Merge branch 'main' into feat/lastapproval

ossf · Dec 9, 2022 · 0fe8e14 · 0fe8e14
2 parents 0bfe533 + ac8c575
commit 0fe8e14
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 16 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -62,7 +62,7 @@ jobs:
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
 
-      uses: github/codeql-action/init@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v1
+      uses: github/codeql-action/init@a669cc5936cc5e1b6a362ec1ff9e410dc570d190 # v1
       with:
         languages: ${{ matrix.language }}
         queries: +security-extended
@@ -74,7 +74,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v1
+      uses: github/codeql-action/autobuild@a669cc5936cc5e1b6a362ec1ff9e410dc570d190 # v1
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -88,4 +88,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v1
+      uses: github/codeql-action/analyze@a669cc5936cc5e1b6a362ec1ff9e410dc570d190 # v1
diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml
@@ -47,6 +47,6 @@ jobs:
           retention-days: 5
 
       - name: "Upload SARIF results"
-        uses: github/codeql-action/upload-sarif@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v1
+        uses: github/codeql-action/upload-sarif@a669cc5936cc5e1b6a362ec1ff9e410dc570d190 # v1
         with:
           sarif_file: results.sarif
diff --git a/.golangci.yml b/.golangci.yml
@@ -49,7 +49,6 @@ linters:
     - misspell
     - nakedret
     - nestif
-    - paralleltest
     - predeclared
     - staticcheck
     - stylecheck

diff --git a/README.md b/README.md
@@ -35,6 +35,9 @@
 -   [Detailed Check Documentation](docs/checks.md) (Scoring Criteria, Risks, and
     Remediation)
 
+## Other Important Recommendations
+-   [Two-factor Authentication (2FA)](#two-factor-authentication-2fa)
+
 ## Scoring
 -   [Aggregate Score](#aggregate-score)
 
@@ -457,6 +460,34 @@ Name        | Description                               | Risk Level | Token Req
 To see detailed information about each check, its scoring criteria, and
 remediation steps, check out the [checks documentation page](docs/checks.md).
 
+## Other Important Recommendations
+
+### Two-factor Authentication (2FA)
+
+[Two-factor Authentication (2FA)](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/about-two-factor-authentication) adds an extra layer of security when logging into websites or apps. 2FA protects your account if your password is compromised by requiring a second form of authentication, such as codes sent via SMS or authentication app, or touching a physical security key.
+
+We strongly recommend that you enable 2FA on GitHub and any important account where it is available. 2FA is not a Scorecard check because GitHub does not make that data about user accounts public. Arguably, this data should always remain private, since accounts without 2FA are so vulnerable to attack.
+
+Though it is not an official check, we urge all project maintainers to enable 2FA to protect their projects from compromise.
+
+#### Enabling 2FA
+
+##### For users
+
+Follow the steps described at [Configuring two-factor authentication](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication)
+
+If possible, use either:
+
+- physical security key (preferred), such as Titan or Yubikey
+- recovery codes, stored in an access protected and encrypted vault
+
+As a last option, use SMS. Beware: 2FA using SMS is vulnerable to [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam).
+
+##### For an organization
+
+1. [Prepare to require 2FA in your organization](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/preparing-to-require-two-factor-authentication-in-your-organization)
+2. [Require 2FA in your organization](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization)
+
 ## Scoring
 
 ### Aggregate Score

diff --git a/dependencydiff/dependencydiff_test.go b/dependencydiff/dependencydiff_test.go
@@ -27,8 +27,7 @@ import (
 
 // Test_fetchRawDependencyDiffData is a test function for fetchRawDependencyDiffData.
 func Test_fetchRawDependencyDiffData(t *testing.T) {
-	t.Parallel()
-
+	//nolint
 	tests := []struct {
 		name      string
 		dCtx      dependencydiffContext
@@ -69,7 +68,6 @@ func Test_fetchRawDependencyDiffData(t *testing.T) {
 }
 
 func Test_initRepoAndClientByChecks(t *testing.T) {
-	t.Parallel()
 	//nolint
 	tests := []struct {
 		name                           string
@@ -129,8 +127,7 @@ func Test_initRepoAndClientByChecks(t *testing.T) {
 }
 
 func Test_getScorecardCheckResults(t *testing.T) {
-	t.Parallel()
-
+	//nolint
 	tests := []struct {
 		name    string
 		dCtx    dependencydiffContext
@@ -161,7 +158,6 @@ func Test_getScorecardCheckResults(t *testing.T) {
 }
 
 func Test_mapDependencyEcosystemNaming(t *testing.T) {
-	t.Parallel()
 	//nolint
 	tests := []struct {
 		name      string
@@ -217,7 +213,7 @@ func Test_mapDependencyEcosystemNaming(t *testing.T) {
 	for _, tt := range tests {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
+			//nolint
 			err := mapDependencyEcosystemNaming(tt.deps)
 			if tt.errWanted != nil && errors.Is(tt.errWanted, err) {
 				t.Errorf("not a wanted error, want:%v, got:%v", tt.errWanted, err)
@@ -228,8 +224,7 @@ func Test_mapDependencyEcosystemNaming(t *testing.T) {
 }
 
 func Test_isSpecifiedByUser(t *testing.T) {
-	t.Parallel()
-
+	//nolint
 	tests := []struct {
 		name               string
 		ct                 pkg.ChangeType
@@ -267,7 +262,7 @@ func Test_isSpecifiedByUser(t *testing.T) {
 	for _, tt := range tests {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
+			//nolint
 			result := isSpecifiedByUser(tt.ct, tt.changeTypesToCheck)
 			if result != tt.resultWanted {
 				t.Errorf("result (%v) != result wanted (%v)", result, tt.resultWanted)

diff --git a/e2e/e2e_suite_test.go b/e2e/e2e_suite_test.go
@@ -29,7 +29,6 @@ func TestE2e(t *testing.T) {
 	if val, exists := os.LookupEnv("SKIP_GINKGO"); exists && val == "1" {
 		t.Skip()
 	}
-	t.Parallel()
 	RegisterFailHandler(Fail)
 	RunSpecs(t, "E2e Suite")
 }