Closed micheelengronne closed 1 year ago
For new package managers we generally approach the problem in 3 steps:
Is a new datasource required?
Is a new version scheme required (e.g. vanilla semver is not supported)
Add extract and update functions
So to start with, can you provide an example profile that includes references to chef, custom and git repositories?
Inspec itself includes examples for its tests: https://github.com/inspec/inspec/tree/master/examples
With the meta profile, you have supermarket, git and url dependencies: https://github.com/inspec/inspec/tree/master/examples/meta-profile
With the inheritance profile, you have local dependencies: https://github.com/inspec/inspec/tree/master/examples/inheritance
As far as I know, the only place (except the git tag and tar.gz artifact) where I see a version number is the version
field in inspec.yml
Inspec also creates an inspec.lock file with the command inspec vendor
with the --overwrite
attribute to change the existing lock file.
Can you point me to specific lines/sections of the files in the example tests? It's too complex for me to grok immediately. Specifically I'm looking for the types of references that you'd expect Renovate to update.
These examples do not keep their inspec.lock files so I generated them with inspec vendor
:
For the meta-profile https://github.com/inspec/inspec/tree/master/examples/meta-profile:
---
lockfile_version: 1
depends:
- name: dev-sec/ssh-baseline
resolved_source:
url: https://github.com/dev-sec/ssh-baseline/archive/master.tar.gz
sha256: 880d952f8bcaeb548e4f2aa798d4bfad0b35e0afad0f0a4d8e98ce474ae19f8a
version_constraints: []
- name: ssl-baseline
resolved_source:
url: https://github.com/dev-sec/ssl-baseline/archive/master.tar.gz
sha256: cf43acbe903f9fff832e0a1cb62ac5db19f2d92586c4eb9871e323207d673b35
version_constraints: []
- name: windows-patch-benchmark
resolved_source:
url: https://github.com/chris-rock/windows-patch-benchmark/archive/master.tar.gz
sha256: c96dcf60b60de709831000a253427116012dbb9c8b1958f5cd2f90e1abb68410
version_constraints: []
For the inheritance profile https://github.com/inspec/inspec/tree/master/examples/inheritance:
---
lockfile_version: 1
depends:
- name: profile
resolved_source:
path: "/usr/local/src/inspec/examples/profile"
sha256: 71d1cded626231c4cdf171fb7ecb0ccafe4ef5c0cbe55ee8fe055aa48947f7e1
version_constraints: []
- name: profile-attribute
resolved_source:
path: "/usr/local/src/inspec/examples/profile-attribute"
sha256: b321127d15ac031588575b4bbac140739b6238d187657659d82ea131cb9ea498
version_constraints: []
As you can see in this other profile the version appears in the version field and is equivalent to a git tag: https://github.com/dev-sec/linux-baseline/blob/master/inspec.yml
To improve further, I altered the meta-profile with the following inspec.yml:
name: meta-profile
title: Meta Compliance Profile
maintainer: InSpec Authors
copyright: InSpec Authors
copyright_email: support@chef.io
license: Apache-2.0
summary: InSpec Profile that is only consuming dependencies
version: 0.2.0
depends:
- name: dev-sec/ssh-baseline
git: https://github.com/dev-sec/ssh-baseline
version: 2.4.1
Notice that it uses a git dependency with a version constraint. The resulting inspec.lock is:
---
lockfile_version: 1
depends:
- name: dev-sec/ssh-baseline
resolved_source:
git: https://github.com/dev-sec/ssh-baseline
ref: 6625de7fd1bc9379f2a16d77051727354ecff28d
version_constraints:
- 2.4.1
The version constraint is reported in the lock
By the way, in order of difficulty for us:
Right now we don't do the third one for many managers at all. e.g. if you configure an npm dependency to have version "*"
then we leave it alone and do not pin it. Same with Docker images.
So in terms of implementation I would aim to first support simple updating of versions in Inspec (e.g. 1.0.0 -> 1.0.1) and then pinning of versions (assuming ranges are supported) and then finally going from no version to a pinned version.
We'd also have to decide if we call "updating from no version to an exact version" to be "pinning" or if we need a new term to differentiate it
I don't know if ranges are supported and if "pinning" is the correct term.
I am not a member of the Inspec team. I think, we should work with them.
@aaronlippold @skpaterson and @chef your thoughts on that ?
hi @micheelengronne and @rarkins - apologies for the delay in responding. Adding InSpec support in Renovate looks interesting, I'll mention to our product folks this side. Vendoring effectively pins all profile dependencies. As far as I'm aware we cannot currently specify ranges of profile versions. For info, there's more detail here on InSpec profiles and versioning: https://www.inspec.io/docs/reference/profiles/
With the custom manager, it is possible to handle dependencies. What is missing though are datasources.
Inspec dependencies can be stored on a local path, an url, supermarket
and chef compliance server
. See https://www.inspec.io/docs/reference/profiles/
I think, we can handle the lock update indirectly if the custom script feature is implemented.
It seems that https://github.com/renovatebot/renovate/pull/5202 can fulfill my usecase. I will try it.
Hi @micheelengronne , how did you implement the update of inspec.yml?
Hi @tbugfinder, I added my deps that way in inspec.yml:
- name: linux-baseline
git: https://github.com/dev-sec/linux-baseline.git
# yamllint disable-line rule:line-length
# source: https://github.com/dev-sec/linux-baseline.git name: linux-baseline
tag: 2.4.6
And in renovate config:
"regexManagers": [
{
"fileMatch": ["^inspec.yml$"],
"matchStrings": [
"# source: (?<lookupName>.*)? name: (?<depName>.*)?\n tag: (?<currentValue>.*)"
],
"datasourceTemplate": "git-tags"
}
],
Excellent. Thank you
Hi there,
You're asking us to support a new package manager. We need to know some basic information about this package manager first. Please copy/paste the new package manager questionnaire, and fill it out in full.
Once the questionnaire is filled out we'll decide if we want to support this new manager.
Good luck,
The Renovate team
I would like to be able to handle my inspec profiles dependencies with renovate.
Inspec https://www.inspec.io/ is an evolution of serverspec to test systems and infrastructures.
It has a packaging system. A package is called a profile in the Inspec world.
An Inspec profile can have dependencies and a lock file.
I would like to fetch profiles from chef repositories, custom repositories and git repositories.
Thanks.