# From 4/10/2023 - 4/22/23

## Pull Requests Reviewed by Naveen Srinivasan

| # | Title | URL |
| --- | --- | --- |
| 1 | 🐛 Give inconclusive Vulnerabilities score when osv-scanner panics | https://github.com/ossf/scorecard/pull/2896 |
| 2 | :seedling: Bump github.com/moby/buildkit from 0.11.5 to 0.11.6 | https://github.com/ossf/scorecard/pull/2895 |
| 3 | :seedling: Bump codecov/codecov-action from 3.1.2 to 3.1.3 | https://github.com/ossf/scorecard/pull/2894 |
| 4 | 🐛 Reset stored error when handler is re-inited or setup is re-run. | https://github.com/ossf/scorecard/pull/2893 |
| 5 | :seedling: Bump github.com/otiai10/copy from 1.10.0 to 1.11.0 | https://github.com/ossf/scorecard/pull/2890 |
| 6 | :seedling: Bump step-security/harden-runner from 2.3.0 to 2.3.1 | https://github.com/ossf/scorecard/pull/2889 |
| 7 | :seedling: Bump github.com/goreleaser/goreleaser from 1.17.1 to 1.17.2 in /tools | https://github.com/ossf/scorecard/pull/2886 |
| 8 | :seedling: Bump github.com/go-openapi/runtime from 0.25.0 to 0.26.0 | https://github.com/ossf/scorecard-webapp/pull/372 |
| 9 | :seedling: Bump github.com/xanzy/go-gitlab from 0.82.0 to 0.83.0 | https://github.com/ossf/scorecard/pull/2884 |
| 10 | :seedling: Bump cloud.google.com/go/bigquery from 1.50.0 to 1.51.0 | https://github.com/ossf/scorecard/pull/2883 |
| 11 | :seedling: Bump github/codeql-action from 2.2.11 to 2.2.12 | https://github.com/ossf/scorecard-action/pull/1128 |
| 12 | :seedling: Bump actions/checkout from 3.5.0 to 3.5.2 | https://github.com/ossf/scorecard-action/pull/1127 |
| 13 | :seedling: Bump codecov/codecov-action from 3.1.1 to 3.1.2 | https://github.com/ossf/scorecard-action/pull/1126 |
| 14 | 🌱 Disable auto-fix in golangci-lint config and re-enable linter in CI. | https://github.com/ossf/scorecard-webapp/pull/371 |
| 15 | Bump ua-parser-js from 0.7.31 to 0.7.35 in /scorecards-site | https://github.com/ossf/scorecard-webapp/pull/369 |
| 16 | :seedling: Unit test for Contributors | https://github.com/ossf/scorecard/pull/2881 |
| 17 | :seedling: Bump github.com/goreleaser/goreleaser from 1.17.0 to 1.17.1 in /tools | https://github.com/ossf/scorecard/pull/2880 |
| 18 | :seedling: Bump golang from `25de7b6` to `403f486` in /cron/internal/cii | https://github.com/ossf/scorecard/pull/2879 |
| 19 | :seedling: Bump golang from `25de7b6` to `403f486` in /cron/internal/worker | https://github.com/ossf/scorecard/pull/2878 |
| 20 | :seedling: Bump golang from `25de7b6` to `403f486` in /cron/internal/webhook | https://github.com/ossf/scorecard/pull/2877 |
| 21 | :seedling: Bump distroless/base from `4b22ca3` to `e406b1d` in /clients/githubrepo/roundtripper/tokens/server | https://github.com/ossf/scorecard/pull/2876 |
| 22 | :seedling: Bump golang from `25de7b6` to `403f486` in /cron/internal/controller | https://github.com/ossf/scorecard/pull/2875 |
| 23 | :seedling: Bump golang from `ea3d912` to `403f486` in /clients/githubrepo/roundtripper/tokens/server | https://github.com/ossf/scorecard/pull/2874 |
| 24 | :seedling: Bump golang from `25de7b6` to `403f486` in /cron/internal/bq | https://github.com/ossf/scorecard/pull/2873 |
| 25 | :seedling: Bump golang from `25de7b6` to `403f486` | https://github.com/ossf/scorecard/pull/2872 |
