Merge branch 'main' into dependabot/github_actions/anchore/sbom-actio…

…n-0.17.1
mindersec · Aug 14, 2024 · 1ac5578 · 1ac5578
2 parents cdbf8d2 + ca27c5e
commit 1ac5578
Show file tree

Hide file tree

Showing 19 changed files with 141 additions and 75 deletions.
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,2 @@
+# We don't use the affected constructs and thus are not vulnerable.
+CVE-2024-42473
diff --git a/database/migrations/000091_entity_project_fk.down.sql b/database/migrations/000091_entity_project_fk.down.sql
@@ -0,0 +1,15 @@
+-- Copyright 2024 Stacklok, Inc
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+--      http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+-- It doesn't make sense to remove this FK constraint
diff --git a/database/migrations/000091_entity_project_fk.up.sql b/database/migrations/000091_entity_project_fk.up.sql
@@ -0,0 +1,27 @@
+-- Copyright 2024 Stacklok, Inc
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+--      http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+-- Drop the foreign key constraint and then recreate it with the ON DELETE CASCADE option
+BEGIN;
+
+ALTER TABLE entity_instances DROP CONSTRAINT entity_instances_project_id_fkey;
+
+ALTER TABLE entity_instances ADD CONSTRAINT entity_instances_project_id_fkey FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
+
+-- Do the same for the provider ID, since deleting a provider should delete all entities associated with it
+ALTER TABLE entity_instances DROP CONSTRAINT entity_instances_provider_id_fkey;
+
+ALTER TABLE entity_instances ADD CONSTRAINT entity_instances_provider_id_fkey FOREIGN KEY (provider_id) REFERENCES providers(id) ON DELETE CASCADE;
+
+COMMIT;
diff --git a/internal/auth/jwt/jwtauth.go b/internal/auth/jwt/jwtauth.go
@@ -114,7 +114,9 @@ func NewJwtValidator(ctx context.Context, jwksUrl string, issUrl string, aud str
 	}, nil
 }
 
-var userTokenContextKey struct{}
+type userTokenContextKeyType struct{}
+
+var userTokenContextKey userTokenContextKeyType
 
 // GetUserSubjectFromContext returns the user subject from the context, or nil
 func GetUserSubjectFromContext(ctx context.Context) string {

diff --git a/internal/controlplane/handlers_authz.go b/internal/controlplane/handlers_authz.go
@@ -315,7 +315,7 @@ func (s *Server) AssignRole(ctx context.Context, req *minder.AssignRoleRequest)
 	// Parse role (this also validates)
 	authzRole, err := authz.ParseRole(role)
 	if err != nil {
-		return nil, util.UserVisibleError(codes.InvalidArgument, err.Error())
+		return nil, util.UserVisibleError(codes.InvalidArgument, "%s", err.Error())
 	}
 
 	// Ensure the target project exists
@@ -377,7 +377,7 @@ func (s *Server) RemoveRole(ctx context.Context, req *minder.RemoveRoleRequest)
 	// Parse role (this also validates)
 	authzRole, err := authz.ParseRole(role)
 	if err != nil {
-		return nil, util.UserVisibleError(codes.InvalidArgument, err.Error())
+		return nil, util.UserVisibleError(codes.InvalidArgument, "%s", err.Error())
 	}
 
 	// Validate the subject and email - decide if it's about removing an invitation or a role assignment
@@ -433,7 +433,7 @@ func (s *Server) UpdateRole(ctx context.Context, req *minder.UpdateRoleRequest)
 	// Parse role (this also validates)
 	authzRole, err := authz.ParseRole(role)
 	if err != nil {
-		return nil, util.UserVisibleError(codes.InvalidArgument, err.Error())
+		return nil, util.UserVisibleError(codes.InvalidArgument, "%s", err.Error())
 	}
 
