Migrate trusty eval engine to Trusty v2 API.

blkt · blkt · commit c4601e06b6c6 · 2024-11-21T09:25:13.000+01:00
This change migrates `trusty` evaluation engine to use Trusty v2 API. Most of the changes apply to the intermediate representation we recently added to decouple Trusty from Minder, but some additional changes were required due to some fields becoming optional and nullable. Note: this change is again meant to be bug-compatible with the current evaluation engine, so we treat the lack of `"score"` as a score of `0`, thus triggering false positives as done by the current engine. The idea is to build on top of this to fix known issues of the engine before migrating it to Data Sources. Fixes stacklok/minder-stories#77
diff --git a/go.mod b/go.mod
@@ -70,7 +70,7 @@ require (
 	github.com/spf13/viper v1.19.0
 	github.com/sqlc-dev/pqtype v0.3.0
 	github.com/stacklok/frizbee v0.1.4
-	github.com/stacklok/trusty-sdk-go v0.2.2
+	github.com/stacklok/trusty-sdk-go v0.2.3-0.20241120172703-3643fb488d5e
 	github.com/stretchr/testify v1.9.0
 	github.com/styrainc/regal v0.29.2
 	github.com/thomaspoignant/go-feature-flag v1.38.0
@@ -381,7 +381,7 @@ require (
 	golang.org/x/mod v0.22.0
 	golang.org/x/net v0.31.0 // indirect
 	golang.org/x/sys v0.27.0 // indirect
-	golang.org/x/text v0.20.0
+	golang.org/x/text v0.20.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
diff --git a/go.sum b/go.sum
@@ -1019,8 +1019,8 @@ github.com/sqlc-dev/pqtype v0.3.0 h1:b09TewZ3cSnO5+M1Kqq05y0+OjqIptxELaSayg7bmqk
 github.com/sqlc-dev/pqtype v0.3.0/go.mod h1:oyUjp5981ctiL9UYvj1bVvCKi8OXkCa0u645hce7CAs=
 github.com/stacklok/frizbee v0.1.4 h1:00v6/2HBmwzNdOyVAP4e1isOeUAIWTlb5eggoNUpHmk=
 github.com/stacklok/frizbee v0.1.4/go.mod h1:rFA90VkGFYLb7qCiUniAihmkgXfZAj2BnfF6jR8Csro=
-github.com/stacklok/trusty-sdk-go v0.2.2 h1:55B2DrneLYZXxBaNEeyRMGac7mj+pFbrKomx/hSxUyI=
-github.com/stacklok/trusty-sdk-go v0.2.2/go.mod h1:BbXNVVT32meuxyJuO4pmXRzVPjc/9AXob2sBbOPiKpk=
+github.com/stacklok/trusty-sdk-go v0.2.3-0.20241120172703-3643fb488d5e h1:4fTGYQPNLex5VT4c4S7AifMJqUiM/r1B+J5qXUJMSFI=
+github.com/stacklok/trusty-sdk-go v0.2.3-0.20241120172703-3643fb488d5e/go.mod h1:QR01jLW/yfwcXY38dwDpgeEjVc2MAR1LycH1fXtoSXs=
 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
diff --git a/internal/engine/eval/trusty/actions.go b/internal/engine/eval/trusty/actions.go
@@ -299,7 +299,7 @@ func (sph *summaryPrHandler) generateSummary() (string, error) {
 				malicious = append(malicious, maliciousTemplateData{
 					templatePackageData: packageData,
 					Summary:             alternative.trustyReply.Malicious.Summary,
-					Details:             preprocessDetails(alternative.trustyReply.Malicious.Details),
+					Details:             alternative.trustyReply.Malicious.Details,
 				})
 				continue
 			}
@@ -324,7 +324,7 @@ func (sph *summaryPrHandler) generateSummary() (string, error) {
 			// (2) we don't suggest malicious packages, I
 			// suggest getting rid of this check
 			// altogether.
-			if altData.Score != nil && *altData.Score <= lowScorePackages[alternative.Dependency.Name].Score {
+			if altData.Score != nil && *altData.Score != 0 && *altData.Score <= lowScorePackages[alternative.Dependency.Name].Score {
 				continue
 			}
 
