✨ Binary artifact exception for gradle-wrapper.jar when using validation action #2039
Codecov Report

@@            Coverage Diff             @@
##             main    #2039      +/-   ##
==========================================
+ Coverage   42.17%   42.40%   +0.23%
==========================================
  Files          89       89
  Lines        7336     7430      +94
==========================================
+ Hits         3094     3151      +57
- Misses       4008     4033      +25
- Partials      234      246      +12
Nice work, people have been asking for this.
Is there a way to tell users that we found a gradle wrapper but no validation action in the issue presented to the user? Or point to a remediation faq?
Thanks for the PR. As @loosebazooka said, there is demand for this!
Thanks, LGTM!
…ion action (ossf#2039)

* implement binary artifacts exception for validated gradle-wrapper.jar files
* add tests for binary artifact gradle wrapper verification exception
* fix issues for linter
* expect added jar in TestBinaryArtifacts Jar file test
* improve readability of raw/binary_artifact
* Binary-Artifact request types no longer includes FileBased
* add version requirement capability to gradle action check
* Refactor exception from checks/raw to checks/evaluation
* remove unnecessary len(files)
* flatten application of exception by moving to another function
* revert refactor to checks/evaluation
* flatten removal of validated wrappers
* create fileExists function

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Remove sigstore-java from exempt list, fixed with ossf/scorecard#2039

Signed-off-by: Appu Goundan <appu@google.com>
New functionality added as part of the PR ossf#2039 is not supported for local repositories. When this code path is hit, it will check if it is an unsupported error and not fail the Binary Artifacts check. Fallback to existing behavior for any other type of errors.

Co-authored-by: Abhisek Sanyal <abhisek@veedna.com>
What kind of change does this PR introduce?
Feature
What is the current behavior?
Scorecard considers gradle-wrapper.jar files to be harmful binary artifacts even when they are verified by the gradle/wrapper-validation-action action.
What is the new behavior (if this is a feature change)?
gradle-wrapper.jar files will no longer be flagged by the binary artifacts check iff all conditions are met:
* There is a workflow using the gradle/wrapper-validation-action action in a step in a job
* That workflow passed for the latest commit on default branch
Tests for the changes have been added (for bug fixes/features)
Which issue(s) this PR fixes
Fixes #1815
Special notes for your reviewer
Does this PR introduce a user-facing change?