Specify custom ref with analyze_repo (#131)

rgmz · becojo · web-flow · commit 6f567c86fef9 · 2024-06-18T13:42:35.000-04:00
* feat(analyze_repo): specify ref

* add ref to package insights

* add ref to json

---------

Co-authored-by: Becojo &lt;Becojo@users.noreply.github.com&gt;
diff --git a/analyze/analyze.go b/analyze/analyze.go
@@ -4,13 +4,14 @@ package analyze
 import (
 	"context"
 	"fmt"
-	"github.com/boostsecurityio/poutine/models"
-	"golang.org/x/sync/semaphore"
 	"os"
 	"strings"
 	"sync"
 	"time"
 
+	"github.com/boostsecurityio/poutine/models"
+	"golang.org/x/sync/semaphore"
+
 	"github.com/boostsecurityio/poutine/opa"
 	"github.com/boostsecurityio/poutine/providers/pkgsupply"
 	"github.com/boostsecurityio/poutine/scanner"
@@ -129,14 +130,14 @@ func (a *Analyzer) AnalyzeOrg(ctx context.Context, org string, numberOfGoroutine
 				defer sem.Release(1)
 				defer wg.Done()
 				repoNameWithOwner := repo.GetRepoIdentifier()
-				tempDir, err := a.cloneRepoToTemp(ctx, repo.BuildGitURL(a.ScmClient.GetProviderBaseURL()), a.ScmClient.GetToken())
+				tempDir, err := a.cloneRepoToTemp(ctx, repo.BuildGitURL(a.ScmClient.GetProviderBaseURL()), a.ScmClient.GetToken(), "HEAD")
 				if err != nil {
 					log.Error().Err(err).Str("repo", repoNameWithOwner).Msg("failed to clone repo")
 					return
 				}
 				defer os.RemoveAll(tempDir)
 
-				pkg, err := a.generatePackageInsights(ctx, tempDir, repo)
+				pkg, err := a.generatePackageInsights(ctx, tempDir, repo, "HEAD")
 				if err != nil {
 					log.Error().Err(err).Str("repo", repoNameWithOwner).Msg("failed to generate package insights")
 					return
@@ -166,7 +167,7 @@ func (a *Analyzer) AnalyzeOrg(ctx context.Context, org string, numberOfGoroutine
 	return a.finalizeAnalysis(ctx, inventory)
 }
 
-func (a *Analyzer) AnalyzeRepo(ctx context.Context, repoString string) error {
+func (a *Analyzer) AnalyzeRepo(ctx context.Context, repoString string, ref string) error {
 	org, repoName, err := a.ScmClient.ParseRepoAndOrg(repoString)
 	if err != nil {
 		return fmt.Errorf("failed to parse repository: %w", err)
@@ -200,13 +201,13 @@ func (a *Analyzer) AnalyzeRepo(ctx context.Context, repoString string) error {
 		progressbar.OptionSetWriter(os.Stderr),
 	)
 
-	tempDir, err := a.cloneRepoToTemp(ctx, repo.BuildGitURL(a.ScmClient.GetProviderBaseURL()), a.ScmClient.GetToken())
+	tempDir, err := a.cloneRepoToTemp(ctx, repo.BuildGitURL(a.ScmClient.GetProviderBaseURL()), a.ScmClient.GetToken(), ref)
 	if err != nil {
 		return err
 	}
 	defer os.RemoveAll(tempDir)
 
-	pkg, err := a.generatePackageInsights(ctx, tempDir, repo)
+	pkg, err := a.generatePackageInsights(ctx, tempDir, repo, ref)
 	if err != nil {
 		return err
 	}
@@ -255,7 +256,7 @@ func (a *Analyzer) AnalyzeLocalRepo(ctx context.Context, repoPath string) error
 		progressbar.OptionSetWriter(os.Stderr),
 	)
 
-	pkg, err := a.generatePackageInsights(ctx, repoPath, repo)
+	pkg, err := a.generatePackageInsights(ctx, repoPath, repo, "")
 	if err != nil {
 		return err
 	}
@@ -288,7 +289,7 @@ func (a *Analyzer) finalizeAnalysis(ctx context.Context, inventory *scanner.Inve
 	return nil
 }
 
