implement filtering by packages through the config #944
base: main
Conversation
I think I need a better way to filter based on semver parts. I now think deps.dev/util/semver does this; I will come back to it once I'm back from leave.
Thanks! Main comment is that I think we can consolidate the two overrides into one, so they can share the package matching logic.
pkg/config/config.go (outdated)

```go
LoadPath               string                      `toml:"LoadPath"`
GoVersionOverride      string                      `toml:"GoVersionOverride"`
IgnoredVulns           []IgnoreEntry               `toml:"IgnoredVulns"`
IgnoredPackageVersions []IgnorePackageVersionEntry `toml:"IgnoredPackageVersions"`
```
I feel like ignore package versions and override package versions both could have the same "package matching" logic.

Can we consolidate them into the same field, and just have a bool `ignore` which, if true, ignores the package entirely, otherwise an override field where someone can override the license.

E.g.

```toml
[[Package]]
name = "pkg-name"
exactVersion = "1.0.0"
ecosystem = "Go"
ignore = false # if true ignores the package entirely
licenseOverride = ["MIT", "0BSD"]
# In the future, if someone requests we can also add a versionOverride field here, or other overrides
reason = "abc"
# major ...
# minor ...
# ...
```
+1.

`version` (which I think we should rename to `exactVersion`) is optional, right?

Additionally, would it make sense to make `license` a structured field of some sort instead? I.e.

```toml
[[Package]]
[[Package.license]]
override = ["MIT"]
```
This makes sense to me! done.
```go
			Allowlist: []models.License{models.License("MIT"), models.License("0BSD")},
		},
	},
	Results: []models.PackageSource{
```
For maintainability, can we just use the snapshot library here to store/match the results?
Should be done, but check my code just in case I'm not understanding the snapshot library correctly.
Codecov Report. Attention: Patch coverage is

```
@@ Coverage Diff @@
##             main     #944      +/-   ##
==========================================
+ Coverage   63.71%   63.75%   +0.03%
==========================================
  Files         146      146
  Lines       11958    12000      +42
==========================================
+ Hits         7619     7650      +31
- Misses       3875     3885      +10
- Partials      464      465       +1
```

View full report in Codecov by Sentry.
Was I supposed to provide a token? https://github.com/google/osv-scanner/actions/runs/8978083643/job/24657957118

We seem to be getting these errors every now and then; the current workaround is just to rerun the tests.
I'd like feedback on the config yaml schema, the filter message and its behaviour if the version is empty (it filters any version of that package).
This is in response to #814
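As an added example that is not osv-scanner's own code, the Go program below models the consolidated `[[Package]]` schema sketched in the review (one entry shared by ignore and license override, with the structured `license` table) together with the empty-version behaviour described in the PR description, where an entry with no version matches every version of that package. The type and function names (`PackageOverrideEntry`, `LicenseOverride`, `Package`, `ApplyOverrides`) and the sample config and scan result are assumptions constructed for the example; real config would be decoded from TOML into the same struct.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not osv-scanner's implementation. Type and function names
// are assumptions modelled on the [[Package]] schema proposed in the review.

// LicenseOverride mirrors the proposed structured [[Package.license]] table.
type LicenseOverride struct {
	Override []string
}

// PackageOverrideEntry is one [[Package]] table from the config.
type PackageOverrideEntry struct {
	Name         string
	Ecosystem    string
	ExactVersion string // optional; empty matches every version of the package
	Ignore       bool   // true drops the package from the results entirely
	License      LicenseOverride
	Reason       string
}

// Package is a scanned package, reduced to the fields matching needs.
type Package struct {
	Name      string
	Ecosystem string
	Version   string
	Licenses  []string
}

// Matches is the shared package-matching logic: name and ecosystem must match
// exactly; the version is only compared when the entry pins one.
func (e PackageOverrideEntry) Matches(p Package) bool {
	if e.Name != p.Name || e.Ecosystem != p.Ecosystem {
		return false
	}
	return e.ExactVersion == "" || e.ExactVersion == p.Version
}

// ApplyOverrides filters pkgs against entries. An ignore entry drops the
// package and records the configured reason; a license override replaces the
// detected licenses. When several entries match, a later override wins.
func ApplyOverrides(pkgs []Package, entries []PackageOverrideEntry) (kept []Package, ignored []string) {
	for _, p := range pkgs {
		drop := false
		for _, e := range entries {
			if !e.Matches(p) {
				continue
			}
			if e.Ignore {
				drop = true
				ignored = append(ignored, fmt.Sprintf("%s/%s@%s: %s", p.Ecosystem, p.Name, p.Version, e.Reason))
				break
			}
			if len(e.License.Override) > 0 {
				p.Licenses = append([]string(nil), e.License.Override...)
			}
		}
		if !drop {
			kept = append(kept, p)
		}
	}
	return kept, ignored
}

// sampleEntries is constructed config, equivalent to two [[Package]] tables.
func sampleEntries() []PackageOverrideEntry {
	return []PackageOverrideEntry{
		{Name: "pkg-name", Ecosystem: "Go", ExactVersion: "1.0.0",
			License: LicenseOverride{Override: []string{"MIT", "0BSD"}}, Reason: "abc"},
		// No version pinned: this ignores every version of the package.
		{Name: "noisy-dep", Ecosystem: "Go", Ignore: true, Reason: "vendored test fixture"},
	}
}

// samplePackages is a constructed scan result.
func samplePackages() []Package {
	return []Package{
		{Name: "pkg-name", Ecosystem: "Go", Version: "1.0.0", Licenses: []string{"UNKNOWN"}},
		{Name: "pkg-name", Ecosystem: "Go", Version: "2.0.0", Licenses: []string{"UNKNOWN"}},
		{Name: "noisy-dep", Ecosystem: "Go", Version: "0.3.1"},
		{Name: "noisy-dep", Ecosystem: "npm", Version: "0.3.1"}, // other ecosystem, not matched
	}
}

func main() {
	kept, ignored := ApplyOverrides(samplePackages(), sampleEntries())
	for _, p := range kept {
		fmt.Printf("kept %s/%s@%s licenses=%s\n", p.Ecosystem, p.Name, p.Version, strings.Join(p.Licenses, ","))
	}
	for _, msg := range ignored {
		fmt.Println("ignored", msg)
	}
}
```

The version-less ignore entry is the part worth watching from a review standpoint: it suppresses findings for every current and future version of `noisy-dep` in the Go ecosystem, so requiring `ecosystem` and `reason` on such entries, and reporting each ignored package with its reason as the example does, keeps the suppression visible in scan output rather than silent.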