Comply with GH-specific rules for SARIF (#1379)

* GH-specific validation rules

* fix

* fix
laurentsimon 2021-12-13 17:47:57 -08:00 committed by GitHub
parent a0513aa877
commit ca97581538
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 54 additions and 39 deletions


@ -25,6 +25,7 @@ import (
"go.uber.org/zap/zapcore"
"github.com/ossf/scorecard/v3/checker"
"github.com/ossf/scorecard/v3/checks"
docs "github.com/ossf/scorecard/v3/docs/checks"
sce "github.com/ossf/scorecard/v3/errors"
spol "github.com/ossf/scorecard/v3/policy"
@ -457,11 +458,15 @@ func contains(l []string, elt string) bool {
return false
}
func computeCategory(repos []string) (string, error) {
func computeCategory(checkName string, repos []string) (string, error) {
// In terms of sets, local < Git-local < GitHub.
switch {
default:
return "", sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("repo types not supported: %v", repos))
case checkName == checks.CheckBranchProtection:
// This is a special case to be give us more flexibility to move this check around
// and run it on different GitHub triggers.
return strings.ToLower(checks.CheckBranchProtection), nil
case contains(repos, "local"):
return "local", nil
// Note: Git-local is not supported by any checks yet.
@ -489,6 +494,13 @@ func createSARIFRuns(runs map[string]*run) []run {
return res
}
func createCheckIdentifiers(name string) (string, string) {
// Identifier must be in Pascal case.
// We keep the check name the same as the one used in the documentation.
n := strings.ReplaceAll(name, "-", "")
return name, fmt.Sprintf("%sID", n)
}
// AsSARIF outputs ScorecardResult in SARIF 2.1.0 format.
func (r *ScorecardResult) AsSARIF(showDetails bool, logLevel zapcore.Level,
writer io.Writer, checkDocs docs.Doc, policy *spol.ScorecardPolicy) error {
@ -507,11 +519,13 @@ func (r *ScorecardResult) AsSARIF(showDetails bool, logLevel zapcore.Level,
return sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("GetCheck: %v: %s", err, check.Name))
}
sarifCheckName, sarifCheckID := createCheckIdentifiers(check.Name)
// We need to create a run entry even if the check is disabled or the policy is satisfied.
// The reason is the following: if a check has findings and is later fixed by a user,
// the absence of run for the check will indicate that the check was *not* run,
// so GitHub would keep the findings in the dahsboard. We don't want that.
category, err := computeCategory(doc.GetSupportedRepoTypes())
category, err := computeCategory(sarifCheckName, doc.GetSupportedRepoTypes())
if err != nil {
return sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("computeCategory: %v: %s", err, check.Name))
}
@ -521,14 +535,15 @@ func (r *ScorecardResult) AsSARIF(showDetails bool, logLevel zapcore.Level,
// Always add rules to indicate which checks were run.
// We don't have so many rules, so this should not clobber the output too much.
// See https://github.com/github/codeql-action/issues/810.
checkID := check.Name
rule := createSARIFRule(check.Name, checkID,
rule := createSARIFRule(sarifCheckName, sarifCheckID,
doc.GetDocumentationURL(r.Scorecard.CommitSHA),
doc.GetDescription(), doc.GetShort(), doc.GetRisk(),
doc.GetRemediation(), doc.GetTags())
run.Tool.Driver.Rules = append(run.Tool.Driver.Rules, rule)
// Check the policy configuration.
// Here we need to use check.Name instead of sarifCheckName since
// we need to original check's name.
minScore, enabled, err := getCheckPolicyInfo(policy, check.Name)
if err != nil {
return err
@ -562,12 +577,12 @@ func (r *ScorecardResult) AsSARIF(showDetails bool, logLevel zapcore.Level,
if len(locs) == 0 {
locs = addDefaultLocation(locs, "no file available")
// Use the `reason` as message.
cr := createSARIFCheckResult(RuleIndex, checkID, check.Reason, &locs[0])
cr := createSARIFCheckResult(RuleIndex, sarifCheckID, check.Reason, &locs[0])
run.Results = append(run.Results, cr)
} else {
for _, loc := range locs {
// Use the location's message (check's detail's message) as message.
cr := createSARIFCheckResult(RuleIndex, checkID, loc.Message.Text, &loc)
cr := createSARIFCheckResult(RuleIndex, sarifCheckID, loc.Message.Text, &loc)
run.Results = append(run.Results, cr)
}
}
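Review bot: The new `computeCategory(sarifCheckName, ...)` call compares its first argument against `checks.CheckBranchProtection`, which is the original check name, so it only works because `createCheckIdentifiers` currently returns `name` unchanged — and the comment added to the policy lookup two hunks later already states that `check.Name` must be used for exactly that reason. Passing the original name keeps the two call sites consistent and prevents a future change to how SARIF names are derived from silently dropping the Branch-Protection check into the repo-type categories: `category, err := computeCategory(check.Name, doc.GetSupportedRepoTypes())`. The new comment in the special case has a typo, `// This is a special case to be give us more flexibility` should read `// This is a special case to give us more flexibility`. The body of `AsSARIF` continues outside this hunk.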


@ -13,7 +13,7 @@
"semanticVersion": "1.2.3",
"rules": [
{
"id": "Check-Name",
"id": "CheckNameID",
"name": "Check-Name",
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name",
"shortDescription": {
@ -44,7 +44,7 @@
},
"results": [
{
"ruleId": "Check-Name",
"ruleId": "CheckNameID",
"ruleIndex": 0,
"message": {
"text": "warn message"


@ -13,7 +13,7 @@
"semanticVersion": "1.2.3",
"rules": [
{
"id": "Check-Name",
"id": "CheckNameID",
"name": "Check-Name",
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name",
"shortDescription": {
@ -44,7 +44,7 @@
},
"results": [
{
"ruleId": "Check-Name",
"ruleId": "CheckNameID",
"ruleIndex": 0,
"message": {
"text": "warn message"


@ -13,7 +13,7 @@
"semanticVersion": "1.2.3",
"rules": [
{
"id": "Check-Name",
"id": "CheckNameID",
"name": "Check-Name",
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name",
"shortDescription": {
@ -40,7 +40,7 @@
}
},
{
"id": "Check-Name2",
"id": "CheckName2ID",
"name": "Check-Name2",
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name2",
"shortDescription": {
@ -68,7 +68,7 @@
}
},
{
"id": "Check-Name3",
"id": "CheckName3ID",
"name": "Check-Name3",
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name3",
"shortDescription": {
@ -101,7 +101,7 @@
},
"results": [
{
"ruleId": "Check-Name",
"ruleId": "CheckNameID",
"ruleIndex": 0,
"message": {
"text": "warn message"
@ -124,7 +124,7 @@
]
},
{
"ruleId": "Check-Name2",
"ruleId": "CheckName2ID",
"ruleIndex": 1,
"message": {
"text": "warn message"
@ -150,7 +150,7 @@
]
},
{
"ruleId": "Check-Name3",
"ruleId": "CheckName3ID",
"ruleIndex": 2,
"message": {
"text": "warn message"


@ -13,7 +13,7 @@
"semanticVersion": "1.2.3",
"rules": [
{
"id": "Check-Name",
"id": "CheckNameID",
"name": "Check-Name",
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name",
"shortDescription": {
@ -40,7 +40,7 @@
}
},
{
"id": "Check-Name2",
"id": "CheckName2ID",
"name": "Check-Name2",
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name2",
"shortDescription": {
@ -68,7 +68,7 @@
}
},
{
"id": "Check-Name3",
"id": "CheckName3ID",
"name": "Check-Name3",
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name3",
"shortDescription": {
@ -101,7 +101,7 @@
},
"results": [
{
"ruleId": "Check-Name",
"ruleId": "CheckNameID",
"ruleIndex": 0,
"message": {
"text": "warn message"
@ -124,7 +124,7 @@
]
},
{
"ruleId": "Check-Name2",
"ruleId": "CheckName2ID",
"ruleIndex": 1,
"message": {
"text": "warn message"
@ -150,7 +150,7 @@
]
},
{
"ruleId": "Check-Name3",
"ruleId": "CheckName3ID",
"ruleIndex": 2,
"message": {
"text": "warn message"


@ -13,7 +13,7 @@
"semanticVersion": "1.2.3",
"rules": [
{
"id": "Check-Name",
"id": "CheckNameID",
"name": "Check-Name",
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name",
"shortDescription": {


@ -13,7 +13,7 @@
"semanticVersion": "1.2.3",
"rules": [
{
"id": "Check-Name",
"id": "CheckNameID",
"name": "Check-Name",
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name",
"shortDescription": {
@ -44,7 +44,7 @@
},
"results": [
{
"ruleId": "Check-Name",
"ruleId": "CheckNameID",
"ruleIndex": 0,
"message": {
"text": "six score reason"


@ -13,7 +13,7 @@
"semanticVersion": "1.2.3",
"rules": [
{
"id": "Check-Name",
"id": "CheckNameID",
"name": "Check-Name",
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name",
"shortDescription": {
@ -40,7 +40,7 @@
}
},
{
"id": "Check-Name2",
"id": "CheckName2ID",
"name": "Check-Name2",
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name2",
"shortDescription": {
@ -68,7 +68,7 @@
}
},
{
"id": "Check-Name3",
"id": "CheckName3ID",
"name": "Check-Name3",
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name3",
"shortDescription": {
@ -101,7 +101,7 @@
},
"results": [
{
"ruleId": "Check-Name",
"ruleId": "CheckNameID",
"ruleIndex": 0,
"message": {
"text": "warn message"


@ -13,7 +13,7 @@
"semanticVersion": "1.2.3",
"rules": [
{
"id": "Check-Name",
"id": "CheckNameID",
"name": "Check-Name",
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name",
"shortDescription": {
@ -40,7 +40,7 @@
}
},
{
"id": "Check-Name5",
"id": "CheckName5ID",
"name": "Check-Name5",
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name5",
"shortDescription": {
@ -73,7 +73,7 @@
},
"results": [
{
"ruleId": "Check-Name",
"ruleId": "CheckNameID",
"ruleIndex": 0,
"message": {
"text": "warn message"
@ -99,7 +99,7 @@
]
},
{
"ruleId": "Check-Name",
"ruleId": "CheckNameID",
"ruleIndex": 0,
"message": {
"text": "warn message"
@ -125,7 +125,7 @@
]
},
{
"ruleId": "Check-Name5",
"ruleId": "CheckName5ID",
"ruleIndex": 1,
"message": {
"text": "warn message"
@ -151,7 +151,7 @@
]
},
{
"ruleId": "Check-Name5",
"ruleId": "CheckName5ID",
"ruleIndex": 1,
"message": {
"text": "warn message"
@ -189,7 +189,7 @@
"semanticVersion": "1.2.3",
"rules": [
{
"id": "Check-Name6",
"id": "CheckName6ID",
"name": "Check-Name6",
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name6",
"shortDescription": {
@ -222,7 +222,7 @@
},
"results": [
{
"ruleId": "Check-Name6",
"ruleId": "CheckName6ID",
"ruleIndex": 0,
"message": {
"text": "warn message"
@ -260,7 +260,7 @@
"semanticVersion": "1.2.3",
"rules": [
{
"id": "Check-Name4",
"id": "CheckName4ID",
"name": "Check-Name4",
"helpUri": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#check-name4",
"shortDescription": {
@ -293,7 +293,7 @@
},
"results": [
{
"ruleId": "Check-Name4",
"ruleId": "CheckName4ID",
"ruleIndex": 0,
"message": {
"text": "warn message"