Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[analyze] Add Analyzer interface for Gitlab #3232

Merged
merged 14 commits into from
Oct 30, 2024

Conversation

abmussani
Copy link
Contributor

Description:

This PR implements the analyzer interface for Gitlab.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

@abmussani abmussani requested review from a team as code owners August 19, 2024 15:58
@abmussani abmussani force-pushed the impl-data-model-gitlab branch from ccc7f7c to ca8ac04 Compare August 28, 2024 16:27
Copy link
Collaborator

@mcastorina mcastorina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code looks good but the test isn't passing. It looks like the gitlab token is expired:

» curl 'https://gitlab.com/api/v4/personal_access_tokens/self' -H "Private-Token: $GITLAB_TOKEN"
{
  "error": "invalid_token",
  "error_description": "Token is expired. You can either do re-authorization or token refresh."
}

@abmussani abmussani force-pushed the impl-data-model-gitlab branch from 3b5b769 to 051aadf Compare September 9, 2024 16:25
to make more unique FullyQualifiedName, Ids are added for resources.
@abmussani abmussani requested a review from mcastorina September 9, 2024 16:45
@abmussani
Copy link
Contributor Author

@mcastorina I have updated the active gitlab key in vault. Also There are some changes to make resource unique. Re-requesting this PR to get view

Bindings: []analyzers.Binding{},
}

// Add token and it's permissions to bindings
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we sure token should be a resource here? Does the credential we're analyzing grant permission to perform actions on the token?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup, The permission determine what action can be perform using that token.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Permissions operate on a resource though, so in this case the permissions would describe operations that could be performed on the token itself, which seems wrong to me..

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mcastorina I had gone through the login. PAT token does belongs to user and we do get userID in response. So, resource can be a User with those permissions. What do you think ?

pkg/analyzer/analyzers/gitlab/gitlab.go Outdated Show resolved Hide resolved
pkg/analyzer/analyzers/gitlab/gitlab.go Outdated Show resolved Hide resolved
pkg/analyzer/analyzers/gitlab/gitlab.go Outdated Show resolved Hide resolved
Copy link
Collaborator

@mcastorina mcastorina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

Some of the tests are failing though - I think it's because we removed analyzerpb? You might have to update your branch to fix those errors

* main: (76 commits)
  update aws descriptions (trufflesecurity#3529)
  enforce timeout on circleci test (trufflesecurity#3528)
  rm snifftest (trufflesecurity#3527)
  Redact more source credentials (trufflesecurity#3526)
  Create global log redaction capability (trufflesecurity#3522)
  Adding basic "what is trufflehog" to the readme (trufflesecurity#3514)
  Handle custom detector response and include in extra data (trufflesecurity#3411)
  fix: fixed validation logic for `calendarific` (trufflesecurity#3480)
  fix(deps): update github.com/tailscale/depaware digest to 3d7f3b3 (trufflesecurity#3518)
  Move DecoderType into ResultWithMetadata trufflesecurity#3502
  Addeded 403 account block status code handling for gitlab (trufflesecurity#3471)
  updated gcpapplicationdefaultcredentials detector results with RawV2 (trufflesecurity#3499)
  fix(deps): update module github.com/brianvoe/gofakeit/v7 to v7.1.1 (trufflesecurity#3512)
  fix(deps): update module github.com/schollz/progressbar/v3 to v3.17.0 (trufflesecurity#3510)
  fix(deps): update module cloud.google.com/go/secretmanager to v1.14.2 (trufflesecurity#3498)
  Adds a logging section in the contributing guidelines (trufflesecurity#3509)
  fix: fixed verifcation pattern logic for `bulksms` (trufflesecurity#3478)
  Extend `algoliaadminkey` with additional checks (trufflesecurity#3459)
  fix(deps): update module google.golang.org/api to v0.203.0 (trufflesecurity#3497)
  fix: added correct api endpoint for verification & logic for Aeroworkflow (trufflesecurity#3435)
  ...
@abmussani
Copy link
Contributor Author

lgtm!

Some of the tests are failing though - I think it's because we removed analyzerpb? You might have to update your branch to fix those errors

Thanks @mcastorina for letting me. I have fixed the breaking changes. Seems like Github Action is facing downtime. I will wait for the check queues to get completed.

@abmussani abmussani merged commit 9b2cef5 into trufflesecurity:main Oct 30, 2024
13 checks passed
@abmussani abmussani deleted the impl-data-model-gitlab branch October 30, 2024 13:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

3 participants