Decouple Trusty engine from Trusty SDK structs.

go.mod

@@ -381,7 +381,7 @@ require (
 	golang.org/x/mod v0.22.0
 	golang.org/x/net v0.31.0 // indirect
 	golang.org/x/sys v0.27.0 // indirect
-	golang.org/x/text v0.20.0 // indirect
+	golang.org/x/text v0.20.0
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect

internal/engine/eval/trusty/actions.go

@@ -13,11 +13,9 @@ import (
 	"slices"
 	"strings"
 	template "text/template"
-	"unicode"
 
 	"github.com/google/go-github/v63/github"
 	"github.com/rs/zerolog"
-	trustytypes "github.com/stacklok/trusty-sdk-go/pkg/v1/types"
 
 	"github.com/mindersec/minder/internal/constants"
 	"github.com/mindersec/minder/internal/engine/eval/pr_actions"
@@ -194,7 +192,7 @@ type dependencyAlternatives struct {
 	BlockPR bool
 
 	// trustyReply is the complete response from trusty for this package
-	trustyReply *trustytypes.Reply
+	trustyReply *trustyReport
 }
 
 // summaryPrHandler is a prStatusHandler that adds a summary text to the PR as a comment.
@@ -276,8 +274,8 @@ func (sph *summaryPrHandler) generateSummary() (string, error) {
 	for _, alternative := range sph.trackedAlternatives {
 		if _, ok := lowScorePackages[alternative.Dependency.Name]; !ok {
 			var score float64
-			if alternative.trustyReply.Summary.Score != nil {
-				score = *alternative.trustyReply.Summary.Score
+			if alternative.trustyReply.Score != nil {
+				score = *alternative.trustyReply.Score
 			}
 
 			packageUIURL, err := url.JoinPath(
@@ -300,37 +298,42 @@ func (sph *summaryPrHandler) generateSummary() (string, error) {
 			if slices.Contains(alternative.Reasons, TRUSTY_MALICIOUS_PKG) {
 				malicious = append(malicious, maliciousTemplateData{
 					templatePackageData: packageData,
-					Summary:             alternative.trustyReply.PackageData.Malicious.Summary,
-					Details:             preprocessDetails(alternative.trustyReply.PackageData.Malicious.Details),
+					Summary:             alternative.trustyReply.Malicious.Summary,
+					Details:             preprocessDetails(alternative.trustyReply.Malicious.Details),
 				})
 				continue
 			}
 
 			lowScorePackages[alternative.Dependency.Name] = templatePackage{
 				templatePackageData: packageData,
-				Deprecated:          alternative.trustyReply.PackageData.Deprecated,
-				Archived:            alternative.trustyReply.PackageData.Archived,
-				ScoreComponents:     buildScoreMatrix(alternative),
+				Deprecated:          alternative.trustyReply.IsDeprecated,
+				Archived:            alternative.trustyReply.IsArchived,
+				ScoreComponents:     buildScoreMatrix(alternative.trustyReply.ScoreComponents),
 				Alternatives:        []templateAlternative{},
 				Provenance:          buildProvenanceStruct(alternative.trustyReply),
 			}
 		}
 
-		for _, altData := range alternative.trustyReply.Alternatives.Packages {
-			if altData.Score <= lowScorePackages[alternative.Dependency.Name].Score {
+		for _, altData := range alternative.trustyReply.Alternatives {
+			// Note: now that the score is deprecated and
+			// effectively `nil` for all packages, this
+			// loop will always discard all alternatives,
+			// rendering the whole block dead code.
+			//
+			// Since (1) we don't have score anymore, and
+			// (2) we don't suggest malicious packages, I
+			// suggest getting rid of this check
+			// altogether.
+			if altData.Score != nil && *altData.Score <= lowScorePackages[alternative.Dependency.Name].Score {
 				continue
 			}
 
 			altPackageData := templateAlternative{
 				templatePackageData: templatePackageData{
-					Ecosystem:   alternative.Dependency.Ecosystem.AsString(),
+					Ecosystem:   altData.PackageType,
 					PackageName: altData.PackageName,
-					TrustyURL: fmt.Sprintf(
-						"%s%s/%s", constants.TrustyHttpURL,
-						strings.ToLower(alternative.Dependency.Ecosystem.AsString()),
-						url.PathEscape(altData.PackageName),
-					),
-					Score: altData.Score,
+					TrustyURL:   altData.TrustyURL,
+					Score:       *altData.Score,
 				},
 			}
 
