Merge branch 'main' into sast-no-search

Signed-off-by: Spencer Schrock <[email protected]>
ossf · Apr 12, 2023 · 3fc6d1b · 3fc6d1b
2 parents f3deb66 + 4809b20
commit 3fc6d1b
Show file tree

Hide file tree

Showing 36 changed files with 1,261 additions and 156 deletions.
diff --git a/.codecov.yml b/.codecov.yml
@@ -7,6 +7,7 @@ codecov:
 ignore:
   - "cron/**/*"
   - "clients/mockclients/**/*"
+  - "attestor/command/**/*"
 coverage:
   precision: 2
   round: down

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -41,7 +41,7 @@ jobs:
         fetch-depth: 2
     - id: files
       name: Get changed files
-      uses: tj-actions/changed-files@e9b5807e928fc8eea705c90da5524fd44b183ba1 #v35.7.8
+      uses: tj-actions/changed-files@b109d83a62e94cf7c522bf6c15cb25c175850b16 #v35.7.12
       with:
         files_ignore: '**.md'
     - id: docs_only_check

diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -67,7 +67,7 @@ jobs:
           command: make e2e-gh-token
 
       - name: codecov
-        uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # 2.1.0
+        uses: codecov/codecov-action@40a12dcee2df644d47232dde008099a3e9e4f865 # 2.1.0
         with:
          files: ./e2e-coverage.out
          verbose: true
@@ -81,7 +81,7 @@ jobs:
           command: make e2e-gitlab
 
       - name: codecov
-        uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # 2.1.0
+        uses: codecov/codecov-action@40a12dcee2df644d47232dde008099a3e9e4f865 # 2.1.0
         with:
          files: ./e2e-coverage.out
          verbose: true
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -66,7 +66,7 @@ jobs:
      - name: Run unit-tests
        run: make unit-test
      - name: Upload codecoverage
-       uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # 2.1.0
+       uses: codecov/codecov-action@40a12dcee2df644d47232dde008099a3e9e4f865 # 2.1.0
        with:
          files: ./unit-coverage.out
          verbose: true

diff --git a/.github/workflows/publishimage.yml b/.github/workflows/publishimage.yml
@@ -61,7 +61,7 @@ jobs:
             make install
             make scorecard-ko
      - name: Install Cosign
-       uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65
+       uses: sigstore/cosign-installer@9e9de2292db7abb3f51b7f4808d98f0d347a8919
      - name: Sign image
        run: |
           cosign sign ghcr.io/${{github.repository_owner}}/scorecard/v4:${{ github.sha }}
diff --git a/.golangci.yml b/.golangci.yml
@@ -12,6 +12,12 @@ issues:
   # Default: 3
   max-same-issues: 0
   new-from-rev: ""
+  exclude-rules:
+    - path: '(.+)_test\.go'
+      linters:
+        - funlen
+        - goconst
+        - gocyclo
 skip-files:
   - cron/data/request.pb.go # autogenerated
 linters:

diff --git a/attestor/policy/attestation_policy.go b/attestor/policy/attestation_policy.go
@@ -71,8 +71,7 @@ type Dependency struct {
 	Version     string `yaml:"version"`
 }
 
-// Allows us to run fewer scorecard checks if some policy values
-// are don't-cares.
+// GetRequiredChecksForPolicy Allows us to run fewer scorecard checks if some policy values are don't-cares.
 func (ap *AttestationPolicy) GetRequiredChecksForPolicy() map[string]bool {
 	requiredChecks := make(map[string]bool)
 
@@ -95,7 +94,7 @@ func (ap *AttestationPolicy) GetRequiredChecksForPolicy() map[string]bool {
 	return requiredChecks
 }
 
-// Run attestation policy checks on raw data.
+// EvaluateResults Run attestation policy checks on raw data.
 func (ap *AttestationPolicy) EvaluateResults(raw *checker.RawResults) (PolicyResult, error) {
 	logger := sclog.NewLogger(sclog.DefaultLevel)
 	if ap.PreventBinaryArtifacts {
@@ -291,7 +290,7 @@ func isUnpinnedDependencyAllowed(d checker.Dependency, allowed []Dependency) boo
 	return false
 }
 
-// ParseFromFile takes a policy file and returns an AttestationPolicy.
+// ParseAttestationPolicyFromFile takes a policy file and returns an AttestationPolicy.
 func ParseAttestationPolicyFromFile(policyFile string) (*AttestationPolicy, error) {
 	if policyFile != "" {
 		data, err := os.ReadFile(policyFile)
@@ -315,7 +314,7 @@ func ParseAttestationPolicyFromFile(policyFile string) (*AttestationPolicy, erro
 	return nil, nil
 }
 
