🐛 do not include asName when creating digest of FROM name as asName by AdamKorcz · Pull Request #4683 · ossf/scorecard · GitHub

Conversation

AdamKorcz
Contributor

What kind of change does this PR introduce?

(Is it a bug fix, feature, docs update, something else?)

bug fix

What is the current behavior?

When calculating the digest in remediation, Scorecard would do that from python:3.7:build when the line was FROM python:3.7 as build. This would lead to issues such as #2906.

We are creating the digest on the following lines:

name, ok := dockerImageName(dep)
if !ok {
return nil
}
hash, err := digester.Digest(name)
if err != nil {
return nil
}

From the PR, it should be clear that d.PinnedAt is assigned the wrong value; it gets assigned asPointer(asName) which is the root cause of the bug. digester.Digest(name) throws an error like: parsing reference "python:3.7:build": could not parse reference: python:3.7:build because of this.

What is the new behavior (if this is a feature change)?

With this change, we create the digest from python:3.7 in the same line as above.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #2906

Special notes for your reviewer

Does this PR introduce a user-facing change?

NONE

Ignore as-name with creating digest.

Signed-off-by: Adam Korczynski <adam@adalogics.com>
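To make the failure mode described above concrete, here is an added Go example; it is not scorecard's code, and scorecard's own dockerImageName and digester.Digest are not reproduced. The names parseFrom, buggyDigestInput, fixedDigestInput and validReference are hypothetical, and validReference is a deliberately simplified stand-in (an assumption) for the grammar check a real reference parser performs before it can resolve a tag to a digest. The Dockerfile lines in main are constructed inputs; the digest value in the last one is a placeholder.

```go
package main

import (
	"fmt"
	"strings"
)

// fromImage holds the parts of a Dockerfile FROM instruction that matter
// when pinning: the image reference and the optional stage name.
type fromImage struct {
	Ref    string // e.g. "python:3.7" (image + tag, or image@digest)
	AsName string // e.g. "build" for "FROM python:3.7 AS build"; "" if absent
}

// parseFrom splits a FROM line into its image reference and stage name.
// Instruction flags such as --platform=... are skipped; the "AS <name>"
// suffix is matched case-insensitively, as in Dockerfile syntax.
func parseFrom(line string) (fromImage, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 || !strings.EqualFold(fields[0], "FROM") {
		return fromImage{}, false
	}
	args := fields[1:]
	for len(args) > 0 && strings.HasPrefix(args[0], "--") {
		args = args[1:]
	}
	if len(args) == 0 {
		return fromImage{}, false
	}
	img := fromImage{Ref: args[0]}
	if len(args) >= 3 && strings.EqualFold(args[1], "AS") {
		img.AsName = args[2]
	}
	return img, true
}

// buggyDigestInput reproduces the pre-fix behaviour the PR describes:
// the stage name was glued onto the reference, giving "python:3.7:build".
func buggyDigestInput(img fromImage) string {
	if img.AsName == "" {
		return img.Ref
	}
	return img.Ref + ":" + img.AsName
}

// fixedDigestInput ignores the stage name; only the reference is digested.
func fixedDigestInput(img fromImage) string {
	return img.Ref
}

// validReference is a hypothetical, simplified check standing in for a real
// reference parser: the part after "@" must look like "algo:hex" (exactly
// one ":"), and the last path component of the name may carry at most one
// ":tag". A registry port such as "localhost:5000/img" is therefore allowed.
func validReference(ref string) bool {
	name, digest := ref, ""
	if i := strings.Index(ref, "@"); i >= 0 {
		name, digest = ref[:i], ref[i+1:]
	}
	if digest != "" && strings.Count(digest, ":") != 1 {
		return false
	}
	last := name
	if i := strings.LastIndex(name, "/"); i >= 0 {
		last = name[i+1:]
	}
	return last != "" && strings.Count(last, ":") <= 1
}

func main() {
	// Constructed sample lines; the sha256 value is a placeholder, not a real digest.
	for _, line := range []string{
		"FROM python:3.7 as build", // the case from the PR
		"FROM --platform=linux/amd64 alpine:3.20 AS base",
		"FROM ghcr.io/ossf/scorecard@sha256:0123 AS tool",
	} {
		img, ok := parseFrom(line)
		if !ok {
			fmt.Printf("%q: not a FROM instruction\n", line)
			continue
		}
		bad, good := buggyDigestInput(img), fixedDigestInput(img)
		fmt.Printf("%-50s buggy=%q (valid=%t) fixed=%q (valid=%t)\n",
			line, bad, validReference(bad), good, validReference(good))
	}
}
```

The point of the example is the second-order effect visible in the PR text: because the malformed "python:3.7:build" fails reference parsing, the digester returns an error, the remediation path returns nil, and the stage-named FROM line silently gets no pinning suggestion at all. Stripping the stage name before digesting restores the suggestion, which is why the fix belongs where the name is extracted rather than in error handling.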
@AdamKorcz AdamKorcz requested a review from a team as a code owner June 27, 2025 20:10
@AdamKorcz AdamKorcz requested review from justaugustus and raghavkaul and removed request for a team June 27, 2025 20:10
@AdamKorcz AdamKorcz temporarily deployed to integration-test June 27, 2025 20:11 — with GitHub Actions Inactive
@codecov

codecov bot commented Jun 27, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.88%. Comparing base (353ed60) to head (861a2b9).
⚠️ Report is 233 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4683      +/-   ##
==========================================
+ Coverage   66.80%   67.88%   +1.07%     
==========================================
  Files         230      249      +19     
  Lines       16602    19081    +2479     
==========================================
+ Hits        11091    12953    +1862     
- Misses       4808     5268     +460     
- Partials      703      860     +157     

@github-actions

github-actions bot commented Jul 8, 2025

This pull request has been marked stale because it has been open for 10 days with no activity

@AdamKorcz
Contributor Author

Please reopen

@github-actions

This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions bot added Stale and removed Stale labels Aug 14, 2025
@github-actions

This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions bot added the Stale label Aug 26, 2025
Member

@spencerschrock spencerschrock left a comment


/scdiff generate Pinned-Dependencies


@spencerschrock spencerschrock merged commit 954b5f7 into ossf:main Sep 10, 2025
38 checks passed
Successfully merging this pull request may close these issues.

BUG: Dockerfile named build stages with incomplete remediation report
