✨ Add machine-readable patch to fix script injections in workflows #4218
base: main
Commits on Oct 1, 2024
- b4ec86d  Merge pull request #1 from joycebrum/feature/setup-environment-for-dw-fix
  create environment for patch on DW script injections
  Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- 5ee165c  Merge pull request ossf#3 from joycebrum/feat/connect-patch-generator-with-remediation-output
  Include the generated patch in the output
  Signed-off-by: Joyce Brum <[email protected]>
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- bcb159e  Merge pull request ossf#2 from joycebrum/test/initial-tests-for-dw-fix
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- 5bddd1a  Merge pull request ossf#4 from joycebrum/feat/get-input-needed-to-generate-patch
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- 488d89a  impl.go: slight refactor to loop
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- 93c2fba  Add envvars to existing or new env, still not replaced in run
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- 0394b86  Replace unsafe variables in run commands, generate git diff
  Git diff created using hexops/gotextdiff, WHICH IS ARCHIVED. It is unfortunately the only package I found which could do it. To be discussed with Scorecard maintainers whether it's worth it.
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- 3c7f9c6
  - Test patchWorkflow instead of GeneratePatch. This avoids the complication of comparing diff files; we can instead simply compare the output workflow to an expected "fixed" workflow.
  - Examples with multiple findings must have separate "fixed" workflows for each finding, not a single file which covers all findings.
  - Instead of hard-coding the finding details (snippet, line position), run raw.DangerousWorkflow() to get that data automatically. This does make these tests a bit more "integration-test-like", but makes them substantially easier to maintain.
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- b299a47
  - misc refactors
  - use go-git to generate diff
  - Most functions now return errors instead of bools. This can be later used for simpler logging.
  - Existing environment variables are now detected by parsing the files as GH workflows. This is WIP to handle existing envvars in our patches.
  - Remove instances of C-style for-loops, unnecessarily dangerous!
  - Fixed proper detection of existing env, handling blank lines and comments.
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- 9a5e043
  - Fix inconsistencies between original and "fixed" versions
  - Store multiple "fixed" workflows for tests with multiple findings. Each "fixed" workflow fixes a single finding. The files are numbered according to the order in which the findings are found by moving down the file.
  - allKindsOfUserInput removed. Would require too many "fixed" workflows to test. The behavior can be tested more directly.
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- 3f8e2af  Use existing envvars, validate patched workflow
  - If an envvar with our name and value already existed but simply wasn't used, the patch no longer duplicates it.
  - After the patched workflow is created, we validate that it is valid. Or, at least, did not introduce any syntax errors that were not present in the original workflow.
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- 8b47fdd  Test for same injection in same step, leading to duplicate findings
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- c632590  Use existing envvars with different name but same meaning
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- 5c986e8  Avoid conflicts with irrelevant but existing envvars
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- 6534155  Use first job's indent to define envvar indent
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- bf26120
  - Create helper function `readWorkflow`
  - Improved error handling in case of failed workflow validation
  - Allow the declaration of duplicate findings (cases where 2+ findings have the same patch)
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- 31ea054  patch/impl: Simplify unsafePatterns, use errors, docs, lint
  - Simplify use of unsafePatterns
  - Replaced boolean returns with errors, for easier log/debugging
  - Improved documentation
  - Changes to satisfy linter, adoption of 120-char line limit
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- e61d79a  Fix panic in hasScriptInjection test due to missing file
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- bbe6c85  Avoid duplicate envvars dealing with array variables
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- 09d4b47  Adopt existing inter-block spacing for new env
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- 89b73a3  chore: Tidy up function order, remove unused files
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- 71d73a4  Define localPath in runScorecard
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- 938a59c  Assert valid offset, use TrimSpace, drop unused struct member
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- fa8e16b  Just use []bytes instead of string
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- 42cf837
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- 10e6589
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- fb31f93
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- d6e4fd1  Move /patch to /internal/patch
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- 5a7b390  Document patch behavior and add patch to remediation in def.yml
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
- 557a1b4
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
Commits on Oct 3, 2024
- 892c442  Add patch to finding before adding to list of findings
  Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>