From 02ba94923bcb274f685ff721b18dcc9589e86718 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ga=C5=A1per=20Grom?=
Date: Mon, 18 May 2026 14:14:49 +0100
Subject: [PATCH 1/3] chore: update pvtr plugin to ossf repo and v0.23.2 (IN-986)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Gašper Grom
---
.../docker/Dockerfile.security_best_practices_worker | 10 +++++-----
.../security_best_practices_worker/example-config.yml | 2 +-
.../src/activities/index.ts | 2 +-
3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/scripts/services/docker/Dockerfile.security_best_practices_worker b/scripts/services/docker/Dockerfile.security_best_practices_worker
index c30cb8d911..ddeccb62d0 100644
--- a/scripts/services/docker/Dockerfile.security_best_practices_worker
+++ b/scripts/services/docker/Dockerfile.security_best_practices_worker
@@ -11,11 +11,11 @@ RUN tar -xzf privateer_${PLATFORM}.tar.gz FROM golang:1.24.4-alpine3.21 AS plugin RUN apk add --no-cache make git WORKDIR /plugin -ARG PVTR_COMMIT=88d79df63e6140c593cf15366ed63992e1fbed63 -# To run the latest version of the plugin, we need to use the latest commit of the pvtr-github-repo repository. -# Currently using the version https://github.com/revanite-io/pvtr-github-repo/commit/88d79df63e6140c593cf15366ed63992e1fbed63 -RUN git clone https://github.com/revanite-io/pvtr-github-repo.git && cd pvtr-github-repo && git checkout ${PVTR_COMMIT} -RUN cd pvtr-github-repo && make binary && cp github-repo ../github-repo +ARG PVTR_COMMIT=c7bd9538d64f7eaab94a05c9b5fd05458a387b1c +# To run the latest version of the plugin, we need to use the latest commit of the pvtr-github-repo-scanner repository. +# Currently using v0.23.2: https://github.com/ossf/pvtr-github-repo-scanner/commit/c7bd9538d64f7eaab94a05c9b5fd05458a387b1c +RUN git clone https://github.com/ossf/pvtr-github-repo-scanner.git && cd pvtr-github-repo-scanner && git checkout ${PVTR_COMMIT} +RUN cd pvtr-github-repo-scanner && make binary && cp github-repo ../github-repo FROM node:20-alpine as builder diff --git a/services/apps/security_best_practices_worker/example-config.yml b/services/apps/security_best_practices_worker/example-config.yml index 5117ad28d5..f6619448b1 100644 --- a/services/apps/security_best_practices_worker/example-config.yml +++ b/services/apps/security_best_practices_worker/example-config.yml @@ -7,7 +7,7 @@ services: policy: catalogs: - - OSPS_B + - osps-baseline-2026-02 applicability: - Maturity Level 1 diff --git a/services/apps/security_best_practices_worker/src/activities/index.ts b/services/apps/security_best_practices_worker/src/activities/index.ts index 6864ed2258..543cf5b7fc 100644 --- a/services/apps/security_best_practices_worker/src/activities/index.ts +++ b/services/apps/security_best_practices_worker/src/activities/index.ts 
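Review bot: The comment on the new `PVTR_COMMIT` lines still says the build needs "the latest commit" of the repository, while the build actually pins one commit labelled v0.23.2, so the next maintainer may bump to HEAD instead of a tagged release; reword it to `# Pinned to ossf/pvtr-github-repo-scanner v0.23.2 (commit c7bd9538d64f7eaab94a05c9b5fd05458a387b1c); update PVTR_COMMIT deliberately when upgrading.` Pinning by full commit hash rather than by tag is the right choice here, since tags can be moved. The unchanged `cp github-repo ../github-repo` in the last `RUN` assumes that `make binary` in the renamed repository still emits a binary called `github-repo`; if the Makefile target changed with the move to ossf, the image build fails on that line, which is at least loud rather than silent.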
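Review bot: The catalog id `osps-baseline-2026-02` set here is duplicated verbatim as `const CATALOG_ID = 'osps-baseline-2026-02'` in the `saveOSPSBaselineInsightsToDB` hunk of `services/apps/security_best_practices_worker/src/activities/index.ts`; the two literals must be changed together, or evaluations produced under one id will not be looked up under the other. Consider having the worker derive the id from the same configuration it hands to the scanner, or at least mark both sites with a cross-reference such as `# must match CATALOG_ID in src/activities/index.ts`. The `applicability` entry below is unchanged context.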
@@ -93,7 +93,7 @@ export async function saveOSPSBaselineInsightsToDB( key: string, repo: ISecurityInsightsObsoleteRepo, ): Promise { - const CATALOG_ID = 'OSPS_B' + const CATALOG_ID = 'osps-baseline-2026-02' const redisCache = new RedisCache(`osps-baseline-insights`, svc.redis, svc.log) const result = await redisCache.get(key) const parsedResult: ISecurityInsightsPrivateerResult = JSON.parse(result) From e7b33bf4583f692ceaf5fda2896dee253b688c4d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ga=C5=A1per=20Grom?= Date: Mon, 18 May 2026 14:25:54 +0100 Subject: [PATCH 2/3] chore: bump golang image to 1.26.3 for pvtr-github-repo-scanner compatibility (IN-986) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gašper Grom --- .../services/docker/Dockerfile.security_best_practices_worker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/services/docker/Dockerfile.security_best_practices_worker b/scripts/services/docker/Dockerfile.security_best_practices_worker index ddeccb62d0..c954c19fde 100644 --- a/scripts/services/docker/Dockerfile.security_best_practices_worker +++ b/scripts/services/docker/Dockerfile.security_best_practices_worker @@ -8,7 +8,7 @@ ARG PLATFORM=Linux_x86_64 RUN wget https://github.com/privateerproj/privateer/releases/download/v${VERSION}/privateer_${PLATFORM}.tar.gz RUN tar -xzf privateer_${PLATFORM}.tar.gz -FROM golang:1.24.4-alpine3.21 AS plugin +FROM golang:1.26.3-alpine3.23 AS plugin RUN apk add --no-cache make git WORKDIR /plugin ARG PVTR_COMMIT=c7bd9538d64f7eaab94a05c9b5fd05458a387b1c From f5e33c80b389fa51ba745148782ff8fd9a41aeaa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ga=C5=A1per=20Grom?= Date: Mon, 18 May 2026 15:04:56 +0100 Subject: [PATCH 3/3] fix: scope findSuiteControlEvaluation by suiteId to prevent duplicate row error (IN-986) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Gašper Grom
---
.../security_best_practices_worker/src/activities/index.ts | 1 +
services/libs/data-access-layer/src/security_insights/index.ts | 3 +++
2 files changed, 4 insertions(+)

diff --git a/services/apps/security_best_practices_worker/src/activities/index.ts b/services/apps/security_best_practices_worker/src/activities/index.ts
index 543cf5b7fc..d7eb39c1dd 100644
--- a/services/apps/security_best_practices_worker/src/activities/index.ts
+++ b/services/apps/security_best_practices_worker/src/activities/index.ts
@@ -131,6 +131,7 @@ export async function saveOSPSBaselineInsightsToDB(
 qx,
 repo.repoUrl,
 evaluation['control-id'],
+ suite.id,
 )
 for (const assessment of evaluation.assessments) {
 await addControlEvaluationAssessment(qx, {
diff --git a/services/libs/data-access-layer/src/security_insights/index.ts b/services/libs/data-access-layer/src/security_insights/index.ts
index 5289d392a8..54f869dfff 100644
--- a/services/libs/data-access-layer/src/security_insights/index.ts
+++ b/services/libs/data-access-layer/src/security_insights/index.ts
@@ -102,16 +102,19 @@ export async function findSuiteControlEvaluation(
 qx: QueryExecutor,
 repo: string,
 controlId: string,
+ suiteId?: string,
 ): Promise {
 return await qx.selectOneOrNone(
 `
 select * from "securityInsightsEvaluations"
 where "repo" = $(repo)
 and "controlId" = $(controlId)
+ ${suiteId ? 'and "securityInsightsEvaluationSuiteId" = $(suiteId)' : ''}
 `,
 {
 repo,
 controlId,
+ suiteId,
 },
 )
 }
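Review bot: `suiteId` is optional in `findSuiteControlEvaluation`, so any caller that omits it still gets the unscoped lookup that produced the duplicate-row error this commit fixes; the activities hunk above now passes `suite.id`, but the old three-argument call still type-checks, and the function's name already promises suite scoping. Unless another caller genuinely needs the unscoped form, declare it as `suiteId: string,` and make the predicate unconditional, `and "securityInsightsEvaluationSuiteId" = $(suiteId)`, which also removes the template interpolation that makes the SQL text vary per call. The truthiness test `suiteId ?` additionally drops the filter for an empty-string id, so if the parameter must stay optional compare with `suiteId !== undefined` instead. The interpolated fragment is a constant and the value is bound through `$(suiteId)`, so this is a scoping and readability concern rather than an injection one; the function's signature line precedes the hunk.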