🐛 fix Docker remediations for unpinned GHA dependencies

Previously, as both the check for unpinned dependencies in GitHub Actions and the check for unpinned Docker dependencies contribute to d.Dependencies, the loop that created remediations for Docker dependencies would also create try to create Docker remediations for the unpinned GitHub Actions dependencies. This could get really slow, especially when scanning a repo with many GitHub Actions such as https://github.com/apache/beam.
ossf · May 29, 2024 · 789b16e · 789b16e
1 parent d99ae69
commit 789b16e
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/checks/raw/pinned_dependencies.go b/checks/raw/pinned_dependencies.go
@@ -230,7 +230,7 @@ func collectDockerfilePinning(c *checker.CheckRequest, r *checker.PinningDepende
 
 	for i := range r.Dependencies {
 		rr := &r.Dependencies[i]
-		if !*rr.Pinned {
+		if rr.Type == checker.DependencyUseTypeDockerfileContainerImage && !*rr.Pinned {
 			remediate := remediation.CreateDockerfilePinningRemediation(rr, remediation.CraneDigester{})
 			rr.Remediation = remediate
 		}
@@ -485,7 +485,7 @@ func collectGitHubActionsWorkflowPinning(c *checker.CheckRequest, r *checker.Pin
 
 	for i := range r.Dependencies {
 		rr := &r.Dependencies[i]
-		if !*rr.Pinned {
+		if rr.Type == checker.DependencyUseTypeGHAction && !*rr.Pinned {
 			remediate := remediationMetadata.CreateWorkflowPinningRemediation(rr.Location.Path)
 			rr.Remediation = remediate
 		}