# From 4/22/2023 - 5/22/23

## Code Coverage

https://app.codecov.io/gh/ossf/scorecard?trend=2%20months

In the last 6 weeks, the code coverage went up from 49% to 58%.

## Pull Requests Reviewed by Naveen Srinivasan

| # | Title | URL |
| --- | --- | --- |
| 1 | :seedling: Bump github.com/google/go-containerregistry from 0.15.1 to 0.15.2 | https://github.com/ossf/scorecard/pull/3025 |
| 2 | :seedling: Bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1 | https://github.com/ossf/scorecard/pull/3024 |
| 3 | :seedling: Bump sigstore/cosign-installer from 3.0.3 to 3.0.4 | https://github.com/ossf/scorecard/pull/3023 |
| 4 | :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 in /tools | https://github.com/ossf/scorecard/pull/3017 |
| 5 | :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 | https://github.com/ossf/scorecard/pull/3016 |
| 6 | :seedling: Bump codecov/codecov-action from 3.1.3 to 3.1.4 | https://github.com/ossf/scorecard/pull/3015 |
| 7 | :seedling: Bump actions/setup-go from 4.0.0 to 4.0.1 | https://github.com/ossf/scorecard/pull/3014 |
| 8 | :seedling: Bump codecov/codecov-action from 3.1.3 to 3.1.4 | https://github.com/ossf/scorecard-action/pull/1147 |
| 9 | :seedling: Bump actions/setup-go from 4.0.0 to 4.0.1 | https://github.com/ossf/scorecard-action/pull/1146 |
| 10 | :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 | https://github.com/ossf/scorecard-webapp/pull/392 |
| 11 | :seedling: Bump actions/setup-go from 4.0.0 to 4.0.1 | https://github.com/ossf/scorecard-webapp/pull/391 |
| 12 | :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/cii | https://github.com/ossf/scorecard/pull/3011 |
| 13 | :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/bq | https://github.com/ossf/scorecard/pull/3010 |
| 14 | :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/controller | https://github.com/ossf/scorecard/pull/3009 |
| 15 | :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/webhook | https://github.com/ossf/scorecard/pull/3008 |
| 16 | :seedling: Bump golang from `31a8f92` to `685a22e` in /clients/githubrepo/roundtripper/tokens/server | https://github.com/ossf/scorecard/pull/3007 |
| 17 | :seedling: Bump golang from `31a8f92` to `685a22e` in /cron/internal/worker | https://github.com/ossf/scorecard/pull/3006 |
| 18 | :seedling: Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 | https://github.com/ossf/scorecard/pull/3005 |
| 19 | :seedling: Bump golang from `31a8f92` to `685a22e` | https://github.com/ossf/scorecard/pull/3004 |
| 20 | :seedling: Unit tests for Policy.go | https://github.com/ossf/scorecard/pull/3003 |
| 21 | :seedling: Included directories that don't require coverage | https://github.com/ossf/scorecard/pull/3002 |
| 22 | :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go | https://github.com/ossf/scorecard/pull/3000 |
| 23 | :seedling: Bump slsa-framework/slsa-verifier from 2.2.0 to 2.3.0 | https://github.com/ossf/scorecard/pull/2997 |
| 24 | :seedling: Bump github.com/cloudflare/circl from 1.2.0 to 1.3.3 in /tools | https://github.com/ossf/scorecard/pull/2995 |
| 25 | :seedling: Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 | https://github.com/ossf/scorecard/pull/2994 |
| 26 | :seedling: Bump slsa-framework/slsa-github-generator from 1.5.0 to 1.6.0 | https://github.com/ossf/scorecard/pull/2990 |
