diff ingester: Allow configurable wildcards to match ecosystem file names, plus some cleanups

[jhrozek]

I started adding wildcard support for the package ecosystem matching in the
diff ingester and ended up doing a little cleanup after the code had been
rushed a bit to me demoable. I ended up adding pagination support, removed
some code that was just needed after a refactoring and added the wildcard
support with a basic test. More tests are incoming, there was only so much
time on the plane :-)

Fixes: #954

[JAORMX]

I dig the cleanup and tests, but let's move the github dependencies to one place as we prepare for the pluggable providers to land

[JAORMX]

Can we not use the github API directly? Instead, let's include it in the github provider implementation. This way, we'll be able to better abstract this in the future.

[jhrozek]

This is not the code calling the GH API directly, but just this line:

	listOpts := &github.ListOptions{PerPage: 30}

I can modify the ListFiles method to accept a generic parameter struct instead, that would get rid of the import, but note that the REST API currently returns GH specific types and there are other methods that accept GH specific types so maybe a bigger cleanup is in order?

[JAORMX]

We are indeed gonna need a bigger cleanup

[JAORMX]

Do we have a bug for migrating everything to zero log?

[jhrozek]

I don't think so, I think @evankanderson pointed me to code that showed that calling log triggers calling zerolog already? So far I've been just adding zerolog calls to code that I'm writing from scratch or cleaning up, but I don't think we track any systematical cleanup.

[evankanderson]

nit Long term, it would be nice to be able to use a channel to feed the results from reading the paginated list, but this seems fine for now. (Like using a generator in some other languages.)

[jhrozek]

I want to use channels in the vulnerability evaluator to have a pipeline between the database and the package repository, there is actually seems like it will cut down on the wait time quite a bit and even simplify the code. If you don't mind, in this module I would wait and implement that later (maybe we implement the pagination in the REST API module by returning a channel?)

For the moment a simple loop seems fine because 99% of the list results would be just discarded right away. (most PRs don't add deps..)

[evankanderson]

Yeah, my thought was that later we could implement lazy pagination (rather than the eager pagination here) by pulling from a channel and having the channel's capacity block further pagination calls.

Don't do this before November, though. We have bigger fish to fry.

[jhrozek]

and more fish :-)
I filed #996 in the meantime linking back here so we are reminded of this discussion later.

[evankanderson]

Do you want to extract this into a separate function?

[jhrozek]

done locally, will push after a round of testing

[evankanderson]

Did you mean to have this message here?

[jhrozek]

oops, I fixed this already locally, but /in a different branch/ (I have already been building more tests atop this other branch)
I did mean to leave a debug message there, but it shouldn't say that no ecosystem matched..

[evankanderson]

Do we need both this and the eco == DepEcosystemNone?

[jhrozek]

I guess not at the moment and not strictly needed, but at the same time I think it's better to check each call's return value (or alternatively we might want to encapsulate the two calls into one function)

[evankanderson]

Why do we use file.GetFilename() here, but *file.Filename on lines 88, 91, and 97?

[jhrozek]

no reason except inconsistency. Thanks, fixed.

[evankanderson]

I don't really understand what this is supposed to do -- it feels like this should be a glob (and maybe matching with regexp), but the code doesn't look like the code I'd expect for a glob.

[jhrozek]

if the code was difficult to parse, then please block the PR merge that's what reviews are for :-)

Does the current version with filepath.Match read better?
(I wasn't sure initially about fifepatch.Match matching in the middle of the path, seemed like a footgun, but in the end the code is readable and more generic with Match...)

[evankanderson]

Intentional to renumber these proto fields?

[jhrozek]

yes, this protobuf struct is only ever used between mediator server and the policy engine and not exposed to the clients, so I think it's better to renumber while removing the FilePatch attribute. When/if we send this struct to the clients, renumbering fields should probably be a hard nack.

[evankanderson]

Yeah, my thought was that later we could implement lazy pagination (rather than the eager pagination here) by pulling from a channel and having the channel's capacity block further pagination calls.

Don't do this before November, though. We have bigger fish to fry.

[evankanderson]

(Following up from the earlier comment)

My suggestion about the check for eco == DepEcosystemNone was, in fact, to merge the two function calls into one:

if parser == nil {
  logger.Debug().Str("filename", filename).Msg("No ecosystem found, skipping")
  return nil, nil
}

logger.Debug().Str("filename", filename).Str("package-ecosystem", parser.Ecosystem()).
  Msg("matched ecosystem")  // Can also use .Send() IIRC

[jhrozek]

done

[jhrozek]

@evankanderson would you mind approving this version again? There are no functional changes, just a rebase to resolve conflicts in the autogenerated protobuf files.