WIP: enable OSH integration #2

Closed
wants to merge 1 commit into from
mrc0mmand
Member

No description provided.

@mrc0mmand mrc0mmand marked this pull request as ready for review October 31, 2024 13:27
@@ -14,6 +14,9 @@ upstream_package_name: polkit
# downstream (Fedora) RPM package name
downstream_package_name: polkit

# Enable Open Scan Hub integration
osh_diff_scan_after_copr_build: true
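
Review bot: the added comment `# Enable Open Scan Hub integration` only restates what `osh_diff_scan_after_copr_build: true` already says and gives no reason for setting the key explicitly or whether the line is meant to be permanent. Suggest extending the comment with the reason for the explicit setting and, if the line is temporary, a note that it should be removed before the change goes further.
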
Member

I thought it wasn't necessary: https://packit.dev/posts/openscanhub-prototype. Did anything change on their side?

Member Author

It's indeed not necessary, that was just an extra precaution given the prototype warning (https://packit.dev/docs/configuration#osh_diff_scan_after_copr_build) and also an excuse to not post a completely empty PR :)

But I'll probably drop it before I propose this to upstream, since only 41da136 should be needed.

Member

Empty PRs are better than PRs with a gazillion bugs :-)

> only 41da136 should be needed

Makes sense. I didn't notice it's missing upstream.

By the way I opened polkit-org#517 and I wonder if the polkit project has access to that at all? If not I guess it should be possible to create a new project there to get the token.

Member Author

> By the way I opened polkit-org#517 and I wonder if the polkit project has access to that at all? If not I guess it should be possible to create a new project there to get the token.

Given the Coverity project uses even the pre-gitlab URL I have my doubts about that, but maybe someone from the original maintainer team will still be available.

Member

Got it. If all else fails it usually takes a couple of days for Coverity to approve new projects so access to that project isn't critical.

Please put a comment here saying osh_diff_scan_after_copr_build is not mandatory and should be removed in the future (or before merging).

Member Author

@mrc0mmand mrc0mmand Nov 13, 2024

No worries, when I submit the changes to polkit's upstream I'll drop this hunk completely.

Member

FWIW @siteshwar I'm not sure if Packit/OSH is interested in that or not but since it's essentially a SAST check it should be possible to add a probe to scorecard by analogy with how Packit itself is detected (ossf/scorecard#1293). This way projects using OSH would get more security points :-) and OSH would be listed there as well making it a bit more visible in general. (I'm not saying it's important or anything like that. It's just something I remembered for no reason)

mrc0mmand added a commit that referenced this pull request Nov 11, 2024
Otherwise it gets leaked:

[356645.511913] systemd[1]: Stopping polkit.service - Authorization Manager...
[356645.514024] polkitd[15468]: Handling SIGTERM
[356645.514024] polkitd[15468]: Shutting down
[356645.519238] polkitd[15468]: Exiting with code 0
[356645.618456] polkitd[15468]: =================================================================
[356645.618456] polkitd[15468]: ==15468==ERROR: LeakSanitizer: detected memory leaks
[356645.618456] polkitd[15468]: Direct leak of 4000 byte(s) in 50 object(s) allocated from:
[356645.619128] polkitd[15468]:     #0 0x0000004a1a33 in malloc (/usr/lib/polkit-1/polkitd+0x4a1a33) (BuildId: a927b98f2ddc1b57773bec4e0f8a537fe46632b1)
[356645.619128] polkitd[15468]:     #1 0x7f1b20324039 in g_malloc (/lib64/libglib-2.0.so.0+0x47039) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619128] polkitd[15468]:     #2 0x7f1b2033d4d4 in g_slice_alloc (/lib64/libglib-2.0.so.0+0x604d4) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619128] polkitd[15468]:     #3 0x7f1b2036b547 in g_variant_iter_new (/lib64/libglib-2.0.so.0+0x8e547) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619128] polkitd[15468]:     #4 0x7f1b2036dc5d  (/lib64/libglib-2.0.so.0+0x90c5d) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619128] polkitd[15468]:     #5 0x7f1b2036d8b7  (/lib64/libglib-2.0.so.0+0x908b7) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619128] polkitd[15468]:     #6 0x7f1b2036de0f in g_variant_get_va (/lib64/libglib-2.0.so.0+0x90e0f) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619128] polkitd[15468]:     #7 0x7f1b2036df88 in g_variant_get (/lib64/libglib-2.0.so.0+0x90f88) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619128] polkitd[15468]:     #8 0x7f1b2067ce85 in polkit_system_bus_name_get_creds_sync /root/polkit/build/../src/polkit/polkitsystembusname.c:542:3
[356645.619128] polkitd[15468]:     #9 0x7f1b2067c997 in polkit_system_bus_name_get_process_sync /root/polkit/build/../src/polkit/polkitsystembusname.c:629:8
[356645.619128] polkitd[15468]:     #10 0x0000005069af in polkit_backend_session_monitor_get_session_for_subject /root/polkit/build/../src/polkitbackend/polkitbackendsessionmonitor-systemd.c:365:41
[356645.619128] polkitd[15468]:     #11 0x0000004f11b5 in polkit_backend_interactive_authority_revoke_temporary_authorization_by_id /root/polkit/build/../src/polkitbackend/polkitbackendinteractiveauthority.c:3567:24
[356645.619128] polkitd[15468]:     #12 0x0000004ea2c8 in server_handle_revoke_temporary_authorization_by_id /root/polkit/build/../src/polkitbackend/polkitbackendauthority.c:1292:8
[356645.619128] polkitd[15468]:     #13 0x0000004e805c in server_handle_method_call /root/polkit/build/../src/polkitbackend/polkitbackendauthority.c:1346:5
[356645.619128] polkitd[15468]:     #14 0x7f1b20565195  (/lib64/libgio-2.0.so.0+0xd9195) (BuildId: d06dc1cc6f8ddbb3cda89ef05ecf83d6fe037ae7)
[356645.619332] polkitd[15468]:     #15 0x7f1b20323e5c  (/lib64/libglib-2.0.so.0+0x46e5c) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619332] polkitd[15468]:     #16 0x7f1b2031d60b  (/lib64/libglib-2.0.so.0+0x4060b) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619332] polkitd[15468]:     #17 0x7f1b2037db37  (/lib64/libglib-2.0.so.0+0xa0b37) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619332] polkitd[15468]:     #18 0x7f1b203236f6 in g_main_loop_run (/lib64/libglib-2.0.so.0+0x466f6) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619332] polkitd[15468]:     #19 0x0000004e3619 in main /root/polkit/build/../src/polkitbackend/polkitd.c:298:3
[356645.619332] polkitd[15468]:     #20 0x7f1b1fe59447 in __libc_start_call_main (/lib64/libc.so.6+0x3447) (BuildId: f3ac204eaa4ceed81438c80e80998209f828bb1a)
[356645.619332] polkitd[15468]:     #21 0x7f1b1fe5950a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x350a) (BuildId: f3ac204eaa4ceed81438c80e80998209f828bb1a)
[356645.619332] polkitd[15468]:     #22 0x000000401c04 in _start (/usr/lib/polkit-1/polkitd+0x401c04) (BuildId: a927b98f2ddc1b57773bec4e0f8a537fe46632b1)
...

Follow-up for 8cabb11.
mrc0mmand added a commit that referenced this pull request Nov 11, 2024
[357268.621800] systemd[1]: Stopping polkit.service - Authorization Manager...
[357268.623321] polkitd[15601]: Handling SIGTERM
[357268.623321] polkitd[15601]: Shutting down
[357268.629022] polkitd[15601]: Exiting with code 0
[357268.748206] polkitd[15601]: =================================================================
[357268.748455] polkitd[15601]: ==15601==ERROR: LeakSanitizer: detected memory leaks
[357268.748455] polkitd[15601]: Direct leak of 48 byte(s) in 3 object(s) allocated from:
[357268.749382] polkitd[15601]:     #0 0x0000004a1a33 in malloc (/usr/lib/polkit-1/polkitd+0x4a1a33) (BuildId: a927b98f2ddc1b57773bec4e0f8a537fe46632b1)
[357268.749382] polkitd[15601]:     #1 0x7fe21ebe5039 in g_malloc (/lib64/libglib-2.0.so.0+0x47039) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[357268.749382] polkitd[15601]:     #2 0x7fe21ebfe4d4 in g_slice_alloc (/lib64/libglib-2.0.so.0+0x604d4) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[357268.749382] polkitd[15601]:     #3 0x7fe21ebfe5c4 in g_slice_alloc0 (/lib64/libglib-2.0.so.0+0x605c4) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[357268.749382] polkitd[15601]:     #4 0x7fe21ebc6910  (/lib64/libglib-2.0.so.0+0x28910) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[357268.749382] polkitd[15601]:     #5 0x7fe21ebc70a4 in g_error_new_valist (/lib64/libglib-2.0.so.0+0x290a4) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[357268.749382] polkitd[15601]:     #6 0x7fe21ebc72e0 in g_set_error (/lib64/libglib-2.0.so.0+0x292e0) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[357268.749382] polkitd[15601]:     #7 0x7fe21ee50b52  (/lib64/libgio-2.0.so.0+0x103b52) (BuildId: d06dc1cc6f8ddbb3cda89ef05ecf83d6fe037ae7)
[357268.749382] polkitd[15601]:     #8 0x000000508a88 in ensure_all_files /root/polkit/build/../src/polkitbackend/polkitbackendactionpool.c:572:18
[357268.749382] polkitd[15601]:     #9 0x0000005097c1 in polkit_backend_action_pool_get_all_actions /root/polkit/build/../src/polkitbackend/polkitbackendactionpool.c:456:3
[357268.749382] polkitd[15601]:     #10 0x0000004e80fd in server_handle_enumerate_actions /root/polkit/build/../src/polkitbackend/polkitbackendauthority.c:689:13
[357268.749382] polkitd[15601]:     #11 0x0000004e80fd in server_handle_method_call /root/polkit/build/../src/polkitbackend/polkitbackendauthority.c:1326:5
[357268.749382] polkitd[15601]:     #12 0x7fe21ee26195  (/lib64/libgio-2.0.so.0+0xd9195) (BuildId: d06dc1cc6f8ddbb3cda89ef05ecf83d6fe037ae7)
[357268.749382] polkitd[15601]:     #13 0x7fe21ebe4e5c  (/lib64/libglib-2.0.so.0+0x46e5c) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[357268.749382] polkitd[15601]:     #14 0x7fe21ebde60b  (/lib64/libglib-2.0.so.0+0x4060b) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[357268.749382] polkitd[15601]:     #15 0x7fe21ec3eb37  (/lib64/libglib-2.0.so.0+0xa0b37) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[357268.749382] polkitd[15601]:     #16 0x7fe21ebe46f6 in g_main_loop_run (/lib64/libglib-2.0.so.0+0x466f6) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[357268.749797] polkitd[15601]:     #17 0x0000004e3619 in main /root/polkit/build/../src/polkitbackend/polkitd.c:298:3
[357268.749797] polkitd[15601]:     #18 0x7fe21e71a447 in __libc_start_call_main (/lib64/libc.so.6+0x3447) (BuildId: f3ac204eaa4ceed81438c80e80998209f828bb1a)
[357268.749797] polkitd[15601]:     #19 0x7fe21e71a50a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x350a) (BuildId: f3ac204eaa4ceed81438c80e80998209f828bb1a)
[357268.749797] polkitd[15601]:     #20 0x000000401c04 in _start (/usr/lib/polkit-1/polkitd+0x401c04) (BuildId: a927b98f2ddc1b57773bec4e0f8a537fe46632b1)

Follow-up for 9958c25.
@mrc0mmand
Member Author

-> polkit-org#527

@mrc0mmand mrc0mmand closed this Nov 13, 2024
3 participants