🐛 Disable pinning lock file search in repo (#1315)

* fix

* linter

* linter

* linter

* comment
This commit is contained in:
laurentsimon 2021-12-03 16:44:09 -08:00 committed by GitHub
parent 9f7e682fe6
commit afe55a83c1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 3 deletions


@ -45,10 +45,15 @@ func init() {
// PinnedDependencies will check the repository if it contains frozen dependecies.
func PinnedDependencies(c *checker.CheckRequest) checker.CheckResult {
// Lock file.
/* WARNING: this code is inherently incorrect:
- does not differentiate between libs and main
- only looks at root folder.
=> disabling to avoid false positives.
lockScore, lockErr := isPackageManagerLockFilePresent(c)
if lockErr != nil {
return checker.CreateRuntimeErrorResult(CheckPinnedDependencies, lockErr)
}
*/
// GitHub actions.
actionScore, actionErr := isGitHubActionsWorkflowPinned(c)
@ -81,13 +86,12 @@ func PinnedDependencies(c *checker.CheckRequest) checker.CheckResult {
}
// Scores may be inconclusive.
lockScore = maxScore(0, lockScore)
actionScore = maxScore(0, actionScore)
dockerFromScore = maxScore(0, dockerFromScore)
dockerDownloadScore = maxScore(0, dockerDownloadScore)
scriptScore = maxScore(0, scriptScore)
actionScriptScore = maxScore(0, actionScriptScore)
score := checker.AggregateScores(lockScore, actionScore, dockerFromScore,
score := checker.AggregateScores(actionScore, dockerFromScore,
dockerDownloadScore, scriptScore, actionScriptScore)
if score == checker.MaxResultScore {
@ -629,6 +633,7 @@ func addWorkflowPinnedResult(w *worklowPinningResult, to, isGitHub bool) {
}
// Check presence of lock files thru validatePackageManagerFile().
//nolint:unused,deadcode
func isPackageManagerLockFilePresent(c *checker.CheckRequest) (int, error) {
var r pinnedResult
err := fileparser.CheckIfFileExists(CheckPinnedDependencies, c, validatePackageManagerFile, &r)
@ -646,6 +651,7 @@ func isPackageManagerLockFilePresent(c *checker.CheckRequest) (int, error) {
// validatePackageManagerFile will validate the if frozen dependecies file name exists.
// TODO(laurent): need to differentiate between libraries and programs.
// TODO(laurent): handle multi-language repos.
//nolint:unused
func validatePackageManagerFile(name string, dl checker.DetailLogger, data fileparser.FileCbData) (bool, error) {
switch strings.ToLower(name) {
// TODO(laurent): "go.mod" is for libraries
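Review bot: The lock-file check is disabled by wrapping the call in a `/* ... */` block right after `// Lock file.`, which leaves dead code in the body of PinnedDependencies while its doc comment still says the function checks for frozen dependency files. Commented-out code kept alive with `//nolint:unused,deadcode` suppressions tends to rot; either delete the four call lines together with the two now-unreachable helpers (history keeps them) or keep the WARNING as a `//` comment that names the tracking issue for the libs-vs-main and subfolder work, e.g. `// Lock-file detection is disabled: it does not distinguish libraries from programs and only inspects the repository root, which produced false positives. Tracked in [ISSUE-PLACEHOLDER].`. The doc comment on `PinnedDependencies` should also state what is actually scored now, e.g. `// PinnedDependencies checks that GitHub Actions, Dockerfile images, and downloaded scripts are pinned; lock-file detection is currently disabled.`, so a reader does not expect lock files to contribute to the aggregate. PinnedDependencies' body continues past the hunk.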


@ -46,7 +46,7 @@ var _ = Describe("E2E TEST:"+checks.CheckPinnedDependencies, func() {
expected := scut.TestReturn{
Error: nil,
Score: 3,
NumberOfWarn: 150,
NumberOfWarn: 149,
NumberOfInfo: 2,
NumberOfDebug: 0,
}