🐛 fix dangerous workflow test and workflow parsing (#1283)
* fix dangerous workflow Signed-off-by: Asra Ali <asraa@google.com> * check if removing label comment fixes Signed-off-by: Asra Ali <asraa@google.com> Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
This commit is contained in:
parent
10ee2c069f
commit
730076fab1
@ -140,15 +140,9 @@ func checkPullRequestTrigger(config map[interface{}]interface{}) (bool, error) {
|
||||
if strings.EqualFold(val, "pull_request_target") {
|
||||
isPullRequestTrigger = true
|
||||
}
|
||||
case []string:
|
||||
case []interface{}:
|
||||
for _, onVal := range val {
|
||||
if strings.EqualFold(onVal, "pull_request_target") {
|
||||
isPullRequestTrigger = true
|
||||
}
|
||||
}
|
||||
case map[interface{}]interface{}:
|
||||
for k := range val {
|
||||
key, ok := k.(string)
|
||||
key, ok := onVal.(string)
|
||||
if !ok {
|
||||
return false, sce.WithMessage(sce.ErrScorecardInternal, errInvalidGitHubWorkflow.Error())
|
||||
}
|
||||
@ -156,6 +150,12 @@ func checkPullRequestTrigger(config map[interface{}]interface{}) (bool, error) {
|
||||
isPullRequestTrigger = true
|
||||
}
|
||||
}
|
||||
case map[string]interface{}:
|
||||
for key := range val {
|
||||
if strings.EqualFold(key, "pull_request_target") {
|
||||
isPullRequestTrigger = true
|
||||
}
|
||||
}
|
||||
default:
|
||||
return false, sce.WithMessage(sce.ErrScorecardInternal, errInvalidGitHubWorkflow.Error())
|
||||
}
|
||||
@ -258,7 +258,7 @@ func createResultForDangerousWorkflowPatterns(result patternCbData, err error) c
|
||||
"no dangerous workflow patterns detected")
|
||||
}
|
||||
|
||||
func testValidateGitHubActionDangerousWOrkflow(pathfn string,
|
||||
func testValidateGitHubActionDangerousWorkflow(pathfn string,
|
||||
content []byte, dl checker.DetailLogger) checker.CheckResult {
|
||||
data := patternCbData{
|
||||
workflowPattern: make(map[string]bool),
|
||||
|
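Review bot: The new `case map[string]interface{}:` branch has no comment explaining why the `on:` switch now needs two map cases that differ only in key type, so the next reader will wonder whether one of them is dead; a short line above it such as `// string-keyed variant of the map[interface{}]interface{} case above; keys are matched the same way` would make the intent explicit. Separately, the `default:` branch still turns any other `on:` shape into `sce.ErrScorecardInternal`, which aborts the whole check for that workflow instead of reporting it as "no pull_request_target trigger"; whether callers rely on that being an internal error is not visible from this hunk. Both the switch and checkPullRequestTrigger start before and continue past these hunks, and the `strings.EqualFold` that presumably consumes the new `key` sits in the gap between them.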
@ -58,12 +58,8 @@ func TestGithubDangerousWorkflow(t *testing.T) {
|
||||
filename: "./testdata/github-workflow-dangerous-pattern-trusted-checkout.yml",
|
||||
expected: scut.TestReturn{
|
||||
Error: nil,
|
||||
// TODO(#1294): Fix the score calculation to return MaxScore.
|
||||
// Score: checker.MaxResultScore,
|
||||
Score: checker.MinResultScore,
|
||||
// TODO(#1294): NumberOfWarn should be 0.
|
||||
// NumberOfWarn: 0,
|
||||
NumberOfWarn: 1,
|
||||
Score: checker.MaxResultScore,
|
||||
NumberOfWarn: 0,
|
||||
NumberOfInfo: 0,
|
||||
NumberOfDebug: 0,
|
||||
},
|
||||
@ -106,7 +102,7 @@ func TestGithubDangerousWorkflow(t *testing.T) {
|
||||
}
|
||||
}
|
||||
dl := scut.TestDetailLogger{}
|
||||
r := testValidateGitHubActionDangerousWOrkflow(tt.filename, content, &dl)
|
||||
r := testValidateGitHubActionDangerousWorkflow(tt.filename, content, &dl)
|
||||
if !scut.ValidateTestReturn(t, tt.name, &tt.expected, &r, &dl) {
|
||||
t.Fail()
|
||||
}
|
||||
|
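Review bot: The expectation for `github-workflow-dangerous-pattern-trusted-checkout.yml` is now `Score: checker.MaxResultScore` with `NumberOfWarn: 0`, and the fixture edit in the yml section of this commit replaces `ref: ${{ github.event.pull_request.head.sha }}` with `ref: main`, so no case in this table still feeds the detector a checkout of the pull-request head; the fixture's name suggests it was meant to be the positive case. Consider keeping the original content under a separate fixture name with the `MinResultScore` / `NumberOfWarn: 1` expectation the removed TODO(#1294) lines described, so that detection of the untrusted-checkout pattern stays covered rather than only its absence. Whether the fixture's trigger is `pull_request_target` is not visible here, and the TestGithubDangerousWorkflow table starts and ends outside the hunk.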
@ -21,7 +21,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }}
|
||||
ref: main
|
||||
|
||||
- uses: actions/setup-node@v1
|
||||
- run: |
|
||||
|