ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

pip install with --hash is throwing PinnedDependenciesID #4189

Closed pdxjohnny closed 3 months ago

pdxjohnny commented 3 months ago
            {
               "ruleId": "PinnedDependenciesID",
               "ruleIndex": 4,
               "message": {
                  "text": "score is 4: pipCommand not pinned by hash\nClick Remediation section below to solve this issue"
               },
               "locations": [
                  {
                     "physicalLocation": {
                        "region": {
                           "startLine": 8,
                           "endLine": 20,
                           "snippet": {
                              "text": "python3 -m pip install -U pip==24.1 --hash=sha256:a775837439bf5da2c1a0c2fa43d5744854497c689ddbd9344cf3ea6d00598540 --hash=sha256:bdae551038c0ce6a83030b4aedef27fc95f0daa683593fea22fa05e55ed8e317"
                           }
                        },
                        "artifactLocation": {
                           "uri": "operations/image/Dockerfile",
                           "uriBaseId": "%SRCROOT%"
                        }
                     },
                     "message": {
                        "text": "pipCommand not pinned by hash"
                     }
                  }
               ]
            }
pdxjohnny commented 3 months ago

It looks like this is because any pip install without a requirements.txt will trigger a pinning finding.

pdxjohnny commented 3 months ago
            {
               "ruleId": "PinnedDependenciesID",
               "ruleIndex": 4,
               "message": {
                  "text": "score is 4: pipCommand not pinned by hash\nClick Remediation section below to solve this issue"
               },
               "locations": [
                  {
                     "physicalLocation": {
                        "region": {
                           "startLine": 8,
                           "endLine": 22,
                           "snippet": {
                              "text": "python -m pip install -r requirements-lock.txt"
                           }
                        },
                        "artifactLocation": {
                           "uri": "operations/image/Dockerfile",
                           "uriBaseId": "%SRCROOT%"
                        }
                     },
                     "message": {
                        "text": "pipCommand not pinned by hash"
                     }
                  }
               ]
            }
pdxjohnny commented 3 months ago

I don't understand, how can one pin dependencies with pip in a way scorecard recognizes? There is no example in testdata/; can someone please help?

pnacht commented 3 months ago

Scorecard expects the following:

python -m pip install -r requirements-lock.txt --require-hashes

The --require-hashes means pip will fail if the requirements file isn't hashed. Scorecard doesn't actually open the requirements file itself.

Though it probably should detect the --hash format you tried as well...
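
The behaviour pnacht describes (Scorecard looks only at the pip command line, not at the requirements file) can be reproduced as a small local check. The following is an added example written for this thread, not Scorecard's own code: it scans RUN instructions in a Dockerfile for `pip install` invocations, flags those that carry neither `--require-hashes` nor a `--hash` flag, and additionally verifies that every line of a lock file has a hash, which Scorecard does not do but which `--require-hashes` will enforce at build time. The Dockerfile, requirements files and hash digests are constructed placeholders.

```python
"""Approximate the pinned-pip check this thread discusses (added example, not
Scorecard's own code).  Scorecard reads only the pip command line; the
requirements-file check below is an extra that Scorecard does not perform."""

import re
import shlex

# Constructed sample Dockerfile: four pip installs, two pinned by hash.
DOCKERFILE = """\
FROM python:3.12-slim
RUN python3 -m pip install -U pip==24.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN python -m pip install -r requirements-lock.txt
RUN python -m pip install -r requirements-lock.txt --require-hashes && \\
    pip install requests
"""

# Constructed lock file; digests are placeholders, not real package hashes.
REQUIREMENTS_LOCK = """\
# every requirement carries at least one --hash, as pip-compile --generate-hashes emits
requests==2.32.3 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
urllib3==2.2.2 \\
    --hash=sha256:2222222222222222222222222222222222222222222222222222222222222222 \\
    --hash=sha256:3333333333333333333333333333333333333333333333333333333333333333
"""

# Constructed lock file with one unhashed line: pip --require-hashes would abort.
REQUIREMENTS_PARTIAL = """\
requests==2.32.3 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
urllib3==2.2.2
"""


def _logical_lines(text):
    """Join backslash-continued physical lines into single logical lines."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        joined.append(buf + line)
        buf = ""
    if buf:
        joined.append(buf)
    return joined


def pip_install_commands(dockerfile_text):
    """Return the argv (starting at 'pip') of every pip install in a RUN line."""
    cmds = []
    for line in _logical_lines(dockerfile_text):
        if not line.upper().startswith("RUN "):
            continue
        # Split shell command lists on && and ; (sufficient for plain RUN lines).
        for piece in re.split(r"&&|;", line[4:]):
            argv = shlex.split(piece)
            for i, tok in enumerate(argv[:-1]):
                if tok.endswith(("pip", "pip3")) and argv[i + 1] == "install":
                    cmds.append(argv[i:])
                    break
    return cmds


def is_hash_pinned(argv):
    """What Scorecard looks for: --require-hashes or a --hash flag on the
    command itself.  The referenced requirements file is never opened."""
    return "--require-hashes" in argv or any(
        a == "--hash" or a.startswith("--hash=") for a in argv
    )


def audit_dockerfile(dockerfile_text):
    """Return [(command, pinned)] for each pip install found in the Dockerfile."""
    return [(" ".join(argv), is_hash_pinned(argv))
            for argv in pip_install_commands(dockerfile_text)]


def requirements_fully_hashed(req_text):
    """True if every requirement line has at least one --hash= entry, i.e. the
    file will satisfy pip's --require-hashes mode at build time."""
    for line in _logical_lines(req_text):
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue  # blank, comment, or an option line such as -r/-c
        if "--hash=" not in line:
            return False
    return True


if __name__ == "__main__":
    for cmd, pinned in audit_dockerfile(DOCKERFILE):
        print("pinned " if pinned else "UNPINNED", cmd)
    print("lock file fully hashed:", requirements_fully_hashed(REQUIREMENTS_LOCK))
    print("partial file fully hashed:", requirements_fully_hashed(REQUIREMENTS_PARTIAL))
```

Running it reports the second and fourth installs as unpinned, matching the finding in the SARIF output above for the `-r requirements-lock.txt` line without `--require-hashes`; the lock-file check catches the case where the flag is present but the file would make the build fail.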

pdxjohnny commented 3 months ago

Okay great, thank you!