Fix Analyze Org Data Race (#198)

* reworked opa initialization. We initialize the compiler only once after the instance is created and the config is loaded instead of on every eval call

* fix tests

* reworked analyze org to fix data race when accumulating scanned packages in the inventory to then proceed to the finalization of the analysis

Author: SUSTAPLE117

analyze/analyze.go

@@ -92,13 +92,23 @@ func (a *Analyzer) AnalyzeOrg(ctx context.Context, org string, numberOfGoroutine
 	log.Debug().Msgf("Starting repository analysis for organization: %s on %s", org, provider)
 	bar := a.progressBar(0, "Analyzing repositories")
 
-	var wg sync.WaitGroup
+	var reposWg sync.WaitGroup
 	errChan := make(chan error, 1)
 	maxGoroutines := 2
 	if numberOfGoroutines != nil {
 		maxGoroutines = *numberOfGoroutines
 	}
-	sem := semaphore.NewWeighted(int64(maxGoroutines))
+	goRoutineLimitSem := semaphore.NewWeighted(int64(maxGoroutines))
+
+	pkgChan := make(chan *models.PackageInsights)
+	pkgWg := sync.WaitGroup{}
+	pkgWg.Add(1)
+	go func() {
+		defer pkgWg.Done()
+		for pkg := range pkgChan {
+			inventory.Packages = append(inventory.Packages, pkg)
+		}
+	}()
 
 	for repoBatch := range orgReposBatches {
 		if repoBatch.Err != nil {
@@ -113,15 +123,15 @@ func (a *Analyzer) AnalyzeOrg(ctx context.Context, org string, numberOfGoroutine
 				bar.ChangeMax(repoBatch.TotalCount - 1)
 				continue
 			}
-			if err := sem.Acquire(ctx, 1); err != nil {
+			if err := goRoutineLimitSem.Acquire(ctx, 1); err != nil {
 				close(errChan)
 				return fmt.Errorf("failed to acquire semaphore: %w", err)
 			}
 
-			wg.Add(1)
+			reposWg.Add(1)
 			go func(repo Repository) {
-				defer sem.Release(1)
-				defer wg.Done()
+				defer goRoutineLimitSem.Release(1)
+				defer reposWg.Done()
 				repoNameWithOwner := repo.GetRepoIdentifier()
 				tempDir, err := a.cloneRepoToTemp(ctx, repo.BuildGitURL(a.ScmClient.GetProviderBaseURL()), a.ScmClient.GetToken(), "HEAD")
 				if err != nil {
@@ -136,9 +146,16 @@ func (a *Analyzer) AnalyzeOrg(ctx context.Context, org string, numberOfGoroutine
 					return
 				}
 
-				err = inventory.AddPackage(ctx, pkg, tempDir)
+				scannedPkg, err := inventory.ScanPackage(ctx, pkg, tempDir)
 				if err != nil {
-					log.Error().Err(err).Str("repo", repoNameWithOwner).Msg("failed to add package to inventory")
+					log.Error().Err(err).Str("repo", repoNameWithOwner).Msg("failed to scan package")
+					return
+				}
+
+				select {
+				case pkgChan <- scannedPkg:
+				case <-ctx.Done():
+					log.Error().Msg("Context canceled while sending package to channel")
 					return
 				}
 				_ = bar.Add(1)
@@ -147,10 +164,13 @@ func (a *Analyzer) AnalyzeOrg(ctx context.Context, org string, numberOfGoroutine
 	}
 
 	go func() {
-		wg.Wait()
+		reposWg.Wait()
+		close(pkgChan)
 		close(errChan)
 	}()
 
+	pkgWg.Wait()
+
 	for err := range errChan {
 		if err != nil {
 			return err

cmd/root.go

@@ -186,12 +186,11 @@ func GetAnalyzer(ctx context.Context, command string) (*analyze.Analyzer, error)
 }
 
 func newOpa(ctx context.Context) (*opa.Opa, error) {
-	opaClient, err := opa.NewOpa()
+	opaClient, err := opa.NewOpa(ctx, config)
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to create OPA client")
 		return nil, err
 	}
-	_ = opaClient.WithConfig(ctx, config)
 
 	return opaClient, nil
 }

opa/opa.go

@@ -30,15 +30,27 @@ type Opa struct {
 	LoadPaths []string
 }
 
-func NewOpa() (*Opa, error) {
+func NewOpa(ctx context.Context, config *models.Config) (*Opa, error) {
 	registerBuiltinFunctions()
 
