Add more tests

Signed-off-by: AdamKorcz <[email protected]>
ossf · Oct 14, 2023 · d61d1ce · d61d1ce
1 parent be9dc13
commit d61d1ce
Show file tree

Hide file tree

Showing 6 changed files with 363 additions and 3 deletions.
diff --git a/checks/evaluation/sast.go b/checks/evaluation/sast.go
@@ -40,15 +40,14 @@ func SAST(name string,
 	}
 
 	var sastScore, codeQlScore, sonarScore int
-
 	// Compute the score.
 	for i := range findings {
 		f := &findings[i]
 		switch f.Probe {
 		case sastToolRunsOnAllCommits.Probe:
 			sastScore = getSASTScore(f, dl)
 		case sastToolCodeQLInstalled.Probe:
-			sastScore = getCodeQLScore(f, dl)
+			codeQlScore = getCodeQLScore(f, dl)
 		case sastToolSonarInstalled.Probe:
 			if f.Outcome == finding.OutcomePositive {
 				sonarScore = checker.MaxResultScore

diff --git a/checks/raw/sast.go b/checks/raw/sast.go
@@ -53,6 +53,7 @@ func SAST(c *checker.CheckRequest) (checker.SASTData, error) {
 	if err != nil {
 		return data, err
 	}
+
 	data.Workflows = append(data.Workflows, codeQLWorkflows...)
 
 	sonarWorkflows, err := getSonarWorkflows(c)
@@ -128,7 +129,6 @@ func codeQLInCheckDefinitions(c *checker.CheckRequest) ([]checker.SASTWorkflow,
 	if err != nil {
 		return sastWorkflows, err
 	}
-
 	for _, path := range workflowPaths {
 		sastWorkflow := checker.SASTWorkflow{
 			File: checker.File{

diff --git a/checks/raw/sast_test.go b/checks/raw/sast_test.go
@@ -103,6 +103,29 @@ func TestSAST(t *testing.T) {
 				Workflows: nil,
 			},
 		},
+		{
+			name:  "Airflows CodeQL workflow - Has CodeQL",
+			files: []string{".github/workflows/airflows-codeql.yaml"},
+			commits: []clients.Commit{
+				{
+					AssociatedMergeRequest: clients.PullRequest{
+						Number: 1,
+					},
+				},
+			},
+			expected: checker.SASTData{
+				Workflows: []checker.SASTWorkflow{
+					{
+						Type: checker.CodeQLWorkflow,
+						File: checker.File{
+							Path:   ".github/workflows/airflows-codeql.yaml",
+							Offset: checker.OffsetDefault,
+							Type:   finding.FileTypeSource,
+						},
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		tt := tt // Re-initializing variable so it is not changed while executing the closure below

