Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable conan support #781

Open
wants to merge 16 commits into
base: dev
Choose a base branch
from
Open

Enable conan support #781

wants to merge 16 commits into from

Conversation

orto17
Copy link
Contributor

@orto17 orto17 commented Nov 6, 2024

This PR includes support of conan requirements file update. It does not support installation of the suggested fixes. In order to update the dependencies, the user should run a 'conan install' command with the suggested conan file..

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • This pull request is on the dev branch.
  • I used gofmt for formatting the code before submitting the pull request.
  • Update documentation about new features / new supported technologies

@orto17 orto17 added the safe to test Approve running integration tests on a pull request label Nov 6, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 6, 2024
@orto17 orto17 added the safe to test Approve running integration tests on a pull request label Nov 6, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 6, 2024
@orto17 orto17 added the safe to test Approve running integration tests on a pull request label Nov 10, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 10, 2024
@orto17 orto17 added the safe to test Approve running integration tests on a pull request label Nov 10, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 10, 2024
Copy link
Contributor

@eranturgeman eranturgeman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks good! Most of the comments are "cosmetics" and things we talked about that we can further discuss

@orto17 orto17 added the safe to test Approve running integration tests on a pull request label Dec 1, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 1, 2024
@orto17 orto17 added the safe to test Approve running integration tests on a pull request label Dec 1, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 1, 2024
Copy link
Contributor

github-actions bot commented Dec 1, 2024

🚨 Frogbot scanned this pull request and found the below:

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY CONTEXTUAL ANALYSIS DIRECT DEPENDENCIES IMPACTED DEPENDENCY FIXED VERSIONS CVES

Low
Not Covered github.com/golang-jwt/jwt/v4:v4.5.0
github.com/jfrog/jfrog-cli-core/v2:v2.56.4
github.com/jfrog/jfrog-cli-security:v1.12.3
github.com/jfrog/jfrog-client-go:v1.47.3
github.com/golang-jwt/jwt/v4 v4.5.0 [4.5.1] CVE-2024-51744

🔬 Research Details

Description:
golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in ParseWithClaims can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the v5 branch to the v4 branch. In this logic, the ParseWithClaims function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above.


@@ -9,9 +9,9 @@ require (
github.com/jfrog/build-info-go v1.10.3
github.com/jfrog/froggit-go v1.16.2
github.com/jfrog/gofrog v1.7.6
github.com/jfrog/jfrog-cli-core/v2 v2.56.3
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

upgrade all to latest versions

if !isAnyDescriptorFileChanged {
err = fmt.Errorf("impacted package '%s' was not found or could not be fixed in all descriptor files", vulnDetails.ImpactedDependencyName)
}
conan.logNoInstallationMessage()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd put this call in an 'else' section ("if !isAnyDescriptorFileChanges") since if no update was performed, logging that "Requirements file was updated" can be a bit confusing

func (conan *ConanPackageHandler) updateConanFile(conanFile string, vulnDetails *utils.VulnerabilityDetails) (isFileChanged bool, err error) {
data, err := os.ReadFile(conanFile)
if err != nil {
return false, errors.New("an error occurred while attempting to read the requirements file:\n" + err.Error())
Copy link
Contributor

@eranturgeman eranturgeman Dec 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return false, errors.New("an error occurred while attempting to read the requirements file:\n" + err.Error())
return false, fmt.Errorf("an error occurred while attempting to read the requirements file '%s': %s\n", conanFile, err.Error())

From previous bugs investigations I learned we have to be as specific as we can and if we have an issue with some descriptor we must indicate exactly which descriptor it is

fixedFile := strings.Replace(currentFile, impactedDependency, strings.ToLower(fixedPackage), 1)

if fixedFile == currentFile {
return false, fmt.Errorf("impacted dependency '%s' not found in descriptor '%s', fix failed vulnerability", impactedDependency, conanFile)
Copy link
Contributor

@eranturgeman eranturgeman Dec 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return false, fmt.Errorf("impacted dependency '%s' not found in descriptor '%s', fix failed vulnerability", impactedDependency, conanFile)
log.Info(fmt.Sprintf("impacted dependency '%s' not found in descriptor '%s', moving to the next descriptor if exists...", impactedDependency, conanFile))
return false, nil

Currently, since allow-partial-results is not applied on all package managers, we wish to fail the flow over every issue that arises during the fixing process. Therefore, it is correct to return an error and make the flow fail if you couldn't read the descriptor to to write the corrected string to it.
With that, not finding a vulnerable dependency in some descriptor is not really an error, but rather a case that is most likely to happen (think about a case where we have 3 descriptors, and vulnerability X is found only in one of them - we don't want to fail the flow because we didn't find X in descriptor 1, since it might be only in descriptor 2 or 3).
In the future, we can make this Info to an error and to prevent failing the process if allow-partial-results is enabled

@@ -344,6 +344,43 @@ func TestUpdateDependency(t *testing.T) {
descriptorsToCheck: []string{"package.json"},
},
},

// Conan test cases
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

General change:
We don't want 3 copies of similar files just so we can check a different descriptor each time. We can achieve that with a single test project.
Please unify all 3 conan test projects into a single project (and you can also remove testDirName from each test case).
In order to check a fix only in conanfile.txt please insert a vulnerability that exists only in conanfile.txt and not conanfile.py.
In order to check a fix only in conanfile.py please insert a vulnerability that exists only in conanfile.py and not conanfile.txt.
You already checked correctly about a vulnerability that requires a fix in both files.

In addition please add a test case that will not fix a vulnerability: IsDirectDependency = false

Copy link
Contributor

@eranturgeman eranturgeman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please review my comments

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants