Closed
Labels
kind/bug (Something isn't working)
Description
We are seeing a panic in scorecard-action v2.1.0 during our scheduled runs.
See this scheduled run:
https://github.com/slsa-framework/slsa-github-generator/actions/runs/3719005620/jobs/6307584758
panic: runtime error: index out of range [4] with length 4
goroutine 9 [running]:
github.com/ossf/scorecard/v4/checks/raw.isGoUnpinnedDownload({0xc000d04540, 0x4, 0x2565ec0?})
github.com/ossf/scorecard/[email protected]/checks/raw/shell_download_validate.go:460 +0x5a7
github.com/ossf/scorecard/v4/checks/raw.collectUnpinnedPakageManagerDownload(0xc0008cbc80?, 0xc000db8a80?, {0x2565ec0?, 0xc000db8a80}, {0xc000a00840, 0xc}, {0xc0003b7494, 0x2a}, 0xc0008cbc80)
github.com/ossf/scorecard/[email protected]/checks/raw/shell_download_validate.go:647 +0xf9
github.com/ossf/scorecard/v4/checks/raw.validateShellFileAndRecord.func1({0x2565ec0, 0xc000db8a80})
github.com/ossf/scorecard/[email protected]/checks/raw/shell_download_validate.go:932 +0x31f
mvdan.cc/sh/v3/syntax.Walk({0x2565ec0?, 0xc000db8a80?}, 0xc000e88640)
mvdan.cc/sh/[email protected]/syntax/walk.go:32 +0x56
mvdan.cc/sh/v3/syntax.Walk({0x2566208?, 0xc0011de000?}, 0xc000e88640)
mvdan.cc/sh/[email protected]/syntax/walk.go:49 +0x1605
mvdan.cc/sh/v3/syntax.walkStmts({0xc0010c9000, 0x1, 0x203000?}, {0x0, 0x0, 0xc000db8000?}, 0xc000db8608?)
mvdan.cc/sh/[email protected]/syntax/walk.go:14 +0x4d
mvdan.cc/sh/v3/syntax.Walk({0x2566028?, 0xc000d043c0?}, 0xc000e88640)
mvdan.cc/sh/[email protected]/syntax/walk.go:38 +0x536
github.com/ossf/scorecard/v4/checks/raw.validateShellFileAndRecord({0xc0003b7494, 0x2a}, 0x13, 0x13, {0xc000a007d0?, 0x3eb?, 0x3ec?}, 0xc000e87800, 0xc0008cbc80)
github.com/ossf/scorecard/[email protected]/checks/raw/shell_download_validate.go:898 +0x24a
github.com/ossf/scorecard/v4/checks/raw.validateShellFile(...)
github.com/ossf/scorecard/[email protected]/checks/raw/shell_download_validate.go:1029
github.com/ossf/scorecard/v4/checks/raw.glob..func8({0xc0003b7494, 0x2a}, {0xc00061dc00, 0x3eb, 0x3ec}, {0xc000b5c670?, 0x7f6ae76d55b8?, 0x10?})
github.com/ossf/scorecard/[email protected]/checks/raw/pinned_dependencies.go:164 +0x457
github.com/ossf/scorecard/v4/checks/fileparser.OnMatchingFileContentDo({0x258a7b0, 0xc00057cb40}, {{0x221194c?, 0x1ea21c0?}, 0x20?}, 0x2337298, {0xc000b5c670, 0x1, 0x1})
github.com/ossf/scorecard/[email protected]/checks/fileparser/listing.go:100 +0x1c3
github.com/ossf/scorecard/v4/checks/raw.collectDockerfileInsecureDownloads(...)
github.com/ossf/scorecard/[email protected]/checks/raw/pinned_dependencies.go:105
github.com/ossf/scorecard/v4/checks/raw.PinningDependencies(0xc000184c60)
github.com/ossf/scorecard/[email protected]/checks/raw/pinned_dependencies.go:46 +0x19c
github.com/ossf/scorecard/v4/checks.PinningDependencies(0xc000184c60)
github.com/ossf/scorecard/[email protected]/checks/pinned_dependencies.go:41 +0x5e
github.com/ossf/scorecard/v4/checker.(*Runner).Run(0xc000aaff18, {0x2575a00, 0xc000126000}, {0x23371d8?, {0xc000560500?, 0x0?, 0x0?}})
github.com/ossf/scorecard/[email protected]/checker/check_runner.go:111 +0x574
github.com/ossf/scorecard/v4/pkg.runEnabledChecks.func1()
github.com/ossf/scorecard/[email protected]/pkg/scorecard.go:60 +0x1d0
created by github.com/ossf/scorecard/v4/pkg.runEnabledChecks
github.com/ossf/scorecard/[email protected]/pkg/scorecard.go:52 +0x216