Merge branch 'main' into probe-remove-exp-gate
Signed-off-by: Spencer Schrock <[email protected]>
spencerschrock committed Apr 12, 2024
2 parents c9b39f5 + f4c3025 commit ff538d6
Showing 3 changed files with 34 additions and 103 deletions.
13 changes: 12 additions & 1 deletion checks/evaluation/signed_releases.go
Expand Up @@ -29,6 +29,8 @@ import (
var errNoReleaseFound = errors.New("no release found")

// SignedReleases applies the score policy for the Signed-Releases check.
//
//nolint:gocognit // surpressing for now
func SignedReleases(name string,
findings []finding.Finding, dl checker.DetailLogger,
) checker.CheckResult {
Expand All @@ -42,6 +44,10 @@ func SignedReleases(name string,
return checker.CreateRuntimeErrorResult(name, e)
}

// keep track of releases which have provenance so we don't log about signatures
// on our second pass through below
hasProvenance := make(map[string]bool)

// Debug all releases and check for OutcomeNotApplicable
// All probes have OutcomeNotApplicable in case the project has no
// releases. Therefore, check for any finding with OutcomeNotApplicable.
Expand All @@ -67,7 +73,9 @@ func SignedReleases(name string,
loggedReleases = append(loggedReleases, releaseName)
}

// Check if outcome is NotApplicable
if f.Probe == releasesHaveProvenance.Probe && f.Outcome == finding.OutcomeTrue {
hasProvenance[releaseName] = true
}
}

totalTrue := 0
Expand Down Expand Up @@ -100,6 +108,9 @@ func SignedReleases(name string,
}
case finding.OutcomeFalse:
logLevel = checker.DetailWarn
if f.Probe == releasesAreSigned.Probe && hasProvenance[releaseName] {
continue
}
default:
logLevel = checker.DetailDebug
}
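Review bot: The `continue` added under `case finding.OutcomeFalse:` silently drops a warning, and the only explanation of why sits at the map declaration some forty lines earlier; a one-line comment at the skip itself would help a reader of the second pass, e.g. `// release already has provenance (logged above); skip the missing-signature warning`. Note that `hasProvenance` is keyed by release, so provenance on one asset suppresses the signature warning for every asset of that release, including assets that have neither — if that is intended, the comment at the map declaration should say "per release" explicitly. The new `//nolint:gocognit // surpressing for now` directive misspells "suppressing" (`//nolint:gocognit // suppressing for now`), and the fact that a complexity lint now needs suppressing suggests the two passes over `findings` could be extracted into small helpers instead. SignedReleases's body extends beyond the hunk on both sides.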
114 changes: 16 additions & 98 deletions checks/evaluation/signed_releases_test.go
Expand Up @@ -105,167 +105,85 @@ func TestSignedReleases(t *testing.T) {
result: scut.TestReturn{
Score: checker.MaxResultScore,
NumberOfInfo: 1,
NumberOfWarn: 1,
NumberOfWarn: 0,
NumberOfDebug: 1,
},
},

{
name: "3 releases. One release has one signed, and one release has two provenance.",
name: "3 releases. One release has one signed, and one release has provenance.",
findings: []finding.Finding{
// Release 1:
// Asset 1:
signedProbe(release0, asset0, finding.OutcomeFalse),
provenanceProbe(release0, asset0, finding.OutcomeFalse),
// Asset 2:
signedProbe(release0, asset1, finding.OutcomeTrue),
provenanceProbe(release0, asset1, finding.OutcomeFalse),
provenanceProbe(release0, asset0, finding.OutcomeFalse),
// Release 2
// Asset 1:
signedProbe(release1, asset0, finding.OutcomeFalse),
provenanceProbe(release1, asset0, finding.OutcomeFalse),
// Release 2
// Asset 2:
signedProbe(release1, asset1, finding.OutcomeFalse),
provenanceProbe(release1, asset1, finding.OutcomeFalse),
// Release 2
// Asset 3:
signedProbe(release1, asset2, finding.OutcomeFalse),
provenanceProbe(release1, asset2, finding.OutcomeFalse),
// Release 3
// Asset 1:
signedProbe(release2, asset0, finding.OutcomeFalse),
provenanceProbe(release2, asset0, finding.OutcomeTrue),
// Asset 2:
signedProbe(release2, asset1, finding.OutcomeFalse),
provenanceProbe(release2, asset1, finding.OutcomeTrue),
// Asset 3:
signedProbe(release2, asset2, finding.OutcomeFalse),
provenanceProbe(release2, asset2, finding.OutcomeFalse),
},
result: scut.TestReturn{
Score: 6,
NumberOfInfo: 3,
NumberOfWarn: 13,
NumberOfInfo: 2,
NumberOfWarn: 3,
NumberOfDebug: 3,
},
},
{
name: "5 releases. Two releases have one signed each, and two releases have one provenance each.",
findings: []finding.Finding{
// Release 1:
// Release 1, Asset 1:
signedProbe(release0, asset0, finding.OutcomeFalse),
provenanceProbe(release0, asset0, finding.OutcomeFalse),
signedProbe(release0, asset1, finding.OutcomeTrue),
provenanceProbe(release0, asset1, finding.OutcomeFalse),
// Release 2:
// Release 2, Asset 1:
signedProbe(release1, asset1, finding.OutcomeTrue),
signedProbe(release1, asset0, finding.OutcomeTrue),
provenanceProbe(release1, asset0, finding.OutcomeFalse),
// Release 2, Asset 2:
signedProbe(release1, asset1, finding.OutcomeFalse),
provenanceProbe(release1, asset1, finding.OutcomeFalse),
// Release 2, Asset 3:
signedProbe(release1, asset2, finding.OutcomeFalse),
provenanceProbe(release1, asset2, finding.OutcomeFalse),
// Release 3, Asset 1:
// Release 3:
signedProbe(release2, asset0, finding.OutcomeFalse),
provenanceProbe(release2, asset0, finding.OutcomeTrue),
// Release 3, Asset 2:
signedProbe(release2, asset1, finding.OutcomeFalse),
provenanceProbe(release2, asset1, finding.OutcomeFalse),
// Release 3, Asset 3:
signedProbe(release2, asset2, finding.OutcomeFalse),
provenanceProbe(release2, asset2, finding.OutcomeFalse),
// Release 4, Asset 1:
signedProbe(release3, asset0, finding.OutcomeFalse),
provenanceProbe(release3, asset0, finding.OutcomeTrue),
// Release 4, Asset 2:
signedProbe(release3, asset1, finding.OutcomeFalse),
provenanceProbe(release3, asset1, finding.OutcomeFalse),
// Release 4, Asset 3:
signedProbe(release3, asset2, finding.OutcomeFalse),
provenanceProbe(release3, asset2, finding.OutcomeFalse),
// Release 5, Asset 1:
signedProbe(release4, asset0, finding.OutcomeFalse),
provenanceProbe(release4, asset0, finding.OutcomeFalse),
// Release 5, Asset 2:
signedProbe(release4, asset1, finding.OutcomeFalse),
provenanceProbe(release4, asset1, finding.OutcomeFalse),
// Release 5, Asset 3:
signedProbe(release4, asset2, finding.OutcomeFalse),
provenanceProbe(release4, asset2, finding.OutcomeFalse),
// Release 5, Asset 4:
signedProbe(release4, asset3, finding.OutcomeFalse),
provenanceProbe(release4, asset3, finding.OutcomeFalse),
},
result: scut.TestReturn{
Score: 7,
NumberOfInfo: 4,
NumberOfWarn: 26,
NumberOfWarn: 4,
NumberOfDebug: 5,
},
},
{
name: "5 releases. All have one signed artifact.",
findings: []finding.Finding{
// Release 1:
// Release 1, Asset 1:
signedProbe(release0, asset0, finding.OutcomeFalse),
provenanceProbe(release0, asset0, finding.OutcomeFalse),
signedProbe(release0, asset1, finding.OutcomeTrue),
provenanceProbe(release0, asset1, finding.OutcomeFalse),
// Release 2:
// Release 2, Asset 1:
signedProbe(release1, asset0, finding.OutcomeTrue),
provenanceProbe(release1, asset0, finding.OutcomeFalse),
// Release 2, Asset 2:
signedProbe(release1, asset1, finding.OutcomeFalse),
provenanceProbe(release1, asset1, finding.OutcomeFalse),
// Release 2, Asset 3:
signedProbe(release1, asset2, finding.OutcomeFalse),
provenanceProbe(release1, asset2, finding.OutcomeFalse),
// Release 3, Asset 1:
// Release 3:
signedProbe(release2, asset0, finding.OutcomeTrue),
provenanceProbe(release2, asset0, finding.OutcomeTrue),
// Release 3, Asset 2:
signedProbe(release2, asset1, finding.OutcomeFalse),
provenanceProbe(release2, asset1, finding.OutcomeFalse),
// Release 3, Asset 3:
signedProbe(release2, asset2, finding.OutcomeFalse),
provenanceProbe(release2, asset2, finding.OutcomeFalse),
// Release 4, Asset 1:
provenanceProbe(release2, asset0, finding.OutcomeFalse),
// Release 4:
signedProbe(release3, asset0, finding.OutcomeTrue),
provenanceProbe(release3, asset0, finding.OutcomeTrue),
// Release 4, Asset 2:
signedProbe(release3, asset1, finding.OutcomeFalse),
provenanceProbe(release3, asset1, finding.OutcomeFalse),
// Release 4, Asset 3:
signedProbe(release3, asset2, finding.OutcomeFalse),
provenanceProbe(release3, asset2, finding.OutcomeFalse),
// Release 5, Asset 1:
provenanceProbe(release3, asset0, finding.OutcomeFalse),
// Release 5:
signedProbe(release4, asset0, finding.OutcomeTrue),
provenanceProbe(release4, asset0, finding.OutcomeFalse),
// Release 5, Asset 2:
signedProbe(release4, asset1, finding.OutcomeFalse),
provenanceProbe(release4, asset1, finding.OutcomeFalse),
// Release 5, Asset 3:
signedProbe(release4, asset2, finding.OutcomeFalse),
provenanceProbe(release4, asset2, finding.OutcomeFalse),
// Release 5, Asset 4:
signedProbe(release4, asset3, finding.OutcomeFalse),
provenanceProbe(release4, asset3, finding.OutcomeFalse),
},
result: scut.TestReturn{
Score: 8,
NumberOfInfo: 7,
NumberOfWarn: 23,
NumberOfInfo: 5,
NumberOfWarn: 5,
NumberOfDebug: 5,
},
},
{
name: "too many releases (6 when lookback is 5)",
name: "too many releases is an error (6 when lookback is 5)",
findings: []finding.Finding{
// Release 1:
// Release 1, Asset 1:
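Review bot: The fixture comments in the "3 releases" case repeat `// Release 2` on its own line before `// Asset 1:`, `// Asset 2:` and `// Asset 3:`, while the neighbouring cases use the single-line `// Release N, Asset M:` form; using the same form here would keep the table readable. Whether those comment lines are new or pre-existing context is not recoverable from the rendered view, so this may be pre-existing. The test function continues outside the hunk on both sides.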
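--- a/probes/internal/utils/permissions/permissions.go
+++ b/probes/internal/utils/permissions/permissions.go
@@ -90,11 +90,13 @@ func ReadTrueLevelFinding(probe string,
 	r checker.TokenPermission,
 	metadata map[string]string,
 ) (*finding.Finding, error) {
-	f, err := finding.NewWith(fs, probe,
-		"found token with 'read' permissions",
-		nil, finding.OutcomeTrue)
+	text, err := createText(r)
 	if err != nil {
-		return nil, fmt.Errorf("%w", err)
+		return nil, err
 	}
+	f, err := finding.NewWith(fs, probe, text, nil, finding.OutcomeTrue)
+	if err != nil {
+		return nil, fmt.Errorf("create finding: %w", err)
+	}
 	if r.File != nil {
 		f = f.WithLocation(r.File.Location())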
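Review bot: The new `return nil, err` after `createText(r)` returns the error bare while the `finding.NewWith` error two lines below is wrapped with `create finding:`; for consistency, `return nil, fmt.Errorf("create text: %w", err)` — unless createText already adds its own context, which is not visible in the hunk. The finding text is now derived from the permission `r` instead of the fixed string that was removed, so a short comment above the call saying what createText puts in the message would help readers who see the finding output. ReadTrueLevelFinding's signature starts and its body continues outside the hunk.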
