import re import sys import pipenv.vendor.click as click try: import github as pygithub except ImportError: pygithub = None from . import utils, requirements def create_branch(repo, base_branch, new_branch): ref = repo.get_git_ref("heads/" + base_branch) repo.create_git_ref(ref="refs/heads/" + new_branch, sha=ref.object.sha) def delete_branch(repo, branch): ref = repo.get_git_ref(f"heads/{branch}") ref.delete() @click.command() @click.option('--repo', help='GitHub standard repo path (eg, my-org/my-project)') @click.option('--token', help='GitHub Access Token') @click.option('--base-url', help='Optional custom Base URL, if you\'re using GitHub enterprise', default=None) @click.pass_obj @utils.require_files_report def github_pr(obj, repo, token, base_url): """ Create a GitHub PR to fix any vulnerabilities using PyUp's remediation data. Normally, this is run by a GitHub action. If you're running this manually, ensure that your local repo is up to date and on HEAD - otherwise you'll see strange results. """ if pygithub is None: click.secho("pygithub is not installed. Did you install Safety with GitHub support? Try pip install safety[github]", fg='red') sys.exit(1) # TODO: Improve access to our config in future. branch_prefix = obj.policy.get('alert', {}).get('security', {}).get('github-pr', {}).get('branch-prefix', 'pyup/') pr_prefix = obj.policy.get('alert', {}).get('security', {}).get('github-pr', {}).get('pr-prefix', '[PyUp] ') assignees = obj.policy.get('alert', {}).get('security', {}).get('github-pr', {}).get('assignees', []) labels = obj.policy.get('alert', {}).get('security', {}).get('github-pr', {}).get('labels', ['security']) label_severity = obj.policy.get('alert', {}).get('security', {}).get('github-pr', {}).get('label-severity', True) ignore_cvss_severity_below = obj.policy.get('alert', {}).get('security', {}).get('github-pr', {}).get('ignore-cvss-severity-below', 0) ignore_cvss_unknown_severity = obj.policy.get('alert', {}).get('security', {}).get('github-pr', {}).get('ignore-cvss-unknown-severity', False) gh = pygithub.Github(token, **({"base_url": base_url} if base_url else {})) repo = gh.get_repo(repo) try: self_user = gh.get_user().login except pygithub.GithubException: # If we're using a token from an action (or integration) we can't call `get_user()`. Fall back # to assuming we're running under an action self_user = "web-flow" pulls = repo.get_pulls(state='open', sort='created', base=repo.default_branch) pending_updates = set(obj.report['remediations'].keys()) # TODO: Refactor this loop into a fn to iterate over remediations nicely for name, contents in obj.requirements_files.items(): raw_contents = contents contents = contents.decode('utf-8') # TODO - encoding? parsed_req_file = requirements.RequirementFile(name, contents) for pkg, remediation in obj.report['remediations'].items(): if remediation['recommended_version'] is None: print(f"The GitHub PR alerter only currently supports remediations that have a recommended_version: {pkg}") continue # We have a single remediation that can have multiple vulnerabilities vulns = [x for x in obj.report['vulnerabilities'] if x['package_name'] == pkg and x['analyzed_version'] == remediation['current_version']] if ignore_cvss_unknown_severity and all(x['severity'] is None for x in vulns): print("All vulnerabilities have unknown severity, and ignore_cvss_unknown_severity is set.") continue highest_base_score = 0 for vuln in vulns: if vuln['severity'] is not None: highest_base_score = max(highest_base_score, (vuln['severity'].get('cvssv3', {}) or {}).get('base_score', 10)) if ignore_cvss_severity_below: at_least_one_match = False for vuln in vulns: # Consider a None severity as a match, since it's controlled by a different flag # If we can't find a base_score but we have severity data, assume it's critical for now. if vuln['severity'] is None or (vuln['severity'].get('cvssv3', {}) or {}).get('base_score', 10) >= ignore_cvss_severity_below: at_least_one_match = True if not at_least_one_match: print(f"None of the vulnerabilities found have a score greater than or equal to the ignore_cvss_severity_below of {ignore_cvss_severity_below}") continue for parsed_req in parsed_req_file.requirements: if