@@ -333,9 +333,11 @@ func (sph *summaryPrHandler) generateSummary() (string, error) {
 					Ecosystem:   altData.PackageType,
 					PackageName: altData.PackageName,
 					TrustyURL:   altData.TrustyURL,
-					Score:       *altData.Score,
 				},
 			}
+			if altData.Score != nil {
+				altPackageData.templatePackageData.Score = *altData.Score
+			}
 
 			dep := lowScorePackages[alternative.Dependency.Name]
 			dep.Alternatives = append(dep.Alternatives, altPackageData)
@@ -428,8 +430,12 @@ func newSummaryPrHandler(
 	}, nil
 }
 
-func preprocessDetails(s string) string {
-	scanner := bufio.NewScanner(strings.NewReader(s))
+func preprocessDetails(s *string) string {
+	if s == nil {
+		return ""
+	}
+
+	scanner := bufio.NewScanner(strings.NewReader(*s))
 	text := ""
 	for scanner.Scan() {
 		if strings.HasPrefix(scanner.Text(), "#") {
diff --git a/internal/engine/eval/trusty/trusty.go b/internal/engine/eval/trusty/trusty.go
@@ -12,10 +12,8 @@ import (
 	"strings"
 
 	"github.com/rs/zerolog"
-	trusty "github.com/stacklok/trusty-sdk-go/pkg/v1/client"
-	trustytypes "github.com/stacklok/trusty-sdk-go/pkg/v1/types"
-	"golang.org/x/text/cases"
-	"golang.org/x/text/language"
+	trusty "github.com/stacklok/trusty-sdk-go/pkg/v2/client"
+	trustytypes "github.com/stacklok/trusty-sdk-go/pkg/v2/types"
 	"google.golang.org/protobuf/reflect/protoreflect"
 
 	"github.com/mindersec/minder/internal/constants"
@@ -39,7 +37,7 @@ const (
 type Evaluator struct {
 	cli      provifv1.GitHub
 	endpoint string
-	client   *trusty.Trusty
+	client   trusty.Trusty
 }
 
 // NewTrustyEvaluator creates a new trusty evaluator
@@ -296,135 +294,201 @@ type alternative struct {
 
 func getDependencyScore(
 	ctx context.Context,
-	trustyClient *trusty.Trusty,
+	trustyClient trusty.Trusty,
 	dep *pbinternal.PrDependencies_ContextualDependency,
 ) (*trustyReport, error) {
 	// Call the Trusty API
-	resp, err := trustyClient.Report(ctx, &trustytypes.Dependency{
-		Name:      dep.Dep.Name,
-		Version:   dep.Dep.Version,
-		Ecosystem: trustytypes.Ecosystem(dep.Dep.Ecosystem),
-	})
+	packageType := dep.Dep.Ecosystem.AsString()
+	input := &trustytypes.Dependency{
+		PackageName:    dep.Dep.Name,
+		PackageVersion: &dep.Dep.Version,
+		PackageType:    &packageType,
+	}
+
+	respSummary, err := trustyClient.Summary(ctx, input)
+	if err != nil {
+		return nil, fmt.Errorf("failed getting summary: %w", err)
+	}
+
+	respPkg, err := trustyClient.PackageMetadata(ctx, input)
+	if err != nil {
+		return nil, fmt.Errorf("failed getting package metadata: %w", err)
+	}
+
+	respAlternatives, err := trustyClient.Alternatives(ctx, input)
 	if err != nil {
-		return nil, fmt.Errorf("failed to send request: %w", err)
+		return nil, fmt.Errorf("failed getting alternatives: %w", err)
 	}
 
-	res := makeTrustyReport(dep, resp)
+	respProvenance, err := trustyClient.Provenance(ctx, input)
+	if err != nil {
+		return nil, fmt.Errorf("failed getting provenance: %w", err)
+	}
+
+	res := makeTrustyReport(dep,
+		respSummary,
+		respPkg,
+		respAlternatives,
+		respProvenance,
+	)
 
