update msg (#1457)

laurentsimon 2022-01-10 14:22:39 -08:00 committed by GitHub
parent d2a14e0f2b
commit 993e9c1010


@ -28,7 +28,7 @@ import (
// CheckTokenPermissions is the exported name for Token-Permissions check.
const (
CheckTokenPermissions = "Token-Permissions"
runLevelPermission = "run level"
jobLevelPermission = "job level"
topLevelPermission = "top level"
)
@ -61,7 +61,7 @@ func init() {
// will hold true if declared non-write, false otherwise.
type permissions struct {
topLevelWritePermissions map[permission]bool
runLevelWritePermissions map[permission]bool
jobLevelWritePermissions map[permission]bool
}
type permissionCbData struct {
@ -141,11 +141,11 @@ func getWritePermissionsMap(p *permissionCbData, path, permLevel string) map[per
if _, exists := p.workflows[path]; !exists {
p.workflows[path] = permissions{
topLevelWritePermissions: make(map[permission]bool),
runLevelWritePermissions: make(map[permission]bool),
jobLevelWritePermissions: make(map[permission]bool),
}
}
if permLevel == runLevelPermission {
return p.workflows[path].runLevelWritePermissions
if permLevel == jobLevelPermission {
return p.workflows[path].jobLevelWritePermissions
}
return p.workflows[path].topLevelWritePermissions
}
@ -217,7 +217,7 @@ func validateTopLevelPermissions(workflow *actionlint.Workflow, path string,
pdata, map[permission]bool{})
}
func validateRunLevelPermissions(workflow *actionlint.Workflow, path string,
func validatejobLevelPermissions(workflow *actionlint.Workflow, path string,
dl checker.DetailLogger, pdata *permissionCbData,
ignoredPermissions map[permission]bool) error {
for _, job := range workflow.Jobs {
@ -229,12 +229,12 @@ func validateRunLevelPermissions(workflow *actionlint.Workflow, path string,
Path: path,
Type: checker.FileTypeSource,
Offset: fileparser.GetLineNumber(job.Pos),
Text: fmt.Sprintf("no %s permission defined", runLevelPermission),
Text: fmt.Sprintf("no %s permission defined", jobLevelPermission),
})
recordAllPermissionsWrite(pdata, runLevelPermission, path)
recordAllPermissionsWrite(pdata, jobLevelPermission, path)
continue
}
err := validatePermissions(job.Permissions, runLevelPermission,
err := validatePermissions(job.Permissions, jobLevelPermission,
path, dl, pdata, ignoredPermissions)
if err != nil {
return err
@ -264,7 +264,7 @@ func permissionIsPresentInTopLevel(perms permissions, name permission) bool {
}
func permissionIsPresentInRunLevel(perms permissions, name permission) bool {
_, ok := perms.runLevelWritePermissions[name]
_, ok := perms.jobLevelWritePermissions[name]
return ok
}
@ -405,7 +405,7 @@ func validateGitHubActionTokenPermissions(path string, content []byte,
// 2. Run-level permission definitions,
// see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idpermissions.
ignoredPermissions := createIgnoredPermissions(workflow, path, dl)
if err := validateRunLevelPermissions(workflow, path, dl, pdata, ignoredPermissions); err != nil {
if err := validatejobLevelPermissions(workflow, path, dl, pdata, ignoredPermissions); err != nil {
return false, err
}
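Review bot: The new function name `validatejobLevelPermissions` (definition in the -217 hunk, call site in this hunk) breaks Go's MixedCaps convention and should be `validateJobLevelPermissions`. The rename from run-level to job-level also stops short of two places that now disagree with the code: `permissionIsPresentInRunLevel` in the -264 hunk reads `perms.jobLevelWritePermissions` but keeps "RunLevel" in its name, and the comment just above the call site still says `// 2. Run-level permission definitions,` while the detail text emitted to users now says "job level". I would rename the helper to `permissionIsPresentInJobLevel` (its callers are outside these hunks, so check the rest of the file) and change the comment to `// 2. Job-level permission definitions,` so the terminology matches the linked jobs.<job_id>.permissions docs consistently. The enclosing `validateGitHubActionTokenPermissions` starts and appears to end outside this hunk.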