Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
64 changes: 7 additions & 57 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,52 +23,14 @@ repos:
name: Check conventional commit message
stages: [commit-msg]

# Sort imports.
- repo: https://github.com/pycqa/isort
rev: 8.0.1
# Ruff formats and lints code.
- repo: https://github.com/astral-sh/ruff-pre-commit
rev: v0.15.20
hooks:
- id: isort
name: Sort import statements
args: [--settings-path, pyproject.toml]
exclude: ^tests/malware_analyzer/pypi/resources/sourcecode_samples.*

# Add Black code formatters.
- repo: https://github.com/ambv/black
rev: 26.3.1
hooks:
- id: black
name: Format code
args: [--config, pyproject.toml, --target-version, py311]
exclude: ^tests/malware_analyzer/pypi/resources/sourcecode_samples.*
- repo: https://github.com/asottile/blacken-docs
rev: 1.20.0
hooks:
- id: blacken-docs
name: Format code in docstrings
args: [--line-length, '120']
additional_dependencies: [black==26.3.1]

# Upgrade and rewrite Python idioms.
- repo: https://github.com/asottile/pyupgrade
rev: v3.21.2
hooks:
- id: pyupgrade
name: Upgrade code idioms
files: ^src/macaron/|^tests/
args: [--py311-plus]

# Similar to pylint, with a few more/different checks. For more available
# extensions: https://github.com/DmytroLitvinov/awesome-flake8-extensions
- repo: https://github.com/pycqa/flake8
rev: 7.3.0
hooks:
- id: flake8
name: Check flake8 issues
files: ^src/macaron/|^tests/
types: [text, python]
additional_dependencies: [flake8-bugbear==25.11.29, flake8-builtins==3.1.0, flake8-comprehensions==3.17.0, flake8-docstrings==1.7.0, flake8-logging==1.8.0, flake8-mutable==1.2.0, flake8-noqa==1.5.0, flake8-print==5.0.0, flake8-pytest-style==2.2.0, flake8-rst-docstrings==0.4.0, pep8-naming==0.15.1]
exclude: ^tests/malware_analyzer/pypi/resources/sourcecode_samples.*
args: [--config, .flake8]
- id: ruff-format
args: [--config, pyproject.toml]
- id: ruff-check
args: [--config, pyproject.toml, --fix, --unsafe-fixes, --exit-non-zero-on-fix]

# Check GitHub Actions workflow files.
- repo: https://github.com/Mateusz-Grzelinski/actionlint-py
Expand Down Expand Up @@ -108,18 +70,6 @@ repos:
exclude: ^tests/malware_analyzer/pypi/resources/sourcecode_samples.*
args: [--show-traceback, --config-file, pyproject.toml]

# Check for potential security issues.
- repo: https://github.com/PyCQA/bandit
rev: 1.9.4
hooks:
- id: bandit
name: Check for security issues
args: [--configfile, pyproject.toml]
files: ^src/macaron/|^tests/
types: [text, python]
additional_dependencies: ['bandit[toml]']
exclude: ^tests/malware_analyzer/pypi/resources/sourcecode_samples.*

# Enable a whole bunch of useful helper hooks, too.
# See https://pre-commit.com/hooks.html for more hooks.
- repo: https://github.com/pre-commit/pre-commit-hooks
Expand Down
10 changes: 4 additions & 6 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -313,12 +313,10 @@ audit:
python -m pip_audit --skip-editable --desc on --fix --dry-run --ignore-vuln GHSA-vfmq-68hx-4jfw

# Run some or all checks over the package code base.
.PHONY: check check-code check-bandit check-flake8 check-lint check-mypy check-go check-actionlint
check-code: check-bandit check-flake8 check-lint check-mypy check-go check-actionlint
check-bandit:
pre-commit run bandit --all-files
check-flake8:
pre-commit run flake8 --all-files
.PHONY: check check-code check-ruff check-lint check-mypy check-go check-actionlint
check-code: check-ruff check-lint check-mypy check-go check-actionlint
check-ruff:
pre-commit run ruff-check --all-files
check-lint:
pre-commit run pylint --all-files
check-mypy:
Expand Down
95 changes: 72 additions & 23 deletions pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -122,20 +122,6 @@ Documentation = "https://oracle.github.io/macaron/index.html"
Issues = "https://github.com/oracle/macaron/issues"


# https://bandit.readthedocs.io/en/latest/config.html
# Skip test B101 because of issue https://github.com/PyCQA/bandit/issues/457
[tool.bandit]
tests = []
skips = ["B101"]
exclude_dirs = ["tests/malware_analyzer/pypi/resources/sourcecode_samples"]


# https://github.com/psf/black#configuration
[tool.black]
line-length = 120
force-exclude = ["tests/malware_analyzer/pypi/resources/sourcecode_samples/"]


# https://github.com/commitizen-tools/commitizen
# https://commitizen-tools.github.io/commitizen/bump/
[tool.commitizen]
Expand Down Expand Up @@ -181,15 +167,6 @@ exclude = [
]