 	// Validate the subject and email - decide if it's about updating an invitation or a role assignment

diff --git a/internal/controlplane/handlers_authz_test.go b/internal/controlplane/handlers_authz_test.go
@@ -256,7 +256,7 @@ func TestProjectAuthorizationInterceptor(t *testing.T) {
 			},
 			rpcErr: util.UserVisibleError(
 				codes.PermissionDenied,
-				fmt.Sprintf("user %q is not authorized to perform this operation on project %q", "subject1", projectID)),
+				"user %q is not authorized to perform this operation on project %q", "subject1", projectID),
 		},
 		{
 			name:     "authorized on project",

diff --git a/internal/controlplane/handlers_oauth.go b/internal/controlplane/handlers_oauth.go
@@ -299,7 +299,7 @@ func (s *Server) processOAuthCallback(ctx context.Context, w http.ResponseWriter
 		zerolog.Ctx(ctx).Info().Str("provider", provider).Msg("Provider already exists")
 	} else if errors.As(err, &errConfig) {
 		return newHttpError(http.StatusBadRequest, "Invalid provider config").SetContents(
-			"The provider configuration is invalid: " + errConfig.Details)
+			"The provider configuration is invalid: %s", errConfig.Details)
 	} else if err != nil {
 		return fmt.Errorf("error creating provider: %w", err)
 	}
@@ -376,7 +376,7 @@ func (s *Server) processAppCallback(ctx context.Context, w http.ResponseWriter,
 		if err != nil {
 			if errors.As(err, &confErr) {
 				return newHttpError(http.StatusBadRequest, "Invalid provider config").SetContents(
-					"The provider configuration is invalid: " + confErr.Details)
+					"The provider configuration is invalid: %s", confErr.Details)
 			}
 			if errors.Is(err, service.ErrInvalidTokenIdentity) {
 				return newHttpError(http.StatusForbidden, "User token mismatch").SetContents(

diff --git a/internal/controlplane/handlers_providers.go b/internal/controlplane/handlers_providers.go
@@ -71,7 +71,7 @@ func (s *Server) CreateProvider(
 		return nil, util.UserVisibleError(codes.AlreadyExists, "provider already exists")
 	} else if errors.As(err, &configErr) {
 		zerolog.Ctx(ctx).Error().Err(err).Msg("provider config does not validate")
-		return nil, util.UserVisibleError(codes.InvalidArgument, "invalid provider config: "+configErr.Details)
+		return nil, util.UserVisibleError(codes.InvalidArgument, "invalid provider config: %s", configErr.Details)
 	} else if err != nil {
 		return nil, status.Errorf(codes.Internal, "error creating provider: %v", err)
 	}

diff --git a/internal/controlplane/handlers_repositories.go b/internal/controlplane/handlers_repositories.go
@@ -84,7 +84,7 @@ func (s *Server) RegisterRepository(
 	newRepo, err := s.repos.CreateRepository(ctx, provider, projectID, githubRepo.GetOwner(), githubRepo.GetName())
 	if err != nil {
 		if errors.Is(err, ghrepo.ErrPrivateRepoForbidden) || errors.Is(err, ghrepo.ErrArchivedRepoForbidden) {
-			return nil, util.UserVisibleError(codes.InvalidArgument, err.Error())
+			return nil, util.UserVisibleError(codes.InvalidArgument, "%s", err.Error())
 		}
 		return nil, util.UserVisibleError(codes.Internal, "unable to register repository: %v", err)
 	}
@@ -115,7 +115,7 @@ func (s *Server) ListRepositories(ctx context.Context,
 
 	reqRepoCursor, err := cursorutil.NewRepoCursor(in.GetCursor())
 	if err != nil {
-		return nil, util.UserVisibleError(codes.InvalidArgument, err.Error())
+		return nil, util.UserVisibleError(codes.InvalidArgument, "%s", err.Error())
 	}
 
