From a97d9aeff1d37c2c56f92c4932f01fbad72300f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Brunner?=
Date: Sun, 9 Jun 2024 18:23:18 +0200
Subject: [PATCH 1/2] Audit: Make timeout configurable
---
 github_app_geo_project/module/audit/utils.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/github_app_geo_project/module/audit/utils.py b/github_app_geo_project/module/audit/utils.py
index dce806e6f25..3db8e78c70c 100644
--- a/github_app_geo_project/module/audit/utils.py
+++ b/github_app_geo_project/module/audit/utils.py
@@ -68,7 +68,7 @@ async def snyk(
 continue
 if file in local_config.get("files-no-install", config.get("files-no-install", [])):
 continue
- async with asyncio.timeout(1200):
+ async with asyncio.timeout(int(os.environ.get("GHCI_PYTHON_INSTALL_TIMEOUT", "1200"))):
 try:
 command = [
 "pip",
@@ -119,7 +119,7 @@ async def snyk(
 continue
 directory = os.path.dirname(os.path.abspath(file))
- async with asyncio.timeout(600):
+ async with asyncio.timeout(int(os.environ.get("GHCI_PYTHON_INSTALL_TIMEOUT", "1200"))):
 try:
 command = [
 "pipenv",
@@ -174,7 +174,7 @@ async def snyk(
 continue
 if file in local_config.get("files-no-install", config.get("files-no-install", [])):
 continue
- async with asyncio.timeout(600):
+ async with asyncio.timeout(int(os.environ.get("GHCI_PYTHON_INSTALL_TIMEOUT", "1200"))):
 try:
 command = ["poetry", "install"]
 async_proc = await asyncio.create_subprocess_exec(
@@ -216,7 +216,7 @@ async def snyk(
 command = ["snyk", "monitor", f"--target-reference={branch}"] + config.get(
 "monitor-arguments", configuration.SNYK_MONITOR_ARGUMENTS_DEFAULT
 )
- async with asyncio.timeout(300):
+ async with asyncio.timeout(int(os.environ.get("GHCI_SNYK_TIMEOUT", "300"))):
 async_proc = await asyncio.create_subprocess_exec(
 *command, env=env, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE
 )
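Review bot: The expression `int(os.environ.get("GHCI_PYTHON_INSTALL_TIMEOUT", "1200"))` is repeated verbatim in the 68, 119 and 174 hunks (and the `GHCI_SNYK_TIMEOUT` variant in the 216, 236 and 319 hunks), and because it is evaluated inside `snyk` at each use a non-numeric value surfaces as a `ValueError` in the middle of an audit run instead of at startup. Hoist both to module-level constants, e.g. `_PYTHON_INSTALL_TIMEOUT = int(os.environ.get("GHCI_PYTHON_INSTALL_TIMEOUT", "1200"))` and `_SNYK_TIMEOUT = int(os.environ.get("GHCI_SNYK_TIMEOUT", "300"))`, and write `async with asyncio.timeout(_PYTHON_INSTALL_TIMEOUT):` at the call sites. Note also that the 119 and 174 hunks raise the pipenv and poetry defaults from 600 to 1200 seconds, which the subject line ("Make timeout configurable") does not mention; if that is intended it deserves a sentence in the commit message, otherwise keep the 600 default for those two. `snyk` starts and ends outside the hunk.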
@@ -236,7 +236,7 @@ async def snyk(
 command = ["snyk", "test", "--json"] + config.get(
 "test-arguments", configuration.SNYK_TEST_ARGUMENTS_DEFAULT
 )
- async with asyncio.timeout(300):
+ async with asyncio.timeout(int(os.environ.get("GHCI_SNYK_TIMEOUT", "300"))):
 test_proc = await asyncio.create_subprocess_exec(
 *command, env=env_no_debug, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE
 )
@@ -319,7 +319,7 @@ async def snyk(
 snyk_fix_message = None
 if fixable_vulnerabilities:
 command = ["snyk", "fix"] + config.get("fix-arguments", configuration.SNYK_FIX_ARGUMENTS_DEFAULT)
- async with asyncio.timeout(300):
+ async with asyncio.timeout(int(os.environ.get("GHCI_SNYK_TIMEOUT", "300"))):
 snyk_fix_proc = await asyncio.create_subprocess_exec(
 *command, env=env_no_debug, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE
 )
From 86f3644111308f53158860c250ccc9b0e10eeb6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Brunner?=
Date: Sun, 9 Jun 2024 18:31:00 +0200
Subject: [PATCH 2/2] Audit: Some configurations fix
---
 AUDIT-CONFIG.md | 4 +-
 .../module/audit/configuration.py | 11 +++++-
 .../module/audit/schema.json | 11 +++++-
 github_app_geo_project/module/audit/utils.py | 38 +++++++++++++++----
 4 files changed, 52 insertions(+), 12 deletions(-)
diff --git a/AUDIT-CONFIG.md b/AUDIT-CONFIG.md
index 77a3d060d80..b3e186a0016 100644
--- a/AUDIT-CONFIG.md
+++ b/AUDIT-CONFIG.md
@@ -7,10 +7,12 @@
 - **`enabled`** _(boolean)_: Enable Snyk audit. Default: `true`.
 - **`files-no-install`** _(array)_: Dependency files that will not be installed. Default: `[]`.
 - **Items** _(string)_
- - **`pip-install-arguments`** _(array)_: Arguments to pass to pip install. Default: `["--user"]`.
+ - **`pip-install-arguments`** _(array)_: Arguments to pass to pip install. Default: `[]`.
 - **Items** _(string)_
 - **`pipenv-sync-arguments`** _(array)_: Arguments to pass to pipenv sync. Default: `[]`.
 - **Items** _(string)_
+ - **`poetry-install-arguments`** _(array)_: Arguments to pass to pip install. Default: `[]`.
+ - **Items** _(string)_
 - **`monitor-arguments`** _(array)_: Arguments to pass to Snyk monitor. Default: `["--all-projects"]`.
 - **Items** _(string)_
 - **`test-arguments`** _(array)_: Arguments to pass to Snyk test. Default: `["--all-projects", "--severity-threshold=medium"]`.
diff --git a/github_app_geo_project/module/audit/configuration.py b/github_app_geo_project/module/audit/configuration.py
index 77fae23d6ed..19f4c5d7c71 100644
--- a/github_app_geo_project/module/audit/configuration.py
+++ b/github_app_geo_project/module/audit/configuration.py
@@ -222,7 +222,7 @@ class DpkgConfiguration(TypedDict, total=False):
 """
 Default value of the field path 'Snyk configuration pipenv-sync-arguments'
 """
-PIP_INSTALL_ARGUMENTS_DEFAULT = ["--user"]
+PIP_INSTALL_ARGUMENTS_DEFAULT: list[Any] = []
 """
 Default value of the field path 'Snyk configuration pip-install-arguments'
 """
@@ -260,7 +260,7 @@ class DpkgConfiguration(TypedDict, total=False):
 # Arguments to pass to pip install
 #
 # default:
- # - --user
+ # []
 "pip-install-arguments": list[str],
 # Pipenv sync arguments.
 #
@@ -269,6 +269,13 @@ class DpkgConfiguration(TypedDict, total=False):
 # default:
 # []
 "pipenv-sync-arguments": list[str],
+ # Pip install arguments.
+ #
+ # Arguments to pass to pip install
+ #
+ # default:
+ # []
+ "poetry-install-arguments": list[str],
 # Snyk monitor arguments.
 #
 # Arguments to pass to Snyk monitor
diff --git a/github_app_geo_project/module/audit/schema.json b/github_app_geo_project/module/audit/schema.json
index effd5c43388..63cbddaf46a 100644
--- a/github_app_geo_project/module/audit/schema.json
+++ b/github_app_geo_project/module/audit/schema.json
@@ -34,7 +34,7 @@
 "type": "array",
 "title": "Pip install arguments",
 "description": "Arguments to pass to pip install",
- "default": ["--user"],
+ "default": [],
 "items": {
 "type": "string"
 }
@@ -48,6 +48,15 @@
 "type": "string"
 }
 },
+ "poetry-install-arguments": {
+ "type": "array",
+ "title": "Pip install arguments",
+ "description": "Arguments to pass to pip install",
+ "default": [],
+ "items": {
+ "type": "string"
+ }
+ },
 "monitor-arguments": {
 "type": "array",
 "title": "Snyk monitor arguments",
diff --git a/github_app_geo_project/module/audit/utils.py b/github_app_geo_project/module/audit/utils.py
index 3db8e78c70c..0cd1060419e 100644
--- a/github_app_geo_project/module/audit/utils.py
+++ b/github_app_geo_project/module/audit/utils.py
@@ -176,7 +176,13 @@ async def snyk(
 continue
 async with asyncio.timeout(int(os.environ.get("GHCI_PYTHON_INSTALL_TIMEOUT", "1200"))):
 try:
- command = ["poetry", "install"]
+ command = [
+ "poetry",
+ "install",
+ *local_config.get(
+ "poetry-install-arguments", config.get("poetry-install-arguments", [])
+ ),
+ ]
 async_proc = await asyncio.create_subprocess_exec(
 *command,
 cwd=os.path.dirname(os.path.abspath(file)),
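Review bot: The new `poetry-install-arguments` property in the `@@ -48` hunk of schema.json carries the copy-pasted `"title": "Pip install arguments"` and `"description": "Arguments to pass to pip install"`, and the same wrong text is reproduced in this commit's generated `configuration.py` (`# Pip install arguments.` in the 269 hunk) and in `AUDIT-CONFIG.md`. Since those two files appear to be generated from the schema, fix it at the source, `"title": "Poetry install arguments",` and `"description": "Arguments to pass to poetry install",`, and regenerate so the derived files come out right.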
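Review bot: In the `@@ -176` hunk the arguments spliced into the `poetry install` command line are now looked up in `local_config` before `config`, and the 213, 233 and 318 hunks do the same for `snyk monitor`, `snyk test` and `snyk fix`. If `local_config` is the per-repository configuration read from the audited checkout (the existing `files-no-install` lookup in the same function suggests it is), this lets the repository under audit choose the flags passed to those subprocesses; consider allowing only the application-level `config` to set these, or validating repository-supplied values against an allow-list before splicing them in, and add a comment on the lookup stating which settings a repository may override. Separately, the fallback `config.get("poetry-install-arguments", [])` uses a literal `[]` where the snyk lookups use `configuration.*_DEFAULT` constants — if the generator also emits `POETRY_INSTALL_ARGUMENTS_DEFAULT` (not visible here), use it for consistency. `snyk` starts and ends outside the hunk.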
@@ -213,9 +219,14 @@ async def snyk(
 env_no_debug = {**env}
 env["DEBUG"] = "*snyk*" # debug mode
- command = ["snyk", "monitor", f"--target-reference={branch}"] + config.get(
- "monitor-arguments", configuration.SNYK_MONITOR_ARGUMENTS_DEFAULT
- )
+ command = [
+ "snyk",
+ "monitor",
+ f"--target-reference={branch}",
+ *local_config.get(
+ "monitor-arguments", config.get("monitor-arguments", configuration.SNYK_MONITOR_ARGUMENTS_DEFAULT)
+ ),
+ ]
 async with asyncio.timeout(int(os.environ.get("GHCI_SNYK_TIMEOUT", "300"))):
 async_proc = await asyncio.create_subprocess_exec(
 *command, env=env, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE
@@ -233,9 +244,14 @@ async def snyk(
 message.title = "Project monitored"
 _LOGGER.debug(message)
- command = ["snyk", "test", "--json"] + config.get(
- "test-arguments", configuration.SNYK_TEST_ARGUMENTS_DEFAULT
- )
+ command = [
+ "snyk",
+ "test",
+ "--json",
+ *local_config.get(
+ "test-arguments", config.get("test-arguments", configuration.SNYK_TEST_ARGUMENTS_DEFAULT)
+ ),
+ ]
 async with asyncio.timeout(int(os.environ.get("GHCI_SNYK_TIMEOUT", "300"))):
 test_proc = await asyncio.create_subprocess_exec(
 *command, env=env_no_debug, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE
@@ -318,7 +334,13 @@ async def snyk(
 snyk_fix_success = True
 snyk_fix_message = None
 if fixable_vulnerabilities:
- command = ["snyk", "fix"] + config.get("fix-arguments", configuration.SNYK_FIX_ARGUMENTS_DEFAULT)
+ command = [
+ "snyk",
+ "fix",
+ *local_config.get(
+ "fix-arguments", config.get("fix-arguments", configuration.SNYK_FIX_ARGUMENTS_DEFAULT)
+ ),
+ ]
 async with asyncio.timeout(int(os.environ.get("GHCI_SNYK_TIMEOUT", "300"))):
 snyk_fix_proc = await asyncio.create_subprocess_exec(
 *command, env=env_no_debug, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE
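Review bot: The two-level lookup `local_config.get(key, config.get(key, default))` is spelled out inline inside a multi-line list literal in the 213, 233 and 318 hunks (and in the 176 hunk before them), which makes each command construction harder to read than it needs to be. A small helper would keep the intent in one place, `def _setting(local_config, config, key, default): return local_config.get(key, config.get(key, default))`, after which the monitor line collapses to `command = ["snyk", "monitor", f"--target-reference={branch}", *_setting(local_config, config, "monitor-arguments", configuration.SNYK_MONITOR_ARGUMENTS_DEFAULT)]`. `snyk` starts and ends outside the hunk.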