diff --git a/checks/raw/testdata/.github/workflows/airflows-codeql.yaml b/checks/raw/testdata/.github/workflows/airflows-codeql.yaml
@@ -0,0 +1,109 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+---
+name: "CodeQL"
+
+on:  # yamllint disable-line rule:truthy
+  push:
+    branches: [main]
+  schedule:
+    - cron: '0 2 * * *'
+
+permissions:
+  contents: read
+concurrency:
+  group: codeql-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  selective-checks:
+    name: Selective checks
+    runs-on: ubuntu-20.04
+    outputs:
+      needs-python-scans: ${{ steps.selective-checks.outputs.needs-python-scans }}
+      needs-javascript-scans: ${{ steps.selective-checks.outputs.needs-javascript-scans }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 2
+          persist-credentials: false
+      - name: Selective checks
+        id: selective-checks
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          TARGET_COMMIT_SHA: ${{ github.sha }}
+        run: |
+          if [[ ${EVENT_NAME} == "pull_request" ]]; then
+            # Run selective checks
+            ./scripts/ci/selective_ci_checks.sh "${TARGET_COMMIT_SHA}"
+          else
+            # Run all checks
+            ./scripts/ci/selective_ci_checks.sh
+          fi
+
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-20.04
+    needs: [selective-checks]
+    strategy:
+      fail-fast: false
+      matrix:
+        # Override automatic language detection by changing the below list
+        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+        language: ['python', 'javascript']
+    permissions:
+      actions: read
+      contents: read
+      pull-requests: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+        with:
+          persist-credentials: false
+        if: |
+          matrix.language == 'python' && needs.selective-checks.outputs.needs-python-scans == 'true' ||
+          matrix.language == 'javascript' && needs.selective-checks.outputs.needs-javascript-scans == 'true'
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v1
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+          # queries: ./path/to/local/query, your-org/your-repo/queries@main
+        if: |
+          matrix.language == 'python' && needs.selective-checks.outputs.needs-python-scans == 'true' ||
+          matrix.language == 'javascript' && needs.selective-checks.outputs.needs-javascript-scans == 'true'
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v1
+        if: |
+          matrix.language == 'python' && needs.selective-checks.outputs.needs-python-scans == 'true' ||
+          matrix.language == 'javascript' && needs.selective-checks.outputs.needs-javascript-scans == 'true'
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v1
+        if: |
+          matrix.language == 'python' && needs.selective-checks.outputs.needs-python-scans == 'true' ||
+          matrix.language == 'javascript' && needs.selective-checks.outputs.needs-javascript-scans == 'true'
diff --git a/checks/sast_test.go b/checks/sast_test.go
@@ -64,10 +64,130 @@ func Test_SAST(t *testing.T) {
 					},
 				},
 			},
+			path: "",
 			expected: checker.CheckResult{
 				Score: 10,
 			},
 		},
+		{
+			name: "Airflow Workflow has CodeQL but has no check runs.",
+			err:  nil,
+			commits: []clients.Commit{
+				{
+					AssociatedMergeRequest: clients.PullRequest{
+						MergedAt: time.Now().Add(time.Hour - 1),
+					},
+				},
+			},
+			searchresult: clients.SearchResponse{},
+			path:         ".github/workflows/airflow-codeql-workflow.yaml",
+			expected: checker.CheckResult{
+				Score: 7,
+			},
+		},
+		{
+			name: "Airflow Workflow has CodeQL and two check runs.",
+			err:  nil,
+			commits: []clients.Commit{
+				{
+					AssociatedMergeRequest: clients.PullRequest{
+						MergedAt: time.Now().Add(time.Hour - 1),
+					},
+				},
+			},
+			searchresult: clients.SearchResponse{},
+			checkRuns: []clients.CheckRun{
+				{
+					Status:     "completed",
+					Conclusion: "success",
+					App: clients.CheckRunApp{
+						Slug: "lgtm-com",
+					},
+				},
+				{
+					Status:     "completed",
+					Conclusion: "success",
+					App: clients.CheckRunApp{
+						Slug: "lgtm-com",
+					},
+				},
+			},
+			path: ".github/workflows/airflow-codeql-workflow.yaml",
+			expected: checker.CheckResult{
+				Score: 10,
+			},
+		},
+		{
+			name: `Airflow Workflow has CodeQL and two check runs one of 
+			which has wrong type of conlusion. The other is 'success'`,
+			err: nil,
+			commits: []clients.Commit{
+				{
+					AssociatedMergeRequest: clients.PullRequest{
+						MergedAt: time.Now().Add(time.Hour - 1),
+					},
+				},
+			},
+			searchresult: clients.SearchResponse{},
+			checkRuns: []clients.CheckRun{
+				{
+					Status:     "completed",
+					Conclusion: "wrongConclusionValue",
+					App: clients.CheckRunApp{
+						Slug: "lgtm-com",
+					},
+				},
+				{
+					Status:     "completed",
+					Conclusion: "success",
+					App: clients.CheckRunApp{
+						Slug: "lgtm-com",
+					},
+				},
+			},
+			path: ".github/workflows/airflow-codeql-workflow.yaml",
+			expected: checker.CheckResult{
+				Score: 10,
+			},
+		},
+		{
+			name: `Airflow Workflow has CodeQL and two commits none of which 
+			ran the workflow.`,
+			err: nil,
+			commits: []clients.Commit{
+				{
+					AssociatedMergeRequest: clients.PullRequest{
+						MergedAt: time.Now().Add(time.Hour - 1),
+					},
+				},
+				{
+					AssociatedMergeRequest: clients.PullRequest{
+						MergedAt: time.Now().Add(time.Hour - 2),
+					},
+				},
+			},
+			searchresult: clients.SearchResponse{},
+			checkRuns: []clients.CheckRun{
+				{
+					Status:     "notCompletedForTestingOnly",
+					Conclusion: "notSuccessForTestingOnly",
+					App: clients.CheckRunApp{
+						Slug: "lgtm-com",
+					},
+				},
+				{
+					Status:     "notCompletedForTestingOnly",
+					Conclusion: "notSuccessForTestingOnly",
+					App: clients.CheckRunApp{
+						Slug: "lgtm-com",
+					},
+				},
+			},
+			path: ".github/workflows/airflow-codeql-workflow.yaml",
+			expected: checker.CheckResult{
+				Score: 7,
+			},
+		},
 	}
 	for _, tt := range tests {
 		tt := tt