Merge pull request #31 from mborne/28-trivy-disabled

chore(trivy): add TRIVY_ENABLED option (closes #28)
mborne · Mar 24, 2024 · b1bde5c · b1bde5c
2 parents 8512537 + 14748bb
commit b1bde5c
Show file tree

Hide file tree

Showing 7 changed files with 73 additions and 9 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -57,6 +57,7 @@ jobs:
         XDEBUG_MODE: coverage
         SYMFONY_DEPRECATIONS_HELPER: weak
         GIT_MANAGER_DIR: /tmp/git-manager-test
+        TRIVY_ENABLED: false
 
     - name: Upload coverage results to coveralls.io
       if: github.ref == 'refs/heads/master' && matrix.php-version == '8.2'

diff --git a/README.md b/README.md
@@ -18,9 +18,10 @@ CLI helpers to manage a set of git repositories.
 
 ## Parameters
 
-| Name              | Description                           | Default            |
-| ----------------- | ------------------------------------- | ------------------ |
-| `GIT_MANAGER_DIR` | Directory containing git repositories | `/var/git-manager` |
+| Name              | Description                           | Default                 |
+| ----------------- | ------------------------------------- | ----------------------- |
+| `GIT_MANAGER_DIR` | Directory containing git repositories | `{projectDir}/var/data` |
+| `TRIVY_ENABLED`   | Enable/disable trivy scan             | `true`                  |
 
 ## Setup
 

diff --git a/config/services.yaml b/config/services.yaml
@@ -1,5 +1,6 @@
 parameters:
     env(GIT_MANAGER_DIR): '%kernel.project_dir%/var/data'
+    env(TRIVY_ENABLED): 'true'
 
 services:
     _defaults:
@@ -8,6 +9,7 @@ services:
         public: false
         bind:
             $dataDir: '%env(GIT_MANAGER_DIR)%'
+            $trivyEnabled: '%env(bool:TRIVY_ENABLED)%'
 
     MBO\GitManager\:
         resource: '../src/*'

diff --git a/src/Git/Analyzer.php b/src/Git/Analyzer.php
@@ -6,6 +6,7 @@
 use MBO\GitManager\Git\Checker\LicenseChecker;
 use MBO\GitManager\Git\Checker\ReadmeChecker;
 use MBO\GitManager\Git\Checker\TrivyChecker;
+use Psr\Log\LoggerInterface;
 
 /**
  * Analyze git repository to provide informations.
@@ -17,12 +18,14 @@ class Analyzer
      */
     private $checkers;
 
-    public function __construct()
-    {
+    public function __construct(
+        bool $trivyEnabled,
+        private LoggerInterface $logger
+    ) {
         $this->checkers = [
-            new ReadmeChecker(),
-            new LicenseChecker(),
-            new TrivyChecker(),
+            new ReadmeChecker($logger),
+            new LicenseChecker($logger),
+            new TrivyChecker($trivyEnabled, $logger),
         ];
     }
 
@@ -33,6 +36,9 @@ public function __construct()
      */
     public function getMetadata(GitRepository $gitRepository): array
     {
+        $this->logger->debug('[Analyser] retrieve git metadata...', [
+            'repository' => $gitRepository->getWorkingDir(),
+        ]);
         $metadata = [
             'size' => $gitRepository->getSize() * 1024,
         ];

diff --git a/src/Git/Checker/LicenseChecker.php b/src/Git/Checker/LicenseChecker.php
@@ -4,12 +4,17 @@
 
 use Gitonomy\Git\Repository as GitRepository;
 use MBO\GitManager\Git\CheckerInterface;
+use Psr\Log\LoggerInterface;
 
 /**
  * Ensure that LICENSE file is present.
  */
 class LicenseChecker implements CheckerInterface
 {
+    public function __construct(private LoggerInterface $logger)
+    {
+    }
+
     public const LICENSE_FILENAMES = [
         'LICENSE',
         'LICENSE.md',
@@ -22,6 +27,12 @@ public function getName(): string
 
     public function check(GitRepository $gitRepository): bool|string
     {
+        $this->logger->debug('[{checker}] look for license file...', [
+            'checker' => $this->getName(),
+            'repository' => $gitRepository->getWorkingDir(),
+            'expected' => static::LICENSE_FILENAMES,
+        ]);
+
         $workingDir = $gitRepository->getWorkingDir();
         foreach (static::LICENSE_FILENAMES as $filename) {
             $expectedPath = $workingDir.DIRECTORY_SEPARATOR.$filename;

diff --git a/src/Git/Checker/ReadmeChecker.php b/src/Git/Checker/ReadmeChecker.php
@@ -4,19 +4,29 @@
 
 use Gitonomy\Git\Repository as GitRepository;
 use MBO\GitManager\Git\CheckerInterface;
+use Psr\Log\LoggerInterface;
 
 /**
  * Ensure that README file is present.
  */
 class ReadmeChecker implements CheckerInterface
 {
+    public function __construct(private LoggerInterface $logger)
+    {
+    }
+
     public function getName(): string
     {
         return 'readme';
     }
 
     public function check(GitRepository $gitRepository): bool
     {
+        $this->logger->debug('[{checker}] look for README.md file...', [
+            'checker' => $this->getName(),
+            'repository' => $gitRepository->getWorkingDir(),
+        ]);
+
         $workingDir = $gitRepository->getWorkingDir();
         $readmePath = $workingDir.DIRECTORY_SEPARATOR.'README.md';
 

diff --git a/src/Git/Checker/TrivyChecker.php b/src/Git/Checker/TrivyChecker.php
@@ -4,6 +4,7 @@
 
 use Gitonomy\Git\Repository as GitRepository;
 use MBO\GitManager\Git\CheckerInterface;
+use Psr\Log\LoggerInterface;
 use Symfony\Component\Process\Exception\ProcessFailedException;
 use Symfony\Component\Process\Process;
 
@@ -14,6 +15,15 @@ class TrivyChecker implements CheckerInterface
 {
     public const SEVERITIES = ['HIGH', 'CRITICAL'];
 
+    private bool $enabled;
+
+    public function __construct(
+        bool $trivyEnabled,
+        private LoggerInterface $logger
+    ) {
+        $this->enabled = $trivyEnabled && $this->isAvailable();
+    }
+
     public function getName(): string
     {
         return 'trivy';
@@ -22,6 +32,21 @@ public function getName(): string
     public function check(GitRepository $gitRepository): mixed
     {
         $workingDir = $gitRepository->getWorkingDir();
+
+        if (!$this->enabled) {
+            $this->logger->debug('[{checker}] skipped (disabled)', [
+                'checker' => $this->getName(),
+                'repository' => $workingDir,
+            ]);
+
+            return null;
+        }
+
+        $this->logger->debug('[{checker}] run trivy fs on repository...', [
+            'checker' => $this->getName(),
+            'repository' => $workingDir,
+        ]);
+
         $trivyReportPath = $workingDir.'/.trivy.json';
         $process = new Process([
             'trivy',
@@ -105,10 +130,18 @@ public function getSummary(array $vulnerabilities): array
     public function isAvailable(): bool
     {
         try {
-            $this->getVersion();
+            $version = $this->getVersion();
+            $this->logger->info('[{checker}] trivy executable found (version={trivy_version})', [
+                'checker' => $this->getName(),
+                'trivy_version' => $version,
+            ]);
 
             return true;
         } catch (\Exception $e) {
+            $this->logger->warning('[{checker}] trivy not found, scan disabled', [
+                'checker' => $this->getName(),
+            ]);
+
             return false;
         }
     }