ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

BUG: Pinned-Dependencies fails for jobs with complex matrix-defined OS #3075

Open pnacht opened 1 year ago

pnacht commented 1 year ago

Describe the bug
Jobs with matrix-defined OS can cause an internal error in Pinned-Dependencies.

Reproduction steps
Steps to reproduce the behavior:

  1. scorecard --repo apache/beam --checks Pinned-Dependencies --show-details --format json
Error: check runtime error: Pinned-Dependencies: internal error: internal error: unable to determine OS for job: Build python wheels on ${{matrix.arch}} for ${{ matrix.os_python.os }}
...
  "checks": [
    {
      "details": null,
      "score": -1,
      "reason": "internal error: internal error: unable to determine OS for job: Build python wheels on ${{matrix.arch}} for ${{ matrix.os_python.os }}",
      "name": "Pinned-Dependencies",
      ...
    }
  ],
...

The relevant job is here and is defined below. Note that the OS isn't simply a value of the matrix, but a component of a JSON object defined by the matrix:

  build_wheels:
    name: Build python wheels on ${{matrix.arch}} for ${{ matrix.os_python.os }}
    needs:
      - check_env_variables
      - build_source
    env:
      CIBW_ARCHS_LINUX: ${{matrix.arch}}
    runs-on: ${{ matrix.os_python.os }}
    strategy:
      matrix:
        os_python: [
          {"os": "ubuntu-latest", "python": "${{ needs.check_env_variables.outputs.py-versions-full }}" },
          {"os": "macos-latest", "python": "${{ needs.check_env_variables.outputs.py-versions-test }}" },
          {"os": "windows-latest", "python": "${{ needs.check_env_variables.outputs.py-versions-test }}" },
        ]
        arch: [auto]
        include:
          - os_python: {"os": "ubuntu-latest", "python": "${{ needs.check_env_variables.outputs.py-versions-test }}" }
            arch: aarch64
    # ...

Expected behavior
The case should be handled normally (why does Scorecard need to determine the OS?).

If this edge case is too complex to be worth the effort, Scorecard should then ignore failed jobs (with a warning in the details) but run the rest of the Pinned-Dependencies check normally.

abs007 commented 1 year ago

GetOSesForJob() checks the OSes a particular job's steps run on. If it's all Windows, then the pwsh shell doesn't get matched here.

For taking care of the edge case (which seems to be an issue in parsing the workflow YAML), the error message "unable to determine OS for job" can be checked over here, and the check can then continue if it's this error.

Of course, the better solution would be to improve YAML parsing inside the GetOSesForJob() func.
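
The following is an added example (not Scorecard's code, and not GetOSesForJob() itself) of the parsing improvement suggested in the comment above: resolving a `runs-on` matrix expression by following a dotted path such as `matrix.os_python.os` into object-valued matrix axes, including entries injected through `include`. The job and matrix below are constructed in Go to mirror the apache/beam workflow from the report rather than read from YAML; the `Job` type, `osesForJob`, `runnerOS` and the OS family names are assumptions for this example, and a `runs-on` given as a list is not handled.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Job holds the parts of a GitHub Actions job that matter here: runs-on
// and strategy.matrix, as generic Go values such as a YAML decoder would
// produce (hypothetical type for this example).
type Job struct {
	Name   string
	RunsOn string
	Matrix map[string]any
}

// matrixRef matches "${{ matrix.a.b }}" and captures the dotted path "a.b".
var matrixRef = regexp.MustCompile(`^\$\{\{\s*matrix\.([A-Za-z0-9_.-]+)\s*\}\}$`)

// lookupPath walks a dotted path into a matrix value. An axis entry may be a
// scalar ("ubuntu-latest", empty path) or an object ({"os": ..., "python": ...}).
func lookupPath(v any, path []string) (string, bool) {
	for _, key := range path {
		m, ok := v.(map[string]any)
		if !ok {
			return "", false
		}
		if v, ok = m[key]; !ok {
			return "", false
		}
	}
	s, ok := v.(string)
	return s, ok
}

// candidateValues returns every value an axis can take: the axis list plus
// any value an include entry adds for that axis.
func candidateValues(matrix map[string]any, axis string) []any {
	var out []any
	if list, ok := matrix[axis].([]any); ok {
		out = append(out, list...)
	}
	if inc, ok := matrix["include"].([]any); ok {
		for _, item := range inc {
			if m, ok := item.(map[string]any); ok {
				if v, ok := m[axis]; ok {
					out = append(out, v)
				}
			}
		}
	}
	return out
}

// runnerOS maps a runner label to an OS family; "" means unknown.
func runnerOS(label string) string {
	l := strings.ToLower(label)
	switch {
	case strings.HasPrefix(l, "ubuntu"):
		return "linux"
	case strings.HasPrefix(l, "macos"):
		return "macos"
	case strings.HasPrefix(l, "windows"):
		return "windows"
	}
	return ""
}

// osesForJob resolves the OS families a job can run on. A literal runs-on
// resolves directly; a matrix expression is expanded through the matrix.
// The error names the job so a caller can skip it instead of failing the check.
func osesForJob(j Job) ([]string, error) {
	labels := []string{j.RunsOn}
	if m := matrixRef.FindStringSubmatch(strings.TrimSpace(j.RunsOn)); m != nil {
		path := strings.Split(m[1], ".")
		labels = labels[:0]
		for _, cand := range candidateValues(j.Matrix, path[0]) {
			if s, ok := lookupPath(cand, path[1:]); ok {
				labels = append(labels, s)
			}
		}
	}
	seen := map[string]bool{}
	var oses []string
	for _, label := range labels {
		if os := runnerOS(label); os != "" && !seen[os] {
			seen[os] = true
			oses = append(oses, os)
		}
	}
	if len(oses) == 0 {
		return nil, fmt.Errorf("unable to determine OS for job: %s", j.Name)
	}
	return oses, nil
}

// beamJob is the build_wheels job from the report, constructed as Go values.
var beamJob = Job{
	Name:   "Build python wheels on ${{matrix.arch}} for ${{ matrix.os_python.os }}",
	RunsOn: "${{ matrix.os_python.os }}",
	Matrix: map[string]any{
		"os_python": []any{
			map[string]any{"os": "ubuntu-latest", "python": "${{ needs.check_env_variables.outputs.py-versions-full }}"},
			map[string]any{"os": "macos-latest", "python": "${{ needs.check_env_variables.outputs.py-versions-test }}"},
			map[string]any{"os": "windows-latest", "python": "${{ needs.check_env_variables.outputs.py-versions-test }}"},
		},
		"arch": []any{"auto"},
		"include": []any{map[string]any{
			"os_python": map[string]any{"os": "ubuntu-latest", "python": "${{ needs.check_env_variables.outputs.py-versions-test }}"},
			"arch":      "aarch64",
		}},
	},
}

func main() {
	oses, err := osesForJob(beamJob)
	fmt.Println(oses, err) // [linux macos windows] <nil>
}
```

With this resolution the job from the report yields all three OS families, so the shell-matching step that needs "all Windows" information has something to work with; an expression that still resolves to nothing produces the same error string as the report, which a caller can match to skip the job and keep scoring the rest.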

diogoteles08 commented 10 months ago

The same issue is happening when running Scorecard for github.com/AcademySoftwareFoundation/openexr. For this project, the bug is happening because of this job.

This was discussed in https://github.com/AcademySoftwareFoundation/openexr/pull/1535, cc @cary-ilm

diogoteles08 commented 10 months ago

Also, this issue is related to #3316