| 27 | :bug: Skip cosign confirmation prompt when publishing scorecard results. | https://github.com/ossf/scorecard-action/pull/1143 |
| 28 | :seedling: Bump golang from `31a8f92` to `685a22e` | https://github.com/ossf/scorecard-webapp/pull/390 |
| 29 | 🐛 Tests: Fix condition for Branch E2E Test | https://github.com/ossf/scorecard/pull/2987 |
| 30 | :seedling: Bump cloud.google.com/go/bigquery from 1.51.1 to 1.51.2 | https://github.com/ossf/scorecard/pull/2984 |
| 31 | :seedling: Bump golang.org/x/tools from 0.9.0 to 0.9.1 | https://github.com/ossf/scorecard/pull/2983 |
| 32 | :seedling: Unit tests log/log.go | https://github.com/ossf/scorecard/pull/2980 |
| 33 | bump cosign to v2.0.2 and use v2 golang module | https://github.com/ossf/scorecard-action/pull/1140 |
| 34 | :seedling: Bump golang.org/x/tools from 0.8.0 to 0.9.0 | https://github.com/ossf/scorecard/pull/2976 |
| 35 | :seedling: Bump github/codeql-action from 2.3.2 to 2.3.3 | https://github.com/ossf/scorecard-action/pull/1139 |
| 36 | :seedling: Bump step-security/harden-runner from 2.3.1 to 2.4.0 | https://github.com/ossf/scorecard-action/pull/1138 |
| 37 | :seedling: Bump golang.org/x/net from 0.9.0 to 0.10.0 | https://github.com/ossf/scorecard-action/pull/1137 |
| 38 | :seedling: Unit tests for checks/evaluation/pinned_dependencies.go | https://github.com/ossf/scorecard/pull/2975 |
| 39 | :seedling: Bump golang from `403f486` to `31a8f92` in /cron/internal/cii | https://github.com/ossf/scorecard/pull/2974 |
| 40 | :seedling: Bump github.com/goreleaser/goreleaser from 1.18.1 to 1.18.2 in /tools | https://github.com/ossf/scorecard/pull/2973 |
| 41 | :seedling: Bump golang from `403f486` to `31a8f92` in /cron/internal/bq | https://github.com/ossf/scorecard/pull/2972 |
| 42 | :seedling: Bump golang from `403f486` to `31a8f92` in /cron/internal/worker | https://github.com/ossf/scorecard/pull/2971 |
| 43 | :seedling: Bump golang from `403f486` to `31a8f92` in /cron/internal/controller | https://github.com/ossf/scorecard/pull/2970 |
| 44 | :seedling: Bump distroless/base from `e406b1d` to `10985f0` in /clients/githubrepo/roundtripper/tokens/server | https://github.com/ossf/scorecard/pull/2969 |
| 45 | :seedling: Bump golang from `403f486` to `31a8f92` in /clients/githubrepo/roundtripper/tokens/server | https://github.com/ossf/scorecard/pull/2968 |
| 46 | :seedling: Bump github.com/google/go-containerregistry from 0.12.1 to 0.15.1 | https://github.com/ossf/scorecard/pull/2966 |
| 47 | :seedling: Bump golang from `403f486` to `31a8f92` in /cron/internal/webhook | https://github.com/ossf/scorecard/pull/2967 |
| 48 | :seedling: Bump golang from `403f486` to `31a8f92` | https://github.com/ossf/scorecard/pull/2965 |
| 49 | :book: Capitalize proper nouns like Dependabot, Renovate, and GitHub | https://github.com/ossf/scorecard/pull/2962 |
| 50 | :seedling: Bump github.com/transparency-dev/merkle from 0.0.1 to 0.0.2 | https://github.com/ossf/scorecard-webapp/pull/388 |
| 51 | :seedling: Bump golang from `4dd688d` to `31a8f92` | https://github.com/ossf/scorecard-webapp/pull/387 |
| 52 | 🐛 Add npm installs to Pinned-Dependencies score | https://github.com/ossf/scorecard/pull/2960 |
| 53 | :seedling: Bump github.com/goreleaser/goreleaser from 1.17.2 to 1.18.1 in /tools | https://github.com/ossf/scorecard/pull/2959 |
