Published: Dec 9, 2024 License: Apache-2.0 Imports: 31 Imported by: 0

Constants

const (
	// DirectiveFilter is the identifier of the "filter" directive a policy
	// module can carry. NOTE(review): this listing does not show where
	// directives are parsed out of a Module; presumably PreparePackageQuery
	// does it — confirm.
	DirectiveFilter string = "filter"

	// FilterDirectivePackageName and FilterDirectivePackageType are the keys
	// accepted inside the filter directive. Their names mirror the
	// PackageName and PackageType fields of EvaluationInputOptsFilters, so
	// presumably each key populates the matching field — confirm.
	FilterDirectivePackageName string = "package_name"
	FilterDirectivePackageType string = "package_type"
)

Functions

func NewLinter added in v0.55.0

func NewLinter(paths []string) (linter.Linter, error)

func ReportPackages

func ReportPackages(ctx context.Context, logger *slog.Logger, sqlDB *sql.DB, platform string, org string, repo string, owner string, level string) (table.Writer, error)

Types

type EvaluationInput added in v0.65.2

// EvaluationInput is the document a policy is evaluated against: the project
// (repository) being analysed together with exactly one of its dependencies.
// The JSON tags fix the key names a policy sees; AsAstValue converts the
// value for the policy engine (its body is not shown in this listing).
type EvaluationInput struct {
	// Project identifies the repository in which Dependency was found.
	Project EvaluationInputProject `json:"project"`
	// Dependency is the single dependency under evaluation, including its
	// optional health data.
	Dependency EvaluationInputDependency `json:"dependency"`
}

func (EvaluationInput) AsAstValue added in v0.75.2

func (i EvaluationInput) AsAstValue() ast.Value

type EvaluationInputDependency added in v0.65.2

// EvaluationInputDependency describes the single dependency under evaluation,
// exposed to policies under the `dependency` key of EvaluationInput. Fields
// that may legitimately be empty are called out below; Health is a pointer
// and is absent unless its data was collected.
type EvaluationInputDependency struct {
	// PackageName contains the name of the package
	PackageName string `json:"package_name"`
	// Version indicates the version of this dependency
	//
	// NOTE this could be a version constraint, such as any of:
	//
	//     <=1.3.4,>=1.3.0
	//     "~> 0.9"
	//     latest
	//     ^2.0.6
	//     =1.0.4
	//
	// As well as a specific value, such as:
	//
	//     1.0.4
	//     10
	//     latest
	//
	// This versioning will be implementation-specific for the `packageManager` in use.
	// Policies must therefore not assume Version parses as a single semver
	// value; CurrentVersion, when non-empty, holds the resolved value.
	Version string `json:"version"`
	// CurrentVersion defines the current version that this package's `version` resolves to
	//
	// If the `version` is an exact version number, such as `1.0.4`, then `currentVersion` will usually be the same value, `1.0.4`
	//
	// If the `version` is a version constraint, then this column MAY indicate the exact version that was resolved at the time of dependency analysis
	//
	// CurrentVersion may be empty
	CurrentVersion string `json:"current_version"`
	// PackageManager indicates the package manager that the Policy Violation will correspond to
	PackageManager string `json:"package_manager"`
	// PackageFilePath defines the path within `repo` that defines the `packageName` as a dependency. For example:
	//
	//     .github/workflows/build.yml
	//     go.mod
	//     build/Dockerfile
	//
	// NOTE that this may be empty (https://gitlab.com/tanna.dev/dependency-management-data/-/issues/396)
	PackageFilePath string `json:"package_file_path"`
	// DepTypes defines the different dependency types that may be in use. This will always be a JSON array, with 0 or more string elements. For example:
	//
	//    []
	//    ["action"]
	//    ["dependencies","lockfile"]
	//    ["dependencies","missing-data"]
	//    ["lockfile","lockfile-yarn-pinning-^21.1.1"]
	//    ["engines"]
	//
	// Based on which datasource(s) (https://dmd.tanna.dev/concepts/datasource/) you are using, this will have different values and meanings
	//
	// NOTE that in the future there will be a more consistent naming structure for these (https://gitlab.com/tanna.dev/dependency-management-data/-/issues/379)
	DepTypes []string `json:"dep_types"`
	// Licenses contains the SPDX Identifier(s) or SPDX License Expression(s) (https://spdx.dev/learn/handling-license-info/) that declares this package's license
	Licenses []string `json:"licenses"`

