Frogbot shouldn't attempt upgrading Go and Pip (#315)

omerzi · web-flow · commit 5a7f2973ce49 · 2023-04-30T11:13:00.000+03:00
diff --git a/commands/createfixpullrequests.go b/commands/createfixpullrequests.go
@@ -12,6 +12,7 @@ import (
 	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
 	"github.com/jfrog/jfrog-client-go/utils/log"
 	"github.com/jfrog/jfrog-client-go/xray/services"
+	"golang.org/x/exp/slices"
 	"os"
 	"strings"
 )
@@ -305,6 +306,13 @@ func (cfp *CreateFixPullRequestsCmd) updatePackageToFixedVersion(impactedPackage
 			}
 		}()
 	}
+	// Skip build tools dependencies (for example, pip)
+	// That are not defined in the descriptor file and cannot be fixed by a PR.
+	if slices.Contains(utils.BuildToolsDependenciesMap[fixVersionInfo.PackageType], impactedPackage) {
+		log.Info("Skipping vulnerable package", impactedPackage, "since it is not defined in your package descriptor file.",
+			"Update", impactedPackage, "version to", fixVersionInfo.FixVersion, "to fix this vulnerability.")
+		return
+	}
 	packageHandler := packagehandlers.GetCompatiblePackageHandler(fixVersionInfo, cfp.details, &cfp.mavenDepToPropertyMap)
 	return packageHandler.UpdateImpactedPackage(impactedPackage, fixVersionInfo)
 }
diff --git a/commands/createfixpullrequests_test.go b/commands/createfixpullrequests_test.go
@@ -25,13 +25,15 @@ type packageFixTest struct {
 	fixVersion           string
 	packageDescriptor    string
 	testPath             string
+	shouldNotFix         bool
 	fixPackageVersionCmd FixPackagesTestFunc
 }
 
 var packageFixTests = []packageFixTest{
 	{technology: coreutils.Maven, impactedPackaged: "junit", fixVersion: "4.11", packageDescriptor: "pom.xml", fixPackageVersionCmd: getMavenFixPackageVersionFunc()},
 	{technology: coreutils.Npm, impactedPackaged: "minimatch", fixVersion: "3.0.2", packageDescriptor: "package.json", fixPackageVersionCmd: getGenericFixPackageVersionFunc()},
 	{technology: coreutils.Go, impactedPackaged: "github.com/google/uuid", fixVersion: "1.3.0", packageDescriptor: "go.mod", fixPackageVersionCmd: getGenericFixPackageVersionFunc()},
+	{technology: coreutils.Go, impactedPackaged: "github.com/golang/go", fixVersion: "1.20.3", packageDescriptor: "go.mod", fixPackageVersionCmd: getGenericFixPackageVersionFunc(), shouldNotFix: true},
 	{technology: coreutils.Yarn, impactedPackaged: "minimist", fixVersion: "1.2.6", packageDescriptor: "package.json", fixPackageVersionCmd: getGenericFixPackageVersionFunc()},
 	{technology: coreutils.Pipenv, impactedPackaged: "pyjwt", fixVersion: "2.4.0", packageDescriptor: "Pipfile", fixPackageVersionCmd: getGenericFixPackageVersionFunc()},
 	{technology: coreutils.Pipenv, impactedPackaged: "Pyjwt", fixVersion: "2.4.0", packageDescriptor: "Pipfile", fixPackageVersionCmd: getGenericFixPackageVersionFunc()},
@@ -40,6 +42,9 @@ var packageFixTests = []packageFixTest{
 	{technology: coreutils.Pip, impactedPackaged: "pyjwt", fixVersion: "2.4.0", packageDescriptor: "requirements.txt", fixPackageVersionCmd: getGenericFixPackageVersionFunc()},
 	{technology: coreutils.Pip, impactedPackaged: "PyJwt", fixVersion: "2.4.0", packageDescriptor: "requirements.txt", fixPackageVersionCmd: getGenericFixPackageVersionFunc()},
 	{technology: coreutils.Pip, impactedPackaged: "pyjwt", fixVersion: "2.4.0", packageDescriptor: "setup.py", fixPackageVersionCmd: getGenericFixPackageVersionFunc()},
+	{technology: coreutils.Pip, impactedPackaged: "pip", fixVersion: "23.1", packageDescriptor: "setup.py", fixPackageVersionCmd: getGenericFixPackageVersionFunc(), shouldNotFix: true},
+	{technology: coreutils.Pip, impactedPackaged: "wheel", fixVersion: "2.3.0", packageDescriptor: "setup.py", fixPackageVersionCmd: getGenericFixPackageVersionFunc(), shouldNotFix: true},
+	{technology: coreutils.Pip, impactedPackaged: "setuptools", fixVersion: "66.6.6", packageDescriptor: "setup.py", fixPackageVersionCmd: getGenericFixPackageVersionFunc(), shouldNotFix: true},
 }
 
