From 3b9a29e2b5a073fadec4f1e2d06a0ac941010ba2 Mon Sep 17 00:00:00 2001 From: Christian Cwienk Date: Fri, 6 Dec 2024 14:37:06 +0100 Subject: [PATCH] refactor: import dataclasses from cc-utils / pipeline-template Reduce dependencies from delivery-service-repository towards cc-utils (in particular such dependenceis against cc-util's pipeline-template). As GithubIssueTemplateCfg is quite a trivial datastructure, copy it for now (will be deduplicated again by planned mv of upstream github.compliance-package - which is currently blocked by remaining, pipeline-based scans (CX + OS-id), yet to be migrated into ocm-gear-extensions). LicenseCfg was not longer used within cc-utils. --- bdba/scanning.py | 3 +- bdba/util.py | 4 +- config.py | 98 ++++++++++++++++++++++++++++++++---------------- 3 files changed, 68 insertions(+), 37 deletions(-) diff --git a/bdba/scanning.py b/bdba/scanning.py index 982bf691..bbdf6da2 100644 --- a/bdba/scanning.py +++ b/bdba/scanning.py @@ -14,7 +14,6 @@ import cnudie.access import cnudie.iter import cnudie.retrieve -import concourse.model.traits.image_scan as image_scan import delivery.client import dso.cvss import dso.labels @@ -283,7 +282,7 @@ def process( known_scan_results: tuple[bm.Product], processing_mode: bm.ProcessingMode, delivery_client: delivery.client.DeliveryServiceClient=None, - license_cfg: image_scan.LicenseCfg=None, + license_cfg: config.LicenseCfg=None, cve_rescoring_ruleset: rescore.model.CveRescoringRuleSet=None, auto_assess_max_severity: dso.cvss.CVESeverity=dso.cvss.CVESeverity.MEDIUM, use_product_cache: bool=True, diff --git a/bdba/util.py b/bdba/util.py index 19406a8d..80913232 100644 --- a/bdba/util.py +++ b/bdba/util.py @@ -9,12 +9,12 @@ import ci.log import cnudie.iter -import concourse.model.traits.image_scan as image_scan import delivery.client import dso.model import github.compliance.model as gcm import github.compliance.report as gcr +import config import bdba.model as bm @@ -47,7 +47,7 @@ def iter_existing_findings( def iter_artefact_metadata( scanned_element: cnudie.iter.ResourceNode, scan_result: bm.AnalysisResult, - license_cfg: image_scan.LicenseCfg=None, + license_cfg: config.LicenseCfg=None, delivery_client: delivery.client.DeliveryServiceClient=None, ) -> collections.abc.Generator[dso.model.ArtefactMetadata, None, None]: now = datetime.datetime.now(tz=datetime.timezone.utc) diff --git a/config.py b/config.py index a292c299..e6138cce 100644 --- a/config.py +++ b/config.py @@ -3,12 +3,12 @@ import datetime import enum import logging +import re import dacite import github3 import github3.repos -import concourse.model.traits.image_scan as image_scan import cnudie.iter import dso.cvss import dso.model @@ -94,6 +94,64 @@ class ClamAVConfig: artefact_types: tuple[str] +@dataclasses.dataclass(frozen=True) +class FindingTypeIssueReplicationCfgBase: + ''' + :param str finding_type: + finding type this configuration should be applied for + (see cc-utils dso/model.py for available "Datatype"s) + :param bool enable_issue_assignees + :param bool enable_issue_per_finding: + when set to true issues are created per finding for a + specific artefact as oppsed to a single issue with + all findings + ''' + finding_type: str + enable_issue_assignees: bool + enable_issue_per_finding: bool + + +@dataclasses.dataclass(frozen=True) +class VulnerabilityIssueReplicationCfg(FindingTypeIssueReplicationCfgBase): + ''' + :param int cve_threshold: + vulnerability findings below this threshold won't be reported in the issue(s) + ''' + cve_threshold: int + + +@dataclasses.dataclass(frozen=True) +class