-	return &Opa{
+	newOpa := &Opa{
 		Store: inmem.NewFromObject(map[string]interface {
 		}{
 			"config": models.DefaultConfig(),
 		}),
-	}, nil
+	}
+
+	err := newOpa.WithConfig(ctx, config)
+	if err != nil {
+		return nil, fmt.Errorf("failed to set opa with config: %w", err)
+	}
+
+	err = newOpa.Compile(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize opa compiler: %w", err)
+	}
+
+	return newOpa, nil
 }
 
 func (o *Opa) Print(ctx print.Context, s string) error {
@@ -117,14 +129,7 @@ func (o *Opa) Compile(ctx context.Context) error {
 }
 
 func (o *Opa) Eval(ctx context.Context, query string, input map[string]interface{}, result interface{}) error {
-	if o.Compiler == nil {
-		if err := o.Compile(ctx); err != nil {
-			log.Debug().Msg(err.Error())
-			return err
-		}
-	}
-
-	rego := rego.New(
+	regoInstance := rego.New(
 		rego.Query(query),
 		rego.Compiler(o.Compiler),
 		rego.PrintHook(o),
@@ -133,7 +138,7 @@ func (o *Opa) Eval(ctx context.Context, query string, input map[string]interface
 		rego.Store(o.Store),
 	)
 
-	rs, err := rego.Eval(ctx)
+	rs, err := regoInstance.Eval(ctx)
 	if err != nil {
 		return err
 	}

opa/opa_test.go

@@ -42,7 +42,9 @@ func TestOpaBuiltins(t *testing.T) {
 		},
 	}
 
-	opa, err := NewOpa()
+	opa, err := NewOpa(context.TODO(), &models.Config{
+		Include: []models.ConfigInclude{},
+	})
 	noOpaErrors(t, err)
 
 	for _, c := range cases {
@@ -77,7 +79,9 @@ func TestSemverConstraintCheck(t *testing.T) {
 		},
 	}
 
-	opa, err := NewOpa()
+	opa, err := NewOpa(context.TODO(), &models.Config{
+		Include: []models.ConfigInclude{},
+	})
 	noOpaErrors(t, err)
 
 	for _, c := range cases {
@@ -114,7 +118,9 @@ func TestJobUsesSelfHostedRunner(t *testing.T) {
 		"random-name":         true,
 	}
 
-	opa, err := NewOpa()
+	opa, err := NewOpa(context.TODO(), &models.Config{
+		Include: []models.ConfigInclude{},
+	})
 	noOpaErrors(t, err)
 
 	for runner, expected := range cases {
@@ -136,7 +142,9 @@ func TestJobUsesSelfHostedRunner(t *testing.T) {
 }
 
 func TestWithConfig(t *testing.T) {
-	o, err := NewOpa()
+	o, err := NewOpa(context.TODO(), &models.Config{
+		Include: []models.ConfigInclude{},
+	})
 	noOpaErrors(t, err)
 	ctx := context.TODO()
 
@@ -181,7 +189,9 @@ func TestCapabilities(t *testing.T) {
 }
 
 func TestRulesMetadataLevel(t *testing.T) {
-	opa, err := NewOpa()
+	opa, err := NewOpa(context.TODO(), &models.Config{
+		Include: []models.ConfigInclude{},
+	})
 	noOpaErrors(t, err)
 
 	query := `{rule_id: rule.level |
@@ -202,7 +212,9 @@ func TestRulesMetadataLevel(t *testing.T) {
 }
 
 func TestWithRulesConfig(t *testing.T) {
-	o, err := NewOpa()
+	o, err := NewOpa(context.TODO(), &models.Config{
+		Include: []models.ConfigInclude{},
+	})
 	noOpaErrors(t, err)
 	ctx := context.TODO()
 

scanner/inventory.go

@@ -32,16 +32,25 @@ func NewInventory(opa *opa.Opa, pkgsupplyClient ReputationClient, provider strin
 }
 
 func (i *Inventory) AddPackage(ctx context.Context, pkg *models.PackageInsights, workdir string) error {
+	scannedPackage, err := i.ScanPackage(ctx, pkg, workdir)
+	if err != nil {
+		return err
+	}
+
+	i.Packages = append(i.Packages, scannedPackage)
+	return nil
+}
+
+func (i *Inventory) ScanPackage(ctx context.Context, pkg *models.PackageInsights, workdir string) (*models.PackageInsights, error) {
 	s := NewScanner(workdir)
 	s.Package = pkg
 
