Version v0.3.140

seal-community · Feb 17, 2025 · 8164955 · 8164955
1 parent 21ee26d
commit 8164955
Show file tree

Hide file tree

Showing 10 changed files with 334 additions and 60 deletions.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.3.139
+0.3.140
diff --git a/internal/api/silence.go b/internal/api/silence.go
@@ -0,0 +1,19 @@
+package api
+
+import (
+	"cli/internal/common"
+)
+
+func GetSilencedMap(silenced []SilenceRule, allDependencies common.DependencyMap, manager string) map[string][]string {
+	silencedPackages := make(map[string][]string)
+	for _, rule := range silenced {
+		ruleDependencyId := common.DependencyId(manager, rule.Library, rule.Version)
+		silencedPaths := []string{}
+		for _, dep := range allDependencies[ruleDependencyId] {
+			silencedPaths = append(silencedPaths, dep.DiskPath)
+		}
+		silencedPackages[ruleDependencyId] = silencedPaths
+	}
+
+	return silencedPackages
+}
diff --git a/internal/common/fs.go b/internal/common/fs.go
@@ -178,17 +178,12 @@ func ConvertSymLinkToFile(path string) error {
 		return nil
 	}
 
-	opts := copy.Options{
-		PreserveTimes: true,
-		PreserveOwner: true,
-	}
-
 	if err := os.Remove(path); err != nil {
 		slog.Error("failed removing symlink", "err", err, "path", path)
 		return err
 	}
 
-	if err := copy.Copy(resolvedPath, path, opts); err != nil {
+	if err := CopyFile(resolvedPath, path); err != nil {
 		slog.Error("failed converting symlink to file", "err", err, "path", resolvedPath)
 		return err
 	}
@@ -210,3 +205,17 @@ func ListDir(path string) ([]string, error) {
 
 	return res, nil
 }
+
+func CopyFile(srcPath string, dstPath string) error {
+	opts := copy.Options{
+		PreserveTimes: true,
+		PreserveOwner: true,
+	}
+
+	err := copy.Copy(srcPath, dstPath, opts)
+	if err != nil {
+		slog.Error("failed copying file", "err", err, "src", srcPath, "dst", dstPath)
+	}
+
+	return err
+}
diff --git a/internal/common/rename.go b/internal/common/rename.go
@@ -5,8 +5,6 @@ import (
 	"log/slog"
 	"os"
 	"syscall"
-
-	"github.com/otiai10/copy"
 )
 
 // tries to use os.Rename first
@@ -36,13 +34,7 @@ func Move(source, destination string) error {
 	slog.Debug("Cross-device link detected (EXDEV).")
 	// Handle cross-device move logic here (e.g., copy and delete)
 
-	// Copy the file.
-	opts := copy.Options{
-		PreserveTimes: true,
-		PreserveOwner: true,
-	}
-
-	if err := copy.Copy(source, destination, opts); err != nil {
+	if err := CopyFile(source, destination); err != nil {
 		slog.Error("copy failed", "err", err, "src", source, "dst", destination)
 		if rmErr := os.RemoveAll(destination); rmErr != nil {
 			// attempting to clean if copy failed midway, nothing we can do if this fails

diff --git a/internal/ecosystem/apk/apk/manager.go b/internal/ecosystem/apk/apk/manager.go
@@ -151,14 +151,14 @@ func (m *APKPackageManager) NormalizePackageName(name string) string {
 }
 
 func (m *APKPackageManager) SilencePackages(silenceArray []api.SilenceRule, allDependencies common.DependencyMap) (map[string][]string, error) {
-	silencedPackages := make(map[string][]string)
 	dbContent, err := os.ReadFile(utils.ApkDBPath)
 	if err != nil {
 		slog.Error("failed to silence package", "err", err)
 		return nil, err
 	}
 
 	var wasRenamed bool
+	silenced := []api.SilenceRule{}
 	newDBContent := string(dbContent)
 	for _, rule := range silenceArray {
 		wasRenamed, newDBContent = utils.RenamePackage(newDBContent, rule)
@@ -168,13 +168,7 @@ func (m *APKPackageManager) SilencePackages(silenceArray []api.SilenceRule, allD
 			continue
 		}
 
-		ruleDependencyId := common.DependencyId(mappings.ApkManager, rule.Library, rule.Version)
-
-		silencedPaths := []string{}
-		for _, dep := range allDependencies[ruleDependencyId] {
-			silencedPaths = append(silencedPaths, dep.DiskPath)
-		}
-		silencedPackages[ruleDependencyId] = silencedPaths
+		silenced = append(silenced, rule)
 	}
 
 	err = common.DumpBytes(utils.ApkDBPath, []byte(newDBContent))
@@ -183,7 +177,7 @@ func (m *APKPackageManager) SilencePackages(silenceArray []api.SilenceRule, allD
 		return nil, err
 	}
 
