From 1c99e0a121e2d82e407965789931a85a755538ca Mon Sep 17 00:00:00 2001
From: Spencer Schrock
Date: Wed, 13 Jul 2022 20:28:03 +0000
Subject: [PATCH] Add basic remediation for dockerfile pinning

---
 checks/evaluation/pinned_dependencies.go | 11 +++++++++--
 remediation/remediations.go | 19 +++++++++++++++++++
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/checks/evaluation/pinned_dependencies.go b/checks/evaluation/pinned_dependencies.go
index 5adbfa14b3bb..da6ae5914d46 100644
--- a/checks/evaluation/pinned_dependencies.go
+++ b/checks/evaluation/pinned_dependencies.go
@@ -136,10 +136,17 @@ func PinningDependencies(name string, dl checker.DetailLogger,
 }
 
 func generateRemediation(rr *checker.Dependency) *checker.Remediation {
-	if rr.Type == checker.DependencyUseTypeGHAction {
+	switch rr.Type {
+	case checker.DependencyUseTypeGHAction:
 		return remediation.CreateWorkflowPinningRemediation(rr.Location.Path)
+	case checker.DependencyUseTypeDockerfileContainerImage:
+		if rr.Name == nil {
+			return nil
+		}
+		return remediation.CreateDockerfilePinningRemediation(*rr.Name)
+	default:
+		return nil
 	}
-	return nil
 }
 
 func updatePinningResults(rr *checker.Dependency,
diff --git a/remediation/remediations.go b/remediation/remediations.go
index 1d6c832c496c..c9ecbedba54b 100644
--- a/remediation/remediations.go
+++ b/remediation/remediations.go
@@ -20,6 +20,8 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/google/go-containerregistry/pkg/crane"
+
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/clients"
 )
@@ -37,6 +39,7 @@ var ( workflowText = "update your workflow using https://app.stepsecurity.io/secureworkflow/%s/%s/%s?enable=%s" //nolint workflowMarkdown = "update your workflow using [https://app.stepsecurity.io](https://app.stepsecurity.io/secureworkflow/%s/%s/%s?enable=%s)" + dockerfileText = "pin your Docker image (%[1]s). For linux/amd64 update to %[1]s@%s" ) //nolint:gochecknoinits
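Review bot: The new Dockerfile case in generateRemediation guards `rr.Name == nil`, but the GHAction case in the same switch still dereferences `rr.Location.Path` with no guard, so the two branches now treat a partially populated Dependency differently. If Location can be nil for a workflow dependency, mirror the guard with `if rr.Location == nil { return nil }` before the CreateWorkflowPinningRemediation call. It would also help to say in a comment that a missing Name (and, inferred from the callee, a failed digest lookup) intentionally yields no remediation rather than an error, since callers cannot distinguish "nothing to suggest" from "lookup failed" through the nil return.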
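Review bot: The diffstat lists only the two .go files, so go.mod and go.sum are untouched by this patch; `github.com/google/go-containerregistry/pkg/crane` therefore has to already be a requirement of the module for the import in remediations.go to build, and if it is currently only an `// indirect` requirement it should be promoted to a direct one so its version is chosen deliberately rather than inherited. This is also the first import that makes the remediation package perform outbound network requests, which is worth a sentence in the package documentation so consumers of the package know the call is not purely local.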
@@ -95,3 +98,19 @@ func createWorkflowRemediation(path, t string) *checker.Remediation {
 		HelpMarkdown: markdown,
 	}
 }
+
+// CreateDockerfilePinningRemediation create remediaiton for pinning Dockerfile images.
+func CreateDockerfilePinningRemediation(image string) *checker.Remediation {
+	hash, err := crane.Digest(image)
+	if err != nil {
+		return nil
+	}
+
+	text := fmt.Sprintf(dockerfileText, image, hash)
+	markdown := text
+
+	return &checker.Remediation{
+		HelpText:     text,
+		HelpMarkdown: markdown,
+	}
+}
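Review bot: `crane.Digest(image)` in CreateDockerfilePinningRemediation issues a live registry request for every unpinned image reference taken from the scanned repository's Dockerfile, with no context, deadline or cancellation, and on failure the error is discarded and nil returned. Because the reference is repository-controlled input, the scanner will contact whichever registry host the reference names and will block on a slow or unreachable host for however long the library's defaults allow; threading a context with a deadline through, for example `hash, err := crane.Digest(image, crane.WithContext(ctx))`, and surfacing or logging the error would bound that and make failures visible. As far as I can tell from the crane API, the digest returned for a multi-platform tag is the digest of what the registry serves for that tag (the manifest list/index), not a linux/amd64-specific manifest digest, so the "For linux/amd64" wording in dockerfileText may be misleading; confirm against crane's behaviour or drop the platform qualifier. Minor: the doc comment should read `// CreateDockerfilePinningRemediation creates a remediation for pinning Dockerfile images.`, and `markdown := text` can be folded into the struct literal by writing `HelpMarkdown: text,`. The whole function is visible in this hunk.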