🐛 fix dangerous workflow test and workflow parsing (#1283)

* fix dangerous workflow Signed-off-by: Asra Ali <asraa@google.com> * check if removing label comment fixes Signed-off-by: Asra Ali <asraa@google.com> Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2024-09-11 08:55:27 +03:00 · 2021-11-19 18:16:02 -06:00 · 2021-11-19 18:16:02 -06:00 · 730076fab1
commit 730076fab1
parent 10ee2c069f
4 changed files with 15 additions and 19 deletions
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@ -67,4 +67,4 @@ jobs:
          body: |
            Integration tests ${{ job.status }} for
            [${{ github.event.client_payload.slash_command.args.named.sha || github.event.pull_request.head.sha }}]
-            (https://github.com/ossf/scorecard/actions/runs/${{ github.run_id }})
+            (https://github.com/ossf/scorecard/actions/runs/${{ github.run_id }})
--- a/checks/dangerous_workflow.go
+++ b/checks/dangerous_workflow.go
@ -140,15 +140,9 @@ func checkPullRequestTrigger(config map[interface{}]interface{}) (bool, error) {
 		if strings.EqualFold(val, "pull_request_target") {
 			isPullRequestTrigger = true
 		}
-	case []string:
+	case []interface{}:
 		for _, onVal := range val {
-			if strings.EqualFold(onVal, "pull_request_target") {
-				isPullRequestTrigger = true
-			}
-		}
-	case map[interface{}]interface{}:
-		for k := range val {
-			key, ok := k.(string)
+			key, ok := onVal.(string)
 			if !ok {
 				return false, sce.WithMessage(sce.ErrScorecardInternal, errInvalidGitHubWorkflow.Error())
 			}
@ -156,6 +150,12 @@ func checkPullRequestTrigger(config map[interface{}]interface{}) (bool, error) {
 				isPullRequestTrigger = true
 			}
 		}
+	case map[string]interface{}:
+		for key := range val {
+			if strings.EqualFold(key, "pull_request_target") {
+				isPullRequestTrigger = true
+			}
+		}
 	default:
 		return false, sce.WithMessage(sce.ErrScorecardInternal, errInvalidGitHubWorkflow.Error())
 	}
@ -258,7 +258,7 @@ func createResultForDangerousWorkflowPatterns(result patternCbData, err error) c
 		"no dangerous workflow patterns detected")
 }

-func testValidateGitHubActionDangerousWOrkflow(pathfn string,
+func testValidateGitHubActionDangerousWorkflow(pathfn string,
 	content []byte, dl checker.DetailLogger) checker.CheckResult {
 	data := patternCbData{
 		workflowPattern: make(map[string]bool),
--- a/checks/dangerous_workflow_test.go
+++ b/checks/dangerous_workflow_test.go
@ -57,13 +57,9 @@ func TestGithubDangerousWorkflow(t *testing.T) {
 			name:     "run trusted code checkout test",
 			filename: "./testdata/github-workflow-dangerous-pattern-trusted-checkout.yml",
 			expected: scut.TestReturn{
-				Error: nil,
-				// TODO(#1294): Fix the score calculation to return MaxScore.
-				// Score:         checker.MaxResultScore,
-				Score: checker.MinResultScore,
-				// TODO(#1294): NumberOfWarn should be 0.
-				// NumberOfWarn:  0,
-				NumberOfWarn:  1,
+				Error:         nil,
+				Score:         checker.MaxResultScore,
+				NumberOfWarn:  0,
 				NumberOfInfo:  0,
 				NumberOfDebug: 0,
 			},
@ -106,7 +102,7 @@ func TestGithubDangerousWorkflow(t *testing.T) {
 				}
 			}
 			dl := scut.TestDetailLogger{}
-			r := testValidateGitHubActionDangerousWOrkflow(tt.filename, content, &dl)
+			r := testValidateGitHubActionDangerousWorkflow(tt.filename, content, &dl)
 			if !scut.ValidateTestReturn(t, tt.name, &tt.expected, &r, &dl) {
 				t.Fail()
 			}
--- a/checks/testdata/github-workflow-dangerous-pattern-trusted-checkout.yml
+++ b/checks/testdata/github-workflow-dangerous-pattern-trusted-checkout.yml
@ -21,7 +21,7 @@ jobs:
    steps:
    - uses: actions/checkout@v2
      with:
-        ref: ${{ github.event.pull_request.head.sha }}
+        ref: main
        
    - uses: actions/setup-node@v1
    - run: |