mitre / hipcheck

Automatically assess and score software repositories for supply chain risk.
https://mitre.github.io/hipcheck/
Apache License 2.0

feat: local repos are also cloned to HC_CACHE #208

Closed j-lanson closed 1 month ago

j-lanson commented 1 month ago

Working directly with local repos presents a challenge for the 3.5.0 feature #183. This PR changes local repo handling to do a local git clone to $HC_CACHE/clones/local. The subdir created in this path is returned and is used for all future operations on the repository.

alilleybrinker commented 1 month ago

@j-lanson can you squash down to one commit?

j-lanson commented 1 month ago

> In the future we may want to make this more like clone-on-write, where we only clone lazily if we need to do something destructive, but doing it unconditionally is never wrong, while doing it lazily brings more risk. The trade-off is in performance if a repository is big, and disk size.

Totally agree. If you have N destructive analyses, you'll want to ensure they all use the same instance so you don't clone the source repo N times. salsa seems pretty well-positioned to provide that lazy functionality, but it's up to the analyses to make sure they call the appropriate get_writeable()-type function.
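As an added illustration of the clone-to-cache approach discussed in this thread (example code, not hipcheck's own implementation), the function below clones a local repository under `$HC_CACHE/clones/local` and returns the clone path, reusing an existing clone so that several analyses share one instance and the user's source checkout is never touched. The per-repo subdirectory name (the source directory's basename) and the use of a `git` subprocess are assumptions, not details from the PR.

```rust
use std::io;
use std::path::{Path, PathBuf};
use std::process::Command;

/// Assumed layout: <cache>/clones/local/<basename of the source path>.
/// The real hipcheck subdirectory naming is not shown in the PR.
pub fn local_clone_dest(cache: &Path, source: &Path) -> PathBuf {
    let name = source
        .file_name()
        .map(|n| n.to_os_string())
        .unwrap_or_else(|| "repo".into());
    cache.join("clones").join("local").join(name)
}

/// Clone `source` into the cache unless a clone already exists there,
/// and return the clone's path. All later (possibly destructive) git
/// operations should run against the returned path, never `source`.
pub fn clone_local_repo(cache: &Path, source: &Path) -> io::Result<PathBuf> {
    let dest = local_clone_dest(cache, source);

    // Idempotent: a second analysis reuses the first clone.
    if dest.join(".git").is_dir() {
        return Ok(dest);
    }

    // `dest` always has a parent because it is built under `cache`.
    std::fs::create_dir_all(dest.parent().unwrap())?;

    // Assumes a `git` binary on PATH; a local path clone uses hardlinks
    // for objects, so the main cost is working-tree size on disk.
    let status = Command::new("git")
        .arg("clone")
        .arg("--quiet")
        .arg(source)
        .arg(&dest)
        .status()?;
    if !status.success() {
        return Err(io::Error::new(
            io::ErrorKind::Other,
            format!("git clone of {} failed: {status}", source.display()),
        ));
    }
    Ok(dest)
}
```

Two different local repos that share a directory name would collide under this naming; a production version would key the subdirectory on the canonicalized source path instead.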