From 383e5566d0b87323edaef9a091cc34493f7a65d5 Mon Sep 17 00:00:00 2001 From: Gabriela Gutierrez Date: Fri, 25 Aug 2023 13:53:22 -0300 Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20Add=20go=20installs=20to=20Pinne?= =?UTF-8?q?d-Dependencies=20score=20(#3424)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat: Add go install to pinned dependencies score Signed-off-by: Gabriela Gutierrez * test: Fix info logs count Considering the new go installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests generate one more Info log for "go installs are all pinned". Signed-off-by: Gabriela Gutierrez * test: Fix "download then run pinned debug and warn" Considering the new go installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests have to weight 7 scores instead of 6. For "download then run pinned debug and warn", we have a 0 for 2 groups, `dockerDownloadScore` and `scriptScore`. Previously, it scored 4/6 =~ 6, and now it scores 5/7 =~ 7. Signed-off-by: Gabriela Gutierrez * test: Fix "various warnings" Considering the new go installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests have to weight 7 scores instead of 6. For "various warnings", we have a 0 for 4 groups, `pipScore`, `dockerDownloadScore`, `scriptScore` and `dockerFromScore`. Previously, it scored 2/6 =~ 3, and now it scores 3/7 =~ 4. Signed-off-by: Gabriela Gutierrez * test: Fix "Validate various warnings and info" Considering the new go installs dependencies in Pinned-Dependencies score, there are some changes. Now, all tests have to weight 7 scores instead of 6. For "Validate various warnings and info", we have a 0 for 4 groups, `pipScore`, `dockerDownloadScore`, `scriptScore` and `dockerFromScore`. Previously, it scored 2/6 =~ 3, and now it scores 3/7 =~ 4. 
Signed-off-by: Gabriela Gutierrez * test: Fix "ossf-tests/scorecard-check-pinned-dependencies-e2e" Considering the new go installs dependencies in Pinned-Dependencies score, there are some changes. The repo being tested, `ossf-tests/scorecard-check-pinned-dependencies-e2e`, has third-party GitHub actions pinned, no npm installs, multiple go installs all pinned, and all other dependencies types are unpinned. This gives us 8 for actionScore, 10 for npm score, 10 for goScore, and 0 for all other scores. Previously the total score was 18/6 =~ 3, and now the total score is 28/7 =~ 4. Since all go installs are pinned, there's an additional info log for "go installs are pinned". Signed-off-by: Gabriela Gutierrez * test: Unpinned go install score When having one unpinned go install and all other dependencies pinned, the score should be 60/7 =~ 8. Also, it should raise 1 warning for the unpinned go install, 7 infos saying the other dependency types are pinned (2 for GHAs, 2 for dockerfile image and downdloads, 1 for script downdloads, 1 for pip installs and 1 for npm installs), and 0 debug logs since the go install dependency does not have an error message. Signed-off-by: Gabriela Gutierrez --------- Signed-off-by: Gabriela Gutierrez
---
 checks/evaluation/pinned_dependencies.go | 18 ++++++++-
 checks/evaluation/pinned_dependencies_test.go | 38 +++++++++++++------
 e2e/pinned_dependencies_test.go | 12 +++---
 3 files changed, 50 insertions(+), 18 deletions(-)
diff --git a/checks/evaluation/pinned_dependencies.go b/checks/evaluation/pinned_dependencies.go
index a8e98be8e17..c05038fa7ec 100644
--- a/checks/evaluation/pinned_dependencies.go
+++ b/checks/evaluation/pinned_dependencies.go
@@ -133,6 +133,12 @@ func PinningDependencies(name string, c *checker.CheckRequest,
 		return checker.CreateRuntimeErrorResult(name, err)
 	}
 
+	// Go installs.
+	goScore, err := createReturnForIsGoInstallPinned(pr, dl)
+	if err != nil {
+		return checker.CreateRuntimeErrorResult(name, err)
+	}
+
 	// Scores may be inconclusive.
 	actionScore = maxScore(0, actionScore)
 	dockerFromScore = maxScore(0, dockerFromScore)
@@ -140,9 +146,10 @@ func PinningDependencies(name string, c *checker.CheckRequest,
 	scriptScore = maxScore(0, scriptScore)
 	pipScore = maxScore(0, pipScore)
 	npmScore = maxScore(0, npmScore)
+	goScore = maxScore(0, goScore)
 
 	score := checker.AggregateScores(actionScore, dockerFromScore,
-		dockerDownloadScore, scriptScore, pipScore, npmScore)
+		dockerDownloadScore, scriptScore, pipScore, npmScore, goScore)
 
 	if score == checker.MaxResultScore {
 		return checker.CreateMaxScoreResult(name, "all dependencies are pinned")
@@ -276,6 +283,15 @@ func createReturnForIsNpmInstallPinned(pr map[checker.DependencyUseType]pinnedRe
 		dl)
 }
 
+// Create the result for go install commands.
+func createReturnForIsGoInstallPinned(pr map[checker.DependencyUseType]pinnedResult,
+	dl checker.DetailLogger,
+) (int, error) {
+	return createReturnValues(pr, checker.DependencyUseTypeGoCommand,
+		"go installs are pinned",
+		dl)
+}
+
 func createReturnValues(pr map[checker.DependencyUseType]pinnedResult,
 	t checker.DependencyUseType, infoMsg string,
 	dl checker.DetailLogger,
diff --git a/checks/evaluation/pinned_dependencies_test.go b/checks/evaluation/pinned_dependencies_test.go
index 5e3e369a314..0a40c0da9a0 100644
--- a/checks/evaluation/pinned_dependencies_test.go
+++ b/checks/evaluation/pinned_dependencies_test.go
@@ -111,7 +111,7 @@ func Test_PinningDependencies(t *testing.T) {
 				Error: nil,
 				Score: checker.MaxResultScore,
 				NumberOfWarn: 0,
-				NumberOfInfo: 7,
+				NumberOfInfo: 8,
 				NumberOfDebug: 1,
 			},
 		},
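Review bot: Passing goScore to checker.AggregateScores in the second hunk adds a seventh equally weighted bucket, and the unit-test hunks for cases that add no go command dependency move from Score 3 to 4 and 6 to 7, which suggests a dependency type with no occurrences scores the maximum and therefore lifts the aggregate for every repository without go installs. That follows from the test expectations rather than from createReturnValues, whose body is outside the hunk, so it may well be intended. If it is, a comment at the call would spare the next reader the same investigation, e.g. `// Each dependency type weighs 1/7 of the score; a type with no dependencies counts as fully pinned.`; if not, aggregating only the types that actually occur in the repository would avoid the inflation. PinningDependencies begins before and ends after this hunk.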
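Review bot: The doc comment on createReturnForIsGoInstallPinned in the third hunk does not start with the function name, which is what Go doc tooling expects; `// createReturnForIsGoInstallPinned returns the pinning score for go install commands.` would follow the convention. The sibling helpers such as createReturnForIsNpmInstallPinned have their comments outside the hunk and may use the same "Create the result for ..." wording, in which case aligning all of them is a separate cleanup rather than a reason to keep the new one inconsistent with the convention.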
@@ -130,9 +130,9 @@ func Test_PinningDependencies(t *testing.T) {
 			},
 			expected: scut.TestReturn{
 				Error: nil,
-				Score: 6,
+				Score: 7,
 				NumberOfWarn: 1,
-				NumberOfInfo: 5,
+				NumberOfInfo: 6,
 				NumberOfDebug: 1,
 			},
 		},
@@ -158,9 +158,9 @@ func Test_PinningDependencies(t *testing.T) {
 			},
 			expected: scut.TestReturn{
 				Error: nil,
-				Score: 3,
+				Score: 4,
 				NumberOfWarn: 3,
-				NumberOfInfo: 3,
+				NumberOfInfo: 4,
 				NumberOfDebug: 1,
 			},
 		},
@@ -176,7 +176,7 @@ func Test_PinningDependencies(t *testing.T) {
 				Error: nil,
 				Score: 8,
 				NumberOfWarn: 1,
-				NumberOfInfo: 6,
+				NumberOfInfo: 7,
 				NumberOfDebug: 0,
 			},
 		},
@@ -193,7 +193,7 @@ func Test_PinningDependencies(t *testing.T) {
 				Error: nil,
 				Score: 10,
 				NumberOfWarn: 0,
-				NumberOfInfo: 7,
+				NumberOfInfo: 8,
 				NumberOfDebug: 1,
 			},
 		},
@@ -203,7 +203,7 @@ func Test_PinningDependencies(t *testing.T) {
 				Error: nil,
 				Score: 10,
 				NumberOfWarn: 0,
-				NumberOfInfo: 7,
+				NumberOfInfo: 8,
 				NumberOfDebug: 0,
 			},
 		},
@@ -229,9 +229,9 @@ func Test_PinningDependencies(t *testing.T) {
 			},
 			expected: scut.TestReturn{
 				Error: nil,
-				Score: 3,
+				Score: 4,
 				NumberOfWarn: 3,
-				NumberOfInfo: 3,
+				NumberOfInfo: 4,
 				NumberOfDebug: 1,
 			},
 		},
@@ -247,7 +247,23 @@ func Test_PinningDependencies(t *testing.T) {
 				Error: nil,
 				Score: 8,
 				NumberOfWarn: 1,
-				NumberOfInfo: 6,
+				NumberOfInfo: 7,
+				NumberOfDebug: 0,
+			},
+		},
+		{
+			name: "unpinned go install",
+			dependencies: []checker.Dependency{
+				{
+					Location: &checker.File{},
+					Type: checker.DependencyUseTypeGoCommand,
+				},
+			},
+			expected: scut.TestReturn{
+				Error: nil,
+				Score: 8,
+				NumberOfWarn: 1,
+				NumberOfInfo: 7,
 				NumberOfDebug: 0,
 			},
 		},
diff --git a/e2e/pinned_dependencies_test.go b/e2e/pinned_dependencies_test.go
index 8253abf49cc..c49357d337e 100644
--- a/e2e/pinned_dependencies_test.go
+++ b/e2e/pinned_dependencies_test.go
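Review bot: The new "unpinned go install" case in the last hunk of this file covers only a go command dependency that is not marked pinned, and none of the other hunks adds a pinned one, so the "go installs are pinned" info line with at least one go dependency actually present appears to be exercised only by the e2e test (an earlier table entry outside these hunks may already include such a dependency). A sibling case with the same dependency marked pinned, expecting the maximum score, no warnings and, if every type still reports an info line, NumberOfInfo 8, would pin that path at unit level. The breakdown of the 7 infos given in the commit message is worth repeating as a short comment on the case, e.g. `// 7 infos: 2 actions, 2 docker, 1 script, 1 pip, 1 npm; go is the one warning.`, since the count is otherwise opaque to a reader of the table.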
@@ -49,9 +49,9 @@ var _ = Describe("E2E TEST:"+checks.CheckPinnedDependencies, func() {
 			}
 			expected := scut.TestReturn{
 				Error: nil,
-				Score: 3,
+				Score: 4,
 				NumberOfWarn: 139,
-				NumberOfInfo: 2,
+				NumberOfInfo: 3,
 				NumberOfDebug: 0,
 			}
 			result := checks.PinningDependencies(&req)
@@ -74,9 +74,9 @@ var _ = Describe("E2E TEST:"+checks.CheckPinnedDependencies, func() {
 			}
 			expected := scut.TestReturn{
 				Error: nil,
-				Score: 3,
+				Score: 4,
 				NumberOfWarn: 139,
-				NumberOfInfo: 2,
+				NumberOfInfo: 3,
 				NumberOfDebug: 0,
 			}
 			result := checks.PinningDependencies(&req)
@@ -110,9 +110,9 @@ var _ = Describe("E2E TEST:"+checks.CheckPinnedDependencies, func() {
 			}
 			expected := scut.TestReturn{
 				Error: nil,
-				Score: 3,
+				Score: 4,
 				NumberOfWarn: 139,
-				NumberOfInfo: 2,
+				NumberOfInfo: 3,
 				NumberOfDebug: 0,
 			}
 			result := checks.PinningDependencies(&req)