| 54 | :seedling: Bump cloud.google.com/go/bigquery from 1.51.0 to 1.51.1 | https://github.com/ossf/scorecard/pull/2958 |
| 55 | :seedling: Bump step-security/harden-runner from 2.3.0 to 2.4.0 | https://github.com/ossf/scorecard/pull/2957 |
| 56 | :seedling: Bump github/codeql-action from 2.3.2 to 2.3.3 | https://github.com/ossf/scorecard/pull/2956 |
| 57 | :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.3 to 2.9.4 | https://github.com/ossf/scorecard-webapp/pull/386 |
| 58 | :seedling: Bump golang from `039d15b` to `4dd688d` | https://github.com/ossf/scorecard-webapp/pull/385 |
| 59 | :seedling: Bump github/codeql-action from 2.3.2 to 2.3.3 | https://github.com/ossf/scorecard-webapp/pull/384 |
| 60 | :seedling: Included e2e tests for push to main | https://github.com/ossf/scorecard/pull/2951 |
| 61 | :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.3 to 2.9.4 in /tools | https://github.com/ossf/scorecard/pull/2949 |
| 62 | :seedling: Bump cloud.google.com/go/pubsub from 1.30.0 to 1.30.1 | https://github.com/ossf/scorecard/pull/2948 |
| 63 | :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.3 to 2.9.4 | https://github.com/ossf/scorecard/pull/2947 |
| 64 | :seedling: Bump github.com/sigstore/rekor from 0.12.1-0.20220915152154-4bb6f441c1b2 to 1.1.1 | https://github.com/ossf/scorecard-action/pull/1136 |
| 65 | :seedling: Bump github.com/sigstore/rekor from 1.0.1 to 1.1.1 in /tools | https://github.com/ossf/scorecard/pull/2943 |
| 66 | :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.2 to 2.9.3 | https://github.com/ossf/scorecard-webapp/pull/383 |
| 67 | :seedling: Bump golang from 1.19.5 to 1.20.4 | https://github.com/ossf/scorecard-webapp/pull/382 |
| 68 | :seedling: E2E for clients/githubrepo/contributors.go | https://github.com/ossf/scorecard/pull/2939 |
| 69 | :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.2 to 2.9.3 in /tools | https://github.com/ossf/scorecard/pull/2938 |
| 70 | :seedling: Bump github.com/onsi/ginkgo/v2 from 2.9.2 to 2.9.3 | https://github.com/ossf/scorecard/pull/2937 |
| 71 | :bug: Add nil check before accessing a step's uses value. | https://github.com/ossf/scorecard/pull/2935 |
| 72 | :seedling: Additional e2e clients/githubrepo/checkruns.go | https://github.com/ossf/scorecard/pull/2934 |
| 73 | :seedling: Bump tj-actions/changed-files from 35.9.1 to 35.9.2 | https://github.com/ossf/scorecard/pull/2933 |
| 74 | :seedling: Bump distroless/base from `e711a71` to `df13a91` | https://github.com/ossf/scorecard-action/pull/1135 |
| 75 | :seedling: Bump github/codeql-action from 2.3.0 to 2.3.2 | https://github.com/ossf/scorecard-action/pull/1134 |
| 76 | :seedling: Bump slsa-framework/slsa-verifier from 2.1.0 to 2.2.0 | https://github.com/ossf/scorecard/pull/2930 |
| 77 | :seedling: Bump tj-actions/changed-files from 35.9.0 to 35.9.1 | https://github.com/ossf/scorecard/pull/2925 |
| 78 | :seedling: Bump github/codeql-action from 2.3.1 to 2.3.2 | https://github.com/ossf/scorecard/pull/2924 |
| 79 | :seedling: Bump github/codeql-action from 2.3.0 to 2.3.2 | https://github.com/ossf/scorecard-webapp/pull/381 |
| 80 | 📖 Add new frequently asked question to FAQ | https://github.com/ossf/scorecard/pull/2923 |
| 81 | 🐛 Add pip installs to Pinned-Dependencies score | https://github.com/ossf/scorecard/pull/2922 |
| 82 | :seedling: Unit tests checks/evaluation/signedrelease.go | https://github.com/ossf/scorecard/pull/2921 |
