Adjusted to max score with warning if job content are set to write (#2355)

Eddie Knight · web-flow · commit c40859202d73 · 2022-10-17T18:19:04.000Z
Signed-off-by: Eddie Knight &lt;iv.eddieknight@gmail.com&gt;

Signed-off-by: Eddie Knight &lt;iv.eddieknight@gmail.com&gt;
diff --git a/checks/evaluation/permissions.go b/checks/evaluation/permissions.go
@@ -241,8 +241,9 @@ func calculateScore(result map[string]permissions) int {
 
 		// contents.
 		// Allows attacker to commit unreviewed code.
+		// Scoring does not apply to job-level permissions, as this is a common place to use third-party actions.
 		// High risk: -10
-		if permissionIsPresent(perms, "contents") {
+		if permissionIsPresentInTopLevel(perms, "contents") {
 			score -= checker.MaxResultScore
 		}
 
diff --git a/checks/permissions_test.go b/checks/permissions_test.go
@@ -251,7 +251,7 @@ func TestGithubTokenPermissions(t *testing.T) {
 			filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-contents-writes-no-release.yaml"},
 			expected: scut.TestReturn{
 				Error:         nil,
-				Score:         checker.MinResultScore,
+				Score:         checker.MaxResultScore,
 				NumberOfWarn:  1,
 				NumberOfInfo:  1,
 				NumberOfDebug: 4,

Original file line number	Diff line number	Diff line change
`@@ -241,8 +241,9 @@ func calculateScore(result map[string]permissions) int {`
`241`	`241`
`242`	`242`	`// contents.`
`243`	`243`	`// Allows attacker to commit unreviewed code.`
	`244`	`+ // Scoring does not apply to job-level permissions, as this is a common place to use third-party actions.`
`244`	`245`	`// High risk: -10`
`245`		`- if permissionIsPresent(perms, "contents") {`
	`246`	`+ if permissionIsPresentInTopLevel(perms, "contents") {`
`246`	`247`	`score -= checker.MaxResultScore`
`247`	`248`	`}`
`248`	`249`