mirror of
https://github.com/ossf/scorecard.git
synced 2024-09-17 11:57:12 +03:00
✨ Reduce false positives in Token-Permissions for contents permission (#1253)
* fix * tests
This commit is contained in:
parent
63e3b92466
commit
4502dfb557
@ -374,6 +374,9 @@ func createIgnoredPermissions(s, fp string, dl checker.DetailLogger) map[string]
|
|||||||
if requiresPackagesPermissions(s, fp, dl) {
|
if requiresPackagesPermissions(s, fp, dl) {
|
||||||
ignoredPermissions["packages"] = true
|
ignoredPermissions["packages"] = true
|
||||||
}
|
}
|
||||||
|
if requiresContentsPermissions(s, fp, dl) {
|
||||||
|
ignoredPermissions["contents"] = true
|
||||||
|
}
|
||||||
if isSARIFUploadWorkflow(s, fp, dl) {
|
if isSARIFUploadWorkflow(s, fp, dl) {
|
||||||
ignoredPermissions["security-events"] = true
|
ignoredPermissions["security-events"] = true
|
||||||
}
|
}
|
||||||
@ -463,3 +466,11 @@ func requiresPackagesPermissions(s, fp string, dl checker.DetailLogger) bool {
|
|||||||
// workflow is a packaging workflow.
|
// workflow is a packaging workflow.
|
||||||
return isPackagingWorkflow(s, fp, dl)
|
return isPackagingWorkflow(s, fp, dl)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Note: this needs to be improved.
|
||||||
|
// Currently we don't differentiate between publishing on GitHub vs
|
||||||
|
// pubishing on registries. In terms of risk, both are similar, as
|
||||||
|
// an attacker would gain the ability to push a package.
|
||||||
|
func requiresContentsPermissions(s, fp string, dl checker.DetailLogger) bool {
|
||||||
|
return requiresPackagesPermissions(s, fp, dl)
|
||||||
|
}
|
||||||
|
@ -40,7 +40,7 @@ func TestGithubTokenPermissions(t *testing.T) {
|
|||||||
Score: checker.MaxResultScore,
|
Score: checker.MaxResultScore,
|
||||||
NumberOfWarn: 0,
|
NumberOfWarn: 0,
|
||||||
NumberOfInfo: 1,
|
NumberOfInfo: 1,
|
||||||
NumberOfDebug: 3,
|
NumberOfDebug: 4,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -51,7 +51,7 @@ func TestGithubTokenPermissions(t *testing.T) {
|
|||||||
Score: checker.MaxResultScore - 1,
|
Score: checker.MaxResultScore - 1,
|
||||||
NumberOfWarn: 1,
|
NumberOfWarn: 1,
|
||||||
NumberOfInfo: 1,
|
NumberOfInfo: 1,
|
||||||
NumberOfDebug: 3,
|
NumberOfDebug: 4,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -62,7 +62,7 @@ func TestGithubTokenPermissions(t *testing.T) {
|
|||||||
Score: checker.MinResultScore,
|
Score: checker.MinResultScore,
|
||||||
NumberOfWarn: 3,
|
NumberOfWarn: 3,
|
||||||
NumberOfInfo: 2,
|
NumberOfInfo: 2,
|
||||||
NumberOfDebug: 3,
|
NumberOfDebug: 4,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -72,7 +72,7 @@ func TestGithubTokenPermissions(t *testing.T) {
|
|||||||
Error: nil,
|
Error: nil,
|
||||||
Score: checker.MaxResultScore,
|
Score: checker.MaxResultScore,
|
||||||
NumberOfWarn: 0,
|
NumberOfWarn: 0,
|
||||||
NumberOfInfo: 2,
|
NumberOfInfo: 3,
|
||||||
NumberOfDebug: 3,
|
NumberOfDebug: 3,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@ -84,7 +84,7 @@ func TestGithubTokenPermissions(t *testing.T) {
|
|||||||
Score: checker.MinResultScore,
|
Score: checker.MinResultScore,
|
||||||
NumberOfWarn: 1,
|
NumberOfWarn: 1,
|
||||||
NumberOfInfo: 1,
|
NumberOfInfo: 1,
|
||||||
NumberOfDebug: 3,
|
NumberOfDebug: 4,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -95,7 +95,7 @@ func TestGithubTokenPermissions(t *testing.T) {
|
|||||||
Score: checker.MaxResultScore,
|
Score: checker.MaxResultScore,
|
||||||
NumberOfWarn: 0,
|
NumberOfWarn: 0,
|
||||||
NumberOfInfo: 1,
|
NumberOfInfo: 1,
