Support renamed gradle verification action

From gradle/wrapper-validation-action's readme: "As of v3 this action has been superceded by gradle/actions/wrapper-validation" Also support actions pinned to a hash. Signed-off-by: Spencer Schrock <sschrock@google.com>
ossf · May 9, 2024 · 630ddf7 · 630ddf7
1 parent f842292
commit 630ddf7
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 33 deletions.
diff --git a/checks/raw/binary_artifact.go b/checks/raw/binary_artifact.go
@@ -19,11 +19,9 @@ import (
 	"fmt"
 	"io"
 	"path/filepath"
-	"regexp"
 	"strings"
 	"unicode/utf8"
 
-	semver "github.com/Masterminds/semver/v3"
 	"github.com/h2non/filetype"
 	"github.com/h2non/filetype/types"
 	"github.com/rhysd/actionlint"
@@ -35,23 +33,9 @@ import (
 	"github.com/ossf/scorecard/v5/finding"
 )
 
-var (
-	gradleWrapperValidationActionRegex             = regexp.MustCompile(`^gradle\/wrapper-validation-action@v?(.+)$`)
-	gradleWrapperValidationActionVersionConstraint = mustParseConstraint(`>= 1.0.0`)
-)
-
 // how many bytes are considered when determining if a file is text or binary.
 const binaryTestLen = 1024
 
-// mustParseConstraint attempts parse of semver constraint, panics if fail.
-func mustParseConstraint(c string) *semver.Constraints {
-	if c, err := semver.NewConstraint(c); err != nil {
-		panic(fmt.Errorf("failed to parse constraint: %w", err))
-	} else {
-		return c
-	}
-}
-
 // BinaryArtifacts retrieves the raw data for the Binary-Artifacts check.
 func BinaryArtifacts(req *checker.CheckRequest) (checker.BinaryArtifactData, error) {
 	c := req.RepoClient
@@ -266,18 +250,8 @@ func checkWorkflowValidatesGradleWrapper(path string, content []byte, args ...in
 			if ea.Uses == nil {
 				continue
 			}
-			sms := gradleWrapperValidationActionRegex.FindStringSubmatch(ea.Uses.Value)
-			if len(sms) > 1 {
-				v, err := semver.NewVersion(sms[1])
-				if err != nil {
-					// Couldn't parse version, hopefully another step has
-					// a correct one.
-					continue
-				}
-				if !gradleWrapperValidationActionVersionConstraint.Check(v) {
-					// Version out of acceptable range.
-					continue
-				}
+			if strings.HasPrefix(ea.Uses.Value, "gradle/wrapper-validation-action@") ||
+				strings.HasPrefix(ea.Uses.Value, "gradle/actions/wrapper-validation@") {
 				// OK! This is it.
 				*validatingWorkflowFile = filepath.Base(path)
 				return false, nil

diff --git a/checks/raw/binary_artifact_test.go b/checks/raw/binary_artifact_test.go
@@ -164,13 +164,26 @@ func TestBinaryArtifacts(t *testing.T) {
 			expect:              1,
 		},
 		{
-			name: "gradle-wrapper.jar with outdated verification action",
+			name: "gradle-wrapper.jar with new verification action",
 			err:  nil,
 			files: [][]string{
 				{"../testdata/binaryartifacts/jars/gradle-wrapper.jar"},
 				{
 					"../testdata/binaryartifacts/workflows/nonverify.yaml",
-					"../testdata/binaryartifacts/workflows/verify-outdated-action.yaml",
+					"../testdata/binaryartifacts/workflows/verify-new-gradle-name.yaml",
+				},
+			},
+			successfulWorkflowRuns: []clients.WorkflowRun{
+				{
+					HeadSHA: strptr("sha-a"),
+				},
+			},
+			commits: []clients.Commit{
+				{
+					SHA: "sha-a",
+				},
+				{
+					SHA: "sha-old",
 				},
 			},
 			getFileContentCount: 3,

diff --git a/...cts/workflows/verify-outdated-action.yaml → ...cts/workflows/verify-new-gradle-name.yaml b/...cts/workflows/verify-outdated-action.yaml → ...cts/workflows/verify-new-gradle-name.yaml
@@ -6,7 +6,6 @@ jobs:
     name: "GW Validate Job"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: GW Validate Step
-        # this is a made-up outdated version of the action:
-        uses: gradle/wrapper-validation-action@v0.1.0
+        uses: gradle/actions/wrapper-validation@v3