Binary Artifact detection gradle-wrapper.jar Incorrect logic #2357
Comments
Thanks, @anantshri. Would you like to send a PR to solve this issue?
Like I said, I'm not good at programming. I won't want to commit to doing something which I don't understand.
Also affecting all my Gradle-based repos. :'( I don't think it's as simple as removing the https://github.com/ossf/scorecard/blob/main/checks/raw/binary_artifact.go#L37
Is the solution here to verify that it is a digest after the
The issue is the regex accepts a version or commit SHA:
But later on we always try to parse it as a version. This check was added here, but I don't see the significance of it. I think it was this comment:
What is the expected behaviour? I.e., should the check pass with either version or digest?
Ideally it should only pass with a digest, because the overall guidance is not to have version tags. But if we want to be atomic in nature then it should pass for both version or digest, as there is another check which fails if it sees version tags.
This is a hilarious bug; it took me a few tries to get to the exact issue.
The issue gets closed only when the following conditions are met:
gradle/wrapper-validation-action@v<version_number> is specified
The issue is not closed in the following conditions:
2. Config is in part of other files
3. gradle/wrapper-validation-action@<hash> is specified: hash pinning, which is the recommended action by scorecard, is raised if my action doesn't have hashes, and if we fix that the binary artifact issue reappears.
I am no golang expert, but if I am looking at the right file then there is a very specific @v condition check in this code: https://github.com/ossf/scorecard/blob/main/checks/raw/binary_artifact.go#L36
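As an added illustration, not code from the scorecard project or from anyone in this thread, the following Go program reproduces the two behaviours the thread contrasts: a version-only match that accepts only an @v tag on the gradle/wrapper-validation-action step, and a version-or-digest match that also accepts a full 40-hex-digit commit SHA. Only the action name comes from the issue; the workflow snippets, the placeholder SHA, and every function and constant name (ParseUses, PinKind, UsesWrapperValidation, WorkflowVersionPinned, WorkflowHashPinned) are constructed for this example and are not scorecard's own regex or code.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// WrapperValidationAction is the action name discussed in the issue.
const WrapperValidationAction = "gradle/wrapper-validation-action"

var (
	// Version tags such as v1 or v1.0.5 (the only form the reported logic accepts).
	versionTagRe = regexp.MustCompile(`^v[0-9]+(\.[0-9]+)*$`)
	// A full 40-hex-digit commit SHA, i.e. a digest pin.
	commitShaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// Constructed sample workflows; the SHA below is a placeholder, not a real commit.
const WorkflowVersionPinned = `
steps:
  - uses: actions/checkout@v3
  - uses: gradle/wrapper-validation-action@v1.0.5
`

const WorkflowHashPinned = `
steps:
  - uses: actions/checkout@v3
  - uses: gradle/wrapper-validation-action@0123456789abcdef0123456789abcdef01234567 # v1.0.5
`

// ActionRef is one parsed "uses:" entry split into action and ref.
type ActionRef struct {
	Action string
	Ref    string
}

// ParseUses extracts action@ref pairs from the "uses:" lines of a workflow.
// It is a small line-oriented scanner rather than a YAML parser, and it drops
// trailing "# v1.0.5" comments so a hash pin is not misread as a version tag.
func ParseUses(workflow string) []ActionRef {
	var refs []ActionRef
	for _, raw := range strings.Split(workflow, "\n") {
		line := strings.TrimPrefix(strings.TrimSpace(raw), "- ")
		if !strings.HasPrefix(line, "uses:") {
			continue
		}
		value := strings.TrimSpace(strings.TrimPrefix(line, "uses:"))
		if i := strings.Index(value, "#"); i >= 0 {
			value = strings.TrimSpace(value[:i])
		}
		action, ref, ok := strings.Cut(value, "@")
		if !ok {
			continue
		}
		refs = append(refs, ActionRef{Action: action, Ref: ref})
	}
	return refs
}

// PinKind classifies a ref as "version", "digest" or "unknown".
func PinKind(ref string) string {
	switch {
	case commitShaRe.MatchString(ref):
		return "digest"
	case versionTagRe.MatchString(ref):
		return "version"
	default:
		return "unknown"
	}
}

// UsesWrapperValidation reports whether the workflow runs the wrapper
// validation action. acceptDigest=false reproduces the behaviour described in
// the issue (only @v tags count); acceptDigest=true also accepts a commit SHA.
func UsesWrapperValidation(workflow string, acceptDigest bool) bool {
	for _, r := range ParseUses(workflow) {
		if r.Action != WrapperValidationAction {
			continue
		}
		switch PinKind(r.Ref) {
		case "version":
			return true
		case "digest":
			if acceptDigest {
				return true
			}
		}
	}
	return false
}

func main() {
	for _, wf := range []string{WorkflowVersionPinned, WorkflowHashPinned} {
		fmt.Printf("version-only: %v, version-or-digest: %v\n",
			UsesWrapperValidation(wf, false), UsesWrapperValidation(wf, true))
	}
}
```

Running it shows the hash-pinned workflow is missed by the version-only logic and found by the version-or-digest logic, which is the contradiction the thread describes between the binary-artifact check and the pinned-dependencies guidance. Stripping the trailing comment before splitting on "@" matters in practice, since hash-pinned steps are commonly annotated with the tag they correspond to.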