ossf · balteravishay · Dec 27, 2024 · Dec 12, 2024 · Dec 16, 2024 · Dec 16, 2024
diff --git a/docs/probes.md b/docs/probes.md
@@ -382,6 +382,21 @@ If collaborators, members or owners have NOT participated in issues in the last
 The probe returns 1 true outcome if the project has no workflows "write" permissions a the "job" level.
 
 
+## memorysafe
+
+**Lifecycle**: experimental
+
+**Description**: Flags non memory safe practices in this project.
+
+**Motivation**: Memory safety in software should be considered a continuum, rather than being binary. This probe does not consider a specific ecosystem more or less memory safe than another, but rather tries to surface non memory safe code or practices in the project, in the context of the ecosystems it is using.
+
+**Implementation**: The probe is ecosystem-specific and tries to flag non memory safe code blocks in the project by looking at the code and practices used in the project. It may look for specific memory safety practices, such as the use tools or non memory-safe patterns and code. The probe supports multiple checks for each ecosystem, and the outcome is based on the results of these checks.
+
+**Outcomes**: For supported ecosystem, the probe returns OutcomeTrue per safe method or tool.
+For supported ecosystem, the probe returns OutcomeFalse per unsafe code or method.
+If the project has no supported ecosystems, the probe returns OutcomeNotApplicable.
+
+
 ## packagedWithAutomatedWorkflow
 
 **Lifecycle**: stable

@@ -24,6 +24,7 @@ var errInvalidCsProjFile = errors.New("error parsing csproj file")
 type PropertyGroup struct {
 	XMLName           xml.Name `xml:"PropertyGroup"`
 	RestoreLockedMode bool     `xml:"RestoreLockedMode"`
+	AllowUnsafeBlocks bool     `xml:"AllowUnsafeBlocks"`
 }
 
 type Project struct {
@@ -32,6 +33,18 @@ type Project struct {
 }
 
 func IsRestoreLockedModeEnabled(content []byte) (bool, error) {
+	return isCsProjFilePropertyGroupEnabled(content, func(propertyGroup *PropertyGroup) bool {
+		return propertyGroup.RestoreLockedMode
+	})
+}
+
+func IsAllowUnsafeBlocksEnabled(content []byte) (bool, error) {
+	return isCsProjFilePropertyGroupEnabled(content, func(propertyGroup *PropertyGroup) bool {
+		return propertyGroup.AllowUnsafeBlocks
+	})
+}
+
+func isCsProjFilePropertyGroupEnabled(content []byte, predicate func(*PropertyGroup) bool) (bool, error) {
 	var project Project
 
 	err := xml.Unmarshal(content, &project)
@@ -40,7 +53,7 @@ func IsRestoreLockedModeEnabled(content []byte) (bool, error) {
 	}
 
 	for _, propertyGroup := range project.PropertyGroups {
-		if propertyGroup.RestoreLockedMode {
+		if predicate(&propertyGroup) {
 			return true, nil
 		}
 	}

@@ -44,6 +44,7 @@ import (
 	"github.com/ossf/scorecard/v5/probes/hasUnverifiedBinaryArtifacts"
 	"github.com/ossf/scorecard/v5/probes/issueActivityByProjectMember"
 	"github.com/ossf/scorecard/v5/probes/jobLevelPermissions"
+	"github.com/ossf/scorecard/v5/probes/memorysafe"
 	"github.com/ossf/scorecard/v5/probes/packagedWithAutomatedWorkflow"
 	"github.com/ossf/scorecard/v5/probes/pinsDependencies"
 	"github.com/ossf/scorecard/v5/probes/releasesAreSigned"
@@ -173,7 +174,9 @@ var (
 	}
 
 	// Probes which don't use pre-computed raw data but rather collect it themselves.
-	Independent = []IndependentProbeImpl{}
+	Independent = []IndependentProbeImpl{
+		memorysafe.Run,
+	}
 )
 
