🐛 Fix remediation text when Scorecard is run multiple times within a program

[spencerschrock]

What kind of change does this PR introduce?

bug fix for incorrect repo info in remediation text. the problem affected the weekly scorecard cron job

• PR title follows the guidelines defined in our pull request documentation

What is the current behavior?

The remediation text used to reflect the first repo / branch processed by a scorecard cron worker.

What is the new behavior (if this is a feature change)?**

The remediation text will now match the repo/branch being analyzed.

• Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

#2152

Special notes for your reviewer

This is a temporary fix, and modifies the function signatures for evaluation.PinningDependencies and evaluation.TokenPermissions. I don't think anyone besides ourselves are using these exported functions.

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

NONE

[codecov]

Codecov Report

Merging #2168 (f51dee8) into main (c86a1aa) will increase coverage by 2.27%.
The diff coverage is 31.57%.

@@            Coverage Diff             @@
##             main    #2168      +/-   ##
==========================================
+ Coverage   42.39%   44.67%   +2.27%     
==========================================
  Files          94       95       +1     
  Lines        7824     7868      +44     
==========================================
+ Hits         3317     3515     +198     
+ Misses       4249     4086     -163     
- Partials      258      267       +9     

[azeemshaikh38]

Could we simply extend PinnedDepsRawData and TokenPermissionsRawData to include RemediationMetadata struct?

This isn't ideal, and really the raw data struct should have a common struct to hold this info. But atleast this avoids passing in the CheckRequest to evaluation.

[github-actions]

Integration tests success for
[14d5d7e]
(https://github.com/ossf/scorecard/actions/runs/2877641773)

[spencerschrock]

Could we simply extend PinnedDepsRawData and TokenPermissionsRawData to include RemediationMetadata struct?

This isn't ideal, and really the raw data struct should have a common struct to hold this info. But atleast this avoids passing in the CheckRequest to evaluation.

I was just following your quick fix comments in #2152. Also, I was hesitant to touch RawData for fear of messing up the json/cron job flow.

But I know it's not an easy change and might take time. So, let's remove the init() fn and all the global vars for now (that should solve the data race issue too). We need to fix this before EOW so that the cron job picks up the fix.
Once the fix is in, let's reconsider how to solve it the right way using RawData. Wdyt?

[azeemshaikh38]

Could we simply extend PinnedDepsRawData and TokenPermissionsRawData to include RemediationMetadata struct?
This isn't ideal, and really the raw data struct should have a common struct to hold this info. But atleast this avoids passing in the CheckRequest to evaluation.

I was just following your quick fix comments in #2152. Also, I was hesitant to touch RawData for fear of messing up the json/cron job flow.

But I know it's not an easy change and might take time. So, let's remove the init() fn and all the global vars for now (that should solve the data race issue too). We need to fix this before EOW so that the cron job picks up the fix.
Once the fix is in, let's reconsider how to solve it the right way using RawData. Wdyt?

SGTM, approved. Could we have a follow-up PR to address this?

[github-actions]

Integration tests success for
[f51dee8]
(https://github.com/ossf/scorecard/actions/runs/2878039771)

[spencerschrock]

SGTM, approved. Could we have a follow-up PR to address this?

👍

[laurentsimon]

nit: remediaitonMd