fix: GHES intergration (#51)

* separate get deps graph api call to support gh versions that dont support it

internal/collected/github/repository.go

@@ -28,17 +28,16 @@ type GitHubQLRepositoryCollaborators struct {
 }
 
 type GitHubQLRepository struct {
-	Name                     string `json:"name"`
-	RebaseMergeAllowed       bool
-	Url                      string
-	DatabaseId               int64
-	IsPrivate                bool                              `json:"is_private"`
-	ForkingAllowed           bool                              `json:"allow_forking"`
-	IsArchived               bool                              `json:"is_archived"`
-	DefaultBranchRef         *GitHubQLBranch                   `json:"default_branch"`
-	DependencyGraphManifests *GitHubQLDependencyGraphManifests `json:"dependency_graph_manifests" graphql:"dependencyGraphManifests(first: 1)"`
-	PushedAt                 *githubv4.DateTime                `json:"pushed_at"`
-	ViewerPermission         string                            `json:"viewerPermission"`
+	Name               string `json:"name"`
+	RebaseMergeAllowed bool
+	Url                string
+	DatabaseId         int64
+	IsPrivate          bool               `json:"is_private"`
+	ForkingAllowed     bool               `json:"allow_forking"`
+	IsArchived         bool               `json:"is_archived"`
+	DefaultBranchRef   *GitHubQLBranch    `json:"default_branch"`
+	PushedAt           *githubv4.DateTime `json:"pushed_at"`
+	ViewerPermission   string             `json:"viewerPermission"`
 }
 
 type GitHubQLBranchProtectionRule struct {
@@ -64,13 +63,14 @@ type GitHubQLBranch struct {
 }
 
 type Repository struct {
-	Repository                   *GitHubQLRepository     `json:"repository"`
-	VulnerabilityAlertsEnabled   *bool                   `json:"vulnerability_alerts_enabled"`
-	NoBranchProtectionPermission bool                    `json:"no_branch_protection_permission"`
-	Scorecard                    *scorecard.Result       `json:"scorecard,omitempty"`
-	Hooks                        []*github.Hook          `json:"hooks"`
-	Collaborators                []*github.User          `json:"collaborators"`
-	ActionsTokenPermissions      *types.TokenPermissions `json:"actions_token_permissions"`
+	Repository                   *GitHubQLRepository               `json:"repository"`
+	VulnerabilityAlertsEnabled   *bool                             `json:"vulnerability_alerts_enabled"`
+	NoBranchProtectionPermission bool                              `json:"no_branch_protection_permission"`
+	Scorecard                    *scorecard.Result                 `json:"scorecard,omitempty"`
+	Hooks                        []*github.Hook                    `json:"hooks"`
+	Collaborators                []*github.User                    `json:"collaborators"`
+	ActionsTokenPermissions      *types.TokenPermissions           `json:"actions_token_permissions"`
+	DependencyGraphManifests     *GitHubQLDependencyGraphManifests `json:"dependency_graph_manifests"`
 }
 
 func (r Repository) ViolationEntityType() string {

internal/collectors/repository_collector.go

@@ -259,27 +259,32 @@ func (rc *repositoryCollector) collectExtraData(login string,
 		Repository: repository,
 	}
 
-	repo, err = rc.getVulnerabilityAlerts(repo, login)
+	repo, err = rc.withVulnerabilityAlerts(repo, login)
 	if err != nil {
 		// If we can't get vulnerability alerts, rego will ignore it (as nil)
 		log.Printf("error getting vulnerability alerts for %s: %s", fullRepoName(login, repo.Repository.Name), err)
 	}
 
-	repo, err = rc.getRepositoryHooks(repo, login)
+	repo, err = rc.withRepositoryHooks(repo, login)
 	if err != nil {
 		log.Printf("error getting repository hooks for %s: %s", fullRepoName(login, repo.Repository.Name), err)
 	}
 
-	repo, err = rc.getRepoCollaborators(repo, login)
+	repo, err = rc.withRepoCollaborators(repo, login)
 	if err != nil {
 		log.Printf("error getting repository collaborators for %s: %s", fullRepoName(login, repo.Repository.Name), err)
 	}
 
-	repo, err = rc.getActionsSettings(repo, login)
+	repo, err = rc.withActionsSettings(repo, login)
 	if err != nil {
 		log.Printf("error getting repository actions settings for %s: %s", fullRepoName(login, repo.Repository.Name), err)
 	}
 
+	repo, err = rc.withDependencyGraphManifestsCount(repo, login)
+	if err != nil {
+		log.Printf("error getting repository dependency manifests for %s: %s", fullRepoName(login, repo.Repository.Name), err)
+	}
+
 	if context.IsBranchProtectionSupported() {
 		repo, err = rc.fixBranchProtectionInfo(repo, login)
 		if err != nil {
@@ -303,7 +308,31 @@ func (rc *repositoryCollector) collectExtraData(login string,
 	return repo
 }
 
