Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🐛 Trust pinned GitHub download URLs #3694

Merged
merged 6 commits into from
Nov 30, 2023

Conversation

martincostello
Copy link
Contributor

What kind of change does this PR introduce?

Bug fix

What is the current behavior?

Files that are downloaded and executed from raw.githubusercontent.com, even if they are addressed by a Git SHA, are marked as downloadThenRun dependencies that are not pinned by hash.

What is the new behavior?

Files that are downloaded from raw.githubusercontent.com and are addressed by a Git SHA, and therefore immutable, are considered to be pinned by hash.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #3339

Special notes for your reviewer

Does this PR introduce a user-facing change?

Pinned-Dependencies: Files downloaded by Git SHA from GitHub and executed are no longer considered as not pinned by hash.

Copy link

codecov bot commented Nov 27, 2023

Codecov Report

Merging #3694 (d493588) into main (ce0b54e) will decrease coverage by 5.54%.
The diff coverage is 100.00%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3694      +/-   ##
==========================================
- Coverage   76.31%   70.78%   -5.54%     
==========================================
  Files         210      210              
  Lines       14371    14395      +24     
==========================================
- Hits        10967    10189     -778     
- Misses       2757     3614     +857     
+ Partials      647      592      -55     

Copy link
Member

@spencerschrock spencerschrock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the well tested PR! Left a few small comments

checks/raw/pinned_dependencies_test.go Outdated Show resolved Hide resolved
checks/raw/testdata/Dockerfile-curl-sh Show resolved Hide resolved
checks/raw/testdata/Dockerfile-wget-bin-sh Outdated Show resolved Hide resolved
checks/raw/shell_download_validate_test.go Show resolved Hide resolved
checks/raw/shell_download_validate_test.go Show resolved Hide resolved
@spencerschrock
Copy link
Member

/scdiff generate Pinned-Dependencies

Copy link

 Trust files that are downloaded from `raw.githubusercontent.com` where the file's ref is a Git SHA and therefore immutable.
Resolves #3339.
Signed-off-by: martincostello <martin@martincostello.com>
- Add `hasUnpinnedURLs` function.
- Add test cases for different URLs.
Signed-off-by: martincostello <martin@martincostello.com>
Appease the linter.
Signed-off-by: martincostello <martin@martincostello.com>
Suppress warning on three long URLs.
Signed-off-by: martincostello <martin@martincostello.com>
Address peer review feedback.
Signed-off-by: martincostello <martin@martincostello.com>
Fix lint warning.
Signed-off-by: martincostello <martin@martincostello.com>
@spencerschrock spencerschrock merged commit 0c40e14 into ossf:main Nov 30, 2023
38 checks passed
@martincostello martincostello deleted the issue-3339 branch November 30, 2023 19:41
ashearin pushed a commit to kgangerlm/scorecard-gitlab that referenced this pull request Dec 4, 2023
* Trust pinned GitHub download URLs

 Trust files that are downloaded from `raw.githubusercontent.com` where the file's ref is a Git SHA and therefore immutable.
Resolves ossf#3339.
Signed-off-by: martincostello <martin@martincostello.com>

* Move logic to function

- Add `hasUnpinnedURLs` function.
- Add test cases for different URLs.
Signed-off-by: martincostello <martin@martincostello.com>

* Fix formatting

Appease the linter.
Signed-off-by: martincostello <martin@martincostello.com>

* Suppress lint warnings

Suppress warning on three long URLs.
Signed-off-by: martincostello <martin@martincostello.com>

* Address peer review

Address peer review feedback.
Signed-off-by: martincostello <martin@martincostello.com>

* Fix lint warning

Fix lint warning.
Signed-off-by: martincostello <martin@martincostello.com>
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Pinned-Dependencies incorrectly flags a pinned dependency downloaded from GitHub
3 participants