Basic implementation of compliance scan command
#1940
Conversation
oxisto
requested review from
fwendland,
konradweiss and
KuechA
as code owners
oxisto
added
the
publish-to-github-packages
This is a basic implementation of the compliance scan command. It will output an example SARIF finding, but will do an actual CPG translation.
… the CLI commands
…om outside applications
|
|
||
| /** Loads the security goals from the project. */ | ||
| fun loadSecurityGoals(): List<SecurityGoal> { | ||
| return loadSecurityGoals(projectOptions.directory.resolve("security-goals")) |
There was a problem hiding this comment.
I'm not the biggest fan of these hardcoded paths and would prefer passing an argument in the CLI
There was a problem hiding this comment.
My idea for the future would be to replace the security-goals.yaml with a project.yaml or something similar, which basically describes the whole project structure and has the "authority" to change these paths, I am not sure if they are really suitable for CLI args. My suggestion is to extract these hardcoded paths into a Project structure (which is already prepare) so we can make them dynamic in the future.
codyze-compliance/src/main/kotlin/de/fraunhofer/aisec/codyze/compliance/Command.kt
Show resolved
Hide resolved
codyze-core/src/main/kotlin/de/fraunhofer/aisec/codyze/Project.kt
Outdated
Show resolved
Hide resolved
codyze-core/src/main/kotlin/de/fraunhofer/aisec/codyze/Project.kt
Outdated
Show resolved
Hide resolved
codyze-core/src/main/kotlin/de/fraunhofer/aisec/codyze/Project.kt
Outdated
Show resolved
Hide resolved
.../resources/META-INF/kotlin/script/templates/de.fraunhofer.aisec.codyze.QueryScript.classname
Outdated
Show resolved
Hide resolved
codyze-core/src/main/kotlin/de/fraunhofer/aisec/codyze/QueryScriptDefinition.kt
Show resolved
Hide resolved
| * This command assumes that the project contains a folder named `security-goals` that contains YAML | ||
| * files with the security goals. | ||
| */ | ||
| class ListSecurityGoals : ProjectCommand() { |
There was a problem hiding this comment.
I wouldn't inherit from ProjectCommand because I currently see no reason to specify a project dir or CPG translation options. We're also not calling analyze().
Should we use use a CliktCommand for now?
This is a basic implementation of the compliance scan command. It will output an example SARIF finding, but will do an actual CPG translation.
The syntax is the following:
codyze compliance --project-dir [project-directory] --sources [your-sources]This will do an actual CPG translation and print a "note" SARIF finding on the console