-func (rc *repositoryCollector) getActionsSettings(repo ghcollected.Repository, org string) (ghcollected.Repository, error) {
+func (rc *repositoryCollector) withDependencyGraphManifestsCount(repo ghcollected.Repository, org string) (ghcollected.Repository, error) {
+	var dependencyGraphQuery struct {
+		RepositoryOwner struct {
+			Repository struct {
+				DependencyGraphManifests *ghcollected.GitHubQLDependencyGraphManifests `json:"dependency_graph_manifests" graphql:"dependencyGraphManifests(first: 1)"`
+			} `graphql:"repository(name: $name)"`
+		} `graphql:"repositoryOwner(login: $login)"`
+	}
+
+	variables := map[string]interface{}{
+		"login": githubv4.String(org),
+		"name":  githubv4.String(repo.Name()),
+	}
+
+	err := rc.Client.GraphQLClient().Query(rc.Context, &dependencyGraphQuery, variables)
+
+	if err != nil {
+		return repo, err
+	}
+
+	repo.DependencyGraphManifests = dependencyGraphQuery.RepositoryOwner.Repository.DependencyGraphManifests
+	return repo, nil
+}
+
+func (rc *repositoryCollector) withActionsSettings(repo ghcollected.Repository, org string) (ghcollected.Repository, error) {
 	settings, err := rc.Client.GetActionsTokenPermissionsForRepository(org, repo.Name())
 	if err != nil {
 		perm := newMissingPermission(permissions.RepoAdmin, fullRepoName(org, repo.Repository.Name),
@@ -315,7 +344,7 @@ func (rc *repositoryCollector) getActionsSettings(repo ghcollected.Repository, o
 	return repo, nil
 }
 
-func (rc *repositoryCollector) getRepositoryHooks(repo ghcollected.Repository, org string) (ghcollected.Repository, error) {
+func (rc *repositoryCollector) withRepositoryHooks(repo ghcollected.Repository, org string) (ghcollected.Repository, error) {
 	var result []*github.Hook
 
 	err := ghclient.PaginateResults(func(opts *github.ListOptions) (*github.Response, error) {
@@ -342,7 +371,7 @@ func (rc *repositoryCollector) getRepositoryHooks(repo ghcollected.Repository, o
 	return repo, nil
 }
 
-func (rc *repositoryCollector) getVulnerabilityAlerts(repo ghcollected.Repository, org string) (ghcollected.Repository, error) {
+func (rc *repositoryCollector) withVulnerabilityAlerts(repo ghcollected.Repository, org string) (ghcollected.Repository, error) {
 	enabled, _, err := rc.Client.Client().Repositories.GetVulnerabilityAlerts(rc.Context, org, repo.Repository.Name)
 
 	if err != nil {
@@ -354,7 +383,7 @@ func (rc *repositoryCollector) getVulnerabilityAlerts(repo ghcollected.Repositor
 	return repo, nil
 }
 
-func (rc *repositoryCollector) getRepoCollaborators(repo ghcollected.Repository, org string) (ghcollected.Repository, error) {
+func (rc *repositoryCollector) withRepoCollaborators(repo ghcollected.Repository, org string) (ghcollected.Repository, error) {
 	users, _, err := rc.Client.Client().Repositories.ListCollaborators(rc.Context, org, repo.Repository.Name, &github.ListCollaboratorsOptions{})
 
 	if err != nil {
@@ -404,7 +433,7 @@ func (rc *repositoryCollector) fixBranchProtectionInfo(repository ghcollected.Re
 }
 
 func (rc *repositoryCollector) checkMissingPermissions(repo ghcollected.Repository, entityName string) []missingPermission {
-	missingPermissions := []missingPermission{}
+	var missingPermissions []missingPermission
 	if repo.NoBranchProtectionPermission {
 		effect := "Cannot read repository branch protection information"
 		perm := newMissingPermission(permissions.RepoAdmin, entityName, effect, namespace.Repository)

policies/github/repository.rego

@@ -322,7 +322,7 @@ vulnerability_alerts_not_enabled {
 #      - "A user can add dependencies to vulnerable third-party dependencies therefore introducing vulnerabilities to your application."
 default ghas_dependency_review_not_enabled = false
 ghas_dependency_review_not_enabled {
-    input.repository.dependency_graph_manifests.total_count == 0
+    input.dependency_graph_manifests.total_count == 0
 }
 
 # METADATA

test/repository_test.go

@@ -16,11 +16,15 @@ func repositoryTestTemplate(t *testing.T, name string, mockData interface{}, tes
 
 var bools = []bool{true, false}
 
-func makeRepo(repo githubcollected.GitHubQLRepository) githubcollected.Repository {
+func makeRepoWithDeps(repo githubcollected.GitHubQLRepository, deps *githubcollected.GitHubQLDependencyGraphManifests) githubcollected.Repository {
 	return githubcollected.Repository{
-		Repository: &repo,
+		Repository:               &repo,
+		DependencyGraphManifests: deps,
 	}
 }
+func makeRepo(repo githubcollected.GitHubQLRepository) githubcollected.Repository {
+	return makeRepoWithDeps(repo, &githubcollected.GitHubQLDependencyGraphManifests{})
+}
 
 func makeRepoForBranch(branch githubcollected.GitHubQLBranch) githubcollected.Repository {
 	return makeRepo(githubcollected.GitHubQLRepository{
@@ -241,12 +245,9 @@ func TestRepositoryDepGraph(t *testing.T) {
 	name := "repository should have github advanced security disabled"
 	testedPolicyName := "ghas_dependency_review_not_enabled"
 	makeMockData := func(count int) githubcollected.Repository {
-		return makeRepo(githubcollected.GitHubQLRepository{
-			Name: "REPO",
-			DependencyGraphManifests: &githubcollected.GitHubQLDependencyGraphManifests{
-				TotalCount: count,
-			},
-		})
+		return makeRepoWithDeps(githubcollected.GitHubQLRepository{Name: "REPO"},
+			&githubcollected.GitHubQLDependencyGraphManifests{TotalCount: count},
+		)
 	}
 
 	counts := []int{