mozilla / cargo-vet

supply-chain security for Rust
Apache License 2.0

Mechanism for automatically pruning `importable = false` audits #580

Closed mystor closed 6 months ago

mystor commented 8 months ago

In #520, we added a new option to audits, which allows them to be marked as non-importable. This new flag is specified by default for newly created audits mentioning git revisions, as they have limited value for others consuming your audit list.

These git audits can in some cases produce a large amount of non-useful audits in the audits file, which would be nice to simplify in an automated fashion.

In order to clean these non-importable audits up automatically, we should introduce automatic pruning, similar to the pruning we do for exemptions, but for non-importable audits. They should probably be preferred in a similar manner to exemptions, but at a higher priority to exemptions (as a non-importable audit is preferred to an exemption). This will handle removing audits in the case where a non-importable audit is useless.

This won't automatically handle removing large audit chains, however, as if we build a chain of non-importable audits it will not be collapsed. To handle this, we can introduce a (perhaps opt-in?) mechanism during vet certify which will try to help with this.

My current (very) rough idea is that before certifying a non-importable delta audit, we first check if there is exactly one local non-importable audit with at least the same criteria as our new audit, which has our version as its "to", and where the "from" version is valid for the certified criteria. If this is the case, we'd change the new audit's "from" version to that audit's "from" version - effectively bypassing it, and allowing the pruner to remove the other audit now that it is unused.

We could try to handle more cases, and do this recursively, however that's probably unnecessary.

I imagine there are some edge cases and/or potential simplifications we could do here (e.g. we could remove the "valid for the certified criteria" check if we unconditionally introduce both the original audit and the broader audit, allowing the pruner to clean up after us, but that runs the risk of adding even more junk audits if the pruner fails).
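The two passes sketched above (widening a new non-importable delta past the single audit it chains onto, then pruning audits nothing depends on), as an added model in Rust; this is illustrative code, not cargo-vet's own types or resolver. It assumes "our version" means the new delta's `from` version, that "unused" means no in-use version or other audit depends on the audit's `to`, and it stands in for the "valid for the certified criteria" check with a caller-supplied closure.

```rust
// Added example, not cargo-vet code: a simplified model of the proposal in this issue.
use std::collections::BTreeSet;

#[derive(Clone, Debug, PartialEq)]
pub struct DeltaAudit {
    pub from: String,               // e.g. "1.0.0" or a git revision
    pub to: String,
    pub criteria: BTreeSet<String>, // e.g. {"safe-to-deploy"}
    pub importable: bool,
}

/// Before certifying `new` (a non-importable delta), look for exactly one local
/// non-importable audit whose `to` is `new.from`, whose criteria cover `new`'s, and
/// whose `from` is valid for the certified criteria (`from_is_valid`, an assumed
/// stand-in for the real check). If found, widen `new.from` to that audit's `from`
/// so the intermediate audit becomes unused; otherwise return `new` unchanged.
pub fn collapse_chain<F>(new: &DeltaAudit, local: &[DeltaAudit], from_is_valid: F) -> DeltaAudit
where
    F: Fn(&str, &BTreeSet<String>) -> bool,
{
    if new.importable {
        return new.clone();
    }
    let mut candidates = local.iter().filter(|a| {
        !a.importable
            && a.to == new.from
            && new.criteria.is_subset(&a.criteria)
            && from_is_valid(a.from.as_str(), &new.criteria)
    });
    match (candidates.next(), candidates.next()) {
        // Exactly one candidate: bypass it. Zero or several: leave the new audit alone.
        (Some(prev), None) => DeltaAudit { from: prev.from.clone(), ..new.clone() },
        _ => new.clone(),
    }
}

/// Pruning pass (simplified model): keep importable audits, and keep a non-importable
/// audit only if its `to` is a version currently in use or another audit chains from it.
pub fn prune_unused(audits: &[DeltaAudit], in_use: &[&str]) -> Vec<DeltaAudit> {
    audits
        .iter()
        .filter(|a| {
            a.importable
                || in_use.contains(&a.to.as_str())
                || audits.iter().any(|b| b.from == a.to && !std::ptr::eq(*a, b))
        })
        .cloned()
        .collect()
}
```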

mystor commented 7 months ago

@afranchuk Would you be interested in implementing this feature? I think it could be done in 2 passes, with the first being the automatic pruning of unused importable = false audits similar to how we prune exemptions, and the second being the certify changes.

afranchuk commented 7 months ago

> @afranchuk Would you be interested in implementing this feature? I think it could be done in 2 passes, with the first being the automatic pruning of unused importable = false audits similar to how we prune exemptions, and the second being the certify changes.

Sure, I'll take a stab at it!