 //nolint:gochecknoinits

@@ -0,0 +1,41 @@
+# Copyright 2025 OpenSSF Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+id: memorysafe
+lifecycle: experimental
+short: Flags non memory safe practices in this project.
+motivation: >
+  Memory safety in software should be considered a continuum, rather than being binary.
+  This probe does not consider a specific ecosystem more or less memory safe than another, but rather tries to surface non memory safe code or practices in the project, in the context of the ecosystems it is using.
+implementation: >
+  The probe is ecosystem-specific and tries to flag non memory safe code blocks in the project by looking at the code and practices used in the project.
+  It may look for specific memory safety practices, such as the use tools or non memory-safe patterns and code.
+  The probe supports multiple checks for each ecosystem, and the outcome is based on the results of these checks.
+outcome:
+  - For supported ecosystem, the probe returns OutcomeTrue per safe method or tool.
+  - For supported ecosystem, the probe returns OutcomeFalse per unsafe code or method.
+  - If the project has no supported ecosystems, the probe returns OutcomeNotApplicable.
+remediation:
+  onOutcome: False
+  effort: Medium
+  text:
+    - Visit the OpenSSF Memory Safety SIG guidance on how to make your project memory safe.
+    - Guidance for [Memory-Safe By Default Languages](https://github.com/ossf/Memory-Safety/blob/main/docs/best-practice-memory-safe-by-default-languages.md)
+    - Guidance for [Non Memory-Safe By Default Languages](https://github.com/ossf/Memory-Safety/blob/main/docs/best-practice-non-memory-safe-by-default-languages.md)
+ecosystem:
+  languages:
+    - go
+    - c#
+  clients:
+    - github
@@ -0,0 +1,229 @@
+// Copyright 2025 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package memorysafe
+
+import (
+	"embed"
+	"fmt"
+	"go/parser"
+	"go/token"
+	"reflect"
+	"strings"
+
+	"github.com/ossf/scorecard/v5/checker"
+	"github.com/ossf/scorecard/v5/checks/fileparser"
+	"github.com/ossf/scorecard/v5/clients"
+	"github.com/ossf/scorecard/v5/finding"
+	"github.com/ossf/scorecard/v5/internal/dotnet/csproj"
+	"github.com/ossf/scorecard/v5/internal/probes"
+)
+
+//go:embed *.yml
+var fs embed.FS
+
+const (
+	Probe = "memorysafe"
+)
+
+type languageMemoryCheckConfig struct {
+	Desc string
+
+	funcPointers []func(client *checker.CheckRequest) ([]finding.Finding, error)
+}
+
+var languageMemorySafeSpecs = map[clients.LanguageName]languageMemoryCheckConfig{
+	clients.Go: {
+		funcPointers: []func(client *checker.CheckRequest) ([]finding.Finding, error){
+			checkGoUnsafePackage,
+		},
+		Desc: "Check if Go code uses the unsafe package",
+	},
+
+	clients.CSharp: {
+		funcPointers: []func(client *checker.CheckRequest) ([]finding.Finding, error){
+			checkDotnetAllowUnsafeBlocks,
+		},
+		Desc: "Check if C# code uses unsafe blocks",
+	},
+}
+
+func init() {
+	probes.MustRegisterIndependent(Probe, Run)
+}
+
+func Run(raw *checker.CheckRequest) (found []finding.Finding, probeName string, err error) {
+	prominentLangs := getRepositoryLanguageChecks(raw)
+	findings := []finding.Finding{}
+
+	for _, lang := range prominentLangs {
+		for _, langFunc := range lang.funcPointers {
+			if langFunc == nil {
+				raw.Dlogger.Warn(&checker.LogMessage{
+					Text: fmt.Sprintf("no function pointer found for language %s", lang.Desc),
+				})
+			}
+			langFindings, err := langFunc(raw)
+			if err != nil {
+				return nil, Probe, fmt.Errorf("error while running function for language %s: %w", lang.Desc, err)
+			}
+			findings = append(findings, langFindings...)
+		}
+	}
+	return findings, Probe, nil
+}
+
+func getRepositoryLanguageChecks(raw *checker.CheckRequest) []languageMemoryCheckConfig {
+	langs, err := raw.RepoClient.ListProgrammingLanguages()
+	if err != nil {
+		raw.Dlogger.Warn(&checker.LogMessage{
+			Text: fmt.Sprintf("RepoClient retured error for ListProgrammingLanguages: %v", err),
+		})
+		return nil
+	}
+	if len(langs) == 0 {
