
Security Scan always scan latest tag/master

Open giggsey opened this issue 5 years ago • 9 comments

The Security scan triggers on every push (which is great), but is only scanning the latest tags / master (if no tags).

This causes extra alerts during development pushes.

Could it scan the actual branch that's been pushed?

giggsey avatar Aug 24 '20 09:08 giggsey

We could scan a pushed version; the only question is what to do then with the status on the package list, because now it concerns the most recent version, which isn't necessarily the pushed one.

There are two things you can definitely do here:

  • [ ] with a new push, do not scan the version that has already been scanned
  • [ ] create scan settings for a given package and enable tracking of selected refs

akondas avatar Sep 01 '20 08:09 akondas

Showing the latest 'release' results on the Package list should be fine, as that view is already showing the version number.

Skipping already scanned versions might be tricky, as you want to re-scan it when the vulnerability database is updated.

giggsey avatar Sep 01 '20 08:09 giggsey

Re-scan is already implemented. When the vulnerability database is updated, Repman scans all packages to ensure that all new threats will be detected :wink:

akondas avatar Sep 01 '20 08:09 akondas

> Re-scan is already implemented. When the vulnerability database is updated, Repman scans all packages to ensure that all new threats will be detected

Yup, just in case you did "do not scan the version that has already been scanned", re-scan needs to run regardless.

giggsey avatar Sep 01 '20 10:09 giggsey

Hey @giggsey, now that the package view has been updated I think we can close this issue for now. Correct me if I'm wrong and thanks for your hard work :beers:

akondas avatar Oct 22 '20 09:10 akondas

Wouldn't the problem still exist?

If repman v1.0 had a security vulnerability, and I pushed to dev-new-feature, it would do the security scan on v1.0 and email me?

giggsey avatar Oct 22 '20 09:10 giggsey

It all depends on the sequence of events. Currently only the latest version is scanned. Latest means the package with the greatest semver version (Composer\Semver\Comparator):

    use Composer\Package\PackageInterface;
    use Composer\Semver\Comparator;

    // Sort ascending: equal version strings are ordered by release date,
    // otherwise by semver; the last element is the "latest" package.
    usort($packages, static function (PackageInterface $a, PackageInterface $b): int {
        if ($a->getVersion() === $b->getVersion()) {
            return $a->getReleaseDate() <=> $b->getReleaseDate();
        }

        return Comparator::greaterThan($a->getVersion(), $b->getVersion()) ? 1 : -1;
    });

So in your case, version 1.0 should be scanned and you should receive email about it.

On the other hand, we cannot allow everything to be scanned, otherwise we will always get a message (until we remove the troublesome tag).

akondas avatar Oct 22 '20 10:10 akondas

How about if the webhook sync only scans the new versions (or the ones whose ref has changed)?

Doing a Sync or Scan action should do the latest version, but the webhook is used when something new is pushed/tagged.

giggsey avatar Oct 22 '20 10:10 giggsey
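The two scan policies discussed above, the "latest version by semver" selection from the usort() comparator and the proposed "only new or changed refs on a webhook push", side by side as an added example. This is not Repman's code: packages are modelled as plain arrays, refs and dates are constructed sample data, and PHP's built-in version_compare() stands in for Composer\Semver\Comparator so the script runs without composer/semver installed.

```php
<?php
declare(strict_types=1);

// Added example, not Repman's own code. Each package version is modelled as an
// array with its version string, the git ref it currently points to and its
// release date. PHP's built-in version_compare() stands in for
// Composer\Semver\Comparator so the script runs without composer/semver.

/**
 * Target of a manual Sync/Scan action: the highest version, ties broken by
 * release date (the same ordering as the usort() comparator in the thread).
 */
function latestVersion(array $packages): ?array
{
    if ($packages === []) {
        return null;
    }

    usort($packages, static function (array $a, array $b): int {
        if ($a['version'] === $b['version']) {
            return $a['releaseDate'] <=> $b['releaseDate'];
        }

        // "dev-..." branch versions sort below numeric tags in version_compare(),
        // so a pushed feature branch never becomes the "latest" version.
        return version_compare($a['version'], $b['version']);
    });

    return $packages[array_key_last($packages)];
}

/**
 * Targets of a webhook-triggered scan: versions not seen before, or whose ref
 * moved since the last sync. $knownRefs is a map of version => ref.
 */
function versionsToScanOnWebhook(array $knownRefs, array $synced): array
{
    $toScan = [];
    foreach ($synced as $package) {
        $version = $package['version'];
        $isNewOrMoved = !isset($knownRefs[$version]) || $knownRefs[$version] !== $package['ref'];
        if ($isNewOrMoved) {
            $toScan[] = $package;
        }
    }

    return $toScan;
}

// Constructed sample state: two tagged releases plus a feature branch that
// just received a new push (its ref moved from cccc333 to dddd444).
$knownRefs = ['1.0.0' => 'aaaa111', '1.1.0' => 'bbbb222', 'dev-new-feature' => 'cccc333'];
$synced = [
    ['version' => '1.0.0', 'ref' => 'aaaa111', 'releaseDate' => '2020-08-01'],
    ['version' => '1.1.0', 'ref' => 'bbbb222', 'releaseDate' => '2020-09-01'],
    ['version' => 'dev-new-feature', 'ref' => 'dddd444', 'releaseDate' => '2020-10-22'],
];

$latest = latestVersion($synced);
printf("Manual Sync/Scan would scan: %s\n", $latest['version']);

$webhookTargets = array_column(versionsToScanOnWebhook($knownRefs, $synced), 'version');
printf("Webhook push would scan: %s\n", implode(', ', $webhookTargets));
```

With this split, the scenario raised earlier in the thread (a vulnerable 1.0 tag and a push to dev-new-feature) produces a webhook scan of the branch that actually changed, while a manual Sync or Scan keeps targeting the highest tagged version; the database-update re-scan of all packages is unaffected by either path.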

Thanks, that's actually a quite good idea :+1:

akondas avatar Oct 22 '20 10:10 akondas