 var requirementsFile = "oslo.config>=1.12.1,<1.13\noslo.utils<5.0,>=4.0.0\nparamiko==2.7.2\npasslib<=1.7.4\nprance>=0.9.0\nprompt-toolkit~=1.0.15\npyinotify>0.9.6\nPyJWT>1.7.1\nurllib3 > 1.1.9, < 1.5.*"
@@ -150,9 +155,13 @@ func TestFixPackageVersion(t *testing.T) {
 				assert.NoError(t, cfg.updatePackageToFixedVersion(test.impactedPackaged, fixVersionInfo))
 				file, err := os.ReadFile(test.packageDescriptor)
 				assert.NoError(t, err)
-				assert.Contains(t, string(file), test.fixVersion)
-				// Verify that case-sensitive packages in python are lowered
-				assert.Contains(t, string(file), strings.ToLower(test.impactedPackaged))
+				if test.shouldNotFix {
+					assert.NotContains(t, string(file), test.fixVersion)
+				} else {
+					assert.Contains(t, string(file), test.fixVersion)
+					// Verify that case-sensitive packages in python are lowered
+					assert.Contains(t, string(file), strings.ToLower(test.impactedPackaged))
+				}
 			})
 		}()
 	}
diff --git a/commands/utils/packagehandlers/genericpackagehandler.go b/commands/utils/packagehandlers/genericpackagehandler.go
@@ -14,16 +14,14 @@ type PackageHandler interface {
 	UpdateImpactedPackage(impactedPackage string, fixVersionInfo *utils.FixVersionInfo, extraArgs ...string) error
 }
 
-func GetCompatiblePackageHandler(fixVersionInfo *utils.FixVersionInfo, pipfilePath *utils.ScanDetails, mavenPropertyMap *map[string][]string) PackageHandler {
+func GetCompatiblePackageHandler(fixVersionInfo *utils.FixVersionInfo, details *utils.ScanDetails, mavenPropertyMap *map[string][]string) PackageHandler {
 	switch fixVersionInfo.PackageType {
-	case coreutils.Go:
-		return &GoPackageHandler{}
 	case coreutils.Maven:
 		return &MavenPackageHandler{mavenDepToPropertyMap: *mavenPropertyMap}
 	case coreutils.Poetry:
 		return &PythonPackageHandler{}
 	case coreutils.Pip:
-		return &PythonPackageHandler{pipRequirementsFile: pipfilePath.PipRequirementsFile}
+		return &PythonPackageHandler{pipRequirementsFile: details.PipRequirementsFile}
 	default:
 		return &GenericPackageHandler{FixVersionInfo: fixVersionInfo}
 	}
diff --git a/commands/utils/packagehandlers/gopackagehandler.go b/commands/utils/packagehandlers/gopackagehandler.go
diff --git a/commands/utils/packagehandlers/pythonpackagehandler.go b/commands/utils/packagehandlers/pythonpackagehandler.go
@@ -15,7 +15,6 @@ const (
 
 	// Package names are case-insensitive with this prefix
 	PythonPackageRegexPrefix = "(?i)"
-
 	// Match all possible operators and versions syntax
 	PythonPackageRegexSuffix = "\\s*(([\\=\\<\\>\\~]=)|([\\>\\<]))\\s*(\\.|\\d)*(\\d|(\\.\\*))(\\,\\s*(([\\=\\<\\>\\~]=)|([\\>\\<])).*\\s*(\\.|\\d)*(\\d|(\\.\\*)))?"
 )
@@ -35,7 +34,7 @@ func (py *PythonPackageHandler) UpdateImpactedPackage(impactedPackage string, fi
 	case coreutils.Pipenv:
 		return py.GenericPackageHandler.UpdateImpactedPackage(impactedPackage, fixVersionInfo, extraArgs...)
 	default:
-		return errors.New("Unknown python package manger: " + fixVersionInfo.PackageType.GetPackageType())
+		return errors.New("unknown python package manger: " + fixVersionInfo.PackageType.GetPackageType())
 	}
 }
 
diff --git a/commands/utils/utils.go b/commands/utils/utils.go
@@ -41,6 +41,11 @@ var (
 	branchInvalidCharsRegex = regexp.MustCompile(branchNameRegex)
 )
 