|
||||||
NumberOfDebug: 4,
|
NumberOfDebug: 5,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -106,7 +106,7 @@ func TestGithubTokenPermissions(t *testing.T) {
|
|||||||
Score: checker.MinResultScore,
|
Score: checker.MinResultScore,
|
||||||
NumberOfWarn: 1,
|
NumberOfWarn: 1,
|
||||||
NumberOfInfo: 0,
|
NumberOfInfo: 0,
|
||||||
NumberOfDebug: 4,
|
NumberOfDebug: 5,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -117,7 +117,7 @@ func TestGithubTokenPermissions(t *testing.T) {
|
|||||||
Score: checker.MaxResultScore,
|
Score: checker.MaxResultScore,
|
||||||
NumberOfWarn: 0,
|
NumberOfWarn: 0,
|
||||||
NumberOfInfo: 1,
|
NumberOfInfo: 1,
|
||||||
NumberOfDebug: 4,
|
NumberOfDebug: 5,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -128,7 +128,7 @@ func TestGithubTokenPermissions(t *testing.T) {
|
|||||||
Score: checker.MinResultScore,
|
Score: checker.MinResultScore,
|
||||||
NumberOfWarn: 1,
|
NumberOfWarn: 1,
|
||||||
NumberOfInfo: 0,
|
NumberOfInfo: 0,
|
||||||
NumberOfDebug: 4,
|
NumberOfDebug: 5,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -139,7 +139,7 @@ func TestGithubTokenPermissions(t *testing.T) {
|
|||||||
Score: checker.MaxResultScore,
|
Score: checker.MaxResultScore,
|
||||||
NumberOfWarn: 0,
|
NumberOfWarn: 0,
|
||||||
NumberOfInfo: 1,
|
NumberOfInfo: 1,
|
||||||
NumberOfDebug: 5,
|
NumberOfDebug: 6,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -150,7 +150,7 @@ func TestGithubTokenPermissions(t *testing.T) {
|
|||||||
Score: checker.MaxResultScore,
|
Score: checker.MaxResultScore,
|
||||||
NumberOfWarn: 0,
|
NumberOfWarn: 0,
|
||||||
NumberOfInfo: 10,
|
NumberOfInfo: 10,
|
||||||
NumberOfDebug: 4,
|
NumberOfDebug: 5,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -161,7 +161,7 @@ func TestGithubTokenPermissions(t *testing.T) {
|
|||||||
Score: checker.MaxResultScore,
|
Score: checker.MaxResultScore,
|
||||||
NumberOfWarn: 0,
|
NumberOfWarn: 0,
|
||||||
NumberOfInfo: 10,
|
NumberOfInfo: 10,
|
||||||
NumberOfDebug: 4,
|
NumberOfDebug: 5,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -172,7 +172,7 @@ func TestGithubTokenPermissions(t *testing.T) {
|
|||||||
Score: checker.MaxResultScore,
|
Score: checker.MaxResultScore,
|
||||||
NumberOfWarn: 0,
|
NumberOfWarn: 0,
|
||||||
NumberOfInfo: 1,
|
NumberOfInfo: 1,
|
||||||
NumberOfDebug: 4,
|
NumberOfDebug: 5,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -183,7 +183,7 @@ func TestGithubTokenPermissions(t *testing.T) {
|
|||||||
Score: checker.MaxResultScore - 1,
|
Score: checker.MaxResultScore - 1,
|
||||||
NumberOfWarn: 2,
|
NumberOfWarn: 2,
|
||||||
NumberOfInfo: 2,
|
NumberOfInfo: 2,
|
||||||
NumberOfDebug: 5,
|
NumberOfDebug: 6,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -194,7 +194,7 @@ func TestGithubTokenPermissions(t *testing.T) {
|
|||||||
Score: checker.MaxResultScore - 2,
|
Score: checker.MaxResultScore - 2,
|
||||||
NumberOfWarn: 2,
|
NumberOfWarn: 2,
|
||||||
NumberOfInfo: 3,
|
NumberOfInfo: 3,
|
||||||
NumberOfDebug: 4,
|
NumberOfDebug: 5,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -205,7 +205,7 @@ func TestGithubTokenPermissions(t *testing.T) {
|
|||||||
Score: checker.MinResultScore,
|
Score: checker.MinResultScore,
|
||||||
NumberOfWarn: 1,
|
NumberOfWarn: 1,
|
||||||
NumberOfInfo: 2,
|
NumberOfInfo: 2,
|
||||||
NumberOfDebug: 4,
|
NumberOfDebug: 5,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -216,7 +216,7 @@ func TestGithubTokenPermissions(t *testing.T) {
|
|||||||
Score: checker.MinResultScore,
|