	// Health carries optional dependency health signals (see
	// EvaluationInputDependencyHealth). It is nil, and the `health` key is
	// omitted from the JSON, when the data was not collected — presumably
	// gated by the WithDependencyHealth* flags of EvaluationInputOpts (confirm).
	// Policies must treat a missing Health as "unknown", not as a pass.
	Health *EvaluationInputDependencyHealth `json:"health,omitempty"`
}

type EvaluationInputDependencyHealth added in v0.76.0

// EvaluationInputDependencyHealth groups the optional health signals for a
// dependency. Both members are pointers tagged `omitempty`, so a policy sees
// each key only when that source was collected; absence means "unknown",
// not "healthy" — policies should check for nil/undefined before comparing.
type EvaluationInputDependencyHealth struct {
	// SecurityScorecard holds per-check scorecard results, when collected.
	SecurityScorecard *EvaluationInputDependencyHealthScorecard `json:"security_scorecard,omitempty"`
	// Ecosystems holds package and repository activity data, when collected.
	Ecosystems *EvaluationInputDependencyHealthEcosystemsPackage `json:"ecosystems,omitempty"`
}

type EvaluationInputDependencyHealthEcosystemsPackage added in v0.76.0

// EvaluationInputDependencyHealthEcosystemsPackage carries package-level
// activity data for a dependency; the field names suggest the ecosyste.ms
// package API as its origin — confirm against the data source.
//
// Timestamps are kept as *string rather than time.Time: this type does not
// fix a format, so a policy comparing them against "now" must parse the text
// itself and treat nil as unknown. Status is free text whose vocabulary is
// not defined here.
type EvaluationInputDependencyHealthEcosystemsPackage struct {
	Repo                     *EvaluationInputDependencyHealthEcosystemsRepo `json:"repo,omitempty"`
	LatestReleasePublishedAt *string                                        `json:"latest_release_published_at,omitempty"`
	LastSyncedAt             *string                                        `json:"last_synced_at,omitempty"`
	Status                   *string                                        `json:"status,omitempty"`
}

type EvaluationInputDependencyHealthEcosystemsRepo added in v0.76.0

// EvaluationInputDependencyHealthEcosystemsRepo carries repository-level
// activity data for a dependency's source repository. Every field is a
// pointer: nil means the value was not available, which for Archived is
// distinct from false. PushedAt, UpdatedAt and LastSyncedAt are timestamps
// as text; the format is not fixed by this type — parse defensively.
type EvaluationInputDependencyHealthEcosystemsRepo struct {
	Archived     *bool   `json:"archived,omitempty"`
	PushedAt     *string `json:"pushed_at,omitempty"`
	UpdatedAt    *string `json:"updated_at,omitempty"`
	LastSyncedAt *string `json:"last_synced_at,omitempty"`
}

type EvaluationInputDependencyHealthScorecard added in v0.76.0

// EvaluationInputDependencyHealthScorecard holds per-check results for a
// dependency's security scorecard. The field names match the OpenSSF
// Scorecard check names (Code-Review, Maintained, Dangerous-Workflow, ...),
// so each *int is presumably that check's score; confirm the scale against
// the data source before writing threshold-based policies.
//
// All fields are pointers: nil means the result is absent (check not run,
// data not synced), which is distinct from a score of 0. Policies should
// test for nil before comparing and must not treat "missing" as "passed".
//
// NOTE(review): CodeReview is the only field tagged `omitempty`; the others
// are emitted as JSON null when unset. This looks accidental — confirm
// whether any policy depends on the key being present.
type EvaluationInputDependencyHealthScorecard struct {
	Score              *float64 `json:"score"`
	CodeReview         *int     `json:"code_review,omitempty"`
	Maintained         *int     `json:"maintained"`
	CiiBestPractices   *int     `json:"cii_best_practices"`
	License            *int     `json:"license"`
	DangerousWorkflow  *int     `json:"dangerous_workflow"`
	Packaging          *int     `json:"packaging"`
	TokenPermissions   *int     `json:"token_permissions"`
	SignedReleases     *int     `json:"signed_releases"`
	BranchProtection   *int     `json:"branch_protection"`
	BinaryArtifacts    *int     `json:"binary_artifacts"`
	Fuzzing            *int     `json:"fuzzing"`
	SecurityPolicy     *int     `json:"security_policy"`
	Sast               *int     `json:"sast"`
	Vulnerabilities    *int     `json:"vulnerabilities"`
	PinnedDependencies *int     `json:"pinned_dependencies"`
}

