Add basic support for PR vulnerability scanning #899
Conversation
|
CC @lukehinds @JAORMX for the demo |
|
Awesome, I'll test this out in the morning |
|
Note that at the moment you need to submit the PR as a different identity that the one who enrolled repos in mediator - GH API won't let you review your own code. I'll address that in a follow up |
| ) | ||
|
|
||
| // NewRuleEvaluator creates a new rule data evaluator | ||
| func NewRuleEvaluator(rt *pb.RuleType) (engif.Evaluator, error) { | ||
| func NewRuleEvaluator(rt *pb.RuleType, cli ghclient.RestAPI) (engif.Evaluator, error) { |
There was a problem hiding this comment.
Not a fan of this, but we can refactor it out later.
There was a problem hiding this comment.
me neither, but at leat the client was already passed to the ingester, so we don't add a new parameter to the top-level policy eval, but just reuse a param that was pointed to the ingester.
Just defines a bunch of type in our protobuf API that would be used later to handle pull requests.
Extens the entity handling machinery to handle pull request types and the associated protobuf type so that we can pass around internal events describing pull requests.
We'll need these methods later when we deal with PRs
Adds a new handler that at the moment only listens to PRs being opened, extracts the needed information and passes that info by executing an internal event.
…tity
Run with:
```
AUTH_TOKEN="sikrit" go run cmd/dev/main.go rule \
--policy examples/github/policies/pr_vuln_check.yaml \
--rule-type examples/github/rule-types/pr_vulnerability_check.yaml \
--entity examples/github/pull_request.yaml
```
The PR diff ingester sorts out PR files into those that match a name for a specific package ecosystem and returns a list of files for a given ecosystem.
It was recommended during review that we keep all the policies in one file.
|
I'm fine with merging this as is and iterating on top |
great, thanks. btw the code in this PR should be quite self-contained (should..famous last words) so I hope it wouldn't break anything if merged. That said, @lukehinds would you prefer to land a large PR like this after Tuesday to keep main stable? |
This PR adds support for scanning pull requests for vulnerabilities. The
idea and PoC implementation was Luke's, I took his PoC code and wrapped it in
mediator's policy engine.
At the moment, only NPM is supported as far as package ecosystems go and
only OSV is supported as the package database but the rules are designed
to be pluggable.
Note that I didn't have much (any) time to read the code and prettify it after I had written the code.
I'm submitting the PR so that it can be useful for a mediator demo in the
near future. There are also almost no tests and several TODOs sprinkled
around, but the code as-is works and can be used to show the feature.
To test the feature, create the appropriate rule_type and the rule (see
examples/github/policies/pr_vuln_check.yaml), then enroll a repoand open a PR with a vulnerability (see
jakubtestorg/bad-npm#5 for an example)
Fixes: #833
Fixes: #835
Fixes: #836
Fixes: #837
Related: #838 (the review comment is added, but I haven't tested the reviews past them being added..)