scorecard/checks/permissions.go

65 lines
2.1 KiB
Go
Raw Normal View History

// Copyright 2021 OpenSSF Scorecard Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package checks
import (
"github.com/ossf/scorecard/v5/checker"
"github.com/ossf/scorecard/v5/checks/evaluation"
"github.com/ossf/scorecard/v5/checks/raw"
sce "github.com/ossf/scorecard/v5/errors"
"github.com/ossf/scorecard/v5/probes"
"github.com/ossf/scorecard/v5/probes/zrunner"
)
// CheckTokenPermissions is the exported name for Token-Permissions check.
const CheckTokenPermissions = "Token-Permissions"
//nolint:gochecknoinits
func init() {
supportedRequestTypes := []checker.RequestType{
checker.FileBased,
checker.CommitBased,
}
if err := registerCheck(CheckTokenPermissions, TokenPermissions, supportedRequestTypes); err != nil {
// This should never happen.
panic(err)
}
}
// TokenPermissions will run the Token-Permissions check.
func TokenPermissions(c *checker.CheckRequest) checker.CheckResult {
rawData, err := raw.TokenPermissions(c)
if err != nil {
e := sce.WithMessage(sce.ErrScorecardInternal, err.Error())
return checker.CreateRuntimeErrorResult(CheckTokenPermissions, e)
}
:seedling: migrate token permission check to probes (#3816) * :seedling: migrate token permission check to probes Signed-off-by: Adam Korczynski <adam@adalogics.com> * combine seperate write-probes into two that combine them all Signed-off-by: AdamKorcz <adam@adalogics.com> * change write probes to read and write Signed-off-by: AdamKorcz <adam@adalogics.com> * minor nit Signed-off-by: AdamKorcz <adam@adalogics.com> * remove WritaAll probes Signed-off-by: Adam Korczynski <adam@adalogics.com> * Merge read-perm probe with job/top probes Signed-off-by: Adam Korczynski <adam@adalogics.com> * minor refactoring Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix copy paste error Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix linter issues and restructure code Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove hasGitHubWorkflowPermissionNone probe Signed-off-by: Adam Korczynski <adam@adalogics.com> * Remove 'hasGitHubWorkflowPermissionUndeclared' probe Signed-off-by: Adam Korczynski <adam@adalogics.com> * bit of clean up Signed-off-by: Adam Korczynski <adam@adalogics.com> * reduce code complexity and remove comment Signed-off-by: Adam Korczynski <adam@adalogics.com> * simplify file location Signed-off-by: Adam Korczynski <adam@adalogics.com> * change probe text Signed-off-by: Adam Korczynski <adam@adalogics.com> * invert name of probe Signed-off-by: Adam Korczynski <adam@adalogics.com> * OutcomeNotApplicable -> OutcomeError Signed-off-by: Adam Korczynski <adam@adalogics.com> * OutcomeNotAvailable -> OutcomeNotApplicable Signed-off-by: Adam Korczynski <adam@adalogics.com> * more OutcomeNotAvailable -> OutcomeNotApplicable Signed-off-by: Adam Korczynski <adam@adalogics.com> * change name of 'notAvailableOrNotApplicable' Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix linter issues Signed-off-by: Adam Korczynski <adam@adalogics.com> * add comments to remediation fields Signed-off-by: Adam Korczynski <adam@adalogics.com> * add check for nil-dereference Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove the permissionLocation finding value Signed-off-by: Adam Korczynski <adam@adalogics.com> * rename checkAndLogNotAvailableOrNotApplicable to isBothUndeclaredAndNotAvailableOrNotApplicable Signed-off-by: Adam Korczynski <adam@adalogics.com> * use raw metadata for remediation output Signed-off-by: Adam Korczynski <adam@adalogics.com> * change 'branch' to 'defaultBranch' Signed-off-by: Adam Korczynski <adam@adalogics.com> * remove unused fields in rule Remediation Signed-off-by: Adam Korczynski <adam@adalogics.com> * fix remediation Signed-off-by: Adam Korczynski <adam@adalogics.com> * change 'metadata.defaultBranch' to 'metadata.repository.defaultBranch' Signed-off-by: Adam Korczynski <adam@adalogics.com> --------- Signed-off-by: Adam Korczynski <adam@adalogics.com> Signed-off-by: AdamKorcz <adam@adalogics.com>
2024-03-22 20:38:02 +03:00
// Set the raw results.
pRawResults := getRawResults(c)
pRawResults.TokenPermissionsResults = rawData
// Evaluate the probes.
findings, err := zrunner.Run(pRawResults, probes.TokenPermissions)
if err != nil {
e := sce.WithMessage(sce.ErrScorecardInternal, err.Error())
return checker.CreateRuntimeErrorResult(CheckTokenPermissions, e)
}
// Return the score evaluation.
ret := evaluation.TokenPermissions(CheckTokenPermissions, findings, c.Dlogger)
ret.Findings = findings
return ret
}