feat: warning errors to bubble up as cli exit code

Author: sacha-c

internal/cli/patrol.go

@@ -144,7 +144,7 @@ func PatrolAction(cCtx *cli.Context) error {
 	patrolService := patrol.New(gitlabService, slackService, gitService, osvService)
 
 	// Run the scan
-	if err := patrolService.Patrol(
+	if warn, err := patrolService.Patrol(
 		cCtx.StringSlice(groupsFlag),
 		cCtx.StringSlice(projectsFlag),
 		cCtx.Bool(reportGitlabFlag),
@@ -154,6 +154,8 @@ func PatrolAction(cCtx *cli.Context) error {
 		verbose,
 	); err != nil {
 		return errors.Join(errors.New("failed to scan"), err)
+	} else if warn != nil {
+		return cli.Exit("Scan was partially successful, some errors occurred. Check the logs for more information.", 1)
 	}
 
 	return nil

internal/gitlab/gitlab.go

@@ -15,7 +15,7 @@ const VulnerabilityIssueTitle = "Sheriff - 🚨 Vulnerability report"
 
 // IService is the interface of the GitLab service as needed by sheriff
 type IService interface {
-	GetProjectList(groupPaths []string, projectPaths []string) ([]gitlab.Project, error)
+	GetProjectList(groupPaths []string, projectPaths []string) (projects []gitlab.Project, warn error)
 	CloseVulnerabilityIssue(project gitlab.Project) error
 	OpenVulnerabilityIssue(project gitlab.Project, report string) (*gitlab.Issue, error)
 }
@@ -36,28 +36,28 @@ func New(gitlabToken string) (IService, error) {
 	return &s, nil
 }
 
-func (s *service) GetProjectList(groupPaths []string, projectPaths []string) (projects []gitlab.Project, err error) {
-	projects, err = s.gatherProjects(projectPaths)
-	if err != nil {
-		log.Error().Err(err).Msg("Failed to fetch projects")
-		err = nil
+func (s *service) GetProjectList(groupPaths []string, projectPaths []string) (projects []gitlab.Project, warn error) {
+	projects, pwarn := s.gatherProjects(projectPaths)
+	if pwarn != nil {
+		pwarn = errors.Join(errors.New("errors occured when gathering projects"), pwarn)
+		warn = errors.Join(pwarn, warn)
 	}
 
-	groupsProjects, err := s.gatherGroupsProjects(groupPaths)
-	if err != nil {
-		log.Error().Err(err).Msg("Failed to fetch projects from groups")
-		err = nil
-	} else {
-		projects = append(projects, groupsProjects...)
+	groupsProjects, gpwarn := s.gatherGroupsProjects(groupPaths)
+	if gpwarn != nil {
+		gpwarn = errors.Join(errors.New("errors occured when gathering groups projects"), gpwarn)
+		warn = errors.Join(gpwarn, warn)
 	}
 
+	projects = append(projects, groupsProjects...)
+
 	// Filter unique projects -- there may be duplicates between groups, other groups and projects
 	projects = filterUniqueProjects(projects)
 
 	projectsNamespaces := pie.Map(projects, func(p gitlab.Project) string { return p.PathWithNamespace })
 	log.Info().Strs("projects", projectsNamespaces).Msg("Projects to scan")
 
-	return
+	return projects, warn
 }
 
 // CloseVulnerabilityIssue closes the vulnerability issue for the given project
@@ -160,11 +160,10 @@ func (s *service) getProject(path string) (*gitlab.Project, error) {
 		return nil, errors.Join(fmt.Errorf("failed to fetch group %v", groupPath), err)
 	}
 
-	projects, err := s.listGroupProjects(group.ID)
-	if err != nil {
+	projects, _, lgerr := s.listGroupProjects(group.ID)
+	if lgerr != nil {
 		return nil, errors.Join(fmt.Errorf("failed to fetch list of projects like %v", path), err)
 	}
-
 	for _, project := range projects {
 		if project.PathWithNamespace == path {
 			return &project, nil
@@ -174,35 +173,41 @@ func (s *service) getProject(path string) (*gitlab.Project, error) {
 	return nil, fmt.Errorf("project %v not found", path)
 }
 
