Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Verify yaml #4639

Merged
merged 16 commits into from
Dec 13, 2024
Merged

Verify yaml #4639

Show file tree
Hide file tree
Changes from 14 commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
5ec2c0f
add script to verify plugin yaml
bengl Aug 29, 2024
7df1784
add github actions job to verify yaml
bengl Aug 29, 2024
8fff568
fix instrumentations
bengl Aug 29, 2024
8fbf028
fix up aerospike
bengl Aug 29, 2024
3dfa423
better version ranges for aerospike
bengl Aug 29, 2024
8a86280
fix ci script
bengl Aug 30, 2024
0010953
make it pass hopefully
bengl Aug 30, 2024
4db06d6
update license 3rdparty
bengl Aug 30, 2024
0cd676f
fix it no longer assuming nodejs versions
bengl Sep 11, 2024
a6e20ca
fix aerospike
bengl Sep 11, 2024
7b29bd8
since node version is now ignored, run on only one version of node
bengl Sep 12, 2024
b406d23
fix next
bengl Dec 12, 2024
ebcf4ef
remove 12.0.0 to 12.1.x from next version range
bengl Dec 12, 2024
2fcd426
lint
bengl Dec 13, 2024
b5c8eb2
remove explit 12.0 and 12.1 tests for next.js
bengl Dec 13, 2024
72bf1cc
remove version of aerospike that we don't actually support
bengl Dec 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/appsec.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -210,7 +210,7 @@ jobs:
version:
- 18
- latest
range: ['9.5.0', '11.1.4', '13.2.0', '>=14.0.0 <=14.2.6', '>=14.2.7 <15', '>=15.0.0']
range: ['>=10.2.0 <11', '>=11.0.0 <12', '11.1.4', '>=12.2.0 <13', '>=13.0.0 <14', '13.2.0', '>=14.0.0 <=14.2.6', '>=14.2.7 <15', '>=15.0.0']
runs-on: ubuntu-latest
env:
PLUGINS: next
Expand Down
79 changes: 24 additions & 55 deletions .github/workflows/plugins.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,54 +15,34 @@ concurrency:


jobs:
aerospike-node-16:
runs-on: ubuntu-latest
services:
aerospike:
image: aerospike:ce-5.7.0.15
ports:
- "127.0.0.1:3000-3002:3000-3002"
env:
PLUGINS: aerospike
SERVICES: aerospike
PACKAGE_VERSION_RANGE: '>=4.0.0 <5.2.0'
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/testagent/start
- uses: ./.github/actions/node/setup
- id: pkg
run: |
content=`cat ./package.json | tr '\n' ' '`
echo "json=$content" >> $GITHUB_OUTPUT
- id: extract
run: |
version="${{fromJson(steps.pkg.outputs.json).version}}"
majorVersion=$(echo "$version" | cut -d '.' -f 1)
echo "Major Version: $majorVersion"
echo "MAJOR_VERSION=$majorVersion" >> $GITHUB_ENV
- uses: ./.github/actions/node/oldest
- name: Install dependencies
if: env.MAJOR_VERSION == '4'
uses: ./.github/actions/install
- name: Run tests
if: env.MAJOR_VERSION == '4'
run: yarn test:plugins:ci
- if: always()
uses: ./.github/actions/testagent/logs
- uses: codecov/codecov-action@v3

aerospike-node-18-20:
aerospike:
strategy:
matrix:
node-version: [18]
range: ['5.2.0 - 5.7.0']
node-version: [16]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like node-version is not actually used?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, it's for validation in the script. I'm gonna try to work out a better way of expressing this though.

range: ['>=4.0.0 <5.2.0']
aerospike-image: [ce-5.7.0.15]
test-image: [ubuntu-latest]
include:
- node-version: 14 # yes, out of range, but the only way to test the oldest version
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't that mean that this version isn't supported anymore?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'd have to take it out of instrumentation as well, not just the GitHub yaml. Meaning we'd never attempt to to instrument those versions. Is that fine?

