scorecard/checks/signed_tags.go

// Copyright 2020 Security Scorecard Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package checks

import (
	"errors"

	"github.com/shurcooL/githubv4"

	"github.com/ossf/scorecard/checker"
)

const (
	// CheckSignedTags is the registered name for SignedTags.
	CheckSignedTags = "Signed-Tags"
	tagLookBack     = 5
)

// ErrorNoTags indicates no tags were found for this repo.
var ErrorNoTags = errors.New("no tags found")

//nolint:gochecknoinits
func init() {
	registerCheck(CheckSignedTags, SignedTags)
}

func SignedTags(c *checker.CheckRequest) checker.CheckResult {
	type ref struct {
		Name   githubv4.String
		Target struct {
			Oid githubv4.String
		}
	}
	var query struct {
		Repository struct {
			Refs struct {
				Nodes []ref
			} `graphql:"refs(refPrefix: \"refs/tags/\", last: $count)"`
		} `graphql:"repository(owner: $owner, name: $name)"`
	}

	variables := map[string]interface{}{
		"owner": githubv4.String(c.Owner),
		"name":  githubv4.String(c.Repo),
		"count": githubv4.Int(tagLookBack),
	}

	if err := c.GraphClient.Query(c.Ctx, &query, variables); err != nil {
		return checker.MakeRetryResult(CheckSignedTags, err)
	}
	totalTags := 0
	totalSigned := 0
	for _, t := range query.Repository.Refs.Nodes {
		sha := string(t.Target.Oid)
		totalTags++
		gt, _, err := c.Client.Git.GetTag(c.Ctx, c.Owner, c.Repo, sha)
		if err != nil {
			c.Logf("!! unable to find the annotated commit: %s", sha)
			continue
		}
		if gt.GetVerification().GetVerified() {
			c.Logf("verified tag found: %s, commit: %s", t.Name, sha)
			totalSigned++
		} else {
			c.Logf("!! unverified tag found: %s, commit: %s, reason: %s", t.Name, sha, gt.GetVerification().GetReason())
		}
	}

	if totalTags == 0 {
		c.Logf("no tags found")
		return checker.MakeInconclusiveResult(CheckSignedTags, ErrorNoTags)
	}

	c.Logf("found %d out of %d verified tags", totalSigned, totalTags)
	return checker.MakeProportionalResult(CheckSignedTags, totalSigned, totalTags, 0.8)
}
Add license header and code of conduct files. (#34) * Add license header and code of conduct files. * Fill missing field. 2020-10-26 23:22:13 +03:00			`// Copyright 2020 Security Scorecard Authors`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

Initial commit. 2020-10-09 17:47:59 +03:00			`package checks`

			`import (`
:sparkles: Add checks for workflow action pinning (#466) Patch by Laurent Simon <laurentsimon@google.com> Co-authored-by: Laurent Simon <laurentsimon@google.com> 2021-05-17 23:03:39 +03:00			`"errors"`

Use the GraphQL API to retrieve the list of tags in signed-tags. (#45) 2020-11-07 00:28:26 +03:00			`"github.com/shurcooL/githubv4"`
Add new linter: gci (#498) 2021-05-24 06:51:52 +03:00
			`"github.com/ossf/scorecard/checker"`
Initial commit. 2020-10-09 17:47:59 +03:00			`)`

