🐛 Add go installs to Pinned-Dependencies score (ossf#3424)
* feat: Add go install to pinned dependencies score

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix info logs count

Considering the new go installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "go installs are all pinned".

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix "download then run pinned debug and warn"

Considering the new go installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests have to weight 7 scores instead of 6.

For "download then run pinned debug and warn", we have a 0 for 2 groups, `dockerDownloadScore` and `scriptScore`. Previously, it scored 4/6 =~ 6, and now it scores 5/7 =~ 7.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix "various warnings"

Considering the new go installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests have to weight 7 scores instead of 6.

For "various warnings", we have a 0 for 4 groups, `pipScore`, `dockerDownloadScore`, `scriptScore` and `dockerFromScore`. Previously, it scored 2/6 =~ 3, and now it scores 3/7 =~ 4.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix "Validate various warnings and info"

Considering the new go installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests have to weight 7 scores instead of 6.

For "Validate various warnings and info", we have a 0 for 4 groups, `pipScore`, `dockerDownloadScore`, `scriptScore` and `dockerFromScore`. Previously, it scored 2/6 =~ 3, and now it scores 3/7 =~ 4.

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Fix "ossf-tests/scorecard-check-pinned-dependencies-e2e"

Considering the new go installs dependencies in Pinned-Dependencies score, there are some changes. The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has third-party GitHub actions pinned, no npm installs, multiple go installs all pinned, and all other dependencies types are unpinned. This gives us 8 for actionScore, 10 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 18/6 =~ 3, and now the total score is 28/7 =~ 4. Since all go installs are pinned, there's an additional info log for "go installs are pinned".

Signed-off-by: Gabriela Gutierrez <[email protected]>

* test: Unpinned go install score

When having one unpinned go install and all other dependencies pinned, the score should be 60/7 =~ 8. Also, it should raise 1 warning for the unpinned go install, 7 infos saying the other dependency types are pinned (2 for GHAs, 2 for dockerfile image and downloads, 1 for script downloads, 1 for pip installs and 1 for npm installs), and 0 debug logs since the go install dependency does not have an error message.

Signed-off-by: Gabriela Gutierrez <[email protected]>

---------

Signed-off-by: Gabriela Gutierrez <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>
gabibguti authored and ashearin committed Nov 13, 2023
1 parent dbc3d98 commit be40c99
Showing 3 changed files with 50 additions and 18 deletions.
18 changes: 17 additions & 1 deletion checks/evaluation/pinned_dependencies.go
Expand Up @@ -133,16 +133,23 @@ func PinningDependencies(name string, c *checker.CheckRequest,
return checker.CreateRuntimeErrorResult(name, err)
}

// Go installs.
goScore, err := createReturnForIsGoInstallPinned(pr, dl)
if err != nil {
return checker.CreateRuntimeErrorResult(name, err)
}

// Scores may be inconclusive.
actionScore = maxScore(0, actionScore)
dockerFromScore = maxScore(0, dockerFromScore)
dockerDownloadScore = maxScore(0, dockerDownloadScore)
scriptScore = maxScore(0, scriptScore)
pipScore = maxScore(0, pipScore)
npmScore = maxScore(0, npmScore)
goScore = maxScore(0, goScore)

score := checker.AggregateScores(actionScore, dockerFromScore,
dockerDownloadScore, scriptScore, pipScore, npmScore)
dockerDownloadScore, scriptScore, pipScore, npmScore, goScore)

if score == checker.MaxResultScore {
return checker.CreateMaxScoreResult(name, "all dependencies are pinned")
Expand Down Expand Up @@ -276,6 +283,15 @@ func createReturnForIsNpmInstallPinned(pr map[checker.DependencyUseType]pinnedRe
dl)
}

// Create the result for go install commands.
func createReturnForIsGoInstallPinned(pr map[checker.DependencyUseType]pinnedResult,
dl checker.DetailLogger,
) (int, error) {
return createReturnValues(pr, checker.DependencyUseTypeGoCommand,
"go installs are pinned",
dl)
}

func createReturnValues(pr map[checker.DependencyUseType]pinnedResult,
t checker.DependencyUseType, infoMsg string,
dl checker.DetailLogger,
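Review bot: The doc comment on `createReturnForIsGoInstallPinned` does not start with the function name, so tooling will not treat it as the function's doc comment; `// createReturnForIsGoInstallPinned creates the result for go install commands.` follows the convention used for exported and unexported helpers alike. The new `goScore` is passed to `checker.AggregateScores` with the same weight as the six existing groups, which, as the commit message spells out, moves the denominator from 6 to 7 for every repository the check runs on; a one-line comment beside the aggregate call noting that each dependency group counts equally would save the next reader re-deriving that from the test expectations. `PinningDependencies` starts and ends outside the hunk.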
38 changes: 27 additions & 11 deletions checks/evaluation/pinned_dependencies_test.go
Expand Up @@ -111,7 +111,7 @@ func Test_PinningDependencies(t *testing.T) {
Error: nil,
Score: checker.MaxResultScore,
NumberOfWarn: 0,
NumberOfInfo: 7,
NumberOfInfo: 8,
NumberOfDebug: 1,
},
},
Expand All @@ -130,9 +130,9 @@ func Test_PinningDependencies(t *testing.T) {
},
expected: scut.TestReturn{
Error: nil,
Score: 6,
Score: 7,
NumberOfWarn: 1,
NumberOfInfo: 5,
NumberOfInfo: 6,
NumberOfDebug: 1,
},
},
Expand All @@ -158,9 +158,9 @@ func Test_PinningDependencies(t *testing.T) {
},
expected: scut.TestReturn{
Error: nil,
Score: 3,
Score: 4,
NumberOfWarn: 3,
NumberOfInfo: 3,
NumberOfInfo: 4,
NumberOfDebug: 1,
},
},
Expand All @@ -176,7 +176,7 @@ func Test_PinningDependencies(t *testing.T) {
Error: nil,
Score: 8,
NumberOfWarn: 1,
NumberOfInfo: 6,
NumberOfInfo: 7,
NumberOfDebug: 0,
},
},
Expand All @@ -193,7 +193,7 @@ func Test_PinningDependencies(t *testing.T) {
Error: nil,
Score: 10,
NumberOfWarn: 0,
NumberOfInfo: 7,
NumberOfInfo: 8,
NumberOfDebug: 1,
},
},
Expand All @@ -203,7 +203,7 @@ func Test_PinningDependencies(t *testing.T) {
Error: nil,
Score: 10,
NumberOfWarn: 0,
NumberOfInfo: 7,
NumberOfInfo: 8,
NumberOfDebug: 0,
},
},
Expand All @@ -229,9 +229,9 @@ func Test_PinningDependencies(t *testing.T) {
},
expected: scut.TestReturn{
Error: nil,
Score: 3,
Score: 4,
NumberOfWarn: 3,
NumberOfInfo: 3,
NumberOfInfo: 4,
NumberOfDebug: 1,
},
},
Expand All @@ -247,7 +247,23 @@ func Test_PinningDependencies(t *testing.T) {
Error: nil,
Score: 8,
NumberOfWarn: 1,
NumberOfInfo: 6,
NumberOfInfo: 7,
NumberOfDebug: 0,
},
},
{
name: "unpinned go install",
dependencies: []checker.Dependency{
{
Location: &checker.File{},
Type: checker.DependencyUseTypeGoCommand,
},
},
expected: scut.TestReturn{
Error: nil,
Score: 8,
NumberOfWarn: 1,
NumberOfInfo: 7,
NumberOfDebug: 0,
},
},
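Review bot: The new `unpinned go install` case exercises only the unpinned path for `checker.DependencyUseTypeGoCommand`; the all-pinned path for go installs is covered only indirectly, through the `NumberOfInfo` increments in the other cases. A sibling case with a single pinned go install dependency asserting `Score: checker.MaxResultScore`, `NumberOfWarn: 0` and the extra info entry would pin the "go installs are pinned" branch directly. The case also depends on the dependency carrying no message to arrive at `NumberOfDebug: 0`, as the commit message notes; a comment such as `// no message on the dependency, so no debug entry is expected` on the new case would make that expectation explicit. `Test_PinningDependencies` starts and ends outside the hunk.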
12 changes: 6 additions & 6 deletions e2e/pinned_dependencies_test.go
Expand Up @@ -49,9 +49,9 @@ var _ = Describe("E2E TEST:"+checks.CheckPinnedDependencies, func() {
}
expected := scut.TestReturn{
Error: nil,
Score: 3,
Score: 4,
NumberOfWarn: 139,
NumberOfInfo: 2,
NumberOfInfo: 3,
NumberOfDebug: 0,
}
result := checks.PinningDependencies(&req)
Expand All @@ -74,9 +74,9 @@ var _ = Describe("E2E TEST:"+checks.CheckPinnedDependencies, func() {
}
expected := scut.TestReturn{
Error: nil,
Score: 3,
Score: 4,
NumberOfWarn: 139,
NumberOfInfo: 2,
NumberOfInfo: 3,
NumberOfDebug: 0,
}
result := checks.PinningDependencies(&req)
Expand Down Expand Up @@ -110,9 +110,9 @@ var _ = Describe("E2E TEST:"+checks.CheckPinnedDependencies, func() {
}
expected := scut.TestReturn{
Error: nil,
Score: 3,
Score: 4,
NumberOfWarn: 139,
NumberOfInfo: 2,
NumberOfInfo: 3,
NumberOfDebug: 0,
}
result := checks.PinningDependencies(&req)
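Review bot: The three hunks in this file now assert the same bare literals (`Score: 4`, `NumberOfWarn: 139`, `NumberOfInfo: 3`) with nothing recording where they come from, and the next dependency group added will have to touch all three again. The commit message derives the score as actions 8, npm 10, go 10 and 0 for every other group, 28/7 rounded; a comment on the first `expected :=` such as `// 28/7: actions 8, npm 10, go 10, all other groups 0 (see commit be40c99)` would keep that derivation next to the test, and a single shared expected value would remove the triplication. The enclosing `Describe` block starts and ends outside each hunk.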