| 26 | :seedling: Included unit tests for CII Best practices | https://github.com/ossf/scorecard/pull/2870 |
| 27 | :seedling: Bump actions/checkout from 3.5.1 to 3.5.2 | https://github.com/ossf/scorecard/pull/2869 |
| 28 | :seedling: Bump github/codeql-action from 2.2.11 to 2.2.12 | https://github.com/ossf/scorecard/pull/2868 |
| 29 | :seedling: Bump github.com/rs/cors from 1.8.3 to 1.9.0 | https://github.com/ossf/scorecard-webapp/pull/368 |
| 30 | :seedling: Bump github/codeql-action from 2.2.7 to 2.2.12 | https://github.com/ossf/scorecard-webapp/pull/367 |
| 31 | :seedling: Bump actions/checkout from 3.4.0 to 3.5.2 | https://github.com/ossf/scorecard-webapp/pull/366 |
| 32 | :seedling: Bump actions/checkout from 3.5.0 to 3.5.1 | https://github.com/ossf/scorecard/pull/2864 |
| 33 | :seedling: Bump tj-actions/changed-files from 35.7.12 to 35.8.0 | https://github.com/ossf/scorecard/pull/2863 |
| 34 | :seedling: Bump github.com/spf13/cobra from 1.6.1 to 1.7.0 | https://github.com/ossf/scorecard/pull/2862 |
| 35 | :seedling: Bump github.com/Masterminds/semver/v3 from 3.2.0 to 3.2.1 | https://github.com/ossf/scorecard/pull/2861 |
| 36 | :seedling: Bump github.com/xanzy/go-gitlab from 0.81.0 to 0.82.0 | https://github.com/ossf/scorecard/pull/2856 |
| 37 | :seedling: Bump golang.org/x/tools from 0.7.0 to 0.8.0 | https://github.com/ossf/scorecard/pull/2855 |
| 38 | :seedling: Bump codecov/codecov-action from 3.1.0 to 3.1.2 | https://github.com/ossf/scorecard/pull/2854 |
| 39 | :seedling: Unit tests for checker/detail_logger_impl | https://github.com/ossf/scorecard/pull/2852 |
| 40 | :seedling: Unit Tests for checker/client | https://github.com/ossf/scorecard/pull/2851 |
| 41 | :seedling: Bump github.com/goreleaser/goreleaser from 1.16.2 to 1.17.0 in /tools | https://github.com/ossf/scorecard/pull/2849 |
| 42 | :seedling: Bump github.com/otiai10/copy from 1.9.0 to 1.10.0 | https://github.com/ossf/scorecard/pull/2848 |
| 43 | :seedling: Bump github.com/bradleyfalzon/ghinstallation/v2 from 2.2.0 to 2.3.0 | https://github.com/ossf/scorecard/pull/2847 |
| 44 | :seedling: Bump step-security/harden-runner from 2.2.1 to 2.3.0 | https://github.com/ossf/scorecard-action/pull/1123 |
| 45 | :seedling: Bump github/codeql-action from 2.2.7 to 2.2.11 | https://github.com/ossf/scorecard-action/pull/1122 |
| 46 | :seedling: Unit tests for checker result and request | https://github.com/ossf/scorecard/pull/2844 |
| 47 | :seedling: Bump sigstore/cosign-installer from 3.0.1 to 3.0.2 | https://github.com/ossf/scorecard/pull/2842 |

## Pull Requests Created by Naveen Srinivasan

| # | Title | URL |
| --- | --- | --- |
| 1 | :seedling: Unit tests for checks/evaluation/packaging.go | https://github.com/ossf/scorecard/pull/2891 |
| 2 | :seedling: Unit tests checks/evaluation/maintained.go | https://github.com/ossf/scorecard/pull/2887 |
| 3 | :seedling: Unit tests for checks/evaluation/license.go | https://github.com/ossf/scorecard/pull/2885 |
| 4 | Fixing the failing builds | https://github.com/ossf/scorecard-webapp/pull/370 |
| 5 | :seedling: Unit test for Contributors | https://github.com/ossf/scorecard/pull/2881 |
| 6 | :seedling: Included unit tests for CII Best practices | https://github.com/ossf/scorecard/pull/2870 |
