BUG: github workflow actions not parsed right? #1500

Closed
richsalz opened this issue Jan 20, 2022 · 9 comments
Labels
kind/bug Something isn't working

Comments

@richsalz

Describe the bug
I am seeing a warning on every line in .github/workflows/** that has uses: actions/checkout@v2
I was running it on my local clone via --local=openssl flag.

Reproduction steps
Look at the output for something like openssl.

Expected behavior
I don't expect to see warnings. Is the tool thinking the @v2 is like a pinned hash?

Or am I just wrong?

@richsalz richsalz added the kind/bug Something isn't working label Jan 20, 2022
@laurentsimon
Contributor

laurentsimon commented Jan 21, 2022

@v2 is a pinned version: those are not immutable and can change under the hood.
The check Pinned-Dependencies looks for hash pins, which ensure the exact same copy of a dependency is used each time. If an action were to be compromised, you would not be immediately vulnerable, giving an attacker RCE.

Hash pins also help during incident response in general: they help identify the commits at which your repo has run malicious code.

We warn for both GitHub-owned actions and third-party actions. In terms of score, we give 8 if all third-party actions are pinned by hash, and 10 if the GitHub-owned actions are also pinned by hash. Actions don't change very often, so updating the hash is not a real burden in practice. In order to be notified when a new version of an action is available, you can install a tool on your repo: this is checked and explained in the Update-Dependency-Tool check.

Does this clarify things? Is this something we need to improve in the documentation?

@richsalz
Author

I think something should be said, since in my experience @v2 is often used. Is there a way to find out what the hash value would be, so that I could use it instead of @v2?

@azeemshaikh38
Contributor

The simplest way to find out the hash value would be to go to the release page and find the associated commit SHA:

[image]

[image]

Hope that helps. Let me know if that fixes the issue.

@laurentsimon @olivekl assigning to you both for now to track any documentation work that might be pending here.
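The behaviour laurentsimon describes above (a tag such as `@v2` is mutable, a 40-hex commit hash is not, and the score depends on whether only third-party or also GitHub-owned actions are hash-pinned), together with the `owner/repo@<sha> # v2` form used when remediating, as an added example that is not part of the issue thread or of Scorecard's own code. It scans the `uses:` lines of a constructed workflow, classifies each reference, computes a simplified score that follows the 8/10 rule quoted above (any workflow with an unpinned third-party action is scored 0 here, which is an assumption; the real check scores more finely), and rewrites a reference once the commit SHA has been looked up. The `actions` org is assumed to be the only GitHub-owned owner, and the all-zero hashes are placeholders, not real commits.

```python
import re

# Constructed sample workflow (not from the openssl repo). It mimics the
# references mentioned in the issue: tag pins, a branch pin (oss-fuzz),
# a hash pin, a local action and a docker image.
FAKE_SHA = "0" * 40  # placeholder, not a real commit
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@v2
      - uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
      - uses: ossf/scorecard-action@{FAKE_SHA} # v1.0.2
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.15
"""

USES_RE = re.compile(r"^(\s*-?\s*uses:\s*)(\S+)(.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
GITHUB_OWNED = {"actions"}  # assumption: only the `actions` org counts as GitHub-owned


def parse_uses(text):
    """Yield (line_no, prefix, reference, trailing_text) for each `uses:` step."""
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            yield n, m.group(1), m.group(2), m.group(3)


def classify(ref):
    """Label a `uses:` reference. Only a full 40-hex commit hash is immutable;
    a tag (v2) or branch (master) can be moved to point at different code."""
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:
        return "unpinned"
    path, _, version = ref.rpartition("@")
    if SHA_RE.match(version):
        return "hash"
    owner = path.split("/")[0]
    return "github-owned-mutable" if owner in GITHUB_OWNED else "third-party-mutable"


def findings(text):
    """(line_no, reference, kind) for every `uses:` line in the workflow."""
    return [(n, ref, classify(ref)) for n, _, ref, _ in parse_uses(text)]


def score(text):
    """Simplified version of the rule quoted in the thread: 10 if everything is
    hash-pinned, 8 if only GitHub-owned actions are still on tags, else 0 here."""
    mutable = [k for _, _, k in findings(text) if k.endswith("mutable")]
    if not mutable:
        return 10
    if all(k == "github-owned-mutable" for k in mutable):
        return 8
    return 0


def pin(ref, sha):
    """Rewrite owner/repo@tag as owner/repo@<sha> # tag. The trailing comment
    keeps the human-readable version next to the hash."""
    path, _, version = ref.rpartition("@")
    return f"{path}@{sha} # {version}"


def pin_workflow(text, resolved):
    """Apply `pin` to every `uses:` line whose reference is in `resolved`
    (a mapping reference -> commit SHA looked up from the release page)."""
    out = []
    for line in text.splitlines(keepends=True):
        m = USES_RE.match(line.rstrip("\n"))
        if m and m.group(2) in resolved:
            line = f"{m.group(1)}{pin(m.group(2), resolved[m.group(2)])}{m.group(3)}\n"
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for n, ref, kind in findings(SAMPLE_WORKFLOW):
        print(f"line {n}: {kind:22} {ref}")
    print("score:", score(SAMPLE_WORKFLOW))
```

Running it on the sample flags both `actions/*@v2` lines and the oss-fuzz `@master` line as mutable; pinning only the third-party reference lifts the score to 8, pinning the GitHub-owned ones as well gives 10, which matches the rule quoted in the comment above.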

@richsalz
Author

Thanks. I agree this is a doc bug. The doc should explain how to find the URLs. For some it's easier, as in all GitHub actions can be found in https://github.com/orgs/actions/repositories and look for the tag that you need. Not sure how to find others, such as

main.yml:      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master

so that I can fix that.

@laurentsimon
Contributor

laurentsimon commented Jan 21, 2022

> Thanks. I agree this is a doc bug. The doc should explain how to find the URLs. For some it's easier, as in all GitHub actions can be found in https://github.com/orgs/actions/repositories and look for the tag that you need. Not sure how to find others, such as

in the doc https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies in the Remediation steps section, we link to https://app.stepsecurity.io/ which allows you to copy/paste your workflow and get the pinned version automatically. Today the doc has a lot for Pinned-Dependencies because it's a big check, so I understand the information is a little hard to get at. We're going to address this in the next releases.

> main.yml:      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master

unfortunately, oss-fuzz does not release versions because of the way it's structured - integrations commit to head.
I suppose you could pin by the hash of the latest head commit you see now. Dependabot won't notify you to update the hash though, since there is no release associated with it. For the moment, the best may be to ignore the warning.

cc @oliverchang @jonathanmetzman from OSS-Fuzz

> so that I can fix that.

@richsalz
Author

Great, thank you.

If you want me to open a separate issue for oss-fuzz (either here or somewhere else), let me know. I hope that gets fixed.

@laurentsimon
Contributor

@oliverchang and @jonathanmetzman have this on their roadmap to see what we can do. I suggest you create a tracking issue on the OSS-Fuzz repo and add a link to this Scorecard issue?

Meanwhile, I'll close this issue. Please re-open if needed. Thanks again for reporting the problem!

@richsalz
Author

> We're going to address this in the next releases.

And yet the bug is closed? Shrug. Not a big deal, I was curious.

@laurentsimon laurentsimon reopened this Jan 21, 2022
@laurentsimon
Contributor

laurentsimon commented Jan 21, 2022

Can you file a new issue for that specifically? Sorry, I forgot about the early part of the conversation. My bad!
