mindersec · eleftherias · Jan 31, 2025 · evankanderson · Jan 31, 2025 · eleftherias
@@ -0,0 +1,43 @@
+tests:
+  - name: go.mod with no go.sum
+    def: {}
+    params: {}
+    expect: "fail"
+    git:
+      repo_base: go_mod_no_go_sum
+  - name: go.mod with go.sum
+    def: {}
+    params: {}
+    expect: "pass"
+    git:
+      repo_base: go_mod_with_go_sum
+  - name: Gemfile with no Gemfile.lock
+    def: {}
+    params: {}
+    expect: "fail"
+    git:
+      repo_base: gemfile_no_lock
+  - name: Gemfile with Gemfile.lock
+    def: {}
+    params: {}
+    expect: "pass"
+    git:
+      repo_base: gemfile_with_lock
+  - name: package.json with package-lock.json
+    def: {}
+    params: {}
+    expect: "pass"
+    git:
+      repo_base: package_json_with_package_lock
+  - name: package.json with yarn.lock
+    def: {}
+    params: {}
+    expect: "pass"
+    git:
+      repo_base: package_json_with_yarn_lock
+  - name: package.json with no lockfile
+    def: {}
+    params: {}
+    expect: "fail"
+    git:
+      repo_base: package_json_no_lock
@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+gem 'rails', '~> 7.0'
+gem 'sqlite3', '~> 1.4'
@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+gem 'rails', '~> 7.0'
+gem 'sqlite3', '~> 1.4'
@@ -0,0 +1,25 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    rails (7.0.4)
+      actioncable (= 7.0.4)
+      actionmailer (= 7.0.4)
+      actionpack (= 7.0.4)
+      actionview (= 7.0.4)
+      activejob (= 7.0.4)
+      activemodel (= 7.0.4)
+      activerecord (= 7.0.4)
+      activestorage (= 7.0.4)
+      activesupport (= 7.0.4)
+      railties (= 7.0.4)
+    sqlite3 (1.4.2)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  rails (~> 7.0)
+  sqlite3 (~> 1.4)
+
+BUNDLED WITH
+   2.2.19
@@ -0,0 +1,7 @@
+module github.com/mindersec/minder-rules-and-profiles
+
+go 1.23.4
+
+require (
+	github.com/rs/zerolog v1.33.0
+)
@@ -0,0 +1,7 @@
+module github.com/mindersec/minder-rules-and-profiles
+
+go 1.23.4
+
+require (
+	github.com/rs/zerolog v1.33.0
+)
@@ -0,0 +1,11 @@
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
+github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -0,0 +1,15 @@
+{
+  "name": "my-app",
+  "version": "1.0.0",
+  "description": "A simple project with one dependency",
+  "main": "index.js",
+  "dependencies": {
+    "lodash": "^4.17.21"
+  },
+  "devDependencies": {},
+  "scripts": {
+    "start": "node index.js"
+  },
+  "author": "Your Name",
+  "license": "MIT"
+}
@@ -0,0 +1,15 @@
+{
+  "name": "my-app",
+  "version": "1.0.0",
+  "description": "A simple project with one dependency",
+  "main": "index.js",
+  "dependencies": {
+    "lodash": "^4.17.21"
+  },
+  "devDependencies": {},
+  "scripts": {
+    "start": "node index.js"
+  },
+  "author": "Your Name",
+  "license": "MIT"
+}
@@ -0,0 +1,15 @@
+{
+  "name": "my-app",
+  "version": "1.0.0",
+  "description": "A simple project with one dependency",
+  "main": "index.js",
+  "dependencies": {
+    "lodash": "^4.17.21"
+  },
+  "devDependencies": {},
+  "scripts": {
+    "start": "node index.js"
+  },
+  "author": "Your Name",
+  "license": "MIT"
+}
@@ -0,0 +1,4 @@
+lodash@^4.17.21:
+  version "4.17.21"
+  resolved "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
+  integrity sha512-KnxlP5n7gOxlXj1SxxWnWy0xQQjjfgtA5r+DRfdGp1P0FBrw6zEhmL+u90hQH2JszQXOxj6MSL
@@ -0,0 +1,73 @@
+---
+version: v1
+release_phase: alpha
+type: rule-type
+name: osps-qa-03
+display_name: Package management file listing dependencies is present
+short_failure_message: No package management file listing dependencies was found
+severity:
+  value: info
+context:
+  provider: github
+description: |
+  This rule ensures that the repository provides a dependency list that accounts 
+  for the direct language dependencies when the package management system supports it.
+  It checks for the presence of a Gemfile.lock, go.sum, package-lock.json or 
+  Cargo.toml according to the package management system used.
+guidance: |
+  Ensure that the repository provides a dependency list that accounts for the direct
+  language dependencies in the form of a lockfile, for example Gemfile.lock, go.sum,
+  package-lock.json etc.
+  Ensure the lockfile is in the same directory as the package file.
+def:
+  in_entity: repository
+  rule_schema: {}
+  ingest:
+    type: git
+  eval:
+    type: rego
+    rego:
+      type: deny-by-default
+      def: |
+        package minder
+
+        import rego.v1
+
+        default allow := false
+        default skip := false
+        default message := "Cannot find lockfile in the same directory as the package file"
+
+        package_manager_files := [
+          {"name": "Gemfile", "lockfiles": ["Gemfile.lock"]},
+          {"name": "go.mod", "lockfiles": ["go.sum"]},
+          {"name": "package.json", "lockfiles": ["package-lock.json", "yarn.lock"]},
+          {"name": "Cargo.toml", "lockfiles": ["Cargo.lock"]},
+        ]
+
+        skip if {
+          # Skip if no package manager file exists
+          every package_manager in package_manager_files {
+            required_files := file.ls_glob(sprintf("./%s", [package_manager.name]))
-            required_files := file.ls_glob(sprintf("./%s", [package_manager.name]))
+            all_files := file.walk(".")
+            package_manager_files = [ filepath |
+              filepath := all_files[_];
+              glob.match("**/" + package_manager[_].name, ["/"], filepath)
+            ]
-            required_files := file.ls_glob(sprintf("./%s", [package_manager.name]))
+            all_files := file.walk(".")
+            package_manager_files = [ filepath |
+              filepath := all_files[_];
+              glob.match("**/" + package_manager[_].name, ["/"], filepath)
+            ]
+            count(required_files) == 0
+          }
+        }
+
+        allow if {
+          # Ensure that we find the required file
+          some package_manager in package_manager_files
+          package_files := file.ls_glob(sprintf("./%s", [package_manager.name]))
+          count(package_files) > 0
+
+          # Get the directory for the package file
+          some package_path in package_files
+          dir := trim_suffix(package_path, sprintf("/%s", [package_manager.name]))
+
+          # Ensure a lockfile exists for the required file in the same directory
+          lockfile_exists(dir, package_manager.lockfiles) 
+        }
+
+        lockfile_exists(dir, lockfiles) if {
+          some lockfile in lockfiles
+          count(file.ls_glob(sprintf("%s/%s", [dir, lockfile]))) > 0
+        }
+