Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

✨ Add dangerous workflow check with untrusted code checkout pattern #1168

Merged
merged 21 commits into from
Nov 15, 2021

Conversation

asraa
Copy link
Contributor

@asraa asraa commented Oct 27, 2021

Signed-off-by: Asra Ali [email protected]

  • Please check if the PR fulfills these requirements
  • What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
    Adds a new check Dangerous-Workflow that checks if a github workflow uses dangerous coding patterns.
    The first pattern implemented is a check for an untrusted code checkout.

This is described in #426

  • What is the current behavior? (You can also link to an open issue here)

  • What is the new behavior (if this is a feature change)?

  • Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)
    No

  • Other information:

Copy link
Contributor

@azeemshaikh38 azeemshaikh38 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks @asraa !

checks/dangerous_workflow.go Show resolved Hide resolved
Copy link
Member

@naveensrinivasan naveensrinivasan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

Copy link
Contributor

@laurentsimon laurentsimon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

another great PR, thanks @asraa !

checks/dangerous_workflow.go Show resolved Hide resolved
checks/dangerous_workflow.go Outdated Show resolved Hide resolved
checks/dangerous_workflow.go Outdated Show resolved Hide resolved
checks/dangerous_workflow.go Outdated Show resolved Hide resolved
docs/checks.md Outdated
@@ -522,3 +522,18 @@ possible.
**Remediation steps**
- Fix the vulnerabilities. The details of each vulnerability can be found on <https://osv.dev>.

## Dangerous
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@olivekl comments?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple suggestions:

"This check determines whether the project has dangerous code patterns. ADD: Some examples of these patterns are [X] and [Y]."

"The first check is misuse of..." Why the reference to first? Is there a second part to the check that I'm not seeing?

Related: is this check looking for other dangerous patterns aside from the pull_request_target trigger used with an explicit pull request checkout? If not, would this test be better named as something specific to this particular pattern, if it's the only one being detected?

Nit: are we using "PR" or trying to stick to the more platform agnostic "merge request"? Or is this test only applicable to GitHub (in which case, let's add that)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yay thanks!!

"This check determines whether the project has dangerous code patterns. ADD: Some examples of these patterns are [X] and [Y]."

added

Is there a second part to the check that I'm not seeing?

Yep, I've only added one so far but the plan is to add a series of checks (#426 (comment)). I tried to rephrase this with The first code pattern checked. So I think it makes sense to keep this more general.

Or is this test only applicable to GitHub (in which case, let's add that)?

The check will have a lot of GitHub Actions dependent style and relies on it's particular default behavior, so I added this clarification Determines if the project's GitHub Action workflows avoid dangerous patterns.

Signed-off-by: Asra Ali <[email protected]>
@azeemshaikh38
Copy link
Contributor

Given recent discussion about Scorecard data change affecting clients, let's disable this check from running by default in CLI and cron job for now. If clients specifically want to invoke this check, that's ok.

@laurentsimon
Copy link
Contributor

Given recent discussion about Scorecard data change affecting clients, let's disable this check from running by default in CLI and cron job for now. If clients specifically want to invoke this check, that's ok.

@asraa use an env variable to guard the access to this check. You can update the code in cmd/root.go, function getEnabledChecks()

@azeemshaikh38
Copy link
Contributor

Given recent discussion about Scorecard data change affecting clients, let's disable this check from running by default in CLI and cron job for now. If clients specifically want to invoke this check, that's ok.

@asraa use an env variable to guard the access to this check. You can update the code in cmd/root.go, function getEnabledChecks()

Just delete(enabledchecks, checks.CheckDangerousWorkflow) here should be enough :)
Same for cron job here.

@laurentsimon
Copy link
Contributor

Given recent discussion about Scorecard data change affecting clients, let's disable this check from running by default in CLI and cron job for now. If clients specifically want to invoke this check, that's ok.

@asraa use an env variable to guard the access to this check. You can update the code in cmd/root.go, function getEnabledChecks()

Just delete(enabledchecks, checks.CheckDangerousWorkflow) here should be enough :)

I want to be able to use and test the local repo interface with all checks (without providing a long list of --checks), so I'd prefer an env variable.

Same for cron job here.

@azeemshaikh38
Copy link
Contributor

I want to be able to use and test the local repo interface with all checks (without providing a long list of --checks), so I'd prefer an env variable.

Same for cron job here.

If its only needed for testing, you can simply remove the line locally? ;)

Signed-off-by: Asra Ali <[email protected]>
@asraa
Copy link
Contributor Author

asraa commented Nov 1, 2021

I went with the ENV var solution, but only because I imagine future checks might just want to add to the list? And it would centralize where the code could be removed before the next cut but let me know if I should change that

Signed-off-by: Asra Ali <[email protected]>
@laurentsimon
Copy link
Contributor

@asraa heads up. #1195 got merged. You're going to have to update the checks.yaml file and add a repos field with a list of interfaces that are supported by your check. See example checks.yaml#L78.