-	return silencedPackages, nil
+	return api.GetSilencedMap(silenced, allDependencies, mappings.ApkManager), nil
 }
 
 func (m *APKPackageManager) ConsolidateVulnerabilities(vulnerablePackages *[]api.PackageVersion, allDependencies common.DependencyMap) (*[]api.PackageVersion, error) {

diff --git a/internal/ecosystem/golang/fixer.go b/internal/ecosystem/golang/fixer.go
@@ -5,7 +5,6 @@ import (
 	"bytes"
 	"cli/internal/common"
 	"cli/internal/ecosystem/shared"
-	"fmt"
 	"log/slog"
 	"os"
 	"path/filepath"
@@ -31,6 +30,19 @@ type fixer struct {
 	workdir             string
 	vendorAlreadyExists bool
 	vendorDir           string
+	tmpGoModPath        string
+}
+
+func (f *fixer) saveGoModFile() error {
+	origModPath := filepath.Join(f.projectDir, "go.mod")
+	tmpGoModPath := filepath.Join(f.workdir, "go.mod")
+	err := common.CopyFile(origModPath, tmpGoModPath)
+	if err != nil {
+		return err
+	}
+
+	f.tmpGoModPath = tmpGoModPath
+	return nil
 }
 
 // Run `go mod vendor` to create a vendor directory with all dependencies
@@ -42,31 +54,18 @@ func (f *fixer) Prepare() error {
 		return err
 	}
 
-	f.vendorDir = filepath.Join(f.projectDir, vendorDir)
-	exists, err := common.DirExists(f.vendorDir)
+	err := f.saveGoModFile()
 	if err != nil {
-		slog.Error("failed checking if vendor directory exists", "err", err)
+		slog.Error("failed copying go.mod file", "err", err)
 		return err
 	}
 
-	if exists {
-		slog.Info("vendor directory already exists, will not create", "vendorDir", f.vendorDir)
-		f.vendorAlreadyExists = true
-		return nil
-	}
-
-	slog.Info("running go mod vendor", "vendorDir", f.vendorDir)
-	pr, err := common.RunCmdWithArgs(f.projectDir, "go", "mod", "vendor")
+	err = PrepareVendorDir(f.projectDir)
 	if err != nil {
-		slog.Error("failed running go mod vendor", "err", err)
-		return err
-	}
-	if pr.Code != 0 {
-		slog.Error("running go mod vendor returned non-zero", "result", pr)
-		return fmt.Errorf("running go mod vendor returned non-zero")
+		slog.Error("failed preparing vendor dir", "err", err)
 	}
 
-	return nil
+	return err
 }
 
 // files in zip include the module's version, but should appear without it in the vendor folder
@@ -119,6 +118,15 @@ func (f *fixer) Fix(entry shared.DependencyDescriptor, dep *common.Dependency, p
 // If it already existed before the fix, rollback each dependency to previous state
 // Otherwise, remove it entirely
 func (f *fixer) Rollback() bool {
+	success := true
+
+	goModPath := filepath.Join(f.projectDir, goModFilename)
+	err := common.CopyFile(f.tmpGoModPath, goModPath)
+	if err != nil {
+		slog.Error("failed rolling back go.mod file", "err", err) // Try and rollback the other changes
+		success = false
+	}
+
 	if !f.vendorAlreadyExists {
 		// remove `vendor` folder entirely
 		slog.Info("rollback, removing vendor directory", "vendorDir", f.vendorDir)
@@ -132,15 +140,17 @@ func (f *fixer) Rollback() bool {
 		for orig, tmp := range f.rollback {
 			if err := os.RemoveAll(orig); err != nil {
 				slog.Error("failed removing original version dir", "dir", orig)
+				success = false
 			}
 
 			if err := common.Move(tmp, orig); err != nil {
 				slog.Error("failed renaming tmp to original version dir", "tmp", tmp, "orig", orig)
+				success = false
 			}
 		}
 	}
 
-	return true
+	return success
 }
 
 // Remove workdir
@@ -153,10 +163,12 @@ func (f *fixer) Cleanup() bool {
 	return true
 }
 