range: '^3.16.2'
aerospike-image: ce-5.7.0.15
test-image: ubuntu-20.04
- node-version: 18
range: '>=5.2.0'
aerospike-image: ce-6.4.0.3
test-image: ubuntu-latest
- node-version: 20
range: '>=5.8.0'
runs-on: ubuntu-latest
range: '>=5.5.0'
aerospike-image: ce-6.4.0.3
test-image: ubuntu-latest
- node-version: 22
range: '>=5.12.1'
aerospike-image: ce-6.4.0.3
test-image: ubuntu-latest
runs-on: ${{ matrix.test-image }}
services:
aerospike:
image: aerospike:ce-6.4.0.3
image: aerospike:${{ matrix.aerospike-image }}
ports:
- "127.0.0.1:3000-3002:3000-3002"
env:
Expand All @@ -73,24 +53,13 @@ jobs:
- uses: actions/checkout@v4
- uses: ./.github/actions/testagent/start
- uses: ./.github/actions/node/setup
- id: pkg
run: |
content=`cat ./package.json | tr '\n' ' '`
echo "json=$content" >> $GITHUB_OUTPUT
- id: extract
run: |
version="${{fromJson(steps.pkg.outputs.json).version}}"
majorVersion=$(echo "$version" | cut -d '.' -f 1)
echo "Major Version: $majorVersion"
echo "MAJOR_VERSION=$majorVersion" >> $GITHUB_ENV
- uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
- run: yarn config set ignore-engines true
- name: Install dependencies
if: env.MAJOR_VERSION == '5'
uses: ./.github/actions/install
- name: Run tests
if: env.MAJOR_VERSION == '5'
run: yarn test:plugins:ci
- if: always()
uses: ./.github/actions/testagent/logs
Expand Down Expand Up @@ -759,7 +728,7 @@ jobs:
version:
- 18
- latest
range: ['9.5.0', '11.1.4', '13.2.0', '>=14.0.0 <=14.2.6', '>=14.2.7 <15', '>=15.0.0']
range: ['>=10.2.0 <11', '>=11.0.0 <12', '11.1.4', '>=12.2.0 <13', '>=13.0.0 <14', '13.2.0', '>=14.0.0 <=14.2.6', '>=14.2.7 <15', '>=15.0.0']
runs-on: ubuntu-latest
env:
PLUGINS: next
Expand Down
7 changes: 7 additions & 0 deletions .github/workflows/project.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -162,3 +162,10 @@ jobs:
- run: yarn type:test
- run: yarn type:doc

verify-yaml:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this (and the name of the script file too) could use a more descriptive name of what it's doing. Something like verify-plugin-versions or anything more descriptive.

runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

Pin third party actions by hash, or at least by tag for trusted sources

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a git ref (a branch name, a git tag, or a commit hash).

No pinned git ref means the action will use the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

View in Datadog  Leave us feedback  Documentation

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't actions always be a trusted org? If we can't trust GitHub then why is our code on GitHub?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we just disable this entirely? It just complains about everything, making it effectively useless as it just pollutes PRs with dozens of comments like this constantly everywhere.

- uses: ./.github/actions/node/setup
- uses: ./.github/actions/install
- run: node scripts/verify-ci-config.js
1 change: 1 addition & 0 deletions LICENSE-3rdparty.csv
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,7 @@ dev,sinon,BSD-3-Clause,Copyright 2010-2017 Christian Johansen
dev,sinon-chai,WTFPL and BSD-2-Clause,Copyright 2004 Sam Hocevar 2012–2017 Domenic Denicola
dev,tap,ISC,Copyright 2011-2022 Isaac Z. Schlueter and Contributors
dev,tiktoken,MIT,Copyright (c) 2022 OpenAI, Shantanu Jain
dev,yaml,ISC,Copyright Eemeli Aro <[email protected]>
file,aws-lambda-nodejs-runtime-interface-client,Apache 2.0,Copyright 2019 Amazon.com Inc. or its affiliates. All Rights Reserved.
file,profile.proto,Apache license 2.0,Copyright 2016 Google Inc.
file,is-git-url,MIT,Copyright (c) 2017 Jon Schlinkert.
3 changes: 2 additions & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -155,6 +155,7 @@
"sinon": "^16.1.3",
"sinon-chai": "^3.7.0",
"tap": "^16.3.7",
"tiktoken": "^1.0.15"
"tiktoken": "^1.0.15",
"yaml": "^2.5.0"
}
}
18 changes: 12 additions & 6 deletions packages/datadog-instrumentations/src/next.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@

const { channel, addHook } = require('./helpers/instrument')
const shimmer = require('../../datadog-shimmer')
const { DD_MAJOR } = require('../../../version')

