OWASP / threat-dragon

An open source threat modeling tool from OWASP
https://owasp.org/www-project-threat-dragon/
Apache License 2.0

USE_SEARCH results in an exception when used with gitlab #1001

Closed ch-lepp closed 2 weeks ago

ch-lepp commented 3 weeks ago

Describe the bug: The two env vars GITHUB_USE_SEARCH and GITHUB_SEARCH_QUERY apply (contrary to what their name implies) to all repos.

When used with gitlab however, they result in the following exception:

threatdragon-1  | error: controllers/threatmodelcontroller.js:  {"service":"threat-dragon","timestamp":"2024-07-05 06:23:54"}
threatdragon-1  | error: getClient(...).reposAsync is not a function {"service":"threat-dragon","stack":"TypeError: getClient(...).reposAsync is not a function\n    at Object.searchAsync (/app/td.server/dist/repositories/gitlabrepo.js:84:33)\n    at _callee$ (/app/td.server/dist/controllers/threatmodelcontroller.js:31:29)\n    at tryCatch (/app/td.server/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:45:16)\n    at Generator.<anonymous> (/app/td.server/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:133:17)\n    at Generator.next (/app/td.server/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:74:21)\n    at asyncGeneratorStep (/app/td.server/node_modules/@babel/runtime/helpers/asyncToGenerator.js:3:24)\n    at _next (/app/td.server/node_modules/@babel/runtime/helpers/asyncToGenerator.js:22:9)\n    at /app/td.server/node_modules/@babel/runtime/helpers/asyncToGenerator.js:27:7\n    at new Promise (<anonymous>)\n    at /app/td.server/node_modules/@babel/runtime/helpers/asyncToGenerator.js:19:12\n    at _callee$ (/app/td.server/dist/controllers/responseWrapper.js:50:18)\n    at tryCatch (/app/td.server/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:45:16)\n    at Generator.<anonymous> (/app/td.server/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:133:17)\n    at Generator.next (/app/td.server/node_modules/@babel/runtime/helpers/regeneratorRuntime.js:74:21)\n    at asyncGeneratorStep (/app/td.server/node_modules/@babel/runtime/helpers/asyncToGenerator.js:3:24)\n    at _next (/app/td.server/node_modules/@babel/runtime/helpers/asyncToGenerator.js:22:9)","timestamp":"2024-07-05 06:23:54"}
threatdragon-1  | error: undefined {"service":"threat-dragon","timestamp":"2024-07-05 06:23:54"}

The reason seems to be the searchAsync method of the gitlabrepo, which uses a function that does not exist.

Expected behaviour: The gitlab integration should be able to properly handle the SEARCH_QUERY env.

Additionally, the env should be renamed to make it clear that it does not only apply to GitHub integrations.

Environment:

To Reproduce: Integrate a gitlab repo and set GITHUB_USE_SEARCH to true.

Any additional context, screenshots, etc:

Side-Note: Maybe you could consider switching to TS instead of JS. That way, using methods that don't exist becomes way more unlikely...

ch-lepp commented 2 weeks ago

I am sorry, but I have to reopen this issue. The renamed env is not properly processed by the application...

Additionally, the gitlab search does not return an object with an attribute named items but simply just an array...