Score: checker.MinResultScore,
|
||||||
NumberOfWarn: 1,
|
NumberOfWarn: 1,
|
||||||
NumberOfInfo: 2,
|
NumberOfInfo: 2,
|
||||||
NumberOfDebug: 4,
|
NumberOfDebug: 5,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -227,7 +227,7 @@ func TestGithubTokenPermissions(t *testing.T) {
|
|||||||
Score: checker.MinResultScore,
|
Score: checker.MinResultScore,
|
||||||
NumberOfWarn: 1,
|
NumberOfWarn: 1,
|
||||||
NumberOfInfo: 1,
|
NumberOfInfo: 1,
|
||||||
NumberOfDebug: 4,
|
NumberOfDebug: 5,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -241,6 +241,28 @@ func TestGithubTokenPermissions(t *testing.T) {
|
|||||||
NumberOfDebug: 0,
|
NumberOfDebug: 0,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "release workflow write",
|
||||||
|
filename: "./testdata/github-workflow-permissions-release-writes.yaml",
|
||||||
|
expected: scut.TestReturn{
|
||||||
|
Error: nil,
|
||||||
|
Score: checker.MaxResultScore,
|
||||||
|
NumberOfWarn: 0,
|
||||||
|
NumberOfInfo: 3,
|
||||||
|
NumberOfDebug: 3,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "package workflow write",
|
||||||
|
filename: "./testdata/github-workflow-permissions-packages-writes.yaml",
|
||||||
|
expected: scut.TestReturn{
|
||||||
|
Error: nil,
|
||||||
|
Score: checker.MaxResultScore,
|
||||||
|
NumberOfWarn: 0,
|
||||||
|
NumberOfInfo: 3,
|
||||||
|
NumberOfDebug: 3,
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
tt := tt // Re-initializing variable so it is not changed while executing the closure below
|
tt := tt // Re-initializing variable so it is not changed while executing the closure below
|
||||||
|
28
checks/testdata/github-workflow-permissions-packages-writes.yaml
vendored
Normal file
28
checks/testdata/github-workflow-permissions-packages-writes.yaml
vendored
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
# Copyright 2021 Security Scorecard Authors
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
name: release workflow
|
||||||
|
on: [push]
|
||||||
|
permissions:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
Explore-GitHub-Actions:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
packages: write
|
||||||
|
steps:
|
||||||
|
- name: setup
|
||||||
|
uses: actions/setup-java@
|
||||||
|
- name: publish
|
||||||
|
run: |
|
||||||
|
mvn deploy bla
|
28
checks/testdata/github-workflow-permissions-release-writes.yaml
vendored
Normal file
28
checks/testdata/github-workflow-permissions-release-writes.yaml
vendored
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
# Copyright 2021 Security Scorecard Authors
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
name: release workflow
|
||||||
|
on: [push]
|
||||||
|
permissions:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
Explore-GitHub-Actions:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
contents: write
|
||||||
|
steps:
|
||||||
|
- name: setup
|
||||||
|
uses: actions/setup-java@
|
||||||
|
- name: publish
|
||||||
|
run: |
|
||||||
|
mvn deploy bla
|
@ -123,7 +123,7 @@ func ValidateTestReturn(t *testing.T, name string, expected *TestReturn,
|
|||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
if !cmp.Equal(*expected, *actualTestReturn, cmp.Comparer(errCmp)) {
|
if !cmp.Equal(*expected, *actualTestReturn, cmp.Comparer(errCmp)) {
|
||||||
log.Println(cmp.Diff(*expected, *actualTestReturn))
|
log.Println(name+":", cmp.Diff(*expected, *actualTestReturn))
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
return true
|
return true
|
||||||
|
Loading…
Reference in New Issue
Block a user