🌱 : Reduce code duplication for follow-up cron refactoring (#338) * :sparkles: Refactor to reduce code duplication * :sparkles: * Move lib/ back to checker/ * Move lib/ back to checker/ * Move lib/ back to checker/ * Address PR comments. * Addressing PR comments. * Avoid printing `ShouldRetry` and `Error` in output JSON. * Fix JSON output. Co-authored-by: Azeem Shaikh <azeems@google.com> 2021-04-10 15:26:56 +03:00			`const (`
Export registered check names (#518) Co-authored-by: Azeem Shaikh <azeems@google.com> 2021-05-28 00:54:34 +03:00			`// CheckSignedTags is the registered name for SignedTags.`
			`CheckSignedTags = "Signed-Tags"`
			`tagLookBack = 5`
🌱 : Reduce code duplication for follow-up cron refactoring (#338) * :sparkles: Refactor to reduce code duplication * :sparkles: * Move lib/ back to checker/ * Move lib/ back to checker/ * Move lib/ back to checker/ * Address PR comments. * Addressing PR comments. * Avoid printing `ShouldRetry` and `Error` in output JSON. * Fix JSON output. Co-authored-by: Azeem Shaikh <azeems@google.com> 2021-04-10 15:26:56 +03:00			`)`
Fix issue with negative proportional result, also shorten tag lookback. (#13) 2020-10-16 19:55:25 +03:00
🌱 Fix lint issues: Replace golint with revive (#493) * Fix lint issues: Replace golint with revive golint is deprecated and recommended to be replaced with revive * Updating comments to be more accurate * Updating comments again Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com> 2021-05-24 21:34:33 +03:00			`// ErrorNoTags indicates no tags were found for this repo.`
			`var ErrorNoTags = errors.New("no tags found")`
Fix lint issues: goerr113 linter (#491) Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com> 2021-05-22 22:36:47 +03:00
🌱Fix lint issues: gochecknoinits linter (#485) * Fix lint issues: gochecknoinits linter * Fix lint issues: gochecknoinits linter 2021-05-22 20:19:52 +03:00			`//nolint:gochecknoinits`
Initial commit. 2020-10-09 17:47:59 +03:00			`func init() {`
Export registered check names (#518) Co-authored-by: Azeem Shaikh <azeems@google.com> 2021-05-28 00:54:34 +03:00			`registerCheck(CheckSignedTags, SignedTags)`
Initial commit. 2020-10-09 17:47:59 +03:00			`}`

:bug: Fix linting issues (1 of n) (#348) * Fix lint issues: whitespace linter * Fix lint issues: wrapcheck linter * Fix lint issues: errcheck linter * Fix lint issues: paralleltest linter * Fix lint issues: gocritic linter Most changes from this commit are from passing checker.CheckResult by reference and not by value. gocritic identified that as a huge parameter. gocritic also prefers regexp.MustCompile over Compile when the pattern is a const 2021-04-19 22:18:34 +03:00			`func SignedTags(c *checker.CheckRequest) checker.CheckResult {`
Use the GraphQL API to retrieve the list of tags in signed-tags. (#45) 2020-11-07 00:28:26 +03:00			`type ref struct {`
			`Name githubv4.String`
			`Target struct {`
			`Oid githubv4.String`
			`}`
			`}`
			`var query struct {`
			`Repository struct {`
			`Refs struct {`
			`Nodes []ref`
Bug fixes - Fix typo for default output function. - For signed tags, get the only required last 5. matches signed releases. 2020-11-10 05:13:59 +03:00			} `graphql:"refs(refPrefix: \"refs/tags/\", last: $count)"`
Use the GraphQL API to retrieve the list of tags in signed-tags. (#45) 2020-11-07 00:28:26 +03:00			} `graphql:"repository(owner: $owner, name: $name)"`
			`}`

			`variables := map[string]interface{}{`
			`"owner": githubv4.String(c.Owner),`
			`"name": githubv4.String(c.Repo),`
Bug fixes - Fix typo for default output function. - For signed tags, get the only required last 5. matches signed releases. 2020-11-10 05:13:59 +03:00			`"count": githubv4.Int(tagLookBack),`
Use the GraphQL API to retrieve the list of tags in signed-tags. (#45) 2020-11-07 00:28:26 +03:00			`}`

