Skip to content

Commit

Permalink
🌱 Small refactor and test for remediations
Browse files Browse the repository at this point in the history 
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
  • Loading branch information
@raboof
raboof committed May 29, 2024
1 parent fcdfdb7 commit fa6b0df
Show file tree
Hide file tree
Showing 2 changed files with 86 additions and 7 deletions.
23 changes: 16 additions & 7 deletions checks/raw/pinned_dependencies.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -228,14 +228,18 @@ func collectDockerfilePinning(c *checker.CheckRequest, r *checker.PinningDepende
return err
}

for i := range r.Dependencies {
rr := &r.Dependencies[i]
applyDockerfilePinningRemediations(r.Dependencies)
return nil
}

func applyDockerfilePinningRemediations(d []checker.Dependency) {
for i := range d {
rr := &d[i]
if rr.Type == checker.DependencyUseTypeDockerfileContainerImage && !*rr.Pinned {
remediate := remediation.CreateDockerfilePinningRemediation(rr, remediation.CraneDigester{})
rr.Remediation = remediate
}
}
return nil
}

var validateDockerfilesPinning fileparser.DoWhileTrueOnFileContent = func(
Expand Down Expand Up @@ -483,14 +487,19 @@ func collectGitHubActionsWorkflowPinning(c *checker.CheckRequest, r *checker.Pin
//nolint:errcheck
remediationMetadata, _ := remediation.New(c)

for i := range r.Dependencies {
rr := &r.Dependencies[i]
applyWorkflowPinningRemediations(remediationMetadata, r.Dependencies)
return nil
}

func applyWorkflowPinningRemediations(rm *remediation.RemediationMetadata, d []checker.Dependency) {
for i := range d {
rr := &d[i]
if rr.Type == checker.DependencyUseTypeGHAction && !*rr.Pinned {
remediate := remediationMetadata.CreateWorkflowPinningRemediation(rr.Location.Path)
remediate := rm.CreateWorkflowPinningRemediation(rr.Location.Path)
rr.Remediation = remediate
}
}
return nil

}

// validateGitHubActionWorkflow checks if the workflow file contains unpinned actions. Returns true if the check
Expand Down
70 changes: 70 additions & 0 deletions checks/raw/pinned_dependencies_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ import (
"github.com/ossf/scorecard/v5/checker"
mockrepo "github.com/ossf/scorecard/v5/clients/mockclients"
"github.com/ossf/scorecard/v5/finding"
"github.com/ossf/scorecard/v5/remediation"
scut "github.com/ossf/scorecard/v5/utests"
)

Expand Down Expand Up @@ -415,6 +416,75 @@ func TestDockerfilePinning(t *testing.T) {
}
}

func TestMixedPinning(t *testing.T) {
t.Parallel()

workflowDependency := checker.Dependency{
Name: stringAsPointer("actions/checkout"),
PinnedAt: stringAsPointer("daadedc81d5f9d3c06d2c92f49202a3cc2b919ba"),
Location: &checker.File{
Path: ".github/workflows/workflow-not-pinned.yaml",
Snippet: "actions/checkout@daadedc81d5f9d3c06d2c92f49202a3cc2b919ba",
Offset: 31,
EndOffset: 31,
FileSize: 0,
Type: 1,
},
Pinned: boolAsPointer(false),
Type: "GitHubAction",
Remediation: nil,
}
dockerDependency := checker.Dependency{
Name: stringAsPointer("python"),
PinnedAt: stringAsPointer("3.7"),
Location: &checker.File{
Path: "./testdata/Dockerfile-not-pinned",
Snippet: "FROM python:3.7",
Offset: 17,
EndOffset: 17,
Type: 0,
},
Pinned: boolAsPointer(false),
Type: "containerImage",
}
dependencies := []checker.Dependency{
workflowDependency,
dockerDependency,
}

//nolint:errcheck
remediationMetadata, _ := remediation.New(nil)
remediationMetadata.Branch = "mybranch"
remediationMetadata.Repo = "myrepo"

applyWorkflowPinningRemediations(remediationMetadata, dependencies)
if dependencies[0].Remediation == nil {
t.Errorf("No remediation added to workflow dependency")
return
}
if !strings.Contains(dependencies[0].Remediation.Text, "update your workflow") {
t.Errorf("Unexpected workflow remediation text")
}
if dependencies[1].Remediation != nil {
t.Errorf("Unexpected docker remediation")
return
}
applyDockerfilePinningRemediations(dependencies)
if dependencies[0].Remediation == nil {
t.Errorf("Remediation disappeared from workflow dependency")
}
if !strings.Contains(dependencies[0].Remediation.Text, "update your workflow") {
t.Errorf("Unexpected workflow remediation text")
}
if dependencies[1].Remediation == nil {
t.Errorf("No remediation added to docker dependency")
return
}
if !strings.Contains(dependencies[1].Remediation.Text, "Docker") {
t.Errorf("Unexpected Docker remediation text")
}
}

func TestFileIsInVendorDir(t *testing.T) {
t.Parallel()
tests := []struct {
Expand Down

0 comments on commit fa6b0df

Please sign in to comment.