Release v1.3.2 (#2095)

Author: varunsh-coder

.github/workflows/codeql.yml

@@ -43,7 +43,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: audit
 
       - name: Checkout repository
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b

.github/workflows/kbanalysis.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: audit
 
       - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
         with:

remediation/workflow/hardenrunner/addaction.go

@@ -83,7 +83,7 @@ func addAction(inputYaml, jobName, action string) (string, error) {
 	output = append(output, spaces+fmt.Sprintf("- name: %s", HardenRunnerActionName))
 	output = append(output, spaces+fmt.Sprintf("  uses: %s", action))
 	output = append(output, spaces+"  with:")
-	output = append(output, spaces+"    egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs")
+	output = append(output, spaces+"    egress-policy: audit")
 	output = append(output, "")
 
 	for i := jobNode.Line - 1; i < len(inputLines); i++ {

remediation/workflow/permissions/permissions.go

@@ -101,6 +101,9 @@ func AddWorkflowLevelPermissions(inputYaml string, addProjectComment bool) (stri
 	line := 0
 	column := 0
 	topNode := t.Content
+	if len(topNode) == 0 {
+		return inputYaml, fmt.Errorf("Workflow file provided is Empty")
+	}
 	for _, n := range topNode[0].Content {
 		if n.Value == "jobs" && n.Tag == "!!str" {
 			line = n.Line

remediation/workflow/pin/pinactions.go

@@ -76,6 +76,34 @@ func PinAction(action, inputYaml string) (string, bool) {
 	pinnedAction := fmt.Sprintf("%s@%s # %s", leftOfAt[0], commitSHA, tagOrBranch)
 	updated = !strings.EqualFold(action, pinnedAction)
 	inputYaml = strings.ReplaceAll(inputYaml, action, pinnedAction)
+	yamlWithPreviousActionCommentsRemoved, wasModified := removePreviousActionComments(pinnedAction, inputYaml)
+	if wasModified {
+		return yamlWithPreviousActionCommentsRemoved, updated
+	}
+	return inputYaml, updated
+}
+
+// It may be that there was already a comment next to the action
+// In this case we want to remove the earlier comment
+// we add a comment with the Action version so dependabot/ renovatebot can update it
+// if there was no comment next to any action, updated will be false
+func removePreviousActionComments(pinnedAction, inputYaml string) (string, bool) {
+	updated := false
+	stringParts := strings.Split(inputYaml, pinnedAction)
+	if len(stringParts) > 1 {
+		inputYaml = ""
+		inputYaml = stringParts[0]
+		for idx := 1; idx < len(stringParts); idx++ {
+			trimmedString := strings.SplitN(stringParts[idx], "\n", 2)
+			if len(trimmedString) > 1 {
+				if strings.Contains(trimmedString[0], "#") {
+					updated = true
+				}
+				inputYaml = inputYaml + pinnedAction + "\n" + trimmedString[1]
+			}
+		}
+	}
+
 	return inputYaml, updated
 }
 

remediation/workflow/pin/pinactions_test.go

@@ -182,6 +182,8 @@ func TestPinActions(t *testing.T) {
 		{fileName: "basic.yml", wantUpdated: true},
 		{fileName: "dockeraction.yml", wantUpdated: true},
 		{fileName: "multipleactions.yml", wantUpdated: true},
+		{fileName: "actionwithcomment.yml", wantUpdated: true},
+		{fileName: "repeatedactionwithcomment.yml", wantUpdated: true},
 	}
 	for _, tt := range tests {
 		input, err := ioutil.ReadFile(path.Join(inputDirectory, tt.fileName))

remediation/workflow/secureworkflow_test.go

@@ -120,6 +120,7 @@ func TestSecureWorkflow(t *testing.T) {
 		{fileName: "nopin.yml", wantPinnedActions: false, wantAddedHardenRunner: true, wantAddedPermissions: true},
 		{fileName: "allperms.yml", wantPinnedActions: false, wantAddedHardenRunner: false, wantAddedPermissions: true},
 		{fileName: "multiplejobperms.yml", wantPinnedActions: false, wantAddedHardenRunner: false, wantAddedPermissions: true},
+		{fileName: "error.yml", wantPinnedActions: false, wantAddedHardenRunner: false, wantAddedPermissions: false},
 	}
 	for _, test := range tests {
 		input, err := ioutil.ReadFile(path.Join(inputDirectory, test.fileName))

testfiles/addaction/input/alreadypresent_2.yml

@@ -13,6 +13,6 @@ jobs:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
-         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+         egress-policy: audit
 
      - run: ls -R

testfiles/addaction/output/2jobs.yml

@@ -8,7 +8,7 @@ jobs:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
-         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+         egress-policy: audit
 
      - run: ls -R
   list-directory1:
@@ -17,6 +17,6 @@ jobs:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
-         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+         egress-policy: audit
 
      - run: ls -R

testfiles/addaction/output/action-issues.yml

@@ -12,7 +12,7 @@ jobs:
     - name: Harden Runner
       uses: step-security/harden-runner@v2
       with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        egress-policy: audit
 
     - name: Close Issue
       uses: peter-evans/close-issue@v1