🐛 fix risk factors missing in inmemory w/ upstream #1224

@arlimus arlimus commented Apr 4, 2024

When running against upstream policies, we don't get risk factors from the policy bundle, since we generally don't need the bundle to run the scan. However, we do require basic risk factor info to help score everything before we send data up.

In this change we pull risk info from the resolved policy and inject it into the inmemory datastore before the scan is started (unless the risk factor exists for any reason, like prior policy bundles). It has enough information for scoring.

For any later reporting step we may still inject all risk factor metadata into the inmemory store before printing the output.

When running against upstream policies, we don't get risk factors from
the policy bundle, since we generally don't need the bundle to run the
scan. However, we do require basic risk factor info to help score
everything before we send data up.

In this change we pull risk info from the resolved policy and inject it
into the inmemory datastore before the scan is started (unless the risk
factor exists for any reason, like prior policy bundles). It has enough
information for scoring.

For any later reporting step we may still inject all risk factor
metadata into the inmemory store before printing the output.

Signed-off-by: Dominik Richter <[email protected]>
// We need the risk factors for initial reporting, but don't require all
// their metadata. The risk factors in the resolved policy provides everything
// we need for scoring. If we fetch a full risk factor we can replace it.
for mrn, rf := range resolvedPolicy.CollectorJob.RiskFactors {
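
Review bot: the comment block above the `for mrn, rf := range resolvedPolicy.CollectorJob.RiskFactors` loop should state the precedence rule explicitly. It says a fully fetched risk factor can replace the entry injected here, but not that an entry already present in the inmemory store (for example from a prior policy bundle, as the PR description puts it) is kept rather than overwritten by the limited data from the resolved policy. Spelling out that skip condition next to the loop makes it clear the scoring-only data never shadows full metadata. Minor: in the same comment, "The risk factors in the resolved policy provides" should read "provide".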

"For any later reporting step we may still inject all risk factor metadata into the inmemory store before printing the output."
i.e. since we only pull from the resolved policy here it only has super limited metadata. Whenever we can we want to pull from the bundle. Just in this case, we don't get a bundle until we start printing - or not at all if we are in serve mode.

Thanks for considering it!! Could have easily been a miss on my part

github-actions bot commented Apr 4, 2024

Test Results

  1 files  ±0   24 suites  ±0   18s ⏱️ ±0s
322 tests ±0  321 ✅ ±0  1 💤 ±0  0 ❌ ±0 
323 runs  ±0  322 ✅ ±0  1 💤 ±0  0 ❌ ±0 

Results for commit a832885. ± Comparison against base commit bef1cb3.

@arlimus arlimus merged commit 8d5b7c5 into main Apr 4, 2024
13 checks passed
@arlimus arlimus deleted the dom/rf-inmemory branch April 4, 2024 09:33
@github-actions github-actions bot locked and limited conversation to collaborators Apr 4, 2024