-func (s *service) gatherGroupsProjects(groupPaths []string) (projects []gitlab.Project, err error) {
+func (s *service) gatherGroupsProjects(groupPaths []string) (projects []gitlab.Project, warn error) {
 	for _, groupPath := range groupPaths {
-		group, err := s.getGroup(groupPath)
-		if err != nil {
-			log.Error().Err(err).Str("group", groupPath).Msg("Failed to fetch group")
-			err = nil
+		group, gerr := s.getGroup(groupPath)
+		if gerr != nil {
+			log.Error().Err(gerr).Str("group", groupPath).Msg("Failed to fetch group")
+			gerr = errors.Join(fmt.Errorf("failed to fetch group %v", groupPath), gerr)
+			warn = errors.Join(gerr, warn)
 			continue
 		}
 
-		groupProjects, err := s.listGroupProjects(group.ID)
-		if err != nil {
-			log.Error().Err(err).Str("group", groupPath).Msg("Failed to fetch projects of group")
-			err = nil
-			continue
+		if groupProjects, gpwarn, gperr := s.listGroupProjects(group.ID); gperr != nil {
+			log.Error().Err(gpwarn).Str("group", groupPath).Msg("Failed to fetch projects of group")
+			gperr = errors.Join(fmt.Errorf("failed to fetch projects of group %v", groupPath), gperr)
+			warn = errors.Join(gperr, warn)
+		} else if gpwarn != nil {
+			gpwarn = errors.Join(fmt.Errorf("failed to fetch projects of group %v", groupPath), gpwarn)
+			warn = errors.Join(gpwarn, warn)
+
+			projects = append(projects, groupProjects...)
+		} else {
+			projects = append(projects, groupProjects...)
 		}
-
-		projects = append(projects, groupProjects...)
 	}
 
 	return
 }
 
-func (s *service) gatherProjects(projectPaths []string) (projects []gitlab.Project, err error) {
+func (s *service) gatherProjects(projectPaths []string) (projects []gitlab.Project, warn error) {
 	for _, projectPath := range projectPaths {
 		log.Info().Str("project", projectPath).Msg("Getting project")
 		p, err := s.getProject(projectPath)
 		if err != nil {
 			log.Error().Err(err).Str("project", projectPath).Msg("Failed to fetch project")
-			err = nil
+			err = errors.Join(fmt.Errorf("failed to fetch project %v", projectPath), err)
+			warn = errors.Join(err, warn)
 			continue
 		}
 
@@ -230,7 +235,7 @@ func (s *service) getVulnerabilityIssue(project gitlab.Project) (issue *gitlab.I
 }
 
 // listGroupProjects returns the list of projects for the given group ID
-func (s *service) listGroupProjects(groupID int) (projects []gitlab.Project, err error) {
+func (s *service) listGroupProjects(groupID int) (projects []gitlab.Project, warn error, err error) {
 	projectPtrs, response, err := s.client.ListGroupProjects(groupID,
 		&gitlab.ListGroupProjectsOptions{
 			Archived:         gitlab.Ptr(false),
@@ -242,18 +247,19 @@ func (s *service) listGroupProjects(groupID int) (projects []gitlab.Project, err
 			},
 		})
 	if err != nil {
-		return projects, errors.Join(errors.New("failed to fetch list of projects"), err)
+		return nil, nil, errors.Join(errors.New("failed to fetch list of projects"), err)
 	}
 
 	projects, errCount := dereferenceProjectsPointers(projectPtrs)
 	if errCount > 0 {
-		log.Error().Int("groupID", groupID).Int("count", errCount).Msg("Found nil projects, skipping them.")
+		log.Warn().Int("groupID", groupID).Int("count", errCount).Msg("Found nil projects, skipping them.")
 	}
 
 	if response.TotalPages > 1 {
-		nextProjects, err := s.listGroupNextProjects(groupID, response.TotalPages)
-		if err != nil {
-			return nil, err
+		nextProjects, lgwarn := s.listGroupNextProjects(groupID, response.TotalPages)
+		if lgwarn != nil {
+			lgwarn = errors.Join(errors.New("errors occured when fetching next pages"), lgwarn)
+			warn = errors.Join(lgwarn, warn)
 		}
 
 		projects = append(projects, nextProjects...)
@@ -262,10 +268,20 @@ func (s *service) listGroupProjects(groupID int) (projects []gitlab.Project, err
 	return
 }
 
