✨ Support more SAST tools #1487
Conversation
checks/packaging.go
Outdated
| @@ -17,7 +17,6 @@ package checks | |||
| import ( | |||
There was a problem hiding this comment.
ignore this file, it's mostly typo changes.
| return nil, err | ||
| } | ||
|
|
||
| req, err := handler.client.NewRequest("GET", u, nil) |
There was a problem hiding this comment.
go-github does not support check_suite_id as input https://github.com/google/go-github/blob/178169fc04bc4a05ca48f98709cdd02ab5b556e3/github/actions_workflow_runs.go#L56
So I've simply copied their code from https://github.com/google/go-github/blob/178169fc04bc4a05ca48f98709cdd02ab5b556e3/github/actions_workflow_runs.go#L91 until they add support. We should file an issue for it.
There was a problem hiding this comment.
Could you file an issue and add a TODO comment here to point to it?
clients/workflows.go
Outdated
|
|
||
| // Workflow represents a workflow. | ||
| type Workflow struct { | ||
| ID int64 |
There was a problem hiding this comment.
need discussion: pointer or not?
There was a problem hiding this comment.
Yes, let's use pointer (and also below for *string)
so much to discuss before I add the test. I'll add them at the end. |
|
cc @evverx |
I don't think that linters and supply-chain tools (combined) should outweigh SAST tools like LGTM, CodeQL or Coverity so it seems to me that they should be downgraded to 1 or something like that. I mean, systemd for example uses superlinter and it finds issues from time to time but I'm not sure it would be fair to say that in terms of security it's almost as important as LGTM or Coverity. It wouldn't be fair if projects using only LGTM received 4 while projects using only superlinter received 3 either. I'll try to take a closer look later. Thanks! |
It's not always feasible to run SAST tools on every PR but if they are run daily or weekly it's still useful and should be rewarded I think. For example it takes CodeQL about 40 minutes to analyze systemd so it doesn't make much sense to clog its GHActions pool on every PR but it's still run daily |
|
systemd runs LGTM and superlinter on every PR, CodeQL daily and Coverity Scan daily and with this PR applied its score went from 10 to 6. I'm not sure it's what it should get :-) |
|
FWIW The curl score went from 7 to 0 with this PR applied. Anyway, on the whole I think I like the idea of putting various tools into separate groups and assigning different "scores" to them. Though the way those "scores" are assigned depending on the group, frequency and so on needs tweaking I think. Thanks! |
|
Will take a closer look at this tomo. Overall LGTM. |
|
Thanks for the feedback @evverx I totally agree we need tweak the score; and also that tools that run on commits/schedules should be rewarded. Maybe give 70% of the points if run on commits vs PRs. Feel free to suggest. |
you'd actually get a 10 if you install scorecard as an action. It suffices for one linter and one static code analysis tool (LGTM in your case) to be run on all PRs + scorecard installed to get 10 - we don't advertise scorecard on PR because it requires a (read) PAT to be made available on PRs atm. That said, I don't disagree that we need to reward tools run on commit or on schedules. |
I think it depends on how frequent those runs are. If projects run SAST tools daily (or a few times a day) I think they should be scored higher than projects with weekly or monthly runs.
I get that :-) but it's complicated because on the one hand I think scorecard is helpful but on the other hand I don't want to promote OSSF. Other than that looking at a couple of checks that have already been introduced and issues where new checks are outlined it seems to me that scorecard is moving towards "consumers" instead of "producers" (which is understandable) but I'm not sure it will make sense for "producers" to keep it upstream at some point (time will tell I think). Just to clarify, I have absolutely no problems with this direction but somehow tools catered to "consumers" somehow shift things that should be done by "consumers" to "producers" (the latest example would be google/oss-fuzz#7146) and generally I wouldn't want to annoy maintainers. |
| Conclusion string | ||
| URL string | ||
| App CheckRunApp | ||
| Name string |
There was a problem hiding this comment.
Make Name as *string?
There was a problem hiding this comment.
Can you please add the reason as to why would like to change to a pointer?
Every change requested should have a reason as to why it is requested. It helps others understand the thought process and the reasoning. This is applicable across all these comments.
Pointer sematic has drawbacks we have to be clear on why we need it? Go doesn't encourage pointer semantics. Most of the standard library has value semantics
There was a problem hiding this comment.
Sure. As part of #1242, we are in the process of migrating the current data structure to a more consistent format. The consistent formatting lets us use a convention that implies nil == no data.
There was a problem hiding this comment.
If I make Name a pointer, shall I make everything else one too then?
| App CheckRunApp | ||
| Name string | ||
| CheckSuiteID *int64 | ||
| // PullRequests []PullRequest |
clients/workflows.go
Outdated
|
|
||
| // Workflow represents a workflow. | ||
| type Workflow struct { | ||
| ID int64 |
There was a problem hiding this comment.
Yes, let's use pointer (and also below for *string)
| }, nil | ||
| } | ||
|
|
||
| func addOptions(s string, opts interface{}) (string, error) { |
There was a problem hiding this comment.
Does opts need to be an interface{}? Can it simply be *ListWorkflowRunOptions?
There was a problem hiding this comment.
