🐛 Trust pinned GitHub download URLs #3694
Merged
Codecov Report
Coverage diff, main vs #3694:

              main    #3694    +/-
Coverage    76.31%   70.78%  -5.54%
Files          210      210
Lines        14371    14395    +24
Hits         10967    10189   -778
Misses        2757     3614   +857
Partials       647      592    -55
martincostello force-pushed the issue-3339 branch from 3d96833 to 3dfa68c on November 27, 2023 16:16
martincostello requested review from raghavkaul and laurentsimon and removed the request for a team on November 27, 2023 16:27
martincostello force-pushed the issue-3339 branch from aefb0dd to 06c9966 on November 27, 2023 18:11
martincostello force-pushed the issue-3339 branch from 06c9966 to 3b2ce51 on November 28, 2023 07:15
martincostello force-pushed the issue-3339 branch from 3b2ce51 to 9232db8 on November 28, 2023 17:53
martincostello force-pushed the issue-3339 branch from 9232db8 to 8f63819 on November 29, 2023 07:49
spencerschrock approved these changes on Nov 29, 2023:
Thanks for the well tested PR! Left a few small comments
/scdiff generate Pinned-Dependencies
Trust files that are downloaded from `raw.githubusercontent.com` where the file's ref is a Git SHA and therefore immutable. Resolves #3339. Signed-off-by: martincostello <martin@martincostello.com>
- Add `hasUnpinnedURLs` function.
- Add test cases for different URLs.
Signed-off-by: martincostello <martin@martincostello.com>
Appease the linter. Signed-off-by: martincostello <martin@martincostello.com>
Suppress warning on three long URLs. Signed-off-by: martincostello <martin@martincostello.com>
Address peer review feedback. Signed-off-by: martincostello <martin@martincostello.com>
martincostello force-pushed the issue-3339 branch from ce6dee1 to c88c741 on November 30, 2023 09:23
Fix lint warning. Signed-off-by: martincostello <martin@martincostello.com>
spencerschrock approved these changes on Nov 30, 2023
ashearin pushed a commit to kgangerlm/scorecard-gitlab that referenced this pull request on Dec 4, 2023:

* Trust pinned GitHub download URLs
  Trust files that are downloaded from `raw.githubusercontent.com` where the file's ref is a Git SHA and therefore immutable. Resolves ossf#3339.
  Signed-off-by: martincostello <martin@martincostello.com>
* Move logic to function
  - Add `hasUnpinnedURLs` function.
  - Add test cases for different URLs.
  Signed-off-by: martincostello <martin@martincostello.com>
* Fix formatting
  Appease the linter.
  Signed-off-by: martincostello <martin@martincostello.com>
* Suppress lint warnings
  Suppress warning on three long URLs.
  Signed-off-by: martincostello <martin@martincostello.com>
* Address peer review
  Address peer review feedback.
  Signed-off-by: martincostello <martin@martincostello.com>
* Fix lint warning
  Fix lint warning.
  Signed-off-by: martincostello <martin@martincostello.com>

Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
What kind of change does this PR introduce?
Bug fix

What is the current behavior?
Files that are downloaded and executed from raw.githubusercontent.com, even if they are addressed by a Git SHA, are marked as `downloadThenRun` dependencies that are not pinned by hash.

What is the new behavior?
Files that are downloaded from raw.githubusercontent.com and are addressed by a Git SHA, and therefore immutable, are considered to be pinned by hash.

Which issue(s) this PR fixes
Fixes #3339

Special notes for your reviewer

Does this PR introduce a user-facing change?
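The rule this PR describes, a `raw.githubusercontent.com` download counts as pinned only when the ref segment of the path is a Git commit SHA, written out as a small Go program. This is an added example for this page, not scorecard's implementation: the commit messages above mention a `hasUnpinnedURLs` function, but the body below, the helper `isPinnedRawGitHubURL`, the URL tokenizer, the decision to accept only a full 40-hex-digit SHA (branch names, tags and abbreviated SHAs are rejected, since GitHub can resolve those to different content over time) and the sample commands are all assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// fullSHA matches a complete 40-hex-digit Git object ID. Abbreviated SHAs,
// branch names and tags are deliberately rejected: only a full commit SHA
// names immutable content on raw.githubusercontent.com.
var fullSHA = regexp.MustCompile(`(?i)^[0-9a-f]{40}$`)

// urlPattern is a simple tokenizer for URLs embedded in a shell command line.
// It stops at whitespace, quotes and common shell metacharacters.
var urlPattern = regexp.MustCompile(`https?://[^\s"'|;&<>()]+`)

// isPinnedRawGitHubURL reports whether raw points at raw.githubusercontent.com
// using a full commit SHA as the ref, i.e. /<owner>/<repo>/<sha>/<path>.
func isPinnedRawGitHubURL(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	if !strings.EqualFold(u.Hostname(), "raw.githubusercontent.com") {
		return false
	}
	// Expect owner, repo, ref and at least one path segment after the ref.
	parts := strings.Split(strings.TrimPrefix(u.Path, "/"), "/")
	if len(parts) < 4 {
		return false
	}
	return fullSHA.MatchString(parts[2])
}

// hasUnpinnedURLs scans a download-then-run command line and returns whether
// any URL in it is not pinned to immutable content, together with those URLs.
// Any host other than raw.githubusercontent.com is treated as unpinned, since
// nothing in such a URL proves the content cannot change.
func hasUnpinnedURLs(cmd string) (bool, []string) {
	var unpinned []string
	for _, u := range urlPattern.FindAllString(cmd, -1) {
		if !isPinnedRawGitHubURL(u) {
			unpinned = append(unpinned, u)
		}
	}
	return len(unpinned) > 0, unpinned
}

func main() {
	// Constructed sample commands for this example; they do not refer to any
	// real repository, and the 40-hex ref below is a made-up SHA.
	samples := []string{
		"curl -sSL https://raw.githubusercontent.com/example/tool/main/install.sh | sh",
		"curl -sSL https://raw.githubusercontent.com/example/tool/v1.2.3/install.sh | bash",
		"curl -sSL https://raw.githubusercontent.com/example/tool/0123456/install.sh | bash",
		"curl -sSL https://raw.githubusercontent.com/example/tool/0123456789abcdef0123456789abcdef01234567/install.sh | bash",
		"wget -qO- https://example.com/install.sh | sh",
	}
	for _, s := range samples {
		unpinned, urls := hasUnpinnedURLs(s)
		fmt.Printf("unpinned=%-5t %v\n", unpinned, urls)
	}
}
```

Only the fourth sample is reported as pinned. Note that a SHA-pinned URL proves the bytes are immutable, not that they are trustworthy; the point of pinning here is that what was reviewed once cannot silently change underneath a `curl | sh`.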