			`if err := c.GraphClient.Query(c.Ctx, &query, variables); err != nil {`
Export registered check names (#518) Co-authored-by: Azeem Shaikh <azeems@google.com> 2021-05-28 00:54:34 +03:00			`return checker.MakeRetryResult(CheckSignedTags, err)`
Initial commit. 2020-10-09 17:47:59 +03:00			`}`
Adjust details logging on a few checks Log positive results in Pull-Requests and update log messages in Signed-Releases and Signed-Tags. 2020-12-21 01:10:05 +03:00			`totalTags := 0`
Initial commit. 2020-10-09 17:47:59 +03:00			`totalSigned := 0`
Use the GraphQL API to retrieve the list of tags in signed-tags. (#45) 2020-11-07 00:28:26 +03:00			`for _, t := range query.Repository.Refs.Nodes {`
			`sha := string(t.Target.Oid)`
Adjust details logging on a few checks Log positive results in Pull-Requests and update log messages in Signed-Releases and Signed-Tags. 2020-12-21 01:10:05 +03:00			`totalTags++`
Use the GraphQL API to retrieve the list of tags in signed-tags. (#45) 2020-11-07 00:28:26 +03:00			`gt, _, err := c.Client.Git.GetTag(c.Ctx, c.Owner, c.Repo, sha)`
Initial commit. 2020-10-09 17:47:59 +03:00			`if err != nil {`
Add colon before sha. 2021-02-12 22:25:13 +03:00			`c.Logf("!! unable to find the annotated commit: %s", sha)`
Fixes - verifiedtag checks The reason the tags aren't working for certain repositories is that because the Lightweight Tags vs Annotated Tags >Basically, lightweight tags are just pointers to specific commits. No further information is saved; on the other hand, annotated tags are regular objects, which have an author and a date and can be referred because they have their own SHA key. https://api.github.com/repos/ossf/scorecard/git/refs/tags ``` [ { "ref": "refs/tags/v1.0.0", "node_id": "MDM6UmVmMzAyNjcwNzk3OnJlZnMvdGFncy92MS4wLjA=", "url": "https://api.github.com/repos/ossf/scorecard/git/refs/tags/v1.0.0", "object": { "sha": "87997ffb5724cb479223a08a2890c60b0ea4bfbd", "type": "commit", "url": "https://api.github.com/repos/ossf/scorecard/git/commits/87997ffb5724cb479223a08a2890c60b0ea4bfbd" } }, { "ref": "refs/tags/v1.1.0", "node_id": "MDM6UmVmMzAyNjcwNzk3OnJlZnMvdGFncy92MS4xLjA=", "url": "https://api.github.com/repos/ossf/scorecard/git/refs/tags/v1.1.0", "object": { "sha": "f2c633854602cf0c8f33164a169fb0a8454bee01", "type": "tag", "url": "https://api.github.com/repos/ossf/scorecard/git/tags/f2c633854602cf0c8f33164a169fb0a8454bee01" } } ] ``` Annotated tags https://api.github.com/repos/kubernetes/kubernetes/git/refs/tags ``` [ { "ref": "refs/tags/v0.2", "node_id": "MDM6UmVmMjA1ODA0OTg6cmVmcy90YWdzL3YwLjI=", "url": "https://api.github.com/repos/kubernetes/kubernetes/git/refs/tags/v0.2", "object": { "sha": "64dbf9ae21dd0deb485f88b79b96eb35ca855138", "type": "tag", "url": "https://api.github.com/repos/kubernetes/kubernetes/git/tags/64dbf9ae21dd0deb485f88b79b96eb35ca855138" } } ] ``` The look for the tag fails because of there isn't a tag object but only a commit object. https://api.github.com/repos/ossf/scorecard/git/commits/87997ffb5724cb479223a08a2890c60b0ea4bfbd fixes #107 2021-02-12 20:51:11 +03:00			`continue`
Initial commit. 2020-10-09 17:47:59 +03:00			`}`
			`if gt.GetVerification().GetVerified() {`
Show negative results in Signed-Tags details Negative results logged with a "!!" prefix. Updates #95 $ go run . --repo=github.com/cilium/cilium --show-details --checks=Signed-Tags Starting [Signed-Tags] Finished [Signed-Tags] RESULTS ------- Signed-Tags: Fail 4 verified tag found: v1.9.0-rc1, commit: a46b5c308779b00676bcbffe6847701984fb7ec7 !! unverified tag found: v1.9.0-rc2, commit: 2ee8e4659ad4050154eb83008ba6434bddad44eb, reason: unsigned verified tag found: v1.9.0-rc3, commit: ee77e846a9b85e318d6d077c801e2615d5e7dbe3 !! unverified tag found: v1.9.0, commit: 1cdd547dce26adb046d117494d559c64007365fd, reason: unsigned verified tag found: v1.9.1, commit: bb4abe1720cb56c6a5f74d0567665555ad8434f1 found 3 of 5 verified tags 2020-12-20 23:28:45 +03:00			`c.Logf("verified tag found: %s, commit: %s", t.Name, sha)`
Initial commit. 2020-10-09 17:47:59 +03:00			`totalSigned++`
Show negative results in Signed-Tags details Negative results logged with a "!!" prefix. Updates #95 $ go run . --repo=github.com/cilium/cilium --show-details --checks=Signed-Tags Starting [Signed-Tags] Finished [Signed-Tags] RESULTS ------- Signed-Tags: Fail 4 verified tag found: v1.9.0-rc1, commit: a46b5c308779b00676bcbffe6847701984fb7ec7 !! unverified tag found: v1.9.0-rc2, commit: 2ee8e4659ad4050154eb83008ba6434bddad44eb, reason: unsigned verified tag found: v1.9.0-rc3, commit: ee77e846a9b85e318d6d077c801e2615d5e7dbe3 !! unverified tag found: v1.9.0, commit: 1cdd547dce26adb046d117494d559c64007365fd, reason: unsigned verified tag found: v1.9.1, commit: bb4abe1720cb56c6a5f74d0567665555ad8434f1 found 3 of 5 verified tags 2020-12-20 23:28:45 +03:00			`} else {`
			`c.Logf("!! unverified tag found: %s, commit: %s, reason: %s", t.Name, sha, gt.GetVerification().GetReason())`
Initial commit. 2020-10-09 17:47:59 +03:00			`}`
			`}`

