make it easier to deny "some" packages from a dependency #63

Closed
thaJeztah opened this issue Sep 1, 2023 · 3 comments
Labels
enhancement New feature or request
Milestone

Comments

@thaJeztah
Copy link

I am trying to configure depguard to prevent introduction of additional packages from a dependency in our project (https://github.com/containerd/containerd), but so far I haven't found a good way to construct this in golangci-lint's configuration. It's very possible that I just didn't find the right combination, so let me try to describe our case;

We currently depend on the libcontainer/user package from runc (github.com/opencontainers/runc/libcontainer/user), and want to prevent additional packages being used from that repository (libcontainer should only be used for existing code, and not for new things).

The containerd maintainers have put effort into moving away from libcontainer dependencies, with the exception of the libcontainer/user package (which is pending to be moved to a separate module).

We want to use depguard to prevent accidentally re-introducing further (indirect) dependencies from runc, and want to "deny" all of github.com/opencontainers/runc, with the exception of the existing libcontainer/user package.

My initial attempt was to create a rule that denies all of github.com/opencontainers/runc, and allows github.com/opencontainers/runc/libcontainer/user;

linters-settings:
  depguard:
    rules:
      libcontainer:
        allow:
          - "github.com/opencontainers/runc/libcontainer/user$"
        deny:
          - pkg: github.com/opencontainers/runc
            desc: We don't want to introduce more dependencies on runc (libcontainer), unless there is no other option.

Unfortunately, this doesn't work, because (IIUC);

  • rules with a deny list default "allow all"
  • unless an allow is configured, in which case only packages in the allow list are accepted (and are not part of the deny list)

While there is a convenience variable for stdlib ($gostd), there is no equivalent for "all" dependencies (the default), and because our project has many dependencies; constructing a list of all allowed (existing) packages would result in a very long (and hard to maintain) configuration.

Likewise, a deny list for the github.com/opencontainers/runc dependency (and anything inside it) is also hard to maintain, as it would require us to maintain a full list of all packages in the repository (to prevent missing any new package added to that repository). To illustrate; this is what that would look like just for the libcontainer package in runc;

rules:
  libcontainer:
    deny:
      - pkg: "github.com/opencontainers/runc"
      - pkg: "github.com/opencontainers/runc/libcontainer"
      - pkg: "github.com/opencontainers/runc/libcontainer/apparmor"
      - pkg: "github.com/opencontainers/runc/libcontainer/capabilities"
      - pkg: "github.com/opencontainers/runc/libcontainer/cgroups"
      - pkg: "github.com/opencontainers/runc/libcontainer/configs"
      - pkg: "github.com/opencontainers/runc/libcontainer/devices"
      - pkg: "github.com/opencontainers/runc/libcontainer/integration"
      - pkg: "github.com/opencontainers/runc/libcontainer/intelrdt"
      - pkg: "github.com/opencontainers/runc/libcontainer/keys"
      - pkg: "github.com/opencontainers/runc/libcontainer/logs"
      - pkg: "github.com/opencontainers/runc/libcontainer/nsenter"
      - pkg: "github.com/opencontainers/runc/libcontainer/seccomp"
      - pkg: "github.com/opencontainers/runc/libcontainer/specconv"
      - pkg: "github.com/opencontainers/runc/libcontainer/system"
      - pkg: "github.com/opencontainers/runc/libcontainer/userns"
      - pkg: "github.com/opencontainers/runc/libcontainer/utils"

Perhaps I overlooked existing ones! So if there are options I overlooked, I'm "all ears" 😄

@dixonwille
Copy link
Member

#56

Would something like the LAX vs STRICT variable work? Instead of saying in allow AND not in deny, but in allow OR not in deny.

I believe that would give the appearance of the "all" you are specifying.

@dixonwille dixonwille added the enhancement New feature or request label Oct 31, 2023
@dixonwille
Copy link
Member

If you pull the latest of the V2 branch and try with listMode = Lax, I believe this covers your situation where it is allowed by default.

Specifically these tests seem to handle what you are trying to do.
https://github.com/OpenPeeDeeP/depguard/blob/f7542dc092be642d323fe22d8ec405580c53e5a8/settings_test.go#L834C1-L839C6
https://github.com/OpenPeeDeeP/depguard/blob/f7542dc092be642d323fe22d8ec405580c53e5a8/settings_test.go#L823C1-L827C6

I'll close this ticket once this repo is tagged.

@dixonwille dixonwille added this to the v2.2.0 milestone Oct 31, 2023
@dixonwille
Copy link
Member

I am actually going to close for now. I've got a few other things I want to push in v2.2.0. So added a milestone to track it.
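The difference between the list modes discussed in this thread, modelled in Go as an added example. This is not depguard's own code and not the containerd configuration; it is a small re-implementation of the decision rule as the thread describes it: "original" mode is deny-list only when allow is empty and otherwise requires in allow AND not in deny, "strict" always requires in allow AND not in deny, and "lax" accepts in allow OR not in deny. Pattern matching is an assumption for illustration: a pattern is a plain package-path prefix, and a trailing "$" (as used in the issue's allow entry) makes it an exact match. The unrelated containerd package path used as sample input is constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// ListMode selects how the allow and deny lists are combined.
type ListMode int

const (
	Original ListMode = iota // allow empty: deny-list only; otherwise in allow AND not in deny
	Strict                   // in allow AND not in deny
	Lax                      // in allow OR not in deny
)

func (m ListMode) String() string {
	return [...]string{"original", "strict", "lax"}[m]
}

// Rule mirrors the shape of a depguard rule: allowed patterns, denied
// patterns, and the mode that combines them.
type Rule struct {
	Mode  ListMode
	Allow []string
	Deny  []string
}

// matches is the assumed pattern semantics: a trailing "$" means exact match,
// anything else is a package-path prefix (a simplification, not depguard's
// matcher).
func matches(pattern, pkg string) bool {
	if strings.HasSuffix(pattern, "$") {
		return pkg == strings.TrimSuffix(pattern, "$")
	}
	return strings.HasPrefix(pkg, pattern)
}

func inList(patterns []string, pkg string) bool {
	for _, p := range patterns {
		if matches(p, pkg) {
			return true
		}
	}
	return false
}

// Allowed reports whether importing pkg is permitted under the rule.
func (r Rule) Allowed(pkg string) bool {
	allowed := inList(r.Allow, pkg)
	denied := inList(r.Deny, pkg)
	switch r.Mode {
	case Strict:
		return allowed && !denied
	case Lax:
		return allowed || !denied
	default: // Original
		if len(r.Allow) == 0 {
			return !denied
		}
		return allowed && !denied
	}
}

// ContainerdRule is the rule from the issue: deny everything under runc,
// allow only the existing libcontainer/user package.
func ContainerdRule(mode ListMode) Rule {
	return Rule{
		Mode:  mode,
		Allow: []string{"github.com/opencontainers/runc/libcontainer/user$"},
		Deny:  []string{"github.com/opencontainers/runc"},
	}
}

func main() {
	// Sample imports; the containerd path is a constructed stand-in for any
	// existing dependency that is neither in allow nor in deny.
	pkgs := []string{
		"github.com/opencontainers/runc/libcontainer/user",
		"github.com/opencontainers/runc/libcontainer/cgroups",
		"github.com/containerd/containerd/pkg/userns",
		"fmt",
	}
	for _, mode := range []ListMode{Original, Strict, Lax} {
		r := ContainerdRule(mode)
		for _, p := range pkgs {
			fmt.Printf("%-8s %-55s allowed=%v\n", mode, p, r.Allowed(p))
		}
	}
}
```

Running it shows why the issue's first attempt fails: with a non-empty allow list, original and strict mode reject every import outside the allow list (including fmt and the unrelated containerd package), and even libcontainer/user is rejected because it also prefix-matches the runc deny entry. In lax mode the allow entry wins over the deny prefix, runc/libcontainer/cgroups stays denied, and everything else is allowed by default, which is the "all" behaviour the issue asks for.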
