Inventory Scanner Refactoring (#230)

Author: SUSTAPLE117

analyze/analyze.go

@@ -87,7 +87,7 @@ type Analyzer struct {
 	Opa       *opa.Opa
 }
 
-func (a *Analyzer) AnalyzeOrg(ctx context.Context, org string, numberOfGoroutines *int) error {
+func (a *Analyzer) AnalyzeOrg(ctx context.Context, org string, numberOfGoroutines *int) ([]*models.PackageInsights, error) {
 	provider := a.ScmClient.GetProviderName()
 
 	providerVersion, err := a.ScmClient.GetProviderVersion(ctx)
@@ -114,19 +114,21 @@ func (a *Analyzer) AnalyzeOrg(ctx context.Context, org string, numberOfGoroutine
 	}
 	goRoutineLimitSem := semaphore.NewWeighted(int64(maxGoroutines))
 
+	scannedPackages := make([]*models.PackageInsights, 0)
+
 	pkgChan := make(chan *models.PackageInsights)
 	pkgWg := sync.WaitGroup{}
 	pkgWg.Add(1)
 	go func() {
 		defer pkgWg.Done()
 		for pkg := range pkgChan {
-			inventory.Packages = append(inventory.Packages, pkg)
+			scannedPackages = append(scannedPackages, pkg)
 		}
 	}()
 
 	for repoBatch := range orgReposBatches {
 		if repoBatch.Err != nil {
-			return fmt.Errorf("failed to get batch of repos: %w", repoBatch.Err)
+			return scannedPackages, fmt.Errorf("failed to get batch of repos: %w", repoBatch.Err)
 		}
 		if repoBatch.TotalCount != 0 {
 			bar.ChangeMax(repoBatch.TotalCount)
@@ -144,7 +146,7 @@ func (a *Analyzer) AnalyzeOrg(ctx context.Context, org string, numberOfGoroutine
 			}
 			if err := goRoutineLimitSem.Acquire(ctx, 1); err != nil {
 				close(errChan)
-				return fmt.Errorf("failed to acquire semaphore: %w", err)
+				return scannedPackages, fmt.Errorf("failed to acquire semaphore: %w", err)
 			}
 
 			reposWg.Add(1)
@@ -165,7 +167,7 @@ func (a *Analyzer) AnalyzeOrg(ctx context.Context, org string, numberOfGoroutine
 					return
 				}
 
-				scannedPkg, err := inventory.ScanPackage(ctx, pkg, tempDir)
+				scannedPkg, err := inventory.ScanPackage(ctx, *pkg, tempDir)
 				if err != nil {
 					log.Error().Err(err).Str("repo", repoNameWithOwner).Msg("failed to scan package")
 					return
@@ -192,23 +194,28 @@ func (a *Analyzer) AnalyzeOrg(ctx context.Context, org string, numberOfGoroutine
 
 	for err := range errChan {
 		if err != nil {
-			return err
+			return scannedPackages, err
 		}
 	}
 
 	_ = bar.Finish()
 
-	return a.finalizeAnalysis(ctx, inventory)
+	err = a.finalizeAnalysis(ctx, scannedPackages)
+	if err != nil {
+		return scannedPackages, err
+	}
+
+	return scannedPackages, nil
 }
 
-func (a *Analyzer) AnalyzeRepo(ctx context.Context, repoString string, ref string) error {
+func (a *Analyzer) AnalyzeRepo(ctx context.Context, repoString string, ref string) (*models.PackageInsights, error) {
 	org, repoName, err := a.ScmClient.ParseRepoAndOrg(repoString)
 	if err != nil {
-		return fmt.Errorf("failed to parse repository: %w", err)
+		return nil, fmt.Errorf("failed to parse repository: %w", err)
 	}
 	repo, err := a.ScmClient.GetRepo(ctx, org, repoName)
 	if err != nil {
-		return fmt.Errorf("failed to get repo: %w", err)
+		return nil, fmt.Errorf("failed to get repo: %w", err)
 	}
 	provider := repo.GetProviderName()
 