+		return []languageMemoryCheckConfig{}
+	}
+	if len(langs) == 1 && langs[0].Name == clients.All {
+		return getAllLanguages()
+	}
+	ret := []languageMemoryCheckConfig{}
+	for _, language := range langs {
+		if lang, ok := languageMemorySafeSpecs[clients.LanguageName(strings.ToLower(string(language.Name)))]; ok {
+			ret = append(ret, lang)
+		}
+	}
+	return ret
+}
+
+func getAllLanguages() []languageMemoryCheckConfig {
+	allLanguages := make([]languageMemoryCheckConfig, 0, len(languageMemorySafeSpecs))
+	for l := range languageMemorySafeSpecs {
+		allLanguages = append(allLanguages, languageMemorySafeSpecs[l])
+	}
+	return allLanguages
+}
+
+// Golang
+
+func checkGoUnsafePackage(client *checker.CheckRequest) ([]finding.Finding, error) {
+	findings := []finding.Finding{}
+
+	if err := fileparser.OnMatchingFileContentDo(client.RepoClient, fileparser.PathMatcher{
+		Pattern:       "*.go",
+		CaseSensitive: false,
+	}, goCodeUsesUnsafePackage, &findings, client.Dlogger); err != nil {
+		return nil, err
+	}
+	if len(findings) == 0 {
+		found, err := finding.NewWith(fs, Probe,
+			"Golang code does not use the unsafe package", nil, finding.OutcomeTrue)
+		if err != nil {
+			return nil, fmt.Errorf("create finding: %w", err)
+		}
+		findings = append(findings, *found)
+	}
+	return findings, nil
+}
+
+func goCodeUsesUnsafePackage(path string, content []byte, args ...interface{}) (bool, error) {
+	findings, ok := args[0].(*[]finding.Finding)
+	if !ok {
+		// panic if it is not correct type
+		panic(fmt.Sprintf("expected type findings, got %v", reflect.TypeOf(args[0])))
+	}
+	fset := token.NewFileSet()
+	f, err := parser.ParseFile(fset, "", content, parser.ImportsOnly)
+	if err != nil {
+		dl, ok := args[1].(checker.DetailLogger)
+		if !ok {
+			// panic if it is not correct type
+			panic(fmt.Sprintf("expected type checker.DetailLogger, got %v", reflect.TypeOf(args[1])))
+		}
+
+		dl.Warn(&checker.LogMessage{
+			Text: fmt.Sprintf("malformed golang file: %v", err),
+		})
+		return true, nil
+	}
+	for _, i := range f.Imports {
+		if i.Path.Value == `"unsafe"` {
+			found, err := finding.NewWith(fs, Probe,
+				"Golang code uses the unsafe package", &finding.Location{
+					Path: path,
+				}, finding.OutcomeFalse)
+			if err != nil {
+				return false, fmt.Errorf("create finding: %w", err)
+			}
+			*findings = append(*findings, *found)
+		}
+	}
+
+	return true, nil
+}
+
+// CSharp
+
+func checkDotnetAllowUnsafeBlocks(client *checker.CheckRequest) ([]finding.Finding, error) {
+	findings := []finding.Finding{}
+
+	if err := fileparser.OnMatchingFileContentDo(client.RepoClient, fileparser.PathMatcher{
+		Pattern:       "*.csproj",
+		CaseSensitive: false,
+	}, csProjAllosUnsafeBlocks, &findings, client.Dlogger); err != nil {
+		return nil, err
+	}
+	if len(findings) == 0 {
+		found, err := finding.NewWith(fs, Probe,
+			"C# code does not allow unsafe blocks", nil, finding.OutcomeTrue)
+		if err != nil {
+			return nil, fmt.Errorf("create finding: %w", err)
+		}
+		findings = append(findings, *found)
+	}
+	return findings, nil
+}
+
+func csProjAllosUnsafeBlocks(path string, content []byte, args ...interface{}) (bool, error) {
+	findings, ok := args[0].(*[]finding.Finding)
+	if !ok {
+		// panic if it is not correct type
+		panic(fmt.Sprintf("expected type findings, got %v", reflect.TypeOf(args[0])))
+	}
+	unsafe, err := csproj.IsAllowUnsafeBlocksEnabled(content)
+	if err != nil {
+		dl, ok := args[1].(checker.DetailLogger)
+		if !ok {
+			// panic if it is not correct type
+			panic(fmt.Sprintf("expected type checker.DetailLogger, got %v", reflect.TypeOf(args[1])))
+		}
+
+		dl.Warn(&checker.LogMessage{
+			Text: fmt.Sprintf("malformed csproj file: %v", err),
+		})
+		return true, nil
+	}
+	if unsafe {
+		found, err := finding.NewWith(fs, Probe,
+			"C# code allows the use of unsafe blocks", &finding.Location{
+				Path: path,
+			}, finding.OutcomeFalse)
+		if err != nil {
+			return false, fmt.Errorf("create finding: %w", err)
+		}
+		*findings = append(*findings, *found)
+	}
+
+	return true, nil
+}