 	return res, nil
 }
 
 func makeTrustyReport(
 	dep *pbinternal.PrDependencies_ContextualDependency,
-	resp *trustytypes.Reply,
+	respSummary *trustytypes.PackageSummaryAnnotation,
+	respPkg *trustytypes.TrustyPackageData,
+	respAlternatives *trustytypes.PackageAlternatives,
+	respProvenance *trustytypes.Provenance,
 ) *trustyReport {
 	res := &trustyReport{
-		PackageName:     dep.Dep.Name,
-		PackageVersion:  dep.Dep.Version,
-		PackageType:     dep.Dep.Ecosystem.AsString(),
-		TrustyURL:       makeTrustyURL(dep.Dep.Name, strings.ToLower(dep.Dep.Ecosystem.AsString())),
-		Score:           resp.Summary.Score,
-		IsDeprecated:    resp.PackageData.Deprecated,
-		IsArchived:      resp.PackageData.Archived,
-		ActivityScore:   getValueFromMap[float64](resp.Summary.Description, "activity"),
-		ProvenanceScore: getValueFromMap[float64](resp.Summary.Description, "provenance"),
-	}
-
-	res.ScoreComponents = makeScoreComponents(resp.Summary.Description)
-	res.Alternatives = makeAlternatives(dep.Dep.Ecosystem.AsString(), resp.Alternatives.Packages)
-
-	if getValueFromMap[bool](resp.Summary.Description, "malicious") {
-		res.Malicious = &malicious{
-			Summary: resp.PackageData.Malicious.Summary,
-			Details: preprocessDetails(resp.PackageData.Malicious.Details),
-		}
+		PackageName:    dep.Dep.Name,
+		PackageVersion: dep.Dep.Version,
+		PackageType:    dep.Dep.Ecosystem.AsString(),
+		TrustyURL:      makeTrustyURL(dep.Dep.Name, strings.ToLower(dep.Dep.Ecosystem.AsString())),
 	}
 
-	res.Provenance = makeProvenance(resp.Provenance)
+	addSummaryDetails(res, respSummary)
+	addMetadataDetails(res, respPkg)
+
+	res.ScoreComponents = makeScoreComponents(respSummary.Description)
+	res.Alternatives = makeAlternatives(dep.Dep.Ecosystem.AsString(), respAlternatives.Packages)
+
+	if respSummary.Description.Malicious {
+		res.Malicious = makeMaliciousDetails(respPkg.Malicious)
+	}
+
+	res.Provenance = makeProvenance(respProvenance)
 
 	return res
 }
 
-func makeScoreComponents(descr map[string]any) []scoreComponent {
+func addSummaryDetails(res *trustyReport, resp *trustytypes.PackageSummaryAnnotation) {
+	if resp == nil {
+		return
+	}
+
+	res.Score = resp.Score
+	res.ActivityScore = resp.Description.Activity
+	res.ProvenanceScore = resp.Description.Provenance
+}
+
+func addMetadataDetails(res *trustyReport, resp *trustytypes.TrustyPackageData) {
+	if resp == nil {
+		return
+	}
+
+	res.IsDeprecated = resp.IsDeprecated != nil && *resp.IsDeprecated
+	res.IsArchived = resp.Archived != nil && *resp.Archived
+}
+
+func makeScoreComponents(resp trustytypes.SummaryDescription) []scoreComponent {
 	scoreComponents := make([]scoreComponent, 0)
 
-	if descr == nil {
-		return scoreComponents
-	}
-
-	caser := cases.Title(language.Und, cases.NoLower)
-	for l, v := range descr {
-		switch l {
-		case "activity":
-			l = "Package activity"
-		case "activity_repo":
-			l = "Repository activity"
-		case "activity_user":
-			l = "User activity"
-		case "provenance_type":
-			l = "Provenance"
-		case "typosquatting":
-			if f, ok := v.(float64); ok && f > 5.0 {
-				// skip typosquatting entry
-				continue
-			}
-			l = "Typosquatting"
-			v = "⚠️ Dependency may be trying to impersonate a well known package"
-		}
+	// activity scores
+	if resp.Activity != 0 {
+		scoreComponents = append(scoreComponents, scoreComponent{
+			Label: "Package activity",
+			Value: resp.Activity,
+		})
+	}
+	if resp.ActivityRepo != 0 {
+		scoreComponents = append(scoreComponents, scoreComponent{
+			Label: "Repository activity",
+			Value: resp.ActivityRepo,
+		})
+	}
+	if resp.ActivityUser != 0 {
+		scoreComponents = append(scoreComponents, scoreComponent{
+			Label: "User activity",
+			Value: resp.ActivityUser,
+		})
+	}
 
-		// Note: if none of the cases above match, we still
-		// add the value to the list along with its
-		// capitalized label.
+	// provenance information
+	if resp.ProvenanceType != nil {
+		scoreComponents = append(scoreComponents, scoreComponent{
+			Label: "Provenance",
+			Value: string(*resp.ProvenanceType),
+		})
+	}
 