| 7 | :seedling: Unit tests Fuzzing Checker | https://github.com/ossf/scorecard/pull/2867 |
| 8 | :seedling: Unit tests for dangerous workflows | https://github.com/ossf/scorecard/pull/2866 |
| 9 | :seedling: Unit tests for attestor policy | https://github.com/ossf/scorecard/pull/2857 |
| 10 | :seedling: Unit tests for checker/detail_logger_impl | https://github.com/ossf/scorecard/pull/2852 |
| 11 | :seedling: Unit Tests for checker/client | https://github.com/ossf/scorecard/pull/2851 |
| 12 | :seedling: Unit tests for checker result and request | https://github.com/ossf/scorecard/pull/2844 |

## Issues Labeled or Updated by Naveen Srinivasan

| # | Title | URL |
| --- | --- | --- |
| 1 | Dependabot link in alert is 404, and false positive | [https://github.com/ossf/scorecard/issues/1903](https://github.com/ossf/scorecard/issues/1903) |
| 2 | Bug Fix Request: Re-enable 3 checks in cron job | [https://github.com/ossf/scorecard/issues/1916](https://github.com/ossf/scorecard/issues/1916) |
| 3 | BUG: False negative CI-Test on androidx repo | [https://github.com/ossf/scorecard/issues/1921](https://github.com/ossf/scorecard/issues/1921) |
| 4 | :bug: BUG found in the Security-Policy unit test & more testcases are needed | [https://github.com/ossf/scorecard/issues/1954](https://github.com/ossf/scorecard/issues/1954) |
| 5 | Using Scorecard GitHub Action reduces the Token-Permissions score | [https://github.com/ossf/scorecard/issues/2152](https://github.com/ossf/scorecard/issues/2152) |
| 6 | BUG: Scorecard does not penalize unpinned third party actions in local composite / docker actions | [https://github.com/ossf/scorecard/issues/2189](https://github.com/ossf/scorecard/issues/2189) |
| 7 | BUG: Fuzzing check mismatch repo name in OSS-Fuzz list | [https://github.com/ossf/scorecard/issues/2325](https://github.com/ossf/scorecard/issues/2325) |
| 8 | Binary Artifact detection gradle-wrapper.jar Incorrect logic | [https://github.com/ossf/scorecard/issues/2357](https://github.com/ossf/scorecard/issues/2357) |
| 9 | BUG - "403 The history or contributor list is too large to list contributors for this repository via the API" | [https://github.com/ossf/scorecard/issues/2372](https://github.com/ossf/scorecard/issues/2372) |
| 10 | ? values in default ASCII table format are translated to -1 in JSON format | [https://github.com/ossf/scorecard/issues/2425](https://github.com/ossf/scorecard/issues/2425) |
| 11 | Gradle wrapper action check for binary artifact exception does not recognize actions pinned by hash | [https://github.com/ossf/scorecard/issues/2477](https://github.com/ossf/scorecard/issues/2477) |
| 12 | BUG: False negative for Security Policy check on [Laravel](https://github.com/laravel/framework) project | [https://github.com/ossf/scorecard/issues/2489](https://github.com/ossf/scorecard/issues/2489) |
| 13 | "dependency not pinned by hash detected -- score normalized to 5" does not distinguish dev-time dependencies | [https://github.com/ossf/scorecard/issues/2518](https://github.com/ossf/scorecard/issues/2518) |
| 14 | BUG: Scorecards fails to detect publishing workflow for Elixir | [https://github.com/ossf/scorecard/issues/2564](https://github.com/ossf/scorecard/issues/2564) |
