update (#2011)

laurentsimon · web-flow · commit 3957460c2b20 · 2022-06-29T10:10:15.000-07:00
diff --git a/checks/permissions.go b/checks/permissions.go
@@ -23,6 +23,7 @@ import (
 	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks/fileparser"
 	sce "github.com/ossf/scorecard/v4/errors"
+	"github.com/ossf/scorecard/v4/remediation"
 )
 
 // CheckTokenPermissions is the exported name for Token-Permissions check.
@@ -83,7 +84,7 @@ func TokenPermissions(c *checker.CheckRequest) checker.CheckResult {
 		workflows: make(map[string]permissions),
 	}
 
-	if err := remdiationSetup(c); err != nil {
+	if err := remediation.Setup(c); err != nil {
 		createResultForLeastPrivilegeTokens(data, err)
 	}
 
@@ -167,7 +168,7 @@ func validatePermission(permissionKey permission, permissionValue *actionlint.Pe
 				Offset:      lineNumber,
 				Text:        fmt.Sprintf("%s '%v' permission set to '%v'", permLevel, permissionKey, val),
 				Snippet:     val,
-				Remediation: createWorkflowPermissionRemediation(path),
+				Remediation: remediation.CreateWorkflowPermissionRemediation(path),
 			})
 			recordPermissionWrite(pPermissions, permissionKey)
 		} else {
@@ -179,7 +180,7 @@ func validatePermission(permissionKey permission, permissionValue *actionlint.Pe
 				Offset:      lineNumber,
 				Text:        fmt.Sprintf("%s '%v' permission set to '%v'", permLevel, permissionKey, val),
 				Snippet:     val,
-				Remediation: createWorkflowPermissionRemediation(path),
+				Remediation: remediation.CreateWorkflowPermissionRemediation(path),
 			})
 		}
 		return nil
@@ -255,7 +256,7 @@ func validatePermissions(permissions *actionlint.Permissions, permLevel, path st
 				Offset:      lineNumber,
 				Text:        fmt.Sprintf("%s permissions set to '%v'", permLevel, val),
 				Snippet:     val,
-				Remediation: createWorkflowPermissionRemediation(path),
+				Remediation: remediation.CreateWorkflowPermissionRemediation(path),
 			})
 			recordAllPermissionsWrite(pdata, permLevel, path)
 			return nil
@@ -267,7 +268,7 @@ func validatePermissions(permissions *actionlint.Permissions, permLevel, path st
 			Offset:      lineNumber,
 			Text:        fmt.Sprintf("%s permissions set to '%v'", permLevel, val),
 			Snippet:     val,
-			Remediation: createWorkflowPermissionRemediation(path),
+			Remediation: remediation.CreateWorkflowPermissionRemediation(path),
 		})
 	} else /* scopeIsSet == true */ if err := validateMapPermissions(permissions.Scopes,
 		permLevel, path, dl, getWritePermissionsMap(pdata, path, permLevel), ignoredPermissions); err != nil {
@@ -286,7 +287,7 @@ func validateTopLevelPermissions(workflow *actionlint.Workflow, path string,
 			Type:        checker.FileTypeSource,
 			Offset:      checker.OffsetDefault,
 			Text:        fmt.Sprintf("no %s permission defined", topLevelPermission),
-			Remediation: createWorkflowPermissionRemediation(path),
+			Remediation: remediation.CreateWorkflowPermissionRemediation(path),
 		})
 		recordAllPermissionsWrite(pdata, topLevelPermission, path)
 		return nil
@@ -310,7 +311,7 @@ func validatejobLevelPermissions(workflow *actionlint.Workflow, path string,
 				Type:        checker.FileTypeSource,
 				Offset:      fileparser.GetLineNumber(job.Pos),
 				Text:        fmt.Sprintf("no %s permission defined", jobLevelPermission),
-				Remediation: createWorkflowPermissionRemediation(path),
+				Remediation: remediation.CreateWorkflowPermissionRemediation(path),
 			})
 			recordAllPermissionsWrite(pdata, jobLevelPermission, path)
 			continue
@@ -615,7 +616,7 @@ func isReleasingWorkflow(workflow *actionlint.Workflow, fp string, dl checker.De
 }
 