+	// typosquatting information
+	if resp.TypoSquatting != 0 && resp.TypoSquatting <= 5.0 {
 		scoreComponents = append(scoreComponents, scoreComponent{
-			Label: fmt.Sprintf("%s%s", caser.String(l[0:1]), l[1:]),
-			Value: v,
+			Label: "Typosquatting",
+			Value: "⚠️ Dependency may be trying to impersonate a well known package",
 		})
 	}
 
+	// Note: in the previous implementation based on Trusty v1
+	// API, if new fields were added to the `"description"` field
+	// of a package they were implicitly added to the table of
+	// score components.
+	//
+	// This was possible because the `Description` field of the go
+	// struct was defined as `map[string]any`.
+	//
+	// This is not the case with v2 API, so we need to keep track
+	// of new measures being added to the API.
+
 	return scoreComponents
 }
 
 func makeAlternatives(
 	ecosystem string,
-	trustyAlternatives []trustytypes.Alternative,
+	trustyAlternatives []*trustytypes.PackageBasicInfo,
 ) []alternative {
 	alternatives := []alternative{}
 	for _, alt := range trustyAlternatives {
 		alternatives = append(alternatives, alternative{
 			PackageName: alt.PackageName,
 			PackageType: ecosystem,
-			Score:       &alt.Score,
+			Score:       alt.Score,
 			TrustyURL:   makeTrustyURL(alt.PackageName, ecosystem),
 		})
 	}
 
 	return alternatives
 }
 
+func makeMaliciousDetails(
+	maliciousInfo *trustytypes.PackageMaliciousPayload,
+) *malicious {
+	if maliciousInfo == nil {
+		return nil
+	}
+
+	return &malicious{
+		Summary: maliciousInfo.Summary,
+		Details: preprocessDetails(maliciousInfo.Details),
+	}
+}
+
 func makeProvenance(
-	trustyProvenance *trustytypes.Provenance,
+	resp *trustytypes.Provenance,
 ) *provenance {
-	if trustyProvenance == nil {
+	if resp == nil {
 		return nil
 	}
 
 	prov := &provenance{}
-	if trustyProvenance.Description.Historical.Overlap != 0 {
+	if resp.Historical.Overlap != 0 {
 		prov.Historical = &historicalProvenance{
-			Versions: int(trustyProvenance.Description.Historical.Versions),
-			Tags:     int(trustyProvenance.Description.Historical.Tags),
-			Common:   int(trustyProvenance.Description.Historical.Common),
-			Overlap:  trustyProvenance.Description.Historical.Overlap,
+			Versions: int(resp.Historical.Versions),
+			Tags:     int(resp.Historical.Tags),
+			Common:   int(resp.Historical.Common),
+			Overlap:  resp.Historical.Overlap,
 		}
 	}
 
-	if trustyProvenance.Description.Sigstore.Issuer != "" {
+	if resp.Sigstore.Issuer != "" {
 		prov.Sigstore = &sigstoreProvenance{
-			SourceRepository: trustyProvenance.Description.Sigstore.SourceRepository,
-			Workflow:         trustyProvenance.Description.Sigstore.Workflow,
-			Issuer:           trustyProvenance.Description.Sigstore.Issuer,
-			RekorURI:         trustyProvenance.Description.Sigstore.Transparency,
+			SourceRepository: resp.Sigstore.SourceRepo,
+			Workflow:         resp.Sigstore.Workflow,
+			Issuer:           resp.Sigstore.Issuer,
+			RekorURI:         resp.Sigstore.Transparency,
 		}
 	}
 
@@ -440,19 +504,6 @@ func makeTrustyURL(packageName string, ecosystem string) string {
 	return trustyURL
 }
 
-func getValueFromMap[T any](coll map[string]any, field string) T {
-	var t T
-	v, ok := coll[field]
-	if !ok {
-		return t
-	}
-	res, ok := v.(T)
-	if !ok {
-		return t
-	}
-	return res
-}
-
 // classifyDependency checks the dependencies from the PR for maliciousness or
 // low scores and adds them to the summary if needed
 func classifyDependency(
diff --git a/internal/engine/eval/trusty/trusty_test.go b/internal/engine/eval/trusty/trusty_test.go
