ossf/scorecard
1
1
Fork 0
mirror of https://github.com/ossf/scorecard.git synced 2024-09-11 00:45:36 +03:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity

Make permission check aware of GH Pages Action (#1902)

Browse Source 
* update

* update

* update
This commit is contained in:
laurentsimon 2022-05-11 18:41:37 -07:00 committed by GitHub
parent 2fc6fbb196
commit 0f30f4eec7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 83 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
checks/permissions.go
View File

@ -566,7 +566,22 @@ func requiresPackagesPermissions(workflow *actionlint.Workflow, fp string, dl ch
// requiresContentsPermissions returns true if the workflow requires the `contents: write` permission.
func requiresContentsPermissions(workflow *actionlint.Workflow, fp string, dl checker.DetailLogger) bool {
return isReleasingWorkflow(workflow, fp, dl)
return isReleasingWorkflow(workflow, fp, dl) || isGitHubPagesDeploymentWorkflow(workflow, fp, dl)
}
// isGitHubPagesDeploymentWorkflow returns true if the workflow involves pushing static pages to GitHub pages.
func isGitHubPagesDeploymentWorkflow(workflow *actionlint.Workflow, fp string, dl checker.DetailLogger) bool {
jobMatchers := []fileparser.JobMatcher{
{
Steps: []*fileparser.JobMatcherStep{
{
Uses: "peaceiris/actions-gh-pages",
},
},
LogText: "candidate GitHub page deployment workflow using peaceiris/actions-gh-pages",
},
}
return fileparser.AnyJobsMatch(workflow, jobMatchers, fp, dl, "not a GitHub Pages deployment workflow")
}
// isReleasingWorkflow returns true if the workflow involves creating a release on GitHub.

