PR attestation enhancement (#514)

* Implement optional flag and loop to poll SonarQube and wait for scan to complete

* Add missing argument to NewSonarConfig

* Add 'IN_PROGRESS' status to sleep loop

* Add more thorough error message to attest sonar command

* Change --allow-wait flag to take number of seconds to wait as parameter

* Clean up leftover comment

* Add more details on new flag to attest sonar description

* Change --allow-wait flag to --max-retries

* Change --allow-wait flag in example commands for docs

* Fix typo

* Start implementing GraphQL for Github PRs

* Update variable names for PR structs to match API

* Update PR struct to work with both old and new versions of PR attestation

* Fix payload for non-github PR attestations and tidy up comments

* Fix payload issues for non-Github-attest commands

* Update report evidence command payloads

* Get git provider for reporting commit evidence properly

* add author_username to github pr attestation commits

---------

Co-authored-by: Faye <[email protected]>

Author: sami-alajrami

cmd/kosli/assertPRAzure.go

@@ -59,7 +59,7 @@ func newAssertPullRequestAzureCmd(out io.Writer) *cobra.Command {
 }
 
 func (o *assertPullRequestAzureOptions) run(args []string) error {
-	pullRequestsEvidence, err := o.azureConfig.PREvidenceForCommit(o.commit)
+	pullRequestsEvidence, err := o.azureConfig.PREvidenceForCommitV2(o.commit)
 	if err != nil {
 		return err
 	}

cmd/kosli/assertPRBitbucket.go

@@ -81,7 +81,7 @@ func newAssertPullRequestBitbucketCmd(out io.Writer) *cobra.Command {
 }
 
 func (o *assertPullRequestBitbucketOptions) run(args []string) error {
-	pullRequestsEvidence, err := o.bbConfig.PREvidenceForCommit(o.commit)
+	pullRequestsEvidence, err := o.bbConfig.PREvidenceForCommitV2(o.commit)
 	if err != nil {
 		return err
 	}

cmd/kosli/assertPRGithub.go

@@ -58,7 +58,7 @@ func newAssertPullRequestGithubCmd(out io.Writer) *cobra.Command {
 }
 
 func (o *assertPullRequestGithubOptions) run(args []string) error {
-	pullRequestsEvidence, err := o.githubConfig.PREvidenceForCommit(o.commit)
+	pullRequestsEvidence, err := o.githubConfig.PREvidenceForCommitV2(o.commit)
 	if err != nil {
 		return err
 	}

cmd/kosli/assertPRGithub_test.go

@@ -47,7 +47,7 @@ func (suite *AssertPRGithubCommandTestSuite) TestAssertPRGithubCmd() {
 			name:      "assert Github PR evidence fails when commit does not exist",
 			cmd: `assert pullrequest github --github-org kosli-dev --repository cli 
 			--commit 19aab7f063147614451c88969602a10afba123ab` + suite.defaultKosliArguments,
-			golden: "Error: GET https://api.github.com/repos/kosli-dev/cli/commits/19aab7f063147614451c88969602a10afba123ab/pulls: 422 No commit found for SHA: 19aab7f063147614451c88969602a10afba123ab []\n",
+			golden: "Error: assert failed: found no pull request(s) in Github for commit: 19aab7f063147614451c88969602a10afba123ab\n",
 		},
 	}
 

cmd/kosli/assertPRGitlab.go

@@ -58,7 +58,7 @@ func newAssertPullRequestGitlabCmd(out io.Writer) *cobra.Command {
 }
 
 func (o *assertPullRequestGitlabOptions) run(args []string) error {
-	pullRequestsEvidence, err := o.gitlabConfig.PREvidenceForCommit(o.commit)
+	pullRequestsEvidence, err := o.gitlabConfig.PREvidenceForCommitV2(o.commit)
 	if err != nil {
 		return err
 	}

cmd/kosli/docs.go

@@ -340,6 +340,6 @@ var liveCliMap = map[string]string{
 	"kosli list flows":        "kosli list flows --output=json",
 	"kosli get flow":          "kosli get flow dashboard-ci --output=json",
 	//"kosli list trails":       "kosli list trails dashboard-ci --output=json",  // Produces too much output
-	"kosli get trail":         "kosli get trail dashboard-ci 1159a6f1193150681b8484545150334e89de6c1c --output=json",
-	"kosli get attestation":   "kosli get attestation snyk-container-scan --flow=differ-ci --fingerprint=0cbbe3a6e73e733e8ca4b8813738d68e824badad0508ff20842832b5143b48c0 --output=json",
+	"kosli get trail":       "kosli get trail dashboard-ci 1159a6f1193150681b8484545150334e89de6c1c --output=json",
+	"kosli get attestation": "kosli get attestation snyk-container-scan --flow=differ-ci --fingerprint=0cbbe3a6e73e733e8ca4b8813738d68e824badad0508ff20842832b5143b48c0 --output=json",
 }

cmd/kosli/pullrequest.go

@@ -48,8 +48,19 @@ func (o *pullRequestArtifactOptions) run(out io.Writer, args []string) error {
 		}
 	}
 
