Merge branch 'main' into dependabot/github_actions/actions/setup-go-5

Signed-off-by: Jeff Mendoza <jlm@jlm.name>

.github/workflows/postmerge.yaml

@@ -10,7 +10,7 @@ jobs:
   codeql:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - uses: github/codeql-action/init@v2
       with:
         languages: go
@@ -19,7 +19,7 @@ jobs:
   scorecard:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - uses: ossf/scorecard-action@v2.1.3
       with:
         results_file: results.sarif

.github/workflows/pr.yaml

@@ -6,7 +6,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - uses: actions/setup-go@v5
       with:
         go-version: '1.20'
@@ -17,7 +17,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - uses: actions/setup-go@v5
       with:
         go-version: '1.20'
@@ -26,7 +26,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - uses: actions/setup-go@v5
       with:
         go-version: '1.20'
@@ -36,5 +36,5 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/dependency-review-action@v3

.github/workflows/release.yaml

@@ -14,14 +14,14 @@ jobs:
   release:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@v4 # v3.5.2
 
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: '1.20'
           check-latest: true
 
-      - uses: sigstore/cosign-installer@dd6b2e2b610a11fd73dd187a43d57cc1394e35f9 # v3.0.5
+      - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
 
       - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
 

cmd/allstar/main.go

@@ -62,6 +62,8 @@ func main() {
 	specificPolicyArg := flag.String("policy", "", fmt.Sprintf("Run a specific policy check. Supported policies: %s", supportedPoliciesMsg))
 	specificRepoArg := flag.String("repo", "", "Run on a specific \"owner/repo\". For example \"ossf/allstar\"")
 
+	numWorkersArg := flag.Int("workers", 5, "maximum number of active goroutines for Allstar scans")
+
 	flag.Parse()
 
 	if *specificPolicyArg != "" {
@@ -81,7 +83,7 @@ func main() {
 	}
 
 	if runOnce {
-		_, err := enforce.EnforceAll(ctx, ghc, *specificPolicyArg, *specificRepoArg)
+		_, err := enforce.EnforceAll(ctx, ghc, *specificPolicyArg, *specificRepoArg, *numWorkersArg)
 		if err != nil {
 			log.Fatal().
 				Err(err).
@@ -94,7 +96,7 @@ func main() {
 		go func() {
 			defer wg.Done()
 			log.Info().
-				Err(enforce.EnforceJob(ctx, ghc, (5 * time.Minute), *specificPolicyArg, *specificRepoArg)).
+				Err(enforce.EnforceJob(ctx, ghc, (5 * time.Minute), *specificPolicyArg, *specificRepoArg, *numWorkersArg)).
 				Msg("Enforce job shutting down.")
 		}()
 		sigs := make(chan os.Signal, 1)

go.mod

@@ -4,18 +4,19 @@ go 1.16
 
 require (
 	github.com/Masterminds/semver/v3 v3.2.1
-	github.com/bradleyfalzon/ghinstallation/v2 v2.4.0
+	github.com/bradleyfalzon/ghinstallation/v2 v2.7.0
 	github.com/evanphx/json-patch v5.6.0+incompatible
 	github.com/gobwas/glob v0.2.3
+	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/google/go-cmp v0.5.9
 	github.com/google/go-github/v50 v50.2.0
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79
 	github.com/matryer/is v1.4.0 // indirect
-	github.com/ossf/scorecard/v4 v4.10.5
-	github.com/rhysd/actionlint v1.6.24
+	github.com/ossf/scorecard/v4 v4.13.0
+	github.com/rhysd/actionlint v1.6.26
 	github.com/rs/zerolog v1.29.1
 	github.com/shurcooL/githubv4 v0.0.0-20210725200734-83ba7b4c9228
-	gocloud.dev v0.29.0
-	golang.org/x/sync v0.2.0
+	gocloud.dev v0.34.0
+	golang.org/x/sync v0.3.0
 	sigs.k8s.io/yaml v1.3.0
 )

pkg/enforce/enforce.go

@@ -67,7 +67,7 @@ func init() {
 //
 // TBD: determine if this should remain exported, or if it will only be called
 // from EnforceJob.
-func EnforceAll(ctx context.Context, ghc ghclients.GhClientsInterface, specificPolicyArg string, specificRepoArg string) (EnforceAllResults, error) {
+func EnforceAll(ctx context.Context, ghc ghclients.GhClientsInterface, specificPolicyArg string, specificRepoArg string, numWorkersArg int) (EnforceAllResults, error) {
 	var repoCount int
 	var enforceAllResults = make(EnforceAllResults)
 	ac, err := ghc.Get(0)
@@ -85,7 +85,7 @@ func EnforceAll(ctx context.Context, ghc ghclients.GhClientsInterface, specificP
 		Msg("Enforcing policies on installations.")
 
 	g, ctx := errgroup.WithContext(ctx)
-	g.SetLimit(5)
+	g.SetLimit(numWorkersArg)
 	var mu sync.Mutex
 
 	for _, i := range insts {
@@ -302,9 +302,9 @@ func getAppInstallationReposReal(ctx context.Context, ic *github.Client) ([]*git
 