const startChannel = channel('apm:next:request:start')
const finishChannel = channel('apm:next:request:finish')
Expand Down Expand Up @@ -215,17 +214,17 @@ addHook({

addHook({
name: 'next',
versions: ['>=11.1'],
versions: ['>=11.1 <12.0.0', '>=12.2.0'],
file: 'dist/server/serve-static.js'
}, serveStatic => shimmer.wrap(serveStatic, 'serveStatic', wrapServeStatic))

addHook({
name: 'next',
versions: DD_MAJOR >= 4 ? ['>=10.2 <11.1'] : ['>=9.5 <11.1'],
versions: ['>=10.2 <11.1'],
file: 'dist/next-server/server/serve-static.js'
}, serveStatic => shimmer.wrap(serveStatic, 'serveStatic', wrapServeStatic))

addHook({ name: 'next', versions: ['>=11.1'], file: 'dist/server/next-server.js' }, nextServer => {
addHook({ name: 'next', versions: ['>=11.1 <12.0.0', '>=12.2.0'], file: 'dist/server/next-server.js' }, nextServer => {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a breaking change.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the versions removed from the range (12.0.x and 12.1.x), next build fails, so the tests fail. It doesn't appear that we can test these versions (or that we ever could) so the claim of support was always incorrect.

const Server = nextServer.default

shimmer.wrap(Server.prototype, 'handleRequest', wrapHandleRequest)
Expand All @@ -248,15 +247,22 @@ addHook({ name: 'next', versions: ['>=13.2'], file: 'dist/server/next-server.js'
return nextServer
})

addHook({ name: 'next', versions: ['>=11.1 <13.2'], file: 'dist/server/next-server.js' }, nextServer => {
addHook({
name: 'next',
versions: [
'>=11.1 <12.0.0',
'>=12.2.0 <13.2'
],
file: 'dist/server/next-server.js'
}, nextServer => {
const Server = nextServer.default
shimmer.wrap(Server.prototype, 'handleApiRequest', wrapHandleApiRequest)
return nextServer
})

addHook({
name: 'next',
versions: DD_MAJOR >= 4 ? ['>=10.2 <11.1'] : ['>=9.5 <11.1'],
versions: ['>=10.2 <11.1'],
file: 'dist/next-server/server/next-server.js'
}, nextServer => {
const Server = nextServer.default
Expand Down
156 changes: 156 additions & 0 deletions scripts/verify-ci-config.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,156 @@
'use strict'
/* eslint-disable no-console */

const fs = require('fs')
const path = require('path')
const util = require('util')
const proxyquire = require('proxyquire')
const yaml = require('yaml')
const semver = require('semver')
const { execSync } = require('child_process')
const Module = require('module')
if (!Module.isBuiltin) {
Module.isBuiltin = mod => Module.builtinModules.includes(mod)
}

const nodeMajor = Number(process.versions.node.split('.')[0])

const names = fs.readdirSync(path.join(__dirname, '..', 'packages', 'datadog-instrumentations', 'src'))
.filter(file => file.endsWith('.js'))
.map(file => file.slice(0, -3))

const instrumentations = names.reduce((acc, key) => {
let instrumentations = []
const name = key

try {
loadInstFile(`${name}/server.js`, instrumentations)
loadInstFile(`${name}/client.js`, instrumentations)
} catch (e) {
loadInstFile(`${name}.js`, instrumentations)
}

instrumentations = instrumentations.filter(i => i.versions)
if (instrumentations.length) {
acc[key] = instrumentations
}

return acc
}, {})

const versions = {}

function checkYaml (yamlPath) {
const yamlContent = yaml.parse(fs.readFileSync(yamlPath, 'utf8'))

const rangesPerPluginFromYaml = {}
const rangesPerPluginFromInst = {}
for (const jobName in yamlContent.jobs) {
const job = yamlContent.jobs[jobName]
if (!job.env || !job.env.PLUGINS) continue