| 15 | Missing pin-by-hash in requirements.txt (python) not recognized | [https://github.com/ossf/scorecard/issues/2602](https://github.com/ossf/scorecard/issues/2602) |
| 16 | Scorecard attestor: add policy for CI-Tests that have passed | [https://github.com/ossf/scorecard/issues/2717](https://github.com/ossf/scorecard/issues/2717) |
| 17 | BUG - Publish image is broken | [https://github.com/ossf/scorecard/issues/2726](https://github.com/ossf/scorecard/issues/2726) |
| 18 | BUG OSS-Fuzz does not detect multiple repos fuzzed under a project | [https://github.com/ossf/scorecard/issues/2745](https://github.com/ossf/scorecard/issues/2745) |
| 19 | BUG: CI-Tests doesn't detect all recent PRs in a repo | [https://github.com/ossf/scorecard/issues/2750](https://github.com/ossf/scorecard/issues/2750) |
| 20 | BUG: checks Signed-Releases and Packaging returning ? when the repo actually has releases on GitHub | [https://github.com/ossf/scorecard/issues/2763](https://github.com/ossf/scorecard/issues/2763) |
| 21 | Provide some way for smaller Javascript projects to pass the Fuzzing check | [https://github.com/ossf/scorecard/issues/2792](https://github.com/ossf/scorecard/issues/2792) |
| 22 | BUG (?): Large changes to Code-Review scores between 4.10.2 and 4.10.5 | [https://github.com/ossf/scorecard/issues/2812](https://github.com/ossf/scorecard/issues/2812) |
| 23 | Feature: Recognize Kokoro for CI-Tests check | [https://github.com/ossf/scorecard/issues/2819](https://github.com/ossf/scorecard/issues/2819) |
| 24 | Use the presence of property-based testing in Haskell to detect fuzzing | [https://github.com/ossf/scorecard/issues/2830](https://github.com/ossf/scorecard/issues/2830) |
| 25 | Feature: clarify meaning of Dangerous Workflow | [https://github.com/ossf/scorecard/issues/2831](https://github.com/ossf/scorecard/issues/2831) |
| 26 | haskell-actions/hlint-scan is not considered a code scanning action | [https://github.com/ossf/scorecard/issues/2840](https://github.com/ossf/scorecard/issues/2840) |
| 27 | Separate scanning alerts for vulnerabilities | [https://github.com/ossf/scorecard/issues/2841](https://github.com/ossf/scorecard/issues/2841) |
| 28 | BUG: Scoring Dependecy-Update-Tool when there isn't file-based evidence | [https://github.com/ossf/scorecard/issues/2845](https://github.com/ossf/scorecard/issues/2845) |
| 29 | Feature: Token-Permissions should ignore on: pull_request workflows | [https://github.com/ossf/scorecard/issues/2850](https://github.com/ossf/scorecard/issues/2850) |
| 30 | BUG: docker-compose file with YAML directive breaking | [https://github.com/ossf/scorecard/issues/2853](https://github.com/ossf/scorecard/issues/2853) |
| 31 | Feature: Add support for Nuget commands which use lock files | [https://github.com/ossf/scorecard/issues/2865](https://github.com/ossf/scorecard/issues/2865) |
| 32 | Feature: Decrease score of Dependency-Update Tool check if dependabot is not configured to run on GitHub Actions | [https://github.com/ossf/scorecard/issues/2888](https://github.com/ossf/scorecard/issues/2888) |
| 33 | e2e tests: use ginkgo's --flake-attempts flag instead of nick-invision/retry | [https://github.com/ossf/scorecard/issues/2897](https://github.com/ossf/scorecard/issues/2897) |