🌱 Add dependency remediation in raw results instead of at log time

[AdamKorcz]

What kind of change does this PR introduce?

This moves the creation of remediation for dependencies to the part where the raw results get created instead of in the evaluation.

This is an intermediary PR to prepare the pinned dependencies check for being migrated to probes; for that purpose, client calls should not be in the evaluation phase.

(Is it a bug fix, feature, docs update, something else?)

• PR title follows the guidelines defined in our pull request documentation

What is the current behavior?

What is the new behavior (if this is a feature change)?**

• Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

NONE

Special notes for your reviewer

Does this PR introduce a user-facing change?

NONE

[codecov]

Codecov Report

Merging #3632 (0547949) into main (0fc8296) will decrease coverage by 5.68%.
Report is 1 commits behind head on main.
The diff coverage is 76.00%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3632      +/-   ##
==========================================
- Coverage   76.13%   70.45%   -5.68%     
==========================================
  Files         206      206              
  Lines       14053    14065      +12     
==========================================
- Hits        10699     9910     -789     
- Misses       2726     3578     +852     
+ Partials      628      577      -51     

[spencerschrock]

Ah surfacing the error is causing the e2e to fail.

• [FAILED] [0.359 seconds]
E2E TEST:Pinned-Dependencies E2E TEST:Validating dependencies check is working [It] Should return dependencies check for a local repoClient
/home/runner/work/scorecard/scorecard/e2e/pinned_dependencies_test.go:86

  Captured StdOut/StdErr Output >>
  2023/10/31 23:18:37 dependencies check:   utests.TestReturn{
  - 	Error:         nil,
  + 	Error:         e"internal error: failed to create remediation metadata: GetDefaultBranchName: GetDefaultBranchName: unsupported feature",

Maybe something like this? We used to ignore the unsupported features like this.

diff --git a/remediation/remediations.go b/remediation/remediations.go
index b5713f7f..ab1dcd4d 100644
--- a/remediation/remediations.go
+++ b/remediation/remediations.go
@@ -22,6 +22,7 @@ import (
        "github.com/google/go-containerregistry/pkg/crane"
 
        "github.com/ossf/scorecard/v4/checker"
+       "github.com/ossf/scorecard/v4/clients"
        "github.com/ossf/scorecard/v4/rule"
 )
 
@@ -49,6 +50,9 @@ func New(c *checker.CheckRequest) (*RemediationMetadata, error) {
        // Get the branch for remediation.
        branch, err := c.RepoClient.GetDefaultBranchName()
        if err != nil {
+               if errors.Is(err, clients.ErrUnsupportedFeature) {
+                       return nil, nil
+               }
                return &RemediationMetadata{}, fmt.Errorf("GetDefaultBranchName: %w", err)
        }
 
@@ -63,6 +67,9 @@ func New(c *checker.CheckRequest) (*RemediationMetadata, error) {
 
 // CreateWorkflowPinningRemediation create remediaiton for pinninn GH Actions.
 func (r *RemediationMetadata) CreateWorkflowPinningRemediation(filepath string) *rule.Remediation {
+       if r == nil {
+               return nil
+       }
        return r.createWorkflowRemediation(filepath, "pin")
 }

This causes other e2e test(s) to fail. Up to you if you want to deal with it or maybe we just say "oops" and revert the error checking and tackle it in another PR