Change Secure analyzers/command library in order to fail when vulnerabilities detected and new exit codes enabled
Problem to solve
Secure analyzers implemented in Go need to be changed so that the `run` command returns a non-zero exit code when vulnerabilities are found. This new behavior shouldn't be enabled by default, to ensure backward compatibility.
Further details
Most Secure analyzers implemented in Go rely on the `analyzers/command` Go package to implement the `run` command. Currently this function returns no error when the scan is successful, even if the generated JSON report contains vulnerabilities.

`analyzers/command` was extracted from `analyzers/common`, and some analyzers still use this other repo.
Proposal
- Declare a new CLI flag and environment variable, to control the exit codes
- Change the `Run` function so that it returns an error when vulnerabilities are found, depending on the aforementioned environment variable; make the error implement the `ExitCoder` interface of `urfave/cli` to communicate the exit code.
- Fetch the exit code from a map, using a constant specific to that scenario
- Define exit code maps that correspond to the existing behavior and the new one
- Switch between the exit code maps/tables based on the environment variable defined in #324634 (closed)
A new Go package named `exitcodes` gathers all the code needed to return the correct exit code, based on the environment variables. This package is used by the `command` package and by the analyzers that implement their own `run` command.

TBD: Is `exitcodes` a new repo, or is it a sub-package of `command`?
Implementation plan
- Create a new `exitcodes` package that contains:
  - CLI flag for the exit codes version
  - constants for the supported error cases, like "vulnerabilities detected"
  - helper functions to resolve constants to errors to be returned, using the CLI context
- Update the `run` command in the `command` package:
  - include CLI flag exported by `exitcodes`
  - use helper functions and constants exported by `exitcodes` to return the correct exit code when the generated report contains at least one vulnerability
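The following is an added sketch of the design described in the Proposal and Implementation plan above; it is not code from `analyzers/command`, `analyzers/common` or the future `exitcodes` package. It defines a local interface with the same shape as `urfave/cli`'s `ExitCoder` (an `error` with an `ExitCode() int` method) so it runs without the dependency, keeps two exit code tables (legacy version 1 and the new version 2), resolves a reason constant to an error through the selected table, and defaults to the legacy table whenever the version is unset or invalid. The environment variable name `ANALYZER_EXIT_CODES_VERSION`, the `Reason` type and the numeric value 1 for the new table are assumptions of this example, not values from the issue.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
)

// ExitCoder mirrors the shape of urfave/cli's ExitCoder interface so the
// example runs without the dependency (hypothetical stand-in).
type ExitCoder interface {
	error
	ExitCode() int
}

// Reason identifies a scenario that maps to an exit code (hypothetical type).
type Reason string

// VulnerabilitiesDetected: the scan succeeded but the report is not empty.
const VulnerabilitiesDetected Reason = "vulnerabilities detected"

// Exit code tables keyed by version. Version 1 reproduces the existing
// behavior (a successful scan always exits 0); version 2 is the new one.
// The value 1 in the new table is an assumption of this example.
var exitCodeTables = map[int]map[Reason]int{
	1: {VulnerabilitiesDetected: 0},
	2: {VulnerabilitiesDetected: 1},
}

// EnvExitCodesVersion is a hypothetical environment variable name.
const EnvExitCodesVersion = "ANALYZER_EXIT_CODES_VERSION"

// exitError is what Run returns; the CLI framework reads ExitCode from it.
type exitError struct {
	reason Reason
	code   int
}

func (e *exitError) Error() string { return string(e.reason) }
func (e *exitError) ExitCode() int { return e.code }

// VersionFromEnv resolves the exit codes version. It falls back to the
// legacy table (1) when the variable is unset, non-numeric or unknown, so
// nothing changes unless a caller explicitly opts in.
func VersionFromEnv(lookup func(string) (string, bool)) int {
	v, ok := lookup(EnvExitCodesVersion)
	if !ok {
		return 1
	}
	n, err := strconv.Atoi(v)
	if err != nil {
		return 1
	}
	if _, known := exitCodeTables[n]; !known {
		return 1
	}
	return n
}

// Resolve turns a reason into the error Run should return. A code of 0 in
// the selected table means "not an error" and yields nil.
func Resolve(version int, reason Reason) error {
	table, ok := exitCodeTables[version]
	if !ok {
		return fmt.Errorf("unknown exit codes version %d", version)
	}
	code, ok := table[reason]
	if !ok {
		return fmt.Errorf("no exit code for reason %q", reason)
	}
	if code == 0 {
		return nil
	}
	return &exitError{reason: reason, code: code}
}

// Report is a minimal stand-in for the analyzer's JSON report.
type Report struct {
	Vulnerabilities []string
}

// Run mimics the run command after a successful scan: return an error
// carrying an exit code only when the report has findings and the active
// table assigns them a non-zero code.
func Run(version int, report Report) error {
	if len(report.Vulnerabilities) == 0 {
		return nil
	}
	return Resolve(version, VulnerabilitiesDetected)
}

// ExitCodeOf extracts the process exit status from Run's result, the way a
// CLI framework handling ExitCoder errors would (nil -> 0, plain error -> 1).
func ExitCodeOf(err error) int {
	var ec ExitCoder
	if errors.As(err, &ec) {
		return ec.ExitCode()
	}
	if err != nil {
		return 1
	}
	return 0
}

func main() {
	version := VersionFromEnv(os.LookupEnv)
	// Constructed report with a single finding.
	report := Report{Vulnerabilities: []string{"constructed-finding"}}
	err := Run(version, report)
	fmt.Printf("version=%d err=%v exit=%d\n", version, err, ExitCodeOf(err))
	os.Exit(ExitCodeOf(err))
}
```

Run it once with the variable unset and once with `ANALYZER_EXIT_CODES_VERSION=2`: the same non-empty report exits 0 under the legacy table and 1 under the new one. Keeping the 0 case as a `nil` return, rather than an `ExitCoder` with code 0, means existing callers that only test `err != nil` keep their current behavior.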
Availability & Testing
This will be tested in the integration tests of the Secure analyzers using the `common` library, when checking the exit code.
Is this a cross-stage feature?
This is stage-wide.
Links / references
- implementation plan: #324634 (closed)
- @adamcohen's experiments: #324634 (comment 530145822)
- @gonzoyumo's proposal: #324634 (comment 530604706)