const pluginName = job.env.PLUGINS
if (Module.isBuiltin(pluginName)) continue
const rangesFromYaml = getRangesFromYaml(job)
if (rangesFromYaml) {
if (!rangesPerPluginFromYaml[pluginName]) {
rangesPerPluginFromYaml[pluginName] = new Set()
}
rangesFromYaml.forEach(range => rangesPerPluginFromYaml[pluginName].add(range))
const plugin = instrumentations[pluginName]
const allRangesForPlugin = new Set(plugin.map(x => x.versions).flat())
rangesPerPluginFromInst[pluginName] = allRangesForPlugin
}
}
for (const pluginName in rangesPerPluginFromYaml) {
const yamlRanges = Array.from(rangesPerPluginFromYaml[pluginName])
const instRanges = Array.from(rangesPerPluginFromInst[pluginName])
const yamlVersions = getMatchingVersions(pluginName, yamlRanges)
const instVersions = getMatchingVersions(pluginName, instRanges)
if (!util.isDeepStrictEqual(yamlVersions, instVersions)) {
const opts = { colors: true }
const colors = x => util.inspect(x, opts)
errorMsg(pluginName, 'Mismatch', `
Valid version ranges from YAML: ${colors(yamlRanges)}
Valid version ranges from INST: ${colors(instRanges)}
${mismatching(yamlVersions, instVersions)}
Note that versions may be dependent on Node.js version. This is Node.js v${colors(nodeMajor)}

> These don't match the same sets of versions in npm.
>
> Please check ${yamlPath} and the instrumentations
> for ${pluginName} to see that the version ranges match.`.trim())
}
}
}

function loadInstFile (file, instrumentations) {
const instrument = {
addHook (instrumentation) {
instrumentations.push(instrumentation)
}
}

const instPath = path.join(__dirname, `../packages/datadog-instrumentations/src/${file}`)

proxyquire.noPreserveCache()(instPath, {
'./helpers/instrument': instrument,
'../helpers/instrument': instrument
})
}

function getRangesFromYaml (job) {
// eslint-disable-next-line no-template-curly-in-string
if (job.env && job.env.PACKAGE_VERSION_RANGE && job.env.PACKAGE_VERSION_RANGE !== '${{ matrix.range }}') {
errorMsg(job.env.PLUGINS, 'ERROR in YAML', 'You must use matrix.range instead of env.PACKAGE_VERSION_RANGE')
process.exitCode = 1
}
if (job.strategy && job.strategy.matrix && job.strategy.matrix.range) {
const possibilities = [job.strategy.matrix]
if (job.strategy.matrix.include) {
possibilities.push(...job.strategy.matrix.include)
}
return possibilities.map(possibility => {
if (possibility.range) {
return [possibility.range].flat()
} else {
return undefined
}
}).flat()
}

return null
}

function getMatchingVersions (name, ranges) {
if (!versions[name]) {
versions[name] = JSON.parse(execSync('npm show ' + name + ' versions --json').toString())
}
return versions[name].filter(version => ranges.some(range => semver.satisfies(version, range)))
}

checkYaml(path.join(__dirname, '..', '.github', 'workflows', 'plugins.yml'))
checkYaml(path.join(__dirname, '..', '.github', 'workflows', 'appsec.yml'))

function mismatching (yamlVersions, instVersions) {
const yamlSet = new Set(yamlVersions)
const instSet = new Set(instVersions)

const onlyInYaml = yamlVersions.filter(v => !instSet.has(v))
const onlyInInst = instVersions.filter(v => !yamlSet.has(v))

const opts = { colors: true }
return [
`Versions only in YAML: ${util.inspect(onlyInYaml, opts)}`,
`Versions only in INST: ${util.inspect(onlyInInst, opts)}`
].join('\n')
}

function errorMsg (pluginName, title, message) {
console.log('===========================================')
console.log(title + ' for ' + pluginName)
console.log('-------------------------------------------')
console.log(message)
console.log('\n')
process.exitCode = 1
}
5 changes: 5 additions & 0 deletions yarn.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5252,6 +5252,11 @@ yaml@^1.10.2:
resolved "https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz"
integrity sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==

yaml@^2.5.0:
version "2.5.0"
resolved "https://registry.yarnpkg.com/yaml/-/yaml-2.5.0.tgz#c6165a721cf8000e91c36490a41d7be25176cf5d"
integrity sha512-2wWLbGbYDiSqqIKoPjar3MPgB94ErzCtrNE1FdqGuaO0pi2JGjmE8aW8TDZwzU7vuxcGRdL/4gPQwQ7hD5AMSw==

[email protected]:
version "20.2.4"
resolved "https://registry.npmjs.org/yargs-parser/-/yargs-parser-20.2.4.tgz"
Expand Down
Loading