Call for feedback: OpenScanHub integration #2371

lbarcziova · 2024-07-31T09:12:46Z

lbarcziova
Jul 31, 2024
Maintainer

We are happy to share the news about our recently added feature - SAST using OpenScanHub. Currently, this feature runs by default for successful Copr builds for fedora-rawhide-x86_64 for users that have both Copr builds for pull requests and commits configured (see more details in the 📝 docs 📝 ).

ℹ️ This functionality is an initial prototype and both configuration and functionality will likely change in the future. If you want to try it, just make sure you have the needed Copr build jobs configured.

💡 Therefore, we welcome any feedback, suggestions, or ideas! Please share your thoughts in the comments below.

Looking forward to your input!

siteshwar · 2024-08-08T13:13:45Z

siteshwar
Aug 8, 2024

We have also enabled find-unicode-control in production today.

0 replies

siteshwar · 2024-08-09T11:21:52Z

siteshwar
Aug 9, 2024

clippy was enabled in production today too.

0 replies

evverx · 2024-08-20T12:59:06Z

evverx
Aug 20, 2024

I've just seen "osh-diff-scan:fedora-rawhide-x86_64" in avahi/avahi#635 and ended up here. Both those issues could have been found with cppcheck and as far as I can see cppcheck is included in https://openscanhub.fedoraproject.org/task/6201/. I don't think that check is turned on by default so I think it would be great if it was possible to see how SAST tools are run in general and control what flags are passed to them. That being said cppcheck can be kind of chatty so it would be nice if its chattiness can be tweaked as well. Anyway this looks interesting. Thank you!

19 replies

lbarcziova Sep 5, 2024
Maintainer Author

I think this is related to the reporting in general and should be fixed as one issue. Also, we may think about the config design then more, e.g., whether we should have a new dedicated job type and whether this config option couldn't be more general (applied also for the other jobs).

siteshwar Sep 5, 2024

@siteshwar is the fail_ci_on_build_failure even though we trigger this after the successful Copr build?

We can use the term "scan" instead of "build" then.

Can you please open an issue for this?

packit/packit-service#2515

evverx Sep 9, 2024

We may need two different options here, fail_ci_on_build_failure and fail_ci_on_new_findings. Both the options should be kept false by default

I agree that those options should be false by default but I think fail_ci_on_new_findings can be too broad in the sense that as far as I understand it should always fail regardless of what OpenScanHub has found. In my case I'm OK with cppcheck false positives and I'll go and look at the diff tab anyway but I think it would be great if it failed only when new compiler warnings were introduced (mostly to avoid annoying contributors).

siteshwar Sep 10, 2024

We may need two different options here, fail_ci_on_build_failure and fail_ci_on_new_findings. Both the options should be kept false by default

I agree that those options should be false by default but I think fail_ci_on_new_findings can be too broad in the sense that as far as I understand it should always fail regardless of what OpenScanHub has found. In my case I'm OK with cppcheck false positives and I'll go and look at the diff tab anyway but I think it would be great if it failed only when new compiler warnings were introduced (mostly to avoid annoying contributors).

Your use case is specific, so you can turn this option on in your Packit configurations. Other possibility is to use action_required status for new findings, but I still believe it can be too annoying for projects with high false positive rate and developers may start ignoring this status.

evverx Sep 10, 2024

I still believe it can be too annoying for projects with high false positive rate and developers may start ignoring this status

Agreed. I think another option would probably be to show something like "10 new alerts" in the check status (by analogy with how coverage services report their findings) without the whole check turning red. It seems to be safer in general. Then again it could be I'm overthinking this.

evverx · 2024-08-20T13:06:39Z

evverx
Aug 20, 2024

One more thing. It would be really cool if it could show compiler warnings introduced in PRs (as far as I understand it should be differential eventually). Unfortunately I can't flip -Werror there due to avahi/avahi#595 and kludges where I tried to ignore known warnings that should be fixed eventually turned out to be unmaintainable :-)

Edit: looks like it already works. I introduced an unused variable and it was reported in https://openscanhub.fedoraproject.org/task/6611/log/added.html.

0 replies

kdudka · 2024-08-20T13:55:26Z

kdudka
Aug 20, 2024

@evverx Thanks for feedback!

OSH provides differential scan results for both GCC an Cppcheck but the differential output is empty for the mentioned PR. Could you please provide the exact steps to detect this bug with GCC/Cppcheck?

OSH can transparently change the flags for both GCC and Cppcheck. However, we need to be careful with overriding the default configuration in order to keep the signal-to-noise ratio acceptable.

1 reply

evverx Aug 20, 2024

Could you please provide the exact steps to detect this bug with GCC/Cppcheck?