Why pointer semantics *ListWorkflowRunOptions? I would recommend it being value sematics.
There was a problem hiding this comment.
I made it a pointer. Pointers are better for large structure, right? Otherwise it's copying around data for calls, etc, I think
| return nil, err | ||
| } | ||
|
|
||
| req, err := handler.client.NewRequest("GET", u, nil) |
There was a problem hiding this comment.
Could you file an issue and add a TODO comment here to point to it?
|
LGTM. 2 open issues would be - unit tests and addressing @evverx's comment. |
checks/fileparser/github_workflow.go
Outdated
| @@ -298,6 +298,10 @@ func IsWorkflowFile(pathfn string) bool { | |||
| } | |||
| } | |||
|
|
|||
| func IsWorkflowFileCb(filename string) (bool, error) { | |||
There was a problem hiding this comment.
Why have a func that never returns error as part of the return?
There was a problem hiding this comment.
Could we remove the error?
One line go funcs are discouraged. Is there a specific reason to have this in a separate func?
| checkRun.CheckSuite.ID != nil { | ||
| cr.CheckSuiteID = checkRun.CheckSuite.ID | ||
| } | ||
| /* |
There was a problem hiding this comment.
Could we please remove this commented code?
| WorkflowID: workflowRun.WorkflowID, | ||
| } | ||
|
|
||
| /*prs := workflowRun.PullRequests |
There was a problem hiding this comment.
Could we please remove this commented code?
| @@ -35,6 +35,8 @@ type RepoClient interface { | |||
| ListReleases() ([]Release, error) | |||
| ListContributors() ([]Contributor, error) | |||
| ListSuccessfulWorkflowRuns(filename string) ([]WorkflowRun, error) | |||
| ListWorkflowRuns(opts *ListWorkflowRunOptions) ([]WorkflowRun, error) | |||
There was a problem hiding this comment.
Could this not be pointer *ListWorkflowRunOption? Makes the API cleaner.
|
Stale pull request message |
|
update: I've not tweaked the logic for score computation as follows:
Wdut? |
I think supply chain tools should follow the same rules as static analyzers in the sense that if they can't be run on PRs they should be downgraded to 1. It should help to prompt the developers of those tools to make them compatible with the PR workflow (which is supposed to catch issues as early as possible). |
good point. I'll do that then. Thank you for your feedback! |
|
thoughts on rate limiting https://docs.github.com/en/rest/overview/resources-in-the-rest-api#requests-from-github-actions That's fine since each commit should have a different token. For PAT, https://docs.github.com/en/developers/apps/building-github-apps/rate-limits-for-github-apps For a repository like FYI, we hope to be able to support GITHUB_TOKEN in the future. For cron job, highly unlikely we'll ever be able to run SAST check if we apply the changes proposed here. @azeemshaikh38 any further thought? |
1 similar comment
|
thoughts on rate limiting https://docs.github.com/en/rest/overview/resources-in-the-rest-api#requests-from-github-actions That's fine since each commit should have a different token. For PAT, https://docs.github.com/en/developers/apps/building-github-apps/rate-limits-for-github-apps For a repository like FYI, we hope to be able to support GITHUB_TOKEN in the future. For cron job, highly unlikely we'll ever be able to run SAST check if we apply the changes proposed here. @azeemshaikh38 any further thought? |
|
@azeemshaikh38 take a final look before I merge. Ignore the comments, I'm going to remove them before the merge. |
|
FWIW Looking at #1816 I think by that logic the SAST check should be inconclusive as well when scorecard can't find static analyzers it's aware of. Coverity is often hidden in bash scripts sending data to the scanner and it's unlikely that |
|
@laurentsimon are we blocked on anything to get this merged? |
|
no real blocker, mostly delayed to fix the e2e tests. |
- removed the old json format from cron fix #1487 Signed-off-by: naveensrinivasan <[email protected]>
- removed the old json format from cron fix #1487 Signed-off-by: naveensrinivasan <[email protected]>
|
Please don't close, Im going to get to this PR sometimes after I've migrated other checks to raw results. |
I apologize it was a mistake. |
np, happens to me all the time :) |
|
@laurentsimon What do we want to do about this PR? |
|
Let's keep it open if you don't mind. The code uses too many API calls, but I think if we relax some of checks, a large part of the code can be re-used. I'm not working on it atm, though. |
OK, sounds good! Thanks |
|
Hi @laurentsimon, I wondered if keeping this Pull Request open would be beneficial, considering it is over a year old. |
A friendly ping @laurentsimon |
Up to you. There's a lot of useful code someone may be able to re-use to implement the SAST. But we can close it a search for it if need be. |
Thanks for keeping it clean. I will close it. |
This PR addresses #1420, where we came to the conclusion that we want more granularity in the SAST check.
This PR does not contain unit tests yet, because there's a lot to discuss and I want to see if we're all OK with this changes.
WARNING: please ignore the comments and the calls to Println(): I will clean up once we have agreed everything else is fine.
This PR does look for:
This PR gives no additional points if a tool is declared in a workflow but not run on PRs - with the exception of scorecard above.
closes #1380
closes #1420
closes #1580