 	repoId := sql.NullInt64{}

diff --git a/internal/controlplane/handlers_ruletype.go b/internal/controlplane/handlers_ruletype.go
@@ -245,7 +245,7 @@ func (s *Server) DeleteRuleType(
 	if err == nil {
 		if len(profiles) > 0 {
 			return nil, util.UserVisibleError(codes.FailedPrecondition,
-				fmt.Sprintf("cannot delete: rule type %s is used by profiles %s", in.GetId(), strings.Join(profiles, ", ")))
+				"cannot delete: rule type %s is used by profiles %s", in.GetId(), strings.Join(profiles, ", "))
 		}
 	} else if !errors.Is(err, sql.ErrNoRows) {
 		// If we failed for another reason, return an error

diff --git a/internal/engine/eval/jq/jq.go b/internal/engine/eval/jq/jq.go
@@ -97,7 +97,7 @@ func (jqe *Evaluator) Eval(ctx context.Context, pol map[string]any, res *engif.R
 				msg = fmt.Sprintf("%s\nassertion: %s", msg, string(marshalledAssertion))
 			}
 
-			return evalerrors.NewErrEvaluationFailed(msg)
+			return evalerrors.NewErrEvaluationFailed("%s", msg)
 		}
 	}
 

diff --git a/internal/engine/eval/rego/result.go b/internal/engine/eval/rego/result.go
@@ -246,5 +246,5 @@ func (jrb *jsonResultBuilder) formatResults() error {
 		return fmt.Errorf("failed to marshal violations: %w", err)
 	}
 
-	return engerrors.NewErrEvaluationFailed(string(jsonArray))
+	return engerrors.NewErrEvaluationFailed("%s", string(jsonArray))
 }
diff --git a/internal/engine/eval/trusty/trusty.go b/internal/engine/eval/trusty/trusty.go
@@ -216,7 +216,7 @@ func buildEvalResult(prSummary *summaryPrHandler) error {
 	}
 
 	if failedEvalMsg != "" {
-		return evalerrors.NewErrEvaluationFailed(failedEvalMsg)
+		return evalerrors.NewErrEvaluationFailed("%s", failedEvalMsg)
 	}
 
 	return nil

diff --git a/internal/engine/eval/vulncheck/vulncheck.go b/internal/engine/eval/vulncheck/vulncheck.go
@@ -58,7 +58,7 @@ func (e *Evaluator) Eval(ctx context.Context, pol map[string]any, res *engif.Res
 	}
 
 	if len(vulnerablePackages) > 0 {
-		return evalerrors.NewErrEvaluationFailed(fmt.Sprintf("vulnerable packages: %s", strings.Join(vulnerablePackages, ",")))
+		return evalerrors.NewErrEvaluationFailed("vulnerable packages: %s", strings.Join(vulnerablePackages, ","))
 	}
 
 	return nil

diff --git a/internal/repositories/github/service.go b/internal/repositories/github/service.go
@@ -327,9 +327,24 @@ func (r *repositoryService) deleteRepository(ctx context.Context, client ghclien
 		}
 	}
 
-	// then remove the entry in the DB
-	if err = r.store.DeleteRepository(ctx, repo.ID); err != nil {
-		return fmt.Errorf("error deleting repository from DB: %w", err)
+	_, err = db.WithTransaction(r.store, func(t db.ExtendQuerier) (*pb.Repository, error) {
+		// then remove the entry in the DB
+		if err := t.DeleteRepository(ctx, repo.ID); err != nil {
+			return nil, fmt.Errorf("error deleting repository from DB: %w", err)
+		}
+
+		if err := t.DeleteEntity(ctx, db.DeleteEntityParams{
+			ID:        repo.ID,
+			ProjectID: repo.ProjectID,
+		}); err != nil {
+			return nil, fmt.Errorf("error deleting entity from DB: %w", err)
+		}
+
+		return nil, nil
+	})
+
+	if err != nil {
+		return fmt.Errorf("error deleting repository: %w", err)
 	}
 
 	return nil

diff --git a/internal/repositories/github/service_test.go b/internal/repositories/github/service_test.go
@@ -465,15 +465,25 @@ func withFailedWebhookDelete(mock whMock) {
 }
 