+	label := ""
+	o.payload.GitProvider, label = getGitProviderAndLabel(o.retriever)
+
 	url := fmt.Sprintf("%s/api/v2/evidence/%s/artifact/%s/pull_request", global.Host, global.Org, o.flowName)
-	pullRequestsEvidence, err := o.getRetriever().PREvidenceForCommit(o.commit)
+
+	// TODO: after the PR payload is enhanced for all git providers they will all use the same method
+	var pullRequestsEvidence []*types.PREvidence
+	if o.payload.GitProvider == "github" {
+		pullRequestsEvidence, err = o.getRetriever().PREvidenceForCommitV1(o.commit)
+	} else {
+		pullRequestsEvidence, err = o.getRetriever().PREvidenceForCommitV2(o.commit)
+	}
+
 	if err != nil {
 		return err
 	}
@@ -60,9 +71,6 @@ func (o *pullRequestArtifactOptions) run(out io.Writer, args []string) error {
 		return err
 	}
 
-	label := ""
-	o.payload.GitProvider, label = getGitProviderAndLabel(o.retriever)
-
 	// PR evidence does not have files to upload
 	form, cleanupNeeded, evidencePath, err := newEvidenceForm(o.payload, []string{})
 	// if we created a tar package, remove it after uploading it
@@ -119,7 +127,7 @@ func (o *attestPROptions) run(args []string) error {
 		return err
 	}
 
-	pullRequestsEvidence, err := o.getRetriever().PREvidenceForCommit(o.payload.Commit.Sha1)
+	pullRequestsEvidence, err := o.getRetriever().PREvidenceForCommitV2(o.payload.Commit.Sha1)
 	if err != nil {
 		return err
 	}
@@ -175,14 +183,21 @@ func (o *pullRequestCommitOptions) run(args []string) error {
 		return err
 	}
 
-	pullRequestsEvidence, err := o.getRetriever().PREvidenceForCommit(o.payload.CommitSHA)
+	label := ""
+	o.payload.GitProvider, label = getGitProviderAndLabel(o.retriever)
+
+	// TODO: after the PR payload is enhanced for all git providers they will all use the same method
+	var pullRequestsEvidence []*types.PREvidence
+	if o.payload.GitProvider == "github" {
+		pullRequestsEvidence, err = o.getRetriever().PREvidenceForCommitV1(o.payload.CommitSHA)
+	} else {
+		pullRequestsEvidence, err = o.getRetriever().PREvidenceForCommitV2(o.payload.CommitSHA)
+	}
 	if err != nil {
 		return err
 	}
 
 	o.payload.PullRequests = pullRequestsEvidence
-	label := ""
-	o.payload.GitProvider, label = getGitProviderAndLabel(o.retriever)
 
 	// PR evidence does not have files to upload
 	form, cleanupNeeded, evidencePath, err := newEvidenceForm(o.payload, []string{})

go.mod

@@ -32,6 +32,7 @@ require (
 	github.com/owenrumney/go-sarif/v2 v2.3.3
 	github.com/pkg/errors v0.9.1
 	github.com/rjeczalik/notify v0.9.3
+	github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/pflag v1.0.6
 	github.com/spf13/viper v1.20.1

go.sum

@@ -611,6 +611,8 @@ github.com/sagikazarmark/locafero v0.9.0/go.mod h1:UBUyz37V+EdMS3hDF3QWIiVr/2dPr
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
+github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466 h1:17JxqqJY66GmZVHkmAsGEkcIu0oCe3AM420QDgGwZx0=
+github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466/go.mod h1:9dIRpgIY7hVhoqfe0/FcYp0bpInZaT7dc3BYOprrIUE=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=

internal/azure/azure.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"github.com/kosli-dev/cli/internal/types"
+	"github.com/kosli-dev/cli/internal/utils"
 	"github.com/microsoft/azure-devops-go-api/azuredevops"
 	"github.com/microsoft/azure-devops-go-api/azuredevops/git"
 )
@@ -54,7 +55,8 @@ func NewAzureClientFromToken(ctx context.Context, azToken, orgURL string) (git.C
 	return gitClient, nil
 }
 
-func (c *AzureConfig) PREvidenceForCommit(commit string) ([]*types.PREvidence, error) {
+// This is the old implementation, it will be removed after the PR payload is enhanced for Azure
+func (c *AzureConfig) PREvidenceForCommitV2(commit string) ([]*types.PREvidence, error) {
 	pullRequestsEvidence := []*types.PREvidence{}
 	prs, err := c.PullRequestsForCommit(commit)
 	if err != nil {
@@ -70,6 +72,11 @@ func (c *AzureConfig) PREvidenceForCommit(commit string) ([]*types.PREvidence, e
 	return pullRequestsEvidence, nil
 }
 
+// This is the new implementation, it will be used for Azure
+func (c *AzureConfig) PREvidenceForCommitV1(commit string) ([]*types.PREvidence, error) {
+	return []*types.PREvidence{}, nil
+}
+
 func (c *AzureConfig) newPRAzureEvidence(pr git.GitPullRequest) (*types.PREvidence, error) {
 	prID := strconv.Itoa(*pr.PullRequestId)
 	url, err := url.JoinPath(c.OrgURL, c.Project, "_git", c.Repository, "pullrequest", prID)
@@ -85,7 +92,7 @@ func (c *AzureConfig) newPRAzureEvidence(pr git.GitPullRequest) (*types.PREviden
 	if err != nil {
 		return evidence, err
 	}
-	evidence.Approvers = approvers
+	evidence.Approvers = utils.ConvertStringListToInterfaceList(approvers)
 	return evidence, nil
 }