Compare commits

...

5 commits
v0.1.0 ... main

Author SHA1 Message Date
99eef916b4 Implement version handling in check 2024-10-24 19:07:19 +02:00
75bd20c775 Fix field name in README 2024-10-24 18:10:27 +02:00
1a93593ca0 Ignore and remove binary 2024-10-24 17:56:41 +02:00
63b77842cf Update README
- update input and output examples
- add license text
2023-01-22 13:23:27 +01:00
182f21944b Use correct long description from DSA long RDF
- use date and DSA number as version identifier
- add tests for Check and Get calls
2023-01-22 13:18:57 +01:00
8 changed files with 133 additions and 17 deletions

4
.gitignore vendored
View file

@ -1 +1,5 @@
/.idea/ /.idea/
/check
/debian-dsa
/in
/out

View file

@ -1,10 +1,11 @@
FROM golang:1.19-bullseye AS builder FROM golang:1.19-bullseye AS builder
WORKDIR /build WORKDIR /build
COPY go.mod /build/ COPY go.mod go.sum /build/
COPY cmd /build/cmd/ COPY cmd /build/cmd/
COPY internal /build/internal/ COPY internal /build/internal/
RUN go test -v ./...
RUN CGO_ENABLED=0 go build ./cmd/debian-dsa RUN CGO_ENABLED=0 go build ./cmd/debian-dsa
FROM alpine:3 FROM alpine:3

