update msg (#1457)

laurentsimon 2022-01-10 14:22:39 -08:00 committed by GitHub
parent d2a14e0f2b
commit 993e9c1010
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -28,7 +28,7 @@ import (
// CheckTokenPermissions is the exported name for Token-Permissions check. // CheckTokenPermissions is the exported name for Token-Permissions check.
const ( const (
CheckTokenPermissions = "Token-Permissions" CheckTokenPermissions = "Token-Permissions"
runLevelPermission = "run level" jobLevelPermission = "job level"
topLevelPermission = "top level" topLevelPermission = "top level"
) )
@ -61,7 +61,7 @@ func init() {
// will hold true if declared non-write, false otherwise. // will hold true if declared non-write, false otherwise.
type permissions struct { type permissions struct {
topLevelWritePermissions map[permission]bool topLevelWritePermissions map[permission]bool
runLevelWritePermissions map[permission]bool jobLevelWritePermissions map[permission]bool
} }
type permissionCbData struct { type permissionCbData struct {
@ -141,11 +141,11 @@ func getWritePermissionsMap(p *permissionCbData, path, permLevel string) map[per
if _, exists := p.workflows[path]; !exists { if _, exists := p.workflows[path]; !exists {
p.workflows[path] = permissions{ p.workflows[path] = permissions{
topLevelWritePermissions: make(map[permission]bool), topLevelWritePermissions: make(map[permission]bool),
runLevelWritePermissions: make(map[permission]bool), jobLevelWritePermissions: make(map[permission]bool),
} }
} }
if permLevel == runLevelPermission { if permLevel == jobLevelPermission {
return p.workflows[path].runLevelWritePermissions return p.workflows[path].jobLevelWritePermissions
} }
return p.workflows[path].topLevelWritePermissions return p.workflows[path].topLevelWritePermissions
} }
@ -217,7 +217,7 @@ func validateTopLevelPermissions(workflow *actionlint.Workflow, path string,
pdata, map[permission]bool{}) pdata, map[permission]bool{})
} }
func validateRunLevelPermissions(workflow *actionlint.Workflow, path string, func validatejobLevelPermissions(workflow *actionlint.Workflow, path string,
dl checker.DetailLogger, pdata *permissionCbData, dl checker.DetailLogger, pdata *permissionCbData,
ignoredPermissions map[permission]bool) error { ignoredPermissions map[permission]bool) error {
for _, job := range workflow.Jobs { for _, job := range workflow.Jobs {
@ -229,12 +229,12 @@ func validateRunLevelPermissions(workflow *actionlint.Workflow, path string,
Path: path, Path: path,
Type: checker.FileTypeSource, Type: checker.FileTypeSource,
Offset: fileparser.GetLineNumber(job.Pos), Offset: fileparser.GetLineNumber(job.Pos),
Text: fmt.Sprintf("no %s permission defined", runLevelPermission), Text: fmt.Sprintf("no %s permission defined", jobLevelPermission),
}) })
recordAllPermissionsWrite(pdata, runLevelPermission, path) recordAllPermissionsWrite(pdata, jobLevelPermission, path)
continue continue
} }
err := validatePermissions(job.Permissions, runLevelPermission, err := validatePermissions(job.Permissions, jobLevelPermission,
path, dl, pdata, ignoredPermissions) path, dl, pdata, ignoredPermissions)
if err != nil { if err != nil {
return err return err
@ -264,7 +264,7 @@ func permissionIsPresentInTopLevel(perms permissions, name permission) bool {
} }
func permissionIsPresentInRunLevel(perms permissions, name permission) bool { func permissionIsPresentInRunLevel(perms permissions, name permission) bool {
_, ok := perms.runLevelWritePermissions[name] _, ok := perms.jobLevelWritePermissions[name]
return ok return ok
} }
@ -405,7 +405,7 @@ func validateGitHubActionTokenPermissions(path string, content []byte,
// 2. Run-level permission definitions, // 2. Run-level permission definitions,
// see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idpermissions. // see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idpermissions.
ignoredPermissions := createIgnoredPermissions(workflow, path, dl) ignoredPermissions := createIgnoredPermissions(workflow, path, dl)
if err := validateRunLevelPermissions(workflow, path, dl, pdata, ignoredPermissions); err != nil { if err := validatejobLevelPermissions(workflow, path, dl, pdata, ignoredPermissions); err != nil {
return false, err return false, err
} }
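Review bot: The renamed function `validatejobLevelPermissions` (declaration in the `@ -217` hunk, call site in the `@ -405` hunk) breaks Go's MixedCaps convention; it should read `func validateJobLevelPermissions(workflow *actionlint.Workflow, path string,` with the call site updated to match. The rename is also only partial: `permissionIsPresentInRunLevel` in the `@ -264` hunk keeps its old name while its body now reads `jobLevelWritePermissions`, and the comment `// 2. Run-level permission definitions,` directly above the renamed call still uses the old vocabulary. Changing those to `func permissionIsPresentInJobLevel(perms permissions, name permission) bool {` and `// 2. Job-level permission definitions,` would keep the constant, struct field, function and comment terminology consistent. Any other callers of permissionIsPresentInRunLevel are outside these hunks, so that rename needs the rest of the file.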