+func ToChan[T any](s []T) <-chan T {
+	ch := make(chan T, len(s))
+	for _, e := range s {
+		ch <- e
+	}
+	close(ch)
+	return ch
+}
+
 // listGroupNextProjects returns the list of projects for the given group ID from the next pages
-func (s *service) listGroupNextProjects(groupID int, totalPages int) (projects []gitlab.Project, err error) {
+func (s *service) listGroupNextProjects(groupID int, totalPages int) (projects []gitlab.Project, warn error) {
 	var wg sync.WaitGroup
 	nextProjectsChan := make(chan []gitlab.Project, totalPages)
+	warnChan := make(chan error, totalPages)
 	for p := 2; p <= totalPages; p++ {
 		wg.Add(1)
 
@@ -284,24 +300,31 @@ func (s *service) listGroupNextProjects(groupID int, totalPages int) (projects [
 				})
 			if err != nil {
 				log.Error().Err(err).Int("groupID", groupID).Int("page", p).Msg("Failed to fetch projects of next page, these projects will be missing.")
+				warnChan <- err
 			}
 
 			projects, errCount := dereferenceProjectsPointers(projectPtrs)
 			if errCount > 0 {
-				log.Error().Int("groupID", groupID).Int("page", p).Int("count", errCount).Msg("Found nil projects, skipping them.")
+				log.Warn().Int("groupID", groupID).Int("page", p).Int("count", errCount).Msg("Found nil projects, skipping them.")
 			}
 
 			nextProjectsChan <- projects
 		}(nextProjectsChan)
 	}
 	wg.Wait()
 	close(nextProjectsChan)
+	close(warnChan)
 
 	// Collect projects
 	for nextProjects := range nextProjectsChan {
 		projects = append(projects, nextProjects...)
 	}
 
+	// Collect warnings
+	for w := range warnChan {
+		warn = errors.Join(w, warn)
+	}
+
 	return
 }
 

internal/patrol/patrol.go

@@ -24,7 +24,7 @@ const projectConfigFileName = "sheriff.toml"
 // securityPatroller is the interface of the main security scanner service of this tool.
 type securityPatroller interface {
 	// Scans the given Gitlab groups and projects, creates and publishes the necessary reports
-	Patrol(grouiPaths []string, projectPaths []string, gitlabIssue bool, slackChannel string, reportProjectSlack bool, silentReport bool, verbose bool) error
+	Patrol(grouiPaths []string, projectPaths []string, gitlabIssue bool, slackChannel string, reportProjectSlack bool, silentReport bool, verbose bool) (warn error, err error)
 }
 
 // sheriffService is the implementation of the SecurityPatroller interface.
@@ -48,20 +48,28 @@ func New(gitlabService gitlab.IService, slackService slack.IService, gitService
 }
 
 // Patrol scans the given Gitlab groups and projects, creates and publishes the necessary reports.
-func (s *sheriffService) Patrol(groupPaths []string, projectPaths []string, gitlabIssue bool, slackChannel string, reportProjectSlack bool, silentReport bool, verbose bool) error {
-	scanReports, err := s.scanAndGetReports(groupPaths, projectPaths)
+func (s *sheriffService) Patrol(groupPaths []string, projectPaths []string, gitlabIssue bool, slackChannel string, reportProjectSlack bool, silentReport bool, verbose bool) (warn error, err error) {
+	scanReports, swarn, err := s.scanAndGetReports(groupPaths, projectPaths)
 	if err != nil {
-		return errors.Join(errors.New("failed to scan projects"), err)
+		return nil, errors.Join(errors.New("failed to scan projects"), err)
+	}
+	if swarn != nil {
+		swarn = errors.Join(errors.New("errors occured when scanning projects"), swarn)
+		warn = errors.Join(swarn, warn)
 	}
 
 	if len(scanReports) == 0 {
 		log.Warn().Msg("No reports found. Check if projects and group paths are correct, and check the logs for any earlier errors.")
-		return nil
+		return swarn, nil
 	}
 
 	if gitlabIssue {
 		log.Info().Msg("Creating issue in affected projects")
-		publish.PublishAsGitlabIssues(scanReports, s.gitlabService)
+		if gwarn := publish.PublishAsGitlabIssues(scanReports, s.gitlabService); gwarn != nil {
+			gwarn = errors.Join(errors.New("errors occured when creating issues"), gwarn)
+			warn = errors.Join(gwarn, warn)
+		}
+
 	}
 
 	if s.slackService != nil {
@@ -70,33 +78,40 @@ func (s *sheriffService) Patrol(groupPaths []string, projectPaths []string, gitl
 
 			if err := publish.PublishAsGeneralSlackMessage(slackChannel, scanReports, groupPaths, projectPaths, s.slackService); err != nil {
 				log.Error().Err(err).Msg("Failed to post slack report")
+				err = errors.Join(errors.New("failed to post slack report"), err)
+				warn = errors.Join(err, warn)
 			}
 		}
 
 		if reportProjectSlack {
 			log.Info().Msg("Posting report to project slack channel")
-			publish.PublishAsSpecificChannelSlackMessage(scanReports, s.slackService)
+			if swarn := publish.PublishAsSpecificChannelSlackMessage(scanReports, s.slackService); swarn != nil {
+				swarn = errors.Join(errors.New("errors occured when posting to project slack channel"), swarn)
+				warn = errors.Join(swarn, warn)
+			}
+
 		}
 	}
 
 	publish.PublishToConsole(scanReports, silentReport)
 
