SARIF difference in golang-staging #236

Closed
laurentsimon opened this issue May 3, 2022 · 1 comment

@laurentsimon
Contributor

laurentsimon commented May 3, 2022

See results ossf-tests/scorecard-action-results#2
Workflow that generated it is https://github.com/ossf-tests/scorecard-action/runs/6187072538?check_suite_focus=true

The results are odd and wrong. Consider https://github.com/ossf-tests/scorecard-action-results/blob/a61cd2ab16265c0dad77b7fc9eb3fa0e7f7fa6b3/scorecard-action-main.sarif#L271-L311 or more specifically https://github.com/ossf-tests/scorecard-action-results/blob/a61cd2ab16265c0dad77b7fc9eb3fa0e7f7fa6b3/scorecard-action-main.sarif#L274

We see that the text contains both the scorecard detail text and the location information, concatenated: `score is 8: dependency not pinned by hash detected -- score normalized to 8:\nWarn: third-party action not pinned by hash: .github/workflows/scorecards-golang.yml:`

I ran scorecard at HEAD and at the v4.1.0 release on the same repo (ossf-tests/scorecard-action), and the results are identical but are different from the results of the run above for golang-staging:

```json
{
  "ruleId": "PinnedDependenciesID",
  "ruleIndex": 4,
  "message": {
    "text": "third-party action not pinned by hash\nClick Remediation section below to solve this issue"
  },
  "locations": [
    {
      "physicalLocation": {
        "region": {
          "startLine": 30,
          "endLine": 30,
          "snippet": {
            "text": "ossf/scorecard-action@golang-staging"
          }
        },
        "artifactLocation": {
          "uri": ".github/workflows/Scorecards-with-default-GH-Token-golang-staging.yml",
          "uriBaseId": "%SRCROOT%"
        }
      },
      "message": {
        "text": "third-party action not pinned by hash"
      }
    }
  ]
}
```

You see that the text message only contains the text and the file-based results appear within the locations instead.

@naveensrinivasan can you confirm I'm understanding this correctly? It's possible I missed something
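To make the two layouts concrete, here is an added example in Go (written for this page; it is not scorecard's code and does not use scorecard's types). It assumes a hypothetical `Finding` record for what a check reports, builds the result in the v4.1.0 layout shown above (detail text in `message`, file/line/snippet only under `locations`), builds the concatenated golang-staging layout the issue complains about, and runs a small consistency check a SARIF consumer could apply: every result must carry a location, and `message.text` must not embed the artifact path that belongs in `physicalLocation`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal subset of the SARIF 2.1.0 "result" object, matching the fields in
// the excerpt above (added example, not scorecard's own structs).
type Message struct {
	Text string `json:"text"`
}

type Region struct {
	StartLine int      `json:"startLine"`
	EndLine   int      `json:"endLine"`
	Snippet   *Message `json:"snippet,omitempty"`
}

type ArtifactLocation struct {
	URI       string `json:"uri"`
	URIBaseID string `json:"uriBaseId"`
}

type PhysicalLocation struct {
	Region           Region           `json:"region"`
	ArtifactLocation ArtifactLocation `json:"artifactLocation"`
}

type Location struct {
	PhysicalLocation PhysicalLocation `json:"physicalLocation"`
	Message          Message          `json:"message"`
}

type Result struct {
	RuleID    string     `json:"ruleId"`
	RuleIndex int        `json:"ruleIndex"`
	Message   Message    `json:"message"`
	Locations []Location `json:"locations"`
}

// Finding is a hypothetical intermediate record (assumed for this example):
// what a check reports before it is turned into SARIF.
type Finding struct {
	Detail  string // e.g. "third-party action not pinned by hash"
	Path    string // repo-relative file
	Line    int
	Snippet string
}

// NewResult builds the v4.1.0 layout: finding text (plus an optional
// remediation hint) in result.message, file/line/snippet only in locations.
func NewResult(ruleID string, ruleIndex int, f Finding, remediation string) Result {
	text := f.Detail
	if remediation != "" {
		text += "\n" + remediation
	}
	return Result{
		RuleID:    ruleID,
		RuleIndex: ruleIndex,
		Message:   Message{Text: text},
		Locations: []Location{{
			PhysicalLocation: PhysicalLocation{
				Region:           Region{StartLine: f.Line, EndLine: f.Line, Snippet: &Message{Text: f.Snippet}},
				ArtifactLocation: ArtifactLocation{URI: f.Path, URIBaseID: "%SRCROOT%"},
			},
			Message: Message{Text: f.Detail},
		}},
	}
}

// ConcatenatedResult reproduces the golang-staging layout from the issue:
// score summary and location folded into message.text, no structured location.
func ConcatenatedResult(ruleID string, ruleIndex, score int, summary string, f Finding) Result {
	text := fmt.Sprintf("score is %d: %s -- score normalized to %d:\nWarn: %s: %s:%d",
		score, summary, score, f.Detail, f.Path, f.Line)
	return Result{RuleID: ruleID, RuleIndex: ruleIndex, Message: Message{Text: text}}
}

// CheckResult is the consistency check a SARIF consumer could run: a result
// needs at least one location, and message.text must not embed the artifact
// path that belongs in physicalLocation.
func CheckResult(r Result) []string {
	var problems []string
	if len(r.Locations) == 0 {
		problems = append(problems, r.RuleID+": no locations")
	}
	for _, loc := range r.Locations {
		uri := loc.PhysicalLocation.ArtifactLocation.URI
		if uri != "" && strings.Contains(r.Message.Text, uri) {
			problems = append(problems, r.RuleID+": message text embeds location "+uri)
		}
	}
	return problems
}

func main() {
	// Constructed sample finding, shaped like the excerpt above.
	f := Finding{
		Detail:  "third-party action not pinned by hash",
		Path:    ".github/workflows/Scorecards-with-default-GH-Token-golang-staging.yml",
		Line:    30,
		Snippet: "ossf/scorecard-action@golang-staging",
	}
	good := NewResult("PinnedDependenciesID", 4, f, "Click Remediation section below to solve this issue")
	bad := ConcatenatedResult("PinnedDependenciesID", 4, 8, "dependency not pinned by hash detected", f)
	out, _ := json.MarshalIndent(good, "", "  ")
	fmt.Println(string(out))
	fmt.Println("good:", CheckResult(good))
	fmt.Println("bad:", CheckResult(bad))
}
```

Running it prints the v4.1.0-style JSON for the good result and reports `no locations` for the concatenated one; a result that has both a location and the path repeated in `message.text` is flagged by the second check.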

@azeemshaikh38
Contributor

Fixed in #431

Scorecard automation moved this from Backlog to Done Jun 16, 2022