✨ CLI for scorecard-attestor (#2309)
* Reorganize Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Working commit Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Compile with local scorecard; go mod tidy Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add signing code Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Update deps * Naming * Makefile Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Edit license, add lint.yml Signed-off-by: Raghav Kaul <raghavkaul@google.com> * checks: go mod tidy, license Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Address PR comments * Split into checker/signer files * Naming convention Signed-off-by: Raghav Kaul <raghavkaul@google.com> * License, remove golangci.yml Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Address PR comments * Use cobra Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add tests for root command Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Filter out checks that aren't needed for policy evaluation Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add `make` targets for attestor; submit coverage stats Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Improvements * Use sclog instead of glog * Remove unneeded subcommands * Formatting Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Flags: Make note-name constant and fix messaging Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Remove SupportedRequestTypes Signed-off-by: Raghav Kaul <raghavkaul@google.com> * go mod tidy Signed-off-by: Raghav Kaul <raghavkaul@google.com> * go mod tidy, makefile Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Fix GH actions run Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Raghav Kaul <raghavkaul@google.com>
This commit is contained in:
parent
1fa7910432
commit
a8f98be924
16
.github/workflows/integration.yml
vendored
16
.github/workflows/integration.yml
vendored
@ -76,6 +76,16 @@ jobs:
|
||||
retry_on: error
|
||||
timeout_minutes: 30
|
||||
command: make e2e-pat
|
||||
|
||||
- name: Run attestor e2e
|
||||
run: make e2e-attestor
|
||||
env:
|
||||
GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }}
|
||||
with:
|
||||
max_attempts: 3
|
||||
retry_on: error
|
||||
timeout_minutes: 10
|
||||
command: make e2e-attestor
|
||||
|
||||
- name: codecov
|
||||
uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # 2.1.0
|
||||
@ -83,6 +93,12 @@ jobs:
|
||||
files: ./e2e-coverage.out
|
||||
verbose: true
|
||||
|
||||
- name: codecov attestor
|
||||
uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # 2.1.0
|
||||
with:
|
||||
files: ./attestor/e2e/e2e-coverage.out
|
||||
verbose: true
|
||||
|
||||
- name: find comment
|
||||
uses: peter-evans/find-comment@b657a70ff16d17651703a84bee1cb9ad9d2be2ea # v2.0.1
|
||||
id: fc
|
||||
|
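Review bot: The new `Run attestor e2e` step (L31–L55) carries both `run: make e2e-attestor` and a `with:` block (`max_attempts`, `retry_on`, `timeout_minutes`, `command`), and `with:` is only meaningful on a `uses:` step, so as rendered the workflow either fails validation or silently ignores the retry settings. If the intent is the same retry action the preceding e2e-pat step uses, the `run:` line should be the corresponding `uses:` line; indentation is lost in this rendering, so confirm against the raw file. Since the step also receives `GITHUB_AUTH_TOKEN` from `secrets.GH_AUTH_TOKEN`, a retry on `error` re-runs the token-backed scorecard calls up to three times, which is one more reason to keep `timeout_minutes: 10` tight.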
7
.github/workflows/main.yml
vendored
7
.github/workflows/main.yml
vendored
@ -64,12 +64,17 @@ jobs:
|
||||
check-latest: true
|
||||
cache: true
|
||||
- name: Run unit-tests
|
||||
run: make unit-test
|
||||
run: make unit-test unit-test-attestor
|
||||
- name: Upload codecoverage
|
||||
uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # 2.1.0
|
||||
with:
|
||||
files: ./unit-coverage.out
|
||||
verbose: true
|
||||
- name: Upload codecoverage attestor
|
||||
uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # 2.1.0
|
||||
with:
|
||||
files: ./attestor/unit-coverage.out
|
||||
verbose: true
|
||||
generate-mocks:
|
||||
name: generate-mocks
|
||||
runs-on: ubuntu-latest
|
||||
|
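Review bot: The unit-test step now runs `make unit-test unit-test-attestor` (L125) and a new upload step expects `./attestor/unit-coverage.out` (L152), but no `unit-test-attestor` target appears in this commit's Makefile hunks, whose 10-line diffstat is fully accounted for by the `build-attestor` and `e2e-attestor` additions; if the target is not already defined elsewhere, this step fails with `No rule to make target`. The two codecov uploads (L131 and L146) are otherwise indistinguishable in the report; adding `flags: attestor` under the second step's `with:` keeps the attestor coverage separate from the main module's.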
1
.gitignore
vendored
1
.gitignore
vendored
@ -1,5 +1,6 @@
|
||||
# binary.
|
||||
scorecard
|
||||
attestor/scorecard-attestor
|
||||
scorecard.docker
|
||||
scorecard.releaser
|
||||
gitblobcache
|
||||
|
10
Makefile
10
Makefile
@ -123,7 +123,7 @@ build-cron: build-controller build-worker build-cii-worker \
|
||||
build-shuffler build-bq-transfer build-github-server \
|
||||
build-webhook build-add-script build-validate-script build-update-script
|
||||
|
||||
build-targets = generate-mocks generate-docs build-scorecard build-cron build-proto
|
||||
build-targets = generate-mocks generate-docs build-scorecard build-cron build-proto build-attestor
|
||||
.PHONY: build $(build-targets)
|
||||
build: ## Build all binaries and images in the repo.
|
||||
build: $(build-targets)
|
||||
@ -239,6 +239,10 @@ cron/internal/bq/data-transfer.docker: cron/internal/bq/Dockerfile $(CRON_TRANSF
|
||||
--tag $(IMAGE_NAME)-bq-transfer && \
|
||||
touch cron/internal/bq/data-transfer.docker
|
||||
|
||||
build-attestor: ## Runs go build on scorecard attestor
|
||||
# Run go build on scorecard attestor
|
||||
cd attestor/; CGO_ENABLED=0 go build -trimpath -a -tags netgo -ldflags '$(LDFLAGS)' -o scorecard-attestor
|
||||
|
||||
TOKEN_SERVER_DEPS = $(shell find clients/githubrepo/roundtripper/tokens/ -iname "*.go")
|
||||
build-github-server: ## Build GitHub token server
|
||||
build-github-server: clients/githubrepo/roundtripper/tokens/server/github-auth-server
|
||||
@ -323,6 +327,10 @@ e2e-gh-token: ## Runs e2e tests. Requires GITHUB_AUTH_TOKEN env var to be set to
|
||||
e2e-gh-token: build-scorecard check-env | $(GINKGO)
|
||||
# Run e2e tests. GITHUB_AUTH_TOKEN set to secrets.GITHUB_TOKEN must be used to run this.
|
||||
TOKEN_TYPE="GITHUB_TOKEN" $(GINKGO) --race -p -v -cover -coverprofile=e2e-coverage.out --keep-separate-coverprofiles ./...
|
||||
|
||||
e2e-attestor: ## Runs e2e tests for scorecard-attestor
|
||||
cd attestor/e2e; go test -covermode=atomic -coverprofile=e2e-coverage.out; cd ../..
|
||||
|
||||
###############################################################################
|
||||
|
||||
##@ TODO(#744)
|
||||
|
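Review bot: The `e2e-attestor` recipe (L274) ends with `; cd ../..`, so the recipe's exit status is that of the final `cd`, not of `go test`: a failing attestor e2e run still returns success to `make` and the CI step passes (unless `.SHELLFLAGS` sets `-e`, which is not visible here). Each recipe line already runs in its own shell, so the trailing `cd` does nothing useful; write `cd attestor/e2e && go test -covermode=atomic -coverprofile=e2e-coverage.out`. The same `;` chaining in `build-attestor` (L243) is harmless because `go build` is last, but `&&` is clearer there too. `e2e-attestor` is not declared `.PHONY` in this hunk, so a file named `e2e-attestor` in the repo root would silently satisfy the target.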
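--- /dev/null
+++ b/attestor/command/check.go
@@ -0,0 +1,104 @@
+// Copyright 2022 Security Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package command
+
+import (
+"context"
+"fmt"
+"os"
+
+"github.com/ossf/scorecard-attestor/policy"
+"github.com/ossf/scorecard/v4/checker"
+"github.com/ossf/scorecard/v4/checks"
+sclog "github.com/ossf/scorecard/v4/log"
+"github.com/ossf/scorecard/v4/pkg"
+)
+
+func runCheck() error {
+ctx := context.Background()
+logger := sclog.NewLogger(sclog.DefaultLevel)
+
+// Read the Binauthz attestation policy
+if policyPath == "" {
+return fmt.Errorf("policy path is empty")
+}
+attestationPolicy, err := policy.ParseAttestationPolicyFromFile(policyPath)
+if err != nil {
+return fmt.Errorf("fail to load scorecard attestation policy: %v", err)
+}
+
+if repoURL == "" {
+buildRepo := os.Getenv("REPO_NAME")
+if buildRepo == "" {
+return fmt.Errorf("repoURL not specified")
+}
+repoURL = buildRepo
+logger.Info(fmt.Sprintf("Found repo URL %s Cloud Build environment", repoURL))
+} else {
+logger.Info(fmt.Sprintf("Running scorecard on %s", repoURL))
+}
+
+if commitSHA == "" {
+buildSHA := os.Getenv("COMMIT_SHA")
+if buildSHA == "" {
+logger.Info("commit not specified, running on HEAD")
+} else {
+commitSHA = buildSHA
+logger.Info(fmt.Sprintf("Found revision %s Cloud Build environment", commitSHA))
+}
+}
+
+repo, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, err := checker.GetClients(
+ctx, repoURL, "", logger)
+
+requiredChecks := attestationPolicy.GetRequiredChecksForPolicy()
+
+enabledChecks := map[string]checker.Check{
+"BinaryArtifacts": {
+Fn: checks.BinaryArtifacts,
+},
+}
+
+// Filter out checks that won't be needed for policy-evaluation time
+for name := range enabledChecks {
+if _, isRequired := requiredChecks[name]; !isRequired {
+delete(enabledChecks, name)
+}
+}
+
+repoResult, err := pkg.RunScorecards(
+ctx,
+repo,
+commitSHA,
+enabledChecks,
+repoClient,
+ossFuzzRepoClient,
+ciiClient,
+vulnsClient,
+)
+if err != nil {
+return fmt.Errorf("RunScorecards: %w", err)
+}
+
+result, err := attestationPolicy.EvaluateResults(&repoResult.RawResults)
+if err != nil {
+return fmt.Errorf("error when evaluating image %q against policy", image)
+}
+if result != policy.Pass {
+return fmt.Errorf("image failed policy check %s:", image)
+}
+logger.Info("Policy check passed")
+return nil
+}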
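Review bot: The error returned by `checker.GetClients` (L475–L478) is never examined — the next use of `err` is the `:=` at L525, which reassigns it — so a failed client setup (bad token, unreachable repo) proceeds into `pkg.RunScorecards` with nil clients; add `if err != nil {` / `return fmt.Errorf("creating clients for %q: %w", repoURL, err)` / `}` directly after the call, and consider deferring `Close()` on the returned repo clients the way the main scorecard CLI does, if they expose it. The evaluation error at L572 drops `err` and formats `image`, which the `verify` command never binds (only `addSignFlags` registers `--image`), so the message reads `image ""`; prefer `fmt.Errorf("evaluating %s@%s against policy: %w", repoURL, commitSHA, err)`, and likewise drop the trailing colon at L581 and wrap with `%w` instead of `%v` at L406. Checks that a policy marks required but that are absent from the hard-coded `enabledChecks` map (L488–L500) are silently never run, so `EvaluateResults` sees raw results without that data; returning an error for any name in `requiredChecks` that is missing from `enabledChecks` would make that explicit. The log lines at L432 and L464 read "Found repo URL %s Cloud Build environment" — a missing "in".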
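--- /dev/null
+++ b/attestor/command/cli.go
@@ -0,0 +1,108 @@
+// Copyright 2022 Security Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package pkg defines fns for running Scorecard checks on a Repo.
+
+package command
+
+import (
+"fmt"
+"os"
+
+"github.com/spf13/cobra"
+)
+
+var (
+// input flags
+repoURL string
+commitSHA string
+mode string
+image string
+policyPath string
+attestationProject string
+overwrite bool
+// input flags: pgp key flags
+pgpPriKeyPath string
+pgpPassphrase string
+// pkix key flags
+pkixPriKeyPath string
+pkixAlg string
+
+// input flags: kms flags
+kmsKeyName string
+kmsDigestAlg string
+)
+
+func addCheckFlags(cmd *cobra.Command) {
+cmd.PersistentFlags().StringVar(&policyPath, "policy", "", "(required for check) scorecard attestation policy file path, e.g., /tmp/policy-binauthz.yml")
+cmd.MarkPersistentFlagRequired("policy")
+cmd.PersistentFlags().StringVar(&repoURL, "repo-url", "", "Repo URL from which source was built")
+cmd.MarkPersistentFlagRequired("repo-url")
+cmd.PersistentFlags().StringVar(&commitSHA, "commit", "", "Git SHA at which image was built")
+}
+
+func addSignFlags(cmd *cobra.Command) {
+cmd.PersistentFlags().StringVar(&image, "image", "", "Image url, e.g., gcr.io/foo/bar@sha256:abcd")
+cmd.MarkPersistentFlagRequired("image")
+cmd.PersistentFlags().StringVar(&attestationProject, "attestation-project", "", "project id for GCP project that stores attestation, use image project if set to empty")
+cmd.PersistentFlags().BoolVar(&overwrite, "overwrite", false, "overwrite attestation if already existed (default false)")
+cmd.PersistentFlags().StringVar(&kmsKeyName, "kms-key-name", "", "kms key name, in the format of in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*")
+cmd.PersistentFlags().StringVar(&kmsDigestAlg, "kms-digest-alg", "", "kms digest algorithm, must be one of SHA256|SHA384|SHA512, and the same as specified by the key version's algorithm")
+cmd.PersistentFlags().StringVar(&pgpPriKeyPath, "pgp-private-key", "", "pgp private signing key path, e.g., /dev/shm/key.pgp")
+cmd.PersistentFlags().StringVar(&pgpPassphrase, "pgp-passphrase", "", "passphrase for pgp private key, if any")
+cmd.PersistentFlags().StringVar(&pkixPriKeyPath, "pkix-private-key", "", "pkix private signing key path, e.g., /dev/shm/key.pem")
+cmd.PersistentFlags().StringVar(&pkixAlg, "pkix-alg", "", "pkix signature algorithm, e.g., ecdsa-p256-sha256")
+
+}
+
+// Export for testability
+var RootCmd = &cobra.Command{
+Use: "scorecard-attestor",
+Short: "scorecard-attestor generates attestations based on scorecard results",
+}
+
+var checkAndSignCmd = &cobra.Command{
+Use: "attest",
+Short: "Run scorecard and sign a container image according to policy",
+RunE: func(cmd *cobra.Command, args []string) error {
+if err := runCheck(); err != nil {
+return err
+}
+return runSign()
+},
+}
+
+var checkCmd = &cobra.Command{
+Use: "verify",
+Short: "Run scorecard and check an image against a policy",
+RunE: func(cmd *cobra.Command, args []string) error {
+return runCheck()
+},
+}
+
+func init() {
+RootCmd.AddCommand(checkCmd, checkAndSignCmd)
+
+addCheckFlags(checkAndSignCmd)
+addSignFlags(checkAndSignCmd)
+
+addCheckFlags(checkCmd)
+}
+
+func Execute() {
+if err := RootCmd.Execute(); err != nil {
+fmt.Println(err)
+os.Exit(1)
+}
+}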
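Review bot: `--pgp-passphrase` (L782) takes the key passphrase on the command line, where it shows up in the build host's process listing, shell history and any CI step log that echoes the command; prefer reading it from an environment variable or a file, as the key itself is already passed by path at L779, e.g. `cmd.PersistentFlags().StringVar(&pgpPassphraseFile, "pgp-passphrase-file", "", "path to a file holding the passphrase for the pgp private key, if any")` (name constructed). The comment at L645 says `Package pkg` and is separated from `package command` by a blank line, so godoc does not attach it; replace it with `// Package command implements the scorecard-attestor CLI: flag parsing and the verify/attest cobra commands.` directly above L650. `MarkPersistentFlagRequired` returns an error that is ignored at L741, L747 and L764 (it only fails for an unknown flag name, so `_ =` with a short comment is enough), the help text at L773 repeats "in the format of in the format", and `mode` (L686) is declared but never bound or read. `Execute` (L900) prints the error with `fmt.Println` to stdout while cobra already reports `RunE` errors to stderr unless `SilenceErrors` is set, so failures appear twice; set `SilenceErrors: true` and `SilenceUsage: true` on `RootCmd`, or drop the `Println`.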
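--- /dev/null
+++ b/attestor/command/sign.go
@@ -0,0 +1,105 @@
+// Copyright 2022 Security Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package command
+
+import (
+"fmt"
+"io/ioutil"
+
+"github.com/grafeas/kritis/pkg/attestlib"
+"github.com/grafeas/kritis/pkg/kritis/metadata/containeranalysis"
+"github.com/grafeas/kritis/pkg/kritis/signer"
+"github.com/grafeas/kritis/pkg/kritis/util"
+sclog "github.com/ossf/scorecard/v4/log"
+)
+
+const scorecardNoteID = "ossf-scorecard-attestation"
+
+func runSign() error {
+logger := sclog.NewLogger(sclog.DefaultLevel)
+
+// Create a client
+client, err := containeranalysis.New()
+if err != nil {
+return fmt.Errorf("could not initialize the client %v", err)
+}
+
+// Read the signing credentials
+// Either kmsKeyName or pgpPriKeyPath needs to be set
+if kmsKeyName == "" && pgpPriKeyPath == "" && pkixPriKeyPath == "" {
+return fmt.Errorf("neither kms_key_name, pgp_private_key, or pkix_private_key is specified")
+}
+var cSigner attestlib.Signer
+if kmsKeyName != "" {
+logger.Info(fmt.Sprintf("Using kms key %s for signing.", kmsKeyName))
+if kmsDigestAlg == "" {
+return fmt.Errorf("kms_digest_alg is unspecified, must be one of SHA256|SHA384|SHA512, and the same as specified by the key version's algorithm")
+}
+cSigner, err = signer.NewCloudKmsSigner(kmsKeyName, signer.DigestAlgorithm(kmsDigestAlg))
+if err != nil {
+return fmt.Errorf("creating kms signer failed: %v\n", err)
+}
+} else if pgpPriKeyPath != "" {
+logger.Info("Using pgp key for signing.")
+signerKey, err := ioutil.ReadFile(pgpPriKeyPath)
+if err != nil {
+return fmt.Errorf("fail to read signer key: %v\n", err)
+}
+// Create a cryptolib signer
+cSigner, err = attestlib.NewPgpSigner(signerKey, pgpPassphrase)
+if err != nil {
+return fmt.Errorf("creating pgp signer failed: %v\n", err)
+}
+} else {
+logger.Info("Using pkix key for signing.")
+signerKey, err := ioutil.ReadFile(pkixPriKeyPath)
+if err != nil {
+return fmt.Errorf("fail to read signer key: %v\n", err)
+}
+sAlg := attestlib.ParseSignatureAlgorithm(pkixAlg)
+if sAlg == attestlib.UnknownSigningAlgorithm {
+return fmt.Errorf("empty or unknown PKIX signature algorithm: %s\n", pkixAlg)
+}
+cSigner, err = attestlib.NewPkixSigner(signerKey, sAlg, "")
+if err != nil {
+return fmt.Errorf("creating pkix signer failed: %v\n", err)
+}
+}
+
+// Parse attestation project
+if attestationProject == "" {
+attestationProject = util.GetProjectFromContainerImage(image)
+logger.Info(fmt.Sprintf("Using image project as attestation project: %s\n", attestationProject))
+} else {
+logger.Info(fmt.Sprintf("Using specified attestation project: %s\n", attestationProject))
+}
+
+// Check note name
+scorecardNoteName := fmt.Sprintf("projects/%s/notes/%s", attestationProject, scorecardNoteID)
+
+err = util.CheckNoteName(scorecardNoteName)
+if err != nil {
+return fmt.Errorf("note name is invalid %v", err)
+}
+
+// Create signer
+r := signer.New(client, cSigner, scorecardNoteName, attestationProject, overwrite)
+// Sign image
+err = r.SignImage(image)
+if err != nil {
+return fmt.Errorf("signing image failed: %v", err)
+}
+return nil
+}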
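Review bot: The error messages at L1036 and L1054 name `kms_key_name`, `pgp_private_key`, `pkix_private_key` and `kms_digest_alg`, but the flags registered in cli.go are `--kms-key-name`, `--pgp-private-key`, `--pkix-private-key` and `--kms-digest-alg`, so a user following the message passes a flag that does not exist; use the hyphenated names, e.g. `return fmt.Errorf("one of --kms-key-name, --pgp-private-key or --pkix-private-key must be specified")`. The error strings at L1066, L1084, L1099, L1117, L1129 and L1141 end in `\n` and wrap with `%v`; drop the newline and use `%w` so the caller can unwrap. `io/ioutil` (L972) is deprecated since Go 1.16 and the module declares go 1.19 (L1404), so `os.ReadFile` is the drop-in at L1078 and L1111. Nothing in this function ties the attestation to what `runCheck` actually evaluated — the repo URL, commit and policy path are package globals that are neither logged nor recorded here — so at minimum logging them next to the `SignImage` call at L1206 would let someone auditing the attestation correlate it with the scorecard run (whether kritis stores any of this in the occurrence is not visible here).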
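--- /dev/null
+++ b/attestor/e2e/command_test.go
@@ -0,0 +1,59 @@
+// Copyright 2022 Security Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package e2e
+
+import (
+"bytes"
+"strings"
+"testing"
+
+"github.com/ossf/scorecard-attestor/command"
+"github.com/spf13/cobra"
+)
+
+func execute(t *testing.T, c *cobra.Command, args ...string) (string, error) {
+t.Helper()
+
+buf := new(bytes.Buffer)
+c.SetOut(buf)
+c.SetErr(buf)
+c.SetArgs(args)
+
+err := c.Execute()
+return strings.TrimSpace(buf.String()), err
+}
+
+func TestRootCmd(t *testing.T) {
+tt := []struct {
+name string
+args []string
+}{
+{
+name: "test check-only from root",
+args: []string{
+"verify",
+"--policy=../policy/testdata/policy-binauthz.yaml",
+"--repo-url=https://github.com/ossf-tests/scorecard",
+},
+},
+}
+
+for _, tc := range tt {
+_, err := execute(t, command.RootCmd, tc.args...)
+
+if err != nil {
+t.Fatalf("%s: %s", tc.name, err)
+}
+}
+}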
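Review bot: The flag values are package globals bound with `StringVar` in cli.go, so whatever one table entry sets (for instance `--commit`) persists into the next `execute` call; with a single case this is harmless, but as entries are added a case that omits a flag inherits the previous value. Run each entry under `t.Run(tc.name, func(t *testing.T) { ... })` and reset the bound flags between cases rather than calling `t.Fatalf` inside the loop. `execute` captures cobra's out/err writers (L1312–L1315), but `runCheck` logs through `sclog`, which this diff does not redirect, so the returned string — discarded at L1381 anyway — will not contain the run's log output. Since the case hits the network and needs `GITHUB_AUTH_TOKEN`, consider `t.Skip` when the token is unset so a plain `go test ./...` in `attestor/` does not fail locally.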
102
attestor/go.mod
102
attestor/go.mod
@ -4,44 +4,112 @@ go 1.19
|
||||
|
||||
require (
|
||||
github.com/ossf/scorecard/v4 v4.6.0
|
||||
github.com/spf13/cobra v1.6.1
|
||||
gopkg.in/yaml.v2 v2.4.0
|
||||
)
|
||||
|
||||
require (
|
||||
cloud.google.com/go v0.102.1 // indirect
|
||||
cloud.google.com/go/compute v1.7.0 // indirect
|
||||
cloud.google.com/go/iam v0.3.0 // indirect
|
||||
cloud.google.com/go/storage v1.23.0 // indirect
|
||||
cloud.google.com/go/kms v1.4.0 // indirect
|
||||
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
|
||||
github.com/Azure/go-autorest/autorest v0.11.22 // indirect
|
||||
github.com/Azure/go-autorest/autorest/adal v0.9.17 // indirect
|
||||
github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
|
||||
github.com/Azure/go-autorest/logger v0.2.1 // indirect
|
||||
github.com/Azure/go-autorest/tracing v0.6.0 // indirect
|
||||
github.com/Masterminds/semver/v3 v3.1.1 // indirect
|
||||
github.com/caarlos0/env/v6 v6.10.0 // indirect
|
||||
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
|
||||
github.com/containerd/stargz-snapshotter/estargz v0.12.1 // indirect
|
||||
github.com/containerd/typeurl v1.0.2 // indirect
|
||||
github.com/davecgh/go-spew v1.1.1 // indirect
|
||||
github.com/docker/cli v20.10.20+incompatible // indirect
|
||||
github.com/docker/distribution v2.8.1+incompatible // indirect
|
||||
github.com/docker/docker v20.10.20+incompatible // indirect
|
||||
github.com/docker/docker-credential-helpers v0.7.0 // indirect
|
||||
github.com/fatih/color v1.13.0 // indirect
|
||||
github.com/gogo/protobuf v1.3.2 // indirect
|
||||
github.com/google/go-containerregistry v0.12.0 // indirect
|
||||
github.com/google/gofuzz v1.1.0 // indirect
|
||||
github.com/googleapis/gnostic v0.2.2 // indirect
|
||||
github.com/gophercloud/gophercloud v0.1.0 // indirect
|
||||
github.com/h2non/filetype v1.1.3 // indirect
|
||||
github.com/hashicorp/golang-lru v0.5.4 // indirect
|
||||
github.com/imdario/mergo v0.3.12 // indirect
|
||||
github.com/inconshreveable/mousetrap v1.0.1 // indirect
|
||||
github.com/json-iterator/go v1.1.11 // indirect
|
||||
github.com/klauspost/compress v1.15.11 // indirect
|
||||
github.com/mattn/go-colorable v0.1.12 // indirect
|
||||
github.com/mattn/go-isatty v0.0.14 // indirect
|
||||
github.com/mattn/go-runewidth v0.0.13 // indirect
|
||||
github.com/mitchellh/go-homedir v1.1.0 // indirect
|
||||
github.com/moby/buildkit v0.10.3 // indirect
|
||||
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
|
||||
github.com/modern-go/reflect2 v1.0.1 // indirect
|
||||
github.com/olekukonko/tablewriter v0.0.5 // indirect
|
||||
github.com/opencontainers/go-digest v1.0.0 // indirect
|
||||
github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
|
||||
github.com/pkg/errors v0.9.1 // indirect
|
||||
github.com/rhysd/actionlint v1.6.15 // indirect
|
||||
github.com/rivo/uniseg v0.2.0 // indirect
|
||||
github.com/robfig/cron v1.2.0 // indirect
|
||||
github.com/spf13/pflag v1.0.5 // indirect
|
||||
github.com/vbatts/tar-split v0.11.2 // indirect
|
||||
golang.org/x/sync v0.1.0 // indirect
|
||||
golang.org/x/term v0.1.0 // indirect
|
||||
golang.org/x/time v0.0.0-20220922220347-f3bd1da661af // indirect
|
||||
gopkg.in/inf.v0 v0.9.1 // indirect
|
||||
gopkg.in/yaml.v3 v3.0.1 // indirect
|
||||
k8s.io/api v0.18.8 // indirect
|
||||
k8s.io/apimachinery v0.18.8 // indirect
|
||||
k8s.io/client-go v0.18.8 // indirect
|
||||
k8s.io/klog v1.0.0 // indirect
|
||||
k8s.io/klog/v2 v2.80.1 // indirect
|
||||
k8s.io/utils v0.0.0-20211116205334-6203023598ed // indirect
|
||||
mvdan.cc/sh/v3 v3.5.1 // indirect
|
||||
sigs.k8s.io/release-utils v0.6.0 // indirect
|
||||
sigs.k8s.io/structured-merge-diff/v3 v3.0.0 // indirect
|
||||
sigs.k8s.io/yaml v1.2.0 // indirect
|
||||
)
|
||||
|
||||
require (
|
||||
cloud.google.com/go v0.104.0 // indirect
|
||||
cloud.google.com/go/compute v1.10.0 // indirect
|
||||
cloud.google.com/go/containeranalysis v0.6.0 // indirect
|
||||
cloud.google.com/go/iam v0.5.0 // indirect
|
||||
cloud.google.com/go/storage v1.27.0 // indirect
|
||||
github.com/bombsimon/logrusr/v2 v2.0.1 // indirect
|
||||
github.com/bradleyfalzon/ghinstallation/v2 v2.1.0 // indirect
|
||||
github.com/go-logr/logr v1.2.3 // indirect
|
||||
github.com/gobwas/glob v0.2.3
|
||||
github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
|
||||
github.com/golang/glog v1.0.0 // indirect
|
||||
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
|
||||
github.com/golang/protobuf v1.5.2 // indirect
|
||||
github.com/google/go-cmp v0.5.8 // indirect
|
||||
github.com/google/go-cmp v0.5.9 // indirect
|
||||
github.com/google/go-github/v38 v38.1.0 // indirect
|
||||
github.com/google/go-github/v45 v45.2.0 // indirect
|
||||
github.com/google/go-querystring v1.1.0 // indirect
|
||||
github.com/google/uuid v1.3.0 // indirect
|
||||
github.com/google/wire v0.5.0 // indirect
|
||||
github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
|
||||
github.com/googleapis/gax-go/v2 v2.5.1 // indirect
|
||||
github.com/googleapis/go-type-adapters v1.0.0 // indirect
|
||||
github.com/googleapis/enterprise-certificate-proxy v0.2.0 // indirect
|
||||
github.com/googleapis/gax-go/v2 v2.6.0 // indirect
|
||||
github.com/grafeas/kritis v0.2.3-0.20210120183821-faeba81c520c
|
||||
github.com/shurcooL/githubv4 v0.0.0-20201206200315-234843c633fa // indirect
|
||||
github.com/shurcooL/graphql v0.0.0-20200928012149-18c5c3165e3a // indirect
|
||||
github.com/sirupsen/logrus v1.9.0 // indirect
|
||||
go.opencensus.io v0.23.0 // indirect
|
||||
gocloud.dev v0.26.0 // indirect
|
||||
golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 // indirect
|
||||
golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
|
||||
golang.org/x/oauth2 v0.0.0-20220718184931-c8730f7fcb92 // indirect
|
||||
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
|
||||
golang.org/x/text v0.3.7 // indirect
|
||||
golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
|
||||
google.golang.org/api v0.92.0 // indirect
|
||||
golang.org/x/crypto v0.1.0 // indirect
|
||||
golang.org/x/net v0.1.0 // indirect
|
||||
golang.org/x/oauth2 v0.1.0 // indirect
|
||||
golang.org/x/sys v0.1.0 // indirect
|
||||
golang.org/x/text v0.4.0 // indirect
|
||||
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
|
||||
google.golang.org/api v0.99.0 // indirect
|
||||
google.golang.org/appengine v1.6.7 // indirect
|
||||
google.golang.org/genproto v0.0.0-20220812140447-cec7f5303424 // indirect
|
||||
google.golang.org/grpc v1.48.0 // indirect
|
||||
google.golang.org/genproto v0.0.0-20221014173430-6e2ab493f96b // indirect
|
||||
google.golang.org/grpc v1.50.1 // indirect
|
||||
google.golang.org/protobuf v1.28.1 // indirect
|
||||
)
|
||||
|
||||
replace github.com/ossf/scorecard/v4 => ../
|
||||
|
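Review bot: `github.com/grafeas/kritis` is added as a direct dependency at a commit pseudo-version (`v0.2.3-0.20210120183821-faeba81c520c`, L1704) rather than a tagged release, and it is what brings the k8s.io/*, Azure autorest, docker and moby/buildkit modules listed in this hunk into a tool whose only job is to sign images; a comment next to the require line naming why that exact commit is pinned, and a check whether a tagged release exists, would make the supply-chain choice reviewable later. `github.com/grafeas/kritis` and `github.com/gobwas/glob` (L1653) lack `// indirect` yet sit in the indirect `require` block, which suggests `go mod tidy` was not run after the last edit; tidy would move them up to the direct block at L1409.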
622
attestor/go.sum
622
attestor/go.sum
@ -36,12 +36,23 @@ type AttestationPolicy struct {
|
||||
AllowedBinaryArtifacts []string `yaml:"allowedBinaryArtifacts"`
|
||||
}
|
||||
|
||||
// Run attestation policy checks on raw data.
|
||||
func RunChecksForPolicy(policy *AttestationPolicy, raw *checker.RawResults,
|
||||
dl checker.DetailLogger,
|
||||
) (PolicyResult, error) {
|
||||
if policy.PreventBinaryArtifacts {
|
||||
checkResult, err := CheckPreventBinaryArtifacts(policy.AllowedBinaryArtifacts, raw, dl)
|
||||
// Allows us to run fewer scorecard checks if some policy values
|
||||
// are don't-cares
|
||||
func (ap *AttestationPolicy) GetRequiredChecksForPolicy() map[string]bool {
|
||||
requiredChecks := make(map[string]bool)
|
||||
|
||||
if ap.PreventBinaryArtifacts {
|
||||
requiredChecks["BinaryArtifacts"] = true
|
||||
}
|
||||
|
||||
return requiredChecks
|
||||
}
|
||||
|
||||
// Run attestation policy checks on raw data
|
||||
func (ap *AttestationPolicy) EvaluateResults(raw *checker.RawResults) (PolicyResult, error) {
|
||||
dl := checker.NewLogger()
|
||||
if ap.PreventBinaryArtifacts {
|
||||
checkResult, err := CheckPreventBinaryArtifacts(ap.AllowedBinaryArtifacts, raw, dl)
|
||||
|
||||
if !checkResult || err != nil {
|
||||
return checkResult, err
|
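Review bot: `EvaluateResults` (L1862) creates `dl := checker.NewLogger()` at L1865 and hands it to `CheckPreventBinaryArtifacts`, but nothing in the hunk reads the collected details back, so when the policy fails the reasons logged to `dl` are dropped and the caller only sees a generic failure; the function continues past the hunk, so disregard if the details are surfaced there, otherwise log or return them so a rejected attestation can be diagnosed. This hunk's file header is not shown in this rendering (it follows the suppressed go.sum diff), so the path is inferred from the `AttestationPolicy` receiver. Both new exported methods lack a doc comment starting with their name: `// GetRequiredChecksForPolicy returns the scorecard check names this policy depends on, so callers can skip the rest.` above L1832, and `// EvaluateResults runs the attestation policy checks on raw scorecard results.` replacing L1859.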
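--- /dev/null
+++ b/attestor/root.go
@@ -0,0 +1,21 @@
+// Copyright 2022 Security Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import "github.com/ossf/scorecard-attestor/command"
+
+func main() {
+command.Execute()
+}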