-// Parses a policy file and returns a AttestationPolicy.
+// ParseAttestationPolicyFromYAML parses a policy file and returns a AttestationPolicy.
 func ParseAttestationPolicyFromYAML(b []byte) (*AttestationPolicy, error) {
 	ap := AttestationPolicy{}
 

diff --git a/attestor/policy/attestation_policy_test.go b/attestor/policy/attestation_policy_test.go
@@ -20,6 +20,8 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
+
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/clients"
 	sce "github.com/ossf/scorecard/v4/errors"
@@ -538,3 +540,165 @@ func TestAttestationPolicyRead(t *testing.T) {
 		})
 	}
 }
+
+func TestAttestationPolicy_GetRequiredChecksForPolicy(t *testing.T) {
+	t.Parallel()
+	type fields struct { //nolint:govet
+		PreventBinaryArtifacts      bool
+		AllowedBinaryArtifacts      []string
+		PreventKnownVulnerabilities bool
+		PreventUnpinnedDependencies bool
+		AllowedUnpinnedDependencies []Dependency
+		EnsureCodeReviewed          bool
+		CodeReviewRequirements      CodeReviewRequirements
+	}
+	tests := []struct { //nolint:govet
+		name   string
+		fields fields
+		want   map[string]bool
+	}{
+		{
+			name: "all checks",
+			fields: fields{
+				PreventBinaryArtifacts:      true,
+				AllowedBinaryArtifacts:      []string{},
+				PreventKnownVulnerabilities: true,
+				PreventUnpinnedDependencies: true,
+				AllowedUnpinnedDependencies: []Dependency{},
+				EnsureCodeReviewed:          true,
+				CodeReviewRequirements:      CodeReviewRequirements{MinReviewers: 1},
+			},
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			ap := &AttestationPolicy{
+				PreventBinaryArtifacts:      tt.fields.PreventBinaryArtifacts,
+				AllowedBinaryArtifacts:      tt.fields.AllowedBinaryArtifacts,
+				PreventKnownVulnerabilities: tt.fields.PreventKnownVulnerabilities,
+				PreventUnpinnedDependencies: tt.fields.PreventUnpinnedDependencies,
+				AllowedUnpinnedDependencies: tt.fields.AllowedUnpinnedDependencies,
+				EnsureCodeReviewed:          tt.fields.EnsureCodeReviewed,
+				CodeReviewRequirements:      tt.fields.CodeReviewRequirements,
+			}
+			if got := ap.GetRequiredChecksForPolicy(); cmp.Equal(got, tt.want) {
+				t.Errorf("GetRequiredChecksForPolicy() %v, want %v", cmp.Diff(got, tt.want), tt.want)
+			}
+		})
+	}
+}
+
+func TestAttestationPolicy_EvaluateResults(t *testing.T) {
+	t.Parallel()
+	type fields struct { //nolint:govet
+		PreventBinaryArtifacts      bool
+		AllowedBinaryArtifacts      []string
+		PreventKnownVulnerabilities bool
+		PreventUnpinnedDependencies bool
+		AllowedUnpinnedDependencies []Dependency
+		EnsureCodeReviewed          bool
+		CodeReviewRequirements      CodeReviewRequirements
+	}
+	type args struct {
+		raw *checker.RawResults
+	}
+	tests := []struct { //nolint:govet
+		name    string
+		fields  fields
+		args    args
+		want    PolicyResult
+		wantErr bool
+	}{
+		{
+			name: "vulnerabilities",
+			fields: fields{
+				PreventKnownVulnerabilities: true,
+			},
+			args: args{
+				raw: &checker.RawResults{
+					VulnerabilitiesResults: checker.VulnerabilitiesData{
+						Vulnerabilities: []clients.Vulnerability{
+							{ID: "foo"},
+						},
+					},
+				},
+			},
+			want: false,
+		},
+		{
+			name: "binary artifacts",
+			fields: fields{
+				PreventBinaryArtifacts: true,
+			},
+			args: args{
+				raw: &checker.RawResults{
+					BinaryArtifactResults: checker.BinaryArtifactData{Files: []checker.File{
+						{Path: "a"},
+						{Path: "b"},
+					}},
+				},
+			},
+			want: false,
+		},
+		{
+			name: "unpinned dependencies",
+			fields: fields{
+				PreventUnpinnedDependencies: true,
+			},
+			args: args{
+				raw: &checker.RawResults{
+					PinningDependenciesResults: checker.PinningDependenciesData{
+						Dependencies: []checker.Dependency{
+							{Name: asPointer("foo"), PinnedAt: asPointer("abcdef")},
+						},
+					},
+				},
+			},
+			want: true,
+		},
+		{
+			name: "code review",
+			fields: fields{
+				EnsureCodeReviewed: true,
+			},
+			args: args{
+				raw: &checker.RawResults{
+					CodeReviewResults: checker.CodeReviewData{
+						DefaultBranchChangesets: []checker.Changeset{
+							{
+								RevisionID: "1",
+								Commits:    []clients.Commit{{SHA: "a"}},
+							},
+						},
+					},
+				},
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			ap := &AttestationPolicy{
+				PreventBinaryArtifacts:      tt.fields.PreventBinaryArtifacts,
+				AllowedBinaryArtifacts:      tt.fields.AllowedBinaryArtifacts,
+				PreventKnownVulnerabilities: tt.fields.PreventKnownVulnerabilities,
+				PreventUnpinnedDependencies: tt.fields.PreventUnpinnedDependencies,
+				AllowedUnpinnedDependencies: tt.fields.AllowedUnpinnedDependencies,
+				EnsureCodeReviewed:          tt.fields.EnsureCodeReviewed,
+				CodeReviewRequirements:      tt.fields.CodeReviewRequirements,
+			}
+			got, err := ap.EvaluateResults(tt.args.raw)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("EvaluateResults() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != tt.want {
+				t.Errorf("EvaluateResults() got = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}