Add ignore config by CUE

m-mizutani · Jun 15, 2024 · 4029044 · 4029044
1 parent 08b2643
commit 4029044
Show file tree

Hide file tree

Showing 6 changed files with 186 additions and 2 deletions.
diff --git a/go.mod b/go.mod
@@ -7,6 +7,7 @@ toolchain go1.22.0
 require (
 	cloud.google.com/go/bigquery v1.61.0
 	cloud.google.com/go/storage v1.41.0
+	cuelang.org/go v0.9.1
 	github.com/bradleyfalzon/ghinstallation/v2 v2.11.0
 	github.com/fatih/color v1.17.0
 	github.com/getsentry/sentry-go v0.28.0
@@ -39,6 +40,7 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudflare/circl v1.3.8 // indirect
+	github.com/cockroachdb/apd/v3 v3.2.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
@@ -100,5 +102,6 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117 // indirect
 	google.golang.org/grpc v1.64.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -17,6 +17,10 @@ cloud.google.com/go/longrunning v0.5.7 h1:WLbHekDbjK1fVFD3ibpFFVoyizlLRl73I7YKuA
 cloud.google.com/go/longrunning v0.5.7/go.mod h1:8GClkudohy1Fxm3owmBGid8W0pSgodEMwEAztp38Xng=
 cloud.google.com/go/storage v1.41.0 h1:RusiwatSu6lHeEXe3kglxakAmAbfV+rhtPqA6i8RBx0=
 cloud.google.com/go/storage v1.41.0/go.mod h1:J1WCa/Z2FcgdEDuPUY8DxT5I+d9mFKsCepp5vR6Sq80=
+cuelabs.dev/go/oci/ociregistry v0.0.0-20240404174027-a39bec0462d2 h1:BnG6pr9TTr6CYlrJznYUDj6V7xldD1W+1iXPum0wT/w=
+cuelabs.dev/go/oci/ociregistry v0.0.0-20240404174027-a39bec0462d2/go.mod h1:pK23AUVXuNzzTpfMCA06sxZGeVQ/75FdVtW249de9Uo=
+cuelang.org/go v0.9.1 h1:SkNkBFMcGpDjjYbbEthAogVP86VA48vRt/KvZ2Xb5OU=
+cuelang.org/go v0.9.1/go.mod h1:qpAYsLOf7gTM1YdEg6cxh553uZ4q9ZDWlPbtZr9q1Wk=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8=
 github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
@@ -47,6 +51,8 @@ github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUK
 github.com/cloudflare/circl v1.3.8 h1:j+V8jJt09PoeMFIu2uh5JUyEaIHTXVOHslFoLNAKqwI=
 github.com/cloudflare/circl v1.3.8/go.mod h1:PDRU+oXvdD7KCtgKxW95M5Z8BpSCJXQORiZFnBQS5QU=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg=
+github.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc=
 github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -61,6 +67,8 @@ github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+
 github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/emicklei/proto v1.10.0 h1:pDGyFRVV5RvV+nkBK9iy3q67FBy9Xa7vwrOTE+g5aGw=
+github.com/emicklei/proto v1.10.0/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
@@ -86,6 +94,8 @@ github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
+github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
@@ -180,8 +190,14 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
 github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
+github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
+github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
 github.com/open-policy-agent/opa v0.65.0 h1:wnEU0pEk80YjFi3yoDbFTMluyNssgPI4VJNJetD9a4U=
 github.com/open-policy-agent/opa v0.65.0/go.mod h1:CNoLL44LuCH1Yot/zoeZXRKFylQtCJV+oGFiP2TeeEc=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
+github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
 github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
 github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4=
@@ -199,10 +215,12 @@ github.com/prometheus/common v0.54.0 h1:ZlZy0BgJhTwVZUn7dLOkwCZHUkrAqd3WYtcFCWnM
 github.com/prometheus/common v0.54.0/go.mod h1:/TQgMJP5CuVYveyT7n/0Ix8yLNNXy9yRSkhnLTHPDIQ=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0 h1:sadMIsgmHpEOGbUs6VtHBXRR1OHevnj7hLx9ZcdNGW4=
+github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=