GithubIssueTemplateCfg: + ''' + a github-issue-template specific for an issue-type + + note: this class was copy-pasted from https://github.com/gardener/cc-utils (where it is + planned for removal). Should not be changed incompatibly until removal is done upstream. + ''' + body: str + type: str + + +@dataclasses.dataclass +class LicenseCfg: + ''' + configures license policies for discovered licences + + licenses are configured as lists of regular expressions (matching is done case-insensitive) + ''' + prohibited_licenses: list[str] = None + + def is_allowed(self, license: str): + if not self.prohibited_licenses: + return True + + for prohibited in self.prohibited_licenses: + if re.fullmatch(prohibited, license, re.IGNORECASE): + return False + else: + return True + + @dataclasses.dataclass(frozen=True) class BDBAConfig: ''' @@ -141,37 +199,11 @@ class BDBAConfig: node_filter: collections.abc.Callable[[cnudie.iter.Node], bool] cve_rescoring_ruleset: rescore.model.CveRescoringRuleSet | None auto_assess_max_severity: dso.cvss.CVESeverity - license_cfg: image_scan.LicenseCfg + license_cfg: LicenseCfg delete_inactive_products_after_seconds: int blacklist_finding_types: set[str] -@dataclasses.dataclass(frozen=True) -class FindingTypeIssueReplicationCfgBase: - ''' - :param str finding_type: - finding type this configuration should be applied for - (see cc-utils dso/model.py for available "Datatype"s) - :param bool enable_issue_assignees - :param bool enable_issue_per_finding: - when set to true issues are created per finding for a - specific artefact as oppsed to a single issue with - all findings - ''' - finding_type: str - enable_issue_assignees: bool - enable_issue_per_finding: bool - - -@dataclasses.dataclass(frozen=True) -class VulnerabilityIssueReplicationCfg(FindingTypeIssueReplicationCfgBase): - ''' - :param int cve_threshold: - vulnerability findings below this threshold won't be reported in the issue(s) - ''' - cve_threshold: int - - @dataclasses.dataclass(frozen=True) class IssueReplicatorConfig: ''' @@ -206,11 +238,11 @@ class IssueReplicatorConfig: delivery_dashboard_url: str replication_interval: int lookup_new_backlog_item_interval: int - license_cfg: image_scan.LicenseCfg + license_cfg: LicenseCfg max_processing_days: github.compliance.model.MaxProcessingTimesDays github_api_lookup: collections.abc.Callable[[str], github3.GitHub] github_issues_repository: github3.repos.Repository - github_issue_template_cfgs: tuple[image_scan.GithubIssueTemplateCfg] + github_issue_template_cfgs: tuple[GithubIssueTemplateCfg] github_issue_labels_to_preserve: set[str] number_included_closed_issues: int artefact_types: tuple[str] @@ -617,7 +649,7 @@ def deserialise_bdba_config( default_config=default_config, default_value=[], ) - license_cfg = image_scan.LicenseCfg(prohibited_licenses=prohibited_licenses) + license_cfg = LicenseCfg(prohibited_licenses=prohibited_licenses) delete_inactive_products_after_seconds = deserialise_config_property( config=bdba_config, @@ -799,7 +831,7 @@ def deserialise_issue_replicator_config( default_config=default_config, default_value=[], ) - license_cfg = image_scan.LicenseCfg(prohibited_licenses=prohibited_licenses) + license_cfg = LicenseCfg(prohibited_licenses=prohibited_licenses) max_processing_days_raw = deserialise_config_property( config=issue_replicator_config, @@ -836,7 +868,7 @@ def deserialise_issue_replicator_config( ) github_issue_template_cfgs = tuple( dacite.from_dict( - data_class=image_scan.GithubIssueTemplateCfg, + data_class=GithubIssueTemplateCfg, data=ghit, ) for ghit in github_issue_templates )