When calculating the score for the token permission check, we reduce the score when certain dangerous permissions are used, see permissions.go#L262
An alternative implementation would be to only check whether the permissions are defined explicitly or not via the permissions: keyword. There are pros and cons to both approaches.
Checking only for the presence of the permissions: definition is simpler but does not catch overly-broad permissions (e.g. if a user declared all permissions as write).
Reducing the score based on dangerous permissions is more granular but prone to false positives, and will likely never be 100% accurate, see #1099.
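To make the trade-off concrete, here is an added example (not Scorecard's own code, and not what permissions.go does) that runs both approaches side by side over three constructed workflows. The workflow inputs are Python dicts shaped like the output of yaml.safe_load() on a workflow file, built inline so the module runs offline; the DANGEROUS_WRITE set and the point deductions are assumptions chosen for illustration, not Scorecard's rules.

```python
"""Presence-only check vs. dangerous-permission scoring for workflow tokens.

Added illustration, not Scorecard code. Inputs mirror yaml.safe_load()
output for a GitHub Actions workflow; the dangerous set and the deductions
below are assumptions for the example.
"""

# Assumed set: permissions whose 'write' level lets a compromised step alter
# code, workflows, releases or security data. Not Scorecard's list.
DANGEROUS_WRITE = {
    "contents", "actions", "packages", "deployments",
    "security-events", "id-token", "statuses", "checks", "pull-requests",
}

MAX_SCORE = 10
WILDCARD_PENALTY = 10   # assumed: 'write-all' forfeits the whole score
DANGEROUS_PENALTY = 3   # assumed: each dangerous write scope costs 3


def _permission_blocks(workflow):
    """Yield (scope, permissions) for the top level and every job that sets them."""
    if "permissions" in workflow:
        yield "top-level", workflow["permissions"]
    for job_name, job in (workflow.get("jobs") or {}).items():
        if isinstance(job, dict) and "permissions" in job:
            yield f"job:{job_name}", job["permissions"]


def has_explicit_permissions(workflow):
    """Approach 1: is permissions: declared at the top level or in every job?"""
    if "permissions" in workflow:
        return True
    jobs = workflow.get("jobs") or {}
    return bool(jobs) and all(
        isinstance(j, dict) and "permissions" in j for j in jobs.values()
    )


def dangerous_permissions(workflow):
    """Approach 2: list (scope, permission, level) grants considered dangerous."""
    found = []
    for scope, perms in _permission_blocks(workflow):
        if perms == "write-all":
            found.append((scope, "*", "write-all"))
        elif isinstance(perms, dict):
            for name, level in perms.items():
                if level == "write" and name in DANGEROUS_WRITE:
                    found.append((scope, name, level))
    return found


def score_by_presence(workflow):
    """Full marks if permissions are declared, zero otherwise."""
    return MAX_SCORE if has_explicit_permissions(workflow) else 0


def score_by_dangerous(workflow):
    """Start at MAX_SCORE and deduct per dangerous grant, floored at zero."""
    score = MAX_SCORE
    for _, _, level in dangerous_permissions(workflow):
        score -= WILDCARD_PENALTY if level == "write-all" else DANGEROUS_PENALTY
    return max(score, 0)


# Constructed sample 1: nothing declared, so the repository default applies.
WF_UNDECLARED = {"name": "ci", "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": []}}}

# Constructed sample 2: declared explicitly, but every permission is write.
WF_WRITE_ALL = {"name": "ci", "permissions": "write-all",
                "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": []}}}

# Constructed sample 3: read-all at the top, one job legitimately needs
# contents: write to publish a release (the false-positive case).
WF_RELEASE = {"name": "release", "permissions": "read-all",
              "jobs": {"publish": {"runs-on": "ubuntu-latest",
                                   "permissions": {"contents": "write"},
                                   "steps": []}}}


if __name__ == "__main__":
    for label, wf in [("undeclared", WF_UNDECLARED),
                      ("write-all", WF_WRITE_ALL),
                      ("release", WF_RELEASE)]:
        print(f"{label:10} presence={score_by_presence(wf):2} "
              f"dangerous={score_by_dangerous(wf):2} "
              f"flagged={dangerous_permissions(wf)}")
```

The three samples land on the three outcomes the issue describes: the undeclared workflow is caught only by the presence check, the write-all workflow is caught only by the dangerous-permission check, and the release workflow scores full marks on presence but loses points on the granular check even though the job-scoped contents: write is deliberate. Keeping the two results separate (which grants were found vs. how they are scored) is what lets a later policy layer decide, for instance, that a job-level write in a release job is acceptable.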
@laurentsimon IMO some detailed notes on what needs to be fixed would be helpful for a good first issue. Thanks!
I've updated the description. I meant to tag this as needs discussion, not good first issue. I've updated the label too. Thanks for catching the mistake.
We discussed last meeting. We will separate out data/result gathering and policy/score calculation. So we'll keep our calculation as it is today and move to the policy calculation over time.