7d21d69 to 20bad99
I think you should write a new section in the dev docs, e.g. here, for a plugin writer, showing example code of, say, the python vuln reporting as an example.
7434120 to a2b4b22
@git-hyagi @bmbouter I would like to work on implementing this functionality in pulp python once this PR is done.
195dfce to 5fa343b
jobselko left a comment
I would appreciate it if someone could take a look at the queue and threading parts. The rest (aside from the things I already mentioned) looks good to me.
d2391f8 to 7710156
Maybe I'm missing how this is used in pulp-services, but it feels like this is currently missing the features needed to be useful for a user. e.g. How do I see what python/npm/rpm content is vulnerable? How do I see what vulnerabilities are in my repo-version?
| if created: | ||
| await CreatedResource.objects.acreate(content_object=vuln_report) |
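Review bot: `acreate` here records one `CreatedResource` row for every report where `created` is true, so a scan over a large repository version issues one INSERT per newly created report; if this sits inside the per-package scan tasks, collecting the new reports and creating the resources in one bulk call afterwards would keep the task's database round trips proportional to batches rather than to packages.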
I think this is going to create a lot of CreatedResources, but I guess this is the only way to see what Vulnerabilities are in a repo-version?
de9a627 to 9bdca7e
gerrod3 left a comment
Final nits. No more refactors after this, I promise 😅
| from pulpcore.plugin import viewsets as core_viewsets | ||
| from pulpcore.plugin.tasking import check_content, dispatch | ||
| class MyPluginRepositoryVersionViewSet(core_viewsets.RepositoryVersionViewSet): |
Either we continue using pulp_python as an example or we change the get_content_from_repo_version to be more generic.
| async for content in func(*args): | ||
| tasks.append(asyncio.create_task(vuln_report_scanner.scan_packages(content))) | ||
| await asyncio.gather(*tasks) |
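Review bot: `await asyncio.gather(*tasks)` without `return_exceptions=True` re-raises the first scan failure while the remaining tasks keep running and are never awaited, so a single failed upstream lookup aborts the whole scan and can leave the HTTP session open; consider `asyncio.gather(*tasks, return_exceptions=True)` (or an `asyncio.TaskGroup`), close the session in a `finally`, and record the failures in the progress report rather than losing them.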
Let's do one last change to make this cleaner. Rename scan_packages to scan_package. Then create a new scan_packages method inside VulnerabilityReportScanner and move this async for logic + the progress report updating inside of the new method. i.e.
```python
class VulnerabilityReportScanner:
    def __init__(self, semaphore, generator, session=None):
        self.semaphore = semaphore
        self.generator = generator
        ...

    async def scan_packages(self):
        tasks = []
        async for content in self.generator:
            tasks.append(asyncio.create_task(self.scan_package(content)))
        await asyncio.gather(*tasks)
        await self.session.close()  # This should remove that warning message we saw in the logs
        if self.created.done > 0:
            ...


# now in check_content
def check_content(func, args):
    ...
    semaphore = asyncio.Semaphore(settings.VULN_REPORT_TASK_LIMITER)
    vuln_report_scanner = VulnerabilityReportScanner(semaphore, func(*args))
    await vuln_report_scanner.scan_packages()
```
| OSV_QUERY_URL = "https://api.osv.dev/v1/query" | ||
| # Timeout when waiting on tasks scan thread queue to avoid indefinite blocking. | ||
| VULNERABILITY_TASK_THREAD_TIMEOUT = 60 |
Don't think we are using this anywhere.
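The scanner shape sketched in the review comments above (a `VulnerabilityReportScanner` holding a semaphore and a content generator, `scan_packages` creating one `scan_package` task per content unit and gathering them, and the OSV query URL coming from settings) as a self-contained, runnable example. This is added illustration, not pulpcore's or the PR's code: the `Package` dataclass, `FakeOSVSession`, `ScanResult`, `run_scan` and the sample package table are constructed here, `VULN_REPORT_TASK_LIMITER` is assumed to be a plain integer setting, and the fake session only reproduces the request/response shape of the OSV `/v1/query` API. It goes one step beyond the sketch by gathering with `return_exceptions=True` so one failed lookup is recorded instead of aborting the scan, and by closing the session in a `finally`.

```python
import asyncio
from dataclasses import dataclass, field

# Assumed settings (the real values live in the project's settings module).
OSV_QUERY_URL = "https://api.osv.dev/v1/query"
VULN_REPORT_TASK_LIMITER = 2  # max concurrent upstream queries


@dataclass
class Package:
    """Minimal stand-in for a content unit: only what an OSV query needs."""
    name: str
    version: str
    ecosystem: str = "PyPI"


@dataclass
class ScanResult:
    """What a scan run reports back (the project would update a ProgressReport)."""
    packages_scanned: int = 0
    reports_created: int = 0
    failures: list = field(default_factory=list)
    vulns: dict = field(default_factory=dict)   # "name==version" -> list of OSV ids
    session_closed: bool = False
    max_in_flight: int = 0


class FakeOSVSession:
    """Stand-in for an aiohttp session answering OSV /v1/query from a constructed table."""

    # Constructed sample data, not real advisories.
    _TABLE = {
        ("PyPI", "examplepkg", "1.0.0"): ["EXAMPLE-2024-0001"],
        ("PyPI", "otherpkg", "2.3.1"): [],
    }

    def __init__(self):
        self.closed = False
        self.in_flight = 0
        self.max_in_flight = 0

    async def post_json(self, url, payload):
        assert url == OSV_QUERY_URL
        self.in_flight += 1
        self.max_in_flight = max(self.max_in_flight, self.in_flight)
        await asyncio.sleep(0.01)  # simulated network latency so tasks overlap
        self.in_flight -= 1
        pkg = payload["package"]
        key = (pkg["ecosystem"], pkg["name"], payload["version"])
        if key not in self._TABLE:
            raise RuntimeError(f"upstream error for {key}")  # simulated failed lookup
        return {"vulns": [{"id": v} for v in self._TABLE[key]]}

    async def close(self):
        self.closed = True


class VulnerabilityReportScanner:
    def __init__(self, semaphore, generator, session):
        self.semaphore = semaphore
        self.generator = generator
        self.session = session
        self.result = ScanResult()

    @staticmethod
    def _query_payload(package):
        # Request body shape of the OSV v1 query API.
        return {"version": package.version,
                "package": {"name": package.name, "ecosystem": package.ecosystem}}

    async def scan_package(self, package):
        async with self.semaphore:  # bound concurrent upstream queries
            data = await self.session.post_json(OSV_QUERY_URL, self._query_payload(package))
        ids = [v["id"] for v in data.get("vulns", [])]
        self.result.packages_scanned += 1
        if ids:
            # The project would create a VulnerabilityReport (+ CreatedResource) here.
            self.result.reports_created += 1
            self.result.vulns[f"{package.name}=={package.version}"] = ids

    async def scan_packages(self):
        tasks = []
        async for content in self.generator:
            tasks.append(asyncio.create_task(self.scan_package(content)))
        try:
            outcomes = await asyncio.gather(*tasks, return_exceptions=True)
        finally:
            await self.session.close()  # always release the session, even on failure
            self.result.session_closed = True
        self.result.failures = [str(e) for e in outcomes if isinstance(e, Exception)]
        return self.result


async def _packages():
    # Constructed content stream; in the task this is func(*args) from check_content.
    for p in (Package("examplepkg", "1.0.0"), Package("otherpkg", "2.3.1"),
              Package("brokenpkg", "0.1")):
        yield p


def run_scan():
    """Run one scan over the constructed stream and return the ScanResult."""
    async def main():
        session = FakeOSVSession()
        scanner = VulnerabilityReportScanner(
            asyncio.Semaphore(VULN_REPORT_TASK_LIMITER), _packages(), session)
        result = await scanner.scan_packages()
        result.max_in_flight = session.max_in_flight
        return result
    return asyncio.run(main())


if __name__ == "__main__":
    print(run_scan())
```

With three packages and a limiter of 2, the fake session never sees more than two queries in flight, the failed lookup for `brokenpkg` ends up in `failures` rather than propagating, and the session is closed regardless.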
gerrod3 left a comment
This looks good. 🎉 Thanks for all the hard work on this!
closes: #6773