Open chuglo opened 1 year ago
I don't know about 1.1.17, but for 1.1.16 the program is wrong.

Actual Result (if `"allow_force_push": true` in a protected branch of GitLab):

```
1.1.16 Ensure force pushes code to branches is denied Failed
```

Expected Result:

```
1.1.16 Ensure force pushes code to branches is denied Passed
```

And Actual Result (if `"allow_force_push": false` in a protected branch of GitLab):

```
1.1.16 Ensure force pushes code to branches is denied Passed
```

Expected Result:

```
1.1.16 Ensure force pushes code to branches is denied Failed
```

If we look at other rules (for instance 1.1.12), the method to check the rule is always negative.
So for 1.1.16, the rule must be:
```rego
# Fragment of the rules file: is_no_branch_protection and the constsLib
# import are defined elsewhere in that file.
CbPolicy[msg] {
    not is_no_branch_protection
    is_branch_protection_not_restrict_force_push
    msg := {"ids": ["1.1.16"], "status": constsLib.status.Failed}
}
```

with `is_branch_protection_not_restrict_force_push`:

```rego
# True when the protected branch still permits force pushes.
is_branch_protection_not_restrict_force_push {
    input.BranchProtections.AllowForcePushes == true
}
```
Description

1.1.16 states that for each repository in use, we must validate that no one can "force push" code.

1.1.17 states that for each repository that is being used, we must verify that protected branches cannot be deleted.

The rule logic for these two benchmarks appears to be written in such a way that it produces false positives. When `Allow force pushes` and `Allow deletions` are checked, thus permitting the ability to force pushes and/or delete branches, Chain-Bench outputs a `Passed` where a `Failed` would be expected. The opposite will happen if you have them unchecked - you'll get a `Failed` result.

Looking at the rule logic in question, this reads to say "when the branch is protected and disallows force pushes or deletions (in other words, if AllowForcePushes and AllowDeletions == false), produce a `Failed` result." In my mind, this should read as "when the branch is protected and allows force pushes or deletes, produce a `Failed` result."

Prepending `not` to both L226 and L233 causes Chain-Bench to produce an expected result.
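A stand-alone Rego file that encodes the corrected 1.1.16 check next to a model of the inverted behaviour reported above, with `opa test` cases for both GitLab settings. This is an added example, not Chain-Bench's own rules file; the package name, the local `status` table used in place of `constsLib.status`, and the body of `is_no_branch_protection` are assumptions, while the input field names and the rule shape come from the issue text.

```rego
# Constructed stand-alone example, not Chain-Bench's rules file.
# Assumptions: the package name, the local `status` table standing in for
# constsLib.status, and the body of is_no_branch_protection.
package example_1_1_16

import rego.v1

status := {"Passed": "Passed", "Failed": "Failed"}

# Assumed: a branch is unprotected when no BranchProtections object exists.
is_no_branch_protection if {
	not input.BranchProtections
}

# Corrected predicate: true when a protected branch still allows force pushes.
is_branch_protection_not_restrict_force_push if {
	input.BranchProtections.AllowForcePushes == true
}

# Corrected 1.1.16 rule: emit Failed only when force pushes are permitted.
CbPolicy contains msg if {
	not is_no_branch_protection
	is_branch_protection_not_restrict_force_push
	msg := {"ids": ["1.1.16"], "status": status.Failed}
}

# Model of the behaviour the issue reports (Failed when force pushes are
# denied), kept here so the tests can show the inversion side by side.
CbPolicyInverted contains msg if {
	not is_no_branch_protection
	input.BranchProtections.AllowForcePushes == false
	msg := {"ids": ["1.1.16"], "status": status.Failed}
}

# Constructed inputs for both GitLab settings.
allowed := {"BranchProtections": {"AllowForcePushes": true}}
denied := {"BranchProtections": {"AllowForcePushes": false}}

# Run with `opa test .` in the directory holding this file.
test_corrected_rule_fails_when_force_push_allowed if {
	count(CbPolicy) == 1 with input as allowed
}

test_corrected_rule_passes_when_force_push_denied if {
	count(CbPolicy) == 0 with input as denied
}

test_inverted_rule_gives_opposite_results if {
	count(CbPolicyInverted) == 0 with input as allowed
	count(CbPolicyInverted) == 1 with input as denied
}
```

The third test documents the false-positive pattern described in the issue, so a regression in the rule's polarity would show up as a failing test rather than a misleading Passed/Failed line in the report.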