update msg (#1457)
This commit is contained in:
parent
d2a14e0f2b
commit
993e9c1010
@ -28,7 +28,7 @@ import (
|
|||||||
// CheckTokenPermissions is the exported name for Token-Permissions check.
|
// CheckTokenPermissions is the exported name for Token-Permissions check.
|
||||||
const (
|
const (
|
||||||
CheckTokenPermissions = "Token-Permissions"
|
CheckTokenPermissions = "Token-Permissions"
|
||||||
runLevelPermission = "run level"
|
jobLevelPermission = "job level"
|
||||||
topLevelPermission = "top level"
|
topLevelPermission = "top level"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -61,7 +61,7 @@ func init() {
|
|||||||
// will hold true if declared non-write, false otherwise.
|
// will hold true if declared non-write, false otherwise.
|
||||||
type permissions struct {
|
type permissions struct {
|
||||||
topLevelWritePermissions map[permission]bool
|
topLevelWritePermissions map[permission]bool
|
||||||
runLevelWritePermissions map[permission]bool
|
jobLevelWritePermissions map[permission]bool
|
||||||
}
|
}
|
||||||
|
|
||||||
type permissionCbData struct {
|
type permissionCbData struct {
|
||||||
@ -141,11 +141,11 @@ func getWritePermissionsMap(p *permissionCbData, path, permLevel string) map[per
|
|||||||
if _, exists := p.workflows[path]; !exists {
|
if _, exists := p.workflows[path]; !exists {
|
||||||
p.workflows[path] = permissions{
|
p.workflows[path] = permissions{
|
||||||
topLevelWritePermissions: make(map[permission]bool),
|
topLevelWritePermissions: make(map[permission]bool),
|
||||||
runLevelWritePermissions: make(map[permission]bool),
|
jobLevelWritePermissions: make(map[permission]bool),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if permLevel == runLevelPermission {
|
if permLevel == jobLevelPermission {
|
||||||
return p.workflows[path].runLevelWritePermissions
|
return p.workflows[path].jobLevelWritePermissions
|
||||||
}
|
}
|
||||||
return p.workflows[path].topLevelWritePermissions
|
return p.workflows[path].topLevelWritePermissions
|
||||||
}
|
}
|
||||||
@ -217,7 +217,7 @@ func validateTopLevelPermissions(workflow *actionlint.Workflow, path string,
|
|||||||
pdata, map[permission]bool{})
|
pdata, map[permission]bool{})
|
||||||
}
|
}
|
||||||
|
|
||||||
func validateRunLevelPermissions(workflow *actionlint.Workflow, path string,
|
func validatejobLevelPermissions(workflow *actionlint.Workflow, path string,
|
||||||
dl checker.DetailLogger, pdata *permissionCbData,
|
dl checker.DetailLogger, pdata *permissionCbData,
|
||||||
ignoredPermissions map[permission]bool) error {
|
ignoredPermissions map[permission]bool) error {
|
||||||
for _, job := range workflow.Jobs {
|
for _, job := range workflow.Jobs {
|
||||||
@ -229,12 +229,12 @@ func validateRunLevelPermissions(workflow *actionlint.Workflow, path string,
|
|||||||
Path: path,
|
Path: path,
|
||||||
Type: checker.FileTypeSource,
|
Type: checker.FileTypeSource,
|
||||||
Offset: fileparser.GetLineNumber(job.Pos),
|
Offset: fileparser.GetLineNumber(job.Pos),
|
||||||
Text: fmt.Sprintf("no %s permission defined", runLevelPermission),
|
Text: fmt.Sprintf("no %s permission defined", jobLevelPermission),
|
||||||
})
|
})
|
||||||
recordAllPermissionsWrite(pdata, runLevelPermission, path)
|
recordAllPermissionsWrite(pdata, jobLevelPermission, path)
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
err := validatePermissions(job.Permissions, runLevelPermission,
|
err := validatePermissions(job.Permissions, jobLevelPermission,
|
||||||
path, dl, pdata, ignoredPermissions)
|
path, dl, pdata, ignoredPermissions)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
@ -264,7 +264,7 @@ func permissionIsPresentInTopLevel(perms permissions, name permission) bool {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func permissionIsPresentInRunLevel(perms permissions, name permission) bool {
|
func permissionIsPresentInRunLevel(perms permissions, name permission) bool {
|
||||||
_, ok := perms.runLevelWritePermissions[name]
|
_, ok := perms.jobLevelWritePermissions[name]
|
||||||
return ok
|
return ok
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -405,7 +405,7 @@ func validateGitHubActionTokenPermissions(path string, content []byte,
|
|||||||
// 2. Run-level permission definitions,
|
// 2. Run-level permission definitions,
|
||||||
// see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idpermissions.
|
// see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idpermissions.
|
||||||
ignoredPermissions := createIgnoredPermissions(workflow, path, dl)
|
ignoredPermissions := createIgnoredPermissions(workflow, path, dl)
|
||||||
if err := validateRunLevelPermissions(workflow, path, dl, pdata, ignoredPermissions); err != nil {
|
if err := validatejobLevelPermissions(workflow, path, dl, pdata, ignoredPermissions); err != nil {
|
||||||
return false, err
|
return false, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
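Review bot: The new identifier `validatejobLevelPermissions` (fourth hunk, and at its call site in the last hunk) breaks Go's MixedCaps convention and reads like a typo; it should be `func validateJobLevelPermissions(workflow *actionlint.Workflow, path string,`. The rename is also incomplete: in the sixth hunk `permissionIsPresentInRunLevel` keeps its old name while its body now reads `perms.jobLevelWritePermissions[name]`, and in the last hunk the comment `// 2. Run-level permission definitions,` still says "Run-level" although the constant, the `Text` message and the struct field now say "job level". Because the `Text` message is what users see in a Token-Permissions finding, keeping the function and comment wording aligned with `jobLevelPermission` lets a reader trace a reported finding back to the code that produced it; suggest `func permissionIsPresentInJobLevel(perms permissions, name permission) bool {` and `// 2. Job-level permission definitions,`. The bodies of these functions begin or end outside the hunks shown.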