 // EnforceJob is a reconciliation job that enforces policies on all repos every
 // d duration. It runs forever until the context is done.
-func EnforceJob(ctx context.Context, ghc *ghclients.GHClients, d time.Duration, specificPolicyArg string, specificRepoArg string) error {
+func EnforceJob(ctx context.Context, ghc *ghclients.GHClients, d time.Duration, specificPolicyArg string, specificRepoArg string, numWorkersArg int) error {
 	for {
-		_, err := EnforceAll(ctx, ghc, specificPolicyArg, specificRepoArg)
+		_, err := EnforceAll(ctx, ghc, specificPolicyArg, specificRepoArg, numWorkersArg)
 		if err != nil {
 			log.Error().
 				Err(err).

pkg/enforce/enforce_test.go

@@ -549,7 +549,8 @@ func TestEnforceAll(t *testing.T) {
 			policy1Results = test.Policy1Results
 			policy2Results = test.Policy2Results
 
-			enforceAllResults, err := EnforceAll(context.Background(), mockGhc, "", "")
+			numWorkers := 1
+			enforceAllResults, err := EnforceAll(context.Background(), mockGhc, "", "", numWorkers)
 			if err != nil {
 				t.Fatalf("Unexpected error: %v", err)
 			}
@@ -581,15 +582,16 @@ func TestSuspendedEnforce(t *testing.T) {
 	}
 	suspended = false
 	gaicalled = false
-	if _, err := EnforceAll(context.Background(), &MockGhClients{}, "", ""); err != nil {
+	numWorkers := 1
+	if _, err := EnforceAll(context.Background(), &MockGhClients{}, "", "", numWorkers); err != nil {
 		t.Fatalf("Unexpected error: %v", err)
 	}
 	if !gaicalled {
 		t.Errorf("Expected getAppInstallationRepos() to be called, but wasn't")
 	}
 	suspended = true
 	gaicalled = false
-	if _, err := EnforceAll(context.Background(), &MockGhClients{}, "", ""); err != nil {
+	if _, err := EnforceAll(context.Background(), &MockGhClients{}, "", "", numWorkers); err != nil {
 		t.Fatalf("Unexpected error: %v", err)
 	}
 	if gaicalled {

pkg/policies/scorecard/scorecard.go

@@ -230,7 +230,7 @@ func convertLogs(logs []checker.CheckDetail) []string {
 			if l.Msg.Finding.Location == nil {
 				s = append(s, fmt.Sprintf("%v", l.Msg.Finding.Message))
 			} else {
-				s = append(s, fmt.Sprintf("%v[%v]:%v", l.Msg.Finding.Location.Value, *l.Msg.Finding.Location.LineStart, l.Msg.Finding.Message))
+				s = append(s, fmt.Sprintf("%v[%v]:%v", *l.Msg.Finding.Location.Snippet, *l.Msg.Finding.Location.LineStart, l.Msg.Finding.Message))
 			}
 		} else {
 			s = append(s, fmt.Sprintf("%v[%v]:%v", l.Msg.Path, l.Msg.Offset, l.Msg.Text))

pkg/policies/workflow/workflow.go

@@ -136,7 +136,7 @@ func (b Workflow) Check(ctx context.Context, c *github.Client, owner,
 	}
 
 	logs := convertLogs(l.Flush())
-	pass := res.Score >= checker.MaxResultScore
+	pass := res.Score >= checker.MaxResultScore || res.Score == checker.InconclusiveResultScore
 	var notify string
 	if !pass {
 		notify = fmt.Sprintf(`Project is out of compliance with Dangerous Workflow policy: %v

pkg/scorecard/scorecard.go

@@ -36,7 +36,7 @@ type ScClient struct {
 	ScRepoClient clients.RepoClient
 }
 
-var scClients map[string]*ScClient
+var scClients map[string]*ScClient = make(map[string]*ScClient)
 var mMutex sync.RWMutex
 
 const defaultGitRef = "HEAD"
@@ -53,26 +53,16 @@ func init() {
 // exist. The github repo is initialized, which means the tarball is
 // downloaded.
 func Get(ctx context.Context, fullRepo string, tr http.RoundTripper) (*ScClient, error) {
-	mMutex.RLock()
-	if scClients == nil {
-		mMutex.RUnlock()
-		mMutex.Lock()
-		scClients = make(map[string]*ScClient)
-		mMutex.Unlock()
-	} else {
-		mMutex.RUnlock()
-	}
-	mMutex.RLock()
+	mMutex.Lock()
 	if scc, ok := scClients[fullRepo]; ok {
-		mMutex.RUnlock()
+		mMutex.Unlock()
 		return scc, nil
 	}
-	mMutex.RUnlock()
 	scc, err := create(ctx, fullRepo, tr)
 	if err != nil {
+		mMutex.Unlock()
 		return nil, err
 	}
-	mMutex.Lock()
 	scClients[fullRepo] = scc
 	mMutex.Unlock()
 	return scc, nil
@@ -81,18 +71,13 @@ func Get(ctx context.Context, fullRepo string, tr http.RoundTripper) (*ScClient,
 // Function Close will close the scorecard clients. This cleans up the
 // downloaded tarball.
 func Close(fullRepo string) {
-	mMutex.RLock()
-	if scClients == nil {
-		mMutex.RUnlock()
-		return
-	}
+	mMutex.Lock()
 	scc, ok := scClients[fullRepo]
-	mMutex.RUnlock()
 	if !ok {
+		mMutex.Unlock()
 		return
 	}
 	scc.ScRepoClient.Close()
-	mMutex.Lock()
 	delete(scClients, fullRepo)
 	mMutex.Unlock()
 }