-	return nil
+	return warn, nil
 }
 
-func (s *sheriffService) scanAndGetReports(groupPaths []string, projectPaths []string) (reports []scanner.Report, err error) {
+func (s *sheriffService) scanAndGetReports(groupPaths []string, projectPaths []string) (reports []scanner.Report, warn error, err error) {
 	// Create a temporary directory to store the scans
 	err = os.MkdirAll(tempScanDir, os.ModePerm)
 	if err != nil {
-		return nil, errors.New("could not create temporary directory")
+		return nil, nil, errors.New("could not create temporary directory")
 	}
 	defer os.RemoveAll(tempScanDir)
 	log.Info().Str("path", tempScanDir).Msg("Created temporary directory")
 	log.Info().Strs("groups", groupPaths).Strs("projects", projectPaths).Msg("Getting the list of projects to scan")
 
-	projects, err := s.gitlabService.GetProjectList(groupPaths, projectPaths)
-	if err != nil {
-		return nil, errors.Join(errors.New("could not get project list"), err)
+	projects, pwarn := s.gitlabService.GetProjectList(groupPaths, projectPaths)
+	if pwarn != nil {
+		pwarn = errors.Join(errors.New("errors occured when getting project list"), pwarn)
+		warn = errors.Join(pwarn, warn)
 	}
 
 	// Scan all projects in parallel
@@ -109,6 +124,8 @@ func (s *sheriffService) scanAndGetReports(groupPaths []string, projectPaths []s
 			log.Info().Str("project", project.Name).Msg("Scanning project")
 			if report, err := s.scanProject(project); err != nil {
 				log.Error().Err(err).Str("project", project.Name).Msg("Failed to scan project, skipping.")
+				err = errors.Join(fmt.Errorf("failed to scan project %v", project.Name), err)
+				warn = errors.Join(err, warn)
 				reportsChan <- scanner.Report{Project: project, Error: true}
 			} else {
 				reportsChan <- *report

internal/patrol/patrol_test.go

@@ -30,9 +30,10 @@ func TestScanNoProjects(t *testing.T) {
 
 	svc := New(mockGitlabService, mockSlackService, mockGitService, mockOSVService)
 
-	err := svc.Patrol([]string{"group/to/scan"}, []string{}, true, "channel", true, false, false)
+	warn, err := svc.Patrol([]string{"group/to/scan"}, []string{}, true, "channel", true, false, false)
 
 	assert.Nil(t, err)
+	assert.Nil(t, warn)
 	mockGitlabService.AssertExpectations(t)
 	mockSlackService.AssertExpectations(t)
 }
@@ -54,9 +55,10 @@ func TestScanNonVulnerableProject(t *testing.T) {
 
 	svc := New(mockGitlabService, mockSlackService, mockGitService, mockOSVService)
 
-	err := svc.Patrol([]string{"group/to/scan"}, []string{}, true, "channel", true, false, false)
+	warn, err := svc.Patrol([]string{"group/to/scan"}, []string{}, true, "channel", true, false, false)
 
 	assert.Nil(t, err)
+	assert.Nil(t, warn)
 	mockGitlabService.AssertExpectations(t)
 	mockSlackService.AssertExpectations(t)
 }
@@ -86,9 +88,10 @@ func TestScanVulnerableProject(t *testing.T) {
 
 	svc := New(mockGitlabService, mockSlackService, mockGitService, mockOSVService)
 
-	err := svc.Patrol([]string{"group/to/scan"}, []string{}, true, "channel", true, false, false)
+	warn, err := svc.Patrol([]string{"group/to/scan"}, []string{}, true, "channel", true, false, false)
 
 	assert.Nil(t, err)
+	assert.Nil(t, warn)
 	mockGitlabService.AssertExpectations(t)
 	mockSlackService.AssertExpectations(t)
 }