From 0ae3adeaf1cf722fc75ae2c53e88500acd0c1825 Mon Sep 17 00:00:00 2001 
From: Rohan Khandelwal <98796241+rohankh532@users.noreply.github.com> Date: Fri, 22 Apr 2022 12:42:26 -0700 Subject: [PATCH] Removed Sarif Results From Processing & Rekor Upload (#197) * test action * sign test data * func to sign and upload workflow result * added signScorecardResult func and test * added signScorecardResult func and test * moved signing code into main.go * added call to signScorecardResult at the end of main * added err checking * comments and added global vars * style changes * updated test to use randomized payload * check publish_results * error logging for signScorecardResult call * error logging * entrypoint * updated dockerfile * dockerfile * dockerfile * EnvInputsResults vars added to Options * resultsfile env var * set PAT * create results file with sudo * sudo create resultsfile * try os.Openfile * fixed fileapth * changed Distroless to debian * get output format from env var * fixed defaultpolicyfile path * policy filepath * copy policy.yml in dockerfile * policyfile * moved signing code to separate file * dockerfile * generate results.json file in preRun * revert dockerfile to main * json file creation check * run scorecard again to produce json output * testing * entrypointJson * print cmd * alter env vars in main for json * opts * dockerfile uses entrypoint.go * renamed make build * produce both sarif and json * sign json result * sig verification api call * go mod tidy * readfile fix * sign sarif instead of json * http response code checking * moved api call func into signing.go * dont hardcode repo paths * finalized signing + verif * renamed sign test * Bump debian from d5cd7e5 to 40f90ea * removed unnecessary slash * comments * policy.yml -> /policy.yml * refractored signing * more refractoring + sig processing test * fixed func call * fixed sign test * style + error fmt * reverted dockerfile * style fixes * lint fixes * linting errs * test workflow permissions * debug print * commented out signing test * linting errors 
Co-authored-by: Azeem Shaikh
---
 Dockerfile | 2 +-
 go.mod | 1 +
 go.sum | 1 -
 main.go | 17 ++---------------
 signing/signing.go | 10 ++++------
 signing/signing_test.go | 9 ++++-----
 6 files changed, 12 insertions(+), 28 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index b590eb00..ab73fc44 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -40,4 +40,4 @@ COPY policies/template.yml /policy.yml
 # Note: the file is executable in the repo
 # and permission carry over to the image.
 COPY entrypoint.sh /entrypoint.sh
-ENTRYPOINT ["/entrypoint.sh"]
\ No newline at end of file
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/go.mod b/go.mod
index 3f72eef2..0ea3e6a7 100644
--- a/go.mod
+++ b/go.mod
@@ -273,6 +273,7 @@ require (
 gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+ gotest.tools/v3 v3.1.0 // indirect
 k8s.io/api v0.23.5 // indirect
 k8s.io/apimachinery v0.23.5 // indirect
 k8s.io/client-go v0.23.5 // indirect
diff --git a/go.sum b/go.sum
index b6e92b93..a65116ac 100644
--- a/go.sum
+++ b/go.sum
@@ -3607,7 +3607,6 @@ gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
-gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
 gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
 gotest.tools/v3 v3.1.0 h1:rVV8Tcg/8jHUkPUorwjaMTtemIMVXfIPKiOqnhEhakk=
 gotest.tools/v3 v3.1.0/go.mod h1:fHy7eyTmJFO5bQbUsEGQ1v4m2J3Jz9eWL54TP2/ZuYQ=
diff --git a/main.go b/main.go
index a9f3cefe..d917a6d7 100644
--- a/main.go
+++ b/main.go
@@ -15,7 +15,6 @@ package main
 import (
- "io/ioutil"
 "log"
 "os"
@@ -35,18 +34,6 @@ func main() { } if os.Getenv(options.EnvInputPublishResults) == "true" { //nolint - sarifOutputFile := os.Getenv(options.EnvInputResultsFile) - // Get sarif results from file. - sarifPayload, err := ioutil.ReadFile(sarifOutputFile) - if err != nil { - log.Fatalf("error reading from sarif output file: %v", err) - } - - // Sign sarif results. - if err = signing.SignScorecardResult(sarifOutputFile); err != nil { - log.Fatalf("error signing scorecard sarif results: %v", err) - } - // Get json results by re-running scorecard. jsonPayload, err := signing.GetJSONScorecardResults() if err != nil { @@ -58,10 +45,10 @@ func main() { log.Fatalf("error signing scorecard json results: %v", err) } - // Processes sarif & json results. + // Processes json results. repoName := os.Getenv(options.EnvGithubRepository) repoRef := os.Getenv(options.EnvGithubRef) - if err := signing.ProcessSignature(sarifPayload, jsonPayload, repoName, repoRef); err != nil { + if err := signing.ProcessSignature(jsonPayload, repoName, repoRef); err != nil { log.Fatalf("error processing signature: %v", err) } } diff --git a/signing/signing.go b/signing/signing.go index e462a31c..a80291fd 100644 --- a/signing/signing.go +++ b/signing/signing.go 
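Review bot: The payload that gets signed and uploaded now comes from a second scorecard run (`signing.GetJSONScorecardResults()`), so it is no longer derived from the results file the action already wrote, and the signed JSON and the SARIF output the user sees may differ since they are produced by independent runs; the hunk should state this where the comment sits, e.g. `// Re-run scorecard for JSON output; this payload is independent of the SARIF results file and is the only output that is signed and published.` The bare `//nolint` on the `if` line silences every linter, so it should name the specific check being suppressed. The enclosing `main` body continues past the hunk.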
@@ -70,19 +70,17 @@ func GetJSONScorecardResults() ([]byte, error) {
 }
 // ProcessSignature calls scorecard-api to process & upload signed scorecard results.
-func ProcessSignature(sarifPayload, jsonPayload []byte, repoName, repoRef string) error {
+func ProcessSignature(jsonPayload []byte, repoName, repoRef string) error {
 // Prepare HTTP request body for scorecard-webapp-api call.
 resultsPayload := struct {
- SarifOutput string
- JSONOutput string
+ JSONOutput string
 }{
- SarifOutput: string(sarifPayload),
- JSONOutput: string(jsonPayload),
+ JSONOutput: string(jsonPayload),
 }
 payloadBytes, err := json.Marshal(resultsPayload)
 if err != nil {
- return fmt.Errorf("reading scorecard json results from file: %w", err)
+ return fmt.Errorf("marshalling json results: %w", err)
 }
 // Call scorecard-webapp-api to process and upload signature.
diff --git a/signing/signing_test.go b/signing/signing_test.go
index 962da7aa..359d1b3b 100644
--- a/signing/signing_test.go
+++ b/signing/signing_test.go
@@ -60,16 +60,15 @@ import (
 func Test_ProcessSignature(t *testing.T) {
 t.Parallel()
- sarifPayload, serr := ioutil.ReadFile("testdata/results.sarif")
- jsonPayload, jerr := ioutil.ReadFile("testdata/results.json")
+ jsonPayload, err := ioutil.ReadFile("testdata/results.json")
 repoName := "rohankh532/scorecard-OIDC-test"
 repoRef := "refs/heads/main"
- if serr != nil || jerr != nil {
- t.Errorf("Error reading testdata:, %v, %v", serr, jerr)
+ if err != nil {
+ t.Errorf("Error reading testdata:, %v", err)
 }
- if err := ProcessSignature(sarifPayload, jsonPayload, repoName, repoRef); err != nil {
+ if err := ProcessSignature(jsonPayload, repoName, repoRef); err != nil {
 t.Errorf("ProcessSignature() error:, %v", err)
 return
 }
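Review bot: The anonymous `resultsPayload` struct is the request body sent to scorecard-webapp-api, but nothing in the hunk says that its untagged field name is part of the wire contract; dropping `SarifOutput` changes the body the server receives, so a server that still expects that field would presumably reject or misparse the request and the change has to ship in lockstep with the API. A comment above the struct would make this explicit: `// Request body for scorecard-webapp-api; field names are part of its API contract and must match the server.` The doc comment on `ProcessSignature` could also say what `jsonPayload` is (the raw JSON scorecard output) now that it is the only payload. `repoName` and `repoRef` are used in the part of the function that lies outside the hunk.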
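Review bot: `t.Errorf` on the `ioutil.ReadFile` failure does not stop the test, so `ProcessSignature` is then called with a nil `jsonPayload` and the real cause is hidden behind a second, unrelated error; use `t.Fatalf("Error reading testdata: %v", err)`, which also drops the stray comma in the message. Since `ProcessSignature` calls scorecard-webapp-api according to its own comment in the previous hunk, this test appears to depend on a live service and a fixed repository, which makes it unreliable offline and under `t.Parallel()`; consider gating it behind a build tag or an environment check so the unit suite stays hermetic. The test function continues past the hunk.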