* Refactor Dockerfile validation code to handle here-documents
Refactors the `validateDockerfileInsecureDownloads` function to handle
Dockerfiles that contain here-documents. This implementation handles the
basic use-case, namely shell commands. It does not manage other
interpreters that are specified through a she-bang, such as python.
Fixes https://github.com/ossf/scorecard/issues/3335
Signed-off-by: Jürgen Kreileder <jk@blackdown.de>
* Add test for empty run command case in validateDockerfileInsecureDownloads()
Signed-off-by: Jürgen Kreileder <jk@blackdown.de>
* Simplify end line calculation in validateDockerfileInsecureDownloads()
Signed-off-by: Jürgen Kreileder <jk@blackdown.de>
* Document why we have a python test case here
Signed-off-by: Jürgen Kreileder <jk@blackdown.de>
---------
Signed-off-by: Jürgen Kreileder <jk@blackdown.de>
* 🌱 refactor permissions
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'PermissionLocation' to 'PermissionLocationType'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove redundant length check
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* return nil instead of findings in case of an error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use OutcomeError instead of OutcomeNegative in case of PermissionLevelUnknown
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Fix lint issue
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change 'CreateInconclusiveResult' to 'CreateRuntimeErrorResult'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add comment to wrapped error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* unexport enum values
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix wrapped error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* add space after link
the period (and possibly what came after it) was being interpreted as part of the link.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* only use one ID in the osv.dev link
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add/fix tests
Signed-off-by: Spencer Schrock <sschrock@google.com>
* make the remediation tests less fragile
this test would need to be fixed every time the phrasing is fixed.
by looking for substrings, we make this less likely to need to be changed.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* move len check before any finding creation
small efficiency gain since the finding is discarded.
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
the cron has witnessed a roughly 15% reduction in repo throughput,
this is partly due to increased osv.dev latency, increasing the Vulnerabilities check.
the pinned-dependencies check has also increased after 6d35c865e6.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* fix: handle gitlab repos with no commits
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* fix: gitlab listcommits tests, remove else in commit array length check
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* rename test file, remove unneeded test
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
---------
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* document scdiff in the release process
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add TOC entry
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add files to .gitignore
we don't want people following the instructions to commit the files accidentally
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
* Add SAST Pysa probe
Signed-off-by: David Korczynski <david@adalogics.com>
* Add Pysa positive unit test
Signed-off-by: David Korczynski <david@adalogics.com>
* Add Qodana as well
Signed-off-by: David Korczynski <david@adalogics.com>
* fix some styling
Signed-off-by: David Korczynski <david@adalogics.com>
* fix some messaging
Signed-off-by: David Korczynski <david@adalogics.com>
* checks: raw: sast: dedup by way of regex
Ref: https://github.com/ossf/scorecard/issues/3745
Signed-off-by: David Korczynski <david@adalogics.com>
* deduplicate SAST score checker
Signed-off-by: David Korczynski <david@adalogics.com>
* fix styling
Signed-off-by: David Korczynski <david@adalogics.com>
* fix styling
Signed-off-by: David Korczynski <david@adalogics.com>
* Rename variables appropriately
Signed-off-by: David Korczynski <david@adalogics.com>
* fix error message
Signed-off-by: David Korczynski <david@adalogics.com>
* rename useRegex to usesRegex and add comment
Signed-off-by: David Korczynski <david@adalogics.com>
* Force regex to compile
Signed-off-by: David Korczynski <david@adalogics.com>
---------
Signed-off-by: David Korczynski <david@adalogics.com>
* 🐛 Fix signed release error for empty gitlab repo
- Fixed the issue where an empty gitlab repo is causing this error.
```
Error: check runtime error: Signed-Releases: internal error: could not get release name
2023/12/27 18:07:19 error during command execution: check runtime error: Signed-Releases: internal error: could not get release name
exit status 1
```
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixes based on review.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* Fixed codereview changes.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---------
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
- Update message for when no tokens are found
[checks/evaluation/permissions/permissions.go]
- Change the message for when no tokens are found from "no github tokens found" to "no tokens found"
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
The primary data is the configuration files and the search commit data
is just extra, so better to return some data than no data in this case.
