mirror of
https://github.com/ossf/scorecard.git
synced 2024-09-17 11:57:12 +03:00
Including line number: Dockerfile FROM not pinned (#1258)
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
This commit is contained in:
parent
86835fcfd6
commit
4bd24b8291
@ -391,14 +391,26 @@ func validateDockerfileIsPinned(pathfn string, content []byte,
|
||||
|
||||
// Not pinned.
|
||||
ret = false
|
||||
dl.Warn("dependency not pinned by hash %v: '%v'", pathfn, name)
|
||||
dl.Warn3(&checker.LogMessage{
|
||||
Path: pathfn,
|
||||
Type: checker.FileTypeSource,
|
||||
Offset: child.StartLine,
|
||||
Text: fmt.Sprintf("dependency not pinned by hash: '%v'", name),
|
||||
Snippet: child.Original,
|
||||
})
|
||||
|
||||
// FROM name.
|
||||
case len(valueList) == 1:
|
||||
name := valueList[0]
|
||||
if !regex.Match([]byte(name)) {
|
||||
ret = false
|
||||
dl.Warn("dependency not pinned by hash %v: '%v'", pathfn, name)
|
||||
dl.Warn3(&checker.LogMessage{
|
||||
Path: pathfn,
|
||||
Type: checker.FileTypeSource,
|
||||
Offset: child.StartLine,
|
||||
Text: fmt.Sprintf("dependency not pinned by hash: '%v'", name),
|
||||
Snippet: child.Original,
|
||||
})
|
||||
}
|
||||
|
||||
default:
|
||||
|
@ -383,6 +383,79 @@ func TestDockerfilePinning(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestDockerfilePinningFromLineNumber(t *testing.T) {
|
||||
t.Parallel()
|
||||
tests := []struct {
|
||||
name string
|
||||
filename string
|
||||
expected []struct {
|
||||
snippet string
|
||||
lineNumber int
|
||||
}
|
||||
}{
|
||||
{
|
||||
name: "Non-pinned dockerfile as",
|
||||
filename: "./testdata/Dockerfile-not-pinned-as",
|
||||
expected: []struct {
|
||||
snippet string
|
||||
lineNumber int
|
||||
}{
|
||||
{
|
||||
snippet: "FROM python:3.7 as build",
|
||||
lineNumber: 17,
|
||||
},
|
||||
{
|
||||
snippet: "FROM build",
|
||||
lineNumber: 23,
|
||||
},
|
||||
{
|
||||
snippet: "FROM base2",
|
||||
lineNumber: 29,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Non-pinned dockerfile",
|
||||
filename: "./testdata/Dockerfile-not-pinned",
|
||||
expected: []struct {
|
||||
snippet string
|
||||
lineNumber int
|
||||
}{
|
||||
{
|
||||
snippet: "FROM python:3.7",
|
||||
lineNumber: 17,
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
tt := tt // Re-initializing variable so it is not changed while executing the closure below
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
content, err := os.ReadFile(tt.filename)
|
||||
if err != nil {
|
||||
t.Errorf("cannot read file: %v", err)
|
||||
}
|
||||
dl := scut.TestDetailLogger{}
|
||||
var pinned pinnedResult
|
||||
_, err = validateDockerfileIsPinned(tt.filename, content, &dl, &pinned)
|
||||
if err != nil {
|
||||
t.Errorf("error during validateDockerfileIsPinned: %v", err)
|
||||
}
|
||||
for _, expectedLog := range tt.expected {
|
||||
isExpectedLog := func(logMessage checker.LogMessage, logType checker.DetailType) bool {
|
||||
return logMessage.Offset == expectedLog.lineNumber && logMessage.Path == tt.filename &&
|
||||
logMessage.Snippet == expectedLog.snippet && logType == checker.DetailWarn &&
|
||||
strings.Contains(logMessage.Text, "dependency not pinned by hash")
|
||||
}
|
||||
if !scut.ValidateLogMessage(isExpectedLog, &dl) {
|
||||
t.Errorf("test failed: log message not present: %+v", tt.expected)
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestDockerfilePinningWihoutHash(t *testing.T) {
|
||||
t.Parallel()
|
||||
tests := []struct {
|
||||
|
Loading…
Reference in New Issue
Block a user