This repository has been archived by the owner on Jan 27, 2023. It is now read-only.
Multiple policy bundle dirs #862
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dspalmer99
force-pushed
the
multiple_policy_bundle_dirs
branch
from
e9d4a41
to
b81e3d6
Compare
dspalmer99
changed the title
dspalmer99
commented
Jan 26, 2021
| def register_policy_bundle_source_dir(source_dir): | ||
| global POLICY_BUNDLE_SOURCE_DIRS | ||
| POLICY_BUNDLE_SOURCE_DIRS.append(source_dir) | ||
| load_policy_bundle_paths() |
There was a problem hiding this comment.
I'd like to refactor this to not have this extra call here, but as the config/bootstrapping currently exists this is necessary because in
anchore-engine/anchore_engine/twisted.py
Line 217 in e4d21c6
load_policy_bundle_paths() below is called before the service is initialized, so if the service adds policy bundles to the config object via a handler it will be to late, even if with a pre_config handler.
This is maybe slightly hacky, but multiple calls to load_policy_bundle_paths() will have no effect on existing bundles in the case where subsequent calls are just adding more bundles.
alfredodeza
reviewed
Jan 26, 2021
Comment on lines
197
to
201
| if ( | ||
| src_dirs is not None | ||
| and len(src_dirs) > 0 | ||
| and policy_bundles_dir is not None | ||
| ): |
There was a problem hiding this comment.
in Python a None or an empty data structure like a list, will evaluate to False so this could be:
Suggested change
| if ( | |
| src_dirs is not None | |
| and len(src_dirs) > 0 | |
| and policy_bundles_dir is not None | |
| ): | |
| if policy_bundles_dir is not None and src_dirs: |
There was a problem hiding this comment.
In that case, couldn't it also further be simplified to if policy_bundles_dir and src_dirs: ?
There was a problem hiding this comment.
I wasn't sure what policy_bundles_dir were (was not clear if that was a list as well). Sometimes the logic may want to really ensure it isn't a None so that is valid. If you know that it doesn't need to check for a None just if it is empty, then your suggestion works!
| } | ||
| ) | ||
| copy_config_file(file, file_name, src_dir) | ||
| except Exception as e: |
There was a problem hiding this comment.
what exception are we catching here?
There was a problem hiding this comment.
Looking through the commit history, it looks like it was originally intended to catch an exception in the line you called out above.
There was a problem hiding this comment.
Right. I mean, it is catching any exception that may show up. If this is existing code, feel free to ignore. For reference, this issue captures the problems with broad exceptions: #867
There was a problem hiding this comment.
Yeah I had looked at 867 this morning. Totally agree that making that more targeted is a good thing to do, but this is existing code.
| for src_dir in src_dirs: | ||
| for file_name in os.listdir(src_dir): | ||
| try: | ||
| file = os.path.join(policy_bundles_dir_full_path, file_name) |
There was a problem hiding this comment.
this line will probably not bubble up an exception
There was a problem hiding this comment.
From the docs it doesn't look like it does. I'll simplify.
| ) | ||
| copy_config_file(file, file_name, src_dir) | ||
| except Exception as e: | ||
| logger.warn( |
There was a problem hiding this comment.
using logger.warn eats the traceback. Are we trying to fully obscure the traceback?
| assert len(config["policy_bundles"]) == len(config_filenames) | ||
| for config_filename in config_filenames: | ||
| assert len(config["policy_bundles"]) == len(config_filenames_flat) | ||
| for config_filename in config_filenames_flat: |
There was a problem hiding this comment.
I know you aren't adding this change in the PR, but loops in tests are not good because they don't allow to see the failures in each item of the loop
There was a problem hiding this comment.
I agree that could be refactored but I'm not sure I want to pick that up as part of this PR. Also, when this failed on me (occasionally) during dev it tended to be all or nothing. Not saying that would always be the case though.