parsed_req.name == pkg: updated_contents = parsed_req.update_version(contents, remediation['recommended_version']) pending_updates.discard(pkg) new_branch = branch_prefix + utils.generate_branch_name(pkg, remediation) skip_create = False # Few possible cases: # 1. No existing PRs exist for this change (don't need to handle) # 2. An existing PR exists, and it's out of date (eg, recommended 0.5.1 and we want 0.5.2) # 3. An existing PR exists, and it's not mergable anymore (eg, needs a rebase) # 4. An existing PR exists, and everything's up to date. # 5. An existing PR exists, but it's not needed anymore (perhaps we've been updated to a later version) # 6. No existing PRs exist, but a branch does exist (perhaps the PR was closed but a stale branch left behind) # In any case, we only act if we've been the only committer to the branch. for pr in pulls: if not pr.head.ref.startswith(branch_prefix): continue authors = [commit.committer.login for commit in pr.get_commits()] only_us = all([x == self_user for x in authors]) try: _, pr_pkg, pr_ver = pr.head.ref.split('/') except ValueError: # It's possible that something weird has manually been done, so skip that print('Found an invalid branch name on an open PR, that matches our prefix. Skipping.') continue if pr_pkg != pkg: continue # Case 4 if pr_pkg == pkg and pr_ver == remediation['recommended_version'] and pr.mergeable: print(f"An up to date PR #{pr.number} for {pkg} was found, no action will be taken.") skip_create = True continue if not only_us: print(f"There are other committers on the PR #{pr.number} for {pkg}. No further action will be taken.") continue # Case 2 if pr_pkg == pkg and pr_ver != remediation['recommended_version']: print(f"Closing stale PR #{pr.number} for {pkg} as a newer recommended version became") pr.create_issue_comment("This PR has been replaced, since a newer recommended version became available.") pr.edit(state='closed') delete_branch(repo, pr.head.ref) # Case 3 if not pr.mergeable: print(f"Closing PR #{pr.number} for {pkg} as it has become unmergable and we were the only committer") pr.create_issue_comment("This PR has been replaced since it became unmergable.") pr.edit(state='closed') delete_branch(repo, pr.head.ref) if updated_contents == contents: print(f"Couldn't update {pkg} to {remediation['recommended_version']}") continue if skip_create: continue try: create_branch(repo, repo.default_branch, new_branch) except pygithub.GithubException as e: if e.data['message'] == "Reference already exists": # There might be a stale branch. If the bot is the only committer, nuke it. comparison = repo.compare(repo.default_branch, new_branch) authors = [commit.committer.login for commit in comparison.commits] only_us = all([x == self_user for x in authors]) if only_us: delete_branch(repo, new_branch) create_branch(repo, repo.default_branch, new_branch) else: print(f"The branch '{new_branch}' already exists - but there is no matching PR and this branch has committers other than us. This remediation will be skipped.") continue else: raise e try: repo.update_file( path=name, message=utils.generate_commit_message(pkg, remediation), content=updated_contents, branch=new_branch, sha=utils.git_sha1(raw_contents) ) except pygithub.GithubException as e: if "does not match" in e.data['message']: click.secho(f"GitHub blocked a commit on our branch to the requirements file, {name}, as the local hash we computed didn't match the version on {repo.default_branch}. Make sure you're running safety against the latest code on your default branch.", fg='red') continue else: raise e pr = repo.create_pull(title=pr_prefix + utils.generate_title(pkg, remediation, vulns), body=utils.generate_body(pkg, remediation, vulns, api_key=obj.key), head=new_branch, base=repo.default_branch) print(f"Created Pull Request to update {pkg}") for assignee in assignees: pr.add_to_assignees(assignee) for label in labels: pr.add_to_labels(label) if label_severity: score_as_label = utils.cvss3_score_to_label(highest_base_score) if score_as_label: pr.add_to_labels(score_as_label) if len(pending_updates) > 0: click.secho("The following remediations were not followed: {}".format(', '.join(pending_updates)), fg='red') @click.command() @click.option('--repo', help='GitHub