
✨ Binary artifact exception for gradle-wrapper.jar when using validation action #2039

Merged
merged 17 commits into from Jul 18, 2022

Conversation

ethanent
Contributor

@ethanent ethanent commented Jul 12, 2022

What kind of change does this PR introduce?

Feature

What is the current behavior?

Scorecard considers gradle-wrapper.jar files to be harmful binary artifacts even when they are verified by the gradle/wrapper-validation-action action.

What is the new behavior (if this is a feature change)?

gradle-wrapper.jar files will no longer be flagged by the binary artifacts check iff all conditions are met:

  • There is a workflow using the gradle/wrapper-validation-action action in a step in a job

  • That workflow passed for the latest commit on default branch

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #1815

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

gradle-wrapper.jar files are no longer flagged by the Binary Artifacts check if the Gradle Wrapper Validation Action is enabled as part of a passing workflow.

@ethanent ethanent temporarily deployed to integration-test July 12, 2022 01:41 Inactive
@codecov

codecov bot commented Jul 12, 2022

Codecov Report

Merging #2039 (6c92a63) into main (f1b182a) will increase coverage by 0.23%.
The diff coverage is 60.41%.

@@            Coverage Diff             @@
##             main    #2039      +/-   ##
==========================================
+ Coverage   42.17%   42.40%   +0.23%     
==========================================
  Files          89       89              
  Lines        7336     7430      +94     
==========================================
+ Hits         3094     3151      +57     
- Misses       4008     4033      +25     
- Partials      234      246      +12     

@github-actions

Integration tests success for [db5744a](https://github.com/ossf/scorecard/actions/runs/2653573292)

@ethanent ethanent temporarily deployed to integration-test July 12, 2022 03:20 Inactive
@github-actions

Integration tests success for [afa21c4](https://github.com/ossf/scorecard/actions/runs/2653875365)

Contributor

@loosebazooka loosebazooka left a comment


nice work, people have been asking for this.

Is there a way to tell users that we found a gradle wrapper but no validation action in the issue presented to the user? Or point to a remediation faq?
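The decision the PR description lays out (a gradle-wrapper.jar is exempted only when some workflow uses gradle/wrapper-validation-action and that workflow's run for the latest default-branch commit passed), plus the hint loosebazooka asks for when a wrapper is found without validation, as an added example. This is illustrative code written for this page, not Scorecard's implementation: the WorkflowRun struct, the function names, the sample workflow file and the commit SHAs are all constructed, and step detection is a line scan for `uses:` entries rather than a YAML parse.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// validationAction is the action the PR keys on (named in the PR description).
const validationAction = "gradle/wrapper-validation-action"

// sampleWorkflow is a constructed workflow file for this example; it is not
// taken from any real repository.
const sampleWorkflow = `name: Validate Gradle Wrapper
on: [push, pull_request]
jobs:
  validation:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: gradle/wrapper-validation-action@v1
`

// WorkflowRun is a hypothetical, simplified view of one workflow run: which
// workflow file it ran, which commit it ran against, and how it concluded.
type WorkflowRun struct {
	WorkflowPath string
	HeadSHA      string
	Conclusion   string // "success", "failure", "cancelled", ...
}

// usesLine matches `uses: owner/repo@ref` step entries in a workflow file.
// Scanning lines is a shortcut for this example; a real checker parses YAML.
var usesLine = regexp.MustCompile(`(?m)^\s*-?\s*uses:\s*([^\s#]+)`)

// usesWrapperValidation reports whether any step in the workflow references
// the validation action, ignoring the pinned ref after '@'.
func usesWrapperValidation(workflow string) bool {
	for _, m := range usesLine.FindAllStringSubmatch(workflow, -1) {
		repo := strings.SplitN(m[1], "@", 2)[0]
		if strings.EqualFold(repo, validationAction) {
			return true
		}
	}
	return false
}

// isWrapperValidated applies both conditions from the PR description: some
// workflow uses the validation action, and that workflow's run for the latest
// default-branch commit (headSHA) succeeded. A failed, missing or stale run
// (one for a different commit) does not count.
func isWrapperValidated(workflows map[string]string, runs []WorkflowRun, headSHA string) bool {
	for wfPath, content := range workflows {
		if !usesWrapperValidation(content) {
			continue
		}
		for _, r := range runs {
			if r.WorkflowPath == wfPath && r.HeadSHA == headSHA && r.Conclusion == "success" {
				return true
			}
		}
	}
	return false
}

func isGradleWrapperJar(p string) bool {
	return path.Base(p) == "gradle-wrapper.jar"
}

// filterBinaries drops gradle-wrapper.jar entries only when validated is true;
// every other binary artifact is still reported.
func filterBinaries(files []string, validated bool) []string {
	out := []string{}
	for _, f := range files {
		if validated && isGradleWrapperJar(f) {
			continue
		}
		out = append(out, f)
	}
	return out
}

// wrapperHint returns a remediation message when a wrapper jar is present but
// not validated, so the user learns which condition is missing.
func wrapperHint(files []string, validated bool) string {
	for _, f := range files {
		if isGradleWrapperJar(f) && !validated {
			return fmt.Sprintf("%s: gradle-wrapper.jar found but no passing workflow uses %s", f, validationAction)
		}
	}
	return ""
}

func main() {
	workflows := map[string]string{".github/workflows/validate.yml": sampleWorkflow}
	runs := []WorkflowRun{{".github/workflows/validate.yml", "abc123", "success"}}
	files := []string{"gradle/wrapper/gradle-wrapper.jar", "libs/vendored.jar"}
	validated := isWrapperValidated(workflows, runs, "abc123")
	fmt.Println("validated:", validated)
	fmt.Println("reported binaries:", filterBinaries(files, validated))
	fmt.Println("hint:", wrapperHint(files, isWrapperValidated(workflows, runs, "def456")))
}
```

The stale-run case matters: a passing validation run for an older commit says nothing about the wrapper jar in the latest commit, so the check keys on the head SHA rather than on any successful run of the workflow.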

Contributor

@laurentsimon laurentsimon left a comment


Thanks for the PR. As @loosebazooka said, there is demand for this!

@ethanent ethanent temporarily deployed to integration-test July 13, 2022 02:39 Inactive
@github-actions

Integration tests success for [54a33fd](https://github.com/ossf/scorecard/actions/runs/2660638220)

@ethanent ethanent temporarily deployed to integration-test July 13, 2022 10:27 Inactive
@github-actions

Integration tests success for [541126f](https://github.com/ossf/scorecard/actions/runs/2662747602)

@ethanent ethanent temporarily deployed to integration-test July 13, 2022 22:41 Inactive
Contributor

@laurentsimon laurentsimon left a comment


Thanks, LGTM!

@ethanent ethanent temporarily deployed to integration-test July 16, 2022 03:25 Inactive
@github-actions

Integration tests success for [d96378f](https://github.com/ossf/scorecard/actions/runs/2680476048)

@laurentsimon laurentsimon enabled auto-merge (squash) July 18, 2022 18:21
@laurentsimon laurentsimon temporarily deployed to integration-test July 18, 2022 18:21 Inactive
@github-actions

Integration tests success for [6c92a63](https://github.com/ossf/scorecard/actions/runs/2692612305)

@laurentsimon laurentsimon merged commit dd8fbc0 into ossf:main Jul 18, 2022
singhsaurabh pushed a commit to singhsaurabh/scorecard that referenced this pull request Jul 25, 2022
…ion action (ossf#2039)

* implement binary artifacts exception for validated gradle-wrapper.jar files

* add tests for binary artifact gradle wrapper verification exception

* fix issues for linter

* expect added jar in TestBinaryArtifacts Jar file test

* improve readability of raw/binary_artifact

* Binary-Artifact request types no longer includes FileBased

* add version requirement capability to gradle action check

* Refactor exception from checks/raw to checks/evaluation

* remove unnecessary len(files)

* flatten application of exception by moving to another function

* revert refactor to checks/evaluation

* flatten removal of validated wrappers

* create fileExists function

Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
loosebazooka added a commit to loosebazooka/.allstar that referenced this pull request Jul 28, 2022
Remove sigstore-java from exempt list, fixed with ossf/scorecard#2039
loosebazooka added a commit to loosebazooka/.allstar that referenced this pull request Jul 28, 2022
Remove sigstore-java from exempt list, fixed with ossf/scorecard#2039

Signed-off-by: Appu Goundan <appu@google.com>
abhiseksanyal pushed a commit to lineaje-labs/scorecard that referenced this pull request Oct 11, 2022
Enable Binary artifacts check for local repositories that was disabled
in the PR ossf#2039 and revert the change done for empty repository handling
in the PR ossf#2207
abhiseksanyal added a commit to lineaje-labs/scorecard that referenced this pull request Oct 11, 2022
Enable Binary artifacts check for local repositories that was disabled
in the PR ossf#2039 and revert the change done for empty repository handling
in the PR ossf#2207

Co-authored-by: Abhisek Sanyal <abhisek@veedna.com>
abhiseksanyal pushed a commit to lineaje-labs/scorecard that referenced this pull request Oct 14, 2022
New functionality added as part of the PR ossf#2039 is not supported for
local repositories. When this code path is hit, it will check if it is
an unsupported error and not fail the Binary Artifacts check.
Fallback to existing behavior for any other type of errors
abhiseksanyal added a commit to lineaje-labs/scorecard that referenced this pull request Oct 14, 2022
New functionality added as part of the PR ossf#2039 is not supported for
local repositories. When this code path is hit, it will check if it is
an unsupported error and not fail the Binary Artifacts check.
Fallback to existing behavior for any other type of errors

Co-authored-by: Abhisek Sanyal <abhisek@veedna.com>
abhiseksanyal added a commit to lineaje-labs/scorecard that referenced this pull request Jul 6, 2023
Enable Binary artifacts check for local repositories that was disabled
in the PR ossf#2039 and revert the change done for empty repository handling
in the PR ossf#2207

Co-authored-by: Abhisek Sanyal <abhisek@veedna.com>
abhiseksanyal added a commit to lineaje-labs/scorecard that referenced this pull request Jul 6, 2023
New functionality added as part of the PR ossf#2039 is not supported for
local repositories. When this code path is hit, it will check if it is
an unsupported error and not fail the Binary Artifacts check.
Fallback to existing behavior for any other type of errors

Co-authored-by: Abhisek Sanyal <abhisek@veedna.com>
abhiseksanyal added a commit to lineaje-labs/scorecard that referenced this pull request Jul 6, 2023
Enable Binary artifacts check for local repositories that was disabled
in the PR ossf#2039 and revert the change done for empty repository handling
in the PR ossf#2207
abhiseksanyal added a commit to lineaje-labs/scorecard that referenced this pull request Jul 6, 2023
New functionality added as part of the PR ossf#2039 is not supported for
local repositories. When this code path is hit, it will check if it is
an unsupported error and not fail the Binary Artifacts check.
Fallback to existing behavior for any other type of errors
abhiseksanyal added a commit to lineaje-labs/scorecard that referenced this pull request Aug 22, 2023
Enable Binary artifacts check for local repositories that was disabled
in the PR ossf#2039 and revert the change done for empty repository handling
in the PR ossf#2207
abhiseksanyal added a commit to lineaje-labs/scorecard that referenced this pull request Aug 22, 2023
New functionality added as part of the PR ossf#2039 is not supported for
local repositories. When this code path is hit, it will check if it is
an unsupported error and not fail the Binary Artifacts check.
Fallback to existing behavior for any other type of errors
abhiseksanyal added a commit to lineaje-labs/scorecard that referenced this pull request Nov 18, 2023
Enable Binary artifacts check for local repositories that was disabled
in the PR ossf#2039 and revert the change done for empty repository handling
in the PR ossf#2207
Successfully merging this pull request may close these issues.

Binary Artifacts should allow well-known artifacts, if best practices are followed