 func withFailedDelete(mock dbMock) {
+	mock.EXPECT().GetQuerierWithTransaction(gomock.Any()).Return(mock)
+	mock.EXPECT().BeginTransaction().Return(nil, nil)
 	mock.EXPECT().
 		DeleteRepository(gomock.Any(), gomock.Eq(repoID)).
 		Return(errDefault)
+	mock.EXPECT().Rollback(gomock.Any()).Return(nil)
 }
 
 func withSuccessfulDelete(mock dbMock) {
+	mock.EXPECT().GetQuerierWithTransaction(gomock.Any()).Return(mock)
+	mock.EXPECT().BeginTransaction().Return(nil, nil)
 	mock.EXPECT().
 		DeleteRepository(gomock.Any(), gomock.Eq(repoID)).
 		Return(nil)
+	mock.EXPECT().
+		DeleteEntity(gomock.Any(), gomock.Any()).
+		Return(nil)
+	mock.EXPECT().Commit(gomock.Any()).Return(nil)
+	mock.EXPECT().Rollback(gomock.Any()).Return(nil)
 }
 
 func withFailedGetById(mock dbMock) {

diff --git a/internal/roles/service.go b/internal/roles/service.go
@@ -130,7 +130,7 @@ func (_ *roleService) UpdateRoleAssignment(ctx context.Context, qtx db.Querier,
 		if a.Subject == identity.String() {
 			roleToDelete, err := authz.ParseRole(a.Role)
 			if err != nil {
-				return nil, util.UserVisibleError(codes.Internal, err.Error())
+				return nil, util.UserVisibleError(codes.Internal, "%s", err.Error())
 			}
 			if err := authzClient.Delete(ctx, identity.String(), roleToDelete, targetProject); err != nil {
 				return nil, status.Errorf(codes.Internal, "error deleting previous role assignment: %v", err)