 // TODO: remove when migrated to raw results.
-// Should be using the definition in raw/packaging.go
+// Should be using the definition in raw/packaging.go.
 func isPackagingWorkflow(workflow *actionlint.Workflow, fp string, dl checker.DetailLogger) bool {
 	jobMatchers := []fileparser.JobMatcher{
 		{
diff --git a/checks/raw/fuzzing.go b/checks/raw/fuzzing.go
@@ -42,7 +42,7 @@ type filesWithPatternStr struct {
 type languageFuzzConfig struct {
 	URL, Desc                      *string
 	filePattern, funcPattern, Name string
-	//TODO: add more language fuzzing-related fields.
+	// TODO: add more language fuzzing-related fields.
 }
 
 // Contains fuzzing speficications for programming languages.
@@ -190,7 +190,8 @@ func checkFuzzFunc(c *checker.CheckRequest, lang clients.LanguageName) (bool, []
 // used for matching fuzz functions in the file content,
 // and return a list of files (or nil for not found).
 var getFuzzFunc fileparser.DoWhileTrueOnFileContent = func(
-	path string, content []byte, args ...interface{}) (bool, error) {
+	path string, content []byte, args ...interface{},
+) (bool, error) {
 	if len(args) != 1 {
 		return false, fmt.Errorf("getFuzzFunc requires exactly one argument: %w", errInvalidArgLength)
 	}
diff --git a/checks/remediations.go b/checks/remediations.go
diff --git a/e2e/permissions_test.go b/e2e/permissions_test.go
@@ -57,6 +57,30 @@ var _ = Describe("E2E TEST:"+checks.CheckTokenPermissions, func() {
 			Expect(scut.ValidateTestReturn(nil, "token permissions", &expected, &result, &dl)).Should(BeTrue())
 			Expect(repoClient.Close()).Should(BeNil())
 		})
+		It("Should return token permission works on empty repo", func() {
+			dl := scut.TestDetailLogger{}
+			repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-empty-repo")
+			Expect(err).Should(BeNil())
+			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
+			err = repoClient.InitRepo(repo, clients.HeadSHA)
+			Expect(err).Should(BeNil())
+			req := checker.CheckRequest{
+				Ctx:        context.Background(),
+				RepoClient: repoClient,
+				Repo:       repo,
+				Dlogger:    &dl,
+			}
+			expected := scut.TestReturn{
+				Error:         nil,
+				Score:         checker.MaxResultScore,
+				NumberOfWarn:  0,
+				NumberOfInfo:  0,
+				NumberOfDebug: 0,
+			}
+			result := checks.TokenPermissions(&req)
+			Expect(scut.ValidateTestReturn(nil, "token permissions", &expected, &result, &dl)).Should(BeTrue())
+			Expect(repoClient.Close()).Should(BeNil())
+		})
 		It("Should return token permission at commit", func() {
 			dl := scut.TestDetailLogger{}
 			repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-token-permissions-e2e")
diff --git a/remediation/remediations.go b/remediation/remediations.go
@@ -55,7 +55,8 @@ func Setup(c *checker.CheckRequest) error {
 			}
 			return
 		}
-		if b.Name != nil {
+
+		if b != nil && b.Name != nil {
 			branch = *b.Name
 			uri := c.Repo.URI()
 			parts := strings.Split(uri, "/")

Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,8 @@ func Setup(c *checker.CheckRequest) error {`
`55`	`55`	`}`
`56`	`56`	`return`
`57`	`57`	`}`
`58`		`- if b.Name != nil {`
	`58`	`+`
	`59`	`+ if b != nil && b.Name != nil {`
`59`	`60`	`branch = *b.Name`
`60`	`61`	`uri := c.Repo.URI()`
`61`	`62`	`parts := strings.Split(uri, "/")`