View file

@ -6,6 +6,21 @@ this can be used to trigger registry-image or docker-image builds when security
The source code for the resource type is available at https://git.dittberner.info/jan/concourse-dsa-resource The source code for the resource type is available at https://git.dittberner.info/jan/concourse-dsa-resource
## License
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
## Usage ## Usage
To use the resource type in your own Concourse pipeline you will have to define the resource type and a resource: To use the resource type in your own Concourse pipeline you will have to define the resource type and a resource:
@ -50,11 +65,11 @@ shortened and pretty-printed example output looks like this:
[ [
{ {
"date": "2023-01-18", "date": "2023-01-18",
"title": "DSA-5322 firefox-esr" "dsa": "DSA-5322"
}, },
{ {
"date": "2023-01-19", "date": "2023-01-19",
"title": "DSA-5323 libitext5-java" "dsa": "DSA-5323"
} }
] ]
``` ```
@ -72,7 +87,7 @@ metadata. If the version exists. The following input example returns the output
"params": {}, "params": {},
"version": { "version": {
"date": "2023-01-18", "date": "2023-01-18",
"title": "DSA-5322 firefox-esr" "dsa": "DSA-5322"
} }
} }
``` ```
@ -83,11 +98,12 @@ metadata. If the version exists. The following input example returns the output
{ {
"version": { "version": {
"date": "2023-01-18", "date": "2023-01-18",
"title": "DSA-5322 firefox-esr" "dsa": "DSA-5322"
}, },
"metadata": { "metadata": {
"link": "https://www.debian.org/security/2023/dsa-5322", "link": "https://www.debian.org/security/2023/dsa-5322",
"description": "security update" "package": "firefox-esr",
"description": "Multiple security issues have been found in the Mozilla Firefox web\nbrowser, which could potentially result in the execution of arbitrary\ncode, information disclosure or spoofing."
} }
} }
``` ```

Binary file not shown.

8
go.mod
View file

@ -1,3 +1,11 @@
module git.dittberner.info/concourse-dsa-resource module git.dittberner.info/concourse-dsa-resource
go 1.19 go 1.19
require (
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/stretchr/objx v0.5.0 // indirect
github.com/stretchr/testify v1.8.1 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)

17
go.sum Normal file
View file

@ -0,0 +1,17 @@
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

View file

@ -82,7 +82,7 @@ func getRdfData(full bool) (*rdfData, error) {
type Version struct { type Version struct {
Date string `json:"date"` Date string `json:"date"`
Title string `json:"title"` DSANumber string `json:"dsa"`
} }
func (v Version) String() string { func (v Version) String() string {
@ -104,6 +104,7 @@ type getInput struct {
type MetaData struct { type MetaData struct {
Link string `json:"link"` Link string `json:"link"`
Package string `json:"package"`
Description string `json:"description"` Description string `json:"description"`
} }
@ -126,7 +127,7 @@ func (r *VersionRange) Len() int {
} }
func (r *VersionRange) Less(i, j int) bool { func (r *VersionRange) Less(i, j int) bool {
return r.versions[i].Date <= r.versions[j].Date && r.versions[i].Title < r.versions[j].Title return r.versions[i].Date <= r.versions[j].Date && r.versions[i].DSANumber < r.versions[j].DSANumber
} }
func (r *VersionRange) Swap(i, j int) { func (r *VersionRange) Swap(i, j int) {
@ -146,8 +147,10 @@ func (r *Resource) Check() error {
return fmt.Errorf("could not parse input from Concourse: %w", err) return fmt.Errorf("could not parse input from Concourse: %w", err)
} }
var inputDate time.Time
if len(input.Version.Date) > 0 { if len(input.Version.Date) > 0 {
_, err = parseISODate(input.Version.Date) inputDate, err = parseISODate(input.Version.Date)
if err != nil { if err != nil {
return fmt.Errorf("could not interpret version from Concourse as date: %w", err) return fmt.Errorf("could not interpret version from Concourse as date: %w", err)
} }
@ -161,7 +164,16 @@ func (r *Resource) Check() error {
dates := &VersionRange{} dates := &VersionRange{}
for _, item := range dsaData.Items { for _, item := range dsaData.Items {
dates.addVersion(Version{Date: item.Date, Title: item.Title}) parts := strings.SplitN(item.Title, " ", 2)
versionDate, err := parseISODate(item.Date)
if err != nil {
return fmt.Errorf("could not interpret date from RDF feed as date: %w", err)
}
if inputDate.IsZero() || inputDate.Before(versionDate) {
dates.addVersion(Version{Date: item.Date, DSANumber: parts[0]})
}
} }
sort.Sort(dates) sort.Sort(dates)
@ -185,19 +197,26 @@ func (r *Resource) Get(_ string) error {
return fmt.Errorf("could not interpret version from Concourse as date: %w", err) return fmt.Errorf("could not interpret version from Concourse as date: %w", err)
} }
dsaData, err := getRdfData(false) dsaData, err := getRdfData(true)
if err != nil { if err != nil {
log.Fatalf("could not get DSA RDF data: %v", err) log.Fatalf("could not get DSA RDF data: %v", err)
} }
for _, item := range dsaData.Items { for _, item := range dsaData.Items {
if item.Date == input.Version.Date && item.Title == input.Version.Title { if item.Date == input.Version.Date && strings.HasPrefix(item.Title, input.Version.DSANumber) {
parts := strings.SplitN(item.Title, " ", 3)
err = r.writeGetOutput(Version{ err = r.writeGetOutput(Version{
Date: item.Date, Date: item.Date,
Title: item.Title, DSANumber: parts[0],
}, MetaData{ }, MetaData{
Link: item.Link, Link: item.Link,
Description: strings.TrimSpace(item.Description), Package: parts[1],
Description: strings.TrimSpace(
strings.ReplaceAll(strings.ReplaceAll(
item.Description, "<p>", ""), "</p>", "\n",
),
),
}) })
if err != nil { if err != nil {

View file

@ -0,0 +1,51 @@
package dsa
import (
"bytes"
"fmt"
"strings"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestResource_Check(t *testing.T) {
input := strings.NewReader("{}")
output := &bytes.Buffer{}
resource := NewResource(input, output)
err := resource.Check()
assert.NoError(t, err)
result := output.String()
assert.NotEmpty(t, result)
}
func TestResource_Get(t *testing.T) {
rdf, err := getRdfData(false)
item := rdf.Items[0]
parts := strings.SplitN(item.Title, " ", 2)
require.NoError(t, err)
input := strings.NewReader(fmt.Sprintf(
`{"source":{},"params":{},"version":{"date":"%s","dsa":"%s"}}`, item.Date, parts[0],
))
output := &bytes.Buffer{}
resource := NewResource(input, output)
err = resource.Get("/tmp")
assert.NoError(t, err)
result := output.String()
assert.NotEmpty(t, result)
}