# https://pycqa.github.io/isort/
[tool.isort]
profile = "black"
multi_line_output = 3
line_length = 120
skip_gitignore = true
filter_files = true


# https://mypy.readthedocs.io/en/stable/config_file.html#using-a-pyproject-toml
[tool.mypy]
show_error_codes = true
Expand Down Expand Up @@ -304,3 +281,75 @@ filterwarnings = [
"ignore::DeprecationWarning:cyclonedx.model.tool",
"error::DeprecationWarning:pkg_resources",
]


# https://docs.astral.sh/ruff/formatter/
# https://docs.astral.sh/ruff/linter/
[tool.ruff]
line-length = 120

[tool.ruff.format]
exclude = [
"tests/malware_analyzer/pypi/resources/sourcecode_samples/**/*.py",
]
docstring-code-format = true
docstring-code-line-length = 88

# https://docs.astral.sh/ruff/configuration/
# https://docs.astral.sh/ruff/rules/
[tool.ruff.lint]
exclude = ["docs/*"]
select = [
"A", # flake8-builtins
"B", # flake8-bugbear
"C4", # flake8-comprehensions
"D", # pydocstyle
"DOC", # pydoclint
"E", # pycodestyle
"F", # pyflakes
"FURB", # refurb
"I", # isort
"ICN", # flake8-import-conventions
"LOG", # flake8-logging
"N", # pep8-naming
"PIE", # flake8-pie
"PT", # flake8-pytest-style
"PYI", # flake8-pyi
"RUF", # ruff-specific rules
"S", # flake8-bandit
"SIM", # flake8-simplify
"SLOT", # flake8-slots
"T20", # flake8-print
"UP", # pyupgrade
]
ignore = [
"D104", # D104: Missing docstring in public package
"D105", # D105: Missing docstring in magic method
"D404", # D404: First word of the docstring should not be "This"
"E203", # E203: whitespace before ‘,’, ‘;’, or ‘:’ (not Black compliant)
"E501", # E501: line too long (managed better by Bugbear's B950)
"SIM102", # Use a single `if` statement instead of nested `if` statements
]

[tool.ruff.lint.flake8-pytest-style]
fixture-parentheses = true

[tool.ruff.lint.pydocstyle]
convention = "numpy"

[tool.ruff.lint.per-file-ignores]
"tests/*" = [
"D102", # D102: Missing docstring in public method
"D104", # D104: Missing docstring in public package
"S101", # S101 Use of `assert` detected
"T201", # T201 `print` found
]
"tests/malware_analyzer/pypi/resources/sourcecode_samples/**/*" = [
"A", # flake8-builtins
"D", # pydocstyle
"E", # pycodestyle
"F", # pyflakes
"N", # pep8-naming
"S", # flake8-bandit
"SIM", # flake8-simplify
]
19 changes: 8 additions & 11 deletions scripts/actions/write_job_summary.py
Original file line number Diff line number Diff line change
Expand Up @@ -90,7 +90,7 @@ def _write_header(
vsa_path = _env("VSA_PATH", f"{output_dir}/vsa.intoto.jsonl")
policy_succeeded = bool(vsa_path) and Path(vsa_path).is_file()

_append_line(summary_path, "<h2 id=\"macaron-analysis-summary\">Macaron Analysis Results</h2>")
_append_line(summary_path, '<h2 id="macaron-analysis-summary">Macaron Analysis Results</h2>')
_append_line(summary_path)
if upload_reports:
_append_line(summary_path, "Download reports from this artifact link:")
Expand Down Expand Up @@ -157,7 +157,7 @@ def _query_selected_columns(
if not selected:
return [], []

sql = f"SELECT {', '.join(selected)} FROM {table_name}"
sql = f"SELECT {', '.join(selected)} FROM {table_name}" # noqa: S608
if where_clause:
sql = f"{sql} WHERE {where_clause}"
sql = f"{sql} ORDER BY 1"
Expand Down Expand Up @@ -373,13 +373,13 @@ def write_compact_gha_vuln_diagnostics(summary_path: Path, columns: list[str], r
_append_line(summary_path)
_append_line(
summary_path,
"<h2 id=\"macaron-full-findings-remediation-details\">Full Findings and Remediation Details</h2>",
'<h2 id="macaron-full-findings-remediation-details">Full Findings and Remediation Details</h2>',
)
_append_line(summary_path)
_append_line(summary_path, "<details>")
_append_line(summary_path, "<summary>Show full findings</summary>")
_append_line(summary_path)
detail_groups = groups_in_rows if groups_in_rows else ["all_findings"]
detail_groups = groups_in_rows or ["all_findings"]
row_counter = 1
for group in detail_groups:
if group_idx is None:
Expand All @@ -397,10 +397,7 @@ def write_compact_gha_vuln_diagnostics(summary_path: Path, columns: list[str], r
priority = row[col_index["finding_priority"]]
finding_type = str(row[col_index["finding_type"]])
workflow = str(row[col_index["vulnerable_workflow"]])
if group == "workflow_security_issue":
subject = workflow
else:
subject = f"{action}@{version}" if version else action
subject = workflow if group == "workflow_security_issue" else f"{action}@{version}" if version else action
_append_line(summary_path, f"{row_counter}. **`{subject}`** (`{finding_type}`, priority `{priority}`)")
_append_line(summary_path, f"- Workflow: `{workflow}`")

