Refactoring (#291)

Author: Talgarr

analyze/analyze.go

@@ -259,19 +259,30 @@ func (a *Analyzer) AnalyzeStaleBranches(ctx context.Context, repoString string,
 	bar.Describe("Check which workflows match regex: " + regex.String())
 	_ = bar.Add(1)
 
-	workflowDir := filepath.Join(tempDir, ".github", "workflows")
-	if err = os.MkdirAll(workflowDir, 0700); err != nil {
-		return nil, fmt.Errorf("failed to create .github/workflows/ dir: %w", err)
-	}
-
-	wg := sync.WaitGroup{}
 	errChan := make(chan error, 1)
 	maxGoroutines := 5
 	if numberOfGoroutines != nil {
 		maxGoroutines = *numberOfGoroutines
 	}
 	semaphore := semaphore.NewWeighted(int64(maxGoroutines))
 	m := sync.Mutex{}
+	type file struct {
+		path string
+		data []byte
+	}
+	filesChan := make(chan *file)
+	files := make(map[string][]byte)
+
+	wgConsumer := sync.WaitGroup{}
+	wgProducer := sync.WaitGroup{}
+
+	wgConsumer.Add(1)
+	go func() {
+		defer wgConsumer.Done()
+		for v := range filesChan {
+			files[v.path] = v.data
+		}
+	}()
 	blobShas := make([]string, 0, len(workflows))
 	for sha := range workflows {
 		blobShas = append(blobShas, sha)
@@ -281,19 +292,19 @@ func (a *Analyzer) AnalyzeStaleBranches(ctx context.Context, repoString string,
 			errChan <- fmt.Errorf("failed to acquire semaphore: %w", err)
 			break
 		}
-		wg.Add(1)
+		wgProducer.Add(1)
 		go func(blobSha string) {
-			defer wg.Done()
+			defer wgProducer.Done()
 			defer semaphore.Release(1)
 			match, content, err := a.GitClient.BlobMatches(ctx, tempDir, blobSha, regex)
 			if err != nil {
 				errChan <- fmt.Errorf("failed to blob match %s: %w", blobSha, err)
 				return
 			}
 			if match {
-				err = os.WriteFile(filepath.Join(workflowDir, blobSha+".yaml"), content, 0644)
-				if err != nil {
-					errChan <- fmt.Errorf("failed to write file for blob %s: %w", blobSha, err)
+				filesChan <- &file{
+					path: ".github/workflows/" + blobSha + ".yaml",
+					data: content,
 				}
 			} else {
 				m.Lock()
@@ -302,8 +313,10 @@ func (a *Analyzer) AnalyzeStaleBranches(ctx context.Context, repoString string,
 			}
 		}(blobSha)
 	}
-	wg.Wait()
+	wgProducer.Wait()
 	close(errChan)
+	close(filesChan)
+	wgConsumer.Wait()
 	for err := range errChan {
 		return nil, err
 	}
@@ -315,9 +328,9 @@ func (a *Analyzer) AnalyzeStaleBranches(ctx context.Context, repoString string,
 		return nil, fmt.Errorf("failed to generate package insight: %w", err)
 	}
 
-	inventoryScanner := scanner.InventoryScanner{
-		Path: tempDir,
-		Parsers: []scanner.Parser{
+	inventoryScanner := scanner.InventoryScannerMem{
+		Files: files,
+		Parsers: []scanner.MemParser{
 			scanner.NewGithubActionWorkflowParser(),
 		},
 	}
@@ -353,7 +366,16 @@ func (a *Analyzer) AnalyzeStaleBranches(ctx context.Context, repoString string,
 			return nil, fmt.Errorf("failed to finalize analysis of package: %w", err)
 		}
 	} else {
-		if err := a.Formatter.FormatWithPath(ctx, []*models.PackageInsights{scannedPackage}, workflows); err != nil {
+		results := make(map[string][]*models.RepoInfo, len(workflows))
+		for blobsha, branchinfos := range workflows {
+			results[blobsha] = []*models.RepoInfo{{
+				RepoName:    repoName,
+				Purl:        pkg.Purl,
+				BranchInfos: branchinfos,
+			}}
+		}
+
+		if err := a.Formatter.FormatWithPath(ctx, []*models.PackageInsights{scannedPackage}, results); err != nil {
 			return nil, fmt.Errorf("failed to finalize analysis of package: %w", err)
 		}
 
@@ -458,7 +480,7 @@ func (a *Analyzer) AnalyzeLocalRepo(ctx context.Context, repoPath string) (*mode
 
 type Formatter interface {
 	Format(ctx context.Context, packages []*models.PackageInsights) error
-	FormatWithPath(ctx context.Context, packages []*models.PackageInsights, pathAssociation map[string][]models.BranchInfo) error
+	FormatWithPath(ctx context.Context, packages []*models.PackageInsights, pathAssociation map[string][]*models.RepoInfo) error
 }
 
 func (a *Analyzer) finalizeAnalysis(ctx context.Context, scannedPackages []*models.PackageInsights) error {

cmd/analyzeRepoStaleBranches.go

@@ -9,7 +9,6 @@ import (
 	"github.com/spf13/viper"
 )
 