| 83 | :seedling: Bump github/codeql-action from 2.3.0 to 2.3.1 | https://github.com/ossf/scorecard/pull/2920 |
| 84 | :seedling: Bump github.com/bradleyfalzon/ghinstallation/v2 from 2.3.0 to 2.4.0 | https://github.com/ossf/scorecard/pull/2915 |
| 85 | :seedling: Bump github.com/google/osv-scanner from 1.3.2-0.20230418234519-2c101c1b0e63 to 1.3.2 | https://github.com/ossf/scorecard/pull/2914 |
| 86 | :seedling: Bump sigstore/cosign-installer from 3.0.2 to 3.0.3 | https://github.com/ossf/scorecard/pull/2913 |
| 87 | :seedling: Use Go version as specified by our go.mod file for publishimage. | https://github.com/ossf/scorecard/pull/2912 |
| 88 | :seedling: Included coverage metrics from other e2e | https://github.com/ossf/scorecard/pull/2905 |
| 89 | :seedling: Bump step-security/harden-runner from 2.3.0 to 2.3.1 | https://github.com/ossf/scorecard-action/pull/1131 |
| 90 | :seedling: Bump github/codeql-action from 2.2.12 to 2.3.0 | https://github.com/ossf/scorecard-action/pull/1130 |
| 91 | :seedling: Bump codecov/codecov-action from 3.1.2 to 3.1.3 | https://github.com/ossf/scorecard-action/pull/1129 |
| 92 | :seedling: Bump github.com/go-openapi/spec from 0.20.8 to 0.20.9 | https://github.com/ossf/scorecard-webapp/pull/379 |
| 93 | :seedling: Match JSON output produced by Scorecard | https://github.com/ossf/scorecard-webapp/pull/377 |
| 94 | :seedling: Bump tj-actions/changed-files from 35.8.0 to 35.9.0 | https://github.com/ossf/scorecard/pull/2901 |
| 95 | :seedling: Unit tests for checks/ci_tests | https://github.com/ossf/scorecard/pull/2899 |

## Pull Requests Created by Naveen Srinivasan

| # | Title | URL |
| --- | --- | --- |
| 1 | :seedling: Improve workflow pinning remediation tests | https://github.com/ossf/scorecard/pull/3021 |
| 2 | :seedling: Unit tests for Policy.go | https://github.com/ossf/scorecard/pull/3003 |
| 3 | :seedling: Included directories that don't require coverage | https://github.com/ossf/scorecard/pull/3002 |
| 4 | :seedling: Increase test coverage and enable GitHub checks | https://github.com/ossf/scorecard/pull/3001 |
| 5 | :seedling: E2E tests for clients/githubrepo/languages_e2e_test.go | https://github.com/ossf/scorecard/pull/3000 |
| 6 | :seedling: Unit tests for checks/raw/contributors.go | https://github.com/ossf/scorecard/pull/2998 |
| 7 | :seedling: Unit tests for checks/raw/maintained.go | https://github.com/ossf/scorecard/pull/2996 |
| 8 | :seedling: Unit tests log/log.go | https://github.com/ossf/scorecard/pull/2980 |
| 9 | :seedling: Unit tests errors/internal.go | https://github.com/ossf/scorecard/pull/2977 |
| 10 | :seedling: Unit tests for checks/evaluation/pinned_dependencies.go | https://github.com/ossf/scorecard/pull/2975 |
| 11 | :seedling: Included e2e tests for push to main | https://github.com/ossf/scorecard/pull/2951 |
| 12 | :seedling: Unit test clients/githubrepo/copy.go | https://github.com/ossf/scorecard/pull/2950 |
| 13 | :seedling: E2E for clients/githubrepo/contributors.go | https://github.com/ossf/scorecard/pull/2939 |
| 14 | :seedling: Additional e2e clients/githubrepo/checkruns.go | https://github.com/ossf/scorecard/pull/2934 |
| 15 | :seedling: Additional e2e clients/githubrepo/branches.go | https://github.com/ossf/scorecard/pull/2931 |
| 16 | :seedling: Unitest for rule/rule.go | https://github.com/ossf/scorecard/pull/2926 |