63
checks/permissions_test.go
View File

@ -63,7 +63,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MaxResultScore,
NumberOfWarn: 0,
NumberOfInfo: 1,
NumberOfDebug: 4,
NumberOfDebug: 5,
},
},
{
@ -74,7 +74,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MaxResultScore - 1,
NumberOfWarn: 1,
NumberOfInfo: 1,
NumberOfDebug: 4,
NumberOfDebug: 5,
},
},
{
@ -85,7 +85,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MinResultScore,
NumberOfWarn: 3,
NumberOfInfo: 2,
NumberOfDebug: 4,
NumberOfDebug: 5,
},
},
{
@ -96,7 +96,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MaxResultScore,
NumberOfWarn: 0,
NumberOfInfo: 2,
NumberOfDebug: 4,
NumberOfDebug: 5,
},
},
{
@ -107,7 +107,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MinResultScore,
NumberOfWarn: 1,
NumberOfInfo: 1,
NumberOfDebug: 4,
NumberOfDebug: 5,
},
},
{
@ -118,7 +118,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MaxResultScore,
NumberOfWarn: 0,
NumberOfInfo: 1,
NumberOfDebug: 5,
NumberOfDebug: 6,
},
},
{
@ -129,7 +129,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MinResultScore,
NumberOfWarn: 1,
NumberOfInfo: 0,
NumberOfDebug: 5,
NumberOfDebug: 6,
},
},
{
@ -140,7 +140,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MaxResultScore,
NumberOfWarn: 0,
NumberOfInfo: 1,
NumberOfDebug: 5,
NumberOfDebug: 6,
},
},
{
@ -151,7 +151,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MinResultScore,
NumberOfWarn: 1,
NumberOfInfo: 0,
NumberOfDebug: 5,
NumberOfDebug: 6,
},
},
{
@ -162,7 +162,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MaxResultScore,
NumberOfWarn: 0,
NumberOfInfo: 1,
NumberOfDebug: 6,
NumberOfDebug: 7,
},
},
{
@ -173,7 +173,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MaxResultScore,
NumberOfWarn: 0,
NumberOfInfo: 10,
NumberOfDebug: 5,
NumberOfDebug: 6,
},
},
{
@ -184,7 +184,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MaxResultScore,
NumberOfWarn: 0,
NumberOfInfo: 10,
NumberOfDebug: 5,
NumberOfDebug: 6,
},
},
{
@ -195,7 +195,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MaxResultScore,
NumberOfWarn: 0,
NumberOfInfo: 1,
NumberOfDebug: 5,
NumberOfDebug: 6,
},
},
{
@ -206,7 +206,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MaxResultScore - 1,
NumberOfWarn: 2,
NumberOfInfo: 2,
NumberOfDebug: 6,
NumberOfDebug: 7,
},
},
{
@ -217,7 +217,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MaxResultScore - 2,
NumberOfWarn: 2,
NumberOfInfo: 3,
NumberOfDebug: 5,
NumberOfDebug: 6,
},
},
{
@ -228,7 +228,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MinResultScore,
NumberOfWarn: 1,
NumberOfInfo: 2,
NumberOfDebug: 5,
NumberOfDebug: 6,
},
},
{
@ -239,7 +239,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MinResultScore,
NumberOfWarn: 1,
NumberOfInfo: 2,
NumberOfDebug: 5,
NumberOfDebug: 6,
},
},
{
@ -250,7 +250,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MinResultScore,
NumberOfWarn: 1,
NumberOfInfo: 1,
NumberOfDebug: 5,
NumberOfDebug: 6,
},
},
{
@ -272,7 +272,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MinResultScore,
NumberOfWarn: 1,
NumberOfInfo: 2,
NumberOfDebug: 3,
NumberOfDebug: 4,
},
},
{
@ -294,7 +294,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MaxResultScore,
NumberOfWarn: 0,
NumberOfInfo: 2,
NumberOfDebug: 4,
NumberOfDebug: 5,
},
},
{
@ -305,7 +305,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: 9,
NumberOfWarn: 1,
NumberOfInfo: 3,
NumberOfDebug: 4,
NumberOfDebug: 5,
},
},
{
@ -316,7 +316,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MaxResultScore - 1,
NumberOfWarn: 1,
NumberOfInfo: 1,
NumberOfDebug: 4,
NumberOfDebug: 5,
},
},
{
@ -330,7 +330,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MaxResultScore - 1,
NumberOfWarn: 1,
NumberOfInfo: 2,
NumberOfDebug: 9,
NumberOfDebug: 11,
},
},
{
@ -344,7 +344,7 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MinResultScore,
NumberOfWarn: 2,
NumberOfInfo: 1,
NumberOfDebug: 9,
NumberOfDebug: 11,
},
},
{
@ -358,7 +358,20 @@ func TestGithubTokenPermissions(t *testing.T) {
Score: checker.MinResultScore,
NumberOfWarn: 1,
NumberOfInfo: 1,
NumberOfDebug: 10,
NumberOfDebug: 12,
},
},
{
name: "read permission with GitHub pages write",
filenames: []string{
"./testdata/.github/workflows/github-workflow-permissions-gh-pages.yaml",
},
expected: scut.TestReturn{
Error: nil,
Score: checker.MaxResultScore,
NumberOfWarn: 0,
NumberOfInfo: 2,
NumberOfDebug: 5,
},
},
}

26
checks/testdata/.github/workflows/github-workflow-permissions-gh-pages.yaml vendored Normal file
View File

@ -0,0 +1,26 @@
# Copyright 2021 Security Scorecard Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: write-and-read workflow
on: [push]
permissions: read-all
jobs:
Explore-GitHub-Actions:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- run: echo "write-and-read workflow"
- uses: peaceiris/actions-gh-pages@v3

6
e2e/permissions_test.go
View File

@ -50,7 +50,7 @@ var _ = Describe("E2E TEST:"+checks.CheckTokenPermissions, func() {
Score: checker.MinResultScore,
NumberOfWarn: 1,
NumberOfInfo: 2,
NumberOfDebug: 5,
NumberOfDebug: 6,
}
result := checks.TokenPermissions(&req)
// New version.
@ -75,7 +75,7 @@ var _ = Describe("E2E TEST:"+checks.CheckTokenPermissions, func() {
Score: checker.MinResultScore,
NumberOfWarn: 1,
NumberOfInfo: 2,
NumberOfDebug: 5,
NumberOfDebug: 6,
}
result := checks.TokenPermissions(&req)
// New version.
@ -112,7 +112,7 @@ var _ = Describe("E2E TEST:"+checks.CheckTokenPermissions, func() {
Score: checker.MinResultScore,
NumberOfWarn: 1,
NumberOfInfo: 2,
NumberOfDebug: 5,
NumberOfDebug: 6,
}
result := checks.TokenPermissions(&req)
// New version.