From 7ce8609469289d5f3b1bf5ee3122f42b4e3054fb Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Thu, 9 May 2024 11:27:34 -0700 Subject: [PATCH] :bug: Support renamed gradle verification action and callers which pin to hash (#4097) * Support renamed gradle verification action From gradle/wrapper-validation-action's readme: "As of v3 this action has been superceded by gradle/actions/wrapper-validation" Also support actions pinned to a hash. Signed-off-by: Spencer Schrock * remove unneeded dependency Signed-off-by: Spencer Schrock --------- Signed-off-by: Spencer Schrock --- checks/raw/binary_artifact.go | 30 ++----------------- checks/raw/binary_artifact_test.go | 17 +++++++++-- ...ction.yaml => verify-new-gradle-name.yaml} | 5 ++-- go.mod | 1 - go.sum | 2 -- 5 files changed, 19 insertions(+), 36 deletions(-) rename checks/testdata/binaryartifacts/workflows/{verify-outdated-action.yaml => verify-new-gradle-name.yaml} (53%)
diff --git a/checks/raw/binary_artifact.go b/checks/raw/binary_artifact.go
index 2d1ded74..370b0d85 100644
--- a/checks/raw/binary_artifact.go
+++ b/checks/raw/binary_artifact.go
@@ -19,11 +19,9 @@ import (
 	"fmt"
 	"io"
 	"path/filepath"
-	"regexp"
 	"strings"
 	"unicode/utf8"
 
-	semver "github.com/Masterminds/semver/v3"
 	"github.com/h2non/filetype"
 	"github.com/h2non/filetype/types"
 	"github.com/rhysd/actionlint"
@@ -35,23 +33,9 @@ import (
 	"github.com/ossf/scorecard/v5/finding"
 )
 
-var (
-	gradleWrapperValidationActionRegex = regexp.MustCompile(`^gradle\/wrapper-validation-action@v?(.+)$`)
-	gradleWrapperValidationActionVersionConstraint = mustParseConstraint(`>= 1.0.0`)
-)
-
 // how many bytes are considered when determining if a file is text or binary.
 const binaryTestLen = 1024
 
-// mustParseConstraint attempts parse of semver constraint, panics if fail.
-func mustParseConstraint(c string) *semver.Constraints {
-	if c, err := semver.NewConstraint(c); err != nil {
-		panic(fmt.Errorf("failed to parse constraint: %w", err))
-	} else {
-		return c
-	}
-}
-
 // BinaryArtifacts retrieves the raw data for the Binary-Artifacts check.
 func BinaryArtifacts(req *checker.CheckRequest) (checker.BinaryArtifactData, error) {
 	c := req.RepoClient
@@ -266,18 +250,8 @@ func checkWorkflowValidatesGradleWrapper(path string, content []byte, args ...in
 			if ea.Uses == nil {
 				continue
 			}
-			sms := gradleWrapperValidationActionRegex.FindStringSubmatch(ea.Uses.Value)
-			if len(sms) > 1 {
-				v, err := semver.NewVersion(sms[1])
-				if err != nil {
-					// Couldn't parse version, hopefully another step has
-					// a correct one.
-					continue
-				}
-				if !gradleWrapperValidationActionVersionConstraint.Check(v) {
-					// Version out of acceptable range.
-					continue
-				}
+			if strings.HasPrefix(ea.Uses.Value, "gradle/wrapper-validation-action@") ||
+				strings.HasPrefix(ea.Uses.Value, "gradle/actions/wrapper-validation@") {
 				// OK! This is it.
 				*validatingWorkflowFile = filepath.Base(path)
 				return false, nil
diff --git a/checks/raw/binary_artifact_test.go b/checks/raw/binary_artifact_test.go
index b352892c..fff2c5d4 100644
--- a/checks/raw/binary_artifact_test.go
+++ b/checks/raw/binary_artifact_test.go
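Review bot: The new prefix test in checkWorkflowValidatesGradleWrapper accepts any ref after the `@`, so `gradle/wrapper-validation-action@v0.1.0` — which the removed `>= 1.0.0` constraint rejected — now counts as a validating workflow, and so does a bare `gradle/actions/wrapper-validation@` with an empty ref. If dropping the version floor is intended (it is what lets hash-pinned callers match), the reasoning should be recorded next to the check, e.g. `// Any ref is accepted (tag, branch or commit hash); the former >= 1.0.0 floor was dropped so hash-pinned callers are recognised.` A tighter form that also guarantees a non-empty ref is `action, ref, ok := strings.Cut(ea.Uses.Value, "@")` followed by `if ok && ref != "" && (action == "gradle/wrapper-validation-action" || action == "gradle/actions/wrapper-validation") {`. GitHub resolves owner/repo names case-insensitively, so an exact-case comparison may miss `Gradle/...` spellings; worth confirming whether actionlint normalises the value before relying on it. The enclosing function starts and ends outside the hunk.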
@@ -164,13 +164,26 @@ func TestBinaryArtifacts(t *testing.T) {
 			expect: 1,
 		},
 		{
-			name: "gradle-wrapper.jar with outdated verification action",
+			name: "gradle-wrapper.jar with new verification action",
 			err: nil,
 			files: [][]string{
 				{"../testdata/binaryartifacts/jars/gradle-wrapper.jar"},
 				{
 					"../testdata/binaryartifacts/workflows/nonverify.yaml",
-					"../testdata/binaryartifacts/workflows/verify-outdated-action.yaml",
+					"../testdata/binaryartifacts/workflows/verify-new-gradle-name.yaml",
+				},
+			},
+			successfulWorkflowRuns: []clients.WorkflowRun{
+				{
+					HeadSHA: strptr("sha-a"),
+				},
+			},
+			commits: []clients.Commit{
+				{
+					SHA: "sha-a",
+				},
+				{
+					SHA: "sha-old",
 				},
 			},
 			getFileContentCount: 3,
diff --git a/checks/testdata/binaryartifacts/workflows/verify-outdated-action.yaml b/checks/testdata/binaryartifacts/workflows/verify-new-gradle-name.yaml
similarity index 53%
rename from checks/testdata/binaryartifacts/workflows/verify-outdated-action.yaml
rename to checks/testdata/binaryartifacts/workflows/verify-new-gradle-name.yaml
index 477c45ff..27dc62d2 100644
--- a/checks/testdata/binaryartifacts/workflows/verify-outdated-action.yaml
+++ b/checks/testdata/binaryartifacts/workflows/verify-new-gradle-name.yaml
@@ -6,7 +6,6 @@ jobs:
     name: "GW Validate Job"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: GW Validate Step
-        # this is a made-up outdated version of the action:
-        uses: gradle/wrapper-validation-action@v0.1.0
+        uses: gradle/actions/wrapper-validation@v3
diff --git a/go.mod b/go.mod
index 5ca8fd65..59a1b01a 100644
--- a/go.mod
+++ b/go.mod
@@ -39,7 +39,6 @@ require (
 )
 
 require (
-	github.com/Masterminds/semver/v3 v3.2.1
 	github.com/caarlos0/env/v6 v6.10.0
 	github.com/gobwas/glob v0.2.3
 	github.com/google/go-github/v53 v53.2.0
diff --git a/go.sum b/go.sum
index 6113f498..3c546a19 100644
--- a/go.sum
+++ b/go.sum
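Review bot: No test case in TestBinaryArtifacts exercises the hash-pinned form the commit title promises: the only new fixture, verify-new-gradle-name.yaml, uses `gradle/actions/wrapper-validation@v3`, so a regression that stopped `@<commit-sha>` refs from matching would still pass this table. A second case whose fixture step is `uses: gradle/actions/wrapper-validation@<40-hex placeholder> # v3` (the form Dependabot and pinning tools emit) would cover it; an obviously fake digest in testdata is enough. Presumably the added successfulWorkflowRuns and commits entries are what let this case expect the jar to be accepted rather than flagged, but the expect value and the rest of the table lie outside the hunk, as does the test function itself.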
@@ -89,8 +89,6 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/CycloneDX/cyclonedx-go v0.8.0 h1:FyWVj6x6hoJrui5uRQdYZcSievw3Z32Z88uYzG/0D6M=
 github.com/CycloneDX/cyclonedx-go v0.8.0/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk=
 github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14=
-github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
-github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
 github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=