
add github dependency analysis #197

Merged
merged 29 commits into from
Nov 26, 2024

Conversation

yazgoo
Contributor

@yazgoo yazgoo commented Jun 14, 2024

This adds a new command for interactive usage:

githubAnalyzeDependencies usage:
  githubAnalyzeDependencies [get|list|alerts|cves] [pattern]   Analyze the dependencies based on a search pattern:
  get: search for a pattern in the dependencies (requires githubGenerateSnapshot)
  list: list all dependencies matching a pattern (requires githubGenerateSnapshot)
  alerts: download and display CVEs alerts from Github (use hub or gh local config or GIT_TOKEN env var to authenticate)
  cves: analyze CVEs alerts against the dependencies (requires githubGenerateSnapshot and githubAnalyzeDependencies alerts

This aims at making dependency analysis easier and more in sync with what the snapshot actually contains.

Here is an example session on this repo https://github.com/yazgoo/scala-meetup-june-2024

sbt:scala-meetup-june-2024> githubGenerateSnapshot
[info] Dependency snapshot written to /tmp/dependency-snapshot-1170344267975636835.json

retrieve github alerts

sbt:scala-meetup-june-2024> githubAnalyzeDependencies alerts
Extract token from /home/yazgoo/.config/gh-yazgoo/hosts.yml
[info] Downloading alerts from https://api.github.com/repos/yazgoo/scala-meetup-june-2024/dependabot/alerts
software.amazon.ion:ion-java [ < 1.10.5 ] fixed:  high
com.fasterxml.jackson.core:jackson-databind [ >= 2.4.0-rc1, < 2.12.7.1 ] fixed: 2.12.7.1 high
com.fasterxml.jackson.core:jackson-databind [ >= 2.10.0, < 2.12.6 ] fixed: 2.12.6 high
com.fasterxml.jackson.core:jackson-databind [ < 2.12.7.1 ] fixed: 2.12.7.1 high
com.fasterxml.jackson.core:jackson-databind [ <= 2.12.6.0 ] fixed: 2.12.6.1 high

check snapshot against alerts

sbt:scala-meetup-june-2024> githubAnalyzeDependencies cves
software.amazon.ion:ion-java [ < 1.10.5 ] fixed:  high
    🔴 1.0.2
com.fasterxml.jackson.core:jackson-databind [ >= 2.4.0-rc1, < 2.12.7.1 ] fixed: 2.12.7.1 high
    🟢 2.15.1
    🔴 2.12.3
com.fasterxml.jackson.core:jackson-databind [ >= 2.10.0, < 2.12.6 ] fixed: 2.12.6 high
    🟢 2.15.1
    🔴 2.12.3
com.fasterxml.jackson.core:jackson-databind [ < 2.12.7.1 ] fixed: 2.12.7.1 high
    🟢 2.15.1
    🔴 2.12.3
com.fasterxml.jackson.core:jackson-databind [ <= 2.12.6.0 ] fixed: 2.12.6.1 high
    🟢 2.15.1
    🔴 2.12.3

list versions of libs in snapshot:

sbt:scala-meetup-june-2024> githubAnalyzeDependencies list jackson-databind
com.fasterxml.jackson.core:jackson-databind:2.15.1
com.fasterxml.jackson.core:jackson-databind:2.12.3

find what pulls the broken dependency

sbt:scala-meetup-june-2024> githubAnalyzeDependencies get jackson-databind:2.12.3
📁 default:scala-meetup-june-2024_3:0.1
  com.fasterxml.jackson.core:jackson-databind:2.12.3
  com.fasterxml.jackson.core:jackson-databind:2.12.3
  com.fasterxml.jackson.core:jackson-databind:2.12.3
    com.amazonaws:aws-java-sdk-core:1.12.148
      com.amazonaws:aws-java-sdk-secretsmanager:1.12.148
    com.amazonaws:aws-java-sdk-core:1.12.148
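The `cves` step in the session above is a range match: each Dependabot alert carries a vulnerable version range, and every version of that package resolved in the snapshot is marked red if it falls inside the range and green otherwise. The following is an added example of that comparison, not code from this PR or the plugin. The sample snapshot and alert JSON are constructed to mirror the session; the field names follow GitHub's dependency-snapshot payload (`manifests` → `resolved` → `package_url`) and the Dependabot alerts REST API (`security_vulnerability.vulnerable_version_range`, `first_patched_version.identifier`, `severity`). The version ordering is a deliberately simple assumption (numeric segments, trailing zeros ignored, a `-rc` style qualifier sorts before the bare release), not Maven's full comparison rules.

```python
"""Match Dependabot alert version ranges against a GitHub dependency snapshot.

Added example; not the sbt-github-dependency-submission plugin's own code.
Sample JSON below is constructed to mirror the PR's example session.
"""
import json
import operator
import re

# --- constructed sample input (shapes follow the GitHub API payloads) ---------
SNAPSHOT_JSON = """{"manifests": {"default:scala-meetup-june-2024_3:0.1": {"resolved": {
  "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.1":
    {"package_url": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.1"},
  "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.3":
    {"package_url": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.3"},
  "pkg:maven/software.amazon.ion/ion-java@1.0.2":
    {"package_url": "pkg:maven/software.amazon.ion/ion-java@1.0.2"}}}}}"""

ALERTS_JSON = """[
 {"security_vulnerability": {"package": {"ecosystem": "maven", "name": "software.amazon.ion:ion-java"},
  "vulnerable_version_range": "< 1.10.5", "first_patched_version": null, "severity": "high"}},
 {"security_vulnerability": {"package": {"ecosystem": "maven", "name": "com.fasterxml.jackson.core:jackson-databind"},
  "vulnerable_version_range": ">= 2.4.0-rc1, < 2.12.7.1",
  "first_patched_version": {"identifier": "2.12.7.1"}, "severity": "high"}},
 {"security_vulnerability": {"package": {"ecosystem": "maven", "name": "com.fasterxml.jackson.core:jackson-databind"},
  "vulnerable_version_range": "<= 2.12.6.0",
  "first_patched_version": {"identifier": "2.12.6.1"}, "severity": "high"}}]"""


def version_key(version):
    """Sort key (assumed, simplified ordering): numeric dotted segments compared
    as ints with trailing zeros dropped (2.12.6.0 == 2.12.6); a '-qualifier'
    such as '-rc1' sorts *before* the bare release with the same numbers."""
    main, _, qualifier = version.partition("-")
    nums = [int(p) if p.isdigit() else 0 for p in main.split(".")]
    while nums and nums[-1] == 0:
        nums.pop()
    return (nums, qualifier == "", qualifier)


_CLAUSE = re.compile(r"^(<=|>=|<|>|=)\s*(\S+)$")
_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "=": operator.eq}


def in_range(version, range_spec):
    """True when `version` satisfies every comma-separated clause of the
    Dependabot range string, e.g. '>= 2.4.0-rc1, < 2.12.7.1'."""
    v = version_key(version)
    for clause in range_spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, version_key(bound)):
            return False
    return True


_PURL = re.compile(r"^pkg:maven/([^/]+)/([^@]+)@(.+)$")


def snapshot_versions(snapshot):
    """Map 'group:artifact' -> set of versions resolved in any manifest."""
    found = {}
    for manifest in snapshot["manifests"].values():
        for purl in manifest.get("resolved", {}):
            m = _PURL.match(purl)
            if m:
                group, artifact, version = m.groups()
                found.setdefault(f"{group}:{artifact}", set()).add(version)
    return found


def report(snapshot, alerts):
    """One row per alert: (package, range, fixed, severity, {version: status}),
    versions newest first, status 'vulnerable' or 'ok'."""
    versions = snapshot_versions(snapshot)
    rows = []
    for alert in alerts:
        vuln = alert["security_vulnerability"]
        name = vuln["package"]["name"]
        rng = vuln["vulnerable_version_range"]
        fixed = (vuln.get("first_patched_version") or {}).get("identifier", "")
        ordered = sorted(versions.get(name, ()), key=version_key, reverse=True)
        status = {v: ("vulnerable" if in_range(v, rng) else "ok") for v in ordered}
        rows.append((name, rng, fixed, vuln["severity"], status))
    return rows


def render(rows):
    """Text in the same layout as the `githubAnalyzeDependencies cves` output."""
    lines = []
    for name, rng, fixed, severity, status in rows:
        lines.append(f"{name} [ {rng} ] fixed: {fixed} {severity}")
        for version, st in status.items():
            lines.append(f"    {'🔴' if st == 'vulnerable' else '🟢'} {version}")
    return "\n".join(lines)


def sample_report():
    """Run the comparison on the constructed sample input."""
    return report(json.loads(SNAPSHOT_JSON), json.loads(ALERTS_JSON))


if __name__ == "__main__":
    print(render(sample_report()))
```

Because the snapshot lists every resolved version of a package, the same artifact can show up both green and red under one alert (2.15.1 and 2.12.3 here), which is exactly the situation the `get` step in the session then explains by walking the dependency tree.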

@adpi2
Member

adpi2 commented Jun 17, 2024

Thanks @yazgoo. That looks like a great improvement. I'll take a closer look at it soon.

@yazgoo
Contributor Author

yazgoo commented Jul 3, 2024

Hi @adpi2, is there something I can do to improve this PR?

@adpi2
Member

adpi2 commented Jul 3, 2024

Sorry, I did not get the time to review it yet. But it is near the top of my todo list. I will probably have time to review it next week.

@adpi2
Member

adpi2 commented Jul 9, 2024

@yazgoo here is my feedback. I think that githubAnalyzeDependencies is useful but too powerful/flexible, which makes it hard to use. For me its main value is to download the CVEs and to compare them with local dependencies. The rest of it (list and get) is not really specific to Github and is already available in other plugins.

So I suggest that githubAnalyzeDependencies should be a single command that downloads CVEs and prints a report based on the current snapshot.

To find what pulls the vulnerable dependencies, one can use whatDependsOn from the sbt-dependency-graph plugin.

@yazgoo
Contributor Author

yazgoo commented Jul 10, 2024

The issue with sbt-dependency-graph (and other dependency/CVE analysis tools I used) is that I don't get the exact same results as this plugin, which is why I implemented those functionalities.

Another possibility is that I write a separate plugin with these functionalities, but I'd like to use the snapshot in sbt state for this.

group "alerts" and "cve" commands in one command to make it easier to use.
@yazgoo
Contributor Author

yazgoo commented Oct 29, 2024

@adpi2 does it look good to you with these latest changes?

Member

@adpi2 adpi2 left a comment


Hi @yazgoo

Thank you for your work on this PR. I think it is good in terms of functionality and I am okay to integrate it in.

Here are a few comments about the implementation, to improve its readability.

Comment on lines 39 to 43
case "critical" => "\u001b[31m"
case "high" => "\u001b[31m"
case "medium" => "\u001b[33m"
case "low" => "\u001b[32m"
case _ => "\u001b[0m"
Member


For these you can use Console.RED, Console.YELLOW etc, which are much easier to understand. There is Console.RESET too.

@yazgoo
Contributor Author

yazgoo commented Nov 12, 2024

does it LGTY @adpi2?

Member

@adpi2 adpi2 left a comment


Thanks @yazgoo, I feel like this is almost ready to merge. Could you write the documentation in the readme file though, with an example maybe, that shows the output?

@adpi2
Member

adpi2 commented Nov 25, 2024

Scalafmt check is failing

@yazgoo
Contributor Author

yazgoo commented Nov 25, 2024

How can I run scalafmt locally?

I tried scalafixAll with no success.

@adpi2
Member

adpi2 commented Nov 26, 2024

You need to install the scalafmt command: https://scalameta.org/scalafmt/docs/installation.html#cli

Then you should be able to run it:

> scalafmt

@adpi2 adpi2 merged commit bb3df76 into scalacenter:main Nov 26, 2024
5 of 6 checks passed
@yazgoo
Contributor Author

yazgoo commented Nov 26, 2024

Cool, thanks!
