	"testing"
 
 	"github.com/ossf/scorecard/v4/checker"
+	sce "github.com/ossf/scorecard/v4/errors"
 	"github.com/ossf/scorecard/v4/finding"
 	scut "github.com/ossf/scorecard/v4/utests"
 )
@@ -28,9 +29,7 @@ func TestDependencyUpdateTool(t *testing.T) {
 	tests := []struct {
 		name     string
 		findings []finding.Finding
-		err      bool
-		want     checker.CheckResult
-		expected scut.TestReturn
+		result   scut.TestReturn
 	}{
 		{
 			name: "dependabot",
@@ -52,8 +51,9 @@ func TestDependencyUpdateTool(t *testing.T) {
 					Outcome: finding.OutcomeNegative,
 				},
 			},
-			want: checker.CheckResult{
-				Score: 10,
+			result: scut.TestReturn{
+				Score:        checker.MaxResultScore,
+				NumberOfInfo: 1,
 			},
 		},
 		{
@@ -76,8 +76,9 @@ func TestDependencyUpdateTool(t *testing.T) {
 					Outcome: finding.OutcomeNegative,
 				},
 			},
-			want: checker.CheckResult{
-				Score: 10,
+			result: scut.TestReturn{
+				Score:        checker.MaxResultScore,
+				NumberOfInfo: 1,
 			},
 		},
 		{
@@ -100,8 +101,9 @@ func TestDependencyUpdateTool(t *testing.T) {
 					Outcome: finding.OutcomeNegative,
 				},
 			},
-			want: checker.CheckResult{
-				Score: 10,
+			result: scut.TestReturn{
+				Score:        checker.MaxResultScore,
+				NumberOfInfo: 1,
 			},
 		},
 		{
@@ -128,8 +130,9 @@ func TestDependencyUpdateTool(t *testing.T) {
 					Outcome: finding.OutcomeNegative,
 				},
 			},
-			want: checker.CheckResult{
-				Score: 10,
+			result: scut.TestReturn{
+				Score:        checker.MaxResultScore,
+				NumberOfInfo: 1,
 			},
 		},
 		{
@@ -152,8 +155,9 @@ func TestDependencyUpdateTool(t *testing.T) {
 					Outcome: finding.OutcomeNegative,
 				},
 			},
-			want: checker.CheckResult{
-				Score: 0,
+			result: scut.TestReturn{
+				Score:        checker.MinResultScore,
+				NumberOfWarn: 4,
 			},
 		},
 		{
@@ -172,9 +176,9 @@ func TestDependencyUpdateTool(t *testing.T) {
 					Outcome: finding.OutcomeNegative,
 				},
 			},
-			err: true,
-			want: checker.CheckResult{
-				Score: -1,
+			result: scut.TestReturn{
+				Score: checker.InconclusiveResultScore,
+				Error: sce.ErrScorecardInternal,
 			},
 		},
 		{
@@ -201,8 +205,9 @@ func TestDependencyUpdateTool(t *testing.T) {
 					Outcome: finding.OutcomeNegative,
 				},
 			},
-			want: checker.CheckResult{
-				Score: -1,
+			result: scut.TestReturn{
+				Score: checker.InconclusiveResultScore,
+				Error: sce.ErrScorecardInternal,
 			},
 		},
 	}
@@ -211,13 +216,10 @@ func TestDependencyUpdateTool(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 
-			got := DependencyUpdateTool(tt.name, tt.findings)
-			if tt.want.Score != got.Score {
-				t.Errorf("DependencyUpdateTool() got Score = %v, want %v for %v", got.Score, tt.want.Score, tt.name)
-			}
-			if tt.err && got.Error == nil {
-				t.Errorf("DependencyUpdateTool() error = %v, want %v for %v", got.Error, tt.want.Error, tt.name)
-				return
+			dl := scut.TestDetailLogger{}
+			got := DependencyUpdateTool(tt.name, tt.findings, &dl)
+			if !scut.ValidateTestReturn(t, tt.name, &tt.result, &got, &dl) {
+				t.Errorf("got %v, expected %v", got, tt.result)
 			}
 		})
 	}

checks/evaluation/finding.go

@@ -0,0 +1,31 @@
+// Copyright 2023 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package evaluation
+
+import (
+	"github.com/ossf/scorecard/v4/finding"
+)
+
+func nonNegativeFindings(findings []finding.Finding) []finding.Finding {
+	var ff []finding.Finding
+	for i := range findings {
+		f := &findings[i]
+		if f.Outcome == finding.OutcomeNegative {
+			continue
+		}
+		ff = append(ff, *f)
+	}
+	return ff
+}