diff --git a/checks/evaluation/permissions/permissions.go b/checks/evaluation/permissions/permissions.go
index 8f0c1be5d2b..b8ca06796aa 100644
--- a/checks/evaluation/permissions/permissions.go
+++ b/checks/evaluation/permissions/permissions.go
@@ -63,6 +63,16 @@ func TokenPermissions(name string, c *checker.CheckRequest, r *checker.TokenPerm
 "GitHub workflow tokens follow principle of least privilege")
 }
 
+// avoid memory aliasing by returning a new copy.
+func newUint(u uint) *uint {
+ return &u
+}
+
+// avoid memory aliasing by returning a new copy.
+func newStr(s string) *string {
+ return &s
+}
+
 func applyScorePolicy(results *checker.TokenPermissionsData, c *checker.CheckRequest) (int, error) {
 // See list https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/.
 // Note: there are legitimate reasons to use some of the permissions like checks, deployments, etc.
@@ -83,10 +93,10 @@ func applyScorePolicy(results *checker.TokenPermissionsData, c *checker.CheckReq
 loc = &finding.Location{
 Type: r.File.Type,
 Path: r.File.Path,
- LineStart: &r.File.Offset,
+ LineStart: newUint(r.File.Offset),
 }
 if r.File.Snippet != "" {
- loc.Snippet = &r.File.Snippet
+ loc.Snippet = newStr(r.File.Snippet)
 }
 }
 
diff --git a/clients/git/client_test.go b/clients/git/client_test.go
index a51c5445120..98e132b9c9f 100644
--- a/clients/git/client_test.go
+++ b/clients/git/client_test.go
@@ -77,7 +77,7 @@ func createTestRepo(t *testing.T) (path string) {
 return dir
 }
 
-//nolint:testparallel
+//nolint:paralleltest
 func TestInitRepo(t *testing.T) {
 tests := []struct { //nolint:govet
 name string
@@ -147,7 +147,7 @@ func TestListCommits(t *testing.T) {
 }
 }
 
-//nolint:testparallel
+//nolint:paralleltest
 func TestSearch(t *testing.T) {
 testCases := []struct {
 name string
diff --git a/clients/gitlabrepo/issues_test.go b/clients/gitlabrepo/issues_test.go
index 09008842827..f61ee63fb0d 100644
--- a/clients/gitlabrepo/issues_test.go
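Review bot: The comment `// avoid memory aliasing by returning a new copy.` on `newUint` and `newStr` states what the helpers do but not why the call sites in `applyScorePolicy` need them, which is the thing a later maintainer will question when they see a copy of a plain `uint`. The second hunk suggests `r` is a per-iteration variable (its loop starts above that hunk, so this is inferred), in which case `&r.File.Offset` and `&r.File.Snippet` made every finding's `LineStart`/`Snippet` point at one variable and report the last iteration's values under pre-1.22 loop semantics — a wrong location on a security finding, not a cosmetic issue. I'd spell that out so the helpers are not removed as "redundant" once the module targets Go 1.22: `// newUint returns a pointer to a copy of u, so a finding built inside a loop does not point at the variable the next iteration overwrites.` (and the same wording for `newStr`). This commit also leaves three spellings of the same helper (`newStr` here, `strptr` in clients/gitlabrepo, `asPointer` in pkg); one shared helper would be easier to keep consistent.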
+++ b/clients/gitlabrepo/issues_test.go
@@ -50,10 +50,6 @@ func (s suffixStubTripper) RoundTrip(r *http.Request) (*http.Response, error) {
 }, nil
 }
 
-func strptr(s string) *string {
- return &s
-}
-
 func associationptr(r clients.RepoAssociation) *clients.RepoAssociation {
 return &r
 }
diff --git a/clients/gitlabrepo/workflows.go b/clients/gitlabrepo/workflows.go
index e90ef5e86d0..ff558b56d36 100644
--- a/clients/gitlabrepo/workflows.go
+++ b/clients/gitlabrepo/workflows.go
@@ -44,6 +44,11 @@ func (handler *workflowsHandler) listSuccessfulWorkflowRuns(filename string) ([]
 return workflowsRunsFrom(jobs, filename), nil
 }
 
+// avoid memory aliasing by returning a new copy.
+func strptr(s string) *string {
+ return &s
+}
+
 func workflowsRunsFrom(data []*gitlab.Job, filename string) []clients.WorkflowRun {
 var workflowRuns []clients.WorkflowRun
 for _, job := range data {
@@ -51,7 +56,7 @@ func workflowsRunsFrom(data []*gitlab.Job, filename string) []clients.WorkflowRu
 for _, artifact := range job.Artifacts {
 if strings.EqualFold(artifact.Filename, filename) {
 workflowRuns = append(workflowRuns, clients.WorkflowRun{
- HeadSHA: &job.Pipeline.Sha,
+ HeadSHA: strptr(job.Pipeline.Sha),
 URL: job.WebURL,
 })
 continue
diff --git a/pkg/json_raw_results.go b/pkg/json_raw_results.go
index 4be011aabd7..629bee123b9 100644
--- a/pkg/json_raw_results.go
+++ b/pkg/json_raw_results.go
@@ -331,7 +331,7 @@ func (r *jsonScorecardRawResult) addTokenPermissionsRawResults(tp *checker.Token
 Offset: t.File.Offset,
 }
 if t.File.Snippet != "" {
- p.File.Snippet = &t.File.Snippet
+ p.File.Snippet = asPointer(t.File.Snippet)
 }
 }
 
@@ -361,7 +361,7 @@ func (r *jsonScorecardRawResult) addPackagingRawResults(pk *checker.PackagingDat
 }
 
 if p.File.Snippet != "" {
- jpk.File.Snippet = &p.File.Snippet
+ jpk.File.Snippet = asPointer(p.File.Snippet)
 }
 
 for _, run := range p.Runs {
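Review bot: In `workflowsRunsFrom` the rationale attached to `strptr` ("avoid memory aliasing") does not match this call site: `job` ranges over `data []*gitlab.Job`, so the old `&job.Pipeline.Sha` already pointed into the per-job struct rather than at the loop variable, and there was no cross-iteration aliasing to fix here. The copy is still worth keeping, because it stops each returned `WorkflowRun` from retaining the struct it was cut from and from observing later mutation of that struct, so I'd say that instead: `// strptr returns a pointer to a copy of s, so a WorkflowRun neither keeps the gitlab.Job it came from reachable nor sees later changes to it.` This package previously had the identical helper in issues_test.go (deleted above, presumably because a second definition in the same package would not compile); since `newStr` and `asPointer` now exist elsewhere in the tree as well, one shared helper would avoid three divergent copies. `workflowsRunsFrom` continues past the end of the hunk.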
@@ -419,7 +419,7 @@ func (r *jsonScorecardRawResult) addDangerousWorkflowRawResults(df *checker.Dang
 Type: string(e.Type),
 }
 if e.File.Snippet != "" {
- v.File.Snippet = &e.File.Snippet
+ v.File.Snippet = asPointer(e.File.Snippet)
 }
 if e.Job != nil {
 v.Job = &jsonWorkflowJob{
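Review bot: The guarded pattern `if x.File.Snippet != "" { …Snippet = asPointer(x.File.Snippet) }` now appears verbatim in all three hunks of this file, and each copy is a place where the nil-means-absent convention can drift (one site forgetting the guard would emit an empty string instead of omitting the field). A small helper that returns nil for an empty snippet and a copied pointer otherwise would fold each site into one line, e.g. here `v.File.Snippet = snippetPtr(e.File.Snippet)`. `addDangerousWorkflowRawResults` continues past both ends of the hunk, so I cannot see whether `e` is a loop variable; the copy is correct either way.
```go
// snippetPtr returns nil when s is empty, matching the existing call sites that
// leave the field unset, and otherwise a pointer to a copy of s so the JSON
// record does not point into the checker result it was built from.
func snippetPtr(s string) *string {
	if s == "" {
		return nil
	}
	return asPointer(s)
}
```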