@@ -344,27 +347,27 @@ func (sph *summaryPrHandler) generateSummary() (string, error) {
 }
 
 // buildProvenanceStruct builds the provenance data structure for the PR template
-func buildProvenanceStruct(r *trustytypes.Reply) *templateProvenance {
+func buildProvenanceStruct(r *trustyReport) *templateProvenance {
 	if r == nil || r.Provenance == nil {
 		return nil
 	}
 	var provenance *templateProvenance
 	if r.Provenance != nil {
 		provenance = &templateProvenance{}
-		if r.Provenance.Description.Historical.Overlap != 0 {
+		if r.Provenance.Historical != nil && r.Provenance.Historical.Overlap != 0 {
 			provenance.Historical = &templateHistoricalProvenance{
-				NumVersions:     int(r.Provenance.Description.Historical.Versions),
-				NumTags:         int(r.Provenance.Description.Historical.Tags),
-				MatchedVersions: int(r.Provenance.Description.Historical.Common),
+				NumVersions:     int(r.Provenance.Historical.Versions),
+				NumTags:         int(r.Provenance.Historical.Tags),
+				MatchedVersions: int(r.Provenance.Historical.Common),
 			}
 		}
 
-		if r.Provenance.Description.Sigstore.Issuer != "" {
+		if r.Provenance.Sigstore != nil && r.Provenance.Sigstore.Issuer != "" {
 			provenance.Sigstore = &templateSigstoreProvenance{
-				SourceRepository: r.Provenance.Description.Sigstore.SourceRepository,
-				Workflow:         r.Provenance.Description.Sigstore.Workflow,
-				Issuer:           r.Provenance.Description.Sigstore.Issuer,
-				RekorURI:         r.Provenance.Description.Sigstore.Transparency,
+				SourceRepository: r.Provenance.Sigstore.SourceRepository,
+				Workflow:         r.Provenance.Sigstore.Workflow,
+				Issuer:           r.Provenance.Sigstore.Issuer,
+				RekorURI:         r.Provenance.Sigstore.RekorURI,
 			}
 		}
 
@@ -377,35 +380,12 @@ func buildProvenanceStruct(r *trustytypes.Reply) *templateProvenance {
 
 // buildScoreMatrix builds the score components matrix that populates
 // the score table in the PR comment template
-func buildScoreMatrix(alternative dependencyAlternatives) []templateScoreComponent {
+//
+//nolint:gosimple // This code is legacy and should be removed
+func buildScoreMatrix(components []scoreComponent) []templateScoreComponent {
 	scoreComp := []templateScoreComponent{}
-	if alternative.trustyReply.Summary.Description != nil {
-		for l, v := range alternative.trustyReply.Summary.Description {
-			switch l {
-			case "activity":
-				l = "Package activity"
-			case "activity_user":
-				l = "User activity"
-			case "provenance":
-				l = "Provenance"
-			case "typosquatting":
-				if v.(float64) > 5.00 {
-					continue
-				}
-				v = "⚠️ Dependency may be trying to impersonate a well known package"
-				l = "Typosquatting"
-			case "activity_repo":
-				l = "Repository activity"
-			default:
-				if len(l) > 1 {
-					l = string(unicode.ToUpper([]rune(l)[0])) + l[1:]
-				}
-			}
-			scoreComp = append(scoreComp, templateScoreComponent{
-				Label: l,
-				Value: v,
-			})
-		}
+	for _, component := range components {
+		scoreComp = append(scoreComp, templateScoreComponent(component))
 	}
 	return scoreComp
 }

internal/engine/eval/trusty/actions_test.go

@@ -7,7 +7,6 @@ package trusty
 import (
 	"testing"
 
-	trustytypes "github.com/stacklok/trusty-sdk-go/pkg/v1/types"
 	"github.com/stretchr/testify/require"
 
 	v1 "github.com/mindersec/minder/pkg/api/protobuf/go/minder/v1"
@@ -26,28 +25,25 @@ func TestBuildProvenanceStruct(t *testing.T) {
 	t.Parallel()
 	for _, tc := range []struct {
 		name     string
-		sut      *trustytypes.Reply
+		sut      *trustyReport
 		mustNil  bool
 		expected *templateProvenance
 	}{
 		{
 			name: "full-response",
-			sut: &trustytypes.Reply{
-				Provenance: &trustytypes.Provenance{
-					Score: 8.0,
-					Description: trustytypes.ProvenanceDescription{
-						Historical: trustytypes.HistoricalProvenance{
-							Tags:     10,
-							Common:   8,
-							Overlap:  80,
-							Versions: 10,
-						},
-						Sigstore: trustytypes.SigstoreProvenance{
-							Issuer:           "CN=sigstore-intermediate,O=sigstore.dev",
-							Workflow:         ".github/workflows/build_and_deploy.yml",
-							SourceRepository: "https://github.com/vercel/next.js",
-							Transparency:     "https://search.sigstore.dev/?logIndex=88381843",
-						},
+			sut: &trustyReport{
+				Provenance: &provenance{
+					Historical: &historicalProvenance{
+						Tags:     10,
+						Common:   8,
+						Overlap:  80,
+						Versions: 10,
+					},
+					Sigstore: &sigstoreProvenance{
+						Issuer:           "CN=sigstore-intermediate,O=sigstore.dev",
+						Workflow:         ".github/workflows/build_and_deploy.yml",
+						SourceRepository: "https://github.com/vercel/next.js",
+						RekorURI:         "https://search.sigstore.dev/?logIndex=88381843",
 					},
 				},
 			},
@@ -68,16 +64,13 @@ func TestBuildProvenanceStruct(t *testing.T) {
 		},
 		{
 			name: "only-historical",
-			sut: &trustytypes.Reply{
-				Provenance: &trustytypes.Provenance{
-					Score: 8.0,
-					Description: trustytypes.ProvenanceDescription{
-						Historical: trustytypes.HistoricalProvenance{
-							Tags:     10,
-							Common:   8,
-							Overlap:  80,
-							Versions: 10,
-						},
+			sut: &trustyReport{
+				Provenance: &provenance{
+					Historical: &historicalProvenance{
+						Tags:     10,
+						Common:   8,
+						Overlap:  80,
+						Versions: 10,
 					},
 				},
 			},
@@ -92,16 +85,13 @@ func TestBuildProvenanceStruct(t *testing.T) {
 		},
 		{
 			name: "only-sigstore",
-			sut: &trustytypes.Reply{
-				Provenance: &trustytypes.Provenance{
-					Score: 8.0,
-					Description: trustytypes.ProvenanceDescription{
-						Sigstore: trustytypes.SigstoreProvenance{
-							Issuer:           "CN=sigstore-intermediate,O=sigstore.dev",
-							Workflow:         ".github/workflows/build_and_deploy.yml",
-							SourceRepository: "https://github.com/vercel/next.js",
-							Transparency:     "https://search.sigstore.dev/?logIndex=88381843",
-						},
+			sut: &trustyReport{
+				Provenance: &provenance{
+					Sigstore: &sigstoreProvenance{
+						Issuer:           "CN=sigstore-intermediate,O=sigstore.dev",
+						Workflow:         ".github/workflows/build_and_deploy.yml",
+						SourceRepository: "https://github.com/vercel/next.js",
+						RekorURI:         "https://search.sigstore.dev/?logIndex=88381843",
 					},
 				},
 			},
@@ -122,7 +112,7 @@ func TestBuildProvenanceStruct(t *testing.T) {
 		},
 		{
 			name:    "no-provenance",
-			sut:     &trustytypes.Reply{},
+			sut:     &trustyReport{},
 			mustNil: true,
 		},
 	} {