
CI: Check Patch Audit Compliance #167

Merged
merged 5 commits into from
Dec 13, 2023

Conversation

reneme
Collaborator

@reneme reneme commented Dec 12, 2023

This adds an automated check to ensure that all referenced patches in the audit document are sufficiently denoted to assume that an audit was performed on it.

Note that I had to install pyyaml for auditinfo. Therefore, I needed to poetry update all downstream dependencies. Hence: sorry for the poetry.lock clutter in this PR.

Currently, this checks:

  1. Is the patch authored, approved or audited by at least one authoritative auditor, registered in config/auditors.yml
  2. Is the patch classified regarding its relevance to the library's overall security

Note that we should not merge this until all currently registered patches are properly audited. Otherwise the main branch won't build anymore. As a side-effect this will also fail the Auto-Update pull request after the Bot created it. It will only turn green once an auditor clones it and performs an audit on the detected upstream patches.
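The two rules above, implemented as a stand-alone check (added example, not the repository's own tooling): a patch is compliant only if an authoritative auditor authored, approved or audited it and it carries a classification. The auditor handles, patch records and shas are constructed placeholders, and reporting only the first failing rule is an assumption, not documented behaviour of the real job.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for config/auditors.yml; the handles are hypothetical.
AUTHORITATIVE_AUDITORS = frozenset({"auditor-a", "auditor-b"})


@dataclass
class Patch:
    topic: str
    ref: str                      # "GH #<pr> (<sha>)" or a bare commit sha
    authors: frozenset = field(default_factory=frozenset)
    approvers: frozenset = field(default_factory=frozenset)
    auditors: frozenset = field(default_factory=frozenset)
    classification: Optional[str] = None  # e.g. "relevant" / "not relevant"


def audit_problem(patch: Patch, auditors: frozenset) -> Optional[str]:
    """Return why a patch is insufficiently audited, or None if it passes.
    Rules run in the order the PR lists them; the first failure is reported
    (assumption about the real tool)."""
    involved = patch.authors | patch.approvers | patch.auditors
    if not involved & auditors:
        return "No registered authoritative auditor was involved in this patch"
    if not patch.classification:
        return "Not classified"
    return None


def audit_findings(patches: list, auditors: frozenset = AUTHORITATIVE_AUDITORS) -> list:
    """One finding per non-compliant patch, in the format the CI log shows."""
    findings = []
    for p in patches:
        reason = audit_problem(p, auditors)
        if reason:
            findings.append(f"In topic '{p.topic}', the patch '{p.ref}' "
                            f"is not sufficiently audited, because: {reason}")
    return findings


# Constructed sample input; shas are placeholders, not real upstream commits.
SAMPLE = [
    Patch("Documentation", "GH #0001 (sha-placeholder-1)",
          auditors=frozenset({"auditor-a"}), classification="not relevant"),
    Patch("Documentation", "GH #0002 (sha-placeholder-2)",
          approvers=frozenset({"auditor-b"})),               # missing classification
    Patch("Release Preparation", "sha-placeholder-3",
          authors=frozenset({"someone-else"}), classification="relevant"),
]

if __name__ == "__main__":
    for line in audit_findings(SAMPLE):
        print(line)
    print(f"Found {len(audit_findings(SAMPLE))} insufficiently audited patches")
```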

@reneme reneme added the enhancement New feature or request label Dec 12, 2023
@reneme reneme requested review from lieser and FAlbertDev December 12, 2023 13:46
@reneme reneme self-assigned this Dec 12, 2023
@reneme reneme marked this pull request as draft December 12, 2023 13:46
@reneme reneme force-pushed the ci/check_patch_compliance branch 2 times, most recently from b75dbeb to 8c89a77 Compare December 12, 2023 13:57
@reneme
Collaborator Author

reneme commented Dec 12, 2023

For reference: the current result is this:

In topic 'Continuous Integration', the patch 'GH #3830 (92e5dd71e25f2121a22402e5ae590873d2ac0831)' is not sufficiently audited, because: Not classified
In topic 'Command Line Interface', the patch 'GH #3749 (73088f7b2ffdbf068e3022746b1437a9fab76a42)' is not sufficiently audited, because: Not classified
In topic 'Command Line Interface', the patch 'GH #3763 (5f502c695ab0cd38cab519e9da663e453fdf14ef)' is not sufficiently audited, because: Not classified
In topic 'Command Line Interface', the patch 'GH #3791 (84a828af77a98f2d03144a0ebb0c6d0cff383bd9)' is not sufficiently audited, because: Not classified
In topic 'Command Line Interface', the patch 'GH #3820 (6a6ba96a6a5d2e112b53c9c9b9cf66d62cdf5fef)' is not sufficiently audited, because: Not classified
In topic 'Documentation', the patch 'GH #3828 (79c8e235a6dce9d09df1cc605d283a4f735e0481)' is not sufficiently audited, because: Not classified
In topic 'PKI and Asymmetric Crypto', the patch 'GH #3770 (11b5d80790a65d6a7f8267a95224f9e8c5ac0080)' is not sufficiently audited, because: Not classified
In topic 'PKI and Asymmetric Crypto', the patch 'GH #3786 (55b92d1af51591838273ad2877b3b2ab2d1d51dc)' is not sufficiently audited, because: Not classified
In topic 'PKI and Asymmetric Crypto', the patch 'GH #3782 (7713fa936f3903f4d5ba2fd6b83702b4e3804d01)' is not sufficiently audited, because: Not classified
In topic 'PKI and Asymmetric Crypto', the patch 'GH #3784 (cef8f13347fe7f60b7e66519b0813e4c2c93d9af)' is not sufficiently audited, because: Not classified
In topic 'PKI and Asymmetric Crypto', the patch 'GH #3821 (b7c737ff816148fc05f634d2e3b25974bfd19452)' is not sufficiently audited, because: Not classified
In topic 'Release Preparation', the patch 'c2a2c0e6d8a1093493ec4931ffa09ba98ee66a12' is not sufficiently audited, because: No registered authorative auditor was involved in this patch
In topic 'TLS Improvements and Extensions', the patch 'GH #3764 (0981814435c005c02ebfdc312642c1414492efd1)' is not sufficiently audited, because: Not classified
In topic 'TLS Improvements and Extensions', the patch 'GH #3762 (565774637336a120ab818161cdb7755c87fbd6d8)' is not sufficiently audited, because: Not classified
In topic 'TLS Improvements and Extensions', the patch 'GH #3765 (fa143ad1484cca9b234b4e4ed41d4fa8d31e4366)' is not sufficiently audited, because: Not classified
In topic 'TLS Improvements and Extensions', the patch 'GH #3771 (20279c6b5115740b7987f9d5c6c29c311d093bae)' is not sufficiently audited, because: Not classified
In topic 'TLS Improvements and Extensions', the patch 'GH #3820 (6a6ba96a6a5d2e112b53c9c9b9cf66d62cdf5fef)' is not sufficiently audited, because: Not classified

... should all be addressed in #167, #168, #169, #170.

@reneme reneme marked this pull request as ready for review December 12, 2023 14:13
@reneme reneme mentioned this pull request Dec 12, 2023
Collaborator

@FAlbertDev FAlbertDev left a comment


Nice! Exactly what I was looking for 👍

Currently, it validates:

1. Is the patch authored, approved or audited by at least one
   authoritative auditor, registered in config/auditors.yml
2. Is the patch classified regarding its relevance to the
   library's overall security
@reneme reneme force-pushed the ci/check_patch_compliance branch from 16fd067 to 881b792 Compare December 13, 2023 08:14
@reneme
Collaborator Author

reneme commented Dec 13, 2023

After merging all remaining audit pull requests, I rebased to main and will now wait for the new checks to turn green in CI.

Edit: worked!

INFO:root:Found configuration for 'Changes since last Audit'
INFO:root:Read 11 topic files for 'Changes since last Audit'
WARNING:root:Fetching '/repos/randombit/botan' without caching
WARNING:root:Fetching '/rate_limit' without caching
INFO:root:Current GitHub API rate limit: 985/1000 (will reset in: 0 hours 52 minutes)

\\\\\\
INFO:root:Found 0 insufficiently audited patches
//////

INFO:root:Performed 183 API requests (98.9% cache hits)

@reneme reneme merged commit 39e18af into main Dec 13, 2023
20 checks passed
@reneme reneme deleted the ci/check_patch_compliance branch December 13, 2023 08:20