Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ Use crane to add hash suggestion to unpinned Docker images #2037

Merged
merged 7 commits into from Jul 19, 2022
Merged

✨ Use crane to add hash suggestion to unpinned Docker images #2037

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
529008d
Use crane to add hash suggestion to unpinned Docker images
spencerschrock Jul 11, 2022
1efab91
Add nil check before dereferencing name for image digest
spencerschrock Jul 11, 2022
203809a
Reformat changes to comply with linter
spencerschrock Jul 13, 2022
cfafacd
Add basic remediation for dockerfile pinning
spencerschrock Jul 13, 2022
c4a2dd3
Deduplicate remediation code
spencerschrock Jul 15, 2022
e56e743
Remove reference to linux/amd64, as crane digest should be universal
spencerschrock Jul 15, 2022
d2df929
add remediation info to scorecard output. switch to using strings.Bui…
spencerschrock Jul 15, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
8 changes: 6 additions & 2 deletions checks/evaluation/pinned_dependencies.go
View file
Open in desktop
Expand Up @@ -134,10 +134,14 @@ func PinningDependencies(name string, dl checker.DetailLogger,
}

func generateRemediation(rr *checker.Dependency) *checker.Remediation {
if rr.Type == checker.DependencyUseTypeGHAction {
switch rr.Type {
case checker.DependencyUseTypeGHAction:
return remediation.CreateWorkflowPinningRemediation(rr.Location.Path)
case checker.DependencyUseTypeDockerfileContainerImage:
return remediation.CreateDockerfilePinningRemediation(rr.Name)
default:
return nil
}
return nil
}

func updatePinningResults(rr *checker.Dependency,
Expand Down
26 changes: 17 additions & 9 deletions pkg/common.go
View file
Open in desktop
Expand Up @@ -32,16 +32,24 @@ func DetailToString(d *checker.CheckDetail, logLevel log.Level) string {
return ""
}

switch {
case d.Msg.Path != "" && d.Msg.Offset != 0 && d.Msg.EndOffset != 0 && d.Msg.Offset < d.Msg.EndOffset:
return fmt.Sprintf("%s: %s: %s:%d-%d", typeToString(d.Type), d.Msg.Text, d.Msg.Path, d.Msg.Offset, d.Msg.EndOffset)
case d.Msg.Path != "" && d.Msg.Offset != 0:
return fmt.Sprintf("%s: %s: %s:%d", typeToString(d.Type), d.Msg.Text, d.Msg.Path, d.Msg.Offset)
case d.Msg.Path != "" && d.Msg.Offset == 0:
return fmt.Sprintf("%s: %s: %s", typeToString(d.Type), d.Msg.Text, d.Msg.Path)
default:
return fmt.Sprintf("%s: %s", typeToString(d.Type), d.Msg.Text)
var sb strings.Builder
spencerschrock marked this conversation as resolved.
Show resolved Hide resolved
sb.WriteString(fmt.Sprintf("%s: %s", typeToString(d.Type), d.Msg.Text))

if d.Msg.Path != "" {
sb.WriteString(fmt.Sprintf(": %s", d.Msg.Path))
if d.Msg.Offset != 0 {
sb.WriteString(fmt.Sprintf(":%d", d.Msg.Offset))
}
if d.Msg.EndOffset != 0 && d.Msg.Offset < d.Msg.EndOffset {
sb.WriteString(fmt.Sprintf("-%d", d.Msg.EndOffset))
}
}

if d.Msg.Remediation != nil {
sb.WriteString(fmt.Sprintf(": %s", d.Msg.Remediation.HelpText))
}

return sb.String()
}

func detailsToString(details []checker.CheckDetail, logLevel log.Level) (string, bool) {
Expand Down
144 changes: 144 additions & 0 deletions pkg/common_test.go
View file
Open in desktop
@@ -0,0 +1,144 @@
// Copyright 2022 Security Scorecard Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package pkg

import (
"testing"

