
fix: Deduplicate findings due to anchors#1584

Draft
DarkaMaul wants to merge 3 commits into zizmorcore:main from trail-of-forks:dm/duplicate-findings

Conversation

@DarkaMaul
Contributor

Pre-submission checks

Please check these boxes:

  • Mandatory: This PR corresponds to an issue (if not, please create
    one first).

  • I hereby disclose the use of an LLM or other AI coding assistant in the
    creation of this PR. PRs will not be rejected for using AI tools, but
    will be rejected for undisclosed use.

If a checkbox is not applicable, you can leave it unchecked.

Summary

Deduplicate findings due to anchors

Test Plan

(to be addressed due to #1583)

Resolved conflict in anchors.rs test - kept deduplication fix behavior
where findings from YAML anchors are correctly suppressed.
@DarkaMaul
Contributor Author

Still a WIP, because it fails many more tests than I expected.

For instance,

with patch

cargo run -- --persona=pedantic crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml
   Compiling zizmor v1.22.0 (/Users/dm/Projects/STF/zizmor-duplicate-findings/crates/zizmor)
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 1.72s
     Running `target/debug/zizmor --persona=pedantic crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml`
🌈 zizmor v1.22.0
 INFO audit: zizmor: 🌈 completed crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml
warning[excessive-permissions]: overly broad permissions
  --> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:1:1
   |
 1 | / on: [push]
 2 | |
 3 | | name: use-trusted-publishing
...  |
37 | |         env:
38 | |           NUGET_API_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
   | |__________________________________________________________________^ default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

info[use-trusted-publishing]: prefer trusted publishing for authentication
  --> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:12:14
   |
12 |         run: nuget push foo.nupkg
   |         ---  ^^^^^^^^^^^^^^^^^^^^ this command
   |         |
   |         this step
   |
   = note: audit confidence → High

info[use-trusted-publishing]: prefer trusted publishing for authentication
  --> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:15:14
   |
15 |         run: nuget.exe push foo.nupkg
   |         ---  ^^^^^^^^^^^^^^^^^^^^^^^^ this command
   |         |
   |         this step
   |
   = note: audit confidence → High

info[use-trusted-publishing]: prefer trusted publishing for authentication
  --> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:18:14
   |
18 |         run: dotnet nuget push foo.nupkg
   |         ---  ^^^^^^^^^^^^^^^^^^^^^^^^^^^ this command
   |         |
   |         this step
   |
   = note: audit confidence → High

help[undocumented-permissions]: permissions without explanatory comments
  --> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:24:7
   |
24 |       id-token: write
   |       ^^^^^^^^^^^^^^^ needs an explanatory comment
   |
   = note: audit confidence → High

help[concurrency-limits]: insufficient job-level concurrency limits
  --> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:1:1
   |
 1 | / on: [push]
 2 | |
 3 | | name: use-trusted-publishing
...  |
37 | |         env:
38 | |           NUGET_API_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
   | |__________________________________________________________________^ missing concurrency setting
   |
   = note: audit confidence → High

6 findings: 3 informational, 2 low, 1 medium, 0 high

from main

cargo run -- --persona=pedantic crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml
   Compiling zizmor v1.22.0 (/Users/dm/Projects/STF/zizmor/crates/zizmor)
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 1.67s
     Running `target/debug/zizmor --persona=pedantic crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml`
🌈 zizmor v1.22.0
 INFO audit: zizmor: 🌈 completed crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml
warning[excessive-permissions]: overly broad permissions
  --> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:1:1
   |
 1 | / on: [push]
 2 | |
 3 | | name: use-trusted-publishing
...  |
37 | |         env:
38 | |           NUGET_API_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
   | |__________________________________________________________________^ default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

info[use-trusted-publishing]: prefer trusted publishing for authentication
  --> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:12:14
   |
12 |         run: nuget push foo.nupkg
   |         ---  ^^^^^^^^^^^^^^^^^^^^ this command
   |         |
   |         this step
   |
   = note: audit confidence → High

info[use-trusted-publishing]: prefer trusted publishing for authentication
  --> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:15:14
   |
15 |         run: nuget.exe push foo.nupkg
   |         ---  ^^^^^^^^^^^^^^^^^^^^^^^^ this command
   |         |
   |         this step
   |
   = note: audit confidence → High

info[use-trusted-publishing]: prefer trusted publishing for authentication
  --> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:18:14
   |
18 |         run: dotnet nuget push foo.nupkg
   |         ---  ^^^^^^^^^^^^^^^^^^^^^^^^^^^ this command
   |         |
   |         this step
   |
   = note: audit confidence → High

help[undocumented-permissions]: permissions without explanatory comments
  --> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:24:7
   |
24 |       id-token: write
   |       ^^^^^^^^^^^^^^^ needs an explanatory comment
   |
   = note: audit confidence → High

help[concurrency-limits]: insufficient job-level concurrency limits
  --> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:1:1
   |
 1 | / on: [push]
 2 | |
 3 | | name: use-trusted-publishing
...  |
37 | |         env:
38 | |           NUGET_API_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
   | |__________________________________________________________________^ missing concurrency setting
   |
   = note: audit confidence → High

help[concurrency-limits]: insufficient job-level concurrency limits
  --> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:1:1
   |
 1 | / on: [push]
 2 | |
 3 | | name: use-trusted-publishing
...  |
37 | |         env:
38 | |           NUGET_API_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
   | |__________________________________________________________________^ missing concurrency setting
   |
   = note: audit confidence → High

7 findings: 3 informational, 3 low, 1 medium, 0 high

The concurrency-limits seems to be a duplicate here, but I'm not sure yet why it appears twice.
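The two runs above differ only in the `concurrency-limits` finding that is reported twice at the same location. The script below is an added example (not part of this PR or of zizmor itself) that reads zizmor's human-readable output, keys each finding on rule id plus `path:line:col`, and reports which keys occur more than once, which is a quick way to confirm a duplicate of this kind before or after a fix. The sample text is a constructed, abbreviated version of the "from main" output quoted above (header and location lines only), and the line formats it matches are assumed from that output.

```python
import re
from collections import Counter

# Constructed sample: the header and location lines of the seven findings
# zizmor reported on main in the comment above, not a verbatim capture.
SAMPLE_OUTPUT = """\
warning[excessive-permissions]: overly broad permissions
  --> nuget-push.yml:1:1
info[use-trusted-publishing]: prefer trusted publishing for authentication
  --> nuget-push.yml:12:14
info[use-trusted-publishing]: prefer trusted publishing for authentication
  --> nuget-push.yml:15:14
info[use-trusted-publishing]: prefer trusted publishing for authentication
  --> nuget-push.yml:18:14
help[undocumented-permissions]: permissions without explanatory comments
  --> nuget-push.yml:24:7
help[concurrency-limits]: insufficient job-level concurrency limits
  --> nuget-push.yml:1:1
help[concurrency-limits]: insufficient job-level concurrency limits
  --> nuget-push.yml:1:1
"""

# Assumed shapes of the two lines that open every finding in the quoted output:
#   <severity>[<rule-id>]: <message>
#     --> <path>:<line>:<col>
HEADER_RE = re.compile(r"^(warning|info|help|error)\[([a-z0-9-]+)\]: (.*)$")
LOCATION_RE = re.compile(r"^\s*--> (.+):(\d+):(\d+)\s*$")


def parse_findings(text):
    """Return one (severity, rule, path, line, col) tuple per finding.

    A header line is remembered until its '-->' location line arrives; the
    annotated source excerpt that follows each finding is ignored.
    """
    findings = []
    pending = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = LOCATION_RE.match(raw)
        if m and pending is not None:
            findings.append(pending + (m.group(1), int(m.group(2)), int(m.group(3))))
            pending = None
    return findings


def duplicate_findings(findings):
    """Map each (rule, path, line, col) key seen more than once to its count.

    Severity is left out of the key so that the same rule firing twice at the
    same location is caught even if it were ever reported at different levels.
    """
    counts = Counter(f[1:] for f in findings)
    return {key: n for key, n in counts.items() if n > 1}


def dedupe(findings):
    """Keep the first occurrence of each key, preserving report order."""
    seen = set()
    unique = []
    for f in findings:
        key = f[1:]
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


if __name__ == "__main__":
    parsed = parse_findings(SAMPLE_OUTPUT)
    print(f"{len(parsed)} findings parsed, {len(dedupe(parsed))} unique")
    for (rule, path, line, col), n in duplicate_findings(parsed).items():
        print(f"duplicate: {rule} at {path}:{line}:{col} reported {n} times")
```

Note that the three `use-trusted-publishing` findings share a rule id but sit on different lines, so they are correctly kept apart; only the repeated `concurrency-limits` finding at `1:1` collapses, taking the total from 7 to 6 as in the patched run.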

@DarkaMaul
Contributor Author

Blocked by #1626