type EvaluationInputOpts added in v0.102.0

// EvaluationInputOpts records which optional parts of EvaluationInput a set
// of policies needs, so the evaluator only fetches and serialises data a
// policy actually reads. It is produced by PreparePackageQuery for a Module
// and consumed by Orchestrator and by the QueryCount/QueryForOffset methods.
// Each With* flag presumably gates the like-named part of EvaluationInput —
// confirm in Evaluate.
//
// NOTE(review): the listing shows only that QueryCount and QueryForOffset
// return (string, error); presumably SQL text shaped by these flags — confirm.
type EvaluationInputOpts struct {
	// WithRepoKey corresponds by name to the repository identity
	// (Platform/Organisation/Repo) of EvaluationInputProject.
	WithRepoKey bool
	// WithRepoMetadata corresponds by name to EvaluationInputProject.Metadata.
	WithRepoMetadata bool
	// WithLicenses corresponds by name to EvaluationInputDependency.Licenses.
	WithLicenses bool
	// WithDependencyHealthSecurityScorecard corresponds by name to
	// EvaluationInputDependencyHealth.SecurityScorecard.
	WithDependencyHealthSecurityScorecard bool
	// WithDependencyHealthEcosystems corresponds by name to
	// EvaluationInputDependencyHealth.Ecosystems.
	WithDependencyHealthEcosystems bool
	// Filters optionally narrows which dependencies are evaluated.
	//
	// NOTE that this is a pointer so we can use it as a map key. A
	// consequence is that two EvaluationInputOpts with equal filter contents
	// but distinct pointers compare unequal, so callers that group by opts
	// must share the pointer deliberately.
	Filters *EvaluationInputOptsFilters
}

func PreparePackageQuery

func PreparePackageQuery(ctx context.Context, module Module, logger *slog.Logger) (rego.PreparedEvalQuery, EvaluationInputOpts, error)

func (EvaluationInputOpts) QueryCount added in v0.102.0

func (opts EvaluationInputOpts) QueryCount() (string, error)

func (EvaluationInputOpts) QueryForOffset added in v0.102.0

func (opts EvaluationInputOpts) QueryForOffset() (string, error)

type EvaluationInputOptsFilters added in v0.102.0

// EvaluationInputOptsFilters restricts which dependencies are evaluated.
// The field names mirror the FilterDirectivePackageName and
// FilterDirectivePackageType keys, so presumably these lists are populated
// from a module's filter directive — confirm.
//
// NOTE(review): these values originate in policy files and feed the queries
// returned by QueryForOffset; confirm they are bound as query parameters
// rather than interpolated into the query text.
type EvaluationInputOptsFilters struct {
	// PackageName lists package-name values to filter on.
	PackageName []string
	// PackageType lists package-type values to filter on.
	PackageType []string
}

type EvaluationInputProject added in v0.65.2

// EvaluationInputProject identifies the repository a dependency was found in,
// exposed to policies under the `project` key of EvaluationInput. Platform,
// Organisation and Repo are always present; Metadata is a pointer tagged
// `omitempty` and may be absent, so policies reading `metadata.*` must
// handle the key being undefined.
type EvaluationInputProject struct {
	// Platform describes the source hosting platform this dependency's repository is found on, i.e. `github`, `gitlab`, `gitea`, etc
	Platform string `json:"platform"`
	// Organisation describes the organisation this dependency's repository is found on. Can include `/` for nested organisations
	Organisation string `json:"organisation"`
	// Repo is the repo name
	Repo string `json:"repo"`
	// Metadata tracks metadata about the repository, which is sourced from the `repository_metadata` table
	Metadata *EvaluationInputRepositoryMetadata `json:"metadata,omitempty"`
}

type EvaluationInputRepositoryMetadata added in v0.67.0

// EvaluationInputRepositoryMetadata is organisation-supplied context about a
// repository, sourced from the `repository_metadata` table and reached from
// EvaluationInputProject.Metadata (a pointer, so it may be absent). Several
// fields are free-form by design; policies that key decisions on them
// should compare against the organisation's agreed vocabulary rather than
// assume a fixed enum.
type EvaluationInputRepositoryMetadata struct {
	// IsMonorepo indicates whether the repository is treated as a monorepo
	IsMonorepo bool `json:"is_monorepo"`
	// IsFork indicates whether this is a forked repository. This could indicate that this is a temporary repository, a long-standing fork for security + supply-chain hygiene purposes, or some other reason.
	IsFork bool `json:"is_fork"`
	// RepositoryType is a free-form field to create enum-style data, for instance `LIBRARY` or `SERVICE`, or `EXAMPLE_CODE`.
	//
	// This may track with your Developer Portal's own definition of a repository's type.
	RepositoryType string `json:"repository_type"`
	// RepositoryUsage is a free-form field to note additional information around the repository's usage, which is organisation-specific.
	//
	// For instance, this may be enum-style data, a space-separated list of enum-style data, or a long human-readable description.
	RepositoryUsage *string `json:"repository_usage,omitempty"`
	// Visibility indicates the repository's visibility in the source forge
	//
	// NOTE that this may be straightforward if you're using a publicly hosted source forge, but if you're running on an internally run, i.e. VPN'd off source forge, this field may have a slightly different interpretation
	Visibility string `json:"visibility"`
	// Description is a textual description of the repo for more context, which can include links out to other systems i.e. a Service Catalog. The contents will be shown verbatim to a user, and will not be interpreted as markup
	Description *string `json:"description,omitempty"`
	// AdditionalMetadata contains additional key-value data that can be used to provide custom organisation-specific configuration, and augment any queries for data with information around this additional metadata.
	//
	// For instance:
	//
	// - `last_commit_date` - the last commit date to the project
	// - `pci_environment` - the PCI environment the application is deployed to
	// - `customer_type` - i.e. whether it's used for government, financial
	//   users, etc
	AdditionalMetadata map[string]string `json:"additional_metadata,omitempty"`
}

