fix(PSEC): check environment in periodic job before running
tmu0 committed Aug 21, 2024
1 parent 7b3981c commit b0ade55
Showing 4 changed files with 80 additions and 57 deletions.
@@ -1,7 +1,12 @@
import logging

from data_source.jira_finding_data_source import JiraFindingDataSource
from model.ic import get_ic_repo_ci_pipeline_base_url, get_ic_repo_for_rust, get_ic_repo_merge_request_base_url
from model.ic import (
get_ic_repo_ci_pipeline_base_url,
get_ic_repo_for_rust,
get_ic_repo_merge_request_base_url,
is_env_for_periodic_job,
)
from model.project import Project
from model.repository import Repository
from model.team import Team
Expand All @@ -20,8 +25,13 @@
Repository("ic-gateway", "https://github.com/dfinity/ic-gateway", [Project(name="ic-gateway", path="ic-gateway", owner=Team.BOUNDARY_NODE_TEAM)]),
]

if __name__ == "__main__":

def main():
logging.basicConfig(level=logging.WARNING)
if not is_env_for_periodic_job():
logging.warning("skipping periodic RUST job because it is run in the wrong environment")
return

scanner_job = ScannerJobType.PERIODIC_SCAN
notify_on_scan_job_succeeded, notify_on_scan_job_failed = {}, {}
for job_type in ScannerJobType:
Expand All @@ -48,3 +58,7 @@
BazelRustDependencyManager(), JiraFindingDataSource(finding_data_source_subscribers, app_owner_msg_subscriber=notifier), scanner_subscribers
)
scanner_job.do_periodic_scan([get_ic_repo_for_rust()] + REPOS_TO_SCAN)


if __name__ == "__main__":
main()
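Review bot: The wrong-environment branch of `main()` logs a warning and returns, so the process exits with status 0 and a scheduler cannot tell a skipped run from a completed scan; the TRIVY and NPM jobs below have the same shape. If a quiet skip is the intent, say so in a docstring on `main()`, e.g. `"""Run the periodic RUST scan; returns without scanning (exit 0) unless GITHUB_REPOSITORY is dfinity/ic and GITHUB_REF is master."""`; otherwise exiting non-zero would surface a misconfigured runner instead of hiding it. The warning text also omits which repository and ref were observed, which makes the skip hard to diagnose from logs alone. The body of `main()` continues outside the visible hunk.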
Expand Up @@ -4,15 +4,44 @@
from data_source.slack_findings_failover_data_store import SlackFindingsFailoverDataStore
from integration.slack.slack_default_notification_handler import SlackDefaultNotificationHandler
from integration.slack.slack_trivy_finding_notification_handler import SlackTrivyFindingNotificationHandler
from model.ic import get_ic_repo_ci_pipeline_base_url, get_ic_repo_for_trivy, get_ic_repo_merge_request_base_url
from model.ic import get_ic_repo_ci_pipeline_base_url, get_ic_repo_merge_request_base_url, is_env_for_periodic_job
from model.project import Project
from model.repository import Repository
from model.team import Team
from notification.notification_config import NotificationConfig
from notification.notification_creator import NotificationCreator
from scanner.dependency_scanner import DependencyScanner
from scanner.manager.bazel_trivy_dependency_manager import BazelTrivyContainer
from scanner.scanner_job_type import ScannerJobType

if __name__ == "__main__":
REPOS_TO_SCAN = [
Repository(
"ic",
"https://github.com/dfinity/ic",
[
Project(
name="boundary-guestos",
path="ic/ic-os/boundary-guestos/envs/prod",
link="https://github.com/dfinity/ic/tree/master/ic-os/boundary-guestos/context",
owner=Team.BOUNDARY_NODE_TEAM,
),
Project(
name="guestos",
path="ic/ic-os/guestos/envs/prod",
link="https://github.com/dfinity/ic/tree/master/ic-os/guestos/context",
owner=Team.NODE_TEAM,
),
],
)
]


def main():
logging.basicConfig(level=logging.WARNING)
if not is_env_for_periodic_job():
logging.warning("skipping periodic TRIVY job because it is run in the wrong environment")
return

scanner_job = ScannerJobType.PERIODIC_SCAN
notify_on_scan_job_succeeded, notify_on_scan_job_failed = {}, {}
for job_type in ScannerJobType:
Expand All @@ -36,12 +65,14 @@
notifier = NotificationCreator(config)
finding_data_source_subscribers = [notifier]
scanner_subscribers = [notifier]
ic_repo = get_ic_repo_for_trivy()
assert len(ic_repo) == 1
scanner_job = DependencyScanner(
BazelTrivyContainer(app_owner_msg_subscriber=notifier),
JiraFindingDataSource(finding_data_source_subscribers, app_owner_msg_subscriber=notifier),
scanner_subscribers,
SlackFindingsFailoverDataStore(projects=ic_repo[0].projects)
SlackFindingsFailoverDataStore(projects=REPOS_TO_SCAN[0].projects)
)
scanner_job.do_periodic_scan(get_ic_repo_for_trivy())
scanner_job.do_periodic_scan(REPOS_TO_SCAN)


if __name__ == "__main__":
main()
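Review bot: `SlackFindingsFailoverDataStore(projects=REPOS_TO_SCAN[0].projects)` hard-wires the failover store to the first entry of the new module-level list, so a repository appended to `REPOS_TO_SCAN` later would be scanned while its findings had no failover coverage, and the dropped `assert len(ic_repo) == 1` no longer guards that assumption. Either derive the projects from the whole list, `projects=[p for repo in REPOS_TO_SCAN for p in repo.projects]`, or record the assumption next to the list, `# the failover store in main() covers only REPOS_TO_SCAN[0]`. Dropping the `IS_PRIVATE` variant looks consistent with the new guard only accepting `dfinity/ic`, but that coupling is implicit and worth a one-line comment on `REPOS_TO_SCAN`. `main()` continues outside the visible hunks.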
13 changes: 11 additions & 2 deletions gitlab-ci/src/dependencies/job/npm_scanner_periodic_job.py
@@ -1,7 +1,7 @@
import logging

from data_source.jira_finding_data_source import JiraFindingDataSource
from model.ic import get_ic_repo_ci_pipeline_base_url, get_ic_repo_merge_request_base_url
from model.ic import get_ic_repo_ci_pipeline_base_url, get_ic_repo_merge_request_base_url, is_env_for_periodic_job
from model.project import Project
from model.repository import Repository
from model.team import Team
Expand Down Expand Up @@ -140,8 +140,13 @@
# ),
]

if __name__ == "__main__":

def main():
logging.basicConfig(level=logging.WARNING)
if not is_env_for_periodic_job():
logging.warning("skipping periodic NPM job because it is run in the wrong environment")
return

scanner_job = ScannerJobType.PERIODIC_SCAN
notify_on_scan_job_succeeded, notify_on_scan_job_failed = {}, {}
for job_type in ScannerJobType:
Expand All @@ -168,3 +173,7 @@
NPMDependencyManager(), JiraFindingDataSource(finding_data_source_subscribers, app_owner_msg_subscriber=notifier), scanner_subscribers
)
scanner_job.do_periodic_scan(REPOS_TO_SCAN)


if __name__ == "__main__":
main()
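Review bot: The environment guard and its warning are now copy-pasted into three `main()` functions that differ only in the job name (this file plus the RUST and TRIVY jobs above), so any change to the check, such as also logging the observed repository and ref, has to be made in three places. A small helper in `model.ic`, for example `def skip_periodic_job(job_name: str) -> bool` that performs the check and emits the warning, would keep them aligned and reduce the call here to `if skip_periodic_job("NPM"): return`. `main()` continues outside the visible hunk.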
63 changes: 16 additions & 47 deletions gitlab-ci/src/dependencies/model/ic.py
@@ -1,11 +1,25 @@
from typing import List
import os

from model.project import Project
from model.repository import Repository
from model.team import Team
from scanner.dependency_scanner import PROJECT_ROOT

IS_PRIVATE = PROJECT_ROOT.name == "ic-private"
GITHUB_REPOSITORY = os.environ.get("GITHUB_REPOSITORY", "dfinity/ic")
GITHUB_REF = os.environ.get("GITHUB_REF", "refs/heads/master")


def is_running_in_ic_repo() -> bool:
return GITHUB_REPOSITORY == "dfinity/ic"


def is_running_on_main_branch() -> bool:
return GITHUB_REF == "refs/heads/master"


def is_env_for_periodic_job() -> bool:
return is_running_in_ic_repo() and is_running_on_main_branch()


def get_ic_repo_for_rust() -> Repository:
Expand All @@ -15,51 +29,6 @@ def get_ic_repo_for_rust() -> Repository:
return Repository("ic", "https://github.com/dfinity/ic", [Project(name="ic", path="ic", owner_by_path={"ic/rs/crypto": [Team.CRYPTO_TEAM], "ic/rs/validator": [Team.CRYPTO_TEAM], "ic/rs/canonical_state": [Team.CRYPTO_TEAM]})])


def get_ic_repo_for_trivy() -> List[Repository]:
if IS_PRIVATE:
return [
Repository(
"ic",
"https://github.com/dfinity/ic-private",
[
Project(
name="boundary-guestos",
path="ic-private/ic-os/boundary-guestos/envs/prod",
link="https://github.com/dfinity/ic-private/tree/master-private/ic-os/boundary-guestos/context",
owner=Team.BOUNDARY_NODE_TEAM,
),
Project(
name="guestos",
path="ic-private/ic-os/guestos/envs/prod",
link="https://github.com/dfinity/ic-private/tree/master-private/ic-os/guestos/context",
owner=Team.NODE_TEAM,
),
],
)
]

return [
Repository(
"ic",
"https://github.com/dfinity/ic",
[
Project(
name="boundary-guestos",
path="ic/ic-os/boundary-guestos/envs/prod",
link="https://github.com/dfinity/ic/tree/master/ic-os/boundary-guestos/context",
owner=Team.BOUNDARY_NODE_TEAM,
),
Project(
name="guestos",
path="ic/ic-os/guestos/envs/prod",
link="https://github.com/dfinity/ic/tree/master/ic-os/guestos/context",
owner=Team.NODE_TEAM,
),
],
)
]


def get_ic_repo_merge_request_base_url() -> str:
if IS_PRIVATE:
return "https://github.com/dfinity/ic-private/pull/"
Expand All @@ -72,7 +41,7 @@ def get_ic_repo_ci_pipeline_base_url() -> str:
return "https://github.com/dfinity/ic/actions/runs/"


def __test_get_ic_path() :
def __test_get_ic_path():
if IS_PRIVATE:
return "ic-private"
return "ic"
