ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

New check: unpinned repo clone #608

Open laurentsimon opened 3 years ago

laurentsimon commented 3 years ago

Is your feature request related to a problem? Please describe.
Detect git, hg and other source management tools used to clone a repo without pinning by hash. This sometimes happens in Makefiles or shell scripts to pull dependencies.

This check is problematic because there are many legitimate reasons to do this, especially for one's own repo. Example: for integration tests, etc. Maybe we could detect repo clones that are different from the repo itself. Note that dependabot probably does not support updating the version of a cloned repo.

Describe the solution you'd like
Need discussion.

Describe alternatives you've considered
Need discussion.

laurentsimon commented 3 years ago

possible patterns to check for:

  1. Git/hg repo clone
  2. Curl github.com/bla/bla/releases/download/bla
  3. Curl tarball

ristomcgehee commented 2 years ago

Here's my opinion: we should not do unpinned dependency checks for dependency types not supported by dependabot. If a developer modifies their code to clone a git repo at a certain commit hash, chances are that hash will not be updated for years, if ever. Yes, they will be protected from someone pushing malicious code to that git repo in the future, but they will also miss out on vulnerability and other bug fixes. Without dependabot, I would say the developer would be less secure by pinning a hash.

laurentsimon commented 2 years ago

it would be good to flag it nevertheless, because it's a potential risk. Any thoughts on warning without recommending pinning by hash?

ristomcgehee commented 2 years ago

Yeah, I think if we just noted this as a warning, but didn't recommend pinning, that would be a good approach.
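The three patterns listed earlier in the thread (git/hg clone, curl of a GitHub release asset, curl of a tarball), the exemption for cloning one's own repo, and the warn-without-recommending-a-pin outcome agreed just above, as an added Go example. This is not Scorecard's code: the regexes, the `Finding` type, the one-line look-ahead that treats a following `git checkout <40-hex>` as a pin, and the sample script are all assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one unpinned fetch of remote code found in a script or Makefile.
// Severity is always "warn": as agreed above, the check flags the pattern as a
// risk but does not recommend hash-pinning, because nothing updates a hash
// that lives inside a shell script.
type Finding struct {
	Line     int
	Kind     string // "git-clone", "hg-clone", "release-download", "tarball"
	Target   string
	Severity string
}

var (
	// `git clone ... URL` or `hg clone ... URL`; flags such as --branch may precede the URL.
	cloneRe = regexp.MustCompile(`\b(git|hg)\s+clone\b.*?(https?://[^\s'"]+|git@[^\s'"]+)`)
	// A checkout of a full 40-hex commit is the only form treated as "pinned" here.
	shaRe = regexp.MustCompile(`\b(?:git\s+(?:checkout|reset\s+--hard)|hg\s+(?:update|checkout))\s+[0-9a-f]{40}\b`)
	// curl/wget of a GitHub release asset: pinned to a tag, not to a hash.
	releaseRe = regexp.MustCompile(`\b(?:curl|wget)\b.*?(https://github\.com/[^/\s]+/[^/\s]+/releases/download/[^\s'"]+)`)
	// curl/wget of any other tarball or zip.
	tarballRe = regexp.MustCompile(`\b(?:curl|wget)\b.*?(https?://[^\s'"]+\.(?:tar\.gz|tgz|zip))`)
	// owner/name of a GitHub clone URL, used to exempt clones of the scored repo itself.
	ownerRepoRe = regexp.MustCompile(`github\.com[:/]([^/\s]+/[^/\s.]+)`)
)

// pinWindow is how many lines after a clone a commit checkout may appear and
// still count as pinning that clone. A hypothetical heuristic, not a Scorecard setting.
const pinWindow = 1

// ScanScript returns the unpinned fetches in script. selfRepo ("owner/name")
// is the repository being scored; clones of it are not reported.
func ScanScript(script, selfRepo string) []Finding {
	lines := strings.Split(script, "\n")
	var out []Finding
	for i, raw := range lines {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		n := i + 1
		if m := cloneRe.FindStringSubmatch(line); m != nil {
			tool, url := m[1], m[2]
			if r := ownerRepoRe.FindStringSubmatch(url); r != nil && r[1] == selfRepo {
				continue // cloning one's own repo (integration tests etc.) is legitimate
			}
			if pinnedNearby(lines, i) {
				continue
			}
			out = append(out, Finding{Line: n, Kind: tool + "-clone", Target: url, Severity: "warn"})
			continue
		}
		if m := releaseRe.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{Line: n, Kind: "release-download", Target: m[1], Severity: "warn"})
		} else if m := tarballRe.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{Line: n, Kind: "tarball", Target: m[1], Severity: "warn"})
		}
	}
	return out
}

// pinnedNearby reports whether the clone on line index i is followed, within
// pinWindow lines (or on the same line), by a checkout of a full commit hash.
func pinnedNearby(lines []string, i int) bool {
	end := i + pinWindow
	if end >= len(lines) {
		end = len(lines) - 1
	}
	for j := i; j <= end; j++ {
		if shaRe.MatchString(lines[j]) {
			return true
		}
	}
	return false
}

// sampleScript is a constructed example, not taken from any real project.
const sampleScript = `# constructed sample: lines 4, 7, 8 and 9 should be flagged
set -e
git clone https://github.com/ossf/scorecard.git /tmp/self
git clone https://github.com/example/tool.git /tmp/tool
git clone --branch v1.4 https://github.com/example/other.git /tmp/other
(cd /tmp/other && git checkout 0123456789abcdef0123456789abcdef01234567)
curl -sSL https://github.com/example/cli/releases/download/v2.0.0/cli_linux_amd64.tar.gz | tar xz
curl -L -o dep.tar.gz https://example.org/dep-1.2.3.tar.gz
hg clone https://hg.example.org/lib /tmp/lib`

func main() {
	for _, f := range ScanScript(sampleScript, "ossf/scorecard") {
		fmt.Printf("%s: line %d: %s of %s is not pinned to a commit\n", f.Severity, f.Line, f.Kind, f.Target)
	}
}
```

Running it prints four warnings for the constructed script: the clone of example/tool, the release asset download (tag-pinned but not hash-pinned), the plain tarball, and the hg clone. The clone of ossf/scorecard itself is skipped, and the `--branch` clone followed by `git checkout` of a full commit counts as pinned. A real check would also have to deal with heredocs, line continuations and shell variables, which this example ignores.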

laurentsimon commented 2 years ago

do you know if dependabot/renovatebot support commands within shell script/makefiles go install bla@something? I'm also curious about GCB's cloud.yaml files https://github.com/ossf/scorecard/issues/1503

cc @rarkins

rarkins commented 2 years ago

Right now we don't support arbitrary scripts unless you're self hosting. For the app it's too high risk

laurentsimon commented 2 years ago

@rarkins do you mean it's too risky to parse arbitrary shell scripts?

Let me give you a concrete example of what I meant. If I have a workflow using uses: some/action@somehash, renovate-bot is able to send a PR to update the hash when a new action is released. If I use run: go install somepackage@hash, is renovate-bot able to understand that I depend on somepackage, even though it's not in a go.sum file? It's pretty common to install CLIs via a command, but we want these to be updated by renovate-bot when a new version is released.

More generally, is renovate-bot capable of understanding cloud.yaml dependencies given via args, or commands such as git reset --hard SOME_HASH? (This one clearly looks harder.)

rarkins commented 2 years ago

Sorry, I misunderstood.

Renovate attempts to understand as many patterns as it can out of the box, but it doesn't know those ones. For ones like that which it doesn't understand, users can add regex patterns to identify them for Renovate. The feature is known as the "regex manager": https://docs.renovatebot.com/modules/manager/regex/

So the short answer is that yes, Renovate probably already can update the examples you gave, but needs configuration to do so. It's a similar challenge for Dockerfiles, where there is no "standard" for defining dependencies and it's essentially similar in concept to bash scripts.

laurentsimon commented 2 years ago

Interesting, thanks for the info.

github-actions[bot] commented 10 months ago

This issue is stale because it has been open for 60 days with no activity.