From 6c5d964fcde4b83fa5ad5e40060e9e5ba920cd2f Mon Sep 17 00:00:00 2001
From: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Date: Sat, 17 Dec 2022 20:55:46 -0600
Subject: [PATCH] :bug: Fix broken go mod download check (#2550)

- Fixed the https://github.com/ossf/scorecard/issues/2549

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---
 checks/raw/shell_download_validate.go | 5 +++-
 checks/raw/shell_download_validate_test.go | 33 ++++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/checks/raw/shell_download_validate.go b/checks/raw/shell_download_validate.go
index 2dfc020a1f6..39b3293be26 100644
--- a/checks/raw/shell_download_validate.go
+++ b/checks/raw/shell_download_validate.go
@@ -425,7 +425,6 @@ func isGoUnpinnedDownload(cmd []string) bool {
 if !isBinaryName("go", cmd[0]) {
 return false
 }
-
 // `Go install` will automatically look up the
 // go.mod and go.sum, so we don't flag it.
 if len(cmd) <= 2 {
@@ -456,6 +455,10 @@ func isGoUnpinnedDownload(cmd []string) bool {
 i++
 }
+ if i+1 >= len(cmd) {
+ // this is case go get -d -v
+ return false
+ }
 // TODO check more than one package
 pkg := cmd[i+1]
 // Consider strings that are not URLs as local folders
diff --git a/checks/raw/shell_download_validate_test.go b/checks/raw/shell_download_validate_test.go
index b40912f46b7..a38115aad34 100644
--- a/checks/raw/shell_download_validate_test.go
+++ b/checks/raw/shell_download_validate_test.go
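Review bot: The added guard `if i+1 >= len(cmd)` stops the out-of-range index on `pkg := cmd[i+1]`, but its comment `// this is case go get -d -v` names one example and does not say why an early false is the right answer here; suggest `// No package argument remains after the flags (e.g. "go get -d -v"), so there is nothing to resolve and cmd[i+1] would be out of range.` The hunk does not show how `i` is advanced in the loop that ends with `i++`, so whether `i` can already equal `len(cmd)` at this point is not visible from the diff; `>=` rather than `==` covers that case either way. The first hunk in this file only removes a blank line. The body of isGoUnpinnedDownload starts and ends outside the hunk.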
@@ -106,3 +106,36 @@ func TestValidateShellFile(t *testing.T) {
 t.Errorf("failed to detect shell parsing error: %v", err)
 }
 }
+
+func Test_isGoUnpinnedDownload(t *testing.T) {
+ type args struct {
+ cmd []string
+ }
+ tests := []struct {
+ name string
+ args args
+ want bool
+ }{
+ {
+ name: "go get",
+ args: args{
+ cmd: []string{"go", "get", "github.com/ossf/scorecard"},
+ },
+ want: true,
+ },
+ {
+ name: "go get with -d -v",
+ args: args{
+ cmd: []string{"go", "get", "-d", "-v"},
+ },
+ want: false,
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if got := isGoUnpinnedDownload(tt.args.cmd); got != tt.want {
+ t.Errorf("isGoUnpinnedDownload() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
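Review bot: The table in `Test_isGoUnpinnedDownload` covers only the two extremes — a bare package and flags with no package — so the path the fix actually guards, flags followed by a package, is never exercised; a third entry such as `cmd: []string{"go", "get", "-d", "-v", "github.com/ossf/scorecard"}` with `want: true` would pin that the flag-skipping loop still lands on the package. A pinned form (a `@version` or commit-hash suffix on the package) is presumably the negative case this function exists to recognise, and a table entry for it would document the expected result, though the expected value cannot be confirmed from this diff. Consider also `t.Parallel()` at the top of the test and inside the subtest closure if the rest of the file follows that convention.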