-
Notifications
You must be signed in to change notification settings - Fork 508
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🐛 Add GitHub committer verification #1695
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -16,6 +16,7 @@ package githubrepo | |
|
||
import ( | ||
"context" | ||
"errors" | ||
"fmt" | ||
"strings" | ||
"sync" | ||
|
@@ -36,6 +37,8 @@ const ( | |
commitsToAnalyze = 30 | ||
) | ||
|
||
var errorInvalidCommitterLogin = errors.New("cannot retrieve committer login") | ||
|
||
// nolint: govet | ||
type graphqlData struct { | ||
Repository struct { | ||
|
@@ -58,6 +61,10 @@ type graphqlData struct { | |
Login *string | ||
} | ||
} | ||
Signature struct { | ||
IsValid bool | ||
WasSignedByGitHub bool | ||
} | ||
AssociatedPullRequests struct { | ||
Nodes []struct { | ||
Repository struct { | ||
|
@@ -191,15 +198,26 @@ func (handler *graphqlHandler) isArchived() (bool, error) { | |
return handler.archived, nil | ||
} | ||
|
||
// nolint: unparam | ||
func commitsFrom(data *graphqlData, repoOwner, repoName string) ([]clients.Commit, error) { | ||
ret := make([]clients.Commit, 0) | ||
for _, commit := range data.Repository.Object.Commit.History.Nodes { | ||
var committer string | ||
if commit.Committer.User.Login != nil { | ||
// Find the commit's committer. | ||
if commit.Committer.User.Login != nil && *commit.Committer.User.Login != "" { | ||
committer = *commit.Committer.User.Login | ||
} else if commit.Committer.Name != nil && | ||
// Username "GitHub" may indicate the commit was committed by GitHub. | ||
// We verify that the commit is signed by GitHub, because the name can be spoofed. | ||
*commit.Committer.Name == "GitHub" && | ||
commit.Signature.IsValid && | ||
commit.Signature.WasSignedByGitHub { | ||
committer = "github" | ||
} | ||
// TODO(#1543): Figure out a way to safely get committer if `User.Login` is `nil`. | ||
|
||
if committer == "" { | ||
return ret, fmt.Errorf("commit %s: %w", commit.Oid, errorInvalidCommitterLogin) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why not leave There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Let's try to see what happens in the integration tests before using this code for the weekly cron. It'd be great to be able to report the committer's login reliably. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. so I'll keep code as-is. Hope this does not backfire There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm running with the latest main code, and I think this is causing an error for me: $ ./scorecard --repo=dart-lang/sdk --checks=Fuzzing
Starting [Fuzzing]
2022/03/03 19:26:00 internal error: ListCommits:error during graphqlHandler.setup: commit d3e36fab5eb55706a36144fe41abc2546ffa0b55: cannot retrieve committer login
panic: internal error: ListCommits:error during graphqlHandler.setup: commit d3e36fab5eb55706a36144fe41abc2546ffa0b55: cannot retrieve committer login
goroutine 1 [running]:
log.Panic({0xc000667ab8, 0xc0002be1c0, 0x100df38})
log/log.go:354 +0x65
github.com/ossf/scorecard/v4/cmd.rootCmd(0xc000470000)
github.com/ossf/scorecard/v4/cmd/root.go:138 +0x751
github.com/ossf/scorecard/v4/cmd.New.func2(0xc000421680, {0xe9e91a, 0x2, 0x2})
github.com/ossf/scorecard/v4/cmd/root.go:62 +0x1d
github.com/spf13/cobra.(*Command).execute(0xc000421680, {0xc0000a8160, 0x2, 0x2})
github.com/spf13/[email protected]/command.go:860 +0x5f8
github.com/spf13/cobra.(*Command).ExecuteC(0xc000421680)
github.com/spf13/[email protected]/command.go:974 +0x3bc
github.com/spf13/cobra.(*Command).Execute(...)
github.com/spf13/[email protected]/command.go:902
main.main()
github.com/ossf/scorecard/v4/main.go:27 +0x25 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Created #1710 |
||
} | ||
|
||
var associatedPR clients.PullRequest | ||
for i := range commit.AssociatedPullRequests.Nodes { | ||
pr := commit.AssociatedPullRequests.Nodes[i] | ||
|
@@ -226,6 +244,9 @@ func commitsFrom(data *graphqlData, repoOwner, repoName string) ([]clients.Commi | |
for _, review := range pr.Reviews.Nodes { | ||
associatedPR.Reviews = append(associatedPR.Reviews, clients.Review{ | ||
State: string(review.State), | ||
Author: &clients.User{ | ||
Login: string(review.Author.Login), | ||
}, | ||
}) | ||
} | ||
break | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any reason we want to check
committer.name
if we already havewasSignedByGitHub
bool?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just to verify our assumptions that the name should be "GitHub". Not exactly needed, agreed.