@@ -228,7 +235,7 @@ func (a *Analyzer) AnalyzeRepo(ctx context.Context, repoString string, ref strin
 
 	tempDir, err := a.cloneRepoToTemp(ctx, repo.BuildGitURL(a.ScmClient.GetProviderBaseURL()), a.ScmClient.GetToken(), ref)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	defer os.RemoveAll(tempDir)
 
@@ -237,26 +244,31 @@ func (a *Analyzer) AnalyzeRepo(ctx context.Context, repoString string, ref strin
 
 	pkg, err := a.generatePackageInsights(ctx, tempDir, repo, ref)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
-	err = inventory.AddPackage(ctx, pkg, tempDir)
+	scannedPackage, err := inventory.ScanPackage(ctx, *pkg, tempDir)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	_ = bar.Finish()
 
-	return a.finalizeAnalysis(ctx, inventory)
+	err = a.finalizeAnalysis(ctx, []*models.PackageInsights{scannedPackage})
+	if err != nil {
+		return nil, err
+	}
+
+	return scannedPackage, nil
 }
 
-func (a *Analyzer) AnalyzeLocalRepo(ctx context.Context, repoPath string) error {
+func (a *Analyzer) AnalyzeLocalRepo(ctx context.Context, repoPath string) (*models.PackageInsights, error) {
 	org, repoName, err := a.ScmClient.ParseRepoAndOrg(repoPath)
 	if err != nil {
-		return fmt.Errorf("failed to parse repository: %w", err)
+		return nil, fmt.Errorf("failed to parse repository: %w", err)
 	}
 	repo, err := a.ScmClient.GetRepo(ctx, org, repoName)
 	if err != nil {
-		return fmt.Errorf("failed to get repo: %w", err)
+		return nil, fmt.Errorf("failed to get repo: %w", err)
 	}
 	provider := repo.GetProviderName()
 
@@ -274,28 +286,28 @@ func (a *Analyzer) AnalyzeLocalRepo(ctx context.Context, repoPath string) error
 
 	pkg, err := a.generatePackageInsights(ctx, repoPath, repo, "")
 	if err != nil {
-		return err
+		return nil, err
 	}
 
-	err = inventory.AddPackage(ctx, pkg, repoPath)
+	scannedPackage, err := inventory.ScanPackage(ctx, *pkg, repoPath)
 	if err != nil {
-		return err
+		return nil, err
+	}
+
+	err = a.finalizeAnalysis(ctx, []*models.PackageInsights{scannedPackage})
+	if err != nil {
+		return nil, err
 	}
 
-	return a.finalizeAnalysis(ctx, inventory)
+	return scannedPackage, nil
 }
 
 type Formatter interface {
-	Format(ctx context.Context, report *opa.FindingsResult, packages []*models.PackageInsights) error
+	Format(ctx context.Context, packages []*models.PackageInsights) error
 }
 
-func (a *Analyzer) finalizeAnalysis(ctx context.Context, inventory *scanner.Inventory) error {
-	report, err := inventory.Findings(ctx)
-	if err != nil {
-		return err
-	}
-
-	err = a.Formatter.Format(ctx, report, inventory.Packages)
+func (a *Analyzer) finalizeAnalysis(ctx context.Context, scannedPackages []*models.PackageInsights) error {
+	err := a.Formatter.Format(ctx, scannedPackages)
 	if err != nil {
 		return err
 	}

cmd/analyzeLocal.go

@@ -36,7 +36,7 @@ Example: poutine analyze_local /path/to/repo`,
 
 		analyzer := analyze.NewAnalyzer(localScmClient, localGitClient, formatter, config, opaClient)
 
