Merge pull request #141 from safedep/chore/misc-enhancements-2023-11-02

Multiple Misc Fixes and Enhancements

.github/workflows/golangci-lint.yml

@@ -1,4 +1,4 @@
-name: golangci-lint
+name: Go Linter
 on:
   pull_request:
     branches:

.github/workflows/goreleaser.yml

@@ -1,4 +1,4 @@
-name: goreleaser
+name: Release Automation
 
 on:
   push:
@@ -8,6 +8,10 @@ on:
 permissions:
   contents: read
 
+env:
+  OSX_CROSS_TOOLCHAIN_REPOSITORY: https://github.com/abhisek/osxcross
+  OSX_CROSS_MACOS_SDK_VERSION: "12.3"
+
 jobs:
   goreleaser:
     outputs:
@@ -37,6 +41,35 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install OSX Cross Compiler Build Tools
+        run: sudo apt-get install -y -qq clang gcc g++ zlib1g-dev libmpc-dev libmpfr-dev libgmp-dev cmake libxml2-dev libssl-dev xz-utils
+
+      - name: Setup OSX Cross Compiler Tool Chain Environment
+        run: |
+          echo "OSXCROSS_DIR=$(dirname $GITHUB_WORKSPACE)/osxcross" >> $GITHUB_ENV
+
+      - name: Clone OSX Cross Compiler Tool Chain
+        run: git clone $OSX_CROSS_TOOLCHAIN_REPOSITORY $OSXCROSS_DIR
+
+      - name: Setup Cache for OSX Cross Compiler Tool Chain
+        id: osxcross-cache
+        uses: actions/cache@v3
+        with:
+          key: ${{ runner.os }}-osxcross-${{ env.OSX_CROSS_MACOS_SDK_VERSION }}
+          path: |
+            ${{ env.OSXCROSS_DIR }}/target/bin
+
+      - name: Build OSX Cross Compiler Tool Chain
+        if: steps.osxcross-cache.outputs.cache-hit != 'true'
+        run: |
+          cd $OSXCROSS_DIR
+          SDK_VERSION=$OSX_CROSS_MACOS_SDK_VERSION UNATTENDED=yes ./build.sh
+
+      - name: Add OSX Cross Compiler Tool Chain to Path
+        run: |
+          echo "$OSXCROSS_DIR/target/bin" >> $GITHUB_PATH
+
       - name: Run GoReleaser
         id: run-goreleaser
         uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v4.1.0
@@ -45,6 +78,7 @@ jobs:
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GORELEASER_GITHUB_TOKEN }}
+
       - name: Generate subject
         id: hash
         env:

.goreleaser.yaml

@@ -15,20 +15,29 @@ builds:
       - linux
     goarch:
       - amd64
+    env:
+      - CC=x86_64-linux-gnu-gcc
+      - CXX=x86_64-linux-gnu-g++
 
   - id: darwin-amd64
     binary: vet
     goos:
       - darwin
     goarch:
       - amd64
+    env:
+      - CC=o64-clang
+      - CXX=o64-clang++
 
   - id: darwin-arm64
     binary: vet
     goos:
       - darwin
     goarch:
       - arm64
+    env:
+      - CC=o64-clang
+      - CXX=o64-clang++
 
 release:
   # for prerelease it doesn't build and distribute

main.go

@@ -16,6 +16,7 @@ import (
 var (
 	verbose              bool
 	debug                bool
+	noBanner             bool
 	logFile              string
 	globalExceptionsFile string
 )
@@ -51,6 +52,7 @@ func main() {
 
 	cmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "Show verbose logs")
 	cmd.PersistentFlags().BoolVarP(&debug, "debug", "d", false, "Show debug logs")
+	cmd.PersistentFlags().BoolVarP(&noBanner, "no-banner", "", false, "Do not display the vet banner")
 	cmd.PersistentFlags().StringVarP(&logFile, "log", "l", "", "Write command logs to file")
 	cmd.PersistentFlags().StringVarP(&globalExceptionsFile, "exceptions", "e", "", "Load exceptions from file")
 
@@ -86,10 +88,16 @@ func loadExceptions() {
 }
 
 func printBanner() {
+	if noBanner {
+		return
+	}
+
 	bRet, err := strconv.ParseBool(os.Getenv("VET_DISABLE_BANNER"))
-	if (err != nil) || (!bRet) {
-		ui.PrintBanner(banner)
+	if (err == nil) && (bRet) {
+		return
 	}
+
+	ui.PrintBanner(banner)
 }
 