-var threadsRepoStaleBranch int
 var expand bool
 var regex string
 
@@ -38,7 +37,7 @@ Example Scanning a remote Github Repository: poutine analyze_repo_stale_branches
 			return fmt.Errorf("error compiling regex: %w", err)
 		}
 
-		_, err = analyzer.AnalyzeStaleBranches(ctx, repo, &threadsRepoStaleBranch, &expand, reg)
+		_, err = analyzer.AnalyzeStaleBranches(ctx, repo, &threads, &expand, reg)
 		if err != nil {
 			return fmt.Errorf("failed to analyze repo %s: %w", repo, err)
 		}
@@ -51,7 +50,7 @@ func init() {
 	rootCmd.AddCommand(analyzeRepoStaleBranches)
 
 	analyzeRepoStaleBranches.Flags().StringVarP(&token, "token", "t", "", "SCM access token (env: GH_TOKEN)")
-	analyzeRepoStaleBranches.Flags().IntVarP(&threadsRepoStaleBranch, "threads", "j", 5, "Parallelization factor for scanning stale branches")
+	analyzeRepoStaleBranches.Flags().IntVarP(&threads, "threads", "j", 5, "Parallelization factor for scanning stale branches")
 	analyzeRepoStaleBranches.Flags().BoolVarP(&expand, "expand", "e", false, "Expand the output to the classic representation from analyze_repo")
 	analyzeRepoStaleBranches.Flags().StringVarP(&regex, "regex", "r", "pull_request_target", "Regex to check if the workflow is accessible in stale branches")
 

formatters/json/json.go

@@ -64,7 +64,7 @@ func (f *Format) Format(ctx context.Context, packages []*models.PackageInsights)
 	return nil
 }
 
-func (f *Format) FormatWithPath(ctx context.Context, packages []*models.PackageInsights, pathAssociations map[string][]models.BranchInfo) error {
+func (f *Format) FormatWithPath(ctx context.Context, packages []*models.PackageInsights, pathAssociations map[string][]*models.RepoInfo) error {
 	var result struct {
 		Output string `json:"output"`
 		Error  string `json:"error"`

formatters/pretty/pretty.go

@@ -47,49 +47,52 @@ func (f *Format) Format(ctx context.Context, packages []*models.PackageInsights)
 	return nil
 }
 
-func (f *Format) FormatWithPath(ctx context.Context, packages []*models.PackageInsights, pathAssociations map[string][]models.BranchInfo) error {
+func (f *Format) FormatWithPath(ctx context.Context, packages []*models.PackageInsights, pathAssociations map[string][]*models.RepoInfo) error {
 	failures := map[string]int{}
 	rules := map[string]results.Rule{}
 
 	for _, pkg := range packages {
-		findings := map[string][]string{}
+		findings := make(map[string]map[string]bool)
 		for _, finding := range pkg.FindingsResults.Findings {
-			failures[finding.RuleId]++
 			filename := filepath.Base(finding.Meta.Path)
 			filename = strings.TrimSuffix(filename, filepath.Ext(filename))
-			findings[filename] = append(findings[filename], finding.RuleId)
+			if _, ok := findings[filename]; !ok {
+				findings[filename] = make(map[string]bool)
+			}
+			if _, ok := findings[filename][finding.RuleId]; !ok {
+				failures[finding.RuleId]++
+			}
+			findings[filename][finding.RuleId] = true
 		}
 
 		for _, rule := range pkg.FindingsResults.Rules {
 			rules[rule.Id] = rule
 		}
 
-		_ = f.printFindingsPerWorkflow(os.Stdout, findings, pkg.Purl, pathAssociations)
+		_ = f.printFindingsPerWorkflow(os.Stdout, findings, pathAssociations)
 	}
 	printSummaryTable(os.Stdout, failures, rules)
 
 	return nil
 }
 
-func (f *Format) printFindingsPerWorkflow(out io.Writer, results map[string][]string, purlStr string, pathAssociations map[string][]models.BranchInfo) error {
+func (f *Format) printFindingsPerWorkflow(out io.Writer, results map[string]map[string]bool, pathAssociations map[string][]*models.RepoInfo) error {
 	// Skip rules with no findings.
 	table := tablewriter.NewWriter(out)
 	table.SetAutoMergeCells(true)
-	table.SetHeader([]string{"Workflow sha", "Rule", "Branch", "URL"})
+	table.SetHeader([]string{"Workflow sha", "Rule", "Location", "URL"})
 