| 17 | :seedling: Unit tests checks/evaluation/signedrelease.go | https://github.com/ossf/scorecard/pull/2921 |
| 18 | :seedling: Unit tests checks/evaluation/security_policy.go | https://github.com/ossf/scorecard/pull/2916 |
| 19 | :seedling: Included coverage metrics from other e2e | https://github.com/ossf/scorecard/pull/2905 |
| 20 | :seedling: Unit tests for checks/ci_tests | https://github.com/ossf/scorecard/pull/2899 |

## Issues Labeled or Updated by Naveen Srinivasan

| # | Title | URL |
| --- | --- | --- |
| 1 | Question RE value of Contributors Check | [https://github.com/ossf/scorecard/issues/62](https://github.com/ossf/scorecard/issues/62) |
| 2 | Rename "CII Best Practices Badge" to "OpenSSF Best Practices Badge" | [https://github.com/ossf/scorecard/issues/1549](https://github.com/ossf/scorecard/issues/1549) |
| 3 | BUG number of required reviewers is only 0 alert even though is set to 1 | [https://github.com/ossf/scorecard/issues/1614](https://github.com/ossf/scorecard/issues/1614) |
| 4 | BUG: dangerous workflow alerts when code is not run | [https://github.com/ossf/scorecard/issues/1771](https://github.com/ossf/scorecard/issues/1771) |
| 5 | BUG: Code-Review does not understand un-squashed commits | [https://github.com/ossf/scorecard/issues/1777](https://github.com/ossf/scorecard/issues/1777) |
| 6 | BUG: Webhook check complains about inactive webhooks | [https://github.com/ossf/scorecard/issues/1848](https://github.com/ossf/scorecard/issues/1848) |
| 7 | Capitalize proper nouns like Dependabot, Renovate, and GitHub | [https://github.com/ossf/scorecard/issues/2055](https://github.com/ossf/scorecard/issues/2055) |
| 8 | BUG api.securityscorecards.dev returning wrong documentation link for CII best practices | [https://github.com/ossf/scorecard/issues/2119](https://github.com/ossf/scorecard/issues/2119) |
| 9 | BUG: checks Signed-Releases and Packaging returning ? when the repo actually has releases on GitHub | [https://github.com/ossf/scorecard/issues/2763](https://github.com/ossf/scorecard/issues/2763) |
| 10 | BUG (?): Large changes to Code-Review scores between 4.10.2 and 4.10.5 | [https://github.com/ossf/scorecard/issues/2812](https://github.com/ossf/scorecard/issues/2812) |
| 11 | e2e tests: use ginkgo's --flake-attempts flag instead of nick-invision/retry | [https://github.com/ossf/scorecard/issues/2897](https://github.com/ossf/scorecard/issues/2897) |
| 12 | BUG:Error: check runtime error: CII-Best-Practices: internal error: error during json parsing: error during json.Unmarshal: invalid character '<' looking for beginning of value | [https://github.com/ossf/scorecard/issues/2902](https://github.com/ossf/scorecard/issues/2902) |
| 13 | Feature: Remove CII-Best-Practices check | [https://github.com/ossf/scorecard/issues/2904](https://github.com/ossf/scorecard/issues/2904) |
| 14 | BUG: Dockerfile named build stages with incomplete remediation report | [https://github.com/ossf/scorecard/issues/2906](https://github.com/ossf/scorecard/issues/2906) |
| 15 | BUG: pipCommand not pinned by hash is not affecting the score | [https://github.com/ossf/scorecard/issues/2908](https://github.com/ossf/scorecard/issues/2908) |
| 16 | Move big .csv files to a separate repo | [https://github.com/ossf/scorecard/issues/2909](https://github.com/ossf/scorecard/issues/2909) |
