ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0
4.37k stars 481 forks

BUG: bad credentials running standalone Scorecard CLI against a public GitHub repo #2559

Closed mmaraya closed 1 year ago

mmaraya commented 1 year ago

Describe the bug

Starting sometime after 2022-12-09, the command-line version of the Scorecard client returns this error message when running against any public GitHub repository:

$ ./scorecard version
         __  ____     ____    ___    ____    _____    ____      _      ____    ____
        / / / ___|   / ___|  / _ \  |  _ \  | ____|  / ___|    / \    |  _ \  |  _ \
       / /  \___ \  | |     | | | | | |_) | |  _|   | |       / _ \   | |_) | | | | |
  _   / /    ___) | | |___  | |_| | |  _ <  | |___  | |___   / ___ \  |  _ <  | |_| |
 (_) /_/    |____/   \____|  \___/  |_| \_\ |_____|  \____| /_/   \_\ |_| \_\ |____/
./scorecard: OpenSSF Scorecard

GitVersion:    v4.10.2
GitCommit:     unknown
GitTreeState:  unknown
BuildDate:     unknown
GoVersion:     go1.19.4
Compiler:      gc
Platform:      linux/amd64

$ ./scorecard --repo=github.com/ossf-tests/scorecard-check-branch-protection-e2e
Error: GetClients: getting OSS-Fuzz repo client: error during InitRepo: repo unreachable: GET https://api.github.com/repos/google/oss-fuzz: 401 Bad credentials []
2022/12/21 22:42:02 error during command execution: GetClients: getting OSS-Fuzz repo client: error during InitRepo: repo unreachable: GET https://api.github.com/repos/google/oss-fuzz: 401 Bad credentials []

I have exported a valid classic personal access token via $GITHUB_AUTH_TOKEN.

Reproduction steps

Steps to reproduce the behavior:

  1. download latest release from https://github.com/ossf/scorecard/releases/tag/v4.10.2
  2. confirm that $GITHUB_AUTH_TOKEN has a valid value
  3. ./scorecard --repo=github.com/ossf-tests/scorecard-check-branch-protection-e2e

Expected behavior

Prior to 2022-12-09, the scorecard CLI would execute correctly against any public GitHub repo (and without $GITHUB_AUTH_TOKEN).

Additional context

Add any other context about the problem here.

spencerschrock commented 1 year ago

I'm unable to replicate.

wget https://github.com/ossf/scorecard/releases/download/v4.10.2/scorecard_4.10.2_linux_amd64.tar.gz
tar xzfv scorecard_4.10.2_linux_amd64.tar.gz
./scorecard-linux-amd64 --repo=ossf-tests/scorecard-check-branch-protection-e2e --format=json

401 Bad credentials

Are you sure that the GITHUB_AUTH_TOKEN you're using hasn't expired or been revoked?
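One way to answer that question without involving scorecard at all is to replay the exact request that failed in the report (GET /repos/google/oss-fuzz with the token from $GITHUB_AUTH_TOKEN) and read the status. The script below is an added example, not scorecard's code; the `fetch` parameter and the diagnosis strings are my own construction so the logic can be exercised offline with a fake response.

```python
"""Pre-flight check for a GitHub token: repeats the request scorecard's
InitRepo makes (GET /repos/google/oss-fuzz) and classifies the answer.
Added example, not part of the scorecard project."""
import os
import urllib.error
import urllib.request

API = "https://api.github.com"


def _github_get(url, token):
    """Perform the real request; return (status, lower-cased headers)."""
    req = urllib.request.Request(
        url,
        headers={
            "Authorization": f"token {token}",
            "Accept": "application/vnd.github+json",
        },
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def diagnose_token(token, repo="google/oss-fuzz", fetch=_github_get):
    """Return a one-line diagnosis. `fetch` is injectable (hypothetical
    parameter) so the classification can be tested without network access."""
    if not token:
        return "missing: GITHUB_AUTH_TOKEN is not set"
    if token != token.strip():
        # a trailing newline from `echo token > file` is a common cause of 401
        return "malformed: token has leading or trailing whitespace"
    status, headers = fetch(f"{API}/repos/{repo}", token)
    if status == 200:
        scopes = headers.get("x-oauth-scopes", "")
        return f"ok: token accepted (scopes: {scopes or 'none reported'})"
    if status == 401:
        return "bad credentials: token rejected (expired, revoked or mistyped)"
    if status == 403:
        return "forbidden: token accepted but request blocked (e.g. rate limit)"
    return f"unexpected: HTTP {status}"


if __name__ == "__main__":
    print(diagnose_token(os.environ.get("GITHUB_AUTH_TOKEN")))
```

Run it in the same shell where you export $GITHUB_AUTH_TOKEN; a "bad credentials" result means the token itself is the problem, not the CLI.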

mmaraya commented 1 year ago

Hi Spencer! Thanks for the quick response! I created two new PATs yesterday (one classic, the other fine-grained) and confirmed that they are still active just now. Both show as never being used. I couldn't get either PAT to work.

mmaraya commented 1 year ago

I suspect the problem was caused by using a GH account that did not have a verified email address (I wasn't comfortable creating a classic PAT against my main GH account). And the PAT has to be classic, not fine-grained. Everything's working again. Thanks for confirming that the issue was on my end. 💯

mmaraya commented 1 year ago

Update: it turns out that I did have a verified email address, so that wasn't the problem. Apparently, GitHub returns a "Bad credentials" error if the PAT is not associated with the email address in ~/.gitconfig. If you have multiple GitHub identities, you can get around this by adding an [includeIf "gitdir:~/<some other directory>"] directive at the end of ~/.gitconfig and having a new .gitconfig in that folder with the GitHub identity that is associated with your PAT.