-	purl, err := models.NewPurl(purlStr)
-	if err != nil {
-		return fmt.Errorf("error creating purl: %w", err)
-	}
-	for blobsha, branchInfos := range pathAssociations {
+	for blobsha, repoInfos := range pathAssociations {
 		findings := results[blobsha]
 		if len(findings) == 0 {
 			continue
 		}
 		largestElement := len(findings)
 		sumPath := 0
-		for _, branchInfo := range branchInfos {
-			sumPath += len(branchInfo.FilePath)
+		for _, repoInfo := range repoInfos {
+			for _, branchInfo := range repoInfo.BranchInfos {
+				sumPath += len(branchInfo.FilePath)
+			}
 		}
 		blobshaTable := make([][]string, max(largestElement, sumPath))
 		for i := range blobshaTable {
@@ -98,19 +101,35 @@ func (f *Format) printFindingsPerWorkflow(out io.Writer, results map[string][]st
 
 		blobshaTable[0][0] = blobsha
 
-		for i, finding := range findings {
+		// Extract and sort the keys of the findings map
+		sortedFindings := make([]string, 0, len(findings))
+		for finding := range findings {
+			sortedFindings = append(sortedFindings, finding)
+		}
+		sort.Strings(sortedFindings)
+
+		// Iterate over the sorted keys
+		i := 0
+		for _, finding := range sortedFindings {
 			blobshaTable[i][1] = finding
+			i++
 		}
 
 		index := 0
-		for _, branchInfo := range branchInfos {
-			for j, path := range branchInfo.FilePath {
-				if j == 0 {
-					blobshaTable[index][2] = branchInfo.BranchName
+		for _, repoInfo := range repoInfos {
+			purl, err := models.NewPurl(repoInfo.Purl)
+			if err != nil {
+				return fmt.Errorf("failed to parse purl: %w", err)
+			}
+			for _, branchInfo := range repoInfo.BranchInfos {
+				for j, path := range branchInfo.FilePath {
+					if j == 0 {
+						blobshaTable[index][2] = repoInfo.RepoName + "/" + branchInfo.BranchName
+					}
+
+					blobshaTable[index][3] = purl.Link() + "/tree/" + branchInfo.BranchName + "/" + path
+					index += 1
 				}
-
-				blobshaTable[index][3] = purl.Link() + "/tree/" + branchInfo.BranchName + "/" + path
-				index += 1
 			}
 		}
 

formatters/sarif/sarif.go

@@ -117,6 +117,6 @@ func (f *Format) Format(ctx context.Context, packages []*models.PackageInsights)
 	return nil
 }
 
-func (f *Format) FormatWithPath(ctx context.Context, packages []*models.PackageInsights, pathAssociations map[string][]models.BranchInfo) error {
+func (f *Format) FormatWithPath(ctx context.Context, packages []*models.PackageInsights, pathAssociations map[string][]*models.RepoInfo) error {
 	return errors.New("not implemented")
 }

models/branch_info.go

@@ -4,3 +4,9 @@ type BranchInfo struct {
 	BranchName string   `json:"branch_name"`
 	FilePath   []string `json:"file_path"`
 }
+
+type RepoInfo struct {
+	Purl        string       `json:"purl"`
+	RepoName    string       `json:"repo_name"`
+	BranchInfos []BranchInfo `json:"branch_infos"`
+}

scanner/inventory.go

@@ -30,7 +30,11 @@ func NewInventory(opa *opa.Opa, pkgSupplyClient ReputationClient, provider strin
 	}
 }
 
-func (i *Inventory) ScanPackageScanner(ctx context.Context, pkgInsights models.PackageInsights, inventoryScanner *InventoryScanner) (*models.PackageInsights, error) {
+type InventoryScannerI interface {
+	Run(pkgInsights *models.PackageInsights) error
+}
+
+func (i *Inventory) ScanPackageScanner(ctx context.Context, pkgInsights models.PackageInsights, inventoryScanner InventoryScannerI) (*models.PackageInsights, error) {
 	refPkgInsights := &pkgInsights
 
 	if err := inventoryScanner.Run(refPkgInsights); err != nil {

scanner/inventory_scanner_mem.go

@@ -0,0 +1,32 @@
+package scanner
+
+import (
+	"regexp"
+
+	"github.com/boostsecurityio/poutine/models"
+	"github.com/rs/zerolog/log"
+)
+
+type MemParser interface {
+	MatchPattern() *regexp.Regexp
+	ParseFromMemory(data []byte, filePath string, pkgInsights *models.PackageInsights) error
+}
+
+type InventoryScannerMem struct {
+	Files   map[string][]byte
+	Parsers []MemParser
+}
+
+func (s *InventoryScannerMem) Run(pkgInsights *models.PackageInsights) error {
+	for path, data := range s.Files {
+		for _, parser := range s.Parsers {
+			if !parser.MatchPattern().MatchString(path) {
+				continue
+			}
+			if err := parser.ParseFromMemory(data, path, pkgInsights); err != nil {
+				log.Error().Str("file", path).Err(err).Msg("error parsing matched file")
+			}
+		}
+	}
+	return nil
+}