ossf · jeffmendoza · Jul 26, 2021 · Jul 19, 2021 · Jul 19, 2021 · Jul 20, 2021
@@ -3,13 +3,18 @@ module github.com/ossf/allstar
 go 1.16
 
 require (
+	cloud.google.com/go v0.87.0 // indirect
 	github.com/bradleyfalzon/ghinstallation v1.1.1
-	github.com/google/go-github/v35 v35.2.0
-	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/go-cmp v0.5.6 // indirect
+	github.com/google/go-github/v29 v29.0.3 // indirect
+	github.com/google/go-github/v32 v32.1.0
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79
-	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
-	github.com/rs/zerolog v1.22.0 // indirect
-	gocloud.dev v0.23.0 // indirect
-	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
-	gopkg.in/yaml.v2 v2.2.8
+	github.com/ossf/scorecard v1.2.1-0.20210722153731-89c8e2af3131
+	github.com/rs/zerolog v1.22.0
+	gocloud.dev v0.23.0
+	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 // indirect
+	golang.org/x/net v0.0.0-20210716203947-853a461950ff // indirect
+	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect
+	google.golang.org/genproto v0.0.0-20210719143636-1d5a45f8e492 // indirect
+	gopkg.in/yaml.v2 v2.4.0
 )
@@ -22,7 +22,7 @@ import (
 
 	"github.com/ossf/allstar/pkg/config/operator"
 
-	"github.com/google/go-github/v35/github"
+	"github.com/google/go-github/v32/github"
 	"github.com/rs/zerolog/log"
 	"gopkg.in/yaml.v2"
 )

@@ -17,10 +17,10 @@ package config
 import (
 	"context"
 	"encoding/base64"
-	"reflect"
 	"testing"
 
-	"github.com/google/go-github/v35/github"
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-github/v32/github"
 )
 
 var getContents func(context.Context, string, string, string,
@@ -125,8 +125,8 @@ optConfig:
 			if err != nil {
 				t.Fatalf("Unexpected error: %v", err)
 			}
-			if !reflect.DeepEqual(test.Got, test.Expect) {
-				t.Errorf("Unexpected results. Got: %v, Expect: %v", test.Got, test.Expect)
+			if diff := cmp.Diff(test.Expect, test.Got); diff != "" {
+				t.Errorf("Unexpected results. (-want +got):\n%s", diff)
 			}
 		})
 	}

@@ -26,7 +26,7 @@ import (
 	"github.com/ossf/allstar/pkg/policies"
 	"github.com/ossf/allstar/pkg/policydef"
 
-	"github.com/google/go-github/v35/github"
+	"github.com/google/go-github/v32/github"
 	"github.com/rs/zerolog/log"
 )
 
@@ -80,7 +80,7 @@ func EnforceAll(ctx context.Context, ghc *ghclients.GHClients) error {
 			if err != nil {
 				return err
 			}
-			repos = append(repos, rs.Repositories...)
+			repos = append(repos, rs...)
 			if resp.NextPage == 0 {
 				break
 			}

@@ -18,7 +18,7 @@ import (
 	"context"
 	"testing"
 
-	"github.com/google/go-github/v35/github"
+	"github.com/google/go-github/v32/github"
 	"github.com/ossf/allstar/pkg/policydef"
 )
 

@@ -21,7 +21,7 @@ import (
 	"net/http"
 
 	"github.com/bradleyfalzon/ghinstallation"
-	"github.com/google/go-github/v35/github"
+	"github.com/google/go-github/v32/github"
 	"github.com/gregjones/httpcache"
 	"github.com/ossf/allstar/pkg/config/operator"
 	"gocloud.dev/runtimevar"

@@ -20,7 +20,7 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/google/go-github/v35/github"
+	"github.com/google/go-github/v32/github"
 	"github.com/ossf/allstar/pkg/config/operator"
 )
 

@@ -21,7 +21,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/google/go-github/v35/github"
+	"github.com/google/go-github/v32/github"
 	"github.com/ossf/allstar/pkg/config/operator"
 )
 

