BUG: ListCommits() has empty committer name for "verified" commits #1543
Comments
When I looked at the commits which returned empty committer - What we can do is, pull-in either |
You're saying
If you agree on the above, no need for a follow-up PR :-) |
My concern here is we'll bake in the assumption that So, we can explicitly return |
good point.
+1 let's do that! Let's set it to |
Wfm. My thinking in choosing |
it's the platform's name though, the one that's used to run as GitHub user. For example, github-actions are run under user |
I'm curious about |
I was quite wrong here. Looks like you can fake criticalmanufacturing/dev-tasks@a781f66 Basically, if GitHub is unable to assign a GH userID to a commit, it takes the name and email from the Git commit. This is very easily spoof-able and someone can also commit using a |
I've created a support ticket for it. @azeemshaikh38 do you want to file an issue on GitHub for them to update their doc? This behavior should be explained. In which context does GH not know who authored a merge request? Only auto-merge. or are there other corner cases? @josepalafox appreciate any input from your team. |
Sent out #1576 to revert this change for now since it'll be erroring out for wrong reasons. |
The commits we get from graphql when querying only the commits don't have the login information (https://github.com/ossf/scorecard/blob/main/clients/githubrepo/graphql.go#L247). But it looks like the CommitMerge.Committer.Login is correct when querying the AssociatedPullRequests (https://github.com/ossf/scorecard/blob/main/clients/githubrepo/graphql.go#L212). By looking at the commit hash, we can match one against the other and recover the login: this may be a workaround to the problem. @azeemshaikh38 please tell me if you can reproduce my results. |
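The hash-matching workaround described in the comment above, written out as an added example; this is not scorecard's own code, and the struct shapes, field names and sample commits are constructed for illustration. It joins the branch commit list (where the committer login is missing for the GitHub-created, "verified" commits) against the commits attached to associated pull requests, and reports the OIDs it could not resolve so a caller can treat them as unknown rather than passing an empty committer downstream.

```go
package main

import "fmt"

// BranchCommit mirrors a commit returned when listing commits on a branch.
// For the commits discussed in this issue CommitterLogin comes back empty.
// (Constructed type; the scorecard client's real types differ.)
type BranchCommit struct {
	OID            string
	CommitterName  string
	CommitterLogin string
}

// PRCommit mirrors a commit reached through AssociatedPullRequests, where
// Committer.Login is populated. (Constructed type.)
type PRCommit struct {
	OID            string
	CommitterLogin string
}

// RecoverCommitterLogins fills in missing committer logins by matching commit
// OIDs against the pull-request commit list. Commits that stay unresolved are
// returned separately; the caller decides how to handle them instead of
// silently using "" as a committer.
func RecoverCommitterLogins(branch []BranchCommit, prCommits []PRCommit) (resolved []BranchCommit, unresolved []string) {
	byOID := make(map[string]string, len(prCommits))
	for _, c := range prCommits {
		if c.CommitterLogin != "" {
			byOID[c.OID] = c.CommitterLogin
		}
	}
	for _, c := range branch {
		if c.CommitterLogin == "" {
			if login, ok := byOID[c.OID]; ok {
				c.CommitterLogin = login
			} else {
				unresolved = append(unresolved, c.OID)
			}
		}
		resolved = append(resolved, c)
	}
	return resolved, unresolved
}

// SampleData returns constructed inputs: one commit with a login already set,
// one "verified" commit whose login can be recovered from its PR, and one
// that has no matching PR commit at all.
func SampleData() ([]BranchCommit, []PRCommit) {
	branch := []BranchCommit{
		{OID: "aaaa111", CommitterName: "Alice Example", CommitterLogin: "alice-example"},
		{OID: "bbbb222", CommitterName: "", CommitterLogin: ""}, // GitHub-created, login missing
		{OID: "cccc333", CommitterName: "", CommitterLogin: ""}, // no associated PR commit
	}
	prCommits := []PRCommit{
		{OID: "bbbb222", CommitterLogin: "bob-merger"},
	}
	return branch, prCommits
}

func main() {
	branch, prCommits := SampleData()
	resolved, unresolved := RecoverCommitterLogins(branch, prCommits)
	for _, c := range resolved {
		fmt.Printf("%s committer=%q\n", c.OID, c.CommitterLogin)
	}
	fmt.Println("unresolved:", unresolved)
}
```

The lookup map only stores pull-request commits that actually carry a login, so a PR commit with an empty login cannot "resolve" a branch commit to another empty string.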
ah yes. But for a commit to the main branch, the committer is the author of the merge commit (if there is one). Right? Let's try for me to create a PR and for you to auto-merge it. I'd like to see what the results will be. That should validate whether the node's author (in your image) is the committer's author or not - sorry, this is hard to follow :-) Maybe you have a link to the doc, which may be easier. |
According to https://docs.github.com/en/graphql/reference/objects#commit, there's both an |
The commits we don't have author for today are all authored by GH and have the "verified" keyword next to it, because they were signed. So one way to ensure it's a commit authored by GH is to query the Fyi, there's also a |
Follow-up. We don't need to verify the signature to start with, we can simply use |
Additional info: REST API's Meta endpoint which provides GitHub's SSH key fingerprints: https://api.github.com/meta. Doc is https://docs.github.com/en/rest/reference/meta Those are/should be the same fingerprints included in our documentation: More about commit signature verification here: It is currently not possible to retrieve revoked/older keys :/ |
Is looking for Maybe we could trust GitHub to have done the signature verification for us? |
Yes |
Makes sense, thanks for finding this! Do you want to send a PR for this? |
Unless someone else wants to do it, happy to. |
Thanks, assigning this to you. |
The repo client's code https://github.com/ossf/scorecard/blob/main/clients/githubrepo/graphql.go#L218 contains empty string for the committer name for certain commits.
Here are example commits that have an empty committer name:
d50788f
5f9fff3
7a6eb28
16c0d37
and more.
Looking at https://github.com/ossf/scorecard/commits/main, all these PRs have one thing in common: they are marked "verified"
This commit was created on GitHub.com
. Not sure why this changes the behavior though. This blocks #1524
@azeemsgoogle assigning to you since you've played with graphql and you may know an easy fix.