-func (a *Analyzer) generatePackageInsights(ctx context.Context, tempDir string, repo Repository) (*models.PackageInsights, error) {
+func (a *Analyzer) generatePackageInsights(ctx context.Context, tempDir string, repo Repository, ref string) (*models.PackageInsights, error) {
 	commitDate, err := a.GitClient.LastCommitDate(ctx, tempDir)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get last commit date: %w", err)
@@ -299,9 +300,12 @@ func (a *Analyzer) generatePackageInsights(ctx context.Context, tempDir string,
 		return nil, fmt.Errorf("failed to get commit SHA: %w", err)
 	}
 
-	headBranchName, err := a.GitClient.GetRepoHeadBranchName(ctx, tempDir)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get head branch name: %w", err)
+	switch ref {
+	case "HEAD", "":
+		ref, err = a.GitClient.GetRepoHeadBranchName(ctx, tempDir)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get head branch name: %w", err)
+		}
 	}
 
 	purl := fmt.Sprintf("pkg:%s/%s", repo.GetProviderName(), strings.ToLower(repo.GetRepoIdentifier()))
@@ -311,7 +315,7 @@ func (a *Analyzer) generatePackageInsights(ctx context.Context, tempDir string,
 		SourceGitCommitSha: commitSha,
 		SourceScmType:      repo.GetProviderName(),
 		SourceGitRepo:      repo.GetRepoIdentifier(),
-		SourceGitRef:       headBranchName,
+		SourceGitRef:       ref,
 	}
 	err = pkg.NormalizePurl()
 	if err != nil {
@@ -320,13 +324,13 @@ func (a *Analyzer) generatePackageInsights(ctx context.Context, tempDir string,
 	return pkg, nil
 }
 
-func (a *Analyzer) cloneRepoToTemp(ctx context.Context, gitURL string, token string) (string, error) {
+func (a *Analyzer) cloneRepoToTemp(ctx context.Context, gitURL string, token string, ref string) (string, error) {
 	tempDir, err := os.MkdirTemp("", TEMP_DIR_PREFIX)
 	if err != nil {
 		return "", fmt.Errorf("failed to create temp directory: %w", err)
 	}
 
-	err = a.GitClient.Clone(ctx, tempDir, gitURL, token, "HEAD")
+	err = a.GitClient.Clone(ctx, tempDir, gitURL, token, ref)
 	if err != nil {
 		os.RemoveAll(tempDir) // Clean up if cloning fails
 		return "", fmt.Errorf("failed to clone repo: %s", err)
diff --git a/cmd/analyzeRepo.go b/cmd/analyzeRepo.go
@@ -2,10 +2,13 @@ package cmd
 
 import (
 	"fmt"
+
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 
+var ref string
+
 // analyzeRepoCmd represents the analyzeRepo command
 var analyzeRepoCmd = &cobra.Command{
 	Use:   "analyze_repo",
@@ -23,7 +26,7 @@ Example Scanning a remote Github Repository: poutine analyze_repo org/repo --tok
 
 		repo := args[0]
 
-		err = analyzer.AnalyzeRepo(ctx, repo)
+		err = analyzer.AnalyzeRepo(ctx, repo, ref)
 		if err != nil {
 			return fmt.Errorf("failed to analyze repo %s: %w", repo, err)
 		}
@@ -36,6 +39,7 @@ func init() {
 	rootCmd.AddCommand(analyzeRepoCmd)
 
 	analyzeRepoCmd.Flags().StringVarP(&token, "token", "t", "", "SCM access token (env: GH_TOKEN)")
+	analyzeRepoCmd.Flags().StringVarP(&ref, "ref", "r", "HEAD", "Commit or branch to analyze (defaults to HEAD)")
 
 	viper.BindPFlag("token", analyzeOrgCmd.Flags().Lookup("token"))
 	viper.BindEnv("token", "GH_TOKEN")
diff --git a/opa/rego/poutine/format/json.rego b/opa/rego/poutine/format/json.rego
@@ -10,6 +10,7 @@ dependencies[pkg.purl] contains dep if {
 packages[pkg.purl] = {
 	"dependencies": object.get(dependencies, pkg.purl, []),
 	"commit_sha": pkg.source_git_commit_sha,
+	"ref": pkg.source_git_ref,
 } if {
 	pkg := input.packages[_]
 }

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@ dependencies[pkg.purl] contains dep if {`
`10`	`10`	`packages[pkg.purl] = {`
`11`	`11`	`"dependencies": object.get(dependencies, pkg.purl, []),`
`12`	`12`	`"commit_sha": pkg.source_git_commit_sha,`
	`13`	`+ "ref": pkg.source_git_ref,`
`13`	`14`	`} if {`
`14`	`15`	`pkg := input.packages[_]`
`15`	`16`	`}`