Expand Down Expand Up @@ -498,7 +495,7 @@ def _write_existing_policy_failure_diagnostics(
cols, rows = _query_sql(conn, sql_query)
if cols and rows:
_append_line(summary_path)
_append_line(summary_path, f"#### Results")
_append_line(summary_path, "#### Results")
if policy_name == "check-github-actions":
rendered = write_compact_gha_vuln_diagnostics(summary_path, cols, rows)
else:
Expand All @@ -510,7 +507,7 @@ def _write_existing_policy_failure_diagnostics(
_append_line(summary_path, "- Additional check-level details are unavailable for this failure.")


def main() -> None:
def _main() -> None:
output_dir = Path(_env("OUTPUT_DIR", "output"))
db_path = Path(_env("DB_PATH", os.path.join(str(output_dir), "macaron.db")))
policy_report = _env("POLICY_REPORT", os.path.join(str(output_dir), "policy_report.json"))
Expand Down Expand Up @@ -547,4 +544,4 @@ def main() -> None:


if __name__ == "__main__":
main()
_main()
6 changes: 3 additions & 3 deletions src/macaron/build_spec_generator/build_spec_generator.py
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
# Copyright (c) 2025 - 2026, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

"""This module contains the functions used for generating build specs from the Macaron database."""

import json
import logging
import os
from enum import Enum
from enum import StrEnum

from packageurl import PackageURL
from sqlalchemy import create_engine
Expand All @@ -23,7 +23,7 @@
logger: logging.Logger = logging.getLogger(__name__)


class BuildSpecFormat(str, Enum):
class BuildSpecFormat(StrEnum):
"""The build spec formats that we support."""

REPRODUCIBLE_CENTRAL = "rc-buildspec"
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
# Copyright (c) 2025 - 2026, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

"""This module contain the base classes cli command parsers related."""
Expand All @@ -7,7 +7,7 @@
from abc import abstractmethod
from collections.abc import Mapping
from dataclasses import dataclass
from enum import Enum
from enum import StrEnum
from typing import Any, Generic, Protocol, TypeGuard, TypeVar


Expand Down Expand Up @@ -93,7 +93,7 @@ def get_patch_type_str(self) -> str:
raise NotImplementedError()


class PatchCommandBuildTool(str, Enum):
class PatchCommandBuildTool(StrEnum):
"""Build tool supported for CLICommand patching."""

MAVEN = "maven"
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
# Copyright (c) 2025 - 2026, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

"""This module contains the classes that represent components of a Gradle CLI Command."""
Expand Down Expand Up @@ -382,4 +382,4 @@ class GradleCLICommand:

def to_cmds(self) -> list[str]:
"""Return the CLI Command as a list of strings."""
return [self.executable] + self.options.to_option_cmds()
return [self.executable, *self.options.to_option_cmds()]
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
# Copyright (c) 2025 - 2026, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

"""This module contains the Gradle CLI Command parser."""
Expand Down Expand Up @@ -58,7 +58,7 @@ def add_to_arg_parser(self, arg_parse: argparse.ArgumentParser) -> None:

if self.short_names:
arg_parse.add_argument(
*(self.short_names + [self.long_name]),
*([*self.short_names, self.long_name]),
**kwargs,
)
else:
Expand Down Expand Up @@ -445,7 +445,7 @@ def get_patch_type_str(self) -> str:
class GradleCLICommandParser:
"""A Gradle CLI Command Parser."""

ACCEPTABLE_EXECUTABLE = {"gradle", "gradlew"}
ACCEPTABLE_EXECUTABLE = frozenset(("gradle", "gradlew"))

def __init__(self) -> None:
"""Initialize the instance."""
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
# Copyright (c) 2025 - 2026, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

"""This module contains the classes that represent components of a Maven CLI Command."""
Expand Down Expand Up @@ -318,4 +318,4 @@ class MavenCLICommand:

def to_cmds(self) -> list[str]:
"""Return the CLI Command as a list of strings."""
return [self.executable] + self.options.to_option_cmds()
return [self.executable, *self.options.to_option_cmds()]
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
# Copyright (c) 2025 - 2026, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

"""This module contains the Maven CLI Command parser."""
Expand Down Expand Up @@ -347,7 +347,7 @@ def get_patch_type_str(self) -> str:
class MavenCLICommandParser:
"""A Maven CLI Command Parser."""

ACCEPTABLE_EXECUTABLE = {"mvn", "mvnw"}
ACCEPTABLE_EXECUTABLE = frozenset(("mvn", "mvnw"))

def __init__(self) -> None:
"""Initialize the instance."""
Expand Down
Loading
Loading