With cppcheck it's included in the "style" checks:

$ cppcheck --enable=style examples |& grep clari
examples/client-publish-service.c:135:12: style: Suspicious condition (assignment + comparison); Clarify expression with parentheses. [clarifyCondition]
examples/core-publish-service.c:115:8: style: Suspicious condition (assignment + comparison); Clarify expression with parentheses. [clarifyCondition]

For some reason in the avahi repository it pops up from time to time: avahi/avahi#521. I'm guessing it's because of its coding style.

OSH can transparently change the flags for both GCC and Cppcheck. However, we need to be careful with overriding the default configuration in order to keep the signal-to-noise ratio acceptable.

Got it. I agree that false positives can be annoying.

I'll take a closer look at what's going on there. I learnt about this today so It could be I'm missing something.

kdudka · 2024-08-20T15:58:35Z

kdudka
Aug 20, 2024

@evverx Thank you for clarifying it! Unfortunately, the style checkers are too noisy to be enabled by default for all scans. In the internal scans at Red Hat, we needed to filter out even some of the checkers that were enabled by default because engineers were complaining about the amount of results they get from OSH.

Nevertheless, the scanning configuration in OSH can be customized for individual scans if needed. I have triggered a scan manually with the option given to Cppcheck:

osh-cli version-diff-build --config fedora-rawhide-x86_64 \
    --srpm avahi-0.9.rc1-29.20240820114655213175.pr635.54.g8e7e956.src.rpm \
    --base-srpm avahi-0.9.rc1-29.20240819212535207647.master.52.g9cbc63c.src.rpm \
    --csmock-args=--cppcheck-add-flag=--enable=style

... and the differential scan reported (as fixed) only the two findings that you were looking for: https://openscanhub.fedoraproject.org/task/6245/log/fixed.html

I think we would need to extend Packit such that it can pass custom options to OSH for users with specific needs...

15 replies

siteshwar Sep 11, 2024

As far as I can see those build errors should were fixed in systemd/systemd#31709 and systemd/systemd#33108 so it should probably no longer fail to build.

A sample report can be seen on the staging instance however

I'll take a look. Thank you!

The latest full scan report for systemd can be seen here. To list context of the findings, you can run below command to get a longer report:

curl -s 'https://openscanhub.fedoraproject.org/task/10265/log/systemd-256.5-1.fc42/scan-results.js?format=raw' | csgrep

evverx Sep 14, 2024

@siteshwar got it. I wonder if those reports are published somewhere periodically? As far as I can remember I followed a bunch of links mentioned in some thread where critical (or something like that) Fedora projects were discussed and saw a couple of links pointing to two reports built 2 weeks apart (or something like that). I can't seem to find those links now for some reason.

siteshwar Sep 14, 2024

@siteshwar got it. I wonder if those reports are published somewhere periodically? As far as I can remember I followed a bunch of links mentioned in some thread where critical (or something like that) Fedora projects were discussed and saw a couple of links pointing to two reports built 2 weeks apart (or something like that). I can't seem to find those links now for some reason.

I have performed couple of mass scans this year on rawhide. Related reports can be seen here:

https://www.mail-archive.com/[email protected]/msg200973.html

https://www.mail-archive.com/[email protected]/msg199411.html

siteshwar Nov 14, 2024

@evverx Another mass scan was performed this week. You can see the report at https://www.mail-archive.com/[email protected]/msg203529.html

siteshwar Nov 20, 2024

@mrc0mmand @jamacku I wonder if it would make sense to turn it on for systemd?

It seems unlikely it would be turned on in systemd due to large amount of false positives and LTO support in GCC not being ready for production.

mrc0mmand · 2024-10-31T14:04:22Z

mrc0mmand
Oct 31, 2024

Hey!

I started playing around with this a bit, and one thing I noticed straight away is that links to added/fixed/results pages in the job overview all link to JSON versions instead of the HTML ones:

(Taken from https://github.com/systemd-ci-incubator/polkit/pull/2/checks?check_run_id=32338234664)

Is this expected? It's a bit annoying from the UX point of view, since the HTML versions are much more human friendly, and right now you have to click through the first link to get to them. Or is it expected to consume the OSH results primarily by downloading the JSON reports and piping them to csgrep?

3 replies

lbarcziova Oct 31, 2024
Maintainer Author

Hi! Thanks for the feedback, I would say what you wrote makes sense, we should store and display the HTML versions. I will fix it as part of packit/dashboard#441 where we would like to also process the data further (using the mentioned csgrep) and report using GitHub security UI capabilities.

mrc0mmand Oct 31, 2024

Thank you!

siteshwar Nov 13, 2024

Is this expected? It's a bit annoying from the UX point of view, since the HTML versions are much more human friendly, and right now you have to click through the first link to get to them.

