-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for detecting vulnerable Go packages in PRs #1024
Conversation
Builds atop PR #1012 by supporting lookup of Go dependencies in OVS as well as their checksums in the Go sum database. Because we need to do another lookup in the go sum database, we also need to keep state during the lookups, so I collapsed the two methods of the RepoQuerier interface into one. Fixes: #912
When I renamed the PR scan actions, I forgot to rename the associated constant in the code. This was not caught by unit tests because the unit tests use the constant directly, but using a policy that set the "review" action would have triggered an error.
…onstant to string on every iteration OSV itself is case-sensitive, but that doesn't make a whole lot of sense for us, let's just treat the package databases in a case-insensitive manner.
This was a remnant of adopting Luke's old code - the way we looked up which part of the PR to patch was specific to JS. Let's add a method to the patch object that is able to find where to apply the patch.
Just some code hardening
@@ -98,7 +108,7 @@ func newNpmRepository(endpoint string) *npmRepository { | |||
// check that npmRepository implements RepoQuerier | |||
var _ RepoQuerier = (*npmRepository)(nil) | |||
|
|||
func (n *npmRepository) NewRequest(ctx context.Context, dep *pb.Dependency) (*http.Request, error) { | |||
func (n *npmRepository) newRequest(ctx context.Context, dep *pb.Dependency) (*http.Request, error) { | |||
pkgUrl := fmt.Sprintf("%s/%s/latest", n.endpoint, dep.Name) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know it's not from this PR, but can we change from Sprintf
to using url.Url
instead in the near future? Having manual string operations like this could backfire since we're relying on rule authors fore these parameters. Lets treat it as untrusted input and validate instead.
var _ RepoQuerier = (*goProxyRepository)(nil) | ||
|
||
func (r *goProxyRepository) goProxyRequest(ctx context.Context, dep *pb.Dependency) (*http.Request, error) { | ||
pkgUrl := fmt.Sprintf("%s/%s/@latest", r.proxyEndpoint, dep.Name) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should we use url.Url
here instead? https://pkg.go.dev/net/url#URL
} | ||
|
||
func (r *goProxyRepository) goSumRequest(ctx context.Context, depName, depVersion string) (*http.Request, error) { | ||
sumUrl := fmt.Sprintf("%s/lookup/%s@%s", r.sumEndpoint, depName, depVersion) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same here https://pkg.go.dev/net/url#URL
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not tested out, but code looks good.
vulncheck: Support Go depenndecies in PR vulnerability scanner
Builds atop PR #1012 by supporting lookup of Go dependencies in OVS as well as their checksums in the Go sum database.
Because we need to do another lookup in the go sum database, we also need to keep state during the lookups, so I collapsed the two methods of the RepoQuerier interface into one.
Fixes: #912
The other patches in the PR fix issues that I found during testing.
To view the new code in action, see
jakubtestorg/bad-go#3 - you might want to click the
show resolved to see the diff that Mediator was suggesting.