Address peer review

Address peer review feedback. Signed-off-by: martincostello <martin@martincostello.com>
ossf · Nov 30, 2023 · c88c741 · c88c741
1 parent 6d0b106
commit c88c741
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 2 deletions.
diff --git a/checks/raw/pinned_dependencies_test.go b/checks/raw/pinned_dependencies_test.go
@@ -729,7 +729,7 @@ func TestDockerfileInsecureDownloadsLineNumber(t *testing.T) {
 					t:         checker.DependencyUseTypePipCommand,
 				},
 				{
-					snippet:   "bash <(curl --silent --show-error \"https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash\")",
+					snippet:   `bash <(curl --silent --show-error "https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash")`,
 					startLine: 68,
 					endLine:   68,
 					t:         checker.DependencyUseTypeDownloadThenRun,
@@ -994,7 +994,7 @@ func TestShellscriptInsecureDownloadsLineNumber(t *testing.T) {
 					t:         checker.DependencyUseTypeNugetCommand,
 				},
 				{
-					snippet:   "bash <(curl --silent --show-error \"https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash\")",
+					snippet:   `bash <(curl --silent --show-error "https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash")`,
 					startLine: 69,
 					endLine:   69,
 					t:         checker.DependencyUseTypeDownloadThenRun,

diff --git a/checks/raw/shell_download_validate_test.go b/checks/raw/shell_download_validate_test.go
@@ -314,6 +314,7 @@ func Test_isNpmUnpinnedDownload(t *testing.T) {
 }
 
 func Test_hasUnpinnedURLs(t *testing.T) {
+	t.Parallel()
 	type args struct {
 		cmd []string
 	}
@@ -431,6 +432,7 @@ func Test_hasUnpinnedURLs(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
 			if actual := hasUnpinnedURLs(tt.args.cmd); actual != tt.expected {
 				t.Errorf("hasUnpinnedURLs() = %v, expected %v for %v", actual, tt.expected, tt.name)
 			}

diff --git a/checks/raw/testdata/Dockerfile-curl-sh b/checks/raw/testdata/Dockerfile-curl-sh
@@ -19,7 +19,11 @@ RUN echo hello && curl -s /etc/file | sh
 RUN echo hello && curl -s file-with-sudo2 | sudo bash
 RUN echo hello && sudo curl -s file-with-sudo | bash | bla
 RUN ["echo", "hello", "&&", "curl", "-s", "/etc/file2", "|", "sh"]
+
+# Unpinned
 RUN curl -sSL https://raw.githubusercontent.com/dotnet/install-scripts/main/src/dotnet-install.sh | bash /dev/stdin
+
+# Pinned
 RUN curl -sSL https://raw.githubusercontent.com/dotnet/install-scripts/5b142a1e445a6f060d6430b661408989e9580b85/src/dotnet-install.sh | bash /dev/stdin
 
 FROM scratch

diff --git a/checks/raw/testdata/Dockerfile-wget-bin-sh b/checks/raw/testdata/Dockerfile-wget-bin-sh
@@ -18,7 +18,11 @@ FROM python:3.7@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f878766
 RUN echo hello && wget -0 - http://ifconfig.co/json | /bin/sh
 RUN ["echo", "hello", "&&", "wget", "-0", "-", "http://ifconfig.co/json", "|", "/bin/sh"]
 RUN ["sh", "-c", "\"wget -0 - http://ifconfig.co/json | /bin/sh\""]
+
+# Unpinned
 RUN wget -0 - https://raw.githubusercontent.com/dotnet/install-scripts/main/src/dotnet-install.sh | /bin/sh
+
+# Pinned
 RUN wget -0 - https://raw.githubusercontent.com/dotnet/install-scripts/5b142a1e445a6f060d6430b661408989e9580b85/src/dotnet-install.sh | /bin/sh
 
 FROM scratch