 	err := s.Run(ctx, i.opa)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
-	i.Packages = append(i.Packages, s.Package)
-	return nil
+	return s.Package, nil
 }
 
 func (i *Inventory) Purls() []string {

scanner/inventory_test.go

@@ -10,7 +10,9 @@ import (
 )
 
 func TestPurls(t *testing.T) {
-	o, _ := opa.NewOpa()
+	o, _ := opa.NewOpa(context.TODO(), &models.Config{
+		Include: []models.ConfigInclude{},
+	})
 	i := NewInventory(o, nil, "", "")
 	pkg := &models.PackageInsights{
 		Purl: "pkg:github/org/owner",
@@ -53,7 +55,9 @@ func TestPurls(t *testing.T) {
 }
 
 func TestFindings(t *testing.T) {
-	o, _ := opa.NewOpa()
+	o, _ := opa.NewOpa(context.TODO(), &models.Config{
+		Include: []models.ConfigInclude{},
+	})
 	i := NewInventory(o, nil, "gitlab", "")
 	purl := "pkg:github/org/owner"
 	pkg := &models.PackageInsights{
@@ -426,7 +430,9 @@ func TestFindings(t *testing.T) {
 }
 
 func TestSkipRule(t *testing.T) {
-	o, _ := opa.NewOpa()
+	o, _ := opa.NewOpa(context.TODO(), &models.Config{
+		Include: []models.ConfigInclude{},
+	})
 	i := NewInventory(o, nil, "", "")
 	ctx := context.TODO()
 	purl := "pkg:github/org/owner"
@@ -470,7 +476,9 @@ func TestSkipRule(t *testing.T) {
 }
 
 func TestRulesConfig(t *testing.T) {
-	o, _ := opa.NewOpa()
+	o, _ := opa.NewOpa(context.TODO(), &models.Config{
+		Include: []models.ConfigInclude{},
+	})
 	i := NewInventory(o, nil, "", "")
 	ctx := context.TODO()
 	purl := "pkg:github/org/owner"

scanner/scanner_test.go

@@ -10,7 +10,9 @@ import (
 
 func TestGithubWorkflows(t *testing.T) {
 	s := NewScanner("testdata")
-	o, _ := opa.NewOpa()
+	o, _ := opa.NewOpa(context.TODO(), &models.Config{
+		Include: []models.ConfigInclude{},
+	})
 	err := s.Run(context.TODO(), o)
 	workflows := s.Package.GithubActionsWorkflows
 
@@ -33,7 +35,9 @@ func TestGithubWorkflows(t *testing.T) {
 
 func TestGithubWorkflowsNotFound(t *testing.T) {
 	s := NewScanner("testdata/.github")
-	o, _ := opa.NewOpa()
+	o, _ := opa.NewOpa(context.TODO(), &models.Config{
+		Include: []models.ConfigInclude{},
+	})
 	err := s.Run(context.TODO(), o)
 	workflows := s.Package.GithubActionsWorkflows
 
@@ -43,7 +47,9 @@ func TestGithubWorkflowsNotFound(t *testing.T) {
 
 func TestGithubActionsMetadata(t *testing.T) {
 	s := NewScanner("testdata")
-	o, _ := opa.NewOpa()
+	o, _ := opa.NewOpa(context.TODO(), &models.Config{
+		Include: []models.ConfigInclude{},
+	})
 	err := s.Run(context.TODO(), o)
 
 	metadata := s.Package.GithubActionsMetadata
@@ -58,7 +64,9 @@ func TestGithubActionsMetadata(t *testing.T) {
 
 func TestRun(t *testing.T) {
 	s := NewScanner("testdata")
-	o, _ := opa.NewOpa()
+	o, _ := opa.NewOpa(context.TODO(), &models.Config{
+		Include: []models.ConfigInclude{},
+	})
 	s.Package.Purl = "pkg:github/org/owner"
 
 	err := s.Run(context.TODO(), o)
@@ -73,7 +81,9 @@ func TestRun(t *testing.T) {
 
 func TestPipelineAsCodeTekton(t *testing.T) {
 	s := NewScanner("testdata")
-	o, _ := opa.NewOpa()
+	o, _ := opa.NewOpa(context.TODO(), &models.Config{
+		Include: []models.ConfigInclude{},
+	})
 	err := s.Run(context.TODO(), o)
 	assert.NoError(t, err)