Add ruletype for OSPS-QA-03 #307
Conversation
| skip if { | ||
| # Skip if no package manager file exists | ||
| every package_manager in package_manager_files { | ||
| required_files := file.ls_glob(sprintf("./%s", [package_manager.name])) |
There was a problem hiding this comment.
Unfortunately the glob library we're using in Minder doesn't support ** patterns, which is why this only looks at the root directory. This is probably something we want to change in the Minder code.
There was a problem hiding this comment.
Yeah -- we could also use file.walk for this:
| required_files := file.ls_glob(sprintf("./%s", [package_manager.name])) | |
| all_files := file.walk(".") | |
| package_manager_files = [ filepath | | |
| filepath := all_files[_]; | |
| glob.match("**/" + package_manager[_].name, ["/"], filepath) | |
| ] |
| skip if { | ||
| # Skip if no package manager file exists | ||
| every package_manager in package_manager_files { | ||
| required_files := file.ls_glob(sprintf("./%s", [package_manager.name])) |
There was a problem hiding this comment.
Yeah -- we could also use file.walk for this:
| required_files := file.ls_glob(sprintf("./%s", [package_manager.name])) | |
| all_files := file.walk(".") | |
| package_manager_files = [ filepath | | |
| filepath := all_files[_]; | |
| glob.match("**/" + package_manager[_].name, ["/"], filepath) | |
| ] |
| allow if { | ||
| # Ensure that we find the required file | ||
| some package_manager in package_manager_files | ||
| package_files := file.ls_glob(sprintf("./%s", [package_manager.name])) | ||
| count(package_files) > 0 | ||
|
|
||
| # Get the directory for the package file | ||
| some package_path in package_files | ||
| dir := trim_suffix(package_path, sprintf("/%s", [package_manager.name])) | ||
|
|
||
| # Ensure a lockfile exists for the required file in the same directory | ||
| lockfile_exists(dir, package_manager.lockfiles) | ||
| } |
There was a problem hiding this comment.
Is this an allow if or a constraints if the lockfile is missing? i.e. if I have:
./go.mod
./go.sum
./package.json
(No lockfile for NPM)
Is this a "pass" or a "fail"? I suspect it's a fail for the NPM ecosystem, even if it's a pass for the Go ecosystem.
| ] | ||
|
|
||
| skip if { | ||
| # Skip if no package manager file exists |
There was a problem hiding this comment.
Looking at QA-03, I think if there's a language in the repo identified by GitHub, we should be ensuring that there are package files, rather than ignoring repos that also don't check in Gemfile/etc.
We could find the set of detected languages with a call to the repo config data source. At least for npm and Go, I know that a go.mod / package.json is needed to declare a module at all, whether or not it has dependencies, so checking for those files makes sense.
Fix #289
I intentionally didn't add it to the profile because the definition isn't final.