✨ Allow pip install with --require-hashes only (#1313)

* allow --require-hashes only

* comment

* rem log

* comment

* att test

* Update checks/shell_download_validate.go

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* Update checks/shell_download_validate.go

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* Update checks/shell_download_validate.go

Co-authored-by: Oliver Chang <oliverchang@users.noreply.github.com>

* Update checks/shell_download_validate.go

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* Update checks/shell_download_validate.go

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* Update checks/shell_download_validate.go

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

* comments

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
Co-authored-by: Oliver Chang <oliverchang@users.noreply.github.com>

checks/pinned_dependencies_test.go

@@ -641,7 +641,7 @@ func TestDockerfileScriptDownload(t *testing.T) {
 			expected: scut.TestReturn{
 				Error:         nil,
 				Score:         checker.MinResultScore,
-				NumberOfWarn:  31,
+				NumberOfWarn:  33,
 				NumberOfInfo:  0,
 				NumberOfDebug: 0,
 			},

checks/shell_download_validate.go

@@ -468,7 +468,9 @@ func isUnpinnedPipInstall(cmd []string) bool {
 	}
 
 	isInstall := false
-	hasWhl := false
+	hasRequireHashes := false
+	hasAdditionalArgs := false
+	hasWheel := false
 	for i := 1; i < len(cmd); i++ {
 		// Search for install commands.
 		if strings.EqualFold(cmd[i], "install") {
@@ -477,25 +479,47 @@ func isUnpinnedPipInstall(cmd []string) bool {
 		}
 
 		if !isInstall {
-			continue
+			break
 		}
 
-		// TODO(laurent): https://github.com/ossf/scorecard/pull/611#discussion_r660203476.
-		// Support -r <> --require-hashes.
+		// https://github.com/ossf/scorecard/issues/1306#issuecomment-974539197.
+		if strings.EqualFold(cmd[i], "--require-hashes") {
+			hasRequireHashes = true
+			break
+		}
 
 		// Exclude *.whl as they're mostly used
 		// for tests. See https://github.com/ossf/scorecard/pull/611.
 		if strings.HasSuffix(cmd[i], ".whl") {
-			hasWhl = true
+			// We continue because a command may contain
+			// multiple packages to install, not just `.whl` files.
+			hasWheel = true
 			continue
 		}
 
-		// Any other arguments are considered unpinned.
+		hasAdditionalArgs = true
+	}
+
+	// If hashes are required, it's pinned.
+	if hasRequireHashes {
+		return false
+	}
+
+	// With additional arguments, it's unpinned.
+	// Example: `pip install bla.whl pkg1`
+	if hasAdditionalArgs {
 		return true
 	}
 
-	// We get here only for `pip install [bla.whl ...]`.
-	return isInstall && !hasWhl
+	// No additional arguments and hashes are not required.
+	// The only pinned command is `pip install *.whl`
+	if hasWheel {
+		return false
+	}
+
+	// Any other form of install is unpinned,
+	// e.g. `pip install`.
+	return isInstall
 }
 
 func isPythonCommand(cmd []string) bool {

checks/testdata/Dockerfile-pkg-managers

@@ -37,6 +37,12 @@ RUN pip install
 RUN pip3 install
 RUN pip install -r any_file
 RUN pip3 install -r bla-requirements.txt
+RUN ["pip", "install", "-r", "requirements.txt", "--require-hashes"]
+RUN ["pip3", "install", "-r", "requirements.txt", "--require-hashes"]
+RUN ["/bin/pip", "install", "--upgrade", "-r", "requirements.txt"]
+RUN ["/bin/pip", "install", "--upgrade"]
+RUN pip3 install -r bla-requirements.txt --require-hashes
+RUN pip3 install --require-hashes -r bla-requirements.txt
 
 RUN pip install somepkg
 RUN pip3 install somepkg==1.2.3

checks/testdata/github-workflow-pkg-managers.yaml

@@ -42,6 +42,8 @@ jobs:
         run: npm i typescript
       - name:
         run: npm i -g typescript
+      - name:
+        run: pip3 install -r bla-requirements.txt --require-hashes && pip3 install --require-hashes -r bla-requirements.txt
       - name:
         run: go get github.com@some_tag
       - name:

checks/testdata/script-pkg-managers

@@ -34,6 +34,8 @@ pip3 install
 pip install
 pip install -r any_file
 pip3 install -r bla-requirements.txt
+pip3 install -r bla-requirements.txt --require-hashes
+pip3 install --require-hashes -r bla-requirements.txt
 
 pip install somepkg
 pip3 install somepkg==1.2.3