feat: orchestrion pin can track enabled integrations

[RomainMuller]

Initial changes to how orchestrion pin works to support incremental edits to the file. This is in preparation to moving the aspects/integration definitions from orchestrion itself to the tracer library.

[datadog-datadog-prod-us1]

🟠 Code Vulnerability

Check command call and ensure there is no unsanitized data used. The variable `command` may need to be validated (...read more)

In Go, the exec.Command function is used to run external commands. Using this function carelessly can lead to command injection vulnerabilities.

Command injection occurs when untrusted input is passed directly to a system shell, allowing an attacker to execute arbitrary commands. This can result in unauthorized access to the system, data leaks, or other security breaches.

To prevent command injection vulnerabilities when using exec.Command in Go, follow these coding best practices:

1. Sanitize User Input: Always validate and sanitize user inputs before passing them to exec.Command. Avoid executing commands constructed using user-provided data.
2. Avoid using Shell Expansion: If possible, pass the command and arguments as separate strings to exec.Command. This prevents the shell from interpreting special characters in a potentially malicious way.
3. Use Absolute Paths: When specifying the command to be executed, use absolute paths for executables whenever possible. This reduces the risk of inadvertently running a similarly named malicious command from the system's PATH.
4. Avoid String Concatenation: Refrain from dynamically constructing commands by concatenating strings. Instead, use the arg ...string parameter of exec.Command to pass arguments safely.
5. Limit Privileges: Run commands with the least privilege required to carry out the task. Avoid running commands with elevated privileges unnecessarily.

By following these practices, you can reduce the risk of command injection vulnerabilities when using exec.Command in Go and enhance the security of your application.

    

[eliottness]

Fix #161 ?

[RomainMuller]

I'm not sure that bug still reproduces today (before this change).

[codecov]

Codecov Report

Attention: Patch coverage is 64.06250% with 161 lines in your changes missing coverage. Please review.

Project coverage is 60.81%. Comparing base (c91c3e9) to head (a3364d8).
Report is 4 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/pin/pin.go	61.32%	54 Missing and 16 partials ⚠️
internal/pin/importset.go	64.84%	38 Missing and 7 partials ⚠️
internal/pin/gomod.go	55.73%	23 Missing and 4 partials ⚠️
internal/pin/auto.go	69.35%	17 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #376      +/-   ##
==========================================
+ Coverage   60.28%   60.81%   +0.52%     
==========================================
  Files         166      174       +8     
  Lines       11973    12302     +329     
==========================================
+ Hits         7218     7481     +263     
- Misses       4280     4340      +60     
- Partials      475      481       +6     

Components	Coverage Δ
Generators	76.98% <ø> (ø)
Instruments	88.05% <ø> (ø)
Go Driver	73.46% <ø> (+0.32%)	⬆️
Toolexec Driver	70.64% <100.00%> (ø)
Aspects	71.73% <ø> (ø)
Injector	73.72% <ø> (ø)
Job Server	64.02% <ø> (+0.56%)	⬆️
Integration Test Suite	54.24% <ø> (+0.69%)	⬆️
Other	60.81% <64.06%> (+0.52%)	⬆️

Files with missing lines	Coverage Δ
internal/cmd/pin.go	100.00% <100.00%> (+100.00%)	⬆️
internal/toolexec/proxy/link.flags.go	100.00% <100.00%> (ø)
main.go	26.35% <100.00%> (+1.15%)	⬆️
internal/pin/auto.go	69.35% <69.35%> (ø)
internal/pin/gomod.go	55.73% <55.73%> (ø)
internal/pin/importset.go	64.84% <64.84%> (ø)
internal/pin/pin.go	57.86% <61.32%> (-0.39%)	⬇️

... and 60 files with indirect coverage changes