
Comments (13)

carltonmason commented on May 25, 2024

I believe they will, @gal-legit. Thanks.

from legitify.

gal-legit commented on May 25, 2024

@carltonmason, That's awesome! Thanks for the feedback! We hope that the report was helpful :)
We'll release a new official version shortly.

p.s. for security reasons, we recommend redacting the names of private repositories in your comment.

gal-legit commented on May 25, 2024

After some research, we found that:
https://github.blog/changelog/2021-03-04-authentication-token-format-updates/

That means that for backward compatibility, we need to support either:

  • 40 characters including the ghp_ prefix
  • 36 characters without any prefix

The other prefixes (gho_/ghu_/ghs_/ghr_) are irrelevant, as they cannot be used for legitify anyway.
@carltonmason can you please confirm that the rules defined above would work for your PAT?

from legitify.
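The two accepted shapes above, as an added example in Go that is not legitify's own code: a validator that accepts a ghp_-prefixed token of 40 characters or an unprefixed token of the 36-character length stated in this thread, rejects the gho_/ghu_/ghs_/ghr_ prefixes by name, and never echoes the token in the error it returns (the redaction the earlier comment recommends for the issue thread applies to logs just as much). The character classes (base62 after the prefix, lowercase hex for the legacy form) and the sample tokens are assumptions, not something the thread states.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Token rules as stated in the thread (illustrative, not legitify's code):
//   - new-style PAT: "ghp_" followed by 36 characters, 40 in total
//   - legacy PAT: 36 characters with no prefix
// The character classes are assumptions: base62 for the new format,
// lowercase hex for the legacy one.
var (
	newPAT    = regexp.MustCompile(`^ghp_[A-Za-z0-9]{36}$`)
	legacyPAT = regexp.MustCompile(`^[0-9a-f]{36}$`)
)

// Prefixes from the same GitHub changelog that are not personal access
// tokens: OAuth access (gho_), user-to-server (ghu_), server-to-server
// (ghs_) and refresh (ghr_) tokens. legitify cannot use any of them.
var nonPATPrefixes = []string{"gho_", "ghu_", "ghs_", "ghr_"}

var (
	ErrNotPAT    = errors.New("token is not a personal access token")
	ErrBadFormat = errors.New("token does not match a known PAT format")
)

// ValidatePAT returns "ghp" or "legacy" for an accepted token. Errors carry
// only the prefix, the length and a redacted form, never the token itself.
func ValidatePAT(tok string) (string, error) {
	tok = strings.TrimSpace(tok)
	for _, p := range nonPATPrefixes {
		if strings.HasPrefix(tok, p) {
			return "", fmt.Errorf("%w: prefix %q", ErrNotPAT, p)
		}
	}
	switch {
	case newPAT.MatchString(tok):
		return "ghp", nil
	case legacyPAT.MatchString(tok):
		return "legacy", nil
	}
	return "", fmt.Errorf("%w (length %d, redacted %s)", ErrBadFormat, len(tok), Redact(tok))
}

// Redact keeps the first four and last four characters so a log line can be
// matched to a token in a secret store without disclosing it.
func Redact(tok string) string {
	if len(tok) <= 8 {
		return strings.Repeat("*", len(tok))
	}
	return tok[:4] + strings.Repeat("*", len(tok)-8) + tok[len(tok)-4:]
}

func main() {
	// Constructed sample tokens, not real credentials.
	samples := []string{
		"ghp_" + strings.Repeat("A", 36), // new-style PAT, accepted
		strings.Repeat("a", 36),          // legacy PAT per the thread's rule, accepted
		"gho_" + strings.Repeat("B", 36), // OAuth token, rejected by prefix
		"ghp_short",                      // wrong length, rejected
	}
	for _, s := range samples {
		kind, err := ValidatePAT(s)
		fmt.Printf("%-44s kind=%q err=%v\n", Redact(s), kind, err)
	}
}
```

The same check is cheap to run before any network call, which turns a confusing 401 from the API into a clear local error, and it is the natural place to make sure the token is not written to error.log.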

gal-legit commented on May 25, 2024

@carltonmason Great! I'm closing the issue for now.
Just note that in order to run the original command with your server you'd need to do either of the following:

go run main.go analyze --server-url https://github.ibm.com/ --org CICD-CPP-Ops --namespace repository

Or:

export SERVER_URL=https://github.ibm.com/
go run main.go analyze --org CICD-CPP-Ops --namespace repository

carltonmason commented on May 25, 2024

@gal-legit thanks, I just tried and it doesn't complain about my GH token anymore. I didn't get any output related to pass or fail though...

go run main.go analyze --org CICD-CPP-Ops --namespace repository
 ___      _______  _______  ___   _______  ___   _______  __   __
|   |    |       ||       ||   | |       ||   | |       ||  | |  |
|   |    |    ___||    ___||   | |_     _||   | |    ___||  |_|  |
|   |    |   |___ |   | __ |   |   |   |  |   | |   |___ |       |
|   |___ |    ___||   ||  ||   |   |   |  |   | |    ___||_     _|
|       ||   |___ |   |_| ||   |   |   |  |   | |   |      |   |
|_______||_______||_______||___|   |___|  |___| |___|      |___|
By Legit Security

Note: to get the OpenSSF scorecard results for the organization repositories use the --scorecard option

Gathering collection metadata...
repository 7 / 7 [==============================================================] 100 %

Findings summary:
+---+-----------+--------+----------+--------+--------+---------+
| # | Namespace | Policy | Severity | Passed | Failed | Skipped |
+---+-----------+--------+----------+--------+--------+---------+

noamd-legit commented on May 25, 2024

Hey @carltonmason,
The issue is fixed in the main branch. Could you check it out? We want to make sure it works as expected before we publish a release with GHES support.

carltonmason commented on May 25, 2024

@noamd-legit Sorry for the delay, I was out on vacation for a few days last week. I can't get it to build now.

go run main.go analyze --server-url https://github.ibm.com/ --org CICD-CPP-Ops --namespace repository
go: downloading github.com/google/go-github v17.0.0+incompatible
/Users/ckmason/.go/pkg/mod/github.com/ossf/scorecard/[email protected]/clients/githubrepo/branches.go:23:2: github.com/google/[email protected]+incompatible: reading https://proxy.golang.org/github.com/google/go-github/@v/v17.0.0+incompatible.zip: 401 Unauthorized
/Users/ckmason/.go/pkg/mod/github.com/bradleyfalzon/ghinstallation/[email protected]/transport.go:15:2: github.com/google/[email protected]+incompatible: reading https://proxy.golang.org/github.com/google/go-github/@v/v17.0.0+incompatible.zip: 401 Unauthorized
internal/collected/github/organization.go:7:2: github.com/google/[email protected]+incompatible: reading https://proxy.golang.org/github.com/google/go-github/@v/v17.0.0+incompatible.zip: 401 Unauthorized

gal-legit commented on May 25, 2024

@carltonmason
the unauthorized responses are weird; I tried reaching those addresses without credentials, and they work for me. Maybe you have a mirror in your internal network?
Anyway, I ran mod vendor locally and pushed it on branch gofri/mod_vendor.
Can you please use this branch and run the following commands to see if it works?

git fetch && git checkout gofri/mod_vendor
go build -mod vendor
./legitify analyze --server-url https://github.ibm.com/ --org CICD-CPP-Ops --namespace repository

p.s. as @noamd-legit mentioned, we plan on releasing an official release once we confirm that it works for you, so you'll be able to take the binaries off-the-shelf.

carltonmason commented on May 25, 2024

@gal-legit thanks, I was able to build everything, but I'm not getting any output:

./legitify analyze --server-url https://github.ibm.com/ --org CICD-CPP-Ops --namespace repository
 ___      _______  _______  ___   _______  ___   _______  __   __
|   |    |       ||       ||   | |       ||   | |       ||  | |  |
|   |    |    ___||    ___||   | |_     _||   | |    ___||  |_|  |
|   |    |   |___ |   | __ |   |   |   |  |   | |   |___ |       |
|   |___ |    ___||   ||  ||   |   |   |  |   | |    ___||_     _|
|       ||   |___ |   |_| ||   |   |   |  |   | |   |      |   |
|_______||_______||_______||___|   |___|  |___| |___|      |___|
By Legit Security

Note: to get the OpenSSF scorecard results for the organization repositories use the --scorecard option

Gathering collection metadata...

Findings summary:
+---+-----------+--------+----------+--------+--------+---------+
| # | Namespace | Policy | Severity | Passed | Failed | Skipped |
+---+-----------+--------+----------+--------+--------+---------+

I tried using a different GHE org and it at least shows "Gathering collection metadata"... but no real report.

./legitify analyze --server-url https://github.ibm.com/ --org Tron --namespace repository --scorecard yes
 ___      _______  _______  ___   _______  ___   _______  __   __
|   |    |       ||       ||   | |       ||   | |       ||  | |  |
|   |    |    ___||    ___||   | |_     _||   | |    ___||  |_|  |
|   |    |   |___ |   | __ |   |   |   |  |   | |   |___ |       |
|   |___ |    ___||   ||  ||   |   |   |  |   | |    ___||_     _|
|       ||   |___ |   |_| ||   |   |   |  |   | |   |      |   |
|_______||_______||_______||___|   |___|  |___| |___|      |___|
By Legit Security

Gathering collection metadata...
repository 135 / 135 [==============================================================] 100 %

Findings summary:
+---+-----------+--------+----------+--------+--------+---------+
| # | Namespace | Policy | Severity | Passed | Failed | Skipped |
+---+-----------+--------+----------+--------+--------+---------+

gal-legit commented on May 25, 2024

@carltonmason
That's weird. We tried to test it on several different instances and didn't get any problems.
Can you please share the error.log file you get?

p.s. feel free to contact us at [email protected] or [email protected] if the logs contain anything confidential.

carltonmason commented on May 25, 2024

OK, getting further now, the error.log was helpful.

2022/11/29 08:15:42 Using Github Enterprise Endpoint: https://github.ibm.com

2022/11/29 08:15:42 failed to collect organization User has no access to the requested organization: ckmason

I fixed my GITHUB_TOKEN value and can now re-run. Not getting any output to stdout, but the error.log contains some hopefully useful content:

./legitify analyze --server-url https://github.ibm.com/ --org CICD-CPP-Ops --namespace repository
 ___      _______  _______  ___   _______  ___   _______  __   __
|   |    |       ||       ||   | |       ||   | |       ||  | |  |
|   |    |    ___||    ___||   | |_     _||   | |    ___||  |_|  |
|   |    |   |___ |   | __ |   |   |   |  |   | |   |___ |       |
|   |___ |    ___||   ||  ||   |   |   |  |   | |    ___||_     _|
|       ||   |___ |   |_| ||   |   |   |  |   | |   |      |   |
|_______||_______||_______||___|   |___|  |___| |___|      |___|
By Legit Security

Note: to get the OpenSSF scorecard results for the organization repositories use the --scorecard option

Gathering collection metadata...
repository 7 / 7 [==============================================================] 100 %

Findings summary:
+---+-----------+--------+----------+--------+--------+---------+
| # | Namespace | Policy | Severity | Passed | Failed | Skipped |
+---+-----------+--------+----------+--------+--------+---------+
ckmason@cartons-mbp:legitify (gofri/mod_vendor)$ cat error.log
2022/11/29 08:18:50 Using Github Enterprise Endpoint: https://github.ibm.com

2022/11/29 08:18:51 attempt 1/5 failed: collect repositories for CICD-CPP-Ops with err: Field 'blocksCreations' doesn't exist on type 'BranchProtectionRule'
2022/11/29 08:18:51 attempt 2/5 failed: collect repositories for CICD-CPP-Ops with err: Field 'blocksCreations' doesn't exist on type 'BranchProtectionRule'
2022/11/29 08:18:51 attempt 3/5 failed: collect repositories for CICD-CPP-Ops with err: Field 'blocksCreations' doesn't exist on type 'BranchProtectionRule'
2022/11/29 08:18:51 attempt 4/5 failed: collect repositories for CICD-CPP-Ops with err: Field 'blocksCreations' doesn't exist on type 'BranchProtectionRule'
2022/11/29 08:18:51 attempt 5/5 failed: collect repositories for CICD-CPP-Ops with err: Field 'blocksCreations' doesn't exist on type 'BranchProtectionRule'
2022/11/29 08:18:51 all 5 attempts failed (collect repositories for CICD-CPP-Ops) with err: Field 'blocksCreations' doesn't exist on type 'BranchProtectionRule'
2022/11/29 08:18:51

gal-legit commented on May 25, 2024

@carltonmason thanks for sharing the logs.
Looks like you're using EE version <3.5 (v3.4 vs v3.5).
We'll add backward compatibility for that as well. Meanwhile, I pushed a commit that removes this field to gofri/mod_vendor; please pull and retry.

@noamd-legit FYI, I think we can omit it altogether for now since we don't have a policy for that anyway

from legitify.
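The fallback described above, as an added example in Go that is not legitify's own code: it recognises the GraphQL validation error an older GHES returns for a field its schema does not have, drops that field from the BranchProtectionRule selection and retries, and passes every other error through unchanged so a 401 or a network failure is never masked as a schema problem. The field list, the fakeGHES34 stand-in for a 3.4 server and the retry budget are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// unknownField matches the validation error seen in the thread, e.g.
// "Field 'blocksCreations' doesn't exist on type 'BranchProtectionRule'".
var unknownField = regexp.MustCompile(`Field '([A-Za-z_][A-Za-z0-9_]*)' doesn't exist on type '([A-Za-z_][A-Za-z0-9_]*)'`)

// ParseUnknownField extracts (field, type) from such an error; ok is false
// for any other error text.
func ParseUnknownField(msg string) (field, typ string, ok bool) {
	m := unknownField.FindStringSubmatch(msg)
	if m == nil {
		return "", "", false
	}
	return m[1], m[2], true
}

// BranchProtectionSelection builds the selection set for a
// BranchProtectionRule, leaving out fields the server already rejected.
// The field list is illustrative, not legitify's real query.
func BranchProtectionSelection(dropped map[string]bool) string {
	fields := []string{
		"pattern", "requiresApprovingReviews", "requiredApprovingReviewCount",
		"dismissesStaleReviews", "requiresStatusChecks", "allowsForcePushes",
		"allowsDeletions", "blocksCreations", // blocksCreations: GHES >= 3.5 only
	}
	var keep []string
	for _, f := range fields {
		if !dropped[f] {
			keep = append(keep, f)
		}
	}
	return "branchProtectionRules(first: 100) { nodes { " + strings.Join(keep, " ") + " } }"
}

// Execute stands in for a GraphQL client so the logic can be exercised
// against a fake server.
type Execute func(query string) (string, error)

// QueryWithFallback runs the query; whenever the server reports an unknown
// field on BranchProtectionRule it removes that field and retries, up to
// maxRetries times. Other errors, and a repeated rejection of a field that
// was already dropped, are returned unchanged.
func QueryWithFallback(exec Execute, maxRetries int) (result string, dropped []string, err error) {
	drop := map[string]bool{}
	for attempt := 0; attempt <= maxRetries; attempt++ {
		result, err = exec(BranchProtectionSelection(drop))
		if err == nil {
			return result, dropped, nil
		}
		field, typ, ok := ParseUnknownField(err.Error())
		if !ok || typ != "BranchProtectionRule" || drop[field] {
			return "", dropped, err
		}
		drop[field] = true
		dropped = append(dropped, field)
	}
	return "", dropped, fmt.Errorf("gave up after %d retries: %w", maxRetries, err)
}

// fakeGHES34 emulates a 3.4 instance: any query naming blocksCreations is
// rejected with the exact error text from the thread (assumed behaviour).
func fakeGHES34(query string) (string, error) {
	if strings.Contains(query, "blocksCreations") {
		return "", errors.New("Field 'blocksCreations' doesn't exist on type 'BranchProtectionRule'")
	}
	return `{"data":{"repository":{"branchProtectionRules":{"nodes":[]}}}}`, nil
}

func main() {
	res, dropped, err := QueryWithFallback(fakeGHES34, 3)
	fmt.Printf("result=%s\ndropped=%v err=%v\n", res, dropped, err)
}
```

Retrying the identical query five times, as the log above shows, cannot succeed against a schema that lacks the field; the retry only helps if each attempt changes the query. Dropping a field also means the policy that depends on it must be reported as skipped rather than passed on that instance.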

carltonmason commented on May 25, 2024

Alright, it worked! Finally get to see a report. FYI, contents of error.log below. Note also that our version of GHE doesn't yet support GH Actions.

cat error.log
2022/11/29 08:58:48 Using Github Enterprise Endpoint: https://github.ibm.com

2022/11/29 08:58:50 error getting repository actions settings for CICD-CPP-Ops/docs: GET https://github.ibm.com/api/v3/repos/CICD-CPP-Ops/docs/actions/permissions/workflow: 404 Not Found []
2022/11/29 08:58:50 error getting repository actions settings for CICD-CPP-Ops/scd-argocd-backup-and-restore-evidence: GET https://github.ibm.com/api/v3/repos/CICD-CPP-Ops/scd-argocd-backup-and-restore-evidence/actions/permissions/workflow: 404 Not Found []
2022/11/29 08:58:50 error getting repository actions settings for CICD-CPP-Ops/scd-argocd-backup-and-restore-ci: GET https://github.ibm.com/api/v3/repos/CICD-CPP-Ops/scd-argocd-backup-and-restore-ci/actions/permissions/workflow: 404 Not Found []
2022/11/29 08:58:50 error getting repository actions settings for CICD-CPP-Ops/scd-argocd-backup-and-restore: GET https://github.ibm.com/api/v3/repos/CICD-CPP-Ops/scd-argocd-backup-and-restore/actions/permissions/workflow: 404 Not Found []
2022/11/29 08:58:50 error getting repository actions settings for CICD-CPP-Ops/scd-argocd-backup-and-restore-issues: GET https://github.ibm.com/api/v3/repos/CICD-CPP-Ops/scd-argocd-backup-and-restore-issues/actions/permissions/workflow: 404 Not Found []
2022/11/29 08:58:50 error getting repository dependency manifests for CICD-CPP-Ops/scd-argocd-backup-and-restore-evidence: Field 'dependencyGraphManifests' doesn't exist on type 'Repository'
2022/11/29 08:58:50 error getting repository actions settings for CICD-CPP-Ops/argocd-install: GET https://github.ibm.com/api/v3/repos/CICD-CPP-Ops/argocd-install/actions/permissions/workflow: 404 Not Found []
2022/11/29 08:58:50 error getting repository actions settings for CICD-CPP-Ops/scd-argocd-backup-and-restore-inventory: GET https://github.ibm.com/api/v3/repos/CICD-CPP-Ops/scd-argocd-backup-and-restore-inventory/actions/permissions/workflow: 404 Not Found []
2022/11/29 08:58:50 error getting repository dependency manifests for CICD-CPP-Ops/docs: Field 'dependencyGraphManifests' doesn't exist on type 'Repository'
2022/11/29 08:58:51 error getting repository dependency manifests for CICD-CPP-Ops/scd-argocd-backup-and-restore-ci: Field 'dependencyGraphManifests' doesn't exist on type 'Repository'
2022/11/29 08:58:51 error getting scorecard result for scd-argocd-backup-and-restore-ci: getting local directory client: error in IsValid: unsupported host: github.ibm.com
2022/11/29 08:58:51 error getting repository dependency manifests for CICD-CPP-Ops/scd-argocd-backup-and-restore: Field 'dependencyGraphManifests' doesn't exist on type 'Repository'
2022/11/29 08:58:51 error getting scorecard result for scd-argocd-backup-and-restore: getting local directory client: error in IsValid: unsupported host: github.ibm.com
2022/11/29 08:58:51 error getting repository dependency manifests for CICD-CPP-Ops/scd-argocd-backup-and-restore-issues: Field 'dependencyGraphManifests' doesn't exist on type 'Repository'
2022/11/29 08:58:51 error getting repository dependency manifests for CICD-CPP-Ops/scd-argocd-backup-and-restore-inventory: Field 'dependencyGraphManifests' doesn't exist on type 'Repository'
2022/11/29 08:58:51 error getting scorecard result for scd-argocd-backup-and-restore-evidence: getting local directory client: error in IsValid: unsupported host: github.ibm.com
2022/11/29 08:58:51 error getting repository dependency manifests for CICD-CPP-Ops/argocd-install: Field 'dependencyGraphManifests' doesn't exist on type 'Repository'
2022/11/29 08:58:51 error getting scorecard result for argocd-install: getting local directory client: error in IsValid: unsupported host: github.ibm.com
2022/11/29 08:58:51 error getting scorecard result for docs: getting local directory client: error in IsValid: unsupported host: github.ibm.com
2022/11/29 08:58:51 error getting scorecard result for scd-argocd-backup-and-restore-issues: getting local directory client: error in IsValid: unsupported host: github.ibm.com
2022/11/29 08:58:51 error getting scorecard result for scd-argocd-backup-and-restore-inventory: getting local directory client: error in IsValid: unsupported host: github.ibm.com
2022/11/29 08:58:51 missing permission: "repo" on:
    - repository:CICD-CPP-Ops/argocd-install [Cannot read repository actions settings]
    - repository:CICD-CPP-Ops/docs [Cannot read repository actions settings]
    - repository:CICD-CPP-Ops/scd-argocd-backup-and-restore [Cannot read repository actions settings]
    - repository:CICD-CPP-Ops/scd-argocd-backup-and-restore-ci [Cannot read repository actions settings]
    - repository:CICD-CPP-Ops/scd-argocd-backup-and-restore-evidence [Cannot read repository actions settings]
    - repository:CICD-CPP-Ops/scd-argocd-backup-and-restore-inventory [Cannot read repository actions settings]
    - repository:CICD-CPP-Ops/scd-argocd-backup-and-restore-issues [Cannot read repository actions settings]

from legitify.
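A triage pass over an error.log of the shape above, as an added example in Go that is not legitify's own code: it sorts the lines into Actions-endpoint 404s, GraphQL fields missing from the GHES schema, the Scorecard client rejecting the host, organization access failures and the closing missing-permission summary, so an operator can tell instance limitations from token problems. The sample log is constructed from the patterns in this thread with a placeholder host and organization; the category names and the hints are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

type Category string

const (
	CatActionsUnavailable Category = "actions-unavailable"
	CatSchemaField        Category = "schema-field-missing"
	CatScorecardHost      Category = "scorecard-unsupported-host"
	CatOrgAccess          Category = "org-access"
	CatPermissionSummary  Category = "permission-summary"
	CatOther              Category = "other"
)

// Patterns taken from the error.log lines in the thread.
var (
	reActions404 = regexp.MustCompile(`error getting repository actions settings for ([^\s:]+): GET \S+/actions/permissions/workflow: 404`)
	reSchema     = regexp.MustCompile(`Field '(\w+)' doesn't exist on type '(\w+)'`)
	reScorecard  = regexp.MustCompile(`error getting scorecard result for ([^\s:]+):.*unsupported host: (\S+)`)
	reOrgAccess  = regexp.MustCompile(`User has no access to the requested organization: (\S+)`)
	rePermission = regexp.MustCompile(`missing permission: "([^"]+)"`)
	rePermRepo   = regexp.MustCompile(`^\s*- repository:([^\s\[]+)`)
)

type Finding struct {
	Category Category
	Subject  string // repository, type.field, organization or scope
}

// Classify assigns one log line to a category; timestamps are ignored.
func Classify(line string) Finding {
	if m := reActions404.FindStringSubmatch(line); m != nil {
		return Finding{CatActionsUnavailable, m[1]}
	}
	if m := reSchema.FindStringSubmatch(line); m != nil {
		return Finding{CatSchemaField, m[2] + "." + m[1]}
	}
	if m := reScorecard.FindStringSubmatch(line); m != nil {
		return Finding{CatScorecardHost, m[1] + " on " + m[2]}
	}
	if m := reOrgAccess.FindStringSubmatch(line); m != nil {
		return Finding{CatOrgAccess, m[1]}
	}
	if m := rePermission.FindStringSubmatch(line); m != nil {
		return Finding{CatPermissionSummary, m[1]}
	}
	if m := rePermRepo.FindStringSubmatch(line); m != nil {
		return Finding{CatPermissionSummary, m[1]}
	}
	return Finding{CatOther, strings.TrimSpace(line)}
}

// Triage groups every non-empty line of the log by category.
func Triage(log string) map[Category][]string {
	out := map[Category][]string{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		if strings.TrimSpace(sc.Text()) == "" {
			continue
		}
		f := Classify(sc.Text())
		out[f.Category] = append(out[f.Category], f.Subject)
	}
	return out
}

// Hint is the reading this example gives each category on a GHES instance.
func Hint(c Category) string {
	switch c {
	case CatActionsUnavailable:
		return "404 from the Actions endpoint: Actions is not available on this instance, not a token-scope problem"
	case CatSchemaField:
		return "field absent from this GHES version's GraphQL schema; the query needs a fallback"
	case CatScorecardHost:
		return "the Scorecard client rejected the host; run without --scorecard here"
	case CatOrgAccess:
		return "the token's user cannot see the organization; check GITHUB_TOKEN and membership"
	case CatPermissionSummary:
		return "reported as a missing scope; compare with actions-unavailable before changing the token"
	}
	return ""
}

// Constructed sample log modelled on the thread, with placeholder names.
const sampleLog = `2022/11/29 08:58:48 Using Github Enterprise Endpoint: https://ghe.example.com

2022/11/29 08:58:50 error getting repository actions settings for example-org/docs: GET https://ghe.example.com/api/v3/repos/example-org/docs/actions/permissions/workflow: 404 Not Found []
2022/11/29 08:58:50 error getting repository actions settings for example-org/tooling: GET https://ghe.example.com/api/v3/repos/example-org/tooling/actions/permissions/workflow: 404 Not Found []
2022/11/29 08:58:50 error getting repository dependency manifests for example-org/docs: Field 'dependencyGraphManifests' doesn't exist on type 'Repository'
2022/11/29 08:58:51 error getting scorecard result for docs: getting local directory client: error in IsValid: unsupported host: ghe.example.com
2022/11/29 08:58:51 failed to collect organization User has no access to the requested organization: someuser
2022/11/29 08:58:51 missing permission: "repo" on:
    - repository:example-org/docs [Cannot read repository actions settings]
    - repository:example-org/tooling [Cannot read repository actions settings]
`

func main() {
	got := Triage(sampleLog)
	for _, c := range []Category{CatActionsUnavailable, CatSchemaField, CatScorecardHost, CatOrgAccess, CatPermissionSummary, CatOther} {
		if len(got[c]) == 0 {
			continue
		}
		fmt.Printf("%-28s %d  %s\n    %s\n", c, len(got[c]), Hint(c), strings.Join(got[c], ", "))
	}
}
```

In the log above, the repositories listed under the missing "repo" permission are exactly the ones whose Actions endpoint returned 404, which is why the permission-summary hint points back to the actions-unavailable category: on an instance without Actions, widening the token's scopes would not change that result.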
