-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add packages support for security policy #189
Add packages support for security policy #189
Conversation
…ng face and oci and remove unsupported types
…ge_type and package_versions with pack and unpack and also added rules for diff
…d general creation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good start. Just a few minor things to fix, as well as updating the doc.
@@ -17,37 +17,28 @@ import ( | |||
|
|||
var validPackageTypes = []string{ | |||
"alpine", | |||
"bower", | |||
//"bower", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's delete these commented out lines.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to generate updated documentation. You can do this by:
make doc
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this list the same as the one for security policy? We may need 2 separate lists if they aren't the same.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this list the same as the one for security policy? We may need 2 separate lists if they aren't the same.
Lists should be the same according to product.
Currently, the commented-out package types are for some reason not supported in v2/policies API (Product could not give me an answer as to why). We can include them for future support or remove them and create separate lists for both APIs. Also might consider moving validPackageTypes to another file if both APIs are using it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think having 2 separate lists is best for now until we know for sure they are same list.
} | ||
} | ||
} | ||
}` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the tests for invalid attributes combos are missing, i.e. logic from the custom diff func.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Very small one, please fix the typo.
@@ -188,6 +188,9 @@ Optional: | |||
- `fix_version_dependant` (Boolean) Default value is `false`. Issues that do not have a fixed version are not generated until a fixed version is available. Must be `false` with `malicious_package` enabled. | |||
- `malicious_package` (Boolean) Default value is `false`. Generating a violation on a malicious package. | |||
- `min_severity` (String) The minimum security vulnerability severity that will be impacted by the policy. Valid values: `All Severities`, `Critical`, `High`, `Medium`, `Low` | |||
- `package_name` (String) The package name to create a rule for | |||
- `package_type` (String) The package type to create a rule for | |||
- `package_versions` (Set of String) package versions to apply the rule on can be (,) for any version or a open range (1,4) or closed [1,4] or one version [1] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
a open range -> an open range
CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One more typo!
Elem: &schema.Schema{ | ||
Type: schema.TypeString, | ||
ValidateDiagFunc: validation.ToDiagFunc( | ||
validation.StringMatch(regexp.MustCompile(`((^(\(|\[)((\d+\.)?(\d+\.)?(\*|\d+)|(\s*))\,((\d+\.)?(\d+\.)?(\*|\d+)|(\s*))(\)|\])$|^\[(\d+\.)?(\d+\.)?(\*|\d+)\]$))`), "invalid Range, must be one of the follows: Any Version: (,) or Speciific Version: [1.2], [3] or Range: (1,), [,1.2.3], (4.5.0,6.5.2]"), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, just spotted Speciific
typo 😄
37cfb94
to
3454bbb
Compare
Added package_name, package_type, and package_versions which are available from Xray 3.87.5 to security policy criteria.