Signed-off-by: Spencer Schrock <sschrock@google.com>
- Update go version from `1.19` to `1.21`
[tools/go.mod]
- Update go version from `1.19` to `1.21`
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
* 🌱 Add probes for Branch Protection
Signed-off-by: AdamKorcz <adam@adalogics.com>
* specify that Scorecard only considers default and releases branches
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* reduce duplication in blocksDeleteOnBranches
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use helper to test for boolean values
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Fix typo, mention OutcomeNotAvailable
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix typo and elaborate on effort
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix typo. Specify which branches the probe considers
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Fix copy paste typo
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove '/en' from url
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change effort from 'High' to 'Low' in the blocksForcePushOnBranches probe def
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix remediation level
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Change probe package name
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* improve probe definitions
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* refactor test names
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Change motivation of two probes
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* downgrade effort of runsStatusChecksBeforeMerging
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* reduce complexity of blocksForcePushOnBranches
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* simplify requiresCodeOwnersReview logic
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix linter issues
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix copy paste error
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* differentiate trueMsg and falseMsg in requiresApproversForPullRequests
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix text in requiresCodeOwnersReview
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* change outcome in utils
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix lint issues
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix nit in text
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use standardized messages
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove 'Uint32LargerThan0'
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* Add number of required reviewers to values. Refactor to avoid nil-dereference
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix nit log message
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* SAST: add Snyk probe
Adds Snyk's GitHub action (https://github.com/snyk/actions) as a probe.
Signed-off-by: David Korczynski <david@adalogics.com>
* nit
Signed-off-by: David Korczynski <david@adalogics.com>
* e2e: adjust sast test to additional probe
Signed-off-by: David Korczynski <david@adalogics.com>
* checks: sast: nit, fix e2e test
Signed-off-by: DavidKorczynski <david@adalogics.com>
* Add test with positive outcome
Signed-off-by: David Korczynski <david@adalogics.com>
* fix comment
Signed-off-by: David Korczynski <david@adalogics.com>
* sast: snyk: add workflow test
Signed-off-by: David Korczynski <david@adalogics.com>
* address review
Signed-off-by: David Korczynski <david@adalogics.com>
* sast: adjust snyk to be the same with sonar
Signed-off-by: David Korczynski <david@adalogics.com>
* provide path to WF file
Signed-off-by: David Korczynski <david@adalogics.com>
* adjust path for finding
Signed-off-by: David Korczynski <david@adalogics.com>
* use prefix rather than contains
Signed-off-by: David Korczynski <david@adalogics.com>
---------
Signed-off-by: David Korczynski <david@adalogics.com>
Signed-off-by: DavidKorczynski <david@adalogics.com>
* fix: differentiate between refs and sha gitlab listcheckrunsforref
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* address pr comments
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* style: move gitlab call to one line
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* update gitlab api comments
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
---------
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Adding the Required field to PullRequestReviewRule made BranchRef slightly too big for the linter.
This code isn't highly used, so just ignoring the inefficiency for now.
Not sure why the staticcheck linter started complaining about the date error checking,
but fixed it while I was here.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* convert Signed Releases to probes
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Specify that probe is for Github and Gitlab only
Signed-off-by: AdamKorcz <adam@adalogics.com>
* use in loop instead of
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix linter issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* fix more linter issues
Signed-off-by: AdamKorcz <adam@adalogics.com>
* specify Github and Gitlab in provenance def.yml
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add link to slsa-github-generator
Signed-off-by: AdamKorcz <adam@adalogics.com>
* Add instructions on signing with Cosign
Signed-off-by: AdamKorcz <adam@adalogics.com>
* refactor evaluation
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* debug failing integration test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove unused nolints
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* expose release name asset names in finding values
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* fix failed integration test
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove 'totalReleases' value from findings
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove left-over cases of "totalReleases" values in findings
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove remaining totalReleases values
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* use const probe names instead of hard-coded strings
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* remove totalReleases from test helper arguments
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* merge test helpers
Signed-off-by: Adam Korczynski <adam@adalogics.com>
---------
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
* revert the change which made RequiredPullRequestReviews a pointer
While the current approach works with the tiered scoring,
it won't work for probes or if we remove tiers. Making the struct nil to
signal that PRs aren't required hides some of the data we do have.
This is especially problematic for repo rules, where we can infer all
settings by what we see or don't see.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* add helper to deref pointers
Signed-off-by: Spencer Schrock <sschrock@google.com>
* clarify comments and keep code consistent
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>