-		err = analyzer.AnalyzeLocalRepo(ctx, repoPath)
+		_, err = analyzer.AnalyzeLocalRepo(ctx, repoPath)
 		if err != nil {
 			return fmt.Errorf("failed to analyze repoPath %s: %w", repoPath, err)
 		}

cmd/analyzeOrg.go

@@ -31,7 +31,7 @@ Note: This command will scan all repositories in the organization except those t
 
 		org := args[0]
 
-		err = analyzer.AnalyzeOrg(ctx, org, &threads)
+		_, err = analyzer.AnalyzeOrg(ctx, org, &threads)
 		if err != nil {
 			return fmt.Errorf("failed to analyze org %s: %w", org, err)
 		}

cmd/analyzeRepo.go

@@ -26,7 +26,7 @@ Example Scanning a remote Github Repository: poutine analyze_repo org/repo --tok
 
 		repo := args[0]
 
-		err = analyzer.AnalyzeRepo(ctx, repo, ref)
+		_, err = analyzer.AnalyzeRepo(ctx, repo, ref)
 		if err != nil {
 			return fmt.Errorf("failed to analyze repo %s: %w", repo, err)
 		}

formatters/json/json.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"github.com/boostsecurityio/poutine/models"
 	"github.com/boostsecurityio/poutine/opa"
+	"github.com/boostsecurityio/poutine/results"
 	"io"
 )
 
@@ -22,11 +23,23 @@ type Format struct {
 	format string
 }
 
-func (f *Format) Format(ctx context.Context, report *opa.FindingsResult, packages []*models.PackageInsights) error {
+func (f *Format) Format(ctx context.Context, packages []*models.PackageInsights) error {
 	var result struct {
 		Output string `json:"output"`
 		Error  string `json:"error"`
 	}
+	report := &results.FindingsResult{
+		Findings: make([]results.Finding, 0),
+		Rules:    map[string]results.Rule{},
+	}
+	for _, pkg := range packages {
+		for _, finding := range pkg.FindingsResults.Findings {
+			report.Findings = append(report.Findings, finding)
+		}
+		for _, rule := range pkg.FindingsResults.Rules {
+			report.Rules[rule.Id] = rule
+		}
+	}
 	err := f.opa.Eval(ctx,
 		"data.poutine.queries.format.result",
 		map[string]interface{}{

formatters/pretty/pretty.go

@@ -3,41 +3,48 @@ package pretty
 import (
 	"context"
 	"fmt"
+	"github.com/boostsecurityio/poutine/results"
 	"io"
 	"os"
 	"sort"
 
 	"github.com/rs/zerolog/log"
 
 	"github.com/boostsecurityio/poutine/models"
-	"github.com/boostsecurityio/poutine/opa"
 	"github.com/olekukonko/tablewriter"
 )
 
 type Format struct {
 }
 
-func (f *Format) Format(ctx context.Context, report *opa.FindingsResult, packages []*models.PackageInsights) error {
+func (f *Format) Format(ctx context.Context, packages []*models.PackageInsights) error {
 	failures := map[string]int{}
-	findings := map[string][]opa.Finding{}
+	findings := map[string][]results.Finding{}
+	rules := map[string]results.Rule{}
 
-	if len(report.Findings) == 0 {
-		log.Info().Msg("No results returned by analysis")
-		return nil
-	}
+	for _, pkg := range packages {
+		if len(pkg.FindingsResults.Findings) == 0 {
+			log.Info().Msg("No results returned by analysis")
+			continue
+		}
 
-	for _, finding := range report.Findings {
-		failures[finding.RuleId]++
-		findings[finding.RuleId] = append(findings[finding.RuleId], finding)
+		for _, finding := range pkg.FindingsResults.Findings {
+			failures[finding.RuleId]++
+			findings[finding.RuleId] = append(findings[finding.RuleId], finding)
+		}
+
+		for _, rule := range pkg.FindingsResults.Rules {
+			rules[rule.Id] = rule
+		}
 	}
 
