feat: extend static analysis and compute confidence scores for deploy commands #673
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
oracle-contributor-agreement
bot
added
the
OCA Verified
behnazh-w
force-pushed
the
improve-build-checks
branch
from
596c233 to
ed96dae
Compare
tromai
reviewed
Mar 20, 2024
tromai
reviewed
Mar 20, 2024
tests/parsers/bashparser/resources/bash_files/valid_github_action_bash.sh
Show resolved
Hide resolved
tromai
reviewed
Mar 20, 2024
tromai
reviewed
Mar 20, 2024
tromai
reviewed
Mar 20, 2024
src/macaron/slsa_analyzer/ci_service/github_actions/github_actions_ci.py
Outdated
Show resolved
Hide resolved
tromai
reviewed
Mar 21, 2024
src/macaron/slsa_analyzer/ci_service/github_actions/analyzer.py
Outdated
Show resolved
Hide resolved
tromai
reviewed
Mar 21, 2024
tromai
reviewed
Mar 21, 2024
src/macaron/slsa_analyzer/ci_service/github_actions/analyzer.py
Outdated
Show resolved
Hide resolved
nicallen
reviewed
Mar 21, 2024
nicallen
reviewed
Mar 21, 2024
nicallen
reviewed
Mar 21, 2024
tromai
reviewed
Mar 21, 2024
src/macaron/slsa_analyzer/ci_service/github_actions/analyzer.py
Outdated
Show resolved
Hide resolved
tromai
reviewed
Mar 21, 2024
src/macaron/slsa_analyzer/ci_service/github_actions/analyzer.py
Outdated
Show resolved
Hide resolved
tromai
reviewed
Mar 21, 2024
tromai
reviewed
Mar 21, 2024
src/macaron/slsa_analyzer/ci_service/github_actions/analyzer.py
Outdated
Show resolved
Hide resolved
nicallen
reviewed
Mar 21, 2024
tromai
reviewed
Mar 22, 2024
src/macaron/slsa_analyzer/ci_service/github_actions/github_actions_ci.py
Outdated
Show resolved
Hide resolved
behnazh-w
added a commit
that referenced
this pull request
Mar 22, 2024
This PR temporarily excludes mcn_provenance_available_1 check for micronaut-core integration test because provenances have failed to publish due to an issue in [email protected]. It also excludes mcn_infer_artifact_pipeline_1, which is due to a non-deterministic behavior in deploy command detection, which will be fixed in PR #673. Signed-off-by: behnazh-w <[email protected]>
tromai
reviewed
Mar 22, 2024
tromai
reviewed
Mar 22, 2024
tromai
reviewed
Mar 22, 2024
tromai
reviewed
Mar 22, 2024
tromai
reviewed
Mar 22, 2024
tromai
reviewed
Mar 22, 2024
tromai
reviewed
Mar 22, 2024
tromai
suggested changes
Mar 26, 2024
Contributor
tromai
left a comment
tromai
left a comment
There was a problem hiding this comment.
I think I have put down all of my questions for now. Thanks for the changes!
behnazh-w
force-pushed
the
improve-build-checks
branch
from
ed96dae to
071e99a
Compare
Member
Author
|
This commit 071e99a adds |
Signed-off-by: behnazh-w <[email protected]>
Signed-off-by: behnazh-w <[email protected]>
tromai
reviewed
Mar 26, 2024
Signed-off-by: behnazh-w <[email protected]>
tromai
reviewed
Mar 27, 2024
tromai
reviewed
Mar 27, 2024
Contributor
@behnazh-w I think the commit is not available anymore (I got 404 when I clicked on the link). |
Signed-off-by: behnazh-w <[email protected]>
Member
Author
Please check again. |
Contributor
|
I can access it again. Thanks @behnazh-w |
Signed-off-by: behnazh-w <[email protected]>
Signed-off-by: behnazh-w <[email protected]>
behnazh-w
force-pushed
the
improve-build-checks
branch
from
cbe9501 to
b4506de
Compare
Signed-off-by: behnazh-w <[email protected]>
Signed-off-by: behnazh-w <[email protected]>
behnazh-w
force-pushed
the
improve-build-checks
branch
from
6a74072 to
a882a62
Compare
Signed-off-by: behnazh-w <[email protected]>
Signed-off-by: behnazh-w <[email protected]>
Signed-off-by: behnazh-w <[email protected]>
Signed-off-by: behnazh-w <[email protected]>
tromai
approved these changes
Apr 1, 2024
Contributor
tromai
left a comment
tromai
left a comment
There was a problem hiding this comment.
LGTM. Thanks for the changes.
nicallen
approved these changes
Apr 2, 2024
art1f1c3R
pushed a commit
that referenced
this pull request
Nov 29, 2024
This PR temporarily excludes mcn_provenance_available_1 check for micronaut-core integration test because provenances have failed to publish due to an issue in [email protected]. It also excludes mcn_infer_artifact_pipeline_1, which is due to a non-deterministic behavior in deploy command detection, which will be fixed in PR #673. Signed-off-by: behnazh-w <[email protected]>
art1f1c3R
pushed a commit
that referenced
this pull request
Nov 29, 2024
… commands (#673) This PR extends and makes changes to the static analysis of CI configurations in Macaron with the high-level goal of finding build and deploy commands more accurately. To achieve that, some of the abstractions had to be replaced to allow writing customized analyses, such as detecting build language setup in a GitHub Actions workflow or detecting reachable secrets. Here are the summary of changes: * BashCommands which consisted of build tool commands collected after analyzing GitHub Actions and passed to checks is replaced with BuildToolCommand. * The build related checks are refactored and simplified to use BuildToolCommand. * The callgraph analysis, which needs to be implemented for each CI service, is extended with new node types for GitHub Actions. The callgraph plays the role of Intermediate Representation and is available to all checks. * The mcn_build_script_1 check does not depend on any checks and always runs by default based on a customer request. * The mcn_build_as_code_1 check now reports deploy commands with confidence scores. * New analysis is added to resolve the value of expression variables, which is used for other analysis, such as reachable secrets and build language detection. * New abstractions are added to model third-party GitHub Actions. This feature is used to collect data about build Language setup Signed-off-by: behnazh-w <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR extends and makes changes to the static analysis of CI configurations in Macaron with the high-level goal of finding build and deploy commands more accurately. To achieve that, some of the abstractions had to be replaced to allow writing customized analyses, such as detecting build language setup in a GitHub Actions workflow or detecting reachable secrets. The list of extensions and changes are as follows:
BashCommandswhich consisted of build tool commands collected after analyzing GitHub Actions and passed to checks withBuildToolCommand. With this PRBuildToolCommandare created by each build tool instead, and can be detected by calling a build tool API as part of the check. This delegation of analysis to each build tool allows to customize them per build tool. Moreover, now each build tool has direct access to the parsed AST of GitHub Actions and bash scripts, which opens opportunities to add new analyses more easily.BuildToolCommand.mcn_build_script_1check does not depend on any checks and always runs by default based on a customer request.mcn_build_as_code_1check now reports deploy commands with confidence scores. The confidence scores are computed based on additional facts collected from GitHub Actions, such as the CI event, reachable secrets, and name of the workflows.