Adjust details logging on a few checks Log positive results in Pull-Requests and update log messages in Signed-Releases and Signed-Tags. 2020-12-21 01:10:05 +03:00			`if totalTags == 0 {`
			`c.Logf("no tags found")`
Export registered check names (#518) Co-authored-by: Azeem Shaikh <azeems@google.com> 2021-05-28 00:54:34 +03:00			`return checker.MakeInconclusiveResult(CheckSignedTags, ErrorNoTags)`
Show negative results in Signed-Tags details Negative results logged with a "!!" prefix. Updates #95 $ go run . --repo=github.com/cilium/cilium --show-details --checks=Signed-Tags Starting [Signed-Tags] Finished [Signed-Tags] RESULTS ------- Signed-Tags: Fail 4 verified tag found: v1.9.0-rc1, commit: a46b5c308779b00676bcbffe6847701984fb7ec7 !! unverified tag found: v1.9.0-rc2, commit: 2ee8e4659ad4050154eb83008ba6434bddad44eb, reason: unsigned verified tag found: v1.9.0-rc3, commit: ee77e846a9b85e318d6d077c801e2615d5e7dbe3 !! unverified tag found: v1.9.0, commit: 1cdd547dce26adb046d117494d559c64007365fd, reason: unsigned verified tag found: v1.9.1, commit: bb4abe1720cb56c6a5f74d0567665555ad8434f1 found 3 of 5 verified tags 2020-12-20 23:28:45 +03:00			`}`

Adjust details logging on a few checks Log positive results in Pull-Requests and update log messages in Signed-Releases and Signed-Tags. 2020-12-21 01:10:05 +03:00			`c.Logf("found %d out of %d verified tags", totalSigned, totalTags)`
Export registered check names (#518) Co-authored-by: Azeem Shaikh <azeems@google.com> 2021-05-28 00:54:34 +03:00			`return checker.MakeProportionalResult(CheckSignedTags, totalSigned, totalTags, 0.8)`
Initial commit. 2020-10-09 17:47:59 +03:00			`}`