Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🐛 Add GitHub committer verification #1695

Merged
merged 4 commits into from
Mar 3, 2022

Conversation

laurentsimon
Copy link
Contributor

@laurentsimon laurentsimon commented Mar 2, 2022

PR verifies the commit's signature when the committer's name is "GitHub" and the committer's login for a merged PR is "".
See #1543 for more details

In addition, it fixes reviewer names that were not populated( I caught this problem when using --format raw)

closes #1543

Verify merged commits by GitHub are genuine

@laurentsimon laurentsimon temporarily deployed to integration-test March 2, 2022 00:18 Inactive
@laurentsimon laurentsimon temporarily deployed to integration-test March 2, 2022 00:21 Inactive
@codecov
Copy link

codecov bot commented Mar 2, 2022

Codecov Report

Merging #1695 (ef812a3) into main (57b4664) will increase coverage by 3.37%.
The diff coverage is 80.00%.

❗ Current head ef812a3 differs from pull request most recent head 844ca45. Consider uploading reports for the commit 844ca45 to get more accurate results

@@            Coverage Diff             @@
##             main    #1695      +/-   ##
==========================================
+ Coverage   58.39%   61.76%   +3.37%     
==========================================
  Files          58       58              
  Lines        5910     5940      +30     
==========================================
+ Hits         3451     3669     +218     
+ Misses       2219     2026     -193     
- Partials      240      245       +5     

@github-actions
Copy link

github-actions bot commented Mar 2, 2022

Integration tests success for
[ade2929]
(https://github.com/ossf/scorecard/actions/runs/1919463027)

@github-actions
Copy link

github-actions bot commented Mar 2, 2022

Integration tests success for
[816c7c4]
(https://github.com/ossf/scorecard/actions/runs/1919473087)

@laurentsimon laurentsimon temporarily deployed to integration-test March 2, 2022 02:32 Inactive
@github-actions
Copy link

github-actions bot commented Mar 2, 2022

Integration tests success for
[4503af5]
(https://github.com/ossf/scorecard/actions/runs/1919904755)

Comment on lines +208 to +211
} else if commit.Committer.Name != nil &&
// Username "GitHub" may indicate the commit was committed by GitHub.
// We verify that the commit is signed by GitHub, because the name can be spoofed.
*commit.Committer.Name == "GitHub" &&
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any reason we want to check committer.name if we already have wasSignedByGitHub bool?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just to verify our assumptions that the name should be "GitHub". Not exactly needed, agreed.

// TODO(#1543): Figure out a way to safely get committer if `User.Login` is `nil`.

if committer == "" {
return ret, fmt.Errorf("commit %s: %w", commit.Oid, errorInvalidCommitterLogin)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not leave committer as nil if this is the case? This might cause a lot of errors in the cron job.

Copy link
Contributor Author

@laurentsimon laurentsimon Mar 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's try to see what happens in the integration tests before using this code for the weekly cron. It'd be great to be able to report the committer's login reliably.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so I'll keep code as-is. Hope this does not backfire

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm running with the latest main code, and I think this is causing an error for me:

$ ./scorecard --repo=dart-lang/sdk --checks=Fuzzing
Starting [Fuzzing]
2022/03/03 19:26:00 internal error: ListCommits:error during graphqlHandler.setup: commit d3e36fab5eb55706a36144fe41abc2546ffa0b55: cannot retrieve committer login
panic: internal error: ListCommits:error during graphqlHandler.setup: commit d3e36fab5eb55706a36144fe41abc2546ffa0b55: cannot retrieve committer login

goroutine 1 [running]:
log.Panic({0xc000667ab8, 0xc0002be1c0, 0x100df38})
        log/log.go:354 +0x65
github.com/ossf/scorecard/v4/cmd.rootCmd(0xc000470000)
        github.com/ossf/scorecard/v4/cmd/root.go:138 +0x751
github.com/ossf/scorecard/v4/cmd.New.func2(0xc000421680, {0xe9e91a, 0x2, 0x2})
        github.com/ossf/scorecard/v4/cmd/root.go:62 +0x1d
github.com/spf13/cobra.(*Command).execute(0xc000421680, {0xc0000a8160, 0x2, 0x2})
        github.com/spf13/[email protected]/command.go:860 +0x5f8
github.com/spf13/cobra.(*Command).ExecuteC(0xc000421680)
        github.com/spf13/[email protected]/command.go:974 +0x3bc
github.com/spf13/cobra.(*Command).Execute(...)
        github.com/spf13/[email protected]/command.go:902
main.main()
        github.com/ossf/scorecard/v4/main.go:27 +0x25

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Created #1710

clients/githubrepo/graphql.go Outdated Show resolved Hide resolved
associatedPR.Reviews = append(associatedPR.Reviews, clients.Review{
State: string(review.State),
State: string(review.State),
Author: &author,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: remove the author var and create the struct here directly.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

author is a pointer, I don't think you can assign a temporary pointer directly. If the compiler does not complain, I'll do that

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And I was wrong, below seem to work just fine!

Author: &clients.User{
  Login: string(review.Author.Login),
},

@laurentsimon laurentsimon temporarily deployed to integration-test March 3, 2022 17:50 Inactive
@laurentsimon laurentsimon temporarily deployed to integration-test March 3, 2022 17:51 Inactive
@laurentsimon laurentsimon enabled auto-merge (squash) March 3, 2022 17:51
@laurentsimon laurentsimon temporarily deployed to integration-test March 3, 2022 17:55 Inactive
@github-actions
Copy link

github-actions bot commented Mar 3, 2022

Integration tests success for
[18f0677]
(https://github.com/ossf/scorecard/actions/runs/1929562811)

@github-actions
Copy link

github-actions bot commented Mar 3, 2022

Integration tests success for
[ef812a3]
(https://github.com/ossf/scorecard/actions/runs/1929566229)

@github-actions
Copy link

github-actions bot commented Mar 3, 2022

Integration tests success for
[844ca45]
(https://github.com/ossf/scorecard/actions/runs/1929568560)

@laurentsimon laurentsimon merged commit 3c92dec into ossf:main Mar 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

BUG: ListCommits() has empty committer name for "verified" commits
3 participants