Create pipeline for symbol reachability#2151
Conversation
944dcbe to
da128db
Compare
|
The pipeline requires the unidiff dependency to parse diffs/patch text |
d5fed3d to
08512ab
Compare
|
This depends on: We have an API support for patching VulnerableCode, see: |
08512ab to
503af03
Compare
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Fix the test Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Add missing logic for imports Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Improve pipeline structure Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Fix formating tests Signed-off-by: ziad hany <ziadhany2016@gmail.com>
3686a85 to
dfbb4db
Compare
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Fix formating Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
There was a problem hiding this comment.
I'm not sure if we need to update all these dependency. I just ran uv add unidiff, which updated it automatically.
|
I'm also not sure why Run unit tests on macOS / run-unit-tests (3.13) is failing. |
|
@ziadhany try to fix the failing test please |
| data = { | ||
| "purls": purls, | ||
| "details": True, | ||
| "reachability": True, |
There was a problem hiding this comment.
You should only go for reachability if collect_symbols_reachability has called it, not for every VCIO call
|
|
||
|
|
||
| class PatchAnalyzer: | ||
| EMPTY_TREE_SHA = "4b825dc642cb6eb9a060e54bf8b8e6f9b79b4d2b" |
|
|
||
| return files | ||
|
|
||
| def get_commit_diff_text(self): |
|
@ziadhany this mostly looks good, let's have a session soon and do a demo and understand the limitations of the current approach |
| "urllib3==2.7.0", | ||
| "idna==3.16", | ||
| "GitPython==3.1.50", | ||
| "unidiff==0.7.5", |
There was a problem hiding this comment.
Is this absolutely needed? No built-in solutions available?
| analyze_docker_image = "scanpipe.pipelines.analyze_docker:Docker" | ||
| analyze_root_filesystem_or_vm_image = "scanpipe.pipelines.analyze_root_filesystem:RootFS" | ||
| analyze_windows_docker_image = "scanpipe.pipelines.analyze_docker_windows:DockerWindows" | ||
| analyze_symbols_reachability = "scanpipe.pipelines.collect_symbols_reachability:SymbolReachability" |
There was a problem hiding this comment.
analyze_symbols_reachability / collect_symbols_reachability
We need consistency, same for step and pipe names
Issues
Changes
Add Pipeline(s) that can retrieve vulnerable / fix symbols, collect local symbols (pur2sym) and match them
Pipeline Graph:
flowchart TD %% Main Entry Point Start([collect_and_store_symbol_reachability_results]) --> GetResources[Filter candidate_resources] GetResources --> GroupPatches[Group fixed_in_patches by vcs_url] GroupPatches --> RepoLoop{For each repository} %% Repository Processing RepoLoop -->|Process Repo| GitContext[GitRepositoryContext] GitContext -->|Clone & Enter| PatchLoop{For each patch} %% Patch Processing PatchLoop -->|Next Patch| GitCheckout[Checkout commit_hash] GitCheckout --> GenReport[generate_reachability_report] %% Patch Analysis Stage GenReport --> PatchAnalyzer[PatchAnalyzer.collect_patch_symbols] PatchAnalyzer --> AnalyzeDiff[Get Diff & Changed Files] AnalyzeDiff --> PatchAnalyzeLoop[Analyze vulnerable & fixed texts] PatchAnalyzeLoop --> DetectLang[detect_language_with_scancode] DetectLang --> ParsePatchAST[LanguageQuery.parse_code_to_ast] ParsePatchAST --> ExtractPatchSymbols[SymbolExtractor: Extract Changed Symbols] ExtractPatchSymbols --> DiffSymbols[diff_changed_symbols] DiffSymbols --> ResourceLoop{For each candidate_resource} %% Resource Matching Stage ResourceLoop -->|Next Resource| LangCheck{Language matches patch?} LangCheck -->|No| ResourceLoop LangCheck -->|Yes| ResAnalyzer[ResourceAnalyzer.build_index] ResAnalyzer --> ParseResAST[Parse Resource to AST] ParseResAST --> IndexResSymbols[Extract definitions, imports, calls] IndexResSymbols --> Matcher[ResourcePatchMatcher.match] Matcher --> MatchVuln[Match Vulnerable Symbols] Matcher --> MatchFixed[Match Fixed Symbols] MatchVuln & MatchFixed --> CheckEvidence{Evidence found?} CheckEvidence -->|No| ResourceLoop %% Reporting Stage CheckEvidence -->|Yes| Classify[classify_reachability] Classify --> StatusReach[REACHABLE / POTENTIALLY / NOT_REACHABLE] StatusReach --> UpdateData[Update resource.extra_data] UpdateData --> ResourceLoop %% Loop Backs and Exit ResourceLoop -->|All resources checked| PatchLoop PatchLoop -->|All patches checked| RepoLoop RepoLoop -->|All repos checked| End([End Process]) %% Styling classDef functionNode fill:#e1f5fe,stroke:#03a9f4,stroke-width:2px; classDef logicNode fill:#fff3e0,stroke:#ff9800,stroke-width:2px; classDef loopNode fill:#f3e5f5,stroke:#9c27b0,stroke-width:2px; class Start,GenReport,PatchAnalyzer,ResAnalyzer,Matcher,Classify functionNode; class RepoLoop,PatchLoop,ResourceLoop loopNode; class LangCheck,CheckEvidence logicNode;Checklist