Merge pull request #29 from GitHubSecurityLab/unknown

Don't put unknown permissions into the generated yaml

Author: JarLob

advisor/dist/index.js

@@ -35140,6 +35140,7 @@ async function analyze(name, count, token, owner, repo, branch) {
   });
 
   let permissions = new Map();
+  let wasUnknown = false;
 
   for (const run of runs.data.workflow_runs) {
     debug(`Analyzing run ${run.id}...`);
@@ -35209,6 +35210,11 @@ async function analyze(name, count, token, owner, repo, branch) {
 
           const p = permissions.get(jobName);
           for (const [kind, perm] of jobPermissions) {
+            if (kind === 'unknown') {
+              wasUnknown = true;
+              continue;
+            }
+
             if (p.has(kind)) {
               if (perm === "write") {
                 p.set(kind, perm)
@@ -35222,16 +35228,21 @@ async function analyze(name, count, token, owner, repo, branch) {
     }
   }
 
-  return permissions;
+  return [permissions, wasUnknown];
 }
 
 async function run(token, name, count, owner, repo, branch, format) {
-  const permissions = await analyze(name, count, token, owner, repo, branch);
+  const [permissions, wasUnknown] = await analyze(name, count, token, owner, repo, branch);
 
   let summary = core.summary.addHeading(`Minimal required permissions for ${name}:`);
   log(`Minimal required permissions for ${name}:`);
 
   try {
+    if (wasUnknown) {
+      summary.addRaw("\nAt least one call wasn't recognized. Some permissions are unknown. Check the workflow runs.\n");
+      throw new Error("At least one call wasn't recognized. Some permissions are unknown. Check the workflow runs.");
+    }
+
     if (permissions.size === 0) {
       summary = summary.addRaw('No permissions logs were found.');
       throw new Error('No permissions logs were found.');

advisor/index.js

@@ -21,6 +21,7 @@ async function analyze(name, count, token, owner, repo, branch) {
   });
 
   let permissions = new Map();
+  let wasUnknown = false;
 
   for (const run of runs.data.workflow_runs) {
     debug(`Analyzing run ${run.id}...`);
@@ -90,6 +91,11 @@ async function analyze(name, count, token, owner, repo, branch) {
 
           const p = permissions.get(jobName);
           for (const [kind, perm] of jobPermissions) {
+            if (kind === 'unknown') {
+              wasUnknown = true;
+              continue;
+            }
+
             if (p.has(kind)) {
               if (perm === "write") {
                 p.set(kind, perm)
@@ -103,16 +109,21 @@ async function analyze(name, count, token, owner, repo, branch) {
     }
   }
 
-  return permissions;
+  return [permissions, wasUnknown];
 }
 
 async function run(token, name, count, owner, repo, branch, format) {
-  const permissions = await analyze(name, count, token, owner, repo, branch);
+  const [permissions, wasUnknown] = await analyze(name, count, token, owner, repo, branch);
 
   let summary = core.summary.addHeading(`Minimal required permissions for ${name}:`);
   log(`Minimal required permissions for ${name}:`);
 
   try {
+    if (wasUnknown) {
+      summary.addRaw("\nAt least one call wasn't recognized. Some permissions are unknown. Check the workflow runs.\n");
+      throw new Error("At least one call wasn't recognized. Some permissions are unknown. Check the workflow runs.");
+    }
+
     if (permissions.size === 0) {
       summary = summary.addRaw('No permissions logs were found.');
       throw new Error('No permissions logs were found.');

monitor/dist/index.js

@@ -121806,6 +121806,7 @@ async function run() {
       const results = JSON.parse(`[${data.trim().replace(/\r?\n|\r/g, ',')}]`);
 
       let permissions = new Map();
+      let wasUnknown = false;
       for (const result of results) {
         if (!hosts.has(result.host.toLowerCase()))
           continue;
@@ -121815,7 +121816,9 @@ async function run() {
           const perm = p[kind];
 
           if (kind === 'unknown') {
-            console.log(`The github token was used to call ${result.method} ${result.host}${result.path} but the permission is unknown. Please report this to the action author.`);
+            core.warning(`The github token was used to call ${result.method} ${result.host}${result.path} but the permission is unknown. Please report this to the action author.`);
+            wasUnknown = true;
+            continue;
           }
 
           if (permissions.has(kind)) {
@@ -121838,6 +121841,10 @@ async function run() {
         }
       }
 
+      if (wasUnknown) {
+        summary += "\nAt least one call wasn't recognized. Please check the logs and report this to the action author.";
+      }
+
       core.summary
         .addRaw('#### Minimal required permissions:\n')
         .addCodeBlock(summary, 'yaml')
@@ -121871,7 +121878,7 @@ async function run() {
         }
       })
       command.stderr.on('data', output => {
-        console.log(output.toString())
+        core.warning(output.toString())
       })
       command.on('exit', code => {
         if (code !== 0) {

monitor/index.js

@@ -64,6 +64,7 @@ async function run() {
       const results = JSON.parse(`[${data.trim().replace(/\r?\n|\r/g, ',')}]`);
 
       let permissions = new Map();
+      let wasUnknown = false;
       for (const result of results) {
         if (!hosts.has(result.host.toLowerCase()))
           continue;
@@ -73,7 +74,9 @@ async function run() {
           const perm = p[kind];
 
           if (kind === 'unknown') {
-            console.log(`The github token was used to call ${result.method} ${result.host}${result.path} but the permission is unknown. Please report this to the action author.`);
+            core.warning(`The github token was used to call ${result.method} ${result.host}${result.path} but the permission is unknown. Please report this to the action author.`);
+            wasUnknown = true;
+            continue;
           }
 
           if (permissions.has(kind)) {
@@ -96,6 +99,10 @@ async function run() {
         }
       }
 
+      if (wasUnknown) {
+        summary += "\nAt least one call wasn't recognized. Please check the logs and report this to the action author.";
+      }
+
       core.summary
         .addRaw('#### Minimal required permissions:\n')
         .addCodeBlock(summary, 'yaml')
@@ -129,7 +136,7 @@ async function run() {
         }
       })
       command.stderr.on('data', output => {
-        console.log(output.toString())
+        core.warning(output.toString())
       })
       command.on('exit', code => {
         if (code !== 0) {