mindersec / minder

Software Supply Chain Security Platform
https://minder-docs.stacklok.dev/
Apache License 2.0

Trusty score is 0 when Minder comments on PR #4944

Open eleftherias opened 1 week ago

eleftherias commented 1 week ago

Describe the issue

When I have a profile that includes the Trusty ruletype, and I create a PR that adds a dependency, then Minder comments on the PR stating that the Trusty score is 0.

This can be seen in this PR comment https://github.com/eleftherias/demo-repo-python/pull/25#pullrequestreview-2429173373

[Screenshot taken 2024-11-12 at 11:36:46 of the Minder PR comment]

Note: This happens in both production and staging

Additional information

This is the YAML output when I run `minder profile get`:

profile:
    alert: "off"
    context:
        project: b73403a2-d409-43ea-b8f6-2b567a558a6d
    displayName: Dependencies Security
    id: 30726deb-e96c-4c4c-b92f-454660072611
    name: dependencies-github-profile
    pullRequest:
        - def:
            action: review
            ecosystem_config:
                - name: npm
                  package_repository:
                    url: https://registry.npmjs.org
                  vulnerability_database_endpoint: https://api.osv.dev/v1/query
                  vulnerability_database_type: osv
                - name: go
                  package_repository:
                    url: https://proxy.golang.org
                  sum_repository:
                    url: https://sum.golang.org
                  vulnerability_database_endpoint: https://api.osv.dev/v1/query
                  vulnerability_database_type: osv
                - name: pypi
                  package_repository:
                    url: https://pypi.org/pypi
                  vulnerability_database_endpoint: https://api.osv.dev/v1/query
                  vulnerability_database_type: osv
          name: Check pull requests for vulnerable dependencies
          type: stacklok/pr_vulnerability_check
        - def:
            action: summary
            ecosystem_config:
                - name: npm
                  score: 5
                - name: pypi
                  score: 5
          name: Check pull requests for dependencies with low Trusty Score
          type: stacklok/pr_trusty_check
    remediate: "off"
    repository:
        - def:
            apply_if_file: go.mod
            package_ecosystem: gomod
            schedule_interval: daily
          name: Dependabot configured for Go projects
          type: stacklok/dependabot_configured
        - def:
            apply_if_file: package.json
            package_ecosystem: npm
            schedule_interval: daily
          name: Dependabot configured for JavaScript projects
          type: stacklok/dependabot_configured
        - def:
            apply_if_file: requirements.txt
            package_ecosystem: pip
            schedule_interval: daily
          name: Dependabot configured for Python projects
          type: stacklok/dependabot_configured

To Reproduce

No response

What version are you using?

No response

blkt commented 3 days ago

Trusty API v1 removed score from its payload, and depending on where it appears it's either null or 0.

$ curl https://api.trustypkg.dev/v1/report\?package_name\=requests\&package_type\=pypi | jq .summary
{
  "score": null,
  "description": {
    "trust-summary": 8.5,
    "from": "provenance",
    "activity_user": 9.4,
    "activity_repo": 9.4,
    "activity": 9.4,
    "typosquatting": 10.0,
    "provenance_type": "historical_provenance_match"
  },
  "updated_at": "2024-11-20T07:24:35.479848"
}

So this is not a bug in Minder, but we do have to revisit the pr_trusty_check rule.
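The root cause described above is that a missing (null) score is being reported as if it were a real score of 0. The following Go program is an added example, not Minder's own code or the pr_trusty_check implementation, showing how a PR check can decode the v1 summary so that JSON null is distinguished from a numeric 0 and reported as "score unavailable" instead of failing the dependency with a bogus value. The function names `Evaluate` and `ThresholdFor` are assumed; the thresholds are taken from the profile posted in the issue (npm and pypi at 5), and the embedded summary is the curl response captured in the previous comment. A literal 0 returned by the API is still indistinguishable from a genuine 0 in the payload, which is why the rule itself needs revisiting.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Verdict is what the PR check would report for a single dependency.
type Verdict string

const (
	VerdictPass        Verdict = "pass"
	VerdictFail        Verdict = "fail"
	VerdictUnavailable Verdict = "score_unavailable"
)

// TrustyRequestsSummary is the `.summary` object returned by
// https://api.trustypkg.dev/v1/report for the pypi package "requests",
// as captured in the comment above (score is null in the v1 payload).
const TrustyRequestsSummary = `{
  "score": null,
  "description": {
    "trust-summary": 8.5,
    "from": "provenance",
    "activity_user": 9.4,
    "activity_repo": 9.4,
    "activity": 9.4,
    "typosquatting": 10.0,
    "provenance_type": "historical_provenance_match"
  },
  "updated_at": "2024-11-20T07:24:35.479848"
}`

// Summary mirrors the v1 "summary" object. Score is a *float64 so that a
// JSON null decodes to nil rather than to the zero value 0.0.
type Summary struct {
	Score       *float64        `json:"score"`
	Description json.RawMessage `json:"description"`
	UpdatedAt   string          `json:"updated_at"`
}

// ecosystemThresholds reproduces the ecosystem_config of the
// pr_trusty_check rule in the profile from the issue report.
var ecosystemThresholds = map[string]float64{
	"npm":  5,
	"pypi": 5,
}

// ThresholdFor returns the configured minimum score for an ecosystem and
// whether the ecosystem is covered by the rule at all.
func ThresholdFor(ecosystem string) (float64, bool) {
	t, ok := ecosystemThresholds[ecosystem]
	return t, ok
}

// Evaluate decodes one summary and compares the score against threshold.
// A null score yields VerdictUnavailable and never a numeric comparison,
// so a PR comment cannot claim "score is 0" when no score was returned.
func Evaluate(summaryJSON []byte, threshold float64) (Verdict, string, error) {
	var s Summary
	if err := json.Unmarshal(summaryJSON, &s); err != nil {
		return "", "", fmt.Errorf("decoding Trusty summary: %w", err)
	}
	if s.Score == nil {
		return VerdictUnavailable,
			"Trusty API returned no score for this package; not treating it as 0", nil
	}
	if *s.Score < threshold {
		return VerdictFail,
			fmt.Sprintf("Trusty score %.1f is below the configured threshold %.1f", *s.Score, threshold), nil
	}
	return VerdictPass,
		fmt.Sprintf("Trusty score %.1f meets the configured threshold %.1f", *s.Score, threshold), nil
}

func main() {
	threshold, ok := ThresholdFor("pypi")
	if !ok {
		fmt.Println("ecosystem not covered by the rule; skipping")
		return
	}
	verdict, msg, err := Evaluate([]byte(TrustyRequestsSummary), threshold)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("requests (pypi): %s - %s\n", verdict, msg)
}
```

Running the program against the captured response prints a `score_unavailable` verdict for `requests` rather than a failing check, while a payload that actually carries a number (for example a constructed `{"score": 0}` or `{"score": 7.2}`) is compared against the profile threshold as before.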