Signed-off-by: Daniel Palmer <dan.palmer@anchore.com>
Signed-off-by: Daniel Palmer <dan.palmer@anchore.com>
Signed-off-by: Daniel Palmer <dan.palmer@anchore.com>
Signed-off-by: Daniel Palmer <dan.palmer@anchore.com>
Signed-off-by: Daniel Palmer <dan.palmer@anchore.com>
Signed-off-by: Daniel Palmer <dan.palmer@anchore.com>
dspalmer99
force-pushed
the
multiple_policy_bundle_dirs
branch
from
afc1617
to
b81ed55
Compare
|
Thanks for the feedback @alfredodeza . I've made the changes you asked for, and added a little extra logging and another test as well. |
|
I'm going to squash-merge this since it's into the release branch and has 10 commits many of which are linting updates. |
|
Ack, thanks @zhill |
robertp
pushed a commit
that referenced
this pull request
Feb 3, 2021
* Allow for localconfig to read policy bundles from multiple dirs. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Expect fully-qualifed policy bundle dirs. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Reload policy bundle from file whenever a new bundle dir is added. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Linting Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Linting, again. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Linting commas Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Fix test. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Code review comments, add some extra logging and another test. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Linting Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> Signed-off-by: Robert Prince <robert.prince@anchore.com>
robertp
pushed a commit
that referenced
this pull request
Feb 3, 2021
* Allow for localconfig to read policy bundles from multiple dirs. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Expect fully-qualifed policy bundle dirs. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Reload policy bundle from file whenever a new bundle dir is added. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Linting Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Linting, again. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Linting commas Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Fix test. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Code review comments, add some extra logging and another test. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Linting Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> Signed-off-by: Robert Prince <robert.prince@anchore.com>
dakaneye
pushed a commit
that referenced
this pull request
Mar 10, 2021
* Allow for localconfig to read policy bundles from multiple dirs. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Expect fully-qualifed policy bundle dirs. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Reload policy bundle from file whenever a new bundle dir is added. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Linting Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Linting, again. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Linting commas Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Fix test. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Code review comments, add some extra logging and another test. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Linting Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com>
robertp
pushed a commit
that referenced
this pull request
Mar 11, 2021
* Improve the message and description for vulnerability_data_unavailable and stale_feed_data triggers in the vulnerabilities gate. Fixes #879 Signed-off-by: Zach Hill <zach@anchore.com> * Bump version numbers for 0.9.1 Signed-off-by: Robert Prince <robert.prince@anchore.com> * Multiple policy bundle dirs (#862) * Allow for localconfig to read policy bundles from multiple dirs. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Expect fully-qualifed policy bundle dirs. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Reload policy bundle from file whenever a new bundle dir is added. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Linting Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Linting, again. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Linting commas Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Fix test. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Code review comments, add some extra logging and another test. Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Linting Signed-off-by: Daniel Palmer <dan.palmer@anchore.com> * Fix method name to match parent class Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com> * Removed ui from swagger url Signed-off-by: Zane Burstein <zane.burstein@anchore.com> * Add ability to support multiple grant types for the oauth client Signed-off-by: Zach Hill <zach@anchore.com> * Update Dockerfile to use UBI 8.3. Fixes #888 Signed-off-by: Zach Hill <zach@anchore.com> * Update CHANGELOG.md for 0.9.1 Signed-off-by: Zach Hill <zach@anchore.com> * Fix confusing typo in changelog Signed-off-by: Zach Hill <zach@anchore.com> * Update syft to v0.12.5 Signed-off-by: Dan Luhring <dan.luhring@anchore.com> * add bundles/ dir to anchore_service_dir Signed-off-by: Brady Todhunter <bradyt@anchore.com> * Updates to vulnerability listing dedup logic - prioritize vulnerabilities from other namespaces over nvd out vulnerabilities - filter duplicates Fixes #893 Signed-off-by: Swathi Gangisetty <swathi@anchore.com> * Set the python package location according to the package key, which is the absolute path (#895) Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com> * Update the scanner config method in policy engine for providing overr… (#896) * Update the scanner config method in policy engine for providing overridable functions for vuln and cpe results. Adds use of that in the vulnerability policy gate Signed-off-by: Zach Hill <zach@anchore.com> * first draft at a dedup pass Signed-off-by: Swathi Gangisetty <swathi@anchore.com> * Try to load Policy Engine ImageCpes from syft generated cpes, with fallback to fuzzy matching Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com> * Add unit test for loader paths Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com> * include update and meta into cpe comparison Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com> * fix return type Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com> * Unit tests for cpe comparisons used for vulnerability dedup Signed-off-by: Swathi Gangisetty <swathi@anchore.com> * Downgrade empty content log message to debug level Signed-off-by: Swathi Gangisetty <swathi@anchore.com> * tests: change previous invalid schema for integers/floats According to draft-6 which the new jsonschema supports 1.0 is considered an integer. Relevant doc from the draft: In draft-04, "integer" is listed as a primitive type and defined as “a JSON number without a fraction or exponent part”; in draft-06, "integer" is not considered a primitive type and is only defined in the section for keyword "type" as “any number with a zero fractional part”; 1.0 is thus not a valid "integer" type in draft-04 and earlier, but is a valid "integer" type in draft-06 and later; note that both drafts say that integers SHOULD be encoded in JSON without fractional parts Link https://json-schema.org/draft-06/json-schema-release-notes.html Signed-off-by: Alfredo Deza <adeza@anchore.com> (cherry picked from commit 2f859a1) * requirements: bump jsonschema to avoid legacy validator import issues Signed-off-by: Alfredo Deza <adeza@anchore.com> (cherry picked from commit 99dcb10) * Update syft to 0.12.7 to fix analysis failure due to syft parsing issue. Fixes #910 Signed-off-by: Zach Hill <zach@anchore.com> * Update cryptography lib to 3.3.2 from 3.3.1. Fixes #909 Signed-off-by: Zach Hill <zach@anchore.com> * add package filtering by relationships Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * Fix the client metadata merge process during oauth init. Fixes #931 Signed-off-by: Zach Hill <zach@anchore.com> * Bump version Signed-off-by: Robert Prince <robert.prince@anchore.com> * Add default admin pw to e2e test values file Signed-off-by: Robert Prince <robert.prince@anchore.com> * Make sure to return content correctly for manifest and dockerfile content types Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com> * [docs] 0.9.2 release notes and changelog updates. includes missing release notes for 0.9.1 (#939) Updates CHANGELOG for 0.9.2 and adds 0.9.1 and 0.9.2 release notes Also fixes ordering problem in release notes page Signed-off-by: Zach Hill <zach@anchore.com> * Update Quickstart Docker-Compose image tag to v0.9.2 Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com> * Iterate API patch version 0.1.16->0.1.17 Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com> * Add distro mapping from "redhat" to "rhel" for vuln matching Signed-off-by: Zach Hill <zach@anchore.com> * Adds distro mapper in import path to ensure rhel instead of redhat distro name Signed-off-by: Zach Hill <zach@anchore.com> * Fix integration tests that used redhat as a negative test example Signed-off-by: Zach Hill <zach@anchore.com> Co-authored-by: Zach Hill <zach@anchore.com> Co-authored-by: Dan Palmer <dan.palmer@anchore.com> Co-authored-by: Samuel Dacanay <sam.dacanay@anchore.com> Co-authored-by: Zane Burstein <zane.burstein@anchore.com> Co-authored-by: Dan Luhring <dan.luhring@anchore.com> Co-authored-by: Brady Todhunter <bradyt@anchore.com> Co-authored-by: Swathi Gangisetty <swathi@anchore.com> Co-authored-by: Alfredo Deza <adeza@anchore.com> Co-authored-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR updates localconfig to allow multiple folly-qualified dirs containing policy bundles to be passed in during bootstrap.