-
Notifications
You must be signed in to change notification settings - Fork 73
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable conan support #781
base: dev
Are you sure you want to change the base?
Enable conan support #781
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall looks good! Most of the comments are "cosmetics" and things we talked about that we can further discuss
📦 Vulnerable Dependencies✍️ Summary
🔬 Research DetailsDescription: |
@@ -9,9 +9,9 @@ require ( | |||
github.com/jfrog/build-info-go v1.10.3 | |||
github.com/jfrog/froggit-go v1.16.2 | |||
github.com/jfrog/gofrog v1.7.6 | |||
github.com/jfrog/jfrog-cli-core/v2 v2.56.3 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
upgrade all to latest versions
if !isAnyDescriptorFileChanged { | ||
err = fmt.Errorf("impacted package '%s' was not found or could not be fixed in all descriptor files", vulnDetails.ImpactedDependencyName) | ||
} | ||
conan.logNoInstallationMessage() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd put this call in an 'else' section ("if !isAnyDescriptorFileChanges") since if no update was performed, logging that "Requirements file was updated" can be a bit confusing
func (conan *ConanPackageHandler) updateConanFile(conanFile string, vulnDetails *utils.VulnerabilityDetails) (isFileChanged bool, err error) { | ||
data, err := os.ReadFile(conanFile) | ||
if err != nil { | ||
return false, errors.New("an error occurred while attempting to read the requirements file:\n" + err.Error()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return false, errors.New("an error occurred while attempting to read the requirements file:\n" + err.Error()) | |
return false, fmt.Errorf("an error occurred while attempting to read the requirements file '%s': %s\n", conanFile, err.Error()) |
From previous bugs investigations I learned we have to be as specific as we can and if we have an issue with some descriptor we must indicate exactly which descriptor it is
fixedFile := strings.Replace(currentFile, impactedDependency, strings.ToLower(fixedPackage), 1) | ||
|
||
if fixedFile == currentFile { | ||
return false, fmt.Errorf("impacted dependency '%s' not found in descriptor '%s', fix failed vulnerability", impactedDependency, conanFile) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return false, fmt.Errorf("impacted dependency '%s' not found in descriptor '%s', fix failed vulnerability", impactedDependency, conanFile) | |
log.Info(fmt.Sprintf("impacted dependency '%s' not found in descriptor '%s', moving to the next descriptor if exists...", impactedDependency, conanFile)) | |
return false, nil |
Currently, since allow-partial-results is not applied on all package managers, we wish to fail the flow over every issue that arises during the fixing process. Therefore, it is correct to return an error and make the flow fail if you couldn't read the descriptor to to write the corrected string to it.
With that, not finding a vulnerable dependency in some descriptor is not really an error, but rather a case that is most likely to happen (think about a case where we have 3 descriptors, and vulnerability X is found only in one of them - we don't want to fail the flow because we didn't find X in descriptor 1, since it might be only in descriptor 2 or 3).
In the future, we can make this Info to an error and to prevent failing the process if allow-partial-results is enabled
@@ -344,6 +344,43 @@ func TestUpdateDependency(t *testing.T) { | |||
descriptorsToCheck: []string{"package.json"}, | |||
}, | |||
}, | |||
|
|||
// Conan test cases |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
General change:
We don't want 3 copies of similar files just so we can check a different descriptor each time. We can achieve that with a single test project.
Please unify all 3 conan test projects into a single project (and you can also remove testDirName from each test case).
In order to check a fix only in conanfile.txt please insert a vulnerability that exists only in conanfile.txt and not conanfile.py.
In order to check a fix only in conanfile.py please insert a vulnerability that exists only in conanfile.py and not conanfile.txt.
You already checked correctly about a vulnerability that requires a fix in both files.
In addition please add a test case that will not fix a vulnerability: IsDirectDependency = false
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please review my comments
This PR includes support of conan requirements file update. It does not support installation of the suggested fixes. In order to update the dependencies, the user should run a 'conan install' command with the suggested conan file..