small yamlpath fixups

woodruffw · Sep 8, 2024 · 4cc8c92 · 4cc8c92
1 parent 03398be
commit 4cc8c92
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 19 deletions.
diff --git a/src/audit/excessive_permissions.rs b/src/audit/excessive_permissions.rs
@@ -98,22 +98,11 @@ impl<'a> ExcessivePermissions<'a> {
     ) -> Vec<(Severity, Confidence, String)> {
         match permissions {
             Permissions::Base(base) => match base {
-                // If no explicit permissions are specified, our behavior
-                // depends on the presence of a parent (workflow) permission
-                // specifier.
-                BasePermission::Default => match parent {
-                    // If there's a parent permissions block, this job inherits
-                    // from it and has nothing new to report.
-                    Some(_) => vec![],
-                    // If there's no parent permissions block, we're at the workflow
-                    // level and should report the default permissions as potentially
-                    // being too broad.
-                    None => vec![(
-                        Severity::Medium,
-                        Confidence::Low,
-                        "workflow uses default permissions, which may be excessive".into(),
-                    )],
-                },
+                // TODO: Think more about what to do here. Flagging default
+                // permissions is likely to be noisy and is annoying to do,
+                // since it involves the *absence* of a key in the YAML
+                // rather than its presence.
+                BasePermission::Default => vec![],
                 BasePermission::ReadAll => vec![(
                     Severity::Medium,
                     Confidence::High,

diff --git a/src/finding/locate.rs b/src/finding/locate.rs
@@ -20,16 +20,17 @@ impl Locator {
     ) -> Result<Feature<'w>> {
         let mut path = vec![];
 
-        dbg!(location);
-
         if let Some(job) = &location.job {
             path.extend([
                 yamlpath::Component::Key("jobs".into()),
                 yamlpath::Component::Key(job.id.into()),
             ]);
 
             if let Some(step) = &job.step {
-                path.push(yamlpath::Component::Index(step.index));
+                path.extend([
+                    yamlpath::Component::Key("steps".into()),
+                    yamlpath::Component::Index(step.index),
+                ]);
             } else if let Some(key) = &job.key {
                 path.push(yamlpath::Component::Key(key.to_string()));
             }