This has been already fixed in production. Now you get a direct link to added findings html report if a new finding is identified.

siteshwar · 2024-11-05T11:32:18Z

siteshwar
Nov 5, 2024

Scan failures for particular packages: Scans currently fail for packages with dynamically generated dependencies that are not listed in the source RPMs being scanned (blocked on this issue).

It has been fixed now. For example, you can see the scan for the packit package was successful and it uses dynamic dependencies.

2 replies

siteshwar Nov 5, 2024

It has been fixed now. For example, you can see the scan for the packit package was successful and it uses dynamic dependencies.

I tried to workaround this issue from the configuration side, but it seems that is not sufficient for all the builds to be successful. For example, tmt scans are still failing. --calculate-build-deps option is more suited to be used from the command line and should be fixed in csmock.

siteshwar Nov 6, 2024

I have deployed the fix from csmock in production and the scans are passing now.

kdudka · 2024-11-12T09:17:15Z

kdudka
Nov 12, 2024

I have submitted a cscppc pull request and the osh-diff-scan job failed with It was not possible to download the SRPMs needed for the differential scan.: https://github.com/csutils/cscppc/pull/45/checks?check_run_id=32848464708

Is there any way to display logs to check what actually happened?

5 replies

lbarcziova Nov 13, 2024
Maintainer Author

Hi, now there is no way for the user to check, I looked into our internal logs:

2024-11-12T08:17:35.479607588+00:00 stderr F [2024-11-12 08:17:35,479: DEBUG/MainProcess] task.run_copr_build_end_handler[43127464-640b-4675-b2ab-f6bf43c29db3] Failed to download file from https://download.copr.fedorainfracloud.org/results/@codescan/csutils/srpm-builds/07776695/cscppc-2.2.5.20240722.150725.g1bbbfa0-1.src.rpm: HTTPError('404 Client Error: Not Found for url: https://download.copr.fedorainfracloud.org/results/@codescan/csutils/srpm-builds/07776695/cscppc-2.2.5.20240722.150725.g1bbbfa0-1.src.rpm')

looking into commits in main, that makes sense as the previously last commit was from July so I assume Copr deleted the artifacts after that time.

We could improve the UX by displaying the URLs of the SRPMs we try to download, WDYT?

siteshwar Nov 13, 2024

We could improve the UX by displaying the URLs of the SRPMs we try to download, WDYT?

Can you display the error message to the user?

kdudka Nov 13, 2024

We could improve the UX by displaying the URLs of the SRPMs we try to download, WDYT?

Yes, that would help for sure!

lbarcziova Nov 13, 2024
Maintainer Author

Can you display the error message to the user?

yes we could do both

kdudka Feb 6, 2025

I am still getting these failures without any details about which SRPMs Packit tried to download. For example, on a today's CI run on a csdiff pull request: https://github.com/csutils/csdiff/pull/217/checks?check_run_id=36715144190

siteshwar · 2024-11-18T10:08:30Z

siteshwar
Nov 18, 2024

Results displaying: We are working on better displaying of the newly found defects, see View for OpenScanHub results dashboard#441

@lbarcziova Shall this be marked as fixed?

1 reply

lbarcziova Nov 18, 2024
Maintainer Author

yes, thanks for reminding, updated!

mfocko · 2025-02-10T11:39:30Z

mfocko
Feb 10, 2025
Maintainer

Retriggering of scans

Note

Issue: packit/packit-service#2710

Last week one of our users hit an issue with a flake during the scan, it blocked their merging process and they weren't aware of how to retrigger the OSH scan¹. As one of the follow-ups we should implement retriggering via comment (and probably also GitHub Check Re-Run).

currently can be done by retriggering whole Copr build, which is a bit wasteful with regards to the Copr team ↩

0 replies

Call for feedback: OpenScanHub integration #2371

Uh oh!

Uh oh!

lbarcziova Jul 31, 2024 Maintainer

Replies: 11 comments · 46 replies

Uh oh!

Uh oh!

Uh oh!

Uh oh!

lbarcziova Sep 5, 2024 Maintainer Author

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

lbarcziova Oct 31, 2024 Maintainer Author

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

lbarcziova Nov 13, 2024 Maintainer Author

Uh oh!

Uh oh!

Uh oh!

Uh oh!

lbarcziova Nov 13, 2024 Maintainer Author

Uh oh!

Uh oh!

Uh oh!

lbarcziova
Jul 31, 2024
Maintainer

Replies: 11 comments 46 replies

lbarcziova Sep 5, 2024
Maintainer Author

lbarcziova Oct 31, 2024
Maintainer Author

lbarcziova Nov 13, 2024
Maintainer Author

lbarcziova Nov 13, 2024
Maintainer Author