🌱 convert vulnerabilities check to probe #3487

AdamKorcz · 2023-09-18T16:11:34Z

What kind of change does this PR introduce?

Migration of Vulnerabilities check to probe.

PR title follows the guidelines defined in our pull request documentation
Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

NONE

Special notes for your reviewer

Does this PR introduce a user-facing change?

No

checks/evaluation/vulnerabilities.go

checks/evaluation/vulnerabilities_test.go

checks/vulnerabilities.go

probes/hasKnownVulnerabilities/def.yml

probes/hasKnownVulnerabilities/impl.go

codecov · 2023-09-18T19:58:00Z

Codecov Report

Merging #3487 (e0ff285) into main (f2bbd0a) will decrease coverage by 12.65%.
The diff coverage is 79.66%.

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #3487       +/-   ##
===========================================
- Coverage   76.12%   63.48%   -12.65%     
===========================================
  Files         198      187       -11     
  Lines       13700    12914      -786     
===========================================
- Hits        10429     8198     -2231     
- Misses       2663     4198     +1535     
+ Partials      608      518       -90

AdamKorcz · 2023-10-09T19:25:22Z

@laurentsimon @spencerschrock PTAL again.

checks/evaluation/finding.go

checks/evaluation/vulnerabilities.go

checks/evaluation/vulnerabilities_test.go

probes/hasOSVVulnerabilities/def.yml

probes/hasOSVVulnerabilities/impl.go

checks/evaluation/vulnerabilities.go

probes/hasOSVVulnerabilities/def.yml

probes/hasOSVVulnerabilities/impl_test.go

Signed-off-by: AdamKorcz <adam@adalogics.com>

laurentsimon · 2023-10-25T17:46:11Z

probes/hasOSVVulnerabilities/impl.go

+		f = f.WithMessage(fmt.Sprintf("Project is vulnerable to: %s",
+			strings.Join(vuln.IDs, " / ")))
+		f = f.WithRemediationMetadata(map[string]string{
+			"osvid": strings.Join(vuln.IDs[:], ","),


are there multiple IDs returned for each vulnerability? Will the URL work properly?

There can be, depending on if there are aliases, in which case we'd want to grab just one.

Let's fix in a follow-up PR then. Created #3609 for tracking

* 🌱 convert vulnerabilities check to probe Signed-off-by: AdamKorcz <adam@adalogics.com> * rename probe + nits Signed-off-by: AdamKorcz <adam@adalogics.com> * edit def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * Add vuln ID dynamically to def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * Elaborate the purpose of test data in unit test Signed-off-by: AdamKorcz <adam@adalogics.com> * Move logging out of loop and change logic of negativeFindings() Signed-off-by: AdamKorcz <adam@adalogics.com> * preserve number of vulns found in output Signed-off-by: AdamKorcz <adam@adalogics.com> * Preserve grouping of vulns Signed-off-by: AdamKorcz <adam@adalogics.com> * fix linter issues Signed-off-by: AdamKorcz <adam@adalogics.com> * Add remediation data Signed-off-by: AdamKorcz <adam@adalogics.com> * use checker.LogFindings() Signed-off-by: AdamKorcz <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>

* 🌱 convert vulnerabilities check to probe Signed-off-by: AdamKorcz <adam@adalogics.com> * rename probe + nits Signed-off-by: AdamKorcz <adam@adalogics.com> * edit def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * Add vuln ID dynamically to def.yml Signed-off-by: AdamKorcz <adam@adalogics.com> * Elaborate the purpose of test data in unit test Signed-off-by: AdamKorcz <adam@adalogics.com> * Move logging out of loop and change logic of negativeFindings() Signed-off-by: AdamKorcz <adam@adalogics.com> * preserve number of vulns found in output Signed-off-by: AdamKorcz <adam@adalogics.com> * Preserve grouping of vulns Signed-off-by: AdamKorcz <adam@adalogics.com> * fix linter issues Signed-off-by: AdamKorcz <adam@adalogics.com> * Add remediation data Signed-off-by: AdamKorcz <adam@adalogics.com> * use checker.LogFindings() Signed-off-by: AdamKorcz <adam@adalogics.com> --------- Signed-off-by: AdamKorcz <adam@adalogics.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>

AdamKorcz requested review from azeemshaikh38, justaugustus, laurentsimon, naveensrinivasan, spencerschrock and raghavkaul as code owners September 18, 2023 16:11

AdamKorcz temporarily deployed to gitlab September 18, 2023 16:11 — with GitHub Actions Inactive

AdamKorcz had a problem deploying to integration-test September 18, 2023 16:12 — with GitHub Actions Failure

laurentsimon reviewed Sep 18, 2023

View reviewed changes

AdamKorcz force-pushed the vulnerabilities-probe branch from 8748930 to bcc7d62 Compare September 18, 2023 19:54

AdamKorcz temporarily deployed to gitlab September 18, 2023 19:54 — with GitHub Actions Inactive

AdamKorcz had a problem deploying to integration-test September 18, 2023 19:55 — with GitHub Actions Failure

AdamKorcz temporarily deployed to gitlab September 29, 2023 09:38 — with GitHub Actions Inactive

AdamKorcz had a problem deploying to integration-test September 29, 2023 09:38 — with GitHub Actions Failure

AdamKorcz temporarily deployed to gitlab September 29, 2023 10:21 — with GitHub Actions Inactive

AdamKorcz had a problem deploying to integration-test September 29, 2023 10:21 — with GitHub Actions Failure

AdamKorcz temporarily deployed to gitlab October 3, 2023 13:18 — with GitHub Actions Inactive

AdamKorcz had a problem deploying to integration-test October 3, 2023 13:19 — with GitHub Actions Failure

spencerschrock reviewed Oct 10, 2023

View reviewed changes

AdamKorcz force-pushed the vulnerabilities-probe branch from 55cd468 to f86b51e Compare October 11, 2023 11:21

AdamKorcz temporarily deployed to gitlab October 11, 2023 11:21 — with GitHub Actions Inactive

AdamKorcz had a problem deploying to integration-test October 11, 2023 11:21 — with GitHub Actions Failure

AdamKorcz temporarily deployed to gitlab October 11, 2023 11:36 — with GitHub Actions Inactive

AdamKorcz had a problem deploying to integration-test October 11, 2023 11:36 — with GitHub Actions Failure

AdamKorcz temporarily deployed to gitlab October 11, 2023 13:41 — with GitHub Actions Inactive

AdamKorcz temporarily deployed to integration-test October 11, 2023 13:42 — with GitHub Actions Inactive

AdamKorcz force-pushed the vulnerabilities-probe branch from 6745b35 to f75ff38 Compare October 11, 2023 13:49

AdamKorcz temporarily deployed to gitlab October 11, 2023 13:49 — with GitHub Actions Inactive

AdamKorcz had a problem deploying to integration-test October 24, 2023 21:35 — with GitHub Actions Failure

AdamKorcz force-pushed the vulnerabilities-probe branch from 23e051f to e9688ee Compare October 24, 2023 21:41

AdamKorcz temporarily deployed to gitlab October 24, 2023 21:41 — with GitHub Actions Inactive

AdamKorcz temporarily deployed to integration-test October 24, 2023 21:41 — with GitHub Actions Inactive

spencerschrock approved these changes Oct 24, 2023

View reviewed changes

checks/evaluation/vulnerabilities.go Outdated Show resolved Hide resolved

laurentsimon reviewed Oct 25, 2023

View reviewed changes

probes/hasOSVVulnerabilities/def.yml Show resolved Hide resolved

probes/hasOSVVulnerabilities/impl_test.go Show resolved Hide resolved

AdamKorcz added 10 commits October 25, 2023 10:58

🌱 convert vulnerabilities check to probe

9b9cefd

Signed-off-by: AdamKorcz <adam@adalogics.com>

rename probe + nits

078bd24

Signed-off-by: AdamKorcz <adam@adalogics.com>

edit def.yml

cb99709

Signed-off-by: AdamKorcz <adam@adalogics.com>

Add vuln ID dynamically to def.yml

4010f4b

Signed-off-by: AdamKorcz <adam@adalogics.com>

Elaborate the purpose of test data in unit test

cb08e67

Signed-off-by: AdamKorcz <adam@adalogics.com>

Move logging out of loop and change logic of negativeFindings()

c2b9a0b

Signed-off-by: AdamKorcz <adam@adalogics.com>

preserve number of vulns found in output

463c513

Signed-off-by: AdamKorcz <adam@adalogics.com>

Preserve grouping of vulns

1683b90

Signed-off-by: AdamKorcz <adam@adalogics.com>

fix linter issues

c36b5d1

Signed-off-by: AdamKorcz <adam@adalogics.com>

Add remediation data

eeced8d

Signed-off-by: AdamKorcz <adam@adalogics.com>

AdamKorcz force-pushed the vulnerabilities-probe branch from e9688ee to eeced8d Compare October 25, 2023 10:36

AdamKorcz temporarily deployed to gitlab October 25, 2023 10:36 — with GitHub Actions Inactive

AdamKorcz temporarily deployed to integration-test October 25, 2023 10:36 — with GitHub Actions Inactive

AdamKorcz temporarily deployed to gitlab October 25, 2023 10:40 — with GitHub Actions Inactive

AdamKorcz temporarily deployed to integration-test October 25, 2023 10:40 — with GitHub Actions Inactive

use checker.LogFindings()

e0ff285

Signed-off-by: AdamKorcz <adam@adalogics.com>

AdamKorcz force-pushed the vulnerabilities-probe branch from 67d44ff to e0ff285 Compare October 25, 2023 10:41

AdamKorcz temporarily deployed to gitlab October 25, 2023 10:41 — with GitHub Actions Inactive

AdamKorcz temporarily deployed to integration-test October 25, 2023 10:42 — with GitHub Actions Inactive

spencerschrock merged commit de022da into ossf:main Oct 25, 2023
38 checks passed

laurentsimon reviewed Oct 25, 2023

View reviewed changes

laurentsimon mentioned this pull request Oct 25, 2023

Fix URI in OSVVulnerability probe #3609

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

🌱 convert vulnerabilities check to probe #3487

🌱 convert vulnerabilities check to probe #3487

AdamKorcz commented Sep 18, 2023

codecov bot commented Sep 18, 2023 •

edited

Loading

AdamKorcz commented Oct 9, 2023

laurentsimon Oct 25, 2023 •

edited

Loading

spencerschrock Oct 25, 2023

laurentsimon Oct 25, 2023 •

edited

Loading

🌱 convert vulnerabilities check to probe #3487

🌱 convert vulnerabilities check to probe #3487

Conversation

AdamKorcz commented Sep 18, 2023

What kind of change does this PR introduce?

Which issue(s) this PR fixes

Special notes for your reviewer

Does this PR introduce a user-facing change?

codecov bot commented Sep 18, 2023 • edited Loading

Codecov Report

AdamKorcz commented Oct 9, 2023

laurentsimon Oct 25, 2023 • edited Loading

Choose a reason for hiding this comment

spencerschrock Oct 25, 2023

Choose a reason for hiding this comment

laurentsimon Oct 25, 2023 • edited Loading

Choose a reason for hiding this comment

codecov bot commented Sep 18, 2023 •

edited

Loading

laurentsimon Oct 25, 2023 •

edited

Loading

laurentsimon Oct 25, 2023 •

edited

Loading