type Level added in v0.60.0

// Level is the severity of a PolicyViolation. Its String method (body not
// shown in this listing) renders it for output.
type Level string

// The string values are the exact forms a policy must emit and that are
// persisted; note the asymmetry "ERROR" vs "WARN" (not "WARNING").
const (
	// LevelError is the higher-severity level.
	LevelError Level = "ERROR"
	// LevelWarning is the lower-severity level.
	LevelWarning Level = "WARN"
)

func (Level) String added in v0.60.0

func (l Level) String() string

type Module

// Module is a policy module as loaded from disk, before compilation.
// PreparePackageQuery turns it into a rego.PreparedEvalQuery, so Contents
// is presumably Rego source — confirm.
type Module struct {
	// Filepath is where the module was read from; it is carried through to
	// ModuleToEvaluate so findings can be attributed to a file.
	Filepath string
	// Contents is the module's source text.
	Contents string
}

type ModuleToEvaluate added in v0.102.0

// ModuleToEvaluate pairs a compiled policy query with the path of the
// Module it came from, which is the unit Orchestrator.Evaluate and
// EvaluateAndPersist operate on.
type ModuleToEvaluate struct {
	// Filepath is the originating Module's Filepath, kept for attribution.
	Filepath string
	// Query is the prepared evaluation query for this module.
	Query rego.PreparedEvalQuery
}

type Orchestrator added in v0.102.0

// Orchestrator drives policy evaluation against a database: counting
// candidate rows (CountRows), evaluating modules and returning violations
// (Evaluate), or evaluating and persisting within a transaction
// (EvaluateAndPersist). Construct it with NewEvaluator, which takes a rego
// inter-query cache; the zero value is not documented as usable.
type Orchestrator struct {
	// contains filtered or unexported fields
}

func NewEvaluator added in v0.102.0

func NewEvaluator(regoCache cache.InterQueryCache) Orchestrator

func (Orchestrator) CountRows added in v0.102.0

func (b Orchestrator) CountRows(ctx context.Context, sqlDB *sql.DB, opts EvaluationInputOpts) (int64, error)

func (Orchestrator) Evaluate added in v0.102.0

func (b Orchestrator) Evaluate(ctx context.Context, sqlDB *sql.DB, pw progress.Writer, modules []ModuleToEvaluate, opts EvaluationInputOpts, returnLimit int) ([]PolicyViolation, int64, error)

func (Orchestrator) EvaluateAndPersist added in v0.102.0

func (b Orchestrator) EvaluateAndPersist(ctx context.Context, sqlDB *sql.DB, tx *sql.Tx, pw progress.Writer, modules []ModuleToEvaluate, opts EvaluationInputOpts) (int64, error)

type PolicyViolation

// PolicyViolation is a single finding produced by evaluating a policy
// module against one dependency. It embeds domain.Dependency, so the
// dependency's own fields are promoted onto the violation, and adds the
// severity and advisory details of the finding.
type PolicyViolation struct {
	domain.Dependency
	// DepTypes carries the dependency types (see
	// EvaluationInputDependency.DepTypes); DepTypesAsString renders them.
	DepTypes []string

	// Level is the severity of the violation (LevelError or LevelWarning).
	Level Level
	// AdvisoryType classifies the finding using the advisory package's type.
	AdvisoryType advisory.AdvisoryType
	// Description is the human-readable explanation of the violation.
	Description string
	// SupportedUntil and EndOfLifeFrom are optional dates kept as text; nil
	// when not set. The format is not fixed by this type — presumably
	// ISO-8601 — so confirm before parsing.
	SupportedUntil *string
	EndOfLifeFrom *string
}

func (PolicyViolation) DepTypesAsString

func (v PolicyViolation) DepTypesAsString() string
