ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

BUG githubrepo.Client.GetOrgRepoClient() does not use parent Client transport #4255

Closed jeffmendoza closed 4 months ago

jeffmendoza commented 4 months ago

Describe the bug

githubrepo.Client.GetOrgRepoClient() simply calls CreateGithubRepoClient(). Instead it should call CreateGithubRepoClientWithTransport() and pass in its own client's transport, client.repoClient.Client().Transport.

Reproduction steps

Have an authenticated transport, say it:

rc := githubrepo.CreateGithubRepoClientWithTransport(ctx, it)
res, err := scorecard.Run(ctx, repo,
    scorecard.WithRepoClient(rc),
    scorecard.WithChecks([]string{"Security-Policy"}),
)

This should work, but you get:

ERRO[0001] GitHub token env var is not set. Please read https://github.com/ossf/scorecard#authentication  error="an error occurred while getting GitHub credentials"

due to: https://github.com/ossf/scorecard/blob/main/checks/raw/security_policy.go#L63

Expected behavior

Auth works.
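
A minimal model of the behaviour reported above, added here as an example; it is not part of the original issue and is not scorecard's code. The names tokenTransport, orgClientFromEnv, orgClientInherit and EXAMPLE_TOKEN are hypothetical, and the token and local test server are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
)

// tokenTransport is a constructed stand-in for the authenticated transport "it".
type tokenTransport struct{ token string }
func (t tokenTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	r = r.Clone(r.Context()) // a RoundTripper must not mutate the caller's request
	r.Header.Set("Authorization", "Bearer "+t.token)
	return http.DefaultTransport.RoundTrip(r)
}

// orgClientFromEnv (hypothetical) models the report: the parent is ignored.
func orgClientFromEnv(_ *http.Client) (*http.Client, error) {
	if tok := os.Getenv("EXAMPLE_TOKEN"); tok != "" { // hypothetical variable name
		return &http.Client{Transport: tokenTransport{tok}}, nil
	}
	return nil, fmt.Errorf("token env var is not set")
}

// orgClientInherit (hypothetical) models the requested behaviour.
func orgClientInherit(parent *http.Client) *http.Client {
	return &http.Client{Transport: parent.Transport}
}

// demo returns the inheriting child's HTTP status and the env-based child's error.
func demo() (int, error) {
	os.Unsetenv("EXAMPLE_TOKEN") // only the parent's transport holds a credential
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer constructed-token" {
			w.WriteHeader(http.StatusUnauthorized)
		}
	}))
	defer srv.Close()
	parent := &http.Client{Transport: tokenTransport{"constructed-token"}}
	_, envErr := orgClientFromEnv(parent)
	resp, err := orgClientInherit(parent).Get(srv.URL)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, envErr
}

func main() { fmt.Println(demo()) }
```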

spencerschrock commented 4 months ago

Thanks for filing the bug. To clarify, this is older behavior, right? You should have seen this prior to upgrading to v5?

I had the same thought when providing feedback in #4254, so this seems like a sensible change to make. Do you have time/desire to send a PR?

jeffmendoza commented 4 months ago

I am seeing this with v5 and the sample code. I'll send a PR.

jeffmendoza commented 4 months ago

Oh, not sure about before v5. I assume so.