diff --git a/tools/go.mod b/tools/go.mod
@@ -7,7 +7,7 @@ require (
 	github.com/daixiang0/gci v0.13.4
 	github.com/deepmap/oapi-codegen/v2 v2.2.0
 	github.com/go-critic/go-critic v0.11.4
-	github.com/golangci/golangci-lint v1.59.1
+	github.com/golangci/golangci-lint v1.60.1
 	github.com/gotesttools/gotestfmt/v2 v2.5.0
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.21.0
 	github.com/mikefarah/yq/v4 v4.44.3
@@ -36,12 +36,12 @@ require (
 	github.com/Abirdcfly/dupword v0.0.14 // indirect
 	github.com/Antonboom/errname v0.1.13 // indirect
 	github.com/Antonboom/nilnil v0.1.9 // indirect
-	github.com/Antonboom/testifylint v1.3.1 // indirect
+	github.com/Antonboom/testifylint v1.4.3 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
-	github.com/BurntSushi/toml v1.4.0 // indirect
-	github.com/Crocmagnon/fatcontext v0.2.2 // indirect
+	github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c // indirect
+	github.com/Crocmagnon/fatcontext v0.4.0 // indirect
 	github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 // indirect
-	github.com/GaijinEntertainment/go-exhaustruct/v3 v3.2.0 // indirect
+	github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/semver/v3 v3.2.1 // indirect
@@ -62,7 +62,7 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bkielbasa/cyclop v1.2.1 // indirect
 	github.com/blizzy78/varnamelen v0.8.0 // indirect
-	github.com/bombsimon/wsl/v4 v4.2.1 // indirect
+	github.com/bombsimon/wsl/v4 v4.4.1 // indirect
 	github.com/breml/bidichk v0.2.7 // indirect
 	github.com/breml/errchkjson v0.3.6 // indirect
 	github.com/bufbuild/protocompile v0.14.0 // indirect
@@ -128,7 +128,7 @@ require (
 	github.com/gocarina/gocsv v0.0.0-20240520201108-78e41c74b4b1 // indirect
 	github.com/goccy/go-json v0.10.3 // indirect
 	github.com/goccy/go-yaml v1.12.0 // indirect
-	github.com/gofrs/flock v0.8.1 // indirect
+	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gofrs/uuid/v5 v5.2.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
@@ -171,7 +171,7 @@ require (
 	github.com/jinzhu/copier v0.4.0 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af // indirect
-	github.com/jjti/go-spancheck v0.6.1 // indirect
+	github.com/jjti/go-spancheck v0.6.2 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/julz/importas v0.1.0 // indirect
 	github.com/karamaru-alpha/copyloopvar v1.1.0 // indirect
@@ -197,7 +197,7 @@ require (
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.9 // indirect
-	github.com/mgechev/revive v1.3.7 // indirect
+	github.com/mgechev/revive v1.3.9 // indirect
 	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
@@ -206,7 +206,7 @@ require (
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
-	github.com/moricho/tparallel v0.3.1 // indirect
+	github.com/moricho/tparallel v0.3.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/muesli/mango v0.2.0 // indirect
 	github.com/muesli/mango-cobra v1.2.0 // indirect
@@ -240,7 +240,7 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/profile v1.7.0 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/polyfloyd/go-errorlint v1.5.2 // indirect
+	github.com/polyfloyd/go-errorlint v1.6.0 // indirect
 	github.com/prometheus/client_golang v1.19.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
@@ -256,21 +256,21 @@ require (
 	github.com/riza-io/grpc-go v0.2.0 // indirect
 	github.com/rs/cors v1.11.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/ryancurrah/gomodguard v1.3.2 // indirect
+	github.com/ryancurrah/gomodguard v1.3.3 // indirect
 	github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect
 	github.com/sagikazarmark/locafero v0.6.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/sanposhiho/wastedassign/v2 v2.0.7 // indirect
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
 	github.com/sashamelentyev/interfacebloat v1.1.0 // indirect
-	github.com/sashamelentyev/usestdlibvars v1.26.0 // indirect
+	github.com/sashamelentyev/usestdlibvars v1.27.0 // indirect
 	github.com/schollz/progressbar/v3 v3.14.6 // indirect
 	github.com/securego/gosec/v2 v2.20.1-0.20240525090044-5f0084eb01a9 // indirect
 	github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/sivchari/containedctx v1.0.3 // indirect
-	github.com/sivchari/tenv v1.7.1 // indirect
+	github.com/sivchari/tenv v1.10.0 // indirect
 	github.com/sonatard/noctx v0.0.2 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/sourcegraph/go-diff v0.7.0 // indirect
@@ -285,7 +285,6 @@ require (
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/stretchr/testify v1.9.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c // indirect
 	github.com/tdakkota/asciicheck v0.2.0 // indirect
 	github.com/tetafro/godot v1.4.16 // indirect
 	github.com/tetratelabs/wazero v1.7.3 // indirect
@@ -295,7 +294,7 @@ require (
 	github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
 	github.com/ultraware/funlen v0.1.0 // indirect
 	github.com/ultraware/whitespace v0.1.1 // indirect
-	github.com/uudashr/gocognit v1.1.2 // indirect
+	github.com/uudashr/gocognit v1.1.3 // indirect
 	github.com/vbatts/tar-split v0.11.5 // indirect
 	github.com/wasilibs/go-pgquery v0.0.0-20240606042535-c0843d6592cc // indirect
 	github.com/wasilibs/wazero-helpers v0.0.0-20240604052452-61d7981e9a38 // indirect
@@ -306,7 +305,7 @@ require (
 	github.com/yuin/gopher-lua v1.1.1 // indirect
 	gitlab.com/bosi/decorder v0.4.2 // indirect
 	go-simpler.org/musttag v0.12.2 // indirect
-	go-simpler.org/sloglint v0.7.1 // indirect
+	go-simpler.org/sloglint v0.7.2 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 // indirect
 	go.opentelemetry.io/otel v1.28.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
@@ -339,7 +338,7 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	helm.sh/helm/v3 v3.15.2 // indirect
-	honnef.co/go/tools v0.4.7 // indirect
+	honnef.co/go/tools v0.5.0 // indirect
 	modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6 // indirect
 	modernc.org/libc v1.55.3 // indirect
 	modernc.org/mathutil v1.6.0 // indirect