

Removed Sarif Results From Processing & Rekor Upload (ossf/scorecard-…
…action#197)

* test action

* sign test data

* func to sign and upload workflow result

* added signScorecardResult func and test

* added signScorecardResult func and test

* moved signing code into main.go

* added call to signScorecardResult at the end of main

* added err checking

* comments and added global vars

* style changes

* updated test to use randomized payload

* check publish_results

* error logging for signScorecardResult call

* error logging

* entrypoint

* updated dockerfile

* dockerfile

* dockerfile

* EnvInputsResults vars added to Options

* resultsfile env var

* set PAT

* create results file with sudo

* sudo create resultsfile

* try os.Openfile

* fixed fileapth

* changed Distroless to debian

* get output format from env var

* fixed defaultpolicyfile path

* policy filepath

* copy policy.yml in dockerfile

* policyfile

* moved signing code to separate file

* dockerfile

* generate results.json file in preRun

* revert dockerfile to main

* json file creation check

* run scorecard again to produce json output

* testing

* entrypointJson

* print cmd

* alter env vars in main for json

* opts

* dockerfile uses entrypoint.go

* renamed make build

* produce both sarif and json

* sign json result

* sig verification api call

* go mod tidy

* readfile fix

* sign sarif instead of json

* http response code checking

* moved api call func into signing.go

* dont hardcode repo paths

* finalized signing + verif

* renamed sign test

* Bump debian from d5cd7e5 to 40f90ea

* removed unnecessary slash

* comments

* policy.yml -> /policy.yml

* refactored signing

* more refactoring + sig processing test

* fixed func call

* fixed sign test

* style + error fmt

* reverted dockerfile

* style fixes

* lint fixes

* linting errs

* test workflow permissions

* debug print

* commented out signing test

* linting errors

Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com>
2 people authored and justaugustus committed May 25, 2022
1 parent 5fa13cd commit 485b898
Showing 3 changed files with 10 additions and 26 deletions.
17 changes: 2 additions & 15 deletions action/main.go
Expand Up @@ -15,7 +15,6 @@
package main

import (
"io/ioutil"
"log"
"os"

Expand All @@ -35,18 +34,6 @@ func main() {
}

if os.Getenv(options.EnvInputPublishResults) == "true" { //nolint
sarifOutputFile := os.Getenv(options.EnvInputResultsFile)
// Get sarif results from file.
sarifPayload, err := ioutil.ReadFile(sarifOutputFile)
if err != nil {
log.Fatalf("error reading from sarif output file: %v", err)
}

// Sign sarif results.
if err = signing.SignScorecardResult(sarifOutputFile); err != nil {
log.Fatalf("error signing scorecard sarif results: %v", err)
}

// Get json results by re-running scorecard.
jsonPayload, err := signing.GetJSONScorecardResults()
if err != nil {
Expand All @@ -58,10 +45,10 @@ func main() {
log.Fatalf("error signing scorecard json results: %v", err)
}

// Processes sarif & json results.
// Processes json results.
repoName := os.Getenv(options.EnvGithubRepository)
repoRef := os.Getenv(options.EnvGithubRef)
if err := signing.ProcessSignature(sarifPayload, jsonPayload, repoName, repoRef); err != nil {
if err := signing.ProcessSignature(jsonPayload, repoName, repoRef); err != nil {
log.Fatalf("error processing signature: %v", err)
}
}
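Review bot: repoName and repoRef are read from the environment on the two context lines above the new call and passed straight to signing.ProcessSignature with no emptiness check, so a run with a misconfigured environment uploads a payload carrying a blank repository identity and the failure, if any, only surfaces as a remote API error. A guard before the call keeps the failure local and the message actionable: `if repoName == "" || repoRef == "" { log.Fatalf("missing %s or %s in environment", options.EnvGithubRepository, options.EnvGithubRef) }`. The `//nolint` on the publish_results check still names neither the linter it silences nor the reason; narrowing it to a specific linter with a trailing explanation keeps the suppression auditable. main's body starts and ends outside the visible hunks, so the JSON signing step between them was not reviewed here.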
10 changes: 4 additions & 6 deletions action/signing/signing.go
Expand Up @@ -70,19 +70,17 @@ func GetJSONScorecardResults() ([]byte, error) {
}

// ProcessSignature calls scorecard-api to process & upload signed scorecard results.
func ProcessSignature(sarifPayload, jsonPayload []byte, repoName, repoRef string) error {
func ProcessSignature(jsonPayload []byte, repoName, repoRef string) error {
// Prepare HTTP request body for scorecard-webapp-api call.
resultsPayload := struct {
SarifOutput string
JSONOutput string
JSONOutput string
}{
SarifOutput: string(sarifPayload),
JSONOutput: string(jsonPayload),
JSONOutput: string(jsonPayload),
}

payloadBytes, err := json.Marshal(resultsPayload)
if err != nil {
return fmt.Errorf("reading scorecard json results from file: %w", err)
return fmt.Errorf("marshalling json results: %w", err)
}

// Call scorecard-webapp-api to process and upload signature.
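Review bot: ProcessSignature accepts an empty jsonPayload silently — json.Marshal encodes it as `"JSONOutput":""` and the request body is still built for scorecard-webapp-api, so a caller that produced no results would upload an empty result rather than fail here. Suggest `if len(jsonPayload) == 0 { return errors.New("empty json results payload") }` at the top of the function (bring in `errors` if the file does not already import it). The doc comment could also say what the arguments are now that the signature changed: `// ProcessSignature sends jsonPayload (the scorecard JSON output) for repoName at repoRef to scorecard-api, which processes and uploads the signed results.` The HTTP call and its status handling lie below the hunk and were not reviewed.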
9 changes: 4 additions & 5 deletions action/signing/signing_test.go
Expand Up @@ -60,16 +60,15 @@ import (
func Test_ProcessSignature(t *testing.T) {
t.Parallel()

sarifPayload, serr := ioutil.ReadFile("testdata/results.sarif")
jsonPayload, jerr := ioutil.ReadFile("testdata/results.json")
jsonPayload, err := ioutil.ReadFile("testdata/results.json")
repoName := "rohankh532/scorecard-OIDC-test"
repoRef := "refs/heads/main"

if serr != nil || jerr != nil {
t.Errorf("Error reading testdata:, %v, %v", serr, jerr)
if err != nil {
t.Errorf("Error reading testdata:, %v", err)
}

if err := ProcessSignature(sarifPayload, jsonPayload, repoName, repoRef); err != nil {
if err := ProcessSignature(jsonPayload, repoName, repoRef); err != nil {
t.Errorf("ProcessSignature() error:, %v", err)
return
}
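Review bot: The read-error branch `if err != nil { t.Errorf("Error reading testdata:, %v", err) }` reports the failure but does not stop the test, so ProcessSignature is then called with a nil payload and the test fails a second time with a misleading error from the API call; use `t.Fatalf("Error reading testdata: %v", err)` (which also drops the stray comma after the colon). The test appears to call the real scorecard-webapp-api with a fixed repo and ref, so it depends on network access and remote state; if that is intended as an integration test, skipping it under `testing.Short()` or behind an environment variable would keep a plain `go test` deterministic. Test_ProcessSignature continues past the end of the hunk.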

