Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 Trust pinned GitHub download URLs #3694

Merged
merged 6 commits into from
Nov 30, 2023
Merged

🐛 Trust pinned GitHub download URLs #3694

merged 6 commits into from
Nov 30, 2023

Conversation

martincostello
Copy link
Contributor

What kind of change does this PR introduce?

Bug fix

What is the current behavior?

Files that are downloaded and executed from raw.githubusercontent.com, even if they are addressed by a Git SHA, are marked as downloadThenRun dependencies that are not pinned by hash.

What is the new behavior?

Files that are downloaded from raw.githubusercontent.com and are addressed by a Git SHA, and therefore immutable, are considered to be pinned by hash.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #3339

Special notes for your reviewer

Does this PR introduce a user-facing change?

Pinned-Dependencies: Files downloaded by Git SHA from GitHub and executed are no longer considered as not pinned by hash.

@codecov Codecov
Copy link

codecov bot commented Nov 27, 2023
edited
Loading

Codecov Report

Merging #3694 (d493588) into main (ce0b54e) will decrease coverage by 5.54%.
The diff coverage is 100.00%.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3694      +/-   ##
==========================================
- Coverage   76.31%   70.78%   -5.54%     
==========================================
  Files         210      210              
  Lines       14371    14395      +24     
==========================================
- Hits        10967    10189     -778     
- Misses       2757     3614     +857     
+ Partials      647      592      -55

@martincostello martincostello marked this pull request as ready for review November 27, 2023 16:27
@martincostello martincostello requested a review from a team as a code owner November 27, 2023 16:27
@martincostello martincostello requested review from raghavkaul and laurentsimon and removed request for a team November 27, 2023 16:27
spencerschrock
spencerschrock approved these changes Nov 29, 2023
View reviewed changes
Copy link
Contributor

@spencerschrock spencerschrock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the well tested PR! Left a few small comments

checks/raw/pinned_dependencies_test.go Outdated Show resolved Hide resolved
checks/raw/testdata/Dockerfile-curl-sh Show resolved Hide resolved
checks/raw/testdata/Dockerfile-wget-bin-sh Outdated Show resolved Hide resolved
checks/raw/shell_download_validate_test.go Show resolved Hide resolved
checks/raw/shell_download_validate_test.go Show resolved Hide resolved
@spencerschrock
Copy link
Contributor

/scdiff generate Pinned-Dependencies

@github-actions GitHub Actions
Copy link

Here's a link to the scdiff run

@spencerschrock spencerschrock mentioned this pull request Nov 29, 2023
Merged
2 tasks
@martincostello
Trust pinned GitHub download URLs
dfa618e 
 Trust files that are downloaded from `raw.githubusercontent.com` where the file's ref is a Git SHA and therefore immutable.
Resolves ossf#3339.
Signed-off-by: martincostello <martin@martincostello.com>
@martincostello
Move logic to function
e6e5e2b 
- Add `hasUnpinnedURLs` function.
- Add test cases for different URLs.
Signed-off-by: martincostello <martin@martincostello.com>
@martincostello
Fix formatting
ecf0582 
Appease the linter.
Signed-off-by: martincostello <martin@martincostello.com>
@martincostello
Suppress lint warnings
6d0b106 
Suppress warning on three long URLs.
Signed-off-by: martincostello <martin@martincostello.com>
@martincostello
Address peer review
c88c741 
Address peer review feedback.
Signed-off-by: martincostello <martin@martincostello.com>
@martincostello
Fix lint warning
d493588 
Fix lint warning.
Signed-off-by: martincostello <martin@martincostello.com>
@spencerschrock spencerschrock merged commit 0c40e14 into ossf:main Nov 30, 2023
38 checks passed
@martincostello martincostello deleted the issue-3339 branch November 30, 2023 19:41
ashearin pushed a commit to kgangerlm/scorecard-gitlab that referenced this pull request Dec 4, 2023
@martincostello @ashearin
🐛 Trust pinned GitHub download URLs (ossf#3694)
794b7ef 
* Trust pinned GitHub download URLs

 Trust files that are downloaded from `raw.githubusercontent.com` where the file's ref is a Git SHA and therefore immutable.
Resolves ossf#3339.
Signed-off-by: martincostello <martin@martincostello.com>

* Move logic to function

- Add `hasUnpinnedURLs` function.
- Add test cases for different URLs.
Signed-off-by: martincostello <martin@martincostello.com>

* Fix formatting

Appease the linter.
Signed-off-by: martincostello <martin@martincostello.com>

* Suppress lint warnings

Suppress warning on three long URLs.
Signed-off-by: martincostello <martin@martincostello.com>

* Address peer review

Address peer review feedback.
Signed-off-by: martincostello <martin@martincostello.com>

* Fix lint warning

Fix lint warning.
Signed-off-by: martincostello <martin@martincostello.com>
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
@spencerschrock spencerschrock mentioned this pull request Dec 4, 2023
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@spencerschrock spencerschrock spencerschrock approved these changes

@raghavkaul raghavkaul Awaiting requested review from raghavkaul raghavkaul is a code owner automatically assigned from ossf/scorecard-maintainers

@laurentsimon laurentsimon Awaiting requested review from laurentsimon

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Pinned-Dependencies incorrectly flags a pinned dependency downloaded from GitHub
3 participants
@martincostello @spencerschrock @laurentsimon