Removed Sarif Results From Processing & Rekor Upload (#197)
* test action

* sign test data

* func to sign and upload workflow result

* added signScorecardResult func and test

* added signScorecardResult func and test

* moved signing code into main.go

* added call to signScorecardResult at the end of main

* added err checking

* comments and added global vars

* style changes

* updated test to use randomized payload

* check publish_results

* error logging for signScorecardResult call

* error logging

* entrypoint

* updated dockerfile

* dockerfile

* dockerfile

* EnvInputsResults vars added to Options

* resultsfile env var

* set PAT

* create results file with sudo

* sudo create resultsfile

* try os.Openfile

* fixed fileapth

* changed Distroless to debian

* get output format from env var

* fixed defaultpolicyfile path

* policy filepath

* copy policy.yml in dockerfile

* policyfile

* moved signing code to separate file

* dockerfile

* generate results.json file in preRun

* revert dockerfile to main

* json file creation check

* run scorecard again to produce json output

* testing

* entrypointJson

* print cmd

* alter env vars in main for json

* opts

* dockerfile uses entrypoint.go

* renamed make build

* produce both sarif and json

* sign json result

* sig verification api call

* go mod tidy

* readfile fix

* sign sarif instead of json

* http response code checking

* moved api call func into signing.go

* dont hardcode repo paths

* finalized signing + verif

* renamed sign test

* Bump debian from d5cd7e5 to 40f90ea

* removed unnecessary slash

* comments

* policy.yml -> /policy.yml

* refactored signing

* more refactoring + sig processing test

* fixed func call

* fixed sign test

* style + error fmt

* reverted dockerfile

* style fixes

* lint fixes

* linting errs

* test workflow permissions

* debug print

* commented out signing test

* linting errors

Co-authored-by: Azeem Shaikh <[email protected]>
rohankh532 and azeemshaikh38 committed Apr 22, 2022
1 parent 559d544 commit 0ae3ade
Showing 6 changed files with 12 additions and 28 deletions.
2 changes: 1 addition & 1 deletion Dockerfile
Expand Up @@ -40,4 +40,4 @@ COPY policies/template.yml /policy.yml
# Note: the file is executable in the repo
# and permission carry over to the image.
COPY entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
ENTRYPOINT ["/entrypoint.sh"]
1 change: 1 addition & 0 deletions go.mod
Expand Up @@ -273,6 +273,7 @@ require (
gopkg.in/square/go-jose.v2 v2.6.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
gotest.tools/v3 v3.1.0 // indirect
k8s.io/api v0.23.5 // indirect
k8s.io/apimachinery v0.23.5 // indirect
k8s.io/client-go v0.23.5 // indirect
1 change: 0 additions & 1 deletion go.sum
Expand Up @@ -3607,7 +3607,6 @@ gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C
gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
gotest.tools/v3 v3.1.0 h1:rVV8Tcg/8jHUkPUorwjaMTtemIMVXfIPKiOqnhEhakk=
gotest.tools/v3 v3.1.0/go.mod h1:fHy7eyTmJFO5bQbUsEGQ1v4m2J3Jz9eWL54TP2/ZuYQ=
17 changes: 2 additions & 15 deletions main.go
Expand Up @@ -15,7 +15,6 @@
package main

import (
"io/ioutil"
"log"
"os"

Expand All @@ -35,18 +34,6 @@ func main() {
}

if os.Getenv(options.EnvInputPublishResults) == "true" { //nolint
sarifOutputFile := os.Getenv(options.EnvInputResultsFile)
// Get sarif results from file.
sarifPayload, err := ioutil.ReadFile(sarifOutputFile)
if err != nil {
log.Fatalf("error reading from sarif output file: %v", err)
}

// Sign sarif results.
if err = signing.SignScorecardResult(sarifOutputFile); err != nil {
log.Fatalf("error signing scorecard sarif results: %v", err)
}

// Get json results by re-running scorecard.
jsonPayload, err := signing.GetJSONScorecardResults()
if err != nil {
Expand All @@ -58,10 +45,10 @@ func main() {
log.Fatalf("error signing scorecard json results: %v", err)
}

// Processes sarif & json results.
// Processes json results.
repoName := os.Getenv(options.EnvGithubRepository)
repoRef := os.Getenv(options.EnvGithubRef)
if err := signing.ProcessSignature(sarifPayload, jsonPayload, repoName, repoRef); err != nil {
if err := signing.ProcessSignature(jsonPayload, repoName, repoRef); err != nil {
log.Fatalf("error processing signature: %v", err)
}
}
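Review bot: The bare `//nolint` on `if os.Getenv(options.EnvInputPublishResults) == "true" {` is unscoped, so it silences every linter on that line even though the commit has shrunk the guarded block to a single JSON path; naming the linter, `//nolint:<LINTER> // <reason>` (LINTER is a placeholder for the one that actually fires), keeps the suppression honest or shows it can be dropped. The replacement comment `// Processes json results.` would read better as a why-comment, e.g. `// Only the JSON results are processed; SARIF output is written to the results file but no longer signed or uploaded.`, since the removed SARIF read is the thing a future reader will look for. main's body starts before and continues past this hunk.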
10 changes: 4 additions & 6 deletions signing/signing.go
Expand Up @@ -70,19 +70,17 @@ func GetJSONScorecardResults() ([]byte, error) {
}

// ProcessSignature calls scorecard-api to process & upload signed scorecard results.
func ProcessSignature(sarifPayload, jsonPayload []byte, repoName, repoRef string) error {
func ProcessSignature(jsonPayload []byte, repoName, repoRef string) error {
// Prepare HTTP request body for scorecard-webapp-api call.
resultsPayload := struct {
SarifOutput string
JSONOutput string
JSONOutput string
}{
SarifOutput: string(sarifPayload),
JSONOutput: string(jsonPayload),
JSONOutput: string(jsonPayload),
}

payloadBytes, err := json.Marshal(resultsPayload)
if err != nil {
return fmt.Errorf("reading scorecard json results from file: %w", err)
return fmt.Errorf("marshalling json results: %w", err)
}

// Call scorecard-webapp-api to process and upload signature.
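Review bot: ProcessSignature now takes only `jsonPayload` but still forwards it unchecked: a nil or empty slice from GetJSONScorecardResults becomes `{"JSONOutput":""}` after json.Marshal and is posted to the API as a well-formed result. A guard before the struct literal, `if len(jsonPayload) == 0 { return fmt.Errorf("empty scorecard json results") }`, rejects that case locally in the same error style the function already uses. The doc comment should also state that the payload is wrapped as the `JSONOutput` field, since the anonymous struct carries no json tag and that field name is therefore the wire key the API must match. The function body continues past the end of this hunk.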
9 changes: 4 additions & 5 deletions signing/signing_test.go
Expand Up @@ -60,16 +60,15 @@ import (
func Test_ProcessSignature(t *testing.T) {
t.Parallel()

sarifPayload, serr := ioutil.ReadFile("testdata/results.sarif")
jsonPayload, jerr := ioutil.ReadFile("testdata/results.json")
jsonPayload, err := ioutil.ReadFile("testdata/results.json")
repoName := "rohankh532/scorecard-OIDC-test"
repoRef := "refs/heads/main"

if serr != nil || jerr != nil {
t.Errorf("Error reading testdata:, %v, %v", serr, jerr)
if err != nil {
t.Errorf("Error reading testdata:, %v", err)
}

if err := ProcessSignature(sarifPayload, jsonPayload, repoName, repoRef); err != nil {
if err := ProcessSignature(jsonPayload, repoName, repoRef); err != nil {
t.Errorf("ProcessSignature() error:, %v", err)
return
}
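Review bot: The new `if err != nil { t.Errorf("Error reading testdata:, %v", err) }` does not stop the test, so a missing testdata/results.json still falls through to `ProcessSignature(nil, ...)` and the reported failure is the API's rather than the file's; `t.Fatalf("Error reading testdata: %v", err)` ends the test at the real cause and drops the stray `:,` that also appears in the ProcessSignature error line below. ProcessSignature's doc comment in signing.go says it calls scorecard-api, so this test appears to perform a real network call; if so, a `testing.Short()` skip or an opt-in environment variable would keep it out of default runs, which the description's "commented out signing test" bullet suggests was already a concern. The test function ends outside this hunk.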