standard repo path (eg, my-org/my-project)') @click.option('--token', help='GitHub Access Token') @click.option('--base-url', help='Optional custom Base URL, if you\'re using GitHub enterprise', default=None) @click.pass_obj @utils.require_files_report # TODO: For now, it can be removed in the future to support env scans. def github_issue(obj, repo, token, base_url): """ Create a GitHub Issue for any vulnerabilities found using PyUp's remediation data. Normally, this is run by a GitHub action. If you're running this manually, ensure that your local repo is up to date and on HEAD - otherwise you'll see strange results. """ if pygithub is None: click.secho("pygithub is not installed. Did you install Safety with GitHub support? Try pip install safety[github]", fg='red') sys.exit(1) # TODO: Improve access to our config in future. issue_prefix = obj.policy.get('alert', {}).get('security', {}).get('github-issue', {}).get('issue-prefix', '[PyUp] ') assignees = obj.policy.get('alert', {}).get('security', {}).get('github-issue', {}).get('assignees', []) labels = obj.policy.get('alert', {}).get('security', {}).get('github-issue', {}).get('labels', ['security']) label_severity = obj.policy.get('alert', {}).get('security', {}).get('github-pr', {}).get('label-severity', True) ignore_cvss_severity_below = obj.policy.get('alert', {}).get('security', {}).get('github-pr', {}).get('ignore-cvss-severity-below', 0) ignore_cvss_unknown_severity = obj.policy.get('alert', {}).get('security', {}).get('github-pr', {}).get('ignore-cvss-unknown-severity', False) gh = pygithub.Github(token, **({"base_url": base_url} if base_url else {})) repo = gh.get_repo(repo) issues = list(repo.get_issues(state='open', sort='created')) ISSUE_TITLE_REGEX = re.escape(issue_prefix) + r"Security Vulnerability in (.+)" for name, contents in obj.requirements_files.items(): raw_contents = contents contents = contents.decode('utf-8') # TODO - encoding? parsed_req_file = requirements.RequirementFile(name, contents) for pkg, remediation in obj.report['remediations'].items(): if remediation['recommended_version'] is None: print(f"The GitHub Issue alerter only currently supports remediations that have a recommended_version: {pkg}") continue # We have a single remediation that can have multiple vulnerabilities vulns = [x for x in obj.report['vulnerabilities'] if x['package_name'] == pkg and x['analyzed_version'] == remediation['current_version']] if ignore_cvss_unknown_severity and all(x['severity'] is None for x in vulns): print("All vulnerabilities have unknown severity, and ignore_cvss_unknown_severity is set.") continue highest_base_score = 0 for vuln in vulns: if vuln['severity'] is not None: highest_base_score = max(highest_base_score, (vuln['severity'].get('cvssv3', {}) or {}).get('base_score', 10)) if ignore_cvss_severity_below: at_least_one_match = False for vuln in vulns: # Consider a None severity as a match, since it's controlled by a different flag # If we can't find a base_score but we have severity data, assume it's critical for now. if vuln['severity'] is None or (vuln['severity'].get('cvssv3', {}) or {}).get('base_score', 10) >= ignore_cvss_severity_below: at_least_one_match = True if not at_least_one_match: print(f"None of the vulnerabilities found have a score greater than or equal to the ignore_cvss_severity_below of {ignore_cvss_severity_below}") continue for parsed_req in parsed_req_file.requirements: if parsed_req.name == pkg: skip = False for issue in issues: match = re.match(ISSUE_TITLE_REGEX, issue.title) if match: if match.group(1) == pkg: skip = True # For now, we just skip issues if they already exist - we don't try and update them. if skip: print(f"An issue already exists for {pkg} - skipping") continue pr = repo.create_issue(title=issue_prefix + utils.generate_issue_title(pkg, remediation), body=utils.generate_issue_body(pkg, remediation, vulns, api_key=obj.key)) print(f"Created issue to update {pkg}") for assignee in assignees: pr.add_to_assignees(assignee) for label in labels: pr.add_to_labels(label) if label_severity: score_as_label = utils.cvss3_score_to_label(highest_base_score) if score_as_label: pr.add_to_labels(score_as_label)