Merge ubuntu-security-tools:iosifache/semgrep-rules-manager into ubuntu-security-tools:master
| Status | Rejected |
|---|---|
| Rejected by | George-Andrei Iosif |
| Proposed branch | ubuntu-security-tools:iosifache/semgrep-rules-manager |
| Merge into | ubuntu-security-tools:master |
| Diff against target | 199 lines (+87/-7), 6 files modified: audits/.gitignore (+2/-0), audits/CONTRIBUTING.md (+4/-0), audits/README.md (+2/-0), audits/custom-semgrep-rules/third-party/.gitkeep (+0/-0), audits/uaudit (+78/-6), audits/workflow.template (+1/-1) |
| Related bugs | |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Spyros Seimenis | Needs Fixing | | |

Review via email: mp+448255@code.launchpad.net
Commit message
Integrates semgrep-
Description of the change
This merge proposal targets the auditing capabilities of UST.
As a result of the Semgrep integration in MP #446963 [1], the commits in this merge proposal include a newly constructed Semgrep-related utility, semgrep-
The objective of semgrep-
The merge proposal adds a new workflow:
1. The first time uaudit is launched, the user is prompted to say whether she wishes to install new Semgrep rules.
2. If yes, the semgrep-
3. Once the installation is complete, all Semgrep rule sources are downloaded to $UST/audits/
4. uaudit will then launch Semgrep, which will detect and use the downloaded rules for scanning.
Regardless of the answer supplied in the first step, semgrep-
The commits, in addition to the mentioned behaviour, target documentation files (README.md and CONTRIBUTING.md), which are updated with information about the changes made in this MP.
[1] https:/
[2] https:/
[3] https:/
[4] https:/
P.S.: The previously generated Semgrep snap is actively utilized by tens of users in our community! The download of semgrep-
I think we can reuse the logic and flow that is already there for tool installation instead of introducing extra helpers. The new requirement of semgrep-rules-manager for example can be handled in verify_requirements() or maybe even better in uaudit_install_dependencies() directly:

```python
def uaudit_install_dependencies():
    dependencies = {}
    for tool in static_analysis_tools:
        dependencies[tool.name] = tool.install_cmd()
+   dependencies["semgrep-rules-manager"] = ["snap", "install", "semgrep-rules-manager"]
    for tool, cmd_args in dependencies.items():
        if is_program_installed(tool):
            debug(f'{tool} is already installed in the system')
        else:
            install_tool(cmd_args, tool)
```

Then we would only need to prompt for the extra sources via ask_for_custom_semgrep_rules() -> download_custom_semgrep_rules() and remove the ensure_installed_semgrep_rules_manager() method.
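As an added illustration of the reviewer's suggestion (example code, not UST's own uaudit): the snap dependency is folded into the single install loop, and the prompt and download steps are kept as two small helpers. The Tool table, the injectable `run`/`installed` callables and the semgrep-rules-manager argv are assumptions, not taken from the page.

```python
import shutil
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Dict, List

Cmd = List[str]

@dataclass
class Tool:
    """Stand-in for one entry of UST's static_analysis_tools (shape assumed)."""
    name: str
    install_args: Cmd

    def install_cmd(self) -> Cmd:
        return list(self.install_args)

# Constructed tool table; the real list lives in uaudit.
STATIC_ANALYSIS_TOOLS = [Tool("semgrep", ["snap", "install", "semgrep"])]

def is_program_installed(tool: str) -> bool:
    return shutil.which(tool) is not None

def uaudit_install_dependencies(run: Callable[[Cmd], object] = subprocess.check_call,
                                installed: Callable[[str], bool] = is_program_installed) -> Dict[str, Cmd]:
    """Install every missing dependency in one loop; returns the commands actually run."""
    dependencies: Dict[str, Cmd] = {t.name: t.install_cmd() for t in STATIC_ANALYSIS_TOOLS}
    # The reviewer's one-line addition: the rules manager is just another snap to install.
    dependencies["semgrep-rules-manager"] = ["snap", "install", "semgrep-rules-manager"]
    ran: Dict[str, Cmd] = {}
    for tool, cmd_args in dependencies.items():
        if installed(tool):
            continue  # already present in the system, nothing to do
        run(cmd_args)
        ran[tool] = cmd_args
    return ran

def ask_for_custom_semgrep_rules(prompt: Callable[[str], str] = input) -> bool:
    """Step 1 of the workflow: ask once whether third-party rules should be fetched."""
    answer = prompt("Install third-party Semgrep rules? [y/N] ").strip().lower()
    return answer in ("y", "yes")

def download_custom_semgrep_rules(rules_dir: Path,
                                  run: Callable[[Cmd], object] = subprocess.check_call) -> Cmd:
    """Step 3: fetch rule sources into rules_dir (argv assumed; check the tool's --help)."""
    rules_dir.mkdir(parents=True, exist_ok=True)
    cmd = ["semgrep-rules-manager", "--dir", str(rules_dir), "download"]
    run(cmd)
    return cmd
```

With the callables injected, the install loop and the download step can be exercised without touching snapd or the network.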