Merge branch 'main' into test/more-policy-tests
kairoaraujo authored Oct 8, 2024
2 parents 71d7cbb + 192d5d8 commit 7949d4a
Showing 14 changed files with 260 additions and 109 deletions.
8 changes: 4 additions & 4 deletions .github/workflows/codeql.yml
Expand Up @@ -60,11 +60,11 @@ jobs:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
Expand All @@ -74,7 +74,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
uses: github/codeql-action/autobuild@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10

# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
Expand All @@ -87,6 +87,6 @@ jobs:
# ./location_of_script_within_repo/buildscript.sh

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
uses: github/codeql-action/analyze@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
with:
category: "/language:${{matrix.language}}"
2 changes: 1 addition & 1 deletion .github/workflows/dependency-review.yml
Expand Up @@ -36,6 +36,6 @@ jobs:
egress-policy: audit

- name: 'Checkout Repository'
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: 'Dependency Review'
uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
2 changes: 1 addition & 1 deletion .github/workflows/fossa.yml
Expand Up @@ -20,7 +20,7 @@ jobs:
steps:
- if: ${{ env.FOSSA_API_KEY != '' }}
name: "Checkout Code"
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- if: ${{ env.FOSSA_API_KEY != '' }}
name: "Run FOSSA Scan"
uses: fossas/fossa-action@09bcf127dc0ccb4b5a023f6f906728878e8610ba # v1.4.0
2 changes: 1 addition & 1 deletion .github/workflows/golangci-lint.yml
Expand Up @@ -34,7 +34,7 @@ jobs:
with:
egress-policy: audit

- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version-file: "go.mod"
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Expand Up @@ -64,6 +64,6 @@ jobs:
contents: write # This is required for the action to work correctly
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Release
uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
4 changes: 2 additions & 2 deletions .github/workflows/scorecards.yml
Expand Up @@ -50,7 +50,7 @@ jobs:
egress-policy: audit

- name: "Checkout code"
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
persist-credentials: false

Expand Down Expand Up @@ -85,6 +85,6 @@ jobs:

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
with:
sarif_file: results.sarif
2 changes: 1 addition & 1 deletion .github/workflows/verify-licence.yml
Expand Up @@ -31,7 +31,7 @@ jobs:
with:
egress-policy: audit

- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: '1.22.x'
2 changes: 1 addition & 1 deletion .github/workflows/verify-schemagen.yaml
Expand Up @@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: "1.22.x"
2 changes: 1 addition & 1 deletion .github/workflows/witness.yml
Expand Up @@ -55,7 +55,7 @@ jobs:
with:
egress-policy: audit

- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: 1.22.x
43 changes: 39 additions & 4 deletions attestation/git/git.go
Expand Up @@ -79,6 +79,9 @@ type Tag struct {
}

type Attestor struct {
GitTool string `json:"gittool"`
GitBinPath string `json:"gitbinpath,omitempty"`
GitBinHash cryptoutil.DigestSet `json:"gitbinhash,omitempty"`
CommitHash string `json:"commithash"`
Author string `json:"author"`
AuthorEmail string `json:"authoremail"`
Expand Down Expand Up @@ -221,14 +224,46 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {

a.TreeHash = commit.TreeHash.String()

if GitExists() {
a.GitTool = "go-git+git-bin"

a.GitBinPath, err = GitGetBinPath()
if err != nil {
return err
}

a.GitBinHash, err = GitGetBinHash(ctx)
if err != nil {
return err
}

a.Status, err = GitGetStatus(ctx.WorkingDir())
if err != nil {
return err
}
} else {
a.GitTool = "go-git"

a.Status, err = GoGitGetStatus(repo)
if err != nil {
return err
}
}

return nil
}

func GoGitGetStatus(repo *git.Repository) (map[string]Status, error) {
var gitStatuses map[string]Status = make(map[string]Status)

worktree, err := repo.Worktree()
if err != nil {
return err
return map[string]Status{}, err
}

status, err := worktree.Status()
if err != nil {
return err
return map[string]Status{}, err
}

for file, status := range status {
Expand All @@ -241,10 +276,10 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
Staging: statusCodeString(status.Staging),
}

a.Status[file] = attestStatus
gitStatuses[file] = attestStatus
}

return nil
return gitStatuses, nil
}

func (a *Attestor) Data() *Attestor {
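Review bot: The recorded GitBinPath and GitBinHash are not tied to the binary that actually produces a.Status: GitGetBinPath, GitGetBinHash and the exec.Command inside GitGetStatus each resolve `git` through PATH independently, so a PATH change between those calls, or a wrapper placed ahead of the real binary, leaves the attestation hashing one file while executing another. Hash the path you just recorded, `a.GitBinHash, err = cryptoutil.CalculateDigestSetFromFile(a.GitBinPath, ctx.Hashes())`, and have the status call run that same absolute path instead of the bare name, so a verifier checking GitBinHash is checking the binary that produced the status. Note also that once a git binary is on PATH, any failure of `git status` now fails the whole attestor rather than falling back to go-git, which succeeded before this change; whether that is acceptable (for instance in containers where git refuses a directory with differing ownership — inferred, not visible here) should be stated in a comment on the `if GitExists()` branch, e.g. `// git-bin is preferred when present; its errors are fatal rather than falling back so the attested tool is unambiguous`. Attest begins before this hunk.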
104 changes: 104 additions & 0 deletions attestation/git/git_bin.go
@@ -0,0 +1,104 @@
// Copyright 2024 The Witness Contributors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package git

import (
"os/exec"
"strings"

"github.com/go-git/go-git/v5"
"github.com/in-toto/go-witness/attestation"
"github.com/in-toto/go-witness/cryptoutil"
)

// GitExists checks if the git binary is available.
// This can be used to fall back to go-git implementation.
func GitExists() bool {

_, err := exec.LookPath("git")
if err != nil {
return false
} else {
return true
}
}

// GitGetBinPath retrieves the path to the git binary that is used by the attestor.
func GitGetBinPath() (string, error) {
path, err := exec.LookPath("git")
if err != nil {
return "", err
} else {
return path, nil
}
}

// GitGetBinHash retrieves a sha256 hash of the git binary that is located on the system.
// The path is determined based on exec.LookPath().
func GitGetBinHash(ctx *attestation.AttestationContext) (cryptoutil.DigestSet, error) {
path, err := exec.LookPath("git")
if err != nil {
return cryptoutil.DigestSet{}, err
}

gitBinDigest, err := cryptoutil.CalculateDigestSetFromFile(path, ctx.Hashes())
if err != nil {
return cryptoutil.DigestSet{}, err
}

if err != nil {
return cryptoutil.DigestSet{}, err
}

return gitBinDigest, nil
}

// GitGetStatus retrieves the status of staging and worktree
// from the git status --porcelain output
func GitGetStatus(workDir string) (map[string]Status, error) {

// Execute the git status --porcelain command
cmd := exec.Command("git", "-C", workDir, "status", "--porcelain")
outputBytes, err := cmd.Output()
if err != nil {
return map[string]Status{}, err
}

// Convert the output to a string and split into lines
output := string(outputBytes)
lines := strings.Split(output, "\n")

// Iterate over the lines and parse the status
var gitStatuses map[string]Status = make(map[string]Status)
for _, line := range lines {
// Skip empty lines
if len(line) == 0 {
continue
}

// The first two characters are the status codes
repoStatus := statusCodeString(git.StatusCode(line[0]))
worktreeStatus := statusCodeString(git.StatusCode(line[1]))
filePath := strings.TrimSpace(line[2:])

// Append the parsed status to the list
gitStatuses[filePath] = Status{
Staging: repoStatus,
Worktree: worktreeStatus,
}
}

return gitStatuses, nil
}
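Review bot: GitGetStatus parses plain `--porcelain` output, where git quotes pathnames containing special characters and prints renames as `old -> new`, so the map key is not the plain file path the go-git branch records, and `strings.TrimSpace` strips trailing spaces from real filenames; a status line shorter than two bytes would also panic on `line[1]` before reaching the length check that is missing there. Passing `--porcelain=v1 -z` makes entries NUL-terminated with no quoting, with the original path of a rename/copy following as its own NUL-terminated entry, which the loop below skips. The duplicated `if err != nil` in GitGetBinHash is dead and can be dropped, and GitExists reads better as `return err == nil`. Whether go-git keys renames by the new path is inferred rather than visible here, so the rename handling should be confirmed against GoGitGetStatus.
```go
func GitGetStatus(workDir string) (map[string]Status, error) {
	// -z: NUL-terminated entries, no pathname quoting; for R/C entries the
	// original path follows the new path as a separate NUL-terminated entry.
	cmd := exec.Command("git", "-C", workDir, "status", "--porcelain=v1", "-z")
	// … unchanged: cmd.Output() and error return …
	gitStatuses := make(map[string]Status)
	entries := strings.Split(string(outputBytes), "\x00")
	for i := 0; i < len(entries); i++ {
		entry := entries[i]
		if len(entry) < 3 {
			continue // trailing empty entry (or malformed line)
		}
		stagingStatus := statusCodeString(git.StatusCode(entry[0]))
		worktreeStatus := statusCodeString(git.StatusCode(entry[1]))
		filePath := entry[3:]
		if entry[0] == 'R' || entry[0] == 'C' {
			i++ // skip the original path entry that follows a rename/copy
		}
		gitStatuses[filePath] = Status{
			Staging:  stagingStatus,
			Worktree: worktreeStatus,
		}
	}
	return gitStatuses, nil
}
```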