diff --git a/pkg/domain/model/config.go b/pkg/domain/model/config.go
@@ -0,0 +1,80 @@
+package model
+
+import (
+	_ "embed"
+	"time"
+
+	"cuelang.org/go/cue/cuecontext"
+	"github.com/m-mizutani/goerr"
+)
+
+type Config struct {
+	IgnoreTargets []IgnoreTarget
+}
+
+//go:embed schema/ignore.cue
+var ignoreCue []byte
+
+type IgnoreTarget struct {
+	File  string
+	Vulns []IgnoreVuln
+}
+
+func (x *IgnoreTarget) Validate() error {
+	for _, v := range x.Vulns {
+		if err := v.Validate(); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+type IgnoreVuln struct {
+	ID          string
+	Description string
+	ExpiresAt   time.Time
+}
+
+func (x *IgnoreVuln) Validate() error {
+	maxExpiresAt := time.Now().Add(time.Hour * 24 * 90)
+	if x.ExpiresAt.After(maxExpiresAt) {
+		return goerr.New("expiresAt is too far in the future, must be within 90 days from now")
+	}
+
+	return nil
+}
+
+func LoadConfig(configData ...[]byte) (*Config, error) {
+	ctx := cuecontext.New()
+
+	// Load the schema
+	schemaInstance := ctx.CompileBytes(ignoreCue)
+	if schemaInstance.Err() != nil {
+		return nil, goerr.Wrap(schemaInstance.Err(), "failed to compile schema")
+	}
+
+	for _, data := range configData {
+		// Load the configuration
+		configInstance := ctx.CompileBytes(data)
+		if configInstance.Err() != nil {
+			return nil, goerr.Wrap(configInstance.Err(), "failed to compile configuration")
+		}
+
+		// Merge the schema and config
+		mergedInstance := schemaInstance.Unify(configInstance)
+		if mergedInstance.Err() != nil {
+			return nil, goerr.Wrap(mergedInstance.Err(), "failed to unify schema and config")
+		}
+
+		schemaInstance = mergedInstance
+	}
+
+	// Extract the configuration into a Go struct
+	var config Config
+	if err := schemaInstance.Value().Decode(&config); err != nil {
+		return nil, goerr.Wrap(err, "failed to decode configuration")
+	}
+
+	return &config, nil
+}
diff --git a/pkg/domain/model/config_test.go b/pkg/domain/model/config_test.go
@@ -0,0 +1,38 @@
+package model_test
+
+import (
+	_ "embed"
+	"testing"
+
+	"github.com/m-mizutani/gt"
+	"github.com/m-mizutani/octovy/pkg/domain/model"
+)
+
+//go:embed testdata/config/ignore.cue
+var testConfigIgnoreCue []byte
+
+func TestIgnoreConfig(t *testing.T) {
+	cfg, err := model.LoadConfig(testConfigIgnoreCue)
+	gt.NoError(t, err)
+	gt.A(t, cfg.IgnoreTargets).Length(2).
+		At(0, func(t testing.TB, v model.IgnoreTarget) {
+			gt.Equal(t, v.File, "test.data")
+			gt.A(t, v.Vulns).Length(1).At(0, func(t testing.TB, v model.IgnoreVuln) {
+				gt.Equal(t, v.ID, "CVE-2017-9999")
+				gt.Equal(t, v.Description, "This is test data")
+				gt.Equal(t, v.ExpiresAt.Year(), 2018)
+			})
+		}).
+		At(1, func(t testing.TB, v model.IgnoreTarget) {
+			gt.Equal(t, v.File, "test2.data")
+			gt.A(t, v.Vulns).Length(2).
+				At(0, func(t testing.TB, v model.IgnoreVuln) {
+					gt.Equal(t, v.ID, "CVE-2017-11423")
+					gt.Equal(t, v.ExpiresAt.Year(), 2022)
+				}).
+				At(1, func(t testing.TB, v model.IgnoreVuln) {
+					gt.Equal(t, v.ID, "CVE-2023-11423")
+					gt.Equal(t, v.ExpiresAt.Year(), 2023)
+				})
+		})
+}
diff --git a/pkg/domain/model/schema/ignore.cue b/pkg/domain/model/schema/ignore.cue
@@ -0,0 +1,16 @@
+package octovy
+
+import "time"
+
+#IgnoreTarget: {
+	File: string
+	Vulns: [...#IgnoreVuln] @go(,[]IgnoreVuln)
+}
+
+#IgnoreVuln: {
+	ID:           string
+	Description?: string
+	ExpiresAt:    time.Time
+}
+
+IgnoreTargets?: [...#IgnoreTarget]
diff --git a/pkg/domain/model/testdata/config/ignore.cue b/pkg/domain/model/testdata/config/ignore.cue
@@ -0,0 +1,29 @@
+package octovy
+
+IgnoreTargets: [
+	{
+		File: "test.data"
+		Vulns: [
+			{
+				ID:          "CVE-2017-9999"
+				Description: "This is test data"
+				ExpiresAt:   "2018-01-01T00:00:00Z"
+			},
+		]
+	},
+	{
+		File: "test2.data"
+		Vulns: [
+			{
+				ID:          "CVE-2017-11423"
+				Description: "Hoge"
+				ExpiresAt:   "2022-03-04T00:00:00Z"
+			},
+						{
+				ID:          "CVE-2023-11423"
+				Description: "Hoge"
+				ExpiresAt:   "2023-03-04T00:00:00Z"
+			},
+		]
+	},
+]