
Commit 7ed1de4

Added relative project path to the fix branch name (#1051)
* added full path to the branch hash name * after code review * go sec ignore * go sec ignore
1 parent 6771e25 commit 7ed1de4


5 files changed

+24
-13
lines changed


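--- a/scanrepository/scanrepository.go
+++ b/scanrepository/scanrepository.go
@@ -308,8 +308,9 @@ func (cfp *ScanRepositoryCmd) fixProjectVulnerabilities(repository *utils.Reposi
 }
 
 // Fix every vulnerability in a separate pull request and branch
+projectPathFromRoot := projectWorkingDir
 for _, vulnerability := range vulnerabilities {
-if e := cfp.fixSinglePackageAndCreatePR(repository, vulnerability); e != nil {
+if e := cfp.fixSinglePackageAndCreatePR(repository, projectPathFromRoot, vulnerability); e != nil {
 err = errors.Join(err, cfp.handleUpdatePackageErrors(e))
 }
 
@@ -386,10 +387,11 @@ func (cfp *ScanRepositoryCmd) handleUpdatePackageErrors(err error) error {
 
 // Creates a branch for the fixed package and open pull request against the target branch.
 // In case a branch already exists on remote, we skip it.
-func (cfp *ScanRepositoryCmd) fixSinglePackageAndCreatePR(repository *utils.Repository, vulnDetails *utils.VulnerabilityDetails) (err error) {
+// projectPathFromRoot is the relative path of the project from the repository root (used for branch name uniqueness).
+func (cfp *ScanRepositoryCmd) fixSinglePackageAndCreatePR(repository *utils.Repository, projectPathFromRoot string, vulnDetails *utils.VulnerabilityDetails) (err error) {
 fixVersion := vulnDetails.SuggestedFixedVersion
 log.Debug("Attempting to fix", fmt.Sprintf("%s:%s", vulnDetails.ImpactedDependencyName, vulnDetails.ImpactedDependencyVersion), "with", fixVersion)
-fixBranchName, err := cfp.gitManager.GenerateFixBranchName(cfp.scanDetails.BaseBranch(), vulnDetails.ImpactedDependencyName, fixVersion)
+fixBranchName, err := cfp.gitManager.GenerateFixBranchName(cfp.scanDetails.BaseBranch(), vulnDetails.ImpactedDependencyName, fixVersion, projectPathFromRoot)
 if err != nil {
 return
 }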
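Review bot: `projectPathFromRoot := projectWorkingDir` introduces an alias whose name asserts a property (relative to the repository root) that nothing in the hunk establishes; if projectWorkingDir is ever an absolute or OS-native path, the hash it feeds into changes with the checkout location or platform and the resulting branch name is no longer reproducible. Either pass projectWorkingDir directly, or keep the alias and add a comment on that line naming where the path is made relative, e.g. `// projectWorkingDir is already relative to the repository root; it feeds the branch-name hash, so it must be stable across runs`. The new doc line on fixSinglePackageAndCreatePR is welcome, but it would read better merged into the existing two-line comment rather than appended after the "we skip it" sentence. fixProjectVulnerabilities starts outside the hunk, so where projectWorkingDir is derived cannot be confirmed here.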

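--- a/scanrepository/scanrepository_test.go
+++ b/scanrepository/scanrepository_test.go
@@ -15,8 +15,6 @@ import (
 "github.com/CycloneDX/cyclonedx-go"
 "github.com/google/go-github/v45/github"
 biutils "github.com/jfrog/build-info-go/utils"
-"github.com/jfrog/frogbot/v2/utils"
-"github.com/jfrog/frogbot/v2/utils/outputwriter"
 "github.com/jfrog/froggit-go/vcsclient"
 "github.com/jfrog/froggit-go/vcsutils"
 "github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
@@ -31,6 +29,9 @@ import (
 "github.com/jfrog/jfrog-client-go/xray/services"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
+
+"github.com/jfrog/frogbot/v2/utils"
+"github.com/jfrog/frogbot/v2/utils/outputwriter"
 )
 
 const rootTestDir = "scanrepository"
@@ -392,16 +393,20 @@ func TestGenerateFixBranchName(t *testing.T) {
 baseBranch string
 impactedPackage string
 fixVersion string
+projectPath string
 expectedName string
 }{
-{"dev", "gopkg.in/yaml.v3", "3.0.0", "frogbot-gopkg.in/yaml.v3-d61bde82dc594e5ccc5a042fe224bf7c"},
-{"master", "gopkg.in/yaml.v3", "3.0.0", "frogbot-gopkg.in/yaml.v3-41405528994061bd108e3bbd4c039a03"},
-{"dev", "replace:colons:colons", "3.0.0", "frogbot-replace_colons_colons-89e555131b4a70a32fe9d9c44d6ff0fc"},
+{"dev", "gopkg.in/yaml.v3", "3.0.0", "", "frogbot-gopkg.in/yaml.v3-d61bde82dc594e5ccc5a042fe224bf7c"},
+{"master", "gopkg.in/yaml.v3", "3.0.0", "", "frogbot-gopkg.in/yaml.v3-41405528994061bd108e3bbd4c039a03"},
+{"dev", "replace:colons:colons", "3.0.0", "", "frogbot-replace_colons_colons-89e555131b4a70a32fe9d9c44d6ff0fc"},
+{"main", "requests", "2.25.3", "", "frogbot-requests-ae6fef399c0fdd96441b0215f28147d2"},
+{"main", "requests", "2.25.3", "subfolder", "frogbot-requests-28662794aa63a6250dd9a80f7618f841"},
+{"main", "requests", "2.25.3", "other/project", "frogbot-requests-61eeddf6eda4b867a2b75fa5630875e8"},
 }
 gitManager := utils.GitManager{}
 for _, test := range tests {
 t.Run(test.expectedName, func(t *testing.T) {
-branchName, err := gitManager.GenerateFixBranchName(test.baseBranch, test.impactedPackage, test.fixVersion)
+branchName, err := gitManager.GenerateFixBranchName(test.baseBranch, test.impactedPackage, test.fixVersion, test.projectPath)
 assert.NoError(t, err)
 assert.Equal(t, test.expectedName, branchName)
 })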

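--- a/utils/git.go
+++ b/utils/git.go
@@ -4,7 +4,6 @@ import (
 "errors"
 "fmt"
 "net/http"
-
 "regexp"
 "strings"
 "time"
@@ -486,8 +485,12 @@ func formatStringWithPlaceHolders(str, impactedPackage, fixVersion, hash, baseBr
 return str
 }
 
-func (gm *GitManager) GenerateFixBranchName(branch string, impactedPackage string, fixVersion string) (string, error) {
-hash, err := Md5Hash("frogbot", branch, impactedPackage, fixVersion)
+func (gm *GitManager) GenerateFixBranchName(branch string, impactedPackage string, fixVersion string, projectPath string) (string, error) {
+hashInputs := []string{"frogbot", branch, impactedPackage, fixVersion}
+if projectPath != "" {
+hashInputs = append(hashInputs, projectPath)
+}
+hash, err := Md5Hash(hashInputs...)
 if err != nil {
 return "", err
 }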
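Review bot: projectPath is hashed exactly as received, so the same project produces different branch names depending on the path separator the caller used (`other/project` versus a backslash-separated form on Windows), which defeats the uniqueness the parameter is meant to add and can leave stale fix branches behind when the scanner runs from a different OS. Normalizing with `filepath.ToSlash(projectPath)` before the `append` would make the name platform-stable; the visible import hunk shows no path/filepath, so that import would need adding. The exported method also has no doc comment; consider `// GenerateFixBranchName returns a deterministic branch name for the fix. A non-empty projectPath only participates in the hash, so fixes for the same package in different projects differ solely in the hash suffix.` Keeping the empty-path case out of the hash is what preserves previously generated names, as the unchanged expectations in git_test.go confirm.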

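--- a/utils/git_test.go
+++ b/utils/git_test.go
@@ -96,7 +96,7 @@ func TestGitManager_GenerateFixBranchName(t *testing.T) {
 }
 for _, test := range testCases {
 t.Run(test.expected, func(t *testing.T) {
-commitMessage, err := test.gitManager.GenerateFixBranchName("md5Branch", test.impactedPackage, test.fixVersion.SuggestedFixedVersion)
+commitMessage, err := test.gitManager.GenerateFixBranchName("md5Branch", test.impactedPackage, test.fixVersion.SuggestedFixedVersion, "")
 assert.NoError(t, err)
 assert.Equal(t, test.expected, commitMessage)
 })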

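--- a/utils/utils.go
+++ b/utils/utils.go
@@ -561,6 +561,7 @@ func isUrlAccessible(url string) bool {
 return false
 }
 log.Debug(fmt.Sprintf("Sending HTTP %s request to: '%s'", req.Method, req.URL))
+// #nosec G704 -- URL is from Frogbot config (FrogbotRepoUrl), not user input
 resp, err := client.GetClient().Do(req)
 if errorutils.CheckError(err) != nil {
 log.Debug(fmt.Sprintf("Can't check access to '%s', error while sending request:\n%s", url, err.Error()))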
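Review bot: The `#nosec G704` justification rests on where the current caller gets its URL, but isUrlAccessible accepts an arbitrary url parameter, so the suppression will silently cover any future call site that passes an externally supplied value. The precondition the suppression encodes should live on the function itself so new callers see it, e.g. `// isUrlAccessible must only be called with URLs taken from Frogbot's own configuration (FrogbotRepoUrl); the G704 finding on the request below is suppressed on that basis, and callers with externally supplied URLs need their own validation.` If the suppression is meant to be narrower than "any caller", an explicit check on the function's contract (scheme or host allow-list) would make it enforceable rather than documentary. isUrlAccessible starts outside the hunk.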
