From 2f4299efba1c8830acfa3889918e53105f364c40 Mon Sep 17 00:00:00 2001 From: Curtis Castrapel Date: Tue, 28 Feb 2023 07:32:47 -0800 Subject: [PATCH 01/22] EN-1741: Small PR to respond to iambic apply/plan in PR comments --- iambic/plugins/v0_1_0/github/github.py | 10 ++++++++-- iambic/plugins/v0_1_0/github/github_app.py | 3 ++- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/iambic/plugins/v0_1_0/github/github.py b/iambic/plugins/v0_1_0/github/github.py index 49f7833d8..b927a09ad 100644 --- a/iambic/plugins/v0_1_0/github/github.py +++ b/iambic/plugins/v0_1_0/github/github.py @@ -322,7 +322,9 @@ def handle_iambic_git_apply( if pull_request.mergeable_state != MERGEABLE_STATE_CLEAN: # TODO log error and also make a comment to PR pull_request.create_issue_comment( - "mergeable_state is {0}".format(pull_request.mergeable_state) + "Mergable state is {0}. This probably means that the necessary approvals have not been granted for the request.".format( + pull_request.mergeable_state + ) ) return HandleIssueCommentReturnCode.MERGEABLE_STATE_NOT_CLEAN @@ -557,7 +559,9 @@ def _handle_expire(repo_url: str, default_branch: str) -> None: log.info("handle_expire ran", **log_params) default_branch = get_remote_default_branch(repo) - repo.remotes.origin.push(refspec=f"HEAD:{default_branch}").raise_if_error() # FIXME + repo.remotes.origin.push( + refspec=f"HEAD:{default_branch}" + ).raise_if_error() # FIXME else: log.info("handle_expire no changes") except Exception as e: @@ -582,6 +586,8 @@ def _handle_expire(repo_url: str, default_branch: str) -> None: COMMENT_DISPATCH_MAP: dict[str, Callable] = { "iambic git-apply": handle_iambic_git_apply, "iambic git-plan": handle_iambic_git_plan, + "iambic apply": handle_iambic_git_apply, + "iambic plan": handle_iambic_git_plan, } if __name__ == "__main__": diff --git a/iambic/plugins/v0_1_0/github/github_app.py b/iambic/plugins/v0_1_0/github/github_app.py index 9c65cf1cf..6053070eb 100644 
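Review bot: The new comment text in the `handle_iambic_git_apply` hunk tells the PR author that a non-clean `mergeable_state` "probably means" approvals are missing, but GitHub reports the same field as `dirty` (conflicts), `behind`, `unstable` (failing checks) and, transiently, `unknown` right after a push, and it reflects reviews only when branch protection requires them — so the message over-states what this check, the only apply gate visible here, actually verified. I would report the raw value and the real requirement, e.g. `"mergeable_state is {0!r}; the PR must be 'clean' (no conflicts, required checks and required reviews satisfied) before apply".format(pull_request.mergeable_state)`, fix the `Mergable` typo, and resolve the `# TODO log error` that the hunk leaves in place with `log.error("mergeable_state not clean", mergeable_state=pull_request.mergeable_state)` so refusals are visible outside the PR thread. The `_handle_expire` hunk is a pure reflow but keeps the `# FIXME` on a direct push of `HEAD` to the default branch, which bypasses the review gate the first hunk enforces; that deserves a tracked issue rather than a trailing comment. Both functions start outside their hunks.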
--- a/iambic/plugins/v0_1_0/github/github_app.py +++ b/iambic/plugins/v0_1_0/github/github_app.py @@ -17,7 +17,6 @@ import jwt from botocore.exceptions import ClientError -from iambic.core.git import get_remote_default_branch import iambic.core.utils import iambic.plugins.v0_1_0.github.github from iambic.core.logger import log @@ -297,6 +296,8 @@ def handle_workflow_run( COMMENT_DISPATCH_MAP: dict[str, Callable] = { "iambic git-apply": handle_iambic_git_apply, "iambic git-plan": handle_iambic_git_plan, + "iambic apply": handle_iambic_git_apply, + "iambic plan": handle_iambic_git_plan, } WORKFLOW_DISPATCH_MAP: dict[str, Callable] = { From 964a04747eae35b013b9e2f07472322b184b5998 Mon Sep 17 00:00:00 2001 From: Version Auto Bump Date: Tue, 28 Feb 2023 17:33:49 +0000 Subject: [PATCH 02/22] Bump version --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 2355123bd..78397e908 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] name = "iambic" -version = "0.1.57" +version = "0.1.58" description = "The python package used to generate, parse, and execute noqform yaml templates." authors = ["Noq Software "] readme = "README.md" From 5012aecc0f6bf46ef1257f79ef017ffbe7c64882 Mon Sep 17 00:00:00 2001 From: Steven Moy Date: Tue, 28 Feb 2023 10:32:18 -0800 Subject: [PATCH 03/22] Implement traceback in the git plan/apply workflow --- iambic/plugins/v0_1_0/github/github.py | 22 ++++++++++++--------- test/plugins/v0_1_0/github/test_github.py | 24 +++++++++++++++++++++++ test/test_utils.py | 12 ++++++++++++ 3 files changed, 49 insertions(+), 9 deletions(-) diff --git a/iambic/plugins/v0_1_0/github/github.py b/iambic/plugins/v0_1_0/github/github.py index b927a09ad..6a7073449 100644 --- a/iambic/plugins/v0_1_0/github/github.py +++ b/iambic/plugins/v0_1_0/github/github.py 
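Review bot: The `COMMENT_DISPATCH_MAP` hunk adds the two aliases to a second map that is now entry-for-entry identical to the one in `github.py`, so the next trigger phrase added to one module can silently be missing from the other; since this module already does `import iambic.plugins.v0_1_0.github.github`, it could bind `COMMENT_DISPATCH_MAP = iambic.plugins.v0_1_0.github.github.COMMENT_DISPATCH_MAP`, or both modules could import one map from a shared location. That only works if the `handle_iambic_git_apply`/`handle_iambic_git_plan` names bound here are the same callables as in `github.py`, which the hunk does not show. Removing the unused `get_remote_default_branch` import is fine.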
@@ -8,6 +8,7 @@ import sys import tempfile import time +import traceback from enum import Enum from typing import Any, Callable from urllib.parse import urlparse @@ -377,10 +378,11 @@ def handle_iambic_git_apply( return HandleIssueCommentReturnCode.MERGED except Exception as e: - log.error("fault", exception=str(e)) + captured_traceback = traceback.format_exc() + log.error("fault", exception=captured_traceback) pull_request.create_issue_comment( - "exception during git-apply is {0} \n {1}".format( - pull_request.mergeable_state, e + "exception during apply is {0} \n ```{1}```".format( + pull_request.mergeable_state, captured_traceback ) ) raise e @@ -418,10 +420,11 @@ def handle_iambic_git_plan( copy_data_to_data_directory() return HandleIssueCommentReturnCode.PLANNED except Exception as e: - log.error("fault", exception=str(e)) + captured_traceback = traceback.format_exc() + log.error("fault", exception=captured_traceback) pull_request.create_issue_comment( - "exception during git-plan is {0} \n {1}".format( - pull_request.mergeable_state, e + "exception during plan is {0} \n ```{1}```".format( + pull_request.mergeable_state, captured_traceback ) ) raise e @@ -442,10 +445,11 @@ def handle_pull_request(github_client: github.Github, context: dict[str, Any]) - try: pull_request.create_issue_comment("iambic git-plan") except Exception as e: - log.error("fault", exception=str(e)) + captured_traceback = traceback.format_exc() + log.error("fault", exception=captured_traceback) pull_request.create_issue_comment( - "exception during pull-request is {0} \n {1}".format( - pull_request.mergeable_state, e + "exception during pull-request is {0} \n ```{1}```".format( + pull_request.mergeable_state, captured_traceback ) ) raise e diff --git a/test/plugins/v0_1_0/github/test_github.py b/test/plugins/v0_1_0/github/test_github.py index bfeeb5a61..e52ae244d 100644 --- a/test/plugins/v0_1_0/github/test_github.py +++ b/test/plugins/v0_1_0/github/test_github.py 
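Review bot: All three `except` handlers now post the full `traceback.format_exc()` text as a PR comment, readable by everyone with access to the repository (and by anyone once the project is public, which later commits in this series prepare for); a traceback carries the exception message of every frame, git and AWS client errors routinely embed remote URLs, hostnames and account identifiers, and a failed push can echo a remote URL with an embedded token. Keep the full traceback in `log.error(...)` only and post a reduced form to the PR, e.g. `"exception during apply (mergeable_state={0}): {1}".format(pull_request.mergeable_state, f"{type(e).__name__}: {e}")`, or at least truncate and redact before posting. The triple backticks wrapping `{1}` are not preceded or followed by a newline, so GitHub renders the traceback as inline code rather than a block — put `\n` on both sides of each fence. In `handle_pull_request` the handler calls `create_issue_comment` again immediately after `create_issue_comment` itself raised, so the fallback will usually fail the same way. The enclosing functions start outside their hunks.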
@@ -146,6 +146,30 @@ def test_issue_comment_with_clean_mergeable_state_and_lambda_handler_crashed( with pytest.raises(Exception): handle_issue_comment(mock_github_client, issue_comment_git_apply_context) assert mock_lambda_run_handler.called + assert mock_pull_request.create_issue_comment.called + assert "Traceback" in mock_pull_request.create_issue_comment.call_args[0][0] + assert not mock_pull_request.merge.called + + +# invariant: PR is only merged if and only if git-apply is successful +def test_plan_issue_comment_with_clean_mergeable_state_and_lambda_handler_crashed( + mock_github_client, + issue_comment_git_plan_context, + mock_lambda_run_handler, + mock_repository, +): + mock_pull_request = mock_github_client.get_repo.return_value.get_pull.return_value + mock_pull_request.mergeable_state = MERGEABLE_STATE_CLEAN + mock_pull_request.head.sha = issue_comment_git_plan_context["sha"] + mock_repository.clone_from.return_value.head.commit.hexsha = ( + issue_comment_git_plan_context["sha"] + ) + mock_lambda_run_handler.side_effect = Exception("unexpected failure") + with pytest.raises(Exception): + handle_issue_comment(mock_github_client, issue_comment_git_plan_context) + assert mock_lambda_run_handler.called + assert mock_pull_request.create_issue_comment.called + assert "Traceback" in mock_pull_request.create_issue_comment.call_args[0][0] assert not mock_pull_request.merge.called diff --git a/test/test_utils.py b/test/test_utils.py index 62c41df0e..314df1e05 100644 --- a/test/test_utils.py +++ b/test/test_utils.py @@ -1,6 +1,7 @@ from __future__ import annotations import asyncio +import traceback import pytest 
@@ -24,6 +25,17 @@ async def test_async_gather_behavior(): assert isinstance(results[1], Exception) +def test_exception_traceback_behavior(): + def raise_exception(): + raise Exception("hello") + + try: + raise_exception() + except Exception: + captured_message = traceback.format_exc() + assert "raise_exception" in captured_message + + def test_valid_characters(): # Test that only valid characters are kept unsanitized_str = "abc123$%^" From 5b7663b57f3d1f73db29dbf00292108c1142e068 Mon Sep 17 00:00:00 2001 From: Version Auto Bump Date: Tue, 28 Feb 2023 18:47:49 +0000 Subject: [PATCH 04/22] Bump version --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 78397e908..9f36016f6 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] name = "iambic" -version = "0.1.58" +version = "0.1.59" description = "The python package used to generate, parse, and execute noqform yaml templates." authors = ["Noq Software "] readme = "README.md" From 8e2b2537c2acc96d42767a13007b87bb826120d1 Mon Sep 17 00:00:00 2001 From: Curtis Date: Tue, 28 Feb 2023 10:49:55 -0800 Subject: [PATCH 05/22] Trivy Scan and SBOM support --- .github/workflows/build-container.yml | 12 ++++++++++-- .github/workflows/detect-secrets.yml | 2 +- Dockerfile | 2 +- Dockerfile.base_image | 2 +- Makefile | 8 ++++++++ 5 files changed, 21 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-container.yml b/.github/workflows/build-container.yml index a9512e45b..29dc49861 100644 --- a/.github/workflows/build-container.yml +++ b/.github/workflows/build-container.yml 
@@ -31,7 +31,8 @@ jobs: - name: bootstrap run: | python3.10 -m venv build-env - . build-env/bin/activate && pip install poetry + . build-env/bin/activate && pip install poetry setuptools pip --upgrade + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.37.3 - name: set git identity run: | git config user.name "Version Auto Bump" @@ -56,6 +57,13 @@ jobs: id: build-container run: | aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/o4z3c2v2 - . build-env/bin/activate && make build_docker upload_docker + . build-env/bin/activate && make build_docker + make trivy_scan + make trivy_sbom + make upload_docker docker logout public.ecr.aws/o4z3c2v2 docker buildx prune --filter=until=96h -f + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'iambic.sbom.sarif' diff --git a/.github/workflows/detect-secrets.yml b/.github/workflows/detect-secrets.yml index 0c4b07664..b85a63175 100644 --- a/.github/workflows/detect-secrets.yml +++ b/.github/workflows/detect-secrets.yml @@ -18,4 +18,4 @@ jobs: path: ./ base: ${{ github.event.repository.default_branch }} head: HEAD - extra_args: --debug --only-verified --max_depth=1000 \ No newline at end of file + extra_args: --debug --only-verified --max_depth=1000 diff --git a/Dockerfile b/Dockerfile index d865e7dc7..13b5ee3d4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,7 +5,7 @@ FROM public.ecr.aws/o4z3c2v2/iambic_container_base:1.0 as runtime-layer ######## ############################### ######################## # Install Requirements # Install the function's dependencies -RUN pip3 install poetry awslambdaric argh watchdog +RUN pip3 install poetry awslambdaric argh watchdog setuptools pip --upgrade WORKDIR ${FUNCTION_DIR} COPY pyproject.toml ${FUNCTION_DIR} # Do not create virtualenv 
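Review bot: The bootstrap step installs the scanner with `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh`, which pins the trivy version but executes whatever the installer script on the `main` branch contains at run time, with no checksum, inside the job that also holds the ECR push login — the gate in front of `make upload_docker` is itself an unverified download. Fetch the release asset for the pinned version and verify it against the published checksum before extracting, as below. Separately, `make trivy_scan` and `make trivy_sbom` name the image by its registry tag; unless `make build_docker` loads that tag into the local daemon (not visible here), trivy pulls the previously published `:latest` and the gate judges the old image rather than the one about to be uploaded, so scan by local image ID or via `--input` on a saved tarball. The Dockerfile hunk's `pip3 install ... setuptools pip --upgrade` is unpinned, so the runtime layer drifts between builds with no change in the repo.
```yaml
      - name: bootstrap
        run: |
          # … unchanged: venv creation and poetry install …
          TRIVY_VERSION=0.37.3
          TRIVY_SHA256="<sha256 of trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz from the v0.37.3 release checksums file>"
          curl -sfLO "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
          echo "${TRIVY_SHA256}  trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | sha256sum -c -
          tar -C /usr/local/bin -xzf "trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" trivy
```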
diff --git a/Dockerfile.base_image b/Dockerfile.base_image index c3fa71981..7adf34f12 100644 --- a/Dockerfile.base_image +++ b/Dockerfile.base_image @@ -53,7 +53,7 @@ FROM base-layer as build-layer ######## ########################### ######################## # install lambda runtime interface client for python -RUN pip3 install awslambdaric --target "${FUNCTION_DIR}" +RUN pip3 install awslambdaric setuptools pip --target "${FUNCTION_DIR}" --upgrade FROM base-layer as runtime-layer diff --git a/Makefile b/Makefile index 879bc1594..f879f47eb 100644 --- a/Makefile +++ b/Makefile @@ -28,6 +28,14 @@ upload_docker: @echo "--> Uploading Iambic Docker image" $(docker_buildx) --push . +.PHONY: trivy_scan +trivy_scan: + trivy image --exit-code 1 --secret-config trivy-secret.yaml --severity HIGH,CRITICAL public.ecr.aws/${IAMBIC_PUBLIC_ECR_ALIAS}/iambic:latest + +.PHONY: trivy_sbom +trivy_sbom: + trivy image --severity HIGH,CRITICAL --format sarif --output iambic.sbom.sarif public.ecr.aws/${IAMBIC_PUBLIC_ECR_ALIAS}/iambic:latest + .PHONY: create_manifest create_manifest: docker manifest create public.ecr.aws/${IAMBIC_PUBLIC_ECR_ALIAS}/iambic public.ecr.aws/${IAMBIC_PUBLIC_ECR_ALIAS}/iambic:latest From 070a78d41da3673d5d3451e187ea5511bfbd69f4 Mon Sep 17 00:00:00 2001 From: Curtis Date: Tue, 28 Feb 2023 10:58:25 -0800 Subject: [PATCH 06/22] Test temp GHA --- .github/workflows/run-test.yml | 50 ++++++++++++++++----------------- .github/workflows/temp-sbom.yml | 28 ++++++++++++++++++ 2 files changed, 53 insertions(+), 25 deletions(-) create mode 100644 .github/workflows/temp-sbom.yml diff --git a/.github/workflows/run-test.yml b/.github/workflows/run-test.yml index ca5fd5de2..81f901117 100644 --- a/.github/workflows/run-test.yml +++ b/.github/workflows/run-test.yml 
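Review bot: The new `trivy_sbom` target runs `trivy image --format sarif`, which emits a SARIF vulnerability report filtered to HIGH/CRITICAL, not a software bill of materials; the `sbom` name and the `iambic.sbom.sarif` filename will mislead anyone who later consumes the file as an inventory (a later commit in this series attaches it to releases under that name). For an actual SBOM use `trivy image --format cyclonedx --output iambic.sbom.cdx.json <image>` (or `spdx-json`) and keep the SARIF under a `trivy_report` target without the severity filter so the report is complete. Both targets address the image by its public registry tag, so if that tag is not present in the local daemon trivy pulls the already-published image and the `--exit-code 1` gate in `trivy_scan` may be judging the previous release; scanning the freshly built image by ID, or via `--input` on a `docker save` tarball, removes the ambiguity. In the Dockerfile.base_image hunk `pip3 install awslambdaric setuptools pip --target ... --upgrade` also drops an unpinned pip and setuptools into `${FUNCTION_DIR}`; pin them or leave them out of the `--target` install.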
@@ -26,28 +26,28 @@ jobs: contents: read steps: - uses: actions/checkout@v3 - - name: bootstrap - id: bootstrap - run: | - python3.10 -m venv env - . env/bin/activate && pip install poetry && poetry install && make test - - name: Configure AWS Credentials for building itest image - uses: aws-actions/configure-aws-credentials@v1 - with: - role-to-assume: arn:aws:iam::442632209887:role/iambic_image_builder - aws-region: us-east-1 - # Disable image builder for now since we are not using it - #- name: build-itest-image - # id: build-itest-image - # run: | - # aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/l1s5s8m2 - # . env/bin/activate && make -f Makefile.itest build_docker_itest upload_docker_itest - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - role-to-assume: arn:aws:iam::580605962305:role/IambicHubRole - aws-region: us-east-1 - - name: run-functional-test - id: run-functional-test - run: | - . env/bin/activate && make functional_test + # - name: bootstrap + # id: bootstrap + # run: | + # python3.10 -m venv env + # . env/bin/activate && pip install poetry && poetry install && make test + # - name: Configure AWS Credentials for building itest image + # uses: aws-actions/configure-aws-credentials@v1 + # with: + # role-to-assume: arn:aws:iam::442632209887:role/iambic_image_builder + # aws-region: us-east-1 + # # Disable image builder for now since we are not using it + # #- name: build-itest-image + # # id: build-itest-image + # # run: | + # # aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/l1s5s8m2 + # # . 
env/bin/activate && make -f Makefile.itest build_docker_itest upload_docker_itest + # - name: Configure AWS Credentials + # uses: aws-actions/configure-aws-credentials@v1 + # with: + # role-to-assume: arn:aws:iam::580605962305:role/IambicHubRole + # aws-region: us-east-1 + # - name: run-functional-test + # id: run-functional-test + # run: | + # . env/bin/activate && make functional_test diff --git a/.github/workflows/temp-sbom.yml b/.github/workflows/temp-sbom.yml new file mode 100644 index 000000000..18861198a --- /dev/null +++ b/.github/workflows/temp-sbom.yml @@ -0,0 +1,28 @@ +name: SBOM +# This builds the container upon a push event in noqdev/iambic repository +on: + pull_request: +jobs: + sbom-temp: + runs-on: self-hosted + name: Run sbom + permissions: + id-token: write + contents: read + steps: + - uses: actions/checkout@v3 + - name: bootstrap + run: | + python3.10 -m venv build-env + . build-env/bin/activate && pip install poetry setuptools pip --upgrade + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.37.3 + - name: build container + id: build-container + run: | + . build-env/bin/activate && make build_docker + make trivy_scan + make trivy_sbom + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'iambic.sbom.sarif' From e928b3c663651ca03b453607c4d650b3e188682e Mon Sep 17 00:00:00 2001 From: Curtis Date: Tue, 28 Feb 2023 11:05:44 -0800 Subject: [PATCH 07/22] NT --- .github/workflows/temp-sbom.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/temp-sbom.yml b/.github/workflows/temp-sbom.yml index 18861198a..f4f7d1c8b 100644 --- a/.github/workflows/temp-sbom.yml +++ b/.github/workflows/temp-sbom.yml 
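Review bot: `temp-sbom.yml` triggers on `pull_request` and runs on `self-hosted` with `id-token: write`, so the Makefile and Dockerfile from the PR head are executed on a persistent runner that can mint an OIDC token; for a pull request from a fork that is untrusted code on infrastructure you keep, and GitHub's own guidance is to avoid self-hosted runners for PR-triggered jobs in repositories that accept outside contributions — relevant because this series prepares the project to go open source. No step here uses the OIDC token, so drop `id-token: write`, and before the repo is public guard the job with `if: github.event.pull_request.head.repo.full_name == github.repository` or move the build to a hosted runner. The `curl ... main/contrib/install.sh | sh` pattern from build-container.yml is repeated here verbatim. In run-test.yml the entire unit/functional test job is commented out rather than removed or disabled with `if: false`, leaving a job that only checks out code while still requesting `id-token: write`.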
@@ -15,7 +15,7 @@ jobs: run: | python3.10 -m venv build-env . build-env/bin/activate && pip install poetry setuptools pip --upgrade - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.37.3 + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.37.3 - name: build container id: build-container run: | From 25fb588fd17bb91b41b79db65e1d23f0dbc8f81c Mon Sep 17 00:00:00 2001 From: Curtis Date: Tue, 28 Feb 2023 11:08:56 -0800 Subject: [PATCH 08/22] give write access to content --- .github/workflows/build-container.yml | 2 +- .github/workflows/run-test.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-container.yml b/.github/workflows/build-container.yml index 29dc49861..3cbfb7e45 100644 --- a/.github/workflows/build-container.yml +++ b/.github/workflows/build-container.yml @@ -32,7 +32,7 @@ jobs: run: | python3.10 -m venv build-env . build-env/bin/activate && pip install poetry setuptools pip --upgrade - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.37.3 + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.37.3 - name: set git identity run: | git config user.name "Version Auto Bump" diff --git a/.github/workflows/run-test.yml b/.github/workflows/run-test.yml index 81f901117..eea57bd99 100644 --- a/.github/workflows/run-test.yml +++ b/.github/workflows/run-test.yml @@ -23,7 +23,7 @@ jobs: needs: [run-unit-test] permissions: id-token: write - contents: read + contents: write steps: - uses: actions/checkout@v3 # - name: bootstrap From a29c2413bb3bc32c954b15ff7319a3ac06fb1929 Mon Sep 17 00:00:00 2001 
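Review bot: In the run-test.yml hunk the job's `contents` permission is raised from `read` to `write` although the only live step is `actions/checkout@v3` and none of the commented-out steps push or tag; the commit message records the change but not the reason, so this reads as a least-privilege regression (the cleanup commit later in the series reverts it). Keep `contents: read` unless a step that needs write lands in the same change. The two `sudo sh` edits now run the unpinned installer script from trivy's `main` branch as root on the runner, widening the blast radius of the unverified download already noted on the bootstrap step.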
From: Curtis Date: Tue, 28 Feb 2023 11:13:52 -0800 Subject: [PATCH 09/22] logout docker --- .github/workflows/temp-sbom.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/temp-sbom.yml b/.github/workflows/temp-sbom.yml index f4f7d1c8b..6303fd6ea 100644 --- a/.github/workflows/temp-sbom.yml +++ b/.github/workflows/temp-sbom.yml @@ -20,6 +20,7 @@ jobs: id: build-container run: | . build-env/bin/activate && make build_docker + docker logout ghcr.io make trivy_scan make trivy_sbom - name: Upload Trivy scan results to GitHub Security tab From 0900b0cb26ca9be410e7a008d51a6933d0a6bcd0 Mon Sep 17 00:00:00 2001 From: Curtis Date: Tue, 28 Feb 2023 11:53:58 -0800 Subject: [PATCH 10/22] skip aws.mdx --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index f879f47eb..0931a91ce 100644 --- a/Makefile +++ b/Makefile @@ -30,7 +30,7 @@ upload_docker: .PHONY: trivy_scan trivy_scan: - trivy image --exit-code 1 --secret-config trivy-secret.yaml --severity HIGH,CRITICAL public.ecr.aws/${IAMBIC_PUBLIC_ECR_ALIAS}/iambic:latest + trivy image --exit-code 1 --skip-files /app/docs/web/docs/getting_started/aws/aws.mdx --secret-config trivy-secret.yaml --severity HIGH,CRITICAL public.ecr.aws/${IAMBIC_PUBLIC_ECR_ALIAS}/iambic:latest .PHONY: trivy_sbom trivy_sbom: From 4875e86a9bb49c3f1e233b16a1335ff402eaa432 Mon Sep 17 00:00:00 2001 From: Curtis Date: Tue, 28 Feb 2023 12:01:54 -0800 Subject: [PATCH 11/22] give security-events write --- .github/workflows/temp-sbom.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/temp-sbom.yml b/.github/workflows/temp-sbom.yml index 6303fd6ea..4f18e83e8 100644 --- a/.github/workflows/temp-sbom.yml +++ b/.github/workflows/temp-sbom.yml @@ -8,7 +8,8 @@ jobs: name: Run sbom permissions: id-token: write - contents: read + contents: write + security-events: write steps: - uses: actions/checkout@v3 - name: bootstrap 
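Review bot: The `trivy_scan` hunk adds `--skip-files /app/docs/web/docs/getting_started/aws/aws.mdx` with no comment saying what in that page trips the secret scanner, so the next reader cannot tell whether it is an example credential or a real one that was waved through, and `--skip-files` removes the file from every scanner, not just the secret one. The target already passes `--secret-config trivy-secret.yaml`; an `allow-rules` entry there scoped to that path and the specific matched pattern records the justification and keeps the exemption narrow, and at minimum a `# aws.mdx holds documentation-only example keys; see trivy-secret.yaml` line above the target is needed. The `docker logout ghcr.io` added before the scan in the sbom job implies a ghcr login is persisting in the runner's docker config from another job, which on a self-hosted runner means every job there can push with it; a per-job `DOCKER_CONFIG` directory avoids that. The `contents: write` added next to `security-events: write` is not needed by the SARIF upload.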
From 36ff023a7bf05756c1047f4bec79d5d0b43c14b7 Mon Sep 17 00:00:00 2001 From: Curtis Date: Tue, 28 Feb 2023 12:08:14 -0800 Subject: [PATCH 12/22] Upload artifact --- .github/workflows/temp-sbom.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/temp-sbom.yml b/.github/workflows/temp-sbom.yml index 4f18e83e8..c72d60aa3 100644 --- a/.github/workflows/temp-sbom.yml +++ b/.github/workflows/temp-sbom.yml @@ -10,6 +10,7 @@ jobs: id-token: write contents: write security-events: write + statuses: write steps: - uses: actions/checkout@v3 - name: bootstrap @@ -24,7 +25,12 @@ jobs: docker logout ghcr.io make trivy_scan make trivy_sbom - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + - uses: actions/upload-artifact@v3 with: - sarif_file: 'iambic.sbom.sarif' + name: trivy-sbom + path: iambic.sbom.sarif + # Uncomment after OSS (Requires for GH Advanced Security): + # - name: Upload Trivy scan results to GitHub Security tab + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: 'iambic.sbom.sarif' From 36a43796d38ab7404703f3066821f3e25a0fff79 Mon Sep 17 00:00:00 2001 From: Steven Moy Date: Tue, 28 Feb 2023 12:09:47 -0800 Subject: [PATCH 13/22] Wrap ValidationError with file path information --- iambic/core/parser.py | 7 +- .../plugins/v0_1_0/example/iambic_plugin.py | 10 +- .../v0_1_0/example/local_database/__init__.py | 0 .../v0_1_0/example/local_database/models.py | 57 ++++++++++ .../v0_1_0/example/local_file/models.py | 2 +- test/core/test_parser.py | 107 ++++++++++++++++++ 6 files changed, 176 insertions(+), 7 deletions(-) create mode 100644 iambic/plugins/v0_1_0/example/local_database/__init__.py create mode 100644 iambic/plugins/v0_1_0/example/local_database/models.py create mode 100644 test/core/test_parser.py diff --git a/iambic/core/parser.py b/iambic/core/parser.py index e55047455..1a25d7a1a 100644 --- a/iambic/core/parser.py 
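Review bot: `statuses: write` is added to the sbom job but no step in the hunk creates a commit status, and `actions/upload-artifact@v3`, which replaces the SARIF upload, needs no job-level permission; with `upload-sarif` commented out, `security-events: write` is now unused as well. Trim the block to what the remaining steps use (`contents: read` for checkout) and re-add `security-events: write` together with the upload step when it is uncommented. The comment `# Uncomment after OSS (Requires for GH Advanced Security):` reads better as `# Uncomment once the repo is public: code-scanning upload needs GitHub Advanced Security on private repos`.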
+++ b/iambic/core/parser.py @@ -1,10 +1,11 @@ from __future__ import annotations +from pydantic import ValidationError + from iambic.config.templates import TEMPLATES from iambic.core.logger import log from iambic.core.models import BaseTemplate from iambic.core.utils import transform_comments, yaml -from pydantic import ValidationError def load_templates( @@ -33,6 +34,8 @@ def load_templates( "Invalid template structure", file_path=template_path, error=repr(err) ) if raise_validation_err: - raise + raise ValueError( + f"{template_path} template has validation error" + ) from err return templates diff --git a/iambic/plugins/v0_1_0/example/iambic_plugin.py b/iambic/plugins/v0_1_0/example/iambic_plugin.py index 4e20b8e5a..0780538ac 100644 --- a/iambic/plugins/v0_1_0/example/iambic_plugin.py +++ b/iambic/plugins/v0_1_0/example/iambic_plugin.py @@ -1,10 +1,14 @@ from __future__ import annotations +from pydantic import BaseModel + from iambic.core.iambic_plugin import ProviderPlugin from iambic.plugins.v0_1_0 import PLUGIN_VERSION from iambic.plugins.v0_1_0.example.handlers import import_example_resources, load +from iambic.plugins.v0_1_0.example.local_database.models import ( + ExampleLocalDatabaseTemplate, +) from iambic.plugins.v0_1_0.example.local_file.models import ExampleLocalFileTemplate -from pydantic import BaseModel class ExampleConfig(BaseModel): @@ -18,7 +22,5 @@ class ExampleConfig(BaseModel): requires_secret=True, async_import_callable=import_example_resources, async_load_callable=load, - templates=[ - ExampleLocalFileTemplate, - ], + templates=[ExampleLocalFileTemplate, ExampleLocalDatabaseTemplate], ) diff --git a/iambic/plugins/v0_1_0/example/local_database/__init__.py b/iambic/plugins/v0_1_0/example/local_database/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/iambic/plugins/v0_1_0/example/local_database/models.py b/iambic/plugins/v0_1_0/example/local_database/models.py new file mode 100644 index 000000000..32a4d442f 
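Review bot: In `load_templates` the bare `raise` of the pydantic `ValidationError` becomes `raise ValueError(...) from err`, which changes the type callers see: anything doing `except ValidationError` (or reading `err.errors()` to render field-level messages) no longer catches it, and a plain `ValueError` is too broad to catch deliberately. A small dedicated type keeps the file-path context without that loss, e.g. `class TemplateValidationError(ValueError)` defined in this module and raised as `raise TemplateValidationError(f"{template_path} template has validation error") from err`, with the pydantic details still reachable through `__cause__`. `load_templates` starts outside the hunk, so whether its docstring names the raised type is not visible; if it does, update it. The `iambic_plugin.py` hunk registering `ExampleLocalDatabaseTemplate` is fine.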
--- /dev/null +++ b/iambic/plugins/v0_1_0/example/local_database/models.py @@ -0,0 +1,57 @@ +from __future__ import annotations + +from typing import TYPE_CHECKING + +from pydantic import Field + +from iambic.core.context import ExecutionContext +from iambic.core.models import ( + BaseModel, + BaseTemplate, + ExpiryModel, + TemplateChangeDetails, +) + +EXAMPLE_LOCAL_DATABASE_TEMPLATE_TYPE = "NOQ::Example::LocalDatabase" + +if TYPE_CHECKING: + from iambic.plugins.v0_1_0.example.iambic_plugin import ExampleConfig + + +class ExampleLocalDatabaseTemplateProperties(BaseModel): + name: str = Field(..., description="name of Local Database") + + @property + def resource_type(self) -> str: + return "example:local_database:properties" + + @property + def resource_id(self) -> str: + return self.name + + +class ExampleLocalDatabaseTemplate(BaseTemplate, ExpiryModel): + template_type = EXAMPLE_LOCAL_DATABASE_TEMPLATE_TYPE + properties: ExampleLocalDatabaseTemplateProperties = Field( + ..., description="Properties for Example Local Database Template" + ) + name: str = Field(..., description="name of Local Database") + + @property + def resource_type(self) -> str: + return "example:local_database" + + @property + def resource_id(self) -> str: + return self.name + + async def apply( + self, config: ExampleConfig, context: ExecutionContext + ) -> TemplateChangeDetails: + template_changes = TemplateChangeDetails( + resource_id=self.resource_id, + resource_type=self.template_type, + template_path=self.file_path, + ) + template_changes.proposed_changes = [] + return template_changes diff --git a/iambic/plugins/v0_1_0/example/local_file/models.py b/iambic/plugins/v0_1_0/example/local_file/models.py index 3c9690bbc..cb77f2990 100644 --- a/iambic/plugins/v0_1_0/example/local_file/models.py +++ b/iambic/plugins/v0_1_0/example/local_file/models.py 
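Review bot: In `ExampleLocalDatabaseTemplate.apply` the change record is built with `resource_type=self.template_type` (`"NOQ::Example::LocalDatabase"`) while the class's own `resource_type` property returns `"example:local_database"`, so the same template reports two different type strings depending on the code path; if the property is the intended identifier, use `resource_type=self.resource_type` here, and if mirroring the local_file template is deliberate a one-line comment saying so will stop the next reader from "fixing" it. `name` is declared both on the template and inside `properties` with nothing keeping them equal, and `resource_id` reads only the outer one, so a validator or a single source of truth would prevent a silent mismatch. `apply` always returns an empty `proposed_changes`; a short docstring stating that this example never touches a real database would make that intent explicit.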
@@ -15,7 +15,7 @@ EXAMPLE_LOCAL_FILE_TEMPLATE_TYPE = "NOQ::Example::LocalFile" if TYPE_CHECKING: - from iambic.plugins.v0_1_0.okta.iambic_plugin import ExampleConfig + from iambic.plugins.v0_1_0.example.iambic_plugin import ExampleConfig class ExampleLocalFileTemplateProperties(BaseModel): diff --git a/test/core/test_parser.py b/test/core/test_parser.py new file mode 100644 index 000000000..69a63ec21 --- /dev/null +++ b/test/core/test_parser.py 
@@ -0,0 +1,107 @@ +from __future__ import annotations + +import asyncio +import os +import shutil +import tempfile +import traceback + +import pytest + +import iambic.plugins.v0_1_0.example +from iambic.config.dynamic_config import load_config +from iambic.core.parser import load_templates + +BAD_TEMPLATE_YAML = """template_type: NOQ::Example::LocalDatabase +expires_at: tomorrow +""" + +TEST_TEMPLATE_YAML = """template_type: NOQ::Example::LocalDatabase +name: test_template +expires_at: tomorrow +properties: + name: {name}""" + +TEST_TEMPLATE_DIR = "resources/example/" +TEST_TEMPLATE_PATH = "resources/example/test_template.yaml" +BAD_TEMPLATE_PATH = "resources/example/bad_template.yaml" +TEST_CONFIG_DIR = "config/" +TEST_CONFIG_PATH = "config/test_config.yaml" + +TEST_CONFIG_YAML = """template_type: NOQ::Core::Config +version: '1' + +plugins: + - type: DIRECTORY_PATH + location: {example_plugin_location} + version: v0_1_0 +example: + random: 1 +""" + +EXAMPLE_PLUGIN_PATH = iambic.plugins.v0_1_0.example.__path__[0] + + +@pytest.fixture +def example_test_filesystem(): + temp_templates_directory = tempfile.mkdtemp( + prefix="iambic_test_temp_templates_directory" + ) + + try: + + os.makedirs(f"{temp_templates_directory}/{TEST_TEMPLATE_DIR}") + os.makedirs(f"{temp_templates_directory}/{TEST_CONFIG_DIR}") + + with open(f"{temp_templates_directory}/{TEST_TEMPLATE_PATH}", "w") as f: + f.write(TEST_TEMPLATE_YAML.format(name="before")) + + with open(f"{temp_templates_directory}/{BAD_TEMPLATE_PATH}", "w") as f: + f.write(BAD_TEMPLATE_YAML) + + with open(f"{temp_templates_directory}/{TEST_CONFIG_PATH}", "w") as f: + f.write( + TEST_CONFIG_YAML.format(example_plugin_location=EXAMPLE_PLUGIN_PATH) + ) + + yield f"{temp_templates_directory}/{TEST_CONFIG_PATH}", temp_templates_directory + finally: + try: + shutil.rmtree(temp_templates_directory) + except Exception as e: + print(e) + + +def test_load_templates(example_test_filesystem): + config_path, repo_dir = 
example_test_filesystem + with open(f"{repo_dir}/{TEST_TEMPLATE_PATH}", "r") as f: + before_template_content = "\n".join(f.readlines()) + assert "tomorrow" in before_template_content + + asyncio.run(load_config(config_path)) + templates = [f"{repo_dir}/{TEST_TEMPLATE_PATH}"] + templates = load_templates(templates, raise_validation_err=True) + assert len(templates) > 0 + + +def test_load_bad_templates(example_test_filesystem): + config_path, repo_dir = example_test_filesystem + with open(f"{repo_dir}/{TEST_TEMPLATE_PATH}", "r") as f: + before_template_content = "\n".join(f.readlines()) + assert "tomorrow" in before_template_content + + asyncio.run(load_config(config_path)) + templates = [f"{repo_dir}/{BAD_TEMPLATE_PATH}"] + template_instances = [] + with pytest.raises(ValueError) as exc_info: + template_instances = load_templates(templates, raise_validation_err=True) + assert len(template_instances) == 0 + captured_traceback_lines = traceback.format_exception( + exc_info.value + ) # this is a pytest specific format + captured_traceback = "\n".join(captured_traceback_lines) + assert "template has validation error" in captured_traceback + assert ( + "ValidationError" in captured_traceback + ) # checking the underlying Pydantic info is captured + print(captured_traceback) From 0f386c329f1f00aebf14c304cf5a5e7651a37304 Mon Sep 17 00:00:00 2001 From: Curtis Date: Tue, 28 Feb 2023 12:17:37 -0800 Subject: [PATCH 14/22] Publish job --- .github/workflows/publish-release.yml | 29 +++++++++++++++++++++++++++ .github/workflows/temp-sbom.yml | 1 + 2 files changed, 30 insertions(+) create mode 100644 .github/workflows/publish-release.yml diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml new file mode 100644 index 000000000..a6c763409 --- /dev/null +++ b/.github/workflows/publish-release.yml 
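Review bot: `test_load_templates` reads the file back with `"\n".join(f.readlines())`, which doubles every newline because `readlines()` keeps the terminator — `f.read()` is what was meant — and `before_template_content` is only checked for the substring `tomorrow` and never compared with anything after loading, so the "before" naming promises a round-trip assertion that is not made. `traceback.format_exception(exc_info.value)` with a single argument is the Python 3.10+ signature; that matches the `python3.10` venvs in the workflows but will fail on older interpreters, so either note the requirement or check `str(exc_info.value)` and `exc_info.value.__cause__` directly. The fixture's cleanup swallows `rmtree` failures with `print(e)`; `shutil.rmtree(temp_templates_directory, ignore_errors=True)` says the same thing explicitly.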
@@ -0,0 +1,29 @@ +name: Publish Release +on: + push: + tags: + - 'v*' +jobs: + build: + runs-on: ubuntu-latest + permissions: + id-token: write + contents: write + security-events: write + statuses: write + discussions: write + steps: + - name: bootstrap + run: | + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.37.3 + - uses: actions/checkout@v3 + - name: scan container + id: scan-container + run: | + make trivy_scan + make trivy_sbom + - name: Release + uses: softprops/action-gh-release@v1 + if: startsWith(github.ref, 'refs/tags/') + with: + files: iambic.sbom.sarif \ No newline at end of file diff --git a/.github/workflows/temp-sbom.yml b/.github/workflows/temp-sbom.yml index c72d60aa3..1b129adfa 100644 --- a/.github/workflows/temp-sbom.yml +++ b/.github/workflows/temp-sbom.yml @@ -11,6 +11,7 @@ jobs: contents: write security-events: write statuses: write + discussions: write steps: - uses: actions/checkout@v3 - name: bootstrap From c66dd0be3944238e08d8da02ac778457a4ec4ce0 Mon Sep 17 00:00:00 2001 From: Curtis Date: Tue, 28 Feb 2023 12:27:25 -0800 Subject: [PATCH 15/22] Clean up action files --- .github/workflows/build-container.yml | 12 +++++-- .github/workflows/publish-release.yml | 3 +- .github/workflows/run-test.yml | 52 +++++++++++++-------------- .github/workflows/temp-sbom.yml | 37 ------------------- Makefile | 2 +- 5 files changed, 38 insertions(+), 68 deletions(-) delete mode 100644 .github/workflows/temp-sbom.yml diff --git a/.github/workflows/build-container.yml b/.github/workflows/build-container.yml index 3cbfb7e45..cb6cbcae8 100644 --- a/.github/workflows/build-container.yml +++ b/.github/workflows/build-container.yml 
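Review bot: The release job never builds or pulls the image for the pushed tag; `make trivy_scan` and `make trivy_sbom` scan `public.ecr.aws/${IAMBIC_PUBLIC_ECR_ALIAS}/iambic:latest`, so the file attached to the release describes whatever `:latest` is at that moment rather than the tagged artifact, and `IAMBIC_PUBLIC_ECR_ALIAS` is not set anywhere in this workflow (unless it is a repository-level variable, the reference degenerates to `public.ecr.aws//iambic:latest`). Scan the image tag that corresponds to `github.ref_name` and attach that report alongside a real SBOM. The job asks for `id-token`, `security-events`, `statuses` and `discussions: write` but only `softprops/action-gh-release` needs `contents: write`; drop the rest, pin the action to a commit SHA instead of `@v1`, and note that `if: startsWith(github.ref, 'refs/tags/')` is redundant with the `push: tags` trigger. The installer is again `curl ... main/contrib/install.sh | sudo sh`, here run before checkout; the checksum-verified download suggested for build-container.yml applies.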
@@ -56,6 +56,7 @@ jobs: - name: build container id: build-container run: | + docker logout ghcr.io aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/o4z3c2v2 . build-env/bin/activate && make build_docker make trivy_scan @@ -63,7 +64,12 @@ jobs: make upload_docker docker logout public.ecr.aws/o4z3c2v2 docker buildx prune --filter=until=96h -f - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + - uses: actions/upload-artifact@v3 with: - sarif_file: 'iambic.sbom.sarif' + name: trivy-sbom + path: iambic.sbom.sarif + # Uncomment after OSS (Requires for GH Advanced Security): + # - name: Upload Trivy scan results to GitHub Security tab + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: 'iambic.sbom.sarif' diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index a6c763409..0c5cae0bf 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -20,10 +20,11 @@ jobs: - name: scan container id: scan-container run: | + docker logout ghcr.io make trivy_scan make trivy_sbom - name: Release uses: softprops/action-gh-release@v1 if: startsWith(github.ref, 'refs/tags/') with: - files: iambic.sbom.sarif \ No newline at end of file + files: iambic.sbom.sarif diff --git a/.github/workflows/run-test.yml b/.github/workflows/run-test.yml index eea57bd99..ca5fd5de2 100644 --- a/.github/workflows/run-test.yml +++ b/.github/workflows/run-test.yml 
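Review bot: The new `actions/upload-artifact@v3` step in the second hunk only runs when the preceding `make trivy_scan` succeeds, and at this commit `trivy_scan` still uses `--exit-code 1`, so on exactly the run where HIGH/CRITICAL findings fail the job the SBOM artifact is never uploaded; add `if: always()` (or `if: ${{ !cancelled() }}`) to the upload step so the evidence is kept. The same applies to the `publish-release.yml` hunk on this line, where the SBOM is produced by a step that can fail before the release step sees it. The `docker logout ghcr.io` inserted before the ECR login in the first hunk appears unrelated to the ECR flow as far as the visible lines show; a short comment stating why it is needed would help the next reader.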
@@ -23,31 +23,31 @@ jobs: needs: [run-unit-test] permissions: id-token: write - contents: write + contents: read steps: - uses: actions/checkout@v3 - # - name: bootstrap - # id: bootstrap - # run: | - # python3.10 -m venv env - # . env/bin/activate && pip install poetry && poetry install && make test - # - name: Configure AWS Credentials for building itest image - # uses: aws-actions/configure-aws-credentials@v1 - # with: - # role-to-assume: arn:aws:iam::442632209887:role/iambic_image_builder - # aws-region: us-east-1 - # # Disable image builder for now since we are not using it - # #- name: build-itest-image - # # id: build-itest-image - # # run: | - # # aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/l1s5s8m2 - # # . env/bin/activate && make -f Makefile.itest build_docker_itest upload_docker_itest - # - name: Configure AWS Credentials - # uses: aws-actions/configure-aws-credentials@v1 - # with: - # role-to-assume: arn:aws:iam::580605962305:role/IambicHubRole - # aws-region: us-east-1 - # - name: run-functional-test - # id: run-functional-test - # run: | - # . env/bin/activate && make functional_test + - name: bootstrap + id: bootstrap + run: | + python3.10 -m venv env + . env/bin/activate && pip install poetry && poetry install && make test + - name: Configure AWS Credentials for building itest image + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: arn:aws:iam::442632209887:role/iambic_image_builder + aws-region: us-east-1 + # Disable image builder for now since we are not using it + #- name: build-itest-image + # id: build-itest-image + # run: | + # aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/l1s5s8m2 + # . 
env/bin/activate && make -f Makefile.itest build_docker_itest upload_docker_itest + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: arn:aws:iam::580605962305:role/IambicHubRole + aws-region: us-east-1 + - name: run-functional-test + id: run-functional-test + run: | + . env/bin/activate && make functional_test diff --git a/.github/workflows/temp-sbom.yml b/.github/workflows/temp-sbom.yml deleted file mode 100644 index 1b129adfa..000000000 --- a/.github/workflows/temp-sbom.yml +++ /dev/null @@ -1,37 +0,0 @@ -name: SBOM -# This builds the container upon a push event in noqdev/iambic repository -on: - pull_request: -jobs: - sbom-temp: - runs-on: self-hosted - name: Run sbom - permissions: - id-token: write - contents: write - security-events: write - statuses: write - discussions: write - steps: - - uses: actions/checkout@v3 - - name: bootstrap - run: | - python3.10 -m venv build-env - . build-env/bin/activate && pip install poetry setuptools pip --upgrade - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.37.3 - - name: build container - id: build-container - run: | - . build-env/bin/activate && make build_docker - docker logout ghcr.io - make trivy_scan - make trivy_sbom - - uses: actions/upload-artifact@v3 - with: - name: trivy-sbom - path: iambic.sbom.sarif - # Uncomment after OSS (Requires for GH Advanced Security): - # - name: Upload Trivy scan results to GitHub Security tab - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: 'iambic.sbom.sarif' diff --git a/Makefile b/Makefile index 0931a91ce..54b5d3b8d 100644 --- a/Makefile +++ b/Makefile 
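Review bot: The re-enabled functional-test job obtains AWS credentials through `id-token: write` and `aws-actions/configure-aws-credentials@v1`, yet every action it runs is referenced by a floating major tag (`@v1`, `@v3`) and the bootstrap step does an unpinned `pip install poetry`, so the code that executes with those cloud credentials is whatever those tags and PyPI resolve to at run time; pin the actions to commit SHAs and pin poetry (`pip install "poetry==<pinned-version>"`). The change from `contents: write` to `contents: read` is a welcome tightening. The workflow trigger is outside the hunk, so whether this job can run for pull requests from forks, where the trust policy on the assumed roles matters most, cannot be confirmed from here. The two consecutive `configure-aws-credentials` steps mean the second role's credentials silently replace the first's; a comment noting that the image-builder role is only needed by the currently disabled build step would make that explicit.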
@@ -30,7 +30,7 @@ upload_docker: .PHONY: trivy_scan trivy_scan: - trivy image --exit-code 1 --skip-files /app/docs/web/docs/getting_started/aws/aws.mdx --secret-config trivy-secret.yaml --severity HIGH,CRITICAL public.ecr.aws/${IAMBIC_PUBLIC_ECR_ALIAS}/iambic:latest + trivy image --exit-code 1 --output iambic.trivy.scan.txt --skip-files /app/docs/web/docs/getting_started/aws/aws.mdx --secret-config trivy-secret.yaml --severity HIGH,CRITICAL public.ecr.aws/${IAMBIC_PUBLIC_ECR_ALIAS}/iambic:latest .PHONY: trivy_sbom trivy_sbom: From 0a21b6eda6301b448c50fcbced44ea603e928b6c Mon Sep 17 00:00:00 2001 From: Version Auto Bump Date: Tue, 28 Feb 2023 21:14:48 +0000 Subject: [PATCH 16/22] Bump version --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 9f36016f6..efb47538d 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] name = "iambic" -version = "0.1.59" +version = "0.1.60" description = "The python package used to generate, parse, and execute noqform yaml templates." authors = ["Noq Software "] readme = "README.md" From bfcd7df88ccdbf87a63b5bc3a0418a8aa554133f Mon Sep 17 00:00:00 2001 From: Steven Moy Date: Tue, 28 Feb 2023 13:24:48 -0800 Subject: [PATCH 17/22] Use load_templates which support wrapping yaml problems and validation problems --- iambic/core/git.py | 6 ++++-- iambic/core/parser.py | 9 +++++---- test/core/test_parser.py | 42 +++++++++++++++++++++++++++++++++------- 3 files changed, 44 insertions(+), 13 deletions(-) diff --git a/iambic/core/git.py b/iambic/core/git.py index 26b3f9c32..bd50a3c18 100644 --- a/iambic/core/git.py +++ b/iambic/core/git.py @@ -12,6 +12,7 @@ from iambic.config.templates import TEMPLATES from iambic.core.logger import log +from iambic.core.parser import load_templates from iambic.core.utils import NOQ_TEMPLATE_REGEX, file_regex_search, yaml if TYPE_CHECKING: 
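Review bot: Adding `--output iambic.trivy.scan.txt` redirects Trivy's findings from the job log into a file, but no visible workflow step uploads `iambic.trivy.scan.txt` as an artifact, so when `--exit-code 1` fails the job the log shows the failure with no findings to act on. Either drop `--output` so the table stays in the log, or add an `actions/upload-artifact` step for the file (with `if: always()`) next to the existing `trivy-sbom` artifact. The recipe line is also long enough that flag changes are hard to review; splitting the flags with backslash continuations would make the next diff readable.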
@@ -232,8 +233,9 @@ def create_templates_for_modified_files( main_template = template_cls(file_path=git_diff.path, **main_template_dict) - template_dict = yaml.load(open(git_diff.path)) - template = template_cls(file_path=git_diff.path, **template_dict) + # template_dict = yaml.load(open(git_diff.path)) + # template = template_cls(file_path=git_diff.path, **template_dict) + template = load_templates([git_diff.path])[0] # EN-1634 dealing with providers that have no concept of multi-accounts # a hack to just ignore template that does not have included_accounts attribute diff --git a/iambic/core/parser.py b/iambic/core/parser.py index 1a25d7a1a..303b5bd35 100644 --- a/iambic/core/parser.py +++ b/iambic/core/parser.py @@ -1,6 +1,7 @@ from __future__ import annotations from pydantic import ValidationError +from ruamel.yaml.scanner import ScannerError from iambic.config.templates import TEMPLATES from iambic.core.logger import log @@ -14,10 +15,10 @@ def load_templates( templates = [] for template_path in template_paths: - template_dict = transform_comments(yaml.load(open(template_path))) - if template_dict["template_type"] in ["NOQ::Core::Config"]: - continue try: + template_dict = transform_comments(yaml.load(open(template_path))) + if template_dict["template_type"] in ["NOQ::Core::Config"]: + continue template_cls = TEMPLATES.template_map[template_dict["template_type"]] template_cls.update_forward_refs() templates.append(template_cls(file_path=template_path, **template_dict)) @@ -29,7 +30,7 @@ def load_templates( ) # We should allow to continue to allow unknown template type; otherwise, # we cannot support forward or backward compatibility during version changes. - except ValidationError as err: + except (ValidationError, ScannerError) as err: log.critical( "Invalid template structure", file_path=template_path, error=repr(err) ) diff --git a/test/core/test_parser.py b/test/core/test_parser.py index 69a63ec21..96a772537 100644 --- a/test/core/test_parser.py 
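Review bot: `template = load_templates([git_diff.path])[0]` assumes the helper always returns one template, but per the `parser.py` hunks in this same commit `load_templates` skips `NOQ::Core::Config` templates with `continue` and logs-and-skips unknown template types, and `raise_validation_err` is not passed here (its default is outside the hunk; the tests pass it explicitly), so a skipped or invalid file surfaces as a bare `IndexError` rather than the wrapped error the commit set out to provide. Pass the flag and guard the result: `loaded = load_templates([git_diff.path], raise_validation_err=True)` / `if not loaded: raise ValueError(f"no loadable template in {git_diff.path}")` / `template = loaded[0]`. The two commented-out `yaml.load` lines above it should be deleted rather than kept as dead code. The enclosing `create_templates_for_modified_files` starts outside the hunk.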
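Review bot: Catching only `ScannerError` in the last `parser.py` hunk covers the indentation case in the new test but not the other ways a file fails inside the `try`: ruamel raises `ParserError`/`ComposerError` for other syntax problems, and a document that parses to something other than a mapping, or a mapping without `template_type`, now raises `TypeError`/`KeyError` from `template_dict["template_type"]` (moved into the `try` by the middle hunk) and escapes unwrapped. Catch ruamel's base class instead, `except (ValidationError, YAMLError) as err:` with `from ruamel.yaml.error import YAMLError`, and handle `KeyError`/`TypeError` for the missing-key case with the same logged message. `yaml.load(open(template_path))` also leaves the file handle to the garbage collector; `with open(template_path) as f: template_dict = transform_comments(yaml.load(f))` closes it deterministically. `load_templates` begins before these hunks.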
+++ b/test/core/test_parser.py @@ -12,10 +12,14 @@ from iambic.config.dynamic_config import load_config from iambic.core.parser import load_templates -BAD_TEMPLATE_YAML = """template_type: NOQ::Example::LocalDatabase +MISSING_REQUIRED_FIELDS_TEMPLATE_YAML = """template_type: NOQ::Example::LocalDatabase expires_at: tomorrow """ +MALFORMED_YAML = """template_type: NOQ::Example::LocalDatabase + expires_at: tomorrow +""" + TEST_TEMPLATE_YAML = """template_type: NOQ::Example::LocalDatabase name: test_template expires_at: tomorrow @@ -24,7 +28,8 @@ TEST_TEMPLATE_DIR = "resources/example/" TEST_TEMPLATE_PATH = "resources/example/test_template.yaml" -BAD_TEMPLATE_PATH = "resources/example/bad_template.yaml" +MISSING_REQUIRED_FIELDS_TEMPLATE_PATH = "resources/example/bad_template.yaml" +MALFORMED_YAML_PATH = "resources/example/malformed_yaml.yaml" TEST_CONFIG_DIR = "config/" TEST_CONFIG_PATH = "config/test_config.yaml" @@ -56,8 +61,13 @@ def example_test_filesystem(): with open(f"{temp_templates_directory}/{TEST_TEMPLATE_PATH}", "w") as f: f.write(TEST_TEMPLATE_YAML.format(name="before")) - with open(f"{temp_templates_directory}/{BAD_TEMPLATE_PATH}", "w") as f: - f.write(BAD_TEMPLATE_YAML) + with open( + f"{temp_templates_directory}/{MISSING_REQUIRED_FIELDS_TEMPLATE_PATH}", "w" + ) as f: + f.write(MISSING_REQUIRED_FIELDS_TEMPLATE_YAML) + + with open(f"{temp_templates_directory}/{MALFORMED_YAML_PATH}", "w") as f: + f.write(MALFORMED_YAML) with open(f"{temp_templates_directory}/{TEST_CONFIG_PATH}", "w") as f: f.write( 
@@ -84,14 +94,14 @@ def test_load_templates(example_test_filesystem): assert len(templates) > 0 -def test_load_bad_templates(example_test_filesystem): +def test_missing_required_fields_templates(example_test_filesystem): config_path, repo_dir = example_test_filesystem with open(f"{repo_dir}/{TEST_TEMPLATE_PATH}", "r") as f: before_template_content = "\n".join(f.readlines()) assert "tomorrow" in before_template_content asyncio.run(load_config(config_path)) - templates = [f"{repo_dir}/{BAD_TEMPLATE_PATH}"] + templates = [f"{repo_dir}/{MISSING_REQUIRED_FIELDS_TEMPLATE_PATH}"] template_instances = [] with pytest.raises(ValueError) as exc_info: template_instances = load_templates(templates, raise_validation_err=True) @@ -104,4 +114,22 @@ def test_load_bad_templates(example_test_filesystem): assert ( "ValidationError" in captured_traceback ) # checking the underlying Pydantic info is captured - print(captured_traceback) + + +def test_malformed_yaml(example_test_filesystem): + config_path, repo_dir = example_test_filesystem + + asyncio.run(load_config(config_path)) + templates = [f"{repo_dir}/{MALFORMED_YAML_PATH}"] + template_instances = [] + with pytest.raises(ValueError) as exc_info: + template_instances = load_templates(templates, raise_validation_err=True) + assert len(template_instances) == 0 + captured_traceback_lines = traceback.format_exception( + exc_info.value + ) # this is a pytest specific format + captured_traceback = "\n".join(captured_traceback_lines) + assert "template has validation error" in captured_traceback + assert ( + "ScannerError" in captured_traceback + ) # checking the underlying raumel info is captured From e362c714d2b6b01c03a84e57ba96c8c55283666b Mon Sep 17 00:00:00 2001 From: Curtis Date: Tue, 28 Feb 2023 13:42:48 -0800 Subject: [PATCH 18/22] Trivy without exit code --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 54b5d3b8d..ba10a5418 100644 --- a/Makefile +++ b/Makefile 
@@ -30,7 +30,7 @@ upload_docker: .PHONY: trivy_scan trivy_scan: - trivy image --exit-code 1 --output iambic.trivy.scan.txt --skip-files /app/docs/web/docs/getting_started/aws/aws.mdx --secret-config trivy-secret.yaml --severity HIGH,CRITICAL public.ecr.aws/${IAMBIC_PUBLIC_ECR_ALIAS}/iambic:latest + trivy image --output iambic.trivy.scan.txt --skip-files /app/docs/web/docs/getting_started/aws/aws.mdx --secret-config trivy-secret.yaml --severity HIGH,CRITICAL public.ecr.aws/${IAMBIC_PUBLIC_ECR_ALIAS}/iambic:latest .PHONY: trivy_sbom trivy_sbom: From 107f44c3b5447a49e7a6df246c693d3bba4cdbec Mon Sep 17 00:00:00 2001 From: Version Auto Bump Date: Tue, 28 Feb 2023 21:43:27 +0000 Subject: [PATCH 19/22] Bump version --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index efb47538d..9201e2026 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] name = "iambic" -version = "0.1.60" +version = "0.1.61" description = "The python package used to generate, parse, and execute noqform yaml templates." authors = ["Noq Software "] readme = "README.md" From 12f02635e8e42cf44c2a10e7c0228154f5371660 Mon Sep 17 00:00:00 2001 From: Version Auto Bump Date: Tue, 28 Feb 2023 21:48:39 +0000 Subject: [PATCH 20/22] Bump version --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 9201e2026..401d23940 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] name = "iambic" -version = "0.1.61" +version = "0.1.62" description = "The python package used to generate, parse, and execute noqform yaml templates." authors = ["Noq Software "] readme = "README.md" From a4fd527ea601844f42dedb28d29bfaa9cf89020b Mon Sep 17 00:00:00 2001 
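Review bot: Dropping `--exit-code 1` turns `trivy_scan` into an advisory step: HIGH/CRITICAL findings no longer fail `build-container.yml` or `publish-release.yml`, and because the output still goes to `iambic.trivy.scan.txt`, which no visible workflow uploads, the findings are not surfaced anywhere. If the intent is to stop unfixable upstream CVEs from blocking releases, `--exit-code 1 --ignore-unfixed` keeps the gate for fixable ones; otherwise restore the gate, or at least upload the output file so a decision to release with known findings is recorded. A comment on the recipe stating which of these the team chose would stop the flag from being silently flipped back and forth.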
From: Curtis Date: Tue, 28 Feb 2023 13:57:02 -0800 Subject: [PATCH 21/22] Change sbom to json --- .github/workflows/build-container.yml | 4 ++-- .github/workflows/publish-release.yml | 2 +- Makefile | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-container.yml b/.github/workflows/build-container.yml index cb6cbcae8..ef33f695b 100644 --- a/.github/workflows/build-container.yml +++ b/.github/workflows/build-container.yml @@ -67,9 +67,9 @@ jobs: - uses: actions/upload-artifact@v3 with: name: trivy-sbom - path: iambic.sbom.sarif + path: iambic.sbom.json # Uncomment after OSS (Requires for GH Advanced Security): # - name: Upload Trivy scan results to GitHub Security tab # uses: github/codeql-action/upload-sarif@v2 # with: - # sarif_file: 'iambic.sbom.sarif' + # sarif_file: 'iambic.sbom.json' diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 0c5cae0bf..6e91760bd 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -27,4 +27,4 @@ jobs: uses: softprops/action-gh-release@v1 if: startsWith(github.ref, 'refs/tags/') with: - files: iambic.sbom.sarif + files: iambic.sbom.json diff --git a/Makefile b/Makefile index ba10a5418..f34912023 100644 --- a/Makefile +++ b/Makefile @@ -34,7 +34,7 @@ trivy_scan: .PHONY: trivy_sbom trivy_sbom: - trivy image --severity HIGH,CRITICAL --format sarif --output iambic.sbom.sarif public.ecr.aws/${IAMBIC_PUBLIC_ECR_ALIAS}/iambic:latest + trivy image --format spdx-json --output iambic.sbom.json public.ecr.aws/${IAMBIC_PUBLIC_ECR_ALIAS}/iambic:latest .PHONY: create_manifest create_manifest: From b9d1b09d6cf4af4adde3cae35946774188bf599f Mon Sep 17 00:00:00 2001 From: Version Auto Bump Date: Tue, 28 Feb 2023 21:57:50 +0000 Subject: [PATCH 22/22] Bump version --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 401d23940..1ddd94a83 100644 
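Review bot: The commented-out `github/codeql-action/upload-sarif@v2` block in the `build-container.yml` hunk now points at `sarif_file: 'iambic.sbom.json'`, but the Makefile hunk in this commit switches `trivy_sbom` to `--format spdx-json`, so that file is an SPDX document, not SARIF, and the block will fail the moment it is uncommented. Either leave the comment pointing at a SARIF-producing target or replace it with a note such as `# NOTE: iambic.sbom.json is SPDX, not SARIF; upload-sarif needs a separate --format sarif run`. Dropping `--severity HIGH,CRITICAL` from the SBOM target is correct, since severity filtering has no meaning for an inventory.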
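Review bot: Both `trivy_scan` and `trivy_sbom` operate on `public.ecr.aws/${IAMBIC_PUBLIC_ECR_ALIAS}/iambic:latest`, and `publish-release.yml` attaches the resulting `iambic.sbom.json` to a `v*` tag release, so the published SBOM describes whatever `:latest` is in the registry when the tag is pushed rather than the image built from that tag. Parameterise the tag (for example a constructed variable like `IAMBIC_IMAGE_TAG ?= latest` used as `iambic:${IAMBIC_IMAGE_TAG}`) and pass the release tag from the workflow, or build and scan the image inside the release job, so the SBOM is attributable to the artifact it ships with.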
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "poetry.core.masonry.api"
 [tool.poetry]
 name = "iambic"
-version = "0.1.62"
+version = "0.1.63"
 description = "The python package used to generate, parse, and execute noqform yaml templates."
 authors = ["Noq Software "]
 readme = "README.md"