 // Redirect to file or discard log if empty

pkg/analyzer/cel_filter_suite.go

@@ -14,8 +14,8 @@ import (
 )
 
 type celFilterMatchedPackage struct {
-	pkg        *models.Package
-	filterName string
+	pkg *models.Package
+	flt *filtersuite.Filter
 }
 
 type celFilterSuiteAnalyzer struct {
@@ -106,7 +106,7 @@ func (f *celFilterSuiteAnalyzer) renderMatchTable() {
 	tbl.SetStyle(table.StyleLight)
 	tbl.SetOutputMirror(os.Stdout)
 	tbl.AppendHeader(table.Row{"Ecosystem", "Package", "Latest",
-		"Filter"})
+		"Filter", "Summary"})
 
 	for _, mp := range f.matchedPackages {
 		insights := utils.SafelyGetValue(mp.pkg.Insights)
@@ -115,7 +115,8 @@ func (f *celFilterSuiteAnalyzer) renderMatchTable() {
 			fmt.Sprintf("%s@%s", mp.pkg.PackageDetails.Name,
 				mp.pkg.PackageDetails.Version),
 			utils.SafelyGetValue(insights.PackageCurrentVersion),
-			mp.filterName,
+			mp.flt.GetName(),
+			mp.flt.GetSummary(),
 		})
 	}
 
@@ -145,8 +146,8 @@ func (f *celFilterSuiteAnalyzer) handleMatchedPkg(pkg *models.Package,
 
 	f.stat.IncMatchedPackage()
 	f.matchedPackages[pkg.Id()] = &celFilterMatchedPackage{
-		filterName: filter.GetName(),
-		pkg:        pkg,
+		flt: filter,
+		pkg: pkg,
 	}
 }
 

pkg/parser/parser.go

@@ -48,7 +48,7 @@ var customExperimentalParsers map[string]lockfile.PackageDetailsParser = map[str
 
 type Parser interface {
 	Ecosystem() string
-	Parse(lockfilePath string) (models.PackageManifest, error)
+	Parse(lockfilePath string) (*models.PackageManifest, error)
 }
 
 type parserWrapper struct {
@@ -152,15 +152,15 @@ func (pw *parserWrapper) Ecosystem() string {
 	}
 }
 
-func (pw *parserWrapper) Parse(lockfilePath string) (models.PackageManifest, error) {
+func (pw *parserWrapper) Parse(lockfilePath string) (*models.PackageManifest, error) {
 	pm := models.PackageManifest{Path: lockfilePath,
 		Ecosystem: pw.Ecosystem()}
 
 	logger.Infof("[%s] Parsing %s", pw.parseAs, lockfilePath)
 
 	packages, err := pw.parser(lockfilePath)
 	if err != nil {
-		return pm, err
+		return &pm, err
 	}
 
 	for _, pkg := range packages {
@@ -170,5 +170,5 @@ func (pw *parserWrapper) Parse(lockfilePath string) (models.PackageManifest, err
 		})
 	}
 
-	return pm, nil
+	return &pm, nil
 }

pkg/readers/dir_reader.go

@@ -72,8 +72,8 @@ func (p *directoryReader) EnumManifests(handler func(*models.PackageManifest,
 			return nil
 		}
 
-		return handler(&manifest,
-			NewManifestModelReader(&manifest))
+		return handler(manifest,
+			NewManifestModelReader(manifest))
 	})
 
 	return err

pkg/readers/github_reader.go

@@ -58,7 +58,7 @@ func (p *githubReader) EnumManifests(handler func(*models.PackageManifest,
 			return err
 		}
 
-		err = processRemoteLockfile(ctx, p.client, gitURL, handler)
+		err = p.processRemoteDependencyGraph(ctx, p.client, gitURL, handler)
 		if err != nil {
 			return err
 		}
@@ -67,17 +67,18 @@ func (p *githubReader) EnumManifests(handler func(*models.PackageManifest,
 	return nil
 }
 
-func processRemoteLockfile(ctx context.Context, client *github.Client,
+func (p *githubReader) processRemoteDependencyGraph(ctx context.Context, client *github.Client,
 	gitUrl giturl.IGitURL, handler func(*models.PackageManifest,
 		PackageReader) error) error {
 
 	org := gitUrl.GetOwnerName()
 	repo := gitUrl.GetRepoName()
 
-	lf, err := fetchRemoteFile(ctx, client, org, repo)
+	lf, err := p.fetchRemoteDependencyGraphToFile(ctx, client, org, repo)
 	if err != nil {
 		return err
 	}
+
 	defer os.Remove(lf)
 
 	lfParser, err := parser.FindParser(lf, parser.LockfileAsBomSpdx)
@@ -90,7 +91,7 @@ func processRemoteLockfile(ctx context.Context, client *github.Client,
 		return err
 	}
 
-	err = handler(&manifest, NewManifestModelReader(&manifest))
+	err = handler(manifest, NewManifestModelReader(manifest))
 	if err != nil {
 		return err
 	}
@@ -110,7 +111,7 @@ func processRemoteLockfile(ctx context.Context, client *github.Client,
  *
  * Note: The caller should remove the filepath returned when done.
  **/
-func fetchRemoteFile(ctx context.Context, client *github.Client,
+func (p *githubReader) fetchRemoteDependencyGraphToFile(ctx context.Context, client *github.Client,
 	org, repo string) (string, error) {
 	sbom, _, err := client.DependencyGraph.GetSBOM(ctx, org, repo)
 	if err != nil {

pkg/readers/lockfile_reader.go

@@ -42,7 +42,7 @@ func (p *lockfileReader) EnumManifests(handler func(*models.PackageManifest,
 			return err
 		}
 
