fix: Deduplicate findings due to anchors#1584
Draft
DarkaMaul wants to merge 3 commits into zizmorcore:main from
Conversation
Resolved conflict in anchors.rs test - kept deduplication fix behavior where findings from YAML anchors are correctly suppressed.
Contributor
Author
Still a WIP, because it fails many more tests than I expected. For instance, with patch:

cargo run -- --persona=pedantic crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml
Compiling zizmor v1.22.0 (/Users/dm/Projects/STF/zizmor-duplicate-findings/crates/zizmor)
Finished `dev` profile [unoptimized + debuginfo] target(s) in 1.72s
Running `target/debug/zizmor --persona=pedantic crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml`
🌈 zizmor v1.22.0
INFO audit: zizmor: 🌈 completed crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml
warning[excessive-permissions]: overly broad permissions
--> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:1:1
|
1 | / on: [push]
2 | |
3 | | name: use-trusted-publishing
... |
37 | | env:
38 | | NUGET_API_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
| |__________________________________________________________________^ default permissions used due to no permissions: block
|
= note: audit confidence → Medium
info[use-trusted-publishing]: prefer trusted publishing for authentication
--> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:12:14
|
12 | run: nuget push foo.nupkg
| --- ^^^^^^^^^^^^^^^^^^^^ this command
| |
| this step
|
= note: audit confidence → High
info[use-trusted-publishing]: prefer trusted publishing for authentication
--> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:15:14
|
15 | run: nuget.exe push foo.nupkg
| --- ^^^^^^^^^^^^^^^^^^^^^^^^ this command
| |
| this step
|
= note: audit confidence → High
info[use-trusted-publishing]: prefer trusted publishing for authentication
--> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:18:14
|
18 | run: dotnet nuget push foo.nupkg
| --- ^^^^^^^^^^^^^^^^^^^^^^^^^^^ this command
| |
| this step
|
= note: audit confidence → High
help[undocumented-permissions]: permissions without explanatory comments
--> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:24:7
|
24 | id-token: write
| ^^^^^^^^^^^^^^^ needs an explanatory comment
|
= note: audit confidence → High
help[concurrency-limits]: insufficient job-level concurrency limits
--> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:1:1
|
1 | / on: [push]
2 | |
3 | | name: use-trusted-publishing
... |
37 | | env:
38 | | NUGET_API_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
| |__________________________________________________________________^ missing concurrency setting
|
= note: audit confidence → High
6 findings: 3 informational, 2 low, 1 medium, 0 high

from main:

cargo run -- --persona=pedantic crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml
Compiling zizmor v1.22.0 (/Users/dm/Projects/STF/zizmor/crates/zizmor)
Finished `dev` profile [unoptimized + debuginfo] target(s) in 1.67s
Running `target/debug/zizmor --persona=pedantic crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml`
🌈 zizmor v1.22.0
INFO audit: zizmor: 🌈 completed crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml
warning[excessive-permissions]: overly broad permissions
--> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:1:1
|
1 | / on: [push]
2 | |
3 | | name: use-trusted-publishing
... |
37 | | env:
38 | | NUGET_API_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
| |__________________________________________________________________^ default permissions used due to no permissions: block
|
= note: audit confidence → Medium
info[use-trusted-publishing]: prefer trusted publishing for authentication
--> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:12:14
|
12 | run: nuget push foo.nupkg
| --- ^^^^^^^^^^^^^^^^^^^^ this command
| |
| this step
|
= note: audit confidence → High
info[use-trusted-publishing]: prefer trusted publishing for authentication
--> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:15:14
|
15 | run: nuget.exe push foo.nupkg
| --- ^^^^^^^^^^^^^^^^^^^^^^^^ this command
| |
| this step
|
= note: audit confidence → High
info[use-trusted-publishing]: prefer trusted publishing for authentication
--> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:18:14
|
18 | run: dotnet nuget push foo.nupkg
| --- ^^^^^^^^^^^^^^^^^^^^^^^^^^^ this command
| |
| this step
|
= note: audit confidence → High
help[undocumented-permissions]: permissions without explanatory comments
--> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:24:7
|
24 | id-token: write
| ^^^^^^^^^^^^^^^ needs an explanatory comment
|
= note: audit confidence → High
help[concurrency-limits]: insufficient job-level concurrency limits
--> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:1:1
|
1 | / on: [push]
2 | |
3 | | name: use-trusted-publishing
... |
37 | | env:
38 | | NUGET_API_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
| |__________________________________________________________________^ missing concurrency setting
|
= note: audit confidence → High
help[concurrency-limits]: insufficient job-level concurrency limits
--> crates/zizmor/tests/integration/test-data/use-trusted-publishing/nuget-push.yml:1:1
|
1 | / on: [push]
2 | |
3 | | name: use-trusted-publishing
... |
37 | | env:
38 | | NUGET_API_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
| |__________________________________________________________________^ missing concurrency setting
|
= note: audit confidence → High
7 findings: 3 informational, 3 low, 1 medium, 0 high

The
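The two runs above differ only in the duplicated concurrency-limits finding, which is reported twice on main and once with the patch. The mechanism behind that is worth seeing in isolation: after parsing, a YAML anchor and every alias that refers to it resolve to one shared node, so a walker that visits the tree by path reaches the same node more than once and each visit produces a finding with the same source span. The example below is an added illustration, not zizmor's code; the `Node`, `Finding`, `audit_permissions` and `dedup` names and the toy audit rule are assumptions made for the example, and the document is a constructed stand-in for a workflow in which two jobs share one `permissions` block through an anchor.

```rust
use std::collections::HashSet;
use std::rc::Rc;

// Hypothetical, simplified model of a parsed YAML document (not zizmor's
// real AST). Shared `Rc<Node>` values stand in for what an anchor (`&x`)
// plus its aliases (`*x`) become once the parser resolves them.
#[allow(dead_code)]
#[derive(Debug)]
enum Node {
    Scalar { value: String, line: usize, col: usize },
    Map { entries: Vec<(String, Rc<Node>)>, line: usize, col: usize },
}

/// A finding as a toy audit would emit it. The location is the node's
/// *source* span, which is the same no matter which alias path reached it.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
struct Finding {
    audit: &'static str,
    message: String,
    line: usize,
    col: usize,
}

/// Toy audit (an assumption for this example): flag any `permissions` mapping
/// that has no explicit `contents` key. It walks every path in the tree, so an
/// anchored node reached through two aliases is visited, and flagged, twice.
fn audit_permissions(node: &Rc<Node>, out: &mut Vec<Finding>) {
    if let Node::Map { entries, .. } = node.as_ref() {
        for (key, child) in entries {
            if key == "permissions" {
                if let Node::Map { entries: perms, line, col } = child.as_ref() {
                    if !perms.iter().any(|(k, _)| k == "contents") {
                        out.push(Finding {
                            audit: "toy-permissions",
                            message: "no explicit contents permission".to_string(),
                            line: *line,
                            col: *col,
                        });
                    }
                }
            }
            audit_permissions(child, out);
        }
    }
}

/// Drop findings whose full identity (audit, message, span) was already seen,
/// keeping the first occurrence so output order is stable.
fn dedup(findings: Vec<Finding>) -> Vec<Finding> {
    let mut seen = HashSet::new();
    findings.into_iter().filter(|f| seen.insert(f.clone())).collect()
}

fn scalar(value: &str, line: usize, col: usize) -> Rc<Node> {
    Rc::new(Node::Scalar { value: value.to_string(), line, col })
}

/// Constructed document, equivalent to this YAML (line numbers are the spans):
///   1 jobs:
///   2   build:
///   3     permissions: &perms
///   4       id-token: write
///   5   publish:
///   6     permissions: *perms
fn sample_workflow() -> Rc<Node> {
    let perms = Rc::new(Node::Map {
        entries: vec![("id-token".to_string(), scalar("write", 4, 7))],
        line: 3,
        col: 5,
    });
    // Both jobs point at the *same* node, as the alias `*perms` would.
    let build = Rc::new(Node::Map {
        entries: vec![("permissions".to_string(), Rc::clone(&perms))],
        line: 2,
        col: 3,
    });
    let publish = Rc::new(Node::Map {
        entries: vec![("permissions".to_string(), Rc::clone(&perms))],
        line: 5,
        col: 3,
    });
    let jobs = Rc::new(Node::Map {
        entries: vec![("build".to_string(), build), ("publish".to_string(), publish)],
        line: 1,
        col: 1,
    });
    Rc::new(Node::Map { entries: vec![("jobs".to_string(), jobs)], line: 1, col: 1 })
}

/// Findings exactly as the path-based walker emits them: one per visit.
fn raw_findings() -> Vec<Finding> {
    let mut out = Vec::new();
    audit_permissions(&sample_workflow(), &mut out);
    out
}

/// The same findings after deduplication.
fn deduped_findings() -> Vec<Finding> {
    dedup(raw_findings())
}

fn main() {
    let raw = raw_findings();
    println!("before dedup: {} finding(s)", raw.len());
    for f in &deduped_findings() {
        println!("after dedup: {}:{} {} - {}", f.line, f.col, f.audit, f.message);
    }
}
```

The dedup key is the finding's full identity, and the span in it is the anchor's own source location, so a single fix at the anchor resolves every alias use and one report is enough. If an audit instead located its finding at the alias site (the `*perms` line), the two findings would carry different spans and both would survive; that is the case to check when deciding whether a duplicate is genuinely redundant.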
Contributor
Author
Blocked by #1626
Pre-submission checks
Please check these boxes:
Mandatory: This PR corresponds to an issue (if not, please create one first).
I hereby disclose the use of an LLM or other AI coding assistant in the creation of this PR. PRs will not be rejected for using AI tools, but will be rejected for undisclosed use.
If a checkbox is not applicable, you can leave it unchecked.
Summary
Deduplicate findings due to anchors
Test Plan
(to be addressed due to #1583)