Implements the vulnerability report #1013
099575e to 8928a17
| REPO=$(pulp python repository show --name security-scan-repo) | ||
| VERSION_HREF=$(echo $REPO | jq -r '.latest_version_href') | ||
|
|
||
| # 5. Scan for vulnerabilities | ||
| curl -XPOST -u <user>:<password> ${BASE_ADDR}${VERSION_HREF}scan/ |
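Review bot: in the `VERSION_HREF=` line, `$REPO` is unquoted; use `echo "$REPO" | jq -r '.latest_version_href'` so the JSON reaches `jq` intact regardless of shell word splitting and globbing. In the `curl` line, `-u <user>:<password>` puts the password into shell history and process listings; `-u <user>` alone makes curl prompt for it, or the credentials can be read from `--netrc`.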
Let's get this into the cli. Do you need help with adding the command?
hmm... I have never worked on the pulp-cli code. Let me study it a little :D
pulp_python/app/viewsets.py
Outdated
| repo_version = await sync_to_async(RepositoryVersion.objects.get)(pk=repo_version_pk) | ||
| content_units = python_models.PythonPackageContent.objects.filter(pk__in=repo_version.content) |
| repo_version = await sync_to_async(RepositoryVersion.objects.get)(pk=repo_version_pk) | |
| content_units = python_models.PythonPackageContent.objects.filter(pk__in=repo_version.content) | |
| repo_version = await RepositoryVersion.objects.aget(pk=repo_version_pk) | |
| content_units = python_models.PythonPackageContent.objects.filter(pk__in=repo_version.content).values("name", "version") |
For the
content_units = python_models.PythonPackageContent.objects.filter(pk__in=repo_version.content).values("name", "version")
I think this will not work because we also need the content objects found:
https://github.com/pulp/pulp_python/pull/1013/files#diff-38cc3b67ebd1f8ea44002fc7897552b1674435d85771f6ab27a0c86e383d00aeR666
https://github.com/pulp/pulpcore/blob/d9651981e20ac5b2dc1997f181204924f5c36cce/pulpcore/app/tasks/vulnerability_report.py#L133-L134
pulp_python/app/viewsets.py
Outdated
| content_units = python_models.PythonPackageContent.objects.filter(pk__in=repo_version.content) | ||
| ecosystem = "PyPI" | ||
| async for content in sync_to_async_iterable(content_units): | ||
| repo_content_osv_data = _build_osv_data(content.name, ecosystem, content.version) |
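Review bot: `sync_to_async_iterable(content_units)` in the `async for` line is only needed on Django versions before 4.1; from 4.1 on a queryset can be iterated with `async for content in content_units:` directly, which removes the wrapper and its import. Worth checking which Django the targeted pulpcore range pulls in before keeping the helper.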
Do we know if the osv requires the package name to be normalized? e.g. Django->django, pulp_python->pulp-python
It seems like we don't need it: https://github.com/google/osv.dev/pull/3088/files#diff-f0076c6d3c021f2596f325ce199b2781bfc3ef236eb3b854bab96d5641aa1087R193-R195
8928a17 to 3819f38
3819f38 to be0622e
gerrod3
left a comment
This is looking good, two small changes and I think we can LGTM.
| Retrieve Python package content from a repository version for vulnerability scanning. | ||
| """ | ||
| repo_version = await RepositoryVersion.objects.aget(pk=repo_version_pk) | ||
| content_units = PythonPackageContent.objects.filter(pk__in=repo_version.content) |
| content_units = PythonPackageContent.objects.filter(pk__in=repo_version.content) | |
| content_units = PythonPackageContent.objects.filter(pk__in=repo_version.content).only("name", "version") |
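Review bot: `.only("name", "version")` in the suggested line defers every other field, so any later attribute access on these instances beyond `pk`, `name` and `version` (for example when the matched content units are handed back with the report) issues one extra query per object. Confirm the downstream code touches only those fields, or add the ones it needs to the `only()` call.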
There's a lot of metadata on the Package object, but we only need these two fields. Also, this one is different from values as it creates the model instance rather than just a dictionary, but it only populates the specified fields and pk so it should work.
awesome!! it worked!
| repo_version = python_bindings.RepositoriesPythonVersionsApi.read( | ||
| python_python_repository_version_href=latest_version_href | ||
| ) |
| repo_version = python_bindings.RepositoriesPythonVersionsApi.read( | |
| python_python_repository_version_href=latest_version_href | |
| ) | |
| repo_version = python_bindings.RepositoriesPythonVersionsApi.read(latest_version_href) |
be0622e to 8db7f9a
pyproject.toml
Outdated
| requires-python = ">=3.11" | ||
| dependencies = [ | ||
| "pulpcore>=3.81.0,<3.100", | ||
| "pulpcore>=3.85.0,<3.100", |
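Review bot: the new lower bound `pulpcore>=3.85.0` still admits 3.85.0 through 3.85.2; the comment below states that the required bugfix ships in 3.85.3, so the bound should read `>=3.85.3` to keep those releases out.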
The bugfix we need for vuln reports will be in 3.85.3
8db7f9a to a48b9fe
a48b9fe to 4f6c33f
closes: #1012