Migrate trusty eval engine to Trusty v2 API. #5013
Conversation
go.mod
Outdated
| @@ -70,7 +70,7 @@ require ( | |||
| github.com/spf13/viper v1.19.0 | |||
| github.com/sqlc-dev/pqtype v0.3.0 | |||
| github.com/stacklok/frizbee v0.1.4 | |||
| github.com/stacklok/trusty-sdk-go v0.2.2 | |||
| github.com/stacklok/trusty-sdk-go v0.2.3-0.20241120172703-3643fb488d5e | |||
There was a problem hiding this comment.
We need this PR to be merged to remove this.
There was a problem hiding this comment.
It was not 100% ready, some optional changes were requested that I wanted to address first.
I merged it now, we're ok.
| @@ -324,7 +324,7 @@ func (sph *summaryPrHandler) generateSummary() (string, error) { | |||
| // (2) we don't suggest malicious packages, I | |||
| // suggest getting rid of this check | |||
| // altogether. | |||
| if altData.Score != nil && *altData.Score <= lowScorePackages[alternative.Dependency.Name].Score { | |||
| if altData.Score != nil && *altData.Score != 0 && *altData.Score <= lowScorePackages[alternative.Dependency.Name].Score { | |||
There was a problem hiding this comment.
The diff here is a bit confusing: this only adds *altData.Score != 0 which fixes bug #4945
There was a problem hiding this comment.
should this be moved to a small and dedicated function with an appropriate explanation? you're right that it's a bit confusing and having some docs in the code would probably help.
blkt
force-pushed
the
feat/trusty-engine-v2-api
branch
from
5432bcd
to
c4601e0
Compare
blkt
force-pushed
the
feat/trusty-engine-v2-api
branch
from
c4601e0
to
5af08e7
Compare
This change migrates `trusty` evaluation engine to use Trusty v2 API. Most of the changes apply to the intermediate representation we recently added to decouple Trusty from Minder, but some additional changes were required due to some fields becoming optional and nullable. Note: this change is again meant to be bug-compatible with the current evaluation engine, so we treat the lack of `"score"` as a score of `0`, thus triggering false positives as done by the current engine. The idea is to build on top of this to fix known issues of the engine before migrating it to Data Sources. Fixes stacklok/minder-stories#77
blkt
force-pushed
the
feat/trusty-engine-v2-api
branch
from
6b37f59
to
026b68d
Compare
| respSummary, err := trustyClient.Summary(ctx, input) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed getting summary: %w", err) | ||
| } | ||
|
|
||
| respPkg, err := trustyClient.PackageMetadata(ctx, input) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed getting package metadata: %w", err) | ||
| } | ||
|
|
||
| respAlternatives, err := trustyClient.Alternatives(ctx, input) |
There was a problem hiding this comment.
Not required, but you might want to issue these calls in parallel, since they may be around a second each. It's a bunch more code, though, so it's also fine to just leave a comment for now:
| respSummary, err := trustyClient.Summary(ctx, input) | |
| if err != nil { | |
| return nil, fmt.Errorf("failed getting summary: %w", err) | |
| } | |
| respPkg, err := trustyClient.PackageMetadata(ctx, input) | |
| if err != nil { | |
| return nil, fmt.Errorf("failed getting package metadata: %w", err) | |
| } | |
| respAlternatives, err := trustyClient.Alternatives(ctx, input) | |
| summary := make(chan *v2types.PackageSummaryAnnotation, 1) | |
| metadata := make(chan *v2types.TrustyPackageMetadata, 1) | |
| alternatives := make(chan *v2types.PackageAlternatives, 1) | |
| errors := make(chan error) | |
| defer go func() { | |
| close(summary) | |
| close(metadata) | |
| close(alternatives) | |
| close(errors) | |
| } | |
| go func() { | |
| resp, err := trustyClient.Summary(ctx, input) | |
| errors <- err | |
| summary <- resp | |
| }() | |
| go func() { | |
| resp, err := trustyClient.PackageMetadata(ctx, input) | |
| errors <- err | |
| metadata <- resp | |
| }() | |
| go func() { | |
| resp, err := trustyClient.Alternatives(ctx, input) | |
| errors <- err | |
| alternatives <- resp | |
| } | |
| for (int i = 0; i < 3; i++) { | |
| err := <- errors | |
| if err != nil { | |
| return nil, fmt.Errorf("Trusty call failed: %w", err) | |
| } | |
| } | |
| respSummary := <- summary | |
| respPkg := <- metadata | |
| respAlternatives := <-alternatives |
| } | ||
|
|
||
| res := makeTrustyReport(dep, resp) | ||
| respProvenance, err := trustyClient.Provenance(ctx, input) |
There was a problem hiding this comment.
(This would follow the same pattern above)
| } | ||
|
|
||
| res := makeTrustyReport(dep, resp) | ||
| respProvenance, err := trustyClient.Provenance(ctx, input) |
There was a problem hiding this comment.
Do you know whether the Trusty client is emitting metrics on these calls that we could use to track performance over time?
| const ( | ||
| better packageComparison = iota | ||
| worse | ||
| ) |
There was a problem hiding this comment.
Can we use the same contract as e.g. slices.SortFunc and use positive numbers to indicate a > b, and negative numbers for a < b?
That would also allow us to use slices.SortFunc elsewhere for lists of packages with the comparison function.
| @@ -428,8 +448,12 @@ func newSummaryPrHandler( | |||
| }, nil | |||
| } | |||
|
|
|||
| func preprocessDetails(s string) string { | |||
| scanner := bufio.NewScanner(strings.NewReader(s)) | |||
| func preprocessDetails(s *string) string { | |||
There was a problem hiding this comment.
Why change this to take a *string? (If so, this looks like the correct behavior)
|
|
||
| return res | ||
| } | ||
|
|
||
| func makeScoreComponents(descr map[string]any) []scoreComponent { | ||
| func addSummaryDetails(res *trustyReport, resp *trustytypes.PackageSummaryAnnotation) { |
There was a problem hiding this comment.
Can we get a nil annotation response without an error? If not, maybe pass through the concrete type or document that it can't be nil.
| Score: &alt.Score, | ||
| Score: alt.Score, |
There was a problem hiding this comment.
👍 to removing pointer types where possible; it reduces the number of times we need to remember nil checks.
Summary
This change migrates
trustyevaluation engine to use Trusty v2 API. Most of the changes apply to the intermediate representation we recently added to decouple Trusty from Minder, but some additional changes were required due to some fields becoming optional and nullable.Note: this change is again meant to be bug-compatible with the current evaluation engine, so we treat the lack of
"score"as a score of0, thus triggering false positives as done by the current engine. The idea is to build on top of this to fix known issues of the engine before migrating it to Data Sources.Fixes stacklok/minder-stories#77
Change Type
Testing
Updated unit tests, ran smoke tests locally.
Review Checklist: