Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Trusty: Support blocking PRs through reviews #3392

Merged
merged 1 commit into from
May 23, 2024

Conversation

puerco
Copy link
Contributor

@puerco puerco commented May 22, 2024

Summary

Minder now has the capability to request changes in PRs when it finds something odd based on Trusty dependency data.

This PR also introduces a new setting in the trusty ruletype configuration to disable blocking when malicious deps are detected (all power to the users, but why would you want that?!).

Fixes #3380
Part of #3379

Change Type

Mark the type of change your PR introduces:

  • Bug fix (resolves an issue without affecting existing features)
  • Feature (adds new functionality without breaking changes)
  • Breaking change (may impact existing functionalities or require documentation updates)
  • Documentation (updates or additions to documentation)
  • Refactoring or test improvements (no bug fixes or new functionality)

Testing

image

Review Checklist:

  • Reviewed my own code for quality and clarity.
  • Added comments to complex or tricky code sections.
  • Updated any affected documentation.
  • Included tests that validate the fix or feature.
  • Checked that related changes are merged.

@puerco puerco requested a review from a team as a code owner May 22, 2024 02:52
@coveralls
Copy link

coveralls commented May 22, 2024

Coverage Status

coverage: 51.877% (-0.04%) from 51.921%
when pulling 655058d on puerco:trusty-review
into cb61ff9 on stacklok:main.

dmjb
dmjb previously approved these changes May 22, 2024
Copy link
Member

@rdimitrov rdimitrov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't have anything against, but I'll click the request changes in case someone decides to merge it before we resolve the comment 👍

Action: pr_actions.ActionSummary,
Action: pr_actions.ActionReviewPr,
Block: map[string]bool{
"malicious": true,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't it safer if we invert this and don't rely on initialising the bool with true?

Also I think we can even delete this option in the Review action. I mean turning it on kind of overlaps with the other actions and if someone doesn't want Minder to block the PR, they can use some of them, right?

I think this is how the vulnerability/OSV rule works like, right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah so the idea is that this option is for the review action. In addition to malicious, we will have another entry to block (or not) when deprecated packages are found. This will let users control when they want to block or just get feedback from minder separately for those two specific dependency types.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also note that this is initializing missing map entries from the default settings here.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm actually fine with this config granularity @rdimitrov . The way I read it the action tells you the "what" to do with the PR and the "block" tells you which of the attributes to take into account when deciding whether to block. And I also think all of them should be on by default.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, thanks for flipping the setting! 😃 Yeah, my motivation was to keep vulncheck and trusty behaviour similar, but I agree on the functionality of this + we'll be refactoring that part so we might as well make it available for all PR related Minder actions not just Trusty.

jhrozek
jhrozek previously approved these changes May 22, 2024
Copy link
Contributor

@jhrozek jhrozek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A test with a malicious package went fine. As discussed with @puerco it would be nice to display a list of alternatives to the user also when flagging a malicous package, but this can be done in a separate PR.

This commit adds to minder the capability to request changes in PRs when
minder finds something odd using trusty data.

We now also introduce a new setting to disable blocking on malicious deps
(all power to the users, but why would you want that?!).

Signed-off-by: Adolfo García Veytia (puerco) <[email protected]>
@puerco
Copy link
Contributor Author

puerco commented May 23, 2024

In the rush to write this yesterday I noticed that the configuration flags I added didn't match those in the PRD. I rewrote the logic to rename the options and to make them configurable per ecosystem. @rdimitrov you'll be glad to see that the logic of the blocking flags is now flipped :)

This is the config block now, note that with the last push it is now configurable per ecosystem:

      action: review
      ecosystem_config:
        - name: npm
          score: 5
          allow_malicious: false
        - name: pypi
          score: 5
          allow_malicious: false
        - name: go
          score: 5
          allow_malicious: false

See https://github.com/stacklok/minder-rules-and-profiles/pull/116 for the updated rule config

@puerco puerco merged commit 9ffe6bb into mindersec:main May 23, 2024
20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Trusty Integration: Mark a flagged pull request as requesting changes
5 participants