🐛 fix dangerous workflow test and workflow parsing (#1283)
* fix dangerous workflow Signed-off-by: Asra Ali <asraa@google.com> * check if removing label comment fixes Signed-off-by: Asra Ali <asraa@google.com> Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
This commit is contained in:
parent
10ee2c069f
commit
730076fab1
2
.github/workflows/integration.yml
vendored
2
.github/workflows/integration.yml
vendored
@ -67,4 +67,4 @@ jobs:
|
|||||||
body: |
|
body: |
|
||||||
Integration tests ${{ job.status }} for
|
Integration tests ${{ job.status }} for
|
||||||
[${{ github.event.client_payload.slash_command.args.named.sha || github.event.pull_request.head.sha }}]
|
[${{ github.event.client_payload.slash_command.args.named.sha || github.event.pull_request.head.sha }}]
|
||||||
(https://github.com/ossf/scorecard/actions/runs/${{ github.run_id }})
|
(https://github.com/ossf/scorecard/actions/runs/${{ github.run_id }})
|
@ -140,15 +140,9 @@ func checkPullRequestTrigger(config map[interface{}]interface{}) (bool, error) {
|
|||||||
if strings.EqualFold(val, "pull_request_target") {
|
if strings.EqualFold(val, "pull_request_target") {
|
||||||
isPullRequestTrigger = true
|
isPullRequestTrigger = true
|
||||||
}
|
}
|
||||||
case []string:
|
case []interface{}:
|
||||||
for _, onVal := range val {
|
for _, onVal := range val {
|
||||||
if strings.EqualFold(onVal, "pull_request_target") {
|
key, ok := onVal.(string)
|
||||||
isPullRequestTrigger = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
case map[interface{}]interface{}:
|
|
||||||
for k := range val {
|
|
||||||
key, ok := k.(string)
|
|
||||||
if !ok {
|
if !ok {
|
||||||
return false, sce.WithMessage(sce.ErrScorecardInternal, errInvalidGitHubWorkflow.Error())
|
return false, sce.WithMessage(sce.ErrScorecardInternal, errInvalidGitHubWorkflow.Error())
|
||||||
}
|
}
|
||||||
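Review bot: The new `case []interface{}` here and the `case map[string]interface{}` in the following hunk (@ -156,6 +150,12) hard-wire the dynamic types one particular YAML decoder produces for nested values, while the hunk header still shows the parameter typed `map[interface{}]interface{}`; a decoder that yields `map[interface{}]interface{}` for nested mappings — the shape the removed case handled — would now route a mapping-form `on:` block to `default` and report a valid workflow as `errInvalidGitHubWorkflow`, so a `pull_request_target` trigger written that way would surface as an internal error instead of a finding. Which decoder is in use is not visible here, so this may be exactly right for the current dependency, but it deserves a comment above the switch so a future decoder change is caught: `// Dynamic types below match the YAML decoder's output for nested values (sequences as []interface{}, mappings as map[string]interface{}); changing the decoder requires revisiting these cases.` A test fixture using the mapping form of `on:` (constructed example: `on: {pull_request_target: {types: [opened]}}`) would pin that path in the test table as well. The enclosing switch and checkPullRequestTrigger's signature lie outside both hunks.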
@ -156,6 +150,12 @@ func checkPullRequestTrigger(config map[interface{}]interface{}) (bool, error) {
|
|||||||
isPullRequestTrigger = true
|
isPullRequestTrigger = true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
case map[string]interface{}:
|
||||||
|
for key := range val {
|
||||||
|
if strings.EqualFold(key, "pull_request_target") {
|
||||||
|
isPullRequestTrigger = true
|
||||||
|
}
|
||||||
|
}
|
||||||
default:
|
default:
|
||||||
return false, sce.WithMessage(sce.ErrScorecardInternal, errInvalidGitHubWorkflow.Error())
|
return false, sce.WithMessage(sce.ErrScorecardInternal, errInvalidGitHubWorkflow.Error())
|
||||||
}
|
}
|
||||||
@ -258,7 +258,7 @@ func createResultForDangerousWorkflowPatterns(result patternCbData, err error) c
|
|||||||
"no dangerous workflow patterns detected")
|
"no dangerous workflow patterns detected")
|
||||||
}
|
}
|
||||||
|
|
||||||
func testValidateGitHubActionDangerousWOrkflow(pathfn string,
|
func testValidateGitHubActionDangerousWorkflow(pathfn string,
|
||||||
content []byte, dl checker.DetailLogger) checker.CheckResult {
|
content []byte, dl checker.DetailLogger) checker.CheckResult {
|
||||||
data := patternCbData{
|
data := patternCbData{
|
||||||
workflowPattern: make(map[string]bool),
|
workflowPattern: make(map[string]bool),
|
||||||
|
@ -57,13 +57,9 @@ func TestGithubDangerousWorkflow(t *testing.T) {
|
|||||||
name: "run trusted code checkout test",
|
name: "run trusted code checkout test",
|
||||||
filename: "./testdata/github-workflow-dangerous-pattern-trusted-checkout.yml",
|
filename: "./testdata/github-workflow-dangerous-pattern-trusted-checkout.yml",
|
||||||
expected: scut.TestReturn{
|
expected: scut.TestReturn{
|
||||||
Error: nil,
|
Error: nil,
|
||||||
// TODO(#1294): Fix the score calculation to return MaxScore.
|
Score: checker.MaxResultScore,
|
||||||
// Score: checker.MaxResultScore,
|
NumberOfWarn: 0,
|
||||||
Score: checker.MinResultScore,
|
|
||||||
// TODO(#1294): NumberOfWarn should be 0.
|
|
||||||
// NumberOfWarn: 0,
|
|
||||||
NumberOfWarn: 1,
|
|
||||||
NumberOfInfo: 0,
|
NumberOfInfo: 0,
|
||||||
NumberOfDebug: 0,
|
NumberOfDebug: 0,
|
||||||
},
|
},
|
||||||
@ -106,7 +102,7 @@ func TestGithubDangerousWorkflow(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
dl := scut.TestDetailLogger{}
|
dl := scut.TestDetailLogger{}
|
||||||
r := testValidateGitHubActionDangerousWOrkflow(tt.filename, content, &dl)
|
r := testValidateGitHubActionDangerousWorkflow(tt.filename, content, &dl)
|
||||||
if !scut.ValidateTestReturn(t, tt.name, &tt.expected, &r, &dl) {
|
if !scut.ValidateTestReturn(t, tt.name, &tt.expected, &r, &dl) {
|
||||||
t.Fail()
|
t.Fail()
|
||||||
}
|
}
|
||||||
|
@ -21,7 +21,7 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v2
|
- uses: actions/checkout@v2
|
||||||
with:
|
with:
|
||||||
ref: ${{ github.event.pull_request.head.sha }}
|
ref: main
|
||||||
|
|
||||||
- uses: actions/setup-node@v1
|
- uses: actions/setup-node@v1
|
||||||
- run: |
|
- run: |
|
||||||
|
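Review bot: The fixture now checks out `main`, but nothing in the file says why this is the trusted variant of the checkout pattern, so a later edit could reintroduce a PR-controlled ref without the filename flagging it; a one-line YAML comment above the `with:` block would preserve the intent, e.g. `# trusted: ref is a fixed base-branch name, not taken from the pull_request event payload`. The `on:` trigger that makes the surrounding job the privileged context is above the hunk.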