-	printFindingsPerRule(os.Stdout, findings, report.Rules)
-	printSummaryTable(os.Stdout, failures, report.Rules)
+	printFindingsPerRule(os.Stdout, findings, rules)
+	printSummaryTable(os.Stdout, failures, rules)
 
 	return nil
 }
 
-func printFindingsPerRule(out io.Writer, results map[string][]opa.Finding, rules map[string]opa.Rule) {
+func printFindingsPerRule(out io.Writer, results map[string][]results.Finding, rules map[string]results.Rule) {
 
 	var sortedRuleIDs []string
 	for ruleID := range rules {
@@ -106,7 +113,7 @@ func printFindingsPerRule(out io.Writer, results map[string][]opa.Finding, rules
 	}
 }
 
-func printSummaryTable(out io.Writer, failures map[string]int, rules map[string]opa.Rule) {
+func printSummaryTable(out io.Writer, failures map[string]int, rules map[string]results.Rule) {
 	table := tablewriter.NewWriter(out)
 	table.SetHeader([]string{"Rule ID", "Rule Name", "Failures", "Status"})
 	table.SetColWidth(80)

formatters/sarif/sarif.go

@@ -3,12 +3,12 @@ package sarif
 import (
 	"context"
 	"fmt"
+	"github.com/boostsecurityio/poutine/results"
 	"io"
 	"strings"
 
 	"github.com/boostsecurityio/poutine/docs"
 	"github.com/boostsecurityio/poutine/models"
-	"github.com/boostsecurityio/poutine/opa"
 	"github.com/owenrumney/go-sarif/v2/sarif"
 )
 
@@ -24,7 +24,7 @@ type Format struct {
 	version string
 }
 
-func (f *Format) Format(ctx context.Context, report *opa.FindingsResult, packages []*models.PackageInsights) error {
+func (f *Format) Format(ctx context.Context, packages []*models.PackageInsights) error {
 	sarifReport, err := sarif.New(sarif.Version210)
 	if err != nil {
 		return err
@@ -35,11 +35,6 @@ func (f *Format) Format(ctx context.Context, report *opa.FindingsResult, package
 		return parts[0]
 	}
 
-	findingsByPurl := make(map[string][]opa.Finding)
-	for _, finding := range report.Findings {
-		findingsByPurl[finding.Purl] = append(findingsByPurl[finding.Purl], finding)
-	}
-
 	docs := docs.GetPagesContent()
 
 	for _, pkg := range packages {
@@ -56,6 +51,11 @@ func (f *Format) Format(ctx context.Context, report *opa.FindingsResult, package
 				WithBranch(pkg.SourceGitRef),
 		)
 
+		findingsByPurl := make(map[string][]results.Finding)
+		for _, finding := range pkg.FindingsResults.Findings {
+			findingsByPurl[finding.Purl] = append(findingsByPurl[finding.Purl], finding)
+		}
+
 		pkgFindings := findingsByPurl[pkg.Purl]
 		for _, depPurl := range pkg.PackageDependencies {
 			normalizedDepPurl := normalizePurl(depPurl)
@@ -65,7 +65,7 @@ func (f *Format) Format(ctx context.Context, report *opa.FindingsResult, package
 		}
 
 		for _, finding := range pkgFindings {
-			rule := report.Rules[finding.RuleId]
+			rule := pkg.FindingsResults.Rules[finding.RuleId]
 			ruleId := rule.Id
 			ruleDescription := rule.Description
 			meta := finding.Meta

models/package_insights.go

@@ -1,6 +1,9 @@
 package models
 
-import "fmt"
+import (
+	"fmt"
+	"github.com/boostsecurityio/poutine/results"
+)
 
 type PackageInsights struct {
 	Version string `json:"version"`
@@ -46,6 +49,8 @@ type PackageInsights struct {
 	GitlabciConfigs        []GitlabciConfig        `json:"gitlabci_configs"`
 	AzurePipelines         []AzurePipeline         `json:"azure_pipelines"`
 	PipelineAsCodeTekton   []PipelineAsCodeTekton  `json:"pipeline_as_code