🐛 Support renamed gradle verification action and callers which pin to hash #4097

merged 2 commits into from
May 9, 2024
30 changes: 2 additions & 28 deletions checks/raw/binary_artifact.go
Expand Up @@ -19,11 +19,9 @@ import (
"fmt"
"io"
"path/filepath"
"regexp"
"strings"
"unicode/utf8"

semver "github.com/Masterminds/semver/v3"
"github.com/h2non/filetype"
"github.com/h2non/filetype/types"
"github.com/rhysd/actionlint"
Expand All @@ -35,23 +33,9 @@ import (
"github.com/ossf/scorecard/v5/finding"
)

var (
gradleWrapperValidationActionRegex = regexp.MustCompile(`^gradle\/wrapper-validation-action@v?(.+)$`)
gradleWrapperValidationActionVersionConstraint = mustParseConstraint(`>= 1.0.0`)
)

// how many bytes are considered when determining if a file is text or binary.
const binaryTestLen = 1024

// mustParseConstraint attempts parse of semver constraint, panics if fail.
func mustParseConstraint(c string) *semver.Constraints {
if c, err := semver.NewConstraint(c); err != nil {
panic(fmt.Errorf("failed to parse constraint: %w", err))
} else {
return c
}
}

// BinaryArtifacts retrieves the raw data for the Binary-Artifacts check.
func BinaryArtifacts(req *checker.CheckRequest) (checker.BinaryArtifactData, error) {
c := req.RepoClient
Expand Down Expand Up @@ -266,18 +250,8 @@ func checkWorkflowValidatesGradleWrapper(path string, content []byte, args ...in
if ea.Uses == nil {
continue
}
sms := gradleWrapperValidationActionRegex.FindStringSubmatch(ea.Uses.Value)
if len(sms) > 1 {
v, err := semver.NewVersion(sms[1])
if err != nil {
// Couldn't parse version, hopefully another step has
// a correct one.
continue
}
if !gradleWrapperValidationActionVersionConstraint.Check(v) {
// Version out of acceptable range.
continue
}
if strings.HasPrefix(ea.Uses.Value, "gradle/wrapper-validation-action@") ||
strings.HasPrefix(ea.Uses.Value, "gradle/actions/wrapper-validation@") {
// OK! This is it.
*validatingWorkflowFile = filepath.Base(path)
return false, nil
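Review bot: The two new `strings.HasPrefix` lines accept whatever follows the `@` — a tag, a branch name or a pinned commit hash — but the surviving `// OK! This is it.` comment no longer says that this is deliberate, and nothing records that the `>= 1.0.0` floor enforced by the removed regex/semver code is intentionally gone. A comment above the condition along the lines of `// Match the legacy action name or its new home under gradle/actions. Any ref (tag, branch or pinned SHA) counts: a version floor cannot be applied to hash-pinned callers, which is why the old semver check was dropped.` would keep the next maintainer from reintroducing a version parse that breaks hash-pinned workflows. I believe GitHub resolves the owner/repo part of `uses:` case-insensitively, so a workflow written as `Gradle/wrapper-validation-action@...` would be missed by the case-sensitive prefix test; if that matters, compare against `strings.ToLower(ea.Uses.Value)`. checkWorkflowValidatesGradleWrapper begins and ends outside the hunk.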
17 changes: 15 additions & 2 deletions checks/raw/binary_artifact_test.go
Expand Up @@ -164,13 +164,26 @@ func TestBinaryArtifacts(t *testing.T) {
expect: 1,
},
{
name: "gradle-wrapper.jar with outdated verification action",
name: "gradle-wrapper.jar with new verification action",
err: nil,
files: [][]string{
{"../testdata/binaryartifacts/jars/gradle-wrapper.jar"},
{
"../testdata/binaryartifacts/workflows/nonverify.yaml",
"../testdata/binaryartifacts/workflows/verify-outdated-action.yaml",
"../testdata/binaryartifacts/workflows/verify-new-gradle-name.yaml",
},
},
successfulWorkflowRuns: []clients.WorkflowRun{
{
HeadSHA: strptr("sha-a"),
},
},
commits: []clients.Commit{
{
SHA: "sha-a",
},
{
SHA: "sha-old",
},
},
getFileContentCount: 3,
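Review bot: The replaced test case only covers the renamed action (`verify-new-gradle-name.yaml`, which the fixture hunk below shows using `gradle/actions/wrapper-validation@v3`); nothing visible in this hunk exercises the other half of the PR title, a caller that pins `gradle/wrapper-validation-action@<commit hash>`, and that path is exactly the one the old semver parse rejected. A second table entry reusing the same `successfulWorkflowRuns`/`commits` setup with a fixture whose `uses:` ref is a SHA would pin that behaviour; if such a case exists further down the table it is outside this hunk. The test table and TestBinaryArtifacts continue beyond the hunk.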
Expand Up @@ -6,7 +6,6 @@ jobs:
name: "GW Validate Job"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4
- name: GW Validate Step
# this is a made-up outdated version of the action:
uses: gradle/wrapper-validation-action@v0.1.0
uses: gradle/actions/wrapper-validation@v3
1 change: 0 additions & 1 deletion go.mod
Expand Up @@ -39,7 +39,6 @@ require (
)

require (
github.com/Masterminds/semver/v3 v3.2.1
github.com/caarlos0/env/v6 v6.10.0
github.com/gobwas/glob v0.2.3
github.com/google/go-github/v53 v53.2.0
2 changes: 0 additions & 2 deletions go.sum
Expand Up @@ -89,8 +89,6 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
github.com/CycloneDX/cyclonedx-go v0.8.0 h1:FyWVj6x6hoJrui5uRQdYZcSievw3Z32Z88uYzG/0D6M=
github.com/CycloneDX/cyclonedx-go v0.8.0/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk=
github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14=
github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=