@@ -0,0 +1,212 @@
+// Copyright 2021 Allstar Authors
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package binary implements the Binary Artifacts security policy check from
+// scorecard.
+package binary
+
+import (
+	"context"
+	"fmt"
+	"path"
+
+	"github.com/ossf/allstar/pkg/config"
+	"github.com/ossf/allstar/pkg/config/operator"
+	"github.com/ossf/allstar/pkg/policydef"
+
+	"github.com/google/go-github/v32/github"
+	"github.com/ossf/scorecard/checker"
+	"github.com/ossf/scorecard/checks"
+	"github.com/ossf/scorecard/clients/githubrepo"
+	"github.com/rs/zerolog/log"
+)
+
+const configFile = "binary_artifacts.yaml"
+const polName = "Binary Artifacts"
+
+// OrgConfig is the org-level config definition for this policy.
+type OrgConfig struct {
+	// OptConfig is the standard org-level opt in/out config, RepoOverride applies to all
+	// config.
+	OptConfig config.OrgOptConfig `yaml:"optConfig"`
+
+	// Action defines which action to take, default log, other: issue...
+	Action string `yaml:"action"`
+}
+
+// RepoConfig is the repo-level config for this policy.
+type RepoConfig struct {
+	// OptConfig is the standard repo-level opt in/out config.
+	OptConfig config.RepoOptConfig `yaml:"optConfig"`
+
+	// Action overrides the same setting in org-level, only if present.
+	Action *string `yaml:"action"`
+}
+
+type mergedConfig struct {
+	Action string
+}
+
+type details struct {
+	Messages []checker.CheckDetail
+}
+
+var configFetchConfig func(context.Context, *github.Client, string, string, string, interface{}) error
+
+func init() {
+	configFetchConfig = config.FetchConfig
+}
+
+// Binary is the Binary Artifacts policy object, implements policydef.Policy.
+type Binary bool
+
+// NewBinary returns a new Binary Artifacts policy.
+func NewBinary() policydef.Policy {
+	var b Binary
+	return b
+}
+
+// Name returns the name of this policy, implementing policydef.Policy.Name()
+func (b Binary) Name() string {
+	return polName
+}
+
+type logger struct {
+	Messages2 []checker.CheckDetail
+}
+
+func (l *logger) Info(desc string, args ...interface{}) {
+	cd := checker.CheckDetail{Type: checker.DetailInfo, Msg: fmt.Sprintf(desc, args...)}
+	l.Messages2 = append(l.Messages2, cd)
+}
+
+func (l *logger) Warn(desc string, args ...interface{}) {
+	cd := checker.CheckDetail{Type: checker.DetailWarn, Msg: fmt.Sprintf(desc, args...)}
+	l.Messages2 = append(l.Messages2, cd)
+}
+
+func (l *logger) Debug(desc string, args ...interface{}) {
+	cd := checker.CheckDetail{Type: checker.DetailDebug, Msg: fmt.Sprintf(desc, args...)}
+	l.Messages2 = append(l.Messages2, cd)
+}
+
+// Check performs the polcy check for this policy based on the
+// configuration stored in the org/repo, implementing policydef.Policy.Check()
+func (b Binary) Check(ctx context.Context, c *github.Client, owner,
+	repo string) (*policydef.Result, error) {
+	oc, rc := getConfig(ctx, c, owner, repo)
+	enabled := config.IsEnabled(oc.OptConfig, rc.OptConfig, repo)
+	log.Info().
+		Str("org", owner).
+		Str("repo", repo).
+		Str("area", polName).
+		Bool("enabled", enabled).
+		Msg("Check repo enabled")
+
+	repoClient := githubrepo.CreateGithubRepoClient(ctx, c)
+	if err := repoClient.InitRepo(owner, repo); err != nil {
+		return nil, err
+	}
+	l := logger{}
+	cr := &checker.CheckRequest{
+		Ctx:         ctx,
+		Client:      c,
+		RepoClient:  repoClient,
+		HTTPClient:  nil,
+		Owner:       owner,
+		Repo:        repo,
+		GraphClient: nil,
+		Dlogger:     &l,
+	}
+	// TODO, likely this should be a "scorecard" policy that runs multiple checks
+	// here, and uses config to enable/disable checks.
+	res := checks.BinaryArtifacts(cr)
+	if res.Error2 != nil {
+		return nil, res.Error2
+	}
+
+	var notify string
+	if res.Score < checker.MaxResultScore {
+		notify = fmt.Sprintf("Scorecard Check Binary Artifacts failed: %v\n"+
+			"Please run scorecard directly for details: https://github.com/ossf/scorecard\n",
+			res.Reason)
+	}
+
+	return &policydef.Result{
+		Enabled:    enabled,
+		Pass:       res.Score >= checker.MaxResultScore,
+		NotifyText: notify,
+		Details: details{
+			Messages: l.Messages2,
+		},
+	}, nil
+}
+
+// Fix implementing policydef.Policy.Fix(). Scorecard checks will not have a Fix option.
+func (b Binary) Fix(ctx context.Context, c *github.Client, owner, repo string) error {
+	log.Warn().
+		Str("org", owner).
+		Str("repo", repo).
+		Str("area", polName).
+		Msg("Action fix is configured, but not implemented.")
+	return nil
+}
+
+// GetAction returns the configured action from this policy's configuration
+// stored in the org-level repo, default log. Implementing
+// policydef.Policy.GetAction()
+func (b Binary) GetAction(ctx context.Context, c *github.Client, owner, repo string) string {
+	oc, rc := getConfig(ctx, c, owner, repo)
+	mc := mergeConfig(oc, rc, repo)
+	return mc.Action
+}
+
+func getConfig(ctx context.Context, c *github.Client, owner, repo string) (*OrgConfig, *RepoConfig) {
+	oc := &OrgConfig{ // Fill out non-zero defaults
+		Action: "log",
+	}
+	if err := configFetchConfig(ctx, c, owner, operator.OrgConfigRepo, configFile, oc); err != nil {
+		log.Error().
+			Str("org", owner).
+			Str("repo", operator.OrgConfigRepo).
+			Str("area", polName).
+			Str("file", configFile).
+			Err(err).
+			Msg("Unexpected config error, using defaults.")
+	}
+	rc := &RepoConfig{}
+	if err := configFetchConfig(ctx, c, owner, repo, path.Join(operator.RepoConfigDir, configFile), rc); err != nil {
+		log.Error().
+			Str("org", owner).
+			Str("repo", repo).
+			Str("area", polName).
+			Str("file", path.Join(operator.RepoConfigDir, configFile)).
+			Err(err).
+			Msg("Unexpected config error, using defaults.")
+	}
+	return oc, rc
+}
+
+func mergeConfig(oc *OrgConfig, rc *RepoConfig, repo string) *mergedConfig {
+	mc := &mergedConfig{
+		Action: oc.Action,
+	}
+
+	if !oc.OptConfig.DisableRepoOverride {
+		if rc.Action != nil {
+			mc.Action = *rc.Action
+		}
+	}
+	return mc
+}
@@ -25,7 +25,7 @@ import (
 	"github.com/ossf/allstar/pkg/config/operator"
 	"github.com/ossf/allstar/pkg/policydef"
 
