chore: refactor for deps
chrisdlangton committed Nov 19, 2024
1 parent 1126e46 commit e31015e
Showing 27 changed files with 2,594 additions and 2,110 deletions.
13 changes: 10 additions & 3 deletions .repo/scratchad.sql
Expand Up @@ -10,6 +10,13 @@
-- SELECT *
-- FROM Triage
-- WHERE findingUuid = "c00f2661-a1fc-4a72-83af-5894580ee510";
SELECT *
FROM Finding
WHERE affectedFunctions IS NOT NULL;
SELECT A."accessToken",
A."avatarUrl",
A."created",
A."expires",
A."installationId",
A."login",
A."memberEmail",
B."orgId"
FROM "GitHubApp" A
INNER JOIN "Member" B ON A."memberEmail" = B."email";
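Review bot: The scratch query now selects `A."accessToken"` next to member data, so running it from this committed file prints GitHub access tokens in clear in whatever console or paste the output lands in. Drop that column from the select list, or replace it with something non-revealing such as `length(A."accessToken")`, so the scratchpad can be used without handling the secret. The commented-out `Triage` lookup above uses double quotes around a string literal; SQLite (which D1 runs on) may accept that as a literal only because no such column exists, so use single quotes if it is ever uncommented.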
3 changes: 0 additions & 3 deletions functions/api/[analysisState]/issues.js
Expand Up @@ -37,9 +37,6 @@ export async function onRequestGet(context) {
}
},
},
omit: {
memberEmail: true,
},
include: {
triage: true,
spdx: {
3 changes: 0 additions & 3 deletions functions/api/analytics.js
Expand Up @@ -30,9 +30,6 @@ export async function onRequestGet(context) {
where: {
orgId: verificationResult.session.orgId,
},
omit: {
memberEmail: true,
},
include: {
triage: true,
spdx: {
3 changes: 0 additions & 3 deletions functions/api/archive.js
Expand Up @@ -36,9 +36,6 @@ export async function onRequestGet(context) {
}
},
},
omit: {
memberEmail: true,
},
include: {
triage: {
orderBy: {
37 changes: 27 additions & 10 deletions functions/api/cdx.js
@@ -1,3 +1,4 @@
import { parseCycloneDXComponents } from "@/finding";
import { AuthResult, ensureStrReqBody, hex, isCDX, OSV, saveArtifact, Server } from "@/utils";
import { PrismaD1 } from '@prisma/adapter-d1';
import { PrismaClient } from '@prisma/client';
Expand Down Expand Up @@ -31,9 +32,6 @@ export async function onRequestGet(context) {
where: {
orgId: verificationResult.session.orgId,
},
omit: {
memberEmail: true,
},
include: {
repo: true,
artifact: {
Expand Down Expand Up @@ -100,28 +98,47 @@ export async function onRequestPost(context) {
orgId: verificationResult.session.orgId,
}
})

const artifactUuid = originalCdx?.artifactUuid || cdx.serialNumber.startsWith('urn:uuid:') ? cdx.serialNumber.substring(9) : crypto.randomUUID()
const artifactUuid = originalCdx?.artifactUuid || (cdx?.serialNumber?.startsWith('urn:uuid:') ? cdx.serialNumber.substring(9) : crypto.randomUUID())
if (!cdx?.serialNumber) {
cdx.serialNumber = `urn:uuid:${artifactUuid}`
}
const dependencies = []
for (const dep of parseCycloneDXComponents(cdx)) {
const info = await prisma.Dependency.upsert({
where: {
cdx_dep: {
cdxId,
name: dep.name,
version: dep.version,
}
},
update: {
license: dep.license,
dependsOnUuid: dep.dependsOnUuid
},
create: { ...dep, cdxId }
})
dependencies.push({ ...dep, cdxId })
console.log(`Dependency ${dep.name}@${dep.version}`, info)
}
const cdxStr = JSON.stringify(cdx)
const artifact = await saveArtifact(prisma, env.r2artifacts, cdxStr, artifactUuid, `cyclonedx`)
const cdxData = {
cdxId,
artifactUuid,
source: 'upload',
orgId: verificationResult.session.orgId,
memberEmail: verificationResult.session.memberEmail,
cdxVersion: cdx.specVersion,
serialNumber: cdx.serialNumber,
name: cdx.metadata?.component?.name,
version: cdx.metadata?.component?.version,
createdAt: (new Date(cdx.metadata.timestamp)).getTime(),
createdAt: cdx.metadata?.timestamp ? new Date(cdx.metadata.timestamp).getTime() : new Date().getTime(),
toolName: cdx.metadata.tools.map(t => `${t?.vendor} ${t?.name} ${t?.version}`.trim()).join(', '),
externalReferencesCount: cdx.metadata.component?.externalReferences?.length || 0,
}
const info = await prisma.CycloneDXInfo.upsert({
where: {
cdxId,
memberEmail: verificationResult.session.memberEmail,
orgId: verificationResult.session.orgId,
},
update: {
createdAt: cdxData.createdAt,
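Review bot: `cdx.metadata` is now optional-chained when computing `createdAt`, but the two lines right below still dereference it unguarded — `cdx.metadata.tools.map(...)` and `cdx.metadata.component?.externalReferences` — so an upload without `metadata` now throws there instead of one line earlier. Guard them the same way, e.g. `toolName: (cdx.metadata?.tools ?? []).map(t => ...).join(', '),` and `externalReferencesCount: cdx.metadata?.component?.externalReferences?.length || 0,`; note also that in CycloneDX 1.5+ `metadata.tools` may be an object (`{ components, services }`) rather than an array, in which case `.map` is not a function either. The new `Dependency.upsert` loop awaits one round-trip per component and logs the full upsert result each time, which for a large SBOM is slow and noisy; consider batching, or at least dropping the per-row `console.log`. The loop also runs before the `CycloneDXInfo` upsert for the same `cdxId`; if `Dependency.cdxId` is a relation to that table (schema not shown), the first upload of a new SBOM would fail on the foreign key. `onRequestPost` continues outside the hunk.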
Expand All @@ -130,6 +147,7 @@ export async function onRequestPost(context) {
create: cdxData
})
console.log(`/upload/cdx ${cdxId} kid=${verificationResult.session.kid}`, info)
cdxData.dependencies = dependencies
files.push(cdxData)

const osvQueries = cdx.components.map(component => {
Expand All @@ -155,7 +173,6 @@ export async function onRequestPost(context) {
const findingData = {
findingId,
orgId: verificationResult.session.orgId,
memberEmail: verificationResult.session.memberEmail,
source: 'osv.dev',
category: 'sca',
createdAt: (new Date()).getTime(),
3 changes: 0 additions & 3 deletions functions/api/exploitable.js
Expand Up @@ -32,9 +32,6 @@ export async function onRequestGet(context) {
orgId: verificationResult.session.orgId,
triage: { every: { analysisState: 'exploitable' } }
},
omit: {
memberEmail: true,
},
include: {
triage: {
orderBy: {
2 changes: 1 addition & 1 deletion functions/api/github/[installation_id]/uninstall.js
Expand Up @@ -26,7 +26,7 @@ export async function onRequestGet(context) {

try {
const where = {
memberEmail: verificationResult.session.memberEmail,
orgId: verificationResult.session.orgId,
installationId: parseInt(params.installation_id, 10),
}
const app = await prisma.GitHubApp.findUniqueOrThrow({ where })
7 changes: 3 additions & 4 deletions functions/api/github/repos.js
Expand Up @@ -36,7 +36,7 @@ export async function onRequestGet(context) {
const gitRepos = []
const installs = await prisma.GitHubApp.findMany({
where: {
memberEmail: verificationResult.session.memberEmail,
orgId: verificationResult.session.orgId,
AND: { expires: { gte: (new Date()).getTime(), } }
},
})
Expand All @@ -53,14 +53,14 @@ export async function onRequestGet(context) {
await prisma.GitHubApp.update({
where: {
installationId: parseInt(app.installationId, 10),
AND: { memberEmail: app.memberEmail, },
AND: { orgId: app.orgId, },
},
data: app,
})
continue
}
delete app.accessToken
delete app.memberEmail

return Response.json({ error, app })
}
for (const repo of content) {
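Review bot: The error path still returns the whole `GitHubApp` row to the client after a denylist `delete app.accessToken`; the `delete app.memberEmail` that this commit drops shows why that is brittle — every column added to the table later (another token, a refresh token) is exposed by default until someone remembers to delete it. Project an allowlist instead, e.g. `const { installationId, login, expires } = app` and `return Response.json({ error, app: { installationId, login, expires } })`, which also avoids mutating the record in place before it is returned. The same `delete app.accessToken` followed by `errors.push({ error, app })` appears in the sarif.js and spdx.js hunks of this commit and should get the same treatment. `onRequestGet` continues outside the hunk.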
Expand Down Expand Up @@ -107,7 +107,6 @@ const store = async (prisma, session, repo) => {
pushedAt: (new Date(repo.pushed_at)).getTime(),
defaultBranch: repo.default_branch,
ownerId: repo.owner.id,
memberEmail: session.memberEmail,
licenseSpdxId: repo.license?.spdx_id || '',
licenseName: repo.license?.name || '',
fork: repo.fork ? 1 : 0,
7 changes: 2 additions & 5 deletions functions/api/github/repos/[org]/[repo]/sarif.js
Expand Up @@ -35,7 +35,7 @@ export async function onRequestGet(context) {
const errors = []
const githubApps = await prisma.GitHubApp.findMany({
where: {
memberEmail: verificationResult.session.memberEmail,
orgId: verificationResult.session.orgId,
},
})
const repoName = `${params.org}/${params.repo}`
Expand All @@ -54,14 +54,13 @@ export async function onRequestGet(context) {
await prisma.GitHubApp.update({
where: {
installationId: parseInt(app.installationId, 10),
AND: { memberEmail: app.memberEmail, },
AND: { orgId: app.orgId },
},
data: app,
})
continue
}
delete app.accessToken
delete app.memberEmail
errors.push({ error, app })
continue
}
Expand Down Expand Up @@ -116,7 +115,6 @@ const process = async (prisma, session, data, fullName) => {
fullName,
source: 'GitHub',
orgId: session.orgId,
memberEmail: session.memberEmail,
commitSha: data.report.commit_sha,
ref: data.report.ref,
createdAt: (new Date(data.report.created_at)).getTime(),
Expand Down Expand Up @@ -215,7 +213,6 @@ const process = async (prisma, session, data, fullName) => {
reportId: data.report.id.toString(),
artifactUuid: sarifId,
fullName,
memberEmail: session.memberEmail,
commitSha: data.report.commit_sha,
ref: data.report.commit_sha,
createdAt: (new Date(data.report.created_at)).getTime(),
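Review bot: In this second record built by `process`, `ref: data.report.commit_sha` duplicates the `commitSha` field directly above it, while the first record in the previous hunk uses `ref: data.report.ref`; this looks like a copy-paste slip and should presumably be `ref: data.report.ref,` — worth confirming against what the column is meant to hold. The only change in this hunk is the `memberEmail` removal, so the line is untouched by the commit but sits on the new side. `process` starts and ends outside the hunk.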
40 changes: 33 additions & 7 deletions functions/api/github/repos/[org]/[repo]/spdx.js
@@ -1,3 +1,4 @@
import { createPurlFromUrl, parsePackageRef, parseSPDXComponents } from "@/finding";
import { GitHub, hex, isSPDX, OSV, saveArtifact, Server } from "@/utils";
import { PrismaD1 } from '@prisma/adapter-d1';
import { PrismaClient } from '@prisma/client';
Expand Down Expand Up @@ -39,7 +40,7 @@ export async function onRequestGet(context) {

const githubApps = await prisma.GitHubApp.findMany({
where: {
memberEmail: verificationResult.session.memberEmail,
orgId: verificationResult.session.orgId,
},
})
for (const app of githubApps) {
Expand All @@ -55,14 +56,13 @@ export async function onRequestGet(context) {
await prisma.GitHubApp.update({
where: {
installationId: parseInt(app.installationId, 10),
AND: { memberEmail: app.memberEmail, },
AND: { orgId: app.orgId },
},
data: app,
})
continue
}
delete app.accessToken
delete app.memberEmail
errors.push({ error, app })
continue
}
Expand All @@ -88,6 +88,26 @@ export async function onRequestGet(context) {
}
const findingIds = await process(prisma, verificationResult.session, repoName, spdx, spdxId, originalSpdx?.artifactUuid || artifact?.uuid)
findings = [...findings, ...findingIds]
const dependencies = []
for (const dep of parseSPDXComponents(spdx)) {
const info = await prisma.Dependency.upsert({
where: {
spdx_dep: {
spdxId,
name: dep.name,
version: dep.version,
}
},
update: {
license: dep.license,
dependsOnUuid: dep.dependsOnUuid
},
create: { ...dep, spdxId }
})
dependencies.push({ ...dep, spdxId })
console.log(`Dependency ${dep.name}@${dep.version}`, info)
}
spdx.dependencies = dependencies
files.push({ spdx, errors })
}
const memberKeys = await prisma.MemberKey.findMany({
Expand Down Expand Up @@ -142,7 +162,6 @@ const process = async (prisma, session, repoName, spdx, spdxId, artifactUuid) =>
artifactUuid,
source: 'GitHub',
orgId: session.orgId,
memberEmail: session.memberEmail,
repoName,
spdxVersion: spdx.spdxVersion,
dataLicense: spdx.dataLicense,
Expand All @@ -168,13 +187,21 @@ const process = async (prisma, session, repoName, spdx, spdxId, artifactUuid) =>

console.log(`/github/repos/spdx ${repoName} kid=${session.kid}`, info)
const osvQueries = spdx.packages.flatMap(pkg => {
if (!pkg?.externalRefs) { return }
const { version } = parsePackageRef(pkg.SPDXID, pkg.name)
if (!pkg?.externalRefs && pkg?.downloadLocation) {
return [{
purl: createPurlFromUrl(pkg.downloadLocation, pkg.name, pkg?.versionInfo ? pkg.versionInfo : version),
name: pkg.name,
version: pkg?.versionInfo ? pkg.versionInfo : version,
license: pkg?.licenseConcluded || pkg?.licenseDeclared,
}]
}
return pkg.externalRefs
.filter(ref => ref?.referenceType === 'purl')
.map(ref => ({
purl: ref.referenceLocator,
name: pkg.name,
version: pkg?.versionInfo,
version: pkg?.versionInfo ? pkg.versionInfo : version,
license: pkg?.licenseConcluded || pkg?.licenseDeclared,
}))
}).filter(q => q?.purl)
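Review bot: Removing the early `if (!pkg?.externalRefs) { return }` makes the fall-through `return pkg.externalRefs.filter(...)` throw a TypeError for a package that has neither `externalRefs` nor `downloadLocation`, a case the old code tolerated because the `undefined` element was dropped by the trailing `.filter(q => q?.purl)`. Change the last return to `return (pkg?.externalRefs ?? []).filter(ref => ref?.referenceType === 'purl')`, or restore the guard as `if (!pkg?.externalRefs) { return [] }` after the `downloadLocation` branch. `parsePackageRef(pkg.SPDXID, pkg.name)` is now called for every package before either branch; if it throws on an unexpected SPDXID format (its implementation is not visible here) the whole upload fails rather than just that package's query. `process` starts and ends outside the hunk.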
Expand All @@ -192,7 +219,6 @@ const process = async (prisma, session, repoName, spdx, spdxId, artifactUuid) =>
const findingData = {
findingId,
orgId: session.orgId,
memberEmail: session.memberEmail,
repoName,
source: 'osv.dev',
category: 'sca',
3 changes: 0 additions & 3 deletions functions/api/github/repos/cached.js
Expand Up @@ -30,9 +30,6 @@ export async function onRequestGet(context) {
where: {
orgId: verificationResult.session.orgId,
},
omit: {
memberEmail: true,
},
take,
skip,
orderBy: {
7 changes: 3 additions & 4 deletions functions/api/issue/[uuid].js
Expand Up @@ -7,9 +7,9 @@ import {
VexAnalysisResponse,
VexAnalysisState
} from "@/utils";
import { CVSS30, CVSS31, CVSS40 } from '@pandatix/js-cvss';
import { PrismaD1 } from '@prisma/adapter-d1';
import { PrismaClient } from '@prisma/client';
import { CVSS30, CVSS31, CVSS40 } from '@pandatix/js-cvss';

export async function onRequestPost(context) {
const {
Expand Down Expand Up @@ -163,14 +163,12 @@ export async function onRequestGet(context) {
uuid,
AND: { orgId: verificationResult.session.orgId }
},
omit: {
memberEmail: true,
},
include: {
triage: true,
spdx: {
include: {
repo: true,
dependencies: true,
artifact: {
include: {
downloadLinks: true,
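Review bot: `dependencies: true` pulls every `Dependency` row of the SBOM into the single-issue response, and the same include is added on the `cdx` side in the next hunk; for a large SBOM that is thousands of rows per issue fetch, most of them unrelated to this finding. If only the affected package is needed, narrow the include with a `where` on the dependency `name`/`version` that the finding refers to (if those are available on the finding), or use a `select` limited to the columns the UI shows, so the payload stays bounded. `onRequestGet` continues outside the hunk.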
Expand All @@ -181,6 +179,7 @@ export async function onRequestGet(context) {
cdx: {
include: {
repo: true,
dependencies: true,
artifact: {
include: {
downloadLinks: true,
4 changes: 2 additions & 2 deletions functions/api/login/github/[code].js
Expand Up @@ -143,7 +143,7 @@ export async function onRequestGet(context) {
})
console.log(`/github/install session kid=${token}`, sessionInfo)
const githubApp = await prisma.GitHubApp.findFirst({
where: { memberEmail: response.member.email },
where: { orgId: response.member.orgId },
})
let installationId = githubApp?.installationId
if (!installationId) {
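Review bot: Looking the installation up by `orgId` alone with `findFirst` and no `orderBy` returns an arbitrary row when an org has more than one `GitHubApp` record, and that `installationId` then becomes the key under which this member's `oauthData.access_token` is stored in the upsert below. If the upsert's update branch (outside the hunk) also writes `accessToken`, each member login silently replaces the token used for org-wide GitHub calls with the last member's, and the behaviour depends on which member logged in most recently. Consider matching on the GitHub `login` as well (if `content` is already available at this point), or keeping one row per (org, login) so one member's token does not overwrite another's. `onRequestGet` continues outside the hunk.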
Expand All @@ -170,7 +170,7 @@ export async function onRequestGet(context) {
},
create: {
installationId: parseInt(installationId, 10),
memberEmail: response.member.email,
orgId: response.member.orgId,
accessToken: oauthData.access_token,
login: content.login,
created,