Update based on feedback

funnelfiasco · funnelfiasco · commit 60afb21cedb3 · 2024-11-26T12:33:48.000-05:00
Signed-off-by: Ben Cotton &lt;ben@kusari.dev&gt;
diff --git a/src/audit/unpinned_uses.rs b/src/audit/unpinned_uses.rs
@@ -2,18 +2,16 @@ use crate::finding::{Confidence, Severity};
 
 use super::{audit_meta, AuditState, Finding, Step, WorkflowAudit};
 
-pub(crate) struct UnpinnedUses {
-    pub(crate) state: AuditState,
-}
+pub(crate) struct UnpinnedUses;
 
 audit_meta!(UnpinnedUses, "unpinned-uses", "unpinned action reference");
 
 impl WorkflowAudit for UnpinnedUses {
-    fn new(state: AuditState) -> anyhow::Result<Self>
+    fn new(_state: AuditState) -> anyhow::Result<Self>
     where
         Self: Sized,
     {
-        Ok(Self { state })
+        Ok(Self)
     }
 
     fn audit_step<'w>(&self, step: &Step<'w>) -> anyhow::Result<Vec<Finding<'w>>> {
@@ -23,27 +21,22 @@ impl WorkflowAudit for UnpinnedUses {
             return Ok(vec![]);
         };
 
-        // Check twice, complain once
-        let mut found_unpinned = false;
-        let mut annotation = "";
-        if self.state.pedantic {
-            if uses.unpinned_sha() {
-                found_unpinned = true;
-                annotation = "action is not pinned to a hash ref";
-            }
+        let (annotation, severity) = if uses.unpinned() {
+            (
+                "action is not pinned to a tag, branch, or hash ref",
+                Severity::Medium,
+            )
+        } else if uses.unhashed() {
+            ("action is not pinned to a hash ref", Severity::Low)
         } else {
-            if uses.unpinned() {
-                found_unpinned = true;
-                annotation = "action is not pinned to a tag, branch, or hash ref";
-            }
-        }
+            ("", Severity::Informational)
+        };
 
-        // If one of the checks failed, add a finding
-        if found_unpinned {
+        if !annotation.is_empty() {
             findings.push(
                 Self::finding()
                     .confidence(Confidence::High)
-                    .severity(Severity::Informational)
+                    .severity(severity)
                     .add_location(
                         step.location()
                             .with_keys(&["uses".into()])
diff --git a/src/models.rs b/src/models.rs
@@ -11,7 +11,6 @@ use github_actions_models::workflow::{
     job::{NormalJob, StepBody},
     Trigger,
 };
-use regex::Regex;
 
 /// Represents an entire GitHub Actions workflow.
 ///
@@ -435,11 +434,10 @@ impl<'a> Uses<'a> {
         }
     }
 
-    pub(crate) fn unpinned_sha(&self) -> bool {
-        let regex = Regex::new("^[a-fA-F0-9]{40}$").unwrap();
+    pub(crate) fn unhashed(&self) -> bool {
         match self {
-            Uses::Docker(docker) => ! docker.hash.is_none(),
-            Uses::Repository(repo) => repo.git_ref.is_none() || ! regex.is_match(repo.git_ref.unwrap()),
+            Uses::Docker(docker) => docker.hash.is_some(),
+            Uses::Repository(repo) => !repo.ref_is_commit(),
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,6 @@ use github_actions_models::workflow::{`
`11`	`11`	`job::{NormalJob, StepBody},`
`12`	`12`	`Trigger,`
`13`	`13`	`};`
`14`		`-use regex::Regex;`
`15`	`14`
`16`	`15`	`/// Represents an entire GitHub Actions workflow.`
`17`	`16`	`///`
`@@ -435,11 +434,10 @@ impl<'a> Uses<'a> {`
`435`	`434`	`}`
`436`	`435`	`}`
`437`	`436`
`438`		`- pub(crate) fn unpinned_sha(&self) -> bool {`
`439`		`- let regex = Regex::new("^[a-fA-F0-9]{40}$").unwrap();`
	`437`	`+ pub(crate) fn unhashed(&self) -> bool {`
`440`	`438`	`match self {`
`441`		`- Uses::Docker(docker) => ! docker.hash.is_none(),`
`442`		`- Uses::Repository(repo) => repo.git_ref.is_none() \|\| ! regex.is_match(repo.git_ref.unwrap()),`
	`439`	`+ Uses::Docker(docker) => docker.hash.is_some(),`
	`440`	`+ Uses::Repository(repo) => !repo.ref_is_commit(),`
`443`	`441`	`}`
`444`	`442`	`}`
`445`	`443`	`}`