From a4a31b7e80bf8c97c6f6a9615ec68fbb66ae700c Mon Sep 17 00:00:00 2001
From: Pedro Pombeiro
Date: Thu, 24 Jan 2019 14:24:57 +0100
Subject: [PATCH] Check Gopkg.toml constraints too

---
 src/dependency-check-gopkg.ts | 76 ++++++++++++++++++++++++-----------
 src/dependency-check-json.ts | 2 +-
 src/dependency.ts | 4 +-
 src/utils.ts | 6 ++-
 4 files changed, 61 insertions(+), 27 deletions(-)

diff --git a/src/dependency-check-gopkg.ts b/src/dependency-check-gopkg.ts
index 841efe4..d9ae641 100644
--- a/src/dependency-check-gopkg.ts
+++ b/src/dependency-check-gopkg.ts
@@ -4,7 +4,31 @@ import toml from 'toml'
 import { AnalysisResult } from './analysis-result'
 import { createAnnotation } from './annotation-result'
 import { AnnotationSource } from './annotation-source'
-import { Dependency } from './dependency'
+import { Dependency, GitRefType } from './dependency'
+
+type RawGopkgRefType = 'version' | 'branch' | 'revision'
+
+interface GopkgLockProject {
+ digest: string,
+ name: string,
+ source?: string,
+ packages: string[],
+ pruneopts?: string,
+
+ revision: string,
+ branch?: string,
+ version?: string,
+}
+
+interface GopkgTomlOverride {
+ name: string,
+ source?: string,
+ metadata?: any,
+
+ revision?: string,
+ branch?: string,
+ version?: string,
+}
 export async function checkGopkgFileAsync(
 analysisResult: AnalysisResult,
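Review bot: `metadata?: any` on the new `GopkgTomlOverride` interface switches off checking for that field; nothing in this patch reads it, so `metadata?: Record<string, unknown>` (a parsed TOML table is a plain object) or `unknown` keeps the declaration honest at no cost. The same interface is used for `[[constraint]]` entries as well as `[[override]]` entries in the second hunk, so a name such as `GopkgTomlConstraint` would describe both uses. Both new interfaces are only ever applied as unchecked casts over `toml.parse` output, which is worth saying where they are declared, e.g. `// Shape of a [[constraint]]/[[override]] entry as returned by toml.parse(); fields are not validated at runtime.`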
@@ -23,46 +47,52 @@ export async function checkGopkgFileAsync(
 const gopkgTomlContents = Buffer.from(gopkgTomlContentsResponse.data.content, 'base64').toString('utf8')
 const gopkgLockContents = Buffer.from(gopkgLockContentsResponse.data.content, 'base64').toString('utf8')
- const gopkgLockContentsToml = toml.parse(gopkgLockContents)
+ const gopkgTomlContentsJson = toml.parse(gopkgTomlContents)
+ const gopkgLockContentsJson = toml.parse(gopkgLockContents)
 await checkGoDependenciesAsync(
 gopkgTomlContents,
 gopkgLockContents,
- getDependenciesFromGopkg(gopkgLockContentsToml),
+ getDependenciesFromGopkg(gopkgTomlContentsJson, gopkgLockContentsJson),
 gopkgTomlFilename,
 gopkgLockFilename,
 analysisResult)
 }
-interface GopkgLockProject {
- digest: string,
- name: string,
- source?: string,
- packages: string[],
- pruneopts?: string,
-
- revision: string,
- branch?: string,
- version?: string,
-}
-
-function getDependenciesFromGopkg(gopkgLockContentsToml: any): Dependency[] {
+function getDependenciesFromGopkg(gopkgTomlContentsJson: any, gopkgLockContentsJson: any): Dependency[] {
 const dependencies: Dependency[] = []
- for (const tomlDep of gopkgLockContentsToml.projects as GopkgLockProject[]) {
- const rawRefType = getRawRefType(tomlDep)
+ for (const tomlDep of gopkgLockContentsJson.projects as GopkgLockProject[]) {
+ const rawRefType = getRawRefType(gopkgTomlContentsJson, tomlDep)
 dependencies.push({
 name: tomlDep.name,
 url: tomlDep.source ? tomlDep.source : tomlDep.name,
 rawRefType,
 refName: rawRefType ? (tomlDep as any)[rawRefType] : undefined,
- refType: getRefType(tomlDep),
+ refType: getRefType(rawRefType),
 })
 }
 return dependencies
 }
-function getRawRefType(tomlDep: GopkgLockProject): string | undefined {
+function getRawRefType(gopkgTomlContentsJson: any, tomlDep: GopkgLockProject): RawGopkgRefType | undefined {
+ const findConstraint =
+ (constraints: GopkgTomlOverride[], depName: string) =>
+ (constraints ? constraints.find((o: GopkgTomlOverride) => o.name === depName) : undefined)
+
+ const constraint: GopkgTomlOverride | undefined =
+ findConstraint(gopkgTomlContentsJson.constraint, tomlDep.name) ||
+ findConstraint(gopkgTomlContentsJson.override, tomlDep.name)
+ if (constraint) {
+ if (constraint.version) {
+ return 'version'
+ } else if (constraint.branch) {
+ return 'branch'
+ } else if (constraint.revision) {
+ return 'revision'
+ }
+ }
+
 if (tomlDep.version) {
 return 'version'
 } else if (tomlDep.branch) {
@@ -74,8 +104,8 @@ function getRawRefType(tomlDep: GopkgLockProject): string | undefined {
 return undefined
 }
-function getRefType(tomlDep: GopkgLockProject): 'commit' | 'tag' | 'branch' | 'unknown' {
- switch (getRawRefType(tomlDep)) {
+function getRefType(rawRefType: RawGopkgRefType | undefined): GitRefType | undefined {
+ switch (rawRefType) {
 case 'version':
 return 'tag'
 case 'branch':
@@ -83,7 +113,7 @@ function getRefType(tomlDep: GopkgLockProject): 'commit' | 'tag' | 'branch' | 'u
 case 'revision':
 return 'commit'
 default:
- return 'unknown'
+ return undefined
 }
 }
diff --git a/src/dependency-check-json.ts b/src/dependency-check-json.ts
index 2287e3e..027263a 100644
--- a/src/dependency-check-json.ts
+++ b/src/dependency-check-json.ts
@@ -103,7 +103,7 @@ async function checkDependenciesAsync(
 `${url} is not a deterministic dependency locator. If the branch advances, it will be impossible to rebuild the same output in the future.`,
 )
- } else if (refType === 'unknown') {
+ } else if (refType === undefined) {
 newAnnotation('failure',
 `Dependency is locked with an unknown ref-spec (\`${tag}\`).`,
 `Please check that the tag \`${tag}\` exists in the target repository ${address}.`,
 )
diff --git a/src/dependency.ts b/src/dependency.ts
index d2dd702..201ce5c 100644
--- a/src/dependency.ts
+++ b/src/dependency.ts
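Review bot: In `getRawRefType` the lookup `findConstraint(gopkgTomlContentsJson.constraint, tomlDep.name) || findConstraint(gopkgTomlContentsJson.override, tomlDep.name)` consults `[[constraint]]` before `[[override]]`, but in dep an override supersedes any constraint for the same project, so when both exist the ref kind reported here is the one dep disregards; swapping the two operands restores that precedence. The kind derived from the Gopkg.toml entry is then used by `getDependenciesFromGopkg` as the key into the lock project (`refName: rawRefType ? (tomlDep as any)[rawRefType] : undefined`), so a constraint naming a field the lock entry lacks yields a `Dependency` with `refType` set and `refName` undefined — falling back to the lock-derived kind when `(tomlDep as any)[rawRefType]` is absent, or reading `refName` from the constraint itself, would keep the two consistent. `findConstraint` types `constraints` as `GopkgTomlOverride[]` yet tests it for falsiness, and a Gopkg.toml written with a `[constraint]` table rather than `[[constraint]]` would parse to an object on which `.find` throws, so `Array.isArray(constraints) ? constraints.find((o: GopkgTomlOverride) => o.name === depName) : undefined` with the parameter typed `GopkgTomlOverride[] | undefined` covers both cases for a file the tool does not otherwise validate. The body of `getRawRefType` continues past the end of this hunk.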
@@ -1,7 +1,9 @@
+export type GitRefType = 'commit' | 'tag' | 'branch'
+
 export interface Dependency {
 name: string
 url: string
 rawRefType?: string,
- refType?: 'commit' | 'tag' | 'branch' | 'unknown'
+ refType?: GitRefType | undefined
 refName?: string
 }
diff --git a/src/utils.ts b/src/utils.ts
index d2c4197..6d5eb13 100644
--- a/src/utils.ts
+++ b/src/utils.ts
@@ -1,6 +1,8 @@
 import Octokit from '@octokit/rest'
 import { Context } from 'probot'
+import { GitRefType } from './dependency'
+
 export function findLineInFileContent(contents: string, substring: string): number {
 const index = contents.indexOf(substring)
 if (index < 0) {
@@ -25,7 +27,7 @@ export async function slowGetRefTypeAsync(
 context: Context,
 address: string,
 tag: string,
-): Promise<'commit' | 'tag' | 'branch' | 'unknown'> {
+): Promise {
 if (!tag) {
 return 'branch'
 }
@@ -65,7 +67,7 @@ export async function slowGetRefTypeAsync(
 }
 // probably not existing?
- return 'unknown'
+ return undefined
 }
 // Educated guess
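Review bot: `refType?: GitRefType | undefined` in the `Dependency` interface admits `undefined` twice, because the `?` already does; `refType?: GitRefType` matches the neighbouring `rawRefType?: string` and `refName?: string`. The newly exported alias is where the three literals get their meaning, so a one-line doc comment above it would help every importer, e.g. `/** Kind of git ref a dependency is pinned to; consumers use undefined for a ref that could not be classified. */`.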
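Review bot: The new return type of `slowGetRefTypeAsync` appears here as bare `Promise` (`+): Promise {`), which does not compile because `Promise` requires its type argument; the `<GitRefType | undefined>` part was presumably lost when this page was extracted (angle brackets read as markup), so confirm the committed line is `): Promise<GitRefType | undefined> {`. The final `return undefined` sits under a comment reading `// probably not existing?`, and since dependency-check-json.ts now branches on `refType === undefined` to raise a failure annotation, the comment could state the contract instead: `// Could not be classified as commit, tag or branch; callers report undefined as an unknown ref-spec.` The body of `slowGetRefTypeAsync` starts and ends outside these hunks.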