+var BuildToolsDependenciesMap = map[coreutils.Technology][]string{
+	coreutils.Go:  {"github.com/golang/go"},
+	coreutils.Pip: {"pip", "setuptools", "wheel"},
+}
+
 type ErrMissingEnv struct {
 	VariableName string
 }

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ import (`
`12`	`12`	`"github.com/jfrog/jfrog-client-go/utils/io/fileutils"`
`13`	`13`	`"github.com/jfrog/jfrog-client-go/utils/log"`
`14`	`14`	`"github.com/jfrog/jfrog-client-go/xray/services"`
	`15`	`+ "golang.org/x/exp/slices"`
`15`	`16`	`"os"`
`16`	`17`	`"strings"`
`17`	`18`	`)`
`@@ -305,6 +306,13 @@ func (cfp *CreateFixPullRequestsCmd) updatePackageToFixedVersion(impactedPackage`
`305`	`306`	`}`
`306`	`307`	`}()`
`307`	`308`	`}`
	`309`	`+ // Skip build tools dependencies (for example, pip)`
	`310`	`+ // That are not defined in the descriptor file and cannot be fixed by a PR.`
	`311`	`+ if slices.Contains(utils.BuildToolsDependenciesMap[fixVersionInfo.PackageType], impactedPackage) {`
	`312`	`+ log.Info("Skipping vulnerable package", impactedPackage, "since it is not defined in your package descriptor file.",`
	`313`	`+ "Update", impactedPackage, "version to", fixVersionInfo.FixVersion, "to fix this vulnerability.")`
	`314`	`+ return`
	`315`	`+ }`
`308`	`316`	`packageHandler := packagehandlers.GetCompatiblePackageHandler(fixVersionInfo, cfp.details, &cfp.mavenDepToPropertyMap)`
`309`	`317`	`return packageHandler.UpdateImpactedPackage(impactedPackage, fixVersionInfo)`
`310`	`318`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,6 @@ const (`
`15`	`15`
`16`	`16`	`// Package names are case-insensitive with this prefix`
`17`	`17`	`PythonPackageRegexPrefix = "(?i)"`
`18`		`-`
`19`	`18`	`// Match all possible operators and versions syntax`
`20`	`19`	`PythonPackageRegexSuffix = "\\s(([\\=\\<\\>\\~]=)\|([\\>\\<]))\\s(\\.\|\\d)(\\d\|(\\.\\))(\\,\\s(([\\=\\<\\>\\~]=)\|([\\>\\<])).\\s(\\.\|\\d)(\\d\|(\\.\\*)))?"`
`21`	`20`	`)`
`@@ -35,7 +34,7 @@ func (py *PythonPackageHandler) UpdateImpactedPackage(impactedPackage string, fi`
`35`	`34`	`case coreutils.Pipenv:`
`36`	`35`	`return py.GenericPackageHandler.UpdateImpactedPackage(impactedPackage, fixVersionInfo, extraArgs...)`
`37`	`36`	`default:`
`38`		`- return errors.New("Unknown python package manger: " + fixVersionInfo.PackageType.GetPackageType())`
	`37`	`+ return errors.New("unknown python package manger: " + fixVersionInfo.PackageType.GetPackageType())`
`39`	`38`	`}`
`40`	`39`	`}`
`41`	`40`
Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,11 @@ var (`
`41`	`41`	`branchInvalidCharsRegex = regexp.MustCompile(branchNameRegex)`
`42`	`42`	`)`
`43`	`43`
	`44`	`+var BuildToolsDependenciesMap = map[coreutils.Technology][]string{`
	`45`	`+ coreutils.Go: {"github.com/golang/go"},`
	`46`	`+ coreutils.Pip: {"pip", "setuptools", "wheel"},`
	`47`	`+}`
	`48`	`+`
`44`	`49`	`type ErrMissingEnv struct {`
`45`	`50`	`VariableName string`
`46`	`51`	`}`