Skip to content

verify: exempt gradle-wrapper.jar from in-tree binary check #951

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
potiuk wants to merge 1 commit into
base: main
Choose a base branch
from
+33 −0
Open

verify: exempt gradle-wrapper.jar from in-tree binary check #951

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions utils/tests/verify_action_build/test_security.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1405,6 +1405,22 @@ def test_licenses_txt_exempt(self):
assert _looks_like_in_tree_binary("dist/licenses.txt") is False
assert _looks_like_in_tree_binary("licenses.txt") is False

def test_gradle_wrapper_jar_exempt(self):
# gradle/wrapper/gradle-wrapper.jar is Gradle's build wrapper:
# build-time tooling of the upstream repo, never executed on a
# consumer's runner, and checksum-verifiable in its own right.
# JetBrains/qodana-action (a node24 action) ships it and was
# false-flagged before this exemption.
assert _looks_like_in_tree_binary("gradle/wrapper/gradle-wrapper.jar") is False
# Exempt under a nested action sub-path too.
assert _looks_like_in_tree_binary(
"subdir/gradle/wrapper/gradle-wrapper.jar"
) is False
# Precision: a stray jar of the same name elsewhere is still caught,
# as is any other .jar (the suffix match needs the canonical path).
assert _looks_like_in_tree_binary("dist/gradle-wrapper.jar") is True
assert _looks_like_in_tree_binary("Library.jar") is True

def test_matlab_platform_dir_naming(self):
# MATLAB's launcher convention: dist/bin/<platform>/run-matlab-command
# where <platform> is MATLAB's own arch identifier and the file has
Expand Down
17 changes: 17 additions & 0 deletions utils/verify_action_build/security.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1694,6 +1694,21 @@ def analyze_repo_metadata(
"licenses.txt",
}

# Repo-relative path suffixes for binaries that are build-time tooling of
# the *upstream* repo rather than action-runtime code, and are themselves
# independently verifiable — so flagging them as opaque runtime binaries
# is a false positive. Matched by full canonical suffix (not bare name)
# so a same-named blob dropped elsewhere is still caught.
_IN_TREE_BINARY_EXEMPT_PATH_SUFFIXES = (
# Gradle's build wrapper, committed to virtually every Gradle project.
# It is invoked by ``./gradlew`` during the upstream repo's own build —
# never executed on a consumer's runner when the action runs — and is
# checksum-verifiable against Gradle's published list (cf.
# gradle/wrapper-validation-action). Seen on JetBrains/qodana-action,
# a node24 action that never shells out to Gradle at runtime.
"gradle/wrapper/gradle-wrapper.jar",
)


def _looks_like_in_tree_binary(path: str) -> bool:
"""Return True if ``path`` (a repo-relative blob path) looks like a
Expand All @@ -1707,6 +1722,8 @@ def _looks_like_in_tree_binary(path: str) -> bool:
name = path.rsplit("/", 1)[-1]
if name in _IN_TREE_BINARY_EXEMPT_NAMES:
return False
if path.lower().endswith(_IN_TREE_BINARY_EXEMPT_PATH_SUFFIXES):
return False
lower = name.lower()
if lower.endswith(_IN_TREE_BINARY_EXTENSIONS):
return True
Expand Down