Skip to content
Snippets Groups Projects
  1. Jan 31, 2024
  2. Jan 27, 2024
  3. Jan 16, 2024
    • Jamie Tanna's avatar
      feat: add `advisories` table for all advisories data · fe4efc69
      Jamie Tanna authored and Jamie Tanna's avatar Jamie Tanna committed
      Similar to the `policy_violations` table, this introduces a single view
      of all Advisories data that affects the dependencies in the database.
      
      This makes it simpler to query all package advisories by "simply"
      querying the `advisories` table, which includes all relevant information
      for package advisories.
      
      This allows us to remove a lot of duplication in our SQL queries for
      looking up advisories data, making sure that it's a much simpler process
      for querying data.
      
      We can still directly query the tables as before - following the example
      from `RetrievePackageAdvisoriesFromSeparateTables` - if we need to.
      
      We can also remove the references in `policy_violations` that indicates
      that `policy_violations` is better than `advisories`, as it no longer
      is!
      
      Because we want to make it easier to surface the `eol_from` and
      `supported_until` dates, too, we should add them as nullable fields to
      `advisories` - and defaulting it as `NULL` for tables that don't surface
      the data.
      
      Closes #414.
    • Jamie Tanna's avatar
      refactor!: rename `advisories` to `custom_advisories` · fe328384
      Jamie Tanna authored and Jamie Tanna's avatar Jamie Tanna committed
      BREAKING CHANGE:
      
      For some time, I've regretted the naming choice, as it can be a little
      confusing because the `advisories` table doesn't include all the
      advisories present in the dependency trees.
      
      This now makes it more explicit by using the new name
      `custom_advisories`.
      fe328384
    • Jamie Tanna's avatar
    • Jamie Tanna's avatar
      3a53dc45
  4. Jan 12, 2024
    • Jamie Tanna's avatar
      feat(OPA): expose Repository Metadata in policies · 5ea741ee
      Jamie Tanna authored
      To allow us to more appropriately target organisational policies around
      i.e. whether a repository is public, used for sensitive purposes, or
      otherwise, we can now consume the data available in
      `repository_metadata` with our Policies.
      5ea741ee
  5. Jan 09, 2024
  6. Jan 06, 2024
  7. Jan 05, 2024
  8. Jan 04, 2024
  9. Nov 29, 2023
    • Jamie Tanna's avatar
      Add ability to `warn` in policies · 8ec66df7
      Jamie Tanna authored
      As part of #277, we want to introduce the ability to `warn` in policies,
      as well as `deny`.
      
      This requires we introduce the new level, and make it possible to
      retrieve the `warn` rule out of policies.
      
      We can also refactor the key logic for evaluating policies' evaluation
      results into a helper method, simplifying the work that needs to be done
      and making it clearer in what cases something happens.
      
      Closes #277.
      8ec66df7
    • Jamie Tanna's avatar
      Introduce the `level` concept for policies · 53184723
      Jamie Tanna authored
      As part of #277, we want to introduce the ability to `warn` in policies,
      as well as `deny`.
      
      This is a good prefactor, as it's a rather sizeable change, and requires
      we:
      
      - wire in the level to queries
      - require that it's a single value, `ERROR`
      - require that it is included in making a violation unique
      53184723
    • Jamie Tanna's avatar
      Prefer `external_licenses` over `depsdev_licenses` · 1a994e01
      Jamie Tanna authored
      In queries to report licensing data, we should prioritise the data
      inserted into `external_licenses`, whether it's parsed by DMD, or has
      provided by the user, as it is assumed that `external_licenses` is more
      reliable.
      
      We need to handle the cases where one or both tables have the data,
      preferring `external_licenses`, as well as avoid returning any data when
      both tables are absent.
      
      This also amends how we retrieve data for policy evaluations, where we
      need to make sure we add a per-dependency `group by`s as we're now doing
      a `group_concat`, and otherwise we'll get invalid results. We want to
      make sure the lack of licenses does not cause any issues with lookups,
      as a dependency is still valid if no licensing data is made available.
      1a994e01
  10. Nov 27, 2023
    • Jamie Tanna's avatar
      Provide licensing data to OPA policies · fded60a6
      Jamie Tanna authored
      As part of #282, it'd be useful to be able to provide policy
      requirements based on whether a given dependency has a license that
      isn't organisationally allowed.
      
      To future-proof this, we can make sure it's an array of `licences`, even
      though right now we only have a single entry.
      
      This requires we `left join`, in the case that there's no license found.
      
      Additionally, document how to use it.
      
      Closes #282.
      fded60a6
  11. Nov 24, 2023
    • Jamie Tanna's avatar
      Add a report for policy violations · df99b73e
      Jamie Tanna authored
      Now we've produced policy violations in #258 and #268, we should also
      make them easily queryable.
      
      We can also expose this in a new report, `policy-violations`, which
      allows us to view these as-is, which may be important for certain users
      interacting with DMD.
      
      As we want to allow filtering on the CLI and the web, we should allow
      tweaking the parameters, requiring we have a separate query for
      performing `Like`s.
      
      This also provides the wiring for both the CLI's reporting, and for
      `dmd-web`.
      
      Closes #275.
      df99b73e
    • Jamie Tanna's avatar
      Add CLI to write policy violations to the DB · a6b11039
      Jamie Tanna authored
      As well as performing ad-hoc evaluations on the command-line with
      `dmd policy evaluate`, we should also make it possible to store the
      state in the DB.
      
      This introduces a new command-line call, `dmd db generate
      policy-violations`, which allows us to process each policy file in the
      specified directory.
      
      This introduces the new `policy_violations` table, instead of reusing
      `advisories`, as the `policy_violations` can have more detail than
      `advisories`. This was chosen to avoid trying to make `advisories` too
      complicated with lookups, and instead focus on a separate
      fit-for-purpose model.
      
      As this introduces a table, we need to provide the plumbing for a new
      `Repository`. We'll implement the anonymisation functionality in #283,
      as it needs some thinking before implementation.
      
      Closes #268.
      a6b11039
    • Jamie Tanna's avatar
      Add support for evaluating OPA policies · 674ddc64
      Jamie Tanna authored and Jamie Tanna's avatar Jamie Tanna committed
      As part of #258, we can introduce the `policy evaluate` command to give
      an indication of the impact of a given Policy being introduced.
      
      This requires we:
      
      - list all the repos and packages (so we can perform per-repo tuning of
        policies if needed) from Renovate and SBOM datasources
      - evaluate the policy, across many Goroutines due to the expected size
        of the returned list of dependencies
      
      Although the scope of #273 was for this to be a `--dry-run` flag, it
      makes more sense to be by default.
      
      Closes #273.
      674ddc64
Loading