| 17 | BUG: Pinned-Dependencies assumes that Dockerfile commands can be parsed as sh | [https://github.com/ossf/scorecard/issues/2911](https://github.com/ossf/scorecard/issues/2911) |
| 18 | Feature: Token-Permissions should be more forgiving with permission declarations for single-job workflows | [https://github.com/ossf/scorecard/issues/2927](https://github.com/ossf/scorecard/issues/2927) |
| 19 | Feature: re-visit outcome definition in findings | [https://github.com/ossf/scorecard/issues/2928](https://github.com/ossf/scorecard/issues/2928) |
| 20 | BUG: internal error parsing Dockerfile | [https://github.com/ossf/scorecard/issues/2932](https://github.com/ossf/scorecard/issues/2932) |
| 21 | Feature: Enable gitlab Packaging Reporting | [https://github.com/ossf/scorecard/issues/2940](https://github.com/ossf/scorecard/issues/2940) |
| 22 | BUG: runtime error when checking Vulnerabilities | [https://github.com/ossf/scorecard/issues/2942](https://github.com/ossf/scorecard/issues/2942) |
| 23 | QUESTION:What is the scorecard interface request rate? | [https://github.com/ossf/scorecard/issues/2945](https://github.com/ossf/scorecard/issues/2945) |
| 24 | Feature: Improve error message when branch protection check fails because of the use of GITHUB_TOKEN | [https://github.com/ossf/scorecard/issues/2946](https://github.com/ossf/scorecard/issues/2946) |
| 25 | Feature: Code-Review does not detect zappr enforcement | [https://github.com/ossf/scorecard/issues/2952](https://github.com/ossf/scorecard/issues/2952) |
| 26 | Update Scorecard documentation to clarify stance of AI code review/generation | [https://github.com/ossf/scorecard/issues/2954](https://github.com/ossf/scorecard/issues/2954) |
| 27 | Allow configuring the path of the osv-scanner.toml file | [https://github.com/ossf/scorecard/issues/2963](https://github.com/ossf/scorecard/issues/2963) |
| 28 | Introducing Scorecard result viewer | [https://github.com/ossf/scorecard/issues/2979](https://github.com/ossf/scorecard/issues/2979) |
| 29 | Any plan for supporting other platform? | [https://github.com/ossf/scorecard/issues/2982](https://github.com/ossf/scorecard/issues/2982) |
| 30 | Search: unsupported feature | [https://github.com/ossf/scorecard/issues/2985](https://github.com/ossf/scorecard/issues/2985) |
| 31 | make public data set available outside GCP | [https://github.com/ossf/scorecard/issues/2986](https://github.com/ossf/scorecard/issues/2986) |
| 32 | Feature: Pinned-Dependencies do not understand variables in Dockerfile | [https://github.com/ossf/scorecard/issues/2988](https://github.com/ossf/scorecard/issues/2988) |
| 33 | BUG: Token-Permissions check not reducing score for job-level contents: write permission | [https://github.com/ossf/scorecard/issues/2991](https://github.com/ossf/scorecard/issues/2991) |
| 34 | BUG: GitLab: Query Commit Users Errors when User Is Not Found | [https://github.com/ossf/scorecard/issues/3018](https://github.com/ossf/scorecard/issues/3018) |
| 35 | BUG: Gitlab - Paging Needs to Introduced to Contributors | [https://github.com/ossf/scorecard/issues/3019](https://github.com/ossf/scorecard/issues/3019) |
| 36 | Feature: allow job-level write-permissions only when job steps are properly hash-pinned | [https://github.com/ossf/scorecard/issues/3022](https://github.com/ossf/scorecard/issues/3022) |