"github.com/ossf/scorecard/v4/checker"
"github.com/ossf/scorecard/v4/log"
)

func TestDetailString(t *testing.T) {
t.Parallel()
tests := []struct {
name string
detail checker.CheckDetail
log log.Level
want string
}{
{
name: "ignoreDebug",
detail: checker.CheckDetail{
Msg: checker.LogMessage{
Text: "should not appear",
},
Type: checker.DetailDebug,
},
log: log.DefaultLevel,
want: "",
},
{
name: "includeDebug",
detail: checker.CheckDetail{
Msg: checker.LogMessage{
Text: "should appear",
},
Type: checker.DetailDebug,
},
log: log.DebugLevel,
want: "Debug: should appear",
},
{
name: "onlyType",
detail: checker.CheckDetail{
Msg: checker.LogMessage{
Text: "some meaningful text",
},
Type: checker.DetailWarn,
},
log: log.DefaultLevel,
want: "Warn: some meaningful text",
},
{
name: "displayPath",
detail: checker.CheckDetail{
Msg: checker.LogMessage{
Text: "some meaningful text",
Path: "Dockerfile",
},
Type: checker.DetailWarn,
},
log: log.DefaultLevel,
want: "Warn: some meaningful text: Dockerfile",
},
{
name: "displayStartOffset",
detail: checker.CheckDetail{
Msg: checker.LogMessage{
Text: "some meaningful text",
Path: "Dockerfile",
Offset: 1,
},
Type: checker.DetailWarn,
},
log: log.DefaultLevel,
want: "Warn: some meaningful text: Dockerfile:1",
},
{
name: "displayEndOffset",
detail: checker.CheckDetail{
Msg: checker.LogMessage{
Text: "some meaningful text",
Path: "Dockerfile",
Offset: 1,
EndOffset: 7,
},
Type: checker.DetailWarn,
},
log: log.DefaultLevel,
want: "Warn: some meaningful text: Dockerfile:1-7",
},
{
name: "ignoreInvalidEndOffset",
detail: checker.CheckDetail{
Msg: checker.LogMessage{
Text: "some meaningful text",
Path: "Dockerfile",
Offset: 3,
EndOffset: 2,
},
Type: checker.DetailWarn,
},
log: log.DefaultLevel,
want: "Warn: some meaningful text: Dockerfile:3",
},
{
name: "includeRemediation",
detail: checker.CheckDetail{
Msg: checker.LogMessage{
Text: "some meaningful text",
Path: "Dockerfile",
Remediation: &checker.Remediation{
HelpText: "fix x by doing y",
},
},
Type: checker.DetailWarn,
},
log: log.DefaultLevel,
want: "Warn: some meaningful text: Dockerfile: fix x by doing y",
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
got := DetailToString(&tt.detail, tt.log)
if got != tt.want {
t.Errorf("got %v, want %v", got, tt.want)
}
})
}
}
24 changes: 23 additions & 1 deletion remediation/remediations.go
View file
Open in desktop
Expand Up @@ -20,6 +20,8 @@ import (
"strings"
"sync"

"github.com/google/go-containerregistry/pkg/crane"

"github.com/ossf/scorecard/v4/checker"
"github.com/ossf/scorecard/v4/clients"
)
Expand All @@ -36,7 +38,8 @@ var errInvalidArg = errors.New("invalid argument")
var (
workflowText = "update your workflow using https://app.stepsecurity.io/secureworkflow/%s/%s/%s?enable=%s"
//nolint
workflowMarkdown = "update your workflow using [https://app.stepsecurity.io](https://app.stepsecurity.io/secureworkflow/%s/%s/%s?enable=%s)"
workflowMarkdown = "update your workflow using [https://app.stepsecurity.io](https://app.stepsecurity.io/secureworkflow/%s/%s/%s?enable=%s)"
dockerfilePinText = "pin your Docker image by updating %[1]s to %[1]s@%s"
)

//nolint:gochecknoinits
Expand Down Expand Up @@ -94,3 +97,22 @@ func createWorkflowRemediation(path, t string) *checker.Remediation {
HelpMarkdown: markdown,
}
}

// CreateDockerfilePinningRemediation create remediaiton for pinning Dockerfile images.
func CreateDockerfilePinningRemediation(name *string) *checker.Remediation {
if name == nil {
return nil
}
hash, err := crane.Digest(*name)
if err != nil {
return nil
}

text := fmt.Sprintf(dockerfilePinText, *name, hash)
markdown := text

return &checker.Remediation{
HelpText: text,
HelpMarkdown: markdown,
}
}