-		err = handler(&manifest, NewManifestModelReader(&manifest))
+		err = handler(manifest, NewManifestModelReader(manifest))
 		if err != nil {
 			return err
 		}

pkg/reporter/markdown.go

@@ -66,7 +66,10 @@ type markdownReportGenerator struct {
 }
 
 func NewMarkdownReportGenerator(config MarkdownReportingConfig) (Reporter, error) {
-	summaryReporter, _ := NewSummaryReporter()
+	summaryReporter, _ := NewSummaryReporter(SummaryReporterConfig{
+		MaxAdvice: summaryReportMaxUpgradeAdvice,
+	})
+
 	return &markdownReportGenerator{
 		config:          config,
 		summaryReporter: summaryReporter,

pkg/reporter/summary.go

@@ -2,6 +2,10 @@ package reporter
 
 import (
 	"fmt"
+	"os"
+	"sort"
+	"strings"
+
 	"github.com/jedib0t/go-pretty/v6/table"
 	"github.com/jedib0t/go-pretty/v6/text"
 	"github.com/safedep/dry/semver"
@@ -12,9 +16,6 @@ import (
 	"github.com/safedep/vet/pkg/models"
 	"github.com/safedep/vet/pkg/policy"
 	"github.com/safedep/vet/pkg/readers"
-	"os"
-	"sort"
-	"strings"
 )
 
 const (
@@ -46,7 +47,13 @@ type summaryReporterRemediationData struct {
 	tags  []string
 }
 
+type SummaryReporterConfig struct {
+	MaxAdvice int
+}
+
 type summaryReporter struct {
+	config SummaryReporterConfig
+
 	summary struct {
 		manifests int
 		packages  int
@@ -69,8 +76,13 @@ type summaryReporter struct {
 	violations        map[string]*summaryReporterInputViolationData
 }
 
-func NewSummaryReporter() (Reporter, error) {
+func NewSummaryReporter(config SummaryReporterConfig) (Reporter, error) {
+	if config.MaxAdvice == 0 {
+		config.MaxAdvice = summaryReportMaxUpgradeAdvice
+	}
+
 	return &summaryReporter{
+		config:            config,
 		remediationScores: make(map[string]*summaryReporterRemediationData),
 		violations:        make(map[string]*summaryReporterInputViolationData),
 	}, nil
@@ -83,6 +95,7 @@ func (r *summaryReporter) Name() string {
 func (r *summaryReporter) AddManifest(manifest *models.PackageManifest) {
 	readers.NewManifestModelReader(manifest).EnumPackages(func(pkg *models.Package) error {
 		r.processForVulns(pkg)
+		r.processForMalware(pkg)
 		r.processForPopularity(pkg)
 		r.processForVersionDrift(pkg)
 
@@ -170,9 +183,25 @@ func (r *summaryReporter) processForPopularity(pkg *models.Package) {
 	}
 }
 
+func (r *summaryReporter) processForMalware(pkg *models.Package) {
+	insight := utils.SafelyGetValue(pkg.Insights)
+	vulns := utils.SafelyGetValue(insight.Vulnerabilities)
+
+	for _, vuln := range vulns {
+		// OSV API follows the convention of using MAL-YYYY-ID convention
+		// as generated by https://github.com/ossf/malicious-packages
+		if strings.HasPrefix(utils.SafelyGetValue(vuln.Id), "MAL-") {
+			r.summary.vulns.critical += 1
+			r.addPkgForRemediationAdvice(pkg, summaryWeightCriticalVuln, "malware")
+		}
+	}
+}
+
 func (r *summaryReporter) processForVulns(pkg *models.Package) {
 	insight := utils.SafelyGetValue(pkg.Insights)
-	for _, vuln := range utils.SafelyGetValue(insight.Vulnerabilities) {
+	vulns := utils.SafelyGetValue(insight.Vulnerabilities)
+
+	for _, vuln := range vulns {
 		for _, s := range utils.SafelyGetValue(vuln.Severities) {
 			sevType := utils.SafelyGetValue(s.Type)
 			risk := utils.SafelyGetValue(s.Risk)
@@ -277,8 +306,10 @@ func (r *summaryReporter) renderRemediationAdvice() {
 	tbl.SetStyle(table.StyleLight)
 
 	tbl.AppendHeader(table.Row{"Ecosystem", "Package", "Update To", "Impact"})
+
+	maxAdvice := r.config.MaxAdvice
 	for idx, sp := range sortedPackages {
-		if idx >= summaryReportMaxUpgradeAdvice {
+		if idx >= maxAdvice {
 			break
 		}