-func NewFixer(projectDir string, workdir string) shared.DependencyFixer {
+func newFixer(projectDir string, workdir string, vendorDirPath string, vendorAlreadyExists bool) shared.DependencyFixer {
 	return &fixer{
-		projectDir: projectDir,
-		workdir:    workdir,
-		rollback:   make(map[string]string, 100),
+		projectDir:          projectDir,
+		workdir:             workdir,
+		rollback:            make(map[string]string, 100),
+		vendorDir:           vendorDirPath,
+		vendorAlreadyExists: vendorAlreadyExists,
 	}
 }
diff --git a/internal/ecosystem/golang/manager.go b/internal/ecosystem/golang/manager.go
@@ -24,14 +24,29 @@ const goExe = "go"
 const MinimalSupportedVersion = "1.17.0"
 
 type GolangPackageManager struct {
-	Config           *config.Config
-	golangTargetFile string
-	targetDir        string
-	goMod            *modfile.File
+	Config              *config.Config
+	golangTargetFile    string
+	targetDir           string
+	goMod               *modfile.File
+	vendorDir           string
+	vendorAlreadyExists bool
 }
 
 func NewGolangManager(config *config.Config, targetFile string, targetDir string) *GolangPackageManager {
-	return &GolangPackageManager{Config: config, golangTargetFile: targetFile, targetDir: targetDir}
+	vendorDirPath := filepath.Join(targetDir, vendorDir)
+	vendorAlreadyExists, err := isVendorDirExist(targetDir)
+	if err != nil {
+		slog.Error("failed checking vendor dir exists", "err", err)
+		return nil
+	}
+
+	return &GolangPackageManager{
+		Config:              config,
+		golangTargetFile:    targetFile,
+		targetDir:           targetDir,
+		vendorDir:           vendorDirPath,
+		vendorAlreadyExists: vendorAlreadyExists,
+	}
 }
 
 func (m *GolangPackageManager) Name() string {
@@ -100,7 +115,7 @@ func (m *GolangPackageManager) GetProjectName() string {
 }
 
 func (m *GolangPackageManager) GetFixer(workdir string) shared.DependencyFixer {
-	return NewFixer(m.targetDir, workdir)
+	return newFixer(m.targetDir, workdir, m.vendorDir, m.vendorAlreadyExists)
 }
 
 func (m *GolangPackageManager) GetEcosystem() string {
@@ -116,9 +131,19 @@ func (m *GolangPackageManager) DownloadPackage(server api.ArtifactServer, descri
 }
 
 func (m *GolangPackageManager) HandleFixes(fixes []shared.DependencyDescriptor) error {
-	if m.Config.UseSealedNames {
-		slog.Warn("using sealed names in golang is not supported yet")
+	if !m.Config.UseSealedNames {
+		return nil
 	}
+
+	slog.Info("using sealed names")
+	for _, fix := range fixes {
+		err := renamePackage(m.vendorDir, fix.VulnerablePackage.Library.Name, fix.VulnerablePackage.Version)
+		if err != nil {
+			slog.Error("failed renaming package", "package", fix.VulnerablePackage.Library.Name, "version", fix.VulnerablePackage.Version, "err", err)
+			return err
+		}
+	}
+
 	return nil
 }
 
@@ -157,8 +182,32 @@ func GetPackageManager(config *config.Config, targetDir string, targetFile strin
 }
 
 func (m *GolangPackageManager) SilencePackages(silenceArray []api.SilenceRule, allDependencies common.DependencyMap) (map[string][]string, error) {
-	slog.Warn("Silencing packages is not support for golang")
-	return nil, nil
+	exists, err := isVendorDirExist(m.vendorDir)
+	if err != nil {
+		slog.Error("failed checking vendor dir exists", "err", err)
+		return nil, err
+	}
+
+	if !exists {
+		err := PrepareVendorDir(m.targetDir) // prepare if was not done already when applied fixes
+		if err != nil {
+			slog.Error("failed preparing vendor dir", "err", err)
+			return nil, err
+		}
+	}
+
+	silenced := []api.SilenceRule{}
+	for _, rule := range silenceArray {
+		err = renamePackage(m.vendorDir, rule.Library, rule.Version)
+		if err != nil {
+			slog.Error("failed renaming package", "package", rule.Library, "version", rule.Version, "err", err)
+			break
+		}
+
+		silenced = append(silenced, rule)
+	}
+
+	return api.GetSilencedMap(silenced, allDependencies, mappings.GolangManager), err
 }
 
 func (m *GolangPackageManager) ConsolidateVulnerabilities(vulnerablePackages *[]api.PackageVersion, allDependencies common.DependencyMap) (*[]api.PackageVersion, error) {