ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

SAST analyzer does not find CodeQL run via 'uses' directive #3600

Closed intelfisz closed 1 year ago

intelfisz commented 1 year ago

Describe the bug

In the opi-intel-bridge repo I have been running CodeQL scans for a long time - see https://github.com/opiproject/opi-intel-bridge/blob/main/.github/workflows/codeql.yml. The action reuses an action defined in the actions repo - see https://github.com/opiproject/actions/blob/main/.github/workflows/codeql.yml. However, the OSSF score shows 0/10 points since it can't detect that CodeQL is actually run.

Reproduction steps

Steps to reproduce the behavior:

  1. Create codeql action on any repo
  2. Create another codeql action on a different repo which uses the one defined in 1. by 'uses' directive
  3. See that repo in 2. gets no points for the SAST category

Expected behavior

I expect that the evaluation has more intelligence to detect factual CodeQL scan runs, since it is a common practice to reduce code duplication in an organization and reuse actions between different repos.

Additional context

It seems that a change has happened recently or SAST was introduced, as this score penalty was not observed before and we have been running CodeQL scans for a long time already.

raghavkaul commented 1 year ago

Which version of scorecard are you using? With the latest scorecard, https://github.com/opiproject/opi-intel-bridge scores 10/10 on SAST. You're right that CodeQL is not detected (we don't parse GitHub composite actions or transitive action steps) but we should detect the existence of CodeQL as a check run on PRs.

Starting [SAST]
Finished [SAST]

RESULTS
-------
Aggregate score: 10.0 / 10

Check scores:
|---------|------|--------------------------------|--------------------------------|-----------------------------------------------------------------|
|  SCORE  | NAME |             REASON             |            DETAILS             |                    DOCUMENTATION/REMEDIATION                    |
|---------|------|--------------------------------|--------------------------------|-----------------------------------------------------------------|
| 10 / 10 | SAST | SAST tool is run on all        | Info: all commits (30) are     | https://github.com/ossf/scorecard/blob/main/docs/checks.md#sast |
|         |      | commits                        | checked with a SAST tool Warn: |                                                                 |
|         |      |                                | CodeQL tool not detected       |                                                                 |
|---------|------|--------------------------------|--------------------------------|-----------------------------------------------------------------|
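
The limitation raghavkaul describes above (step-level `uses:` references are matched, but reusable-workflow calls are not followed), illustrated with an added example that is not Scorecard's own code: a regex-based classifier over two constructed workflow snippets that separates step-level actions from a job-level `uses:` of a reusable workflow, which is exactly where the CodeQL step is hidden in this issue. The patterns, the `example-org` reusable workflow and both sample workflows are assumptions of this example.

```python
import re

# Constructed sample workflows (not the opiproject files referenced in the issue).
DIRECT_WORKFLOW = """\
name: codeql
on: [push, pull_request]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v2
      - uses: github/codeql-action/analyze@v2
"""

# Caller workflow: CodeQL lives inside the reusable workflow, not in this file.
REUSABLE_CALLER_WORKFLOW = """\
name: codeql
on: [push, pull_request]
jobs:
  codeql:
    uses: example-org/actions/.github/workflows/codeql.yml@main
"""

# Hypothetical patterns for this example; Scorecard's real matching is in its Go source.
STEP_USES = re.compile(r"^\s*-\s*uses:\s*([^\s#]+)")        # "- uses: owner/action@ref" inside steps
JOB_USES = re.compile(r"^\s*uses:\s*([^\s#]+)")             # "uses: ..." directly under a job
CODEQL_ACTION = re.compile(r"^github/codeql-action/")
REUSABLE_WORKFLOW = re.compile(r"^[^/]+/[^/]+/\.github/workflows/[^@]+\.ya?ml@")

def classify_uses(workflow_yaml: str) -> dict[str, list[str]]:
    """Split every `uses:` reference into step-level actions and job-level reusable workflows."""
    result: dict[str, list[str]] = {"step_actions": [], "reusable_workflows": []}
    for line in workflow_yaml.splitlines():
        m = STEP_USES.match(line)
        if m:
            result["step_actions"].append(m.group(1))
            continue
        m = JOB_USES.match(line)
        if m and REUSABLE_WORKFLOW.match(m.group(1)):
            result["reusable_workflows"].append(m.group(1))
    return result

def codeql_visible_to_step_scan(workflow_yaml: str) -> bool:
    """True only when CodeQL is a direct step; a reusable workflow hides it from a step-level scan."""
    return any(CODEQL_ACTION.match(ref) for ref in classify_uses(workflow_yaml)["step_actions"])

def hidden_codeql_candidates(workflow_yaml: str) -> list[str]:
    """Reusable-workflow calls a step-level scan cannot look inside (the situation in this issue)."""
    return classify_uses(workflow_yaml)["reusable_workflows"]
```

Running `hidden_codeql_candidates` over a caller workflow lists the reusable workflows you would have to inspect by hand to confirm CodeQL really runs there.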
spencerschrock commented 1 year ago

Please see https://github.com/ossf/scorecard/pull/3591: GitHub changed a string we were using for CodeQL detection. Make sure you're using Scorecard v4.13.1 or Scorecard Action v2.3.1.

intelfisz commented 1 year ago

Thanks for the clarifications - indeed, this seems to be related to the recent change and works fine with the latest version. I am closing the issue.