Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

⚠️ Allow probes to specify their own bad outcomes #4020

Merged
merged 11 commits into from
Apr 10, 2024
Merged

⚠️ Allow probes to specify their own bad outcomes #4020

merged 11 commits into from
Apr 10, 2024

Conversation

spencerschrock
Copy link
Contributor

@spencerschrock spencerschrock commented Apr 10, 2024
edited

What kind of change does this PR introduce?

structured result breaking change

What is the current behavior?

OutcomeNegative which was always assumed to be negative, got changed to OutcomeFalse, which isn't always a bad thing. Some probes detect dangerous behaviors, which would mean the remediation should be applied to OutcomeTrue.

What is the new behavior (if this is a feature change)?**

The github.com/ossf/scorecard/v4/finding/probe package was merged into github.com/ossf/scorecard/v4/finding.

Probes can declare in their YAML which outcome should cause the findings to have a remediation. This is done by specifying a onOutcome field under remediation in the yaml:

remediation:
  # can be True or False depending on how the probe is phrased
  onOutcome: True

This enables fixing the outcome/probe names for some probes.

  1. Several probes were phrased in a way that the conversion from OutcomePositive/Negative to True/False made the returned outcomes wrong because they identified bad behaviors. These were fixed so OutcomeTrue is interpreted negatively.
  • hasOSVVulnerabilities
  • hasDangerousWorkflowScriptInjection
  • hasDangerousWorkflowUntrustedCheckout
  1. Other probes were phrased in a way to avoid confusion mentioned in Feature: Rename OutcomePositive/Negative to something more aligned with the security implication of a probe finding #3866. These probes have been chnaged as follows:
  • notCreatedRecently -> createdRecently
  • freeOfAnyBinaryArtifacts -> hasBinaryArtifacts
  • freeOfUnverifiedBinaryArtifacts -> hasUnverifiedBinaryArtifacts
  • notArchived -> archived
  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #3654

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

NONE

@spencerschrock
merge probe and finding packages
998aba3 
No one interacts with the probes directly,
and having them in the same package helps with follow up commits

Signed-off-by: Spencer Schrock <sschrock@google.com>
@spencerschrock
add extra field to indicate the outcome a probe should show remediati…
eec4665 
…on for

Signed-off-by: Spencer Schrock <sschrock@google.com>
@spencerschrock
start all probes with remediate on 'False'
5784350 
Signed-off-by: Spencer Schrock <sschrock@google.com>
@spencerschrock
make OutcomeTrue bad for hasOSVVulnerabilities
2ba19ac 
Signed-off-by: Spencer Schrock <sschrock@google.com>
@spencerschrock
Copy link
Contributor Author

@laurentsimon this is still a WIP as I need to switch around more probes.

But this commit (eec4665) shows the new field
and this commit (2ba19ac) shows an example of the swap for hasOSVVulnerabilities

Does this generally match what you mentioned in our meeting today?

@laurentsimon
Copy link
Contributor

laurentsimon commented Apr 10, 2024
edited

@laurentsimon this is still a WIP as I need to switch around more probes.

But this commit (eec4665) shows the new field

I was thinking we'd create a new field in the def.yml:

- remediation
  on: true | false
  text: bla 
  ...

and use that to determine when remediation needs to be populated. Having in def.yml also helps with documentation

@laurentsimon
Copy link
Contributor

@laurentsimon this is still a WIP as I need to switch around more probes.
But this commit (eec4665) shows the new field

I was thinking we'd create a new field in the def.yml:

- remediation
  on: true | false
  text: bla 
  ...

and use that to determine when remediation needs to be populated. Having in def.yml also helps with documentation

Sorry, that's basically what you did - I missed the example .yml files and was looking for a def.yml. Yeah We're on the same page. +1 on having badOutcome private!

@spencerschrock
Copy link
Contributor Author

spencerschrock commented Apr 10, 2024
edited

@laurentsimon this is still a WIP as I need to switch around more probes.
But this commit (eec4665) shows the new field

I was thinking we'd create a new field in the def.yml:

- remediation
  on: true | false
  text: bla 
  ...

and use that to determine when remediation needs to be populated. Having in def.yml also helps with documentation

Sorry, that's basically what you did - I missed the example .yml files and was looking for a def.yml. Yeah We're on the same page. +1 on having badOutcome private!

For the yaml, I like the nested on: field better. Although it pollutes the Remediation struct which is used elsewhere. I'll play around with changes tomorrow.

@spencerschrock
nest outcome trigger under remediation in yaml
afda3aa 
Signed-off-by: Spencer Schrock <sschrock@google.com>
@spencerschrock
invert outcomes for dangerous workflow probes
c598756 
Signed-off-by: Spencer Schrock <sschrock@google.com>
@spencerschrock
rename notArchived probe to archived
5441485 
with the swap, the true outcome is now the bad outcome.

Signed-off-by: Spencer Schrock <sschrock@google.com>
@spencerschrock
rename notCreatedRecently probe to createRecently
c67cf2c 
with the rename, the true outcome is now bad

Signed-off-by: Spencer Schrock <sschrock@google.com>
@spencerschrock
switch binary artifact probes so detecting binaries is a true outcome
bb7e8a6 
Signed-off-by: Spencer Schrock <sschrock@google.com>
@spencerschrock
appease the linter
5358953 
Signed-off-by: Spencer Schrock <sschrock@google.com>
@spencerschrock
dont export probe type
1dc80d6 
we can always make it public again later

Signed-off-by: Spencer Schrock <sschrock@google.com>
@spencerschrock
Copy link
Contributor Author

/scdiff generate Pinned-Dependencies,Contributors,Security-Policy,Vulnerabilities,Branch-Protection,SAST,CII-Best-Practices,Dangerous-Workflow,Code-Review,Token-Permissions,Signed-Releases,Fuzzing,License,CI-Tests,Binary-Artifacts,Dependency-Update-Tool,Maintained,Packaging

@github-actions GitHub Actions
Copy link

Here's a link to the scdiff run

@spencerschrock spencerschrock marked this pull request as ready for review April 10, 2024 20:29
@spencerschrock spencerschrock requested a review from a team as a code owner April 10, 2024 20:29
@spencerschrock spencerschrock requested review from naveensrinivasan and removed request for a team April 10, 2024 20:29
@spencerschrock spencerschrock merged commit 6b071ed into ossf:main Apr 10, 2024
40 checks passed
@spencerschrock spencerschrock deleted the remediation-outcome branch April 10, 2024 21:12
This was referenced Apr 10, 2024
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@laurentsimon laurentsimon laurentsimon approved these changes

@naveensrinivasan naveensrinivasan Awaiting requested review from naveensrinivasan naveensrinivasan is a code owner automatically assigned from ossf/scorecard-maintainers

Assignees
No one assigned
Labels
None yet
Projects
Scorecard - NEW
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

evaluate probe outcomes for probes identifying negative behaviors
2 participants
@spencerschrock @laurentsimon