From 26fe0ec2027d12f1be6bf743d7eb969fa6276920 Mon Sep 17 00:00:00 2001
From: Douglas Coburn
Date: Thu, 3 Oct 2024 07:35:56 -0700
Subject: [PATCH 1/2] Fixed issue where diff scan was running when there were no changed manifest files
---
 socketsecurity/__init__.py | 2 +-
 socketsecurity/core/__init__.py | 1 -
 socketsecurity/socketcli.py | 44 ++++++++++++++++++---------------
 3 files changed, 25 insertions(+), 22 deletions(-)
diff --git a/socketsecurity/__init__.py b/socketsecurity/__init__.py
index 469804b..7e85bf6 100644
--- a/socketsecurity/__init__.py
+++ b/socketsecurity/__init__.py
@@ -1,2 +1,2 @@
 __author__ = 'socket.dev'
-__version__ = '1.0.24'
+__version__ = '1.0.26'
diff --git a/socketsecurity/core/__init__.py b/socketsecurity/core/__init__.py
index 538841e..66ff5f6 100644
--- a/socketsecurity/core/__init__.py
+++ b/socketsecurity/core/__init__.py
@@ -410,7 +410,6 @@ def find_files(path: str) -> list:
 Globs the path for supported manifest files.
 Note: Might move the source to a JSON file
 :param path: Str - path to where the manifest files are located
- :param files: override finding the manifest files using the glob matcher
 :return:
 """
 log.debug("Starting Find Files")
diff --git a/socketsecurity/socketcli.py b/socketsecurity/socketcli.py
index 2423aad..4a4242d 100644
--- a/socketsecurity/socketcli.py
+++ b/socketsecurity/socketcli.py
@@ -163,25 +163,27 @@ def output_console_comments(diff_report: Diff, sbom_file_name: str = None) -> None:
- console_security_comment = Messages.create_console_security_alert_table(diff_report)
- save_sbom_file(diff_report, sbom_file_name)
- log.info(f"Socket Full Scan ID: {diff_report.id}")
- if not report_pass(diff_report):
- log.info("Security issues detected by Socket Security")
- msg = f"\n{console_security_comment}"
- log.info(msg)
- if not blocking_disabled:
- sys.exit(1)
- else:
- log.info("No New Security issues detected by Socket Security")
+ if diff_report.id != "NO_DIFF_RAN":
+ console_security_comment = Messages.create_console_security_alert_table(diff_report)
+ save_sbom_file(diff_report, sbom_file_name)
+ log.info(f"Socket Full Scan ID: {diff_report.id}")
+ if not report_pass(diff_report):
+ log.info("Security issues detected by Socket Security")
+ msg = f"\n{console_security_comment}"
+ log.info(msg)
+ if not blocking_disabled:
+ sys.exit(1)
+ else:
+ log.info("No New Security issues detected by Socket Security")
 def output_console_json(diff_report: Diff, sbom_file_name: str = None) -> None:
- console_security_comment = Messages.create_security_comment_json(diff_report)
- save_sbom_file(diff_report, sbom_file_name)
- print(json.dumps(console_security_comment))
- if not report_pass(diff_report) and not blocking_disabled:
- sys.exit(1)
+ if diff_report.id != "NO_DIFF_RAN":
+ console_security_comment = Messages.create_security_comment_json(diff_report)
+ save_sbom_file(diff_report, sbom_file_name)
+ print(json.dumps(console_security_comment))
+ if not report_pass(diff_report) and not blocking_disabled:
+ sys.exit(1)
 def report_pass(diff_report: Diff) -> bool:
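Review bot: Both functions now return silently when `diff_report.id == "NO_DIFF_RAN"`, so in JSON mode nothing at all is written to stdout and a consumer that parses the output as JSON receives an empty document. Consider emitting an explicit skip marker in `output_console_json` (e.g. `print(json.dumps({"scan_skipped": True}))`, key name illustrative) and a `log.info("No manifest changes detected, scan skipped")` in `output_console_comments`, so the skipped run is distinguishable from a crash. The sentinel `"NO_DIFF_RAN"` is a bare string repeated here twice and again in main_code's `diff.id = "NO_DIFF_RAN"` assignment; a module-level `NO_DIFF_RAN = "NO_DIFF_RAN"` (or a boolean attribute on `Diff`) keeps the three uses in sync. `report_pass` starts on the last line of this hunk and continues outside it.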
@@ -299,7 +301,7 @@ def main_code():
 default_branch = scm.is_default_branch
 base_api_url = os.getenv("BASE_API_URL") or None
- core = Core(token=api_token, request_timeout=1200, base_api_url=base_api_url)
+ core = Core(token=api_token, request_timeout=1200, base_api_url=base_api_url, allow_unverified=allow_unverified)
 no_change = True
 if ignore_commit_files:
 no_change = False
@@ -319,7 +321,8 @@ def main_code():
 make_default_branch=default_branch,
 set_as_pending_head=set_as_pending_head
 )
- diff = None
+ diff = Diff()
+ diff.id = "NO_DIFF_RAN"
 if scm is not None and scm.check_event_type() == "comment":
 log.info("Comment initiated flow")
 log.debug(f"Getting comments for Repo {scm.repository} for PR {scm.pr_number}")
@@ -329,10 +332,11 @@ def main_code():
 elif scm is not None and scm.check_event_type() != "comment":
 log.info("Push initiated flow")
 diff: Diff
- diff = core.create_new_diff(target_path, params, workspace=target_path, no_change=no_change)
 if no_change:
- log.info("No dependency changes")
+ log.info("No manifest files changes, skipping scan")
+ # log.info("No dependency changes")
 elif scm.check_event_type() == "diff":
+ diff = core.create_new_diff(target_path, params, workspace=target_path, no_change=no_change)
 log.info("Starting comment logic for PR/MR event")
 log.debug(f"Getting comments for Repo {scm.repository} for PR {scm.pr_number}")
 comments = scm.get_comments_for_pr(repo, str(pr_number))
From 4f1a1ad2ceffada56ca07b4c02bd7b23ed349b62 Mon Sep 17 00:00:00 2001
From: Douglas Coburn
Date: Thu, 3 Oct 2024 11:59:37 -0700
Subject: [PATCH 2/2] Fixes for run time detection of changed files
---
 socketsecurity/__init__.py | 2 +-
 socketsecurity/core/__init__.py | 9 +++++----
 socketsecurity/core/classes.py | 9 +++++++--
 socketsecurity/core/github.py | 3 ++-
 socketsecurity/socketcli.py | 12 ++++++++++--
 5 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/socketsecurity/__init__.py b/socketsecurity/__init__.py
index 7e85bf6..f65493a 100644
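Review bot: `allow_unverified` is threaded into `Core` with no visible log line recording that it is on; if, as the name suggests, it relaxes TLS certificate verification for the API client, a silent opt-out is easy to leave enabled in a CI job. Where the flag is read (outside this hunk) add a warning such as `if allow_unverified: log.warning("allow_unverified is set; API certificate verification may be skipped")` so the condition shows up in the job log. The hunk does not show where `allow_unverified` is defined, so this assumes it comes from the CLI options parsed earlier in `main_code`. `main_code` starts before and ends after this hunk.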
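Review bot: `core.create_new_diff(...)` moves from running for every non-comment event to the `elif scm.check_event_type() == "diff":` branch only, so any later branch of this `elif` chain (a push-to-default-branch path, for instance) now sees the sentinel `Diff()` assigned in the previous hunk instead of a real scan unless it calls `create_new_diff` itself; the rest of the chain is outside this hunk, so please confirm that no other branch reads `diff`. The commented-out `# log.info("No dependency changes")` line should be removed rather than kept as dead code next to its replacement. `main_code` continues past the end of the hunk.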
--- a/socketsecurity/__init__.py
+++ b/socketsecurity/__init__.py
@@ -1,2 +1,2 @@
 __author__ = 'socket.dev'
-__version__ = '1.0.26'
+__version__ = '1.0.30'
diff --git a/socketsecurity/core/__init__.py b/socketsecurity/core/__init__.py
index 66ff5f6..c192a1b 100644
--- a/socketsecurity/core/__init__.py
+++ b/socketsecurity/core/__init__.py
@@ -749,10 +749,11 @@ def create_issue_alerts(package: Package, alerts: dict, packages: dict) -> dict:
 if alert.type in security_policy:
 action = security_policy[alert.type]['action']
 setattr(issue_alert, action, True)
- if issue_alert.key not in alerts:
- alerts[issue_alert.key] = [issue_alert]
- else:
- alerts[issue_alert.key].append(issue_alert)
+ if issue_alert.type != 'licenseSpdxDisj':
+ if issue_alert.key not in alerts:
+ alerts[issue_alert.key] = [issue_alert]
+ else:
+ alerts[issue_alert.key].append(issue_alert)
 return alerts
 @staticmethod
diff --git a/socketsecurity/core/classes.py b/socketsecurity/core/classes.py
index ad0ae85..8b93826 100644
--- a/socketsecurity/core/classes.py
+++ b/socketsecurity/core/classes.py
@@ -161,10 +161,15 @@ def __init__(self, **kwargs):
 if hasattr(self, "created_at"):
 self.created_at = self.created_at.strip(" (Coordinated Universal Time)")
- if not hasattr(self, "introduced_by"):
- self.introduced_by = []
 if not hasattr(self, "manifests"):
 self.manifests = ""
+ if not hasattr(self, "introduced_by"):
+ self.introduced_by = []
+ else:
+ for item in self.introduced_by:
+ pkg, manifest = item
+ self.manifests += f"{manifest};"
+ self.manifests = self.manifests.rstrip(";")
 if not hasattr(self, "error"):
 self.error = False
 if not hasattr(self, "warn"):
diff --git a/socketsecurity/core/github.py b/socketsecurity/core/github.py
index bb0c136..bd24339 100644
--- a/socketsecurity/core/github.py
+++ b/socketsecurity/core/github.py
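Review bot: Alerts of type `'licenseSpdxDisj'` are now dropped before they reach `alerts`, and neither the code nor the commit message says why that type is excluded; since this silently removes a class of findings from the report, it needs a why-comment on the guard and a line in the changelog. Lifting the literal into a module-level `SKIPPED_ALERT_TYPES = {'licenseSpdxDisj'}` and writing `if issue_alert.type not in SKIPPED_ALERT_TYPES:` makes the exclusion discoverable and easy to extend. The policy `setattr(issue_alert, action, True)` on the context line above still runs for an alert that is then discarded; if the loop body allows it, a `continue` before the policy lookup would avoid the wasted work. `create_issue_alerts` starts before and ends after this hunk.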
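Review bot: In the `else` branch `self.manifests += f"{manifest};"` appends directly to whatever `manifests` already held, so a pre-populated value and the first `introduced_by` manifest run together with no separator (`"a.json"` followed by `"b.json;"` yields `"a.jsonb.json"`, constructed example). The loop also binds `pkg` without using it and assumes every `introduced_by` entry is a 2-item pair, raising `ValueError` otherwise, which the hunk does not guard or document. Building the value with `join` removes the separator bug and the trailing `rstrip`; the shape of `introduced_by` entries still deserves a comment since nothing here pins it down. `__init__` starts before and ends after this hunk.
```python
            if not hasattr(self, "introduced_by"):
                self.introduced_by = []
            else:
                # Join any pre-set value and each introduced_by manifest with ';'.
                parts = [self.manifests] if self.manifests else []
                parts.extend(manifest for _pkg, manifest in self.introduced_by)
                self.manifests = ";".join(parts)
```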
@@ -116,7 +116,8 @@ def check_event_type() -> str:
 else:
 event_type = "diff"
 elif github_event_name.lower() == "pull_request":
- if event_action is not None and event_action != "" and event_action.lower() == "opened":
+ if event_action is not None and event_action != "" and (
+ event_action.lower() == "opened" or event_action.lower() == 'synchronize'):
 event_type = "diff"
 else:
 log.info(f"Pull Request Action {event_action} is not a supported type")
diff --git a/socketsecurity/socketcli.py b/socketsecurity/socketcli.py
index 4a4242d..d89d9f1 100644
--- a/socketsecurity/socketcli.py
+++ b/socketsecurity/socketcli.py
@@ -167,12 +167,16 @@ def output_console_comments(diff_report: Diff, sbom_file_name: str = None) -> No
 console_security_comment = Messages.create_console_security_alert_table(diff_report)
 save_sbom_file(diff_report, sbom_file_name)
 log.info(f"Socket Full Scan ID: {diff_report.id}")
- if not report_pass(diff_report):
+ if len(diff_report.new_alerts) > 0:
 log.info("Security issues detected by Socket Security")
 msg = f"\n{console_security_comment}"
 log.info(msg)
- if not blocking_disabled:
+ if not report_pass(diff_report) and not blocking_disabled:
 sys.exit(1)
+ else:
+ # Means only warning alerts with no blocked
+ if not blocking_disabled:
+ sys.exit(5)
 else:
 log.info("No New Security issues detected by Socket Security")
@@ -184,6 +188,9 @@ def output_console_json(diff_report: Diff, sbom_file_name: str = None) -> None:
 print(json.dumps(console_security_comment))
 if not report_pass(diff_report) and not blocking_disabled:
 sys.exit(1)
+ elif len(diff_report.new_alerts) > 0 and not blocking_disabled:
+ # Means only warning alerts with no blocked
+ sys.exit(5)
 def report_pass(diff_report: Diff) -> bool:
@@ -306,6 +313,7 @@ def main_code():
 if ignore_commit_files:
 no_change = False
 elif is_repo and files is not None and len(files) > 0:
+ log.info(files)
 no_change = core.match_supported_files(files)
 set_as_pending_head = False
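Review bot: The new condition mixes quote styles (`"opened"` against `'synchronize'`) and evaluates `event_action.lower()` twice across a wrapped line; `if event_action and event_action.lower() in ("opened", "synchronize"):` says the same thing on one line, since `is not None and != ""` is exactly the truthiness test for a string. A short comment stating why only these two pull-request actions start a diff scan would also help, as a reader cannot tell from here whether other actions are excluded on purpose. `check_event_type` starts before and ends after this hunk.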
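Review bot: Exit status 5 appears here and in the `output_console_json` hunk below as a bare magic number, with nothing documenting that 1 now means blocking alerts and 5 means warning-only alerts; CI pipelines key on these codes, so name them at module level (`EXIT_BLOCKING = 1`, `EXIT_WARNINGS_ONLY = 5`) and record the new code in the README or changelog. The comment `# Means only warning alerts with no blocked` is not accurate on its own: that `else` is also reached when blocking alerts exist but `blocking_disabled` is set, and only the inner `if not blocking_disabled` keeps that case from exiting 5. The two nested branches collapse to `if not blocking_disabled: sys.exit(1 if not report_pass(diff_report) else 5)` placed directly under `log.info(msg)`, which makes the intent readable without the comment. `output_console_comments` starts before this hunk, inside the `if diff_report.id != "NO_DIFF_RAN":` guard added by the previous patch.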
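Review bot: `log.info(files)` prints the raw changed-file list at INFO level on every run with no label, which reads as leftover debugging output rather than an intended message. Either drop it or make it `log.debug("Changed files: %s", files)` so it sits with the other debug lines and stays out of normal CI output. `main_code` continues on both sides of this hunk.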