Merge pull request #3 from snyk-labs/feat/repo-alias

feat: repo alias
snyk-labs · Apr 1, 2024 · 40de070 · 40de070
2 parents ebf60b3 + dceb795
commit 40de070
Show file tree

Hide file tree

Showing 24 changed files with 7,446 additions and 630 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @snyk-labs/cs-engineers
diff --git a/.github/ISSUE_TEMPLATE/bug-report.md b/.github/ISSUE_TEMPLATE/bug-report.md
@@ -0,0 +1,31 @@
+---
+name: "\U0001F41B Bug report"
+about: Submit a bug
+title: "[\U0001F41B]"
+labels: "\U0001F41B  bug"
+assignees: ''
+---
+
+- poetry version
+- python version
+- OS: (e.g. MacOS, Linux/UNIX, Windows)
+- Command run
+
+### Expected behaviour
+Please share _expected_ behaviour.
+
+### Actual behaviour
+Please share _problematic_ behaviour you are seeing.
+
+### Steps to reproduce
+Please share _minimal_ steps needed to reproduce your issue. Ideally
+a paired down manifest / project to showcase the problem that can also
+be used for testing.
+
+
+### Debug log
+If applicable, please include debug output here **ensuring to remove any sensitive/personal details or tokens.
+
+
+### Screenshots
+If applicable, add screenshots to help explain your problem.
diff --git a/.github/ISSUE_TEMPLATE/feature-request.md b/.github/ISSUE_TEMPLATE/feature-request.md
@@ -0,0 +1,18 @@
+---
+name: "\U0001F64F Feature Request"
+about: Submit a feature request
+title: "[\U0001F64F]"
+labels: "\U0001F64F feature request"
+assignees: ''
+---
+
+**Describe the user need**
+E.g. I want Snyk to ...
+
+**Describe expected behaviour**
+
+If you have an idea how you would like this to behave please share in as much detail as possible.
+
+**Additional context**
+
+Add any other context or screenshots about the feature request here.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,20 @@
+- [ ] Tests written and linted
+- [ ] Documentation written in [README](../README.md)
+- [ ] Commit history is tidy & follows Contributing guidelines
+
+
+### What this does
+
+_Explain why this PR exists_
+
+### Notes for the reviewer
+
+_Instructions on how to run this locally, background context, what to review, questions…_
+
+### More information
+
+- [Link to documentation]()
+
+### Screenshots
+
+_Visuals that may help the reviewer_
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,30 @@
+name: Build and Test
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+jobs:
+  pytest:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Set up Python 3.9
+        uses: actions/setup-python@v2
+        with:
+          python-version: 3.9
+
+      - name: Install Poetry
+        run: pip install poetry
+
+      - name: Install dependencies
+        run: $HOME/.poetry/bin/poetry install -v
+        env:
+          POETRY_VIRTUALENVS_IN_PROJECT: true
+
+      - name: Run pytest
+        run: |
+          $HOME/.poetry/bin/poetry run pytest -v --ruff --ruff-format
+  
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@
 
 ## bazel2snyk
 
-convert the third party dependency output from `bazel query` into a snyk depgraph object to be tested or monitored as a project via the API.
+Convert the third party dependency output from `bazel query` into a snyk depgraph object to be tested or monitored as a project via the API.
 
 Bazel [targets](https://docs.bazel.build/versions/main/skylark/lib/Target.html) should be mapped to Snyk projects. 
 
@@ -16,25 +16,31 @@ bazel query "deps(//app/package:target)" --noimplicit_deps --output xml > bazel_
 
 ## Usage
 
-The `bazel query` XML output can then be post processed by this script, which provides for the following commands to be used in a CI workflow.
+The `bazel query` XML output can then be post processed by this script, which provides for the following commands to be used in a CI workflow or local development environment.
 
