Add package vulnerability reporting API #9552
Conversation
|
/cc @di @oliverchang |
|
Tests are passing, but <100% coverage. Please direct hatred at the changelist |
|
Woo, I'm seeing a lot of interactions with the Token Disclosure code I contributed :)
|
dekkagaijin
force-pushed
the
vulnz-api
branch
7 times, most recently
from
683ff3d
to
3f01152
Compare
|
/assign @di |
|
@di This is in a reviewable state, at least for a first pass. I'll be adding more using tests for 100% coverage of what exists and modeling retrieve_public_key_payload and extract_public_keys after what exists or the token leak API |
warehouse/packaging/models.py
Outdated
| vulnerabilities = orm.relationship( | ||
| Vulnerability, | ||
| backref="releases", | ||
| secondary=lambda: release_vulnerabilities, | ||
| passive_deletes=True, | ||
| ) | ||
|
|
There was a problem hiding this comment.
Should probably define this on the Vulnerability model instead.
There was a problem hiding this comment.
Would we not want both?
| class VulnerabilityReport: | ||
| def __init__( | ||
| self, | ||
| project: str, | ||
| versions: List[str], | ||
| vulnerability_id: str, | ||
| advisory_link: str, | ||
| aliases: List[str], | ||
| ): |
There was a problem hiding this comment.
I think we can probably condense the Vulnerability database model and this class into a single class. The class can also live at warehouse/integrations/vulnerabilities/models.py instead, and be imported into warehouse.packaging.models.
There was a problem hiding this comment.
As in, do the model representation, report validating, and DB interaction in a single class?
dekkagaijin
force-pushed
the
vulnz-api
branch
3 times, most recently
from
e912f0b
to
1f71f43
Compare
dekkagaijin
force-pushed
the
vulnz-api
branch
8 times, most recently
from
14e463d
to
2eb2332
Compare
|
@di I'm still finishing up the last few test cases, but please TAL |
dekkagaijin
force-pushed
the
vulnz-api
branch
3 times, most recently
from
f10a17f
to
2e7d51a
Compare
dekkagaijin
changed the title
|
|
||
| def test_retrieve_public_key_payload_json_error(self): | ||
| response = pretend.stub( | ||
| text="Still a non-json teapot", |
There was a problem hiding this comment.
(Is it bad that I laughed at this given this is a copy of a joke I made :D ) (👍)(🍵)
|
(Finished this round of review. I forgot to make a general comment. I appreciate that there was a lot of code inspired from my PR, but if we need to do this a 3rd time, I'm afraid that will start to make quite a lot of duplication. This is by no means a way to block this PR (https://en.wikipedia.org/wiki/Rule_of_three_(computer_programming)) but we can think already about how we can avoid duplicating that much code next time) |
dekkagaijin
force-pushed
the
vulnz-api
branch
2 times, most recently
from
76e70ff
to
91ae897
Compare
Tagging? |
see the comment that is in reply to #9552 (comment) |
Signed-off-by: Jake Sanders <jsand@google.com>
Signed-off-by: Jake Sanders <jsand@google.com>
…tructor Signed-off-by: Jake Sanders <jsand@google.com>
done |
| revision = "1dbb95161e5a" | ||
| down_revision = "08ccc59d9857" | ||
|
|
||
| # Note: It is VERY important to ensure that a migration does not lock for a |
There was a problem hiding this comment.
comment(s) from template can be removed (not critical)
|
|
||
|
|
||
| def downgrade(): | ||
| # ### commands auto generated by Alembic - please adjust! ### |
There was a problem hiding this comment.
comment(s) from template can be removed (not critical)
|
|
||
|
|
||
| def upgrade(): | ||
| # ### commands auto generated by Alembic - please adjust! ### |
There was a problem hiding this comment.
comment(s) from template can be removed (not critical)
| def analyze_vulnerability(request, vulnerability_report, origin, metrics): | ||
| metrics.increment("warehouse.vulnerabilities.received", tags=[f"origin:{origin}"]) | ||
| try: | ||
| _analyze_vulnerability( |
There was a problem hiding this comment.
let's wrap this call in with metrics.timed('warehouse.vulnerabilities.analysis', tags=[f"origin:{origin}"]):
this will emit timing metrics so we can keep tabs on this programatically.
There was a problem hiding this comment.
done, good idea
Signed-off-by: Jake Sanders <jsand@google.com>
Signed-off-by: Jake Sanders <jsand@google.com>
* Add package vulnerability reporting API Signed-off-by: Jake Sanders <jsand@google.com> * genericize vuln report handling, split osv into a subpackage Signed-off-by: Jake Sanders <jsand@google.com> * use kwargs instead of positionals for VulnerabilityReportRequest constructor Signed-off-by: Jake Sanders <jsand@google.com> * use tags rather than namespacing metrics by origin * also load all releases when loading vulnerability records * add description for vuln report model columns * remove comments from vulnerability migration Signed-off-by: Jake Sanders <jsand@google.com> * instrument `_analyze_vulnerability` Signed-off-by: Jake Sanders <jsand@google.com> Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
PyPI today does not store information about known vulnerabilities. We’d like to build the necessary changes such that known vulnerabilities can be associated with package releases. The ultimate goal is that users of “pip” will be automatically warned if their dependencies are vulnerable.
See: #9407, https://discuss.python.org/t/proposing-a-community-maintained-database-of-pypi-package-vulnerabilities/8374
Signed-off-by: Jake Sanders jsand@google.com