The doc generation will also validate that your check does not use APIs that are inconsistent with the repos field. If you find a problem with the validation, let me know. (Note: validation happens automatically as you re-generate the .md)

@asraa
Copy link
Contributor Author

asraa commented Nov 4, 2021

thanks for the review @chrismcgehee!

@asraa
Copy link
Contributor Author

asraa commented Nov 9, 2021

ping? anything else to do here?

@laurentsimon
Copy link
Contributor

ping? anything else to do here?

license check is failing. apart from that, I think we're good to merge. If anyone disagrees, please reply.

@asraa
Copy link
Contributor Author

asraa commented Nov 9, 2021

oops, something funky with the merge -- one second will update

@olivekl
Copy link
Contributor

olivekl commented Nov 9, 2021

ping? anything else to do here?

license check is failing. apart from that, I think we're good to merge. If anyone disagrees, please reply.

I'd just had a couple comments above on the documentation description. We could also address them after the merge, though.

@laurentsimon
Copy link
Contributor

ping? anything else to do here?

license check is failing. apart from that, I think we're good to merge. If anyone disagrees, please reply.

I'd just had a couple comments above on the documentation description. We could also address them after the merge, though.

I think there's time to add your suggestions in this PR, since the pre-submit tests are still failing.

Signed-off-by: Asra Ali <[email protected]>
@asraa
Copy link
Contributor Author

asraa commented Nov 9, 2021

Yeah! Happy to address more comments -- merge issue fixed

@laurentsimon
Copy link
Contributor

did you update the cron job

delete(checksToRun, checks.CheckContributors)
?

Signed-off-by: Asra Ali <[email protected]>
@asraa
Copy link
Contributor Author

asraa commented Nov 9, 2021

did you update the cron job

Oops -- good catch, I had assumed that it would call the root command, but it doesn't. Updated

Copy link
Contributor

@olivekl olivekl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few comments!

docs/checks.md Outdated
@@ -522,3 +522,18 @@ possible.
**Remediation steps**
- Fix the vulnerabilities. The details of each vulnerability can be found on <https://osv.dev>.

## Dangerous
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple suggestions:

"This check determines whether the project has dangerous code patterns. ADD: Some examples of these patterns are [X] and [Y]."

"The first check is misuse of..." Why the reference to first? Is there a second part to the check that I'm not seeing?

Related: is this check looking for other dangerous patterns aside from the pull_request_target trigger used with an explicit pull request checkout? If not, would this test be better named as something specific to this particular pattern, if it's the only one being detected?

Nit: are we using "PR" or trying to stick to the more platform agnostic "merge request"? Or is this test only applicable to GitHub (in which case, let's add that)?

Signed-off-by: Asra Ali <[email protected]>
secrets. With the PR checkout, PR authors may compromise the repository, for
example, by using build scripts controlled by the author of the PR or reading
token in memory. This check does not detect whether untrusted code checkouts are
used safely, for example, only on pull request that have been assigned a label.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this check is only supported on GitHub. @olivekl do we need to use merge request instead of pull request in this sentence?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since it's only on GitHub I think pull request is fine.

@laurentsimon
Copy link
Contributor

I fixed the pre-submit error

--- FAIL: TestSARIFOutput (0.00s)
    --- FAIL: TestSARIFOutput/check-8 (0.00s)
        sarif_test.go:800: check-8: invalid result: 1

in #1233
Once you push the error should go away

@asraa
Copy link
Contributor Author

asraa commented Nov 15, 2021

ping? anything else to do here?
(assuming I'll update this to use the github workflow parser next)

@laurentsimon
Copy link
Contributor

laurentsimon commented Nov 15, 2021

ping? anything else to do here? (assuming I'll update this to use the github workflow parser next)

nop, go ahead update with workflow parser. Unless it's a trivial change, do it in a follow-up PR. Let me know which option you prefer.

@azeemshaikh38
Copy link
Contributor

ping? anything else to do here? (assuming I'll update this to use the github workflow parser next)

nop, go ahead update with workflow parser. Unless it's a trivial change, do it in a follow-up PR. Let me know which option you prefer.

+1

@dota17
Copy link
Contributor

dota17 commented Nov 25, 2021

It is recommended that the Readme of the project be updated synchronously. Currently, there are 17 check items, whereas the Readme has only 16 check items.
https://github.com/ossf/scorecard/blob/main/README.md

@naveensrinivasan
Copy link
Member

Thanks, we would appreciate if you can do PR to fix the issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants