✨ Comply with GH-specific rules for SARIF (#1379)
* GH-specific validation rules * fix * fix
This commit is contained in:
parent
a0513aa877
commit
ca97581538
27
pkg/sarif.go
27
pkg/sarif.go
@ -25,6 +25,7 @@ import (
|
||||
"go.uber.org/zap/zapcore"
|
||||
|
||||
"github.com/ossf/scorecard/v3/checker"
|
||||
"github.com/ossf/scorecard/v3/checks"
|
||||
docs "github.com/ossf/scorecard/v3/docs/checks"
|
||||
sce "github.com/ossf/scorecard/v3/errors"
|
||||
spol "github.com/ossf/scorecard/v3/policy"
|
||||
@ -457,11 +458,15 @@ func contains(l []string, elt string) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
func computeCategory(repos []string) (string, error) {
|
||||
func computeCategory(checkName string, repos []string) (string, error) {
|
||||
// In terms of sets, local < Git-local < GitHub.
|
||||
switch {
|
||||
default:
|
||||
return "", sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("repo types not supported: %v", repos))
|
||||
case checkName == checks.CheckBranchProtection:
|
||||
// This is a special case to be give us more flexibility to move this check around
|
||||
// and run it on different GitHub triggers.
|
||||
return strings.ToLower(checks.CheckBranchProtection), nil
|
||||
case contains(repos, "local"):
|
||||
return "local", nil
|
||||
// Note: Git-local is not supported by any checks yet.
|
||||
@ -489,6 +494,13 @@ func createSARIFRuns(runs map[string]*run) []run {
|
||||
return res
|
||||
}
|
||||
|
||||
func createCheckIdentifiers(name string) (string, string) {
|
||||
// Identifier must be in Pascal case.
|
||||
// We keep the check name the same as the one used in the documentation.
|
||||
n := strings.ReplaceAll(name, "-", "")
|
||||
return name, fmt.Sprintf("%sID", n)
|
||||
}
|
||||
|
||||
// AsSARIF outputs ScorecardResult in SARIF 2.1.0 format.
|
||||
func (r *ScorecardResult) AsSARIF(showDetails bool, logLevel zapcore.Level,
|
||||
writer io.Writer, checkDocs docs.Doc, policy *spol.ScorecardPolicy) error {
|
||||
@ -507,11 +519,13 @@ func (r *ScorecardResult) AsSARIF(showDetails bool, logLevel zapcore.Level,
|
||||
return sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("GetCheck: %v: %s", err, check.Name))
|
||||
}
|
||||
|
||||
sarifCheckName, sarifCheckID := createCheckIdentifiers(check.Name)
|
||||
|
||||
// We need to create a run entry even if the check is disabled or the policy is satisfied.
|
||||
// The reason is the following: if a check has findings and is later fixed by a user,
|
||||
// the absence of run for the check will indicate that the check was *not* run,
|
||||
// so GitHub would keep the findings in the dahsboard. We don't want that.
|
||||
category, err := computeCategory(doc.GetSupportedRepoTypes())
|
||||
category, err := computeCategory(sarifCheckName, doc.GetSupportedRepoTypes())
|
||||
if err != nil {
|
||||
return sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("computeCategory: %v: %s", err, check.Name))
|
||||
}
|
||||
@ -521,14 +535,15 @@ func (r *ScorecardResult) AsSARIF(showDetails bool, logLevel zapcore.Level,
|
||||
// Always add rules to indicate which checks were run.
|
||||
// We don't have so many rules, so this should not clobber the output too much.
|
||||
// See https://github.com/github/codeql-action/issues/810.
|
||||
checkID := check.Name
|
||||
rule := createSARIFRule(check.Name, checkID,
|
||||
rule := createSARIFRule(sarifCheckName, sarifCheckID,
|
||||
doc.GetDocumentationURL(r.Scorecard.CommitSHA),
|
||||
doc.GetDescription(), doc.GetShort(), doc.GetRisk(),
|
||||
doc.GetRemediation(), doc.GetTags())
|
||||
run.Tool.Driver.Rules = append(run.Tool.Driver.Rules, rule)
|
||||
|
||||
// Check the policy configuration.
|
||||
// Here we need to use check.Name instead of sarifCheckName since
|
||||
// we need to original check's name.
|
||||
minScore, enabled, err := getCheckPolicyInfo(policy, check.Name)
|
||||
if err != nil {
|
||||
return err
|
||||
@ -562,12 +577,12 @@ func (r *ScorecardResult) AsSARIF(showDetails bool, logLevel zapcore.Level,
|
||||
if len(locs) == 0 {
|
||||
locs = addDefaultLocation(locs, "no file available")
|
||||
// Use the `reason` as message.
|
||||
cr := createSARIFCheckResult(RuleIndex, checkID, check.Reason, &locs[0])
|
||||
cr := createSARIFCheckResult(RuleIndex, sarifCheckID, check.Reason, &locs[0])
|
||||
run.Results = append(run.Results, cr)
|
||||
} else {
|
||||
for _, loc := range locs {
|
||||
// Use the location's message (check's detail's message) as message.
|
||||
cr := createSARIFCheckResult(RuleIndex, checkID, loc.Message.Text, &loc)
|
||||
cr := createSARIFCheckResult(RuleIndex, sarifCheckID, loc.Message.Text, &loc)
|
||||
run.Results = append(run.Results, cr)
|
||||
}
|
||||
}
|
||||
|
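Review bot: `computeCategory` at `category, err := computeCategory(sarifCheckName, doc.GetSupportedRepoTypes())` is given the SARIF name, yet its new special case compares against the original check constant `checks.CheckBranchProtection`; this only works because `createCheckIdentifiers` currently returns the name unchanged, and the comment a few lines below says `check.Name` must be used wherever the original name is needed. Passing the original name here too, `category, err := computeCategory(check.Name, doc.GetSupportedRepoTypes())`, keeps the Branch-Protection category from silently falling through to the repo-type cases if the SARIF name is ever transformed. `createCheckIdentifiers` also states `// Identifier must be in Pascal case.` but only strips `-`, so it relies on check names already being hyphen-joined Pascal-case words; a comment making that contract explicit, e.g. `// Assumes check names are hyphen-separated Pascal-case words, e.g. "Branch-Protection" -> "BranchProtectionID".`, would help the next maintainer. Renaming every rule id from the check name to the `...ID` form presumably changes the key GitHub code scanning uses to track alerts, so existing alerts will likely be closed and re-created once — worth a line in the commit message if that is intended. AsSARIF starts and ends outside this hunk.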
4
pkg/testdata/check1.sarif
vendored
4
pkg/testdata/check1.sarif
vendored
@ -13,7 +13,7 @@
|
||||
"semanticVersion": "1.2.3",
|
||||
"rules": [
|
||||
{
|
||||
"id": "Check-Name",
|
||||
"id": "CheckNameID",
|
||||
"name": "Check-Name",
|
||||
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name",
|
||||
"shortDescription": {
|
||||
@ -44,7 +44,7 @@
|
||||
},
|
||||
"results": [
|
||||
{
|
||||
"ruleId": "Check-Name",
|
||||
"ruleId": "CheckNameID",
|
||||
"ruleIndex": 0,
|
||||
"message": {
|
||||
"text": "warn message"
|
||||
|
4
pkg/testdata/check2.sarif
vendored
4
pkg/testdata/check2.sarif
vendored
@ -13,7 +13,7 @@
|
||||
"semanticVersion": "1.2.3",
|
||||
"rules": [
|
||||
{
|
||||
"id": "Check-Name",
|
||||
"id": "CheckNameID",
|
||||
"name": "Check-Name",
|
||||
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name",
|
||||
"shortDescription": {
|
||||
@ -44,7 +44,7 @@
|
||||
},
|
||||
"results": [
|
||||
{
|
||||
"ruleId": "Check-Name",
|
||||
"ruleId": "CheckNameID",
|
||||
"ruleIndex": 0,
|
||||
"message": {
|
||||
"text": "warn message"
|
||||
|
12
pkg/testdata/check3.sarif
vendored
12
pkg/testdata/check3.sarif
vendored
@ -13,7 +13,7 @@
|
||||
"semanticVersion": "1.2.3",
|
||||
"rules": [
|
||||
{
|
||||
"id": "Check-Name",
|
||||
"id": "CheckNameID",
|
||||
"name": "Check-Name",
|
||||
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name",
|
||||
"shortDescription": {
|
||||
@ -40,7 +40,7 @@
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "Check-Name2",
|
||||
"id": "CheckName2ID",
|
||||
"name": "Check-Name2",
|
||||
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name2",
|
||||
"shortDescription": {
|
||||
@ -68,7 +68,7 @@
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "Check-Name3",
|
||||
"id": "CheckName3ID",
|
||||
"name": "Check-Name3",
|
||||
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name3",
|
||||
"shortDescription": {
|
||||
@ -101,7 +101,7 @@
|
||||
},
|
||||
"results": [
|
||||
{
|
||||
"ruleId": "Check-Name",
|
||||
"ruleId": "CheckNameID",
|
||||
"ruleIndex": 0,
|
||||
"message": {
|
||||
"text": "warn message"
|
||||
@ -124,7 +124,7 @@
|
||||
]
|
||||
},
|
||||
{
|
||||
"ruleId": "Check-Name2",
|
||||
"ruleId": "CheckName2ID",
|
||||
"ruleIndex": 1,
|
||||
"message": {
|
||||
"text": "warn message"
|
||||
@ -150,7 +150,7 @@
|
||||
]
|
||||
},
|
||||
{
|
||||
"ruleId": "Check-Name3",
|
||||
"ruleId": "CheckName3ID",
|
||||
"ruleIndex": 2,
|
||||
"message": {
|
||||
"text": "warn message"
|
||||
|
12
pkg/testdata/check4.sarif
vendored
12
pkg/testdata/check4.sarif
vendored
@ -13,7 +13,7 @@
|
||||
"semanticVersion": "1.2.3",
|
||||
"rules": [
|
||||
{
|
||||
"id": "Check-Name",
|
||||
"id": "CheckNameID",
|
||||
"name": "Check-Name",
|
||||
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name",
|
||||
"shortDescription": {
|
||||
@ -40,7 +40,7 @@
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "Check-Name2",
|
||||
"id": "CheckName2ID",
|
||||
"name": "Check-Name2",
|
||||
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name2",
|
||||
"shortDescription": {
|
||||
@ -68,7 +68,7 @@
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "Check-Name3",
|
||||
"id": "CheckName3ID",
|
||||
"name": "Check-Name3",
|
||||
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name3",
|
||||
"shortDescription": {
|
||||
@ -101,7 +101,7 @@
|
||||
},
|
||||
"results": [
|
||||
{
|
||||
"ruleId": "Check-Name",
|
||||
"ruleId": "CheckNameID",
|
||||
"ruleIndex": 0,
|
||||
"message": {
|
||||
"text": "warn message"
|
||||
@ -124,7 +124,7 @@
|
||||
]
|
||||
},
|
||||
{
|
||||
"ruleId": "Check-Name2",
|
||||
"ruleId": "CheckName2ID",
|
||||
"ruleIndex": 1,
|
||||
"message": {
|
||||
"text": "warn message"
|
||||
@ -150,7 +150,7 @@
|
||||
]
|
||||
},
|
||||
{
|
||||
"ruleId": "Check-Name3",
|
||||
"ruleId": "CheckName3ID",
|
||||
"ruleIndex": 2,
|
||||
"message": {
|
||||
"text": "warn message"
|
||||
|
2
pkg/testdata/check5.sarif
vendored
2
pkg/testdata/check5.sarif
vendored
@ -13,7 +13,7 @@
|
||||
"semanticVersion": "1.2.3",
|
||||
"rules": [
|
||||
{
|
||||
"id": "Check-Name",
|
||||
"id": "CheckNameID",
|
||||
"name": "Check-Name",
|
||||
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name",
|
||||
"shortDescription": {
|
||||
|
4
pkg/testdata/check6.sarif
vendored
4
pkg/testdata/check6.sarif
vendored
@ -13,7 +13,7 @@
|
||||
"semanticVersion": "1.2.3",
|
||||
"rules": [
|
||||
{
|
||||
"id": "Check-Name",
|
||||
"id": "CheckNameID",
|
||||
"name": "Check-Name",
|
||||
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name",
|
||||
"shortDescription": {
|
||||
@ -44,7 +44,7 @@
|
||||
},
|
||||
"results": [
|
||||
{
|
||||
"ruleId": "Check-Name",
|
||||
"ruleId": "CheckNameID",
|
||||
"ruleIndex": 0,
|
||||
"message": {
|
||||
"text": "six score reason"
|
||||
|
8
pkg/testdata/check7.sarif
vendored
8
pkg/testdata/check7.sarif
vendored
@ -13,7 +13,7 @@
|
||||
"semanticVersion": "1.2.3",
|
||||
"rules": [
|
||||
{
|
||||
"id": "Check-Name",
|
||||
"id": "CheckNameID",
|
||||
"name": "Check-Name",
|
||||
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name",
|
||||
"shortDescription": {
|
||||
@ -40,7 +40,7 @@
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "Check-Name2",
|
||||
"id": "CheckName2ID",
|
||||
"name": "Check-Name2",
|
||||
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name2",
|
||||
"shortDescription": {
|
||||
@ -68,7 +68,7 @@
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "Check-Name3",
|
||||
"id": "CheckName3ID",
|
||||
"name": "Check-Name3",
|
||||
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name3",
|
||||
"shortDescription": {
|
||||
@ -101,7 +101,7 @@
|
||||
},
|
||||
"results": [
|
||||
{
|
||||
"ruleId": "Check-Name",
|
||||
"ruleId": "CheckNameID",
|
||||
"ruleIndex": 0,
|
||||
"message": {
|
||||
"text": "warn message"
|
||||
|
20
pkg/testdata/check8.sarif
vendored
20
pkg/testdata/check8.sarif
vendored
@ -13,7 +13,7 @@
|
||||
"semanticVersion": "1.2.3",
|
||||
"rules": [
|
||||
{
|
||||
"id": "Check-Name",
|
||||
"id": "CheckNameID",
|
||||
"name": "Check-Name",
|
||||
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name",
|
||||
"shortDescription": {
|
||||
@ -40,7 +40,7 @@
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "Check-Name5",
|
||||
"id": "CheckName5ID",
|
||||
"name": "Check-Name5",
|
||||
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name5",
|
||||
"shortDescription": {
|
||||
@ -73,7 +73,7 @@
|
||||
},
|
||||
"results": [
|
||||
{
|
||||
"ruleId": "Check-Name",
|
||||
"ruleId": "CheckNameID",
|
||||
"ruleIndex": 0,
|
||||
"message": {
|
||||
"text": "warn message"
|
||||
@ -99,7 +99,7 @@
|
||||
]
|
||||
},
|
||||
{
|
||||
"ruleId": "Check-Name",
|
||||
"ruleId": "CheckNameID",
|
||||
"ruleIndex": 0,
|
||||
"message": {
|
||||
"text": "warn message"
|
||||
@ -125,7 +125,7 @@
|
||||
]
|
||||
},
|
||||
{
|
||||
"ruleId": "Check-Name5",
|
||||
"ruleId": "CheckName5ID",
|
||||
"ruleIndex": 1,
|
||||
"message": {
|
||||
"text": "warn message"
|
||||
@ -151,7 +151,7 @@
|
||||
]
|
||||
},
|
||||
{
|
||||
"ruleId": "Check-Name5",
|
||||
"ruleId": "CheckName5ID",
|
||||
"ruleIndex": 1,
|
||||
"message": {
|
||||
"text": "warn message"
|
||||
@ -189,7 +189,7 @@
|
||||
"semanticVersion": "1.2.3",
|
||||
"rules": [
|
||||
{
|
||||
"id": "Check-Name6",
|
||||
"id": "CheckName6ID",
|
||||
"name": "Check-Name6",
|
||||
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name6",
|
||||
"shortDescription": {
|
||||
@ -222,7 +222,7 @@
|
||||
},
|
||||
"results": [
|
||||
{
|
||||
"ruleId": "Check-Name6",
|
||||
"ruleId": "CheckName6ID",
|
||||
"ruleIndex": 0,
|
||||
"message": {
|
||||
"text": "warn message"
|
||||
@ -260,7 +260,7 @@
|
||||
"semanticVersion": "1.2.3",
|
||||
"rules": [
|
||||
{
|
||||
"id": "Check-Name4",
|
||||
"id": "CheckName4ID",
|
||||
"name": "Check-Name4",
|
||||
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name4",
|
||||
"shortDescription": {
|
||||
@ -293,7 +293,7 @@
|
||||
},
|
||||
"results": [
|
||||
{
|
||||
"ruleId": "Check-Name4",
|
||||
"ruleId": "CheckName4ID",
|
||||
"ruleIndex": 0,
|
||||
"message": {
|
||||
"text": "warn message"
|
||||
|