Migrate trusty eval engine to Trusty v2 API. (#5013)

* Migrate trusty eval engine to Trusty v2 API. This change migrates `trusty` evaluation engine to use Trusty v2 API. Most of the changes apply to the intermediate representation we recently added to decouple Trusty from Minder, but some additional changes were required due to some fields becoming optional and nullable. Note: this change is again meant to be bug-compatible with the current evaluation engine, so we treat the lack of `"score"` as a score of `0`, thus triggering false positives as done by the current engine. The idea is to build on top of this to fix known issues of the engine before migrating it to Data Sources. Fixes stacklok/minder-stories#77 * Refactor package comparison in a separate routine. * Address PR comments.
mindersec · Nov 25, 2024 · 3fbc363 · 3fbc363
1 parent 7a14cac
commit 3fbc363
Show file tree

Hide file tree

Showing 5 changed files with 212 additions and 119 deletions.
diff --git a/go.mod b/go.mod
@@ -70,7 +70,7 @@ require (
 	github.com/spf13/viper v1.19.0
 	github.com/sqlc-dev/pqtype v0.3.0
 	github.com/stacklok/frizbee v0.1.4
-	github.com/stacklok/trusty-sdk-go v0.2.2
+	github.com/stacklok/trusty-sdk-go v0.2.3-0.20241121160719-089f44e88687
 	github.com/std-uritemplate/std-uritemplate/go/v2 v2.0.1
 	github.com/stretchr/testify v1.10.0
 	github.com/styrainc/regal v0.29.2
@@ -382,7 +382,7 @@ require (
 	golang.org/x/mod v0.22.0
 	golang.org/x/net v0.31.0 // indirect
 	golang.org/x/sys v0.27.0 // indirect
-	golang.org/x/text v0.20.0
+	golang.org/x/text v0.20.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect

diff --git a/go.sum b/go.sum
@@ -1019,8 +1019,8 @@ github.com/sqlc-dev/pqtype v0.3.0 h1:b09TewZ3cSnO5+M1Kqq05y0+OjqIptxELaSayg7bmqk
 github.com/sqlc-dev/pqtype v0.3.0/go.mod h1:oyUjp5981ctiL9UYvj1bVvCKi8OXkCa0u645hce7CAs=
 github.com/stacklok/frizbee v0.1.4 h1:00v6/2HBmwzNdOyVAP4e1isOeUAIWTlb5eggoNUpHmk=
 github.com/stacklok/frizbee v0.1.4/go.mod h1:rFA90VkGFYLb7qCiUniAihmkgXfZAj2BnfF6jR8Csro=
-github.com/stacklok/trusty-sdk-go v0.2.2 h1:55B2DrneLYZXxBaNEeyRMGac7mj+pFbrKomx/hSxUyI=
-github.com/stacklok/trusty-sdk-go v0.2.2/go.mod h1:BbXNVVT32meuxyJuO4pmXRzVPjc/9AXob2sBbOPiKpk=
+github.com/stacklok/trusty-sdk-go v0.2.3-0.20241121160719-089f44e88687 h1:TIZiO871n9V6sSN+bKsG5SwQ4ZHwGtxcmfcL3siimcY=
+github.com/stacklok/trusty-sdk-go v0.2.3-0.20241121160719-089f44e88687/go.mod h1:QR01jLW/yfwcXY38dwDpgeEjVc2MAR1LycH1fXtoSXs=
 github.com/std-uritemplate/std-uritemplate/go/v2 v2.0.1 h1:/m2cTZHpqgofDsrwPqsASI6fSNMNhb+9EmUYtHEV2Uk=
 github.com/std-uritemplate/std-uritemplate/go/v2 v2.0.1/go.mod h1:Z5KcoM0YLC7INlNhEezeIZ0TZNYf7WSNO0Lvah4DSeQ=
 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=

diff --git a/internal/engine/eval/trusty/actions.go b/internal/engine/eval/trusty/actions.go
@@ -299,7 +299,7 @@ func (sph *summaryPrHandler) generateSummary() (string, error) {
 				malicious = append(malicious, maliciousTemplateData{
 					templatePackageData: packageData,
 					Summary:             alternative.trustyReply.Malicious.Summary,
-					Details:             preprocessDetails(alternative.trustyReply.Malicious.Details),
+					Details:             alternative.trustyReply.Malicious.Details,
 				})
 				continue
 			}
@@ -323,8 +323,9 @@ func (sph *summaryPrHandler) generateSummary() (string, error) {
 			// Since (1) we don't have score anymore, and
 			// (2) we don't suggest malicious packages, I
 			// suggest getting rid of this check
-			// altogether.
-			if altData.Score != nil && *altData.Score <= lowScorePackages[alternative.Dependency.Name].Score {
+			// altogether and always report all available
+			// alternatives.
+			if comparePackages(altData, lowScorePackages[alternative.Dependency.Name]) == worse {
 				continue
 			}
 
@@ -333,9 +334,11 @@ func (sph *summaryPrHandler) generateSummary() (string, error) {
 					Ecosystem:   altData.PackageType,
 					PackageName: altData.PackageName,
 					TrustyURL:   altData.TrustyURL,
-					Score:       *altData.Score,
 				},
 			}
+			if altData.Score != nil {
+				altPackageData.templatePackageData.Score = *altData.Score
+			}
 
 			dep := lowScorePackages[alternative.Dependency.Name]
 			dep.Alternatives = append(dep.Alternatives, altPackageData)
@@ -346,6 +349,23 @@ func (sph *summaryPrHandler) generateSummary() (string, error) {
 	return sph.compileTemplate(malicious, lowScorePackages)
 }
 
+type packageComparison int
+
+const (
+	better packageComparison = iota
+	worse
+)
+
+// comparePackages compares two packages to determine whether the
+// first argument is better or worse than the second one. It does so
+// by checking Trusty scores.
+func comparePackages(alt alternative, examined templatePackage) packageComparison {
+	if alt.Score != nil && *alt.Score != 0 && *alt.Score <= examined.Score {
+		return worse
+	}
+	return better
+}
+
 // buildProvenanceStruct builds the provenance data structure for the PR template
 func buildProvenanceStruct(r *trustyReport) *templateProvenance {
 	if r == nil || r.Provenance == nil {
@@ -428,8 +448,12 @@ func newSummaryPrHandler(
 	}, nil
 }
 
-func preprocessDetails(s string) string {
-	scanner := bufio.NewScanner(strings.NewReader(s))
+func preprocessDetails(s *string) string {
+	if s == nil {
+		return ""
+	}
+
+	scanner := bufio.NewScanner(strings.NewReader(*s))
 	text := ""
 	for scanner.Scan() {
 		if strings.HasPrefix(scanner.Text(), "#") {