ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0
4.47k stars 489 forks

BUG running scorecard on a new repo with no commits results in a panic SIGSEGV #2010

Closed shissam closed 2 years ago

shissam commented 2 years ago

Describe the bug

Logged into GitHub, using the GitHub Web User Interface and selecting "New repository" to create a new repository and then running scorecard against that new repo causes:

panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xda6966]

Reproduction steps

Steps to reproduce the behavior:

  1. Use the "New repository" menu option in the upper right corner to create a new repository (any name I guess)
  2. Do nothing more, no commits, no initial file, nothing but the repo should appear in your list of repos
  3. point scorecard to that repo, the version I am showing (via docker) is gcr.io/openssf/scorecard stable 3de671030a71 5 days ago 43.7MB
  4. docker run -e GITHUB_AUTH_TOKEN= gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/shissam/BugsBunny

Expected behavior

I expected to get the scorecard to run against the repo and give me an aggregate score (i.e., 'Aggregate score: 4.7 / 10') with a detail of the results following.

What did happen was:

    $ docker run -e GITHUB_AUTH_TOKEN=<redacted> gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/shissam/BugsBunny
    Starting [Packaging]
    Starting [Pinned-Dependencies]
    Starting [Token-Permissions]
    Starting [Contributors]
    Starting [CII-Best-Practices]
    Starting [Vulnerabilities]
    Starting [Branch-Protection]
    Starting [CI-Tests]
    Starting [License]
    Starting [Fuzzing]
    Starting [Security-Policy]
    Starting [Signed-Releases]
    Starting [Binary-Artifacts]
    Starting [Dependency-Update-Tool]
    Starting [Webhooks]
    Starting [Maintained]
    Starting [SAST]
    Starting [Code-Review]
    Starting [Dangerous-Workflow]
    2022/06/28 21:08:11 unable to get tarball tarball not found: https://api.github.com/repos/shissam/BugsBunny/tarball/. Skipping...
    panic: runtime error: invalid memory address or nil pointer dereference
    [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xca8966]

    goroutine 16 [running]:
    github.com/ossf/scorecard/v4/remediation.Setup.func1()
        github.com/ossf/scorecard/v4/remediation/remediations.go:58 +0x66
    sync.(*Once).doSlow(0xc000400b40, 0xc0000c2a00)
        sync/once.go:68 +0xec
    sync.(*Once).Do(...)
        sync/once.go:59
    github.com/ossf/scorecard/v4/remediation.Setup(0xc000012ab0, 0x0, 0xc0000c2a60)
        github.com/ossf/scorecard/v4/remediation/remediations.go:49 +0x7d
    github.com/ossf/scorecard/v4/checks.PinningDependencies(0xc000012ab0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
        github.com/ossf/scorecard/v4/checks/pinned_dependencies.go:44 +0x85
    github.com/ossf/scorecard/v4/checker.(*Runner).Run(0xc0000c2ea8, 0x11d3bd8, 0xc0001e9ec0, 0x10d5328, 0xc000401620, 0x2, 0x2, 0x0, 0x0, 0x0, ...)
        github.com/ossf/scorecard/v4/checker/check_runner.go:111 +0x594
    github.com/ossf/scorecard/v4/pkg.runEnabledChecks.func1(0xc0003d0b30, 0x108c9eb, 0x13, 0x11d9340, 0xc000500310, 0xc0000987e0, 0xc0004a05a0, 0x11d3bd8, 0xc00003e050, 0x10d5328, ...)
        github.com/ossf/scorecard/v4/pkg/scorecard.go:60 +0x172
    created by github.com/ossf/scorecard/v4/pkg.runEnabledChecks
        github.com/ossf/scorecard/v4/pkg/scorecard.go:52 +0x308

Additional context

The first version of this attempt was against https://github.com/shissam/YosemiteSam - it also failed in the same manner. BUT after creating (and committing) an initial file (e.g., README.md) and even after subsequently deleting that same file, the 'panic' never occurred again.

Both those repos, YosemiteSam and BugsBunny will remain for some time.
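The crash in the report is a nil value reaching a one-time initializer guarded by sync.Once when the repository has no commits (no tarball to fetch, nothing to derive a default branch from). As an added illustration, not scorecard's own code, the Go below puts the failing shape beside a hardened version that rejects the nil client before the Once is consumed, so an empty repository yields a reportable error for that check instead of terminating the whole scan. RepoClient, Metadata, Remediator, Setup and ErrNilClient are hypothetical names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// RepoClient is an illustrative stand-in (an assumption, not scorecard's
// real API): the client is nil when the repository has no commits, which
// is the situation the bug report describes.
type RepoClient struct {
	URI           string
	DefaultBranch string
}

// Metadata is what a one-time remediation setup derives from the client.
type Metadata struct {
	Branch string
}

// ErrNilClient is returned instead of letting a nil client reach the
// dereference inside the sync.Once closure.
var ErrNilClient = errors.New("remediation setup: nil repository client (repository has no commits?)")

// unsafeSetup has the shape of the failing path: sync.Once runs a closure
// that dereferences the client without checking it, so an empty repository
// (nil client) takes the whole process down with a nil pointer dereference.
func unsafeSetup(once *sync.Once, client *RepoClient) Metadata {
	var md Metadata
	once.Do(func() {
		md.Branch = client.DefaultBranch // nil pointer dereference when client == nil
	})
	return md
}

// Remediator performs the nil check before sync.Once is consumed: a rejected
// call leaves the Once untouched, so a later call with a valid client still
// performs the initialization. Errors raised inside Do are sticky by design.
type Remediator struct {
	once sync.Once
	md   Metadata
	err  error
}

// Setup validates its input, then initializes exactly once.
func (r *Remediator) Setup(client *RepoClient) (Metadata, error) {
	if client == nil {
		return Metadata{}, ErrNilClient
	}
	r.once.Do(func() {
		if client.DefaultBranch == "" {
			r.err = fmt.Errorf("remediation setup: %s has no default branch", client.URI)
			return
		}
		r.md = Metadata{Branch: client.DefaultBranch}
	})
	return r.md, r.err
}

// panics reports whether f panics; used only to demonstrate the unsafe
// version's behaviour without crashing the program.
func panics(f func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	f()
	return false
}

func main() {
	var once sync.Once
	fmt.Println("unsafe setup on empty repo panics:", panics(func() { unsafeSetup(&once, nil) }))

	var r Remediator
	_, err := r.Setup(nil)
	fmt.Println("safe setup on empty repo:", err)

	// Constructed sample client standing in for a repository with commits.
	md, err := r.Setup(&RepoClient{URI: "github.com/example/repo", DefaultBranch: "main"})
	fmt.Println("safe setup on populated repo:", md.Branch, err)
}
```

The placement of the nil check matters: sync.Once never reruns its function, so an early return from inside the closure would leave the setup permanently uninitialized for every later caller, including ones holding a valid client. Checking before Do keeps the Once unconsumed until there is something to initialize.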

azeemshaikh38 commented 2 years ago

Thanks for the report @shissam.

@laurentsimon assigning to you. Crash seems to be happening in the remediation code, could you PTAL? Also, let's add an empty (no commit) repo to ossf-tests for our e2e tests.

laurentsimon commented 2 years ago

I would swear I fixed this before, but apparently not! PR sent as https://github.com/ossf/scorecard/pull/2011

Thanks for the report!