 | command     | description                                                                                                                           |
 |-------------|---------------------------------------------------------------------------------------------------------------------------------------|
 | print-graph | prints converted Snyk depGraph JSON to STDOUT                                                                                         |
 | test        | tests the depGraph for issues via Snyk API. Returns exit code 1 if issues are found and prints the tests results JSON to SDOUT        |
-| monitor     | submits the depGraph for continuous monitoring via Snyk API. Prints the response JSON to STDOUT including the snapshot URL in snyk.io |
+| monitor     | submits the depGraph for continuous monitoring via Snyk API. Prints the response JSON to STDOUT including the [snapshot](docs/images/b2s_snyk_deps.png) URL in snyk.io |
 
 ```
 Usage: cli.py [OPTIONS] COMMAND [ARGS]...
 
+  Convert Bazel query output to Snyk depGraph for testing and monitoring
+
 Options:
   --bazel-deps-xml TEXT           Path to bazel query XML output file  [env
                                   var:  bazel_deps_xml; default:
                                   bazel_deps.xml]
   --bazel-target TEXT             Name of the target, e.g. //store/api:main
-                                  [env var: BAZEL_TARGET]
-  --package-source [maven|pip]    Name of the target, e.g. //store/api:main
+                                  [env var: BAZEL_TARGET; required]
+  --package-source TEXT           Name of the target, e.g. //store/api:main
                                   [env var: PACKAGE_SOURCE; default: maven]
+  --alt-repo-names TEXT           specify comma-delimitied list if you have
+                                  repos with different names for either @maven
+                                  or @pypi, e.g. @maven_repo_1, @maven_repo_2
+                                  [env var: ALT_REPO_NAMES]
   --debug / --no-debug            Set log level to debug  [default: no-debug]
   --print-deps / --no-print-deps  Print bazel dependency structure  [default:
                                   no-print-deps]
@@ -45,24 +51,36 @@ Options:
   --help                          Show this message and exit.
 
 Commands:
-  monitor
-  print-graph
-  test
+  monitor      Continously retest your Bazel target's OSS dependencies...
+  print-graph  Print the Snyk depGraph representation of the dependency...
+  test         Test your Bazel target's OSS depedencies for security...
   ```
 
 export your SNYK_TOKEN before running the script
 
-### print-graph
+### `print-graph`
 ```
 poetry run python3 bazel2snyk/cli.py \
+    --package-source=maven \
     --bazel-deps-xml=bazel_deps.xml \
     --bazel-target=//app/package:target \
     print-graph
 ```
 
-### test
+### `test` pip project
 ```
 poetry run python3 bazel2snyk/cli.py \
+    --package-source=pip \
+    --bazel-deps-xml=bazel_deps.xml \
+    --bazel-target=//app/package:target \
+    test \
+    --snyk-org-id=a1f3f68e-99b1-4f3f-bfdb-6ee4b4990513
+```
+
+### `test` maven project
+```
+poetry run python3 bazel2snyk/cli.py \
+    --package-source=maven \
     --bazel-deps-xml=bazel_deps.xml \
     --bazel-target=//app/package:target \
     test \
@@ -92,11 +110,33 @@ exiting with code 1
 
 ```
 
-### monitor
+### `monitor` pip project
+```
+poetry run python3 bazel2snyk/cli.py \
+    --package-source=pip \
+    --bazel-deps-xml=bazel_deps.xml \
+    --bazel-target=//app/package:target \
+    monitor \
+    --snyk-org-id=a1f3f68e-99b1-4f3f-bfdb-6ee4b4990513
+```
+
+### `monitor` maven project
+```
+poetry run python3 bazel2snyk/cli.py \
+    --package-source=maven \
+    --bazel-deps-xml=bazel_deps.xml \
+    --bazel-target=//app/package:target \
+    monitor \
+    --snyk-org-id=a1f3f68e-99b1-4f3f-bfdb-6ee4b4990513
+```
+
+### `monitor` maven project using alternate repo name
 ```
 poetry run python3 bazel2snyk/cli.py \
+    --package-source=maven \
     --bazel-deps-xml=bazel_deps.xml \
     --bazel-target=//app/package:target \
+    --alt-repo-names="@multiversion_maven"
     monitor \
     --snyk-org-id=a1f3f68e-99b1-4f3f-bfdb-6ee4b4990513
 ```
@@ -119,13 +159,12 @@ If you encounter a HTTP 500 when performing `test` or `monitor` commands, then t
 What is likely happening is that there are too many vulnerable paths for the system (>100,000), so
 pruning the repeated sub-dependencies will alleviate this.
 
-You may run with --prune all the time to avoid this error.
+You may run with `--prune` all the time to avoid this error.
 
-## Supported package types
+## Currently supported package types
 * maven (tested with rules_jvm_external)
 * python pip (tested with rules_python)
 
 ## Todo
 - Investigate and add support for additional package types
-- Automated test suite
-- Additional error handling/messages
+- Add [semantic versioning and release](https://github.com/python-semantic-release/python-semantic-release) for github
diff --git a/bazel2snyk/__init__.py b/bazel2snyk/__init__.py
@@ -1,2 +1,10 @@
-from .snyk_dep_graph import DepGraph
-from .bazel import BazelXmlParser
+import logging
+import os
+import bazel2snyk
+
+BASE_PATH = os.path.dirname(bazel2snyk.__file__)
+
+logger = logging.getLogger(__name__)
+FORMAT = "[%(filename)s:%(lineno)4s - %(funcName)s ] %(message)s"
+logging.basicConfig(format=FORMAT)
+logger.setLevel(logging.WARN)