-	"github.com/google/go-github/v35/github"
+	"github.com/google/go-github/v32/github"
 	"github.com/rs/zerolog/log"
 )
 

@@ -18,10 +18,10 @@ import (
 	"context"
 	"errors"
 	"net/http"
-	"reflect"
 	"testing"
 
-	"github.com/google/go-github/v35/github"
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-github/v32/github"
 	"github.com/ossf/allstar/pkg/config"
 	"github.com/ossf/allstar/pkg/policydef"
 )
@@ -325,8 +325,8 @@ func TestCheck(t *testing.T) {
 			if err != nil {
 				t.Fatalf("Unexpected error: %v", err)
 			}
-			if !reflect.DeepEqual(res, &test.Exp) {
-				t.Errorf("Unexpected results. Got: %v, Expect: %v", res, &test.Exp)
+			if diff := cmp.Diff(&test.Exp, res); diff != "" {
+				t.Errorf("Unexpected results. (-want +got):\n%s", diff)
 			}
 		})
 	}
@@ -344,8 +344,8 @@ func TestCheck(t *testing.T) {
 			Pass:       true,
 			NotifyText: "No branches to protect",
 		}
-		if !reflect.DeepEqual(res, expect) {
-			t.Errorf("Unexpected results. Got: %v, Expect: %v", res, expect)
+		if diff := cmp.Diff(expect, res); diff != "" {
+			t.Errorf("Unexpected results. (-want +got):\n%s", diff)
 		}
 	})
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -20,7 +20,7 @@ import ( @@
     	"fmt"
     	"time"
-    	"github.com/google/go-github/v35/github"
+    	"github.com/google/go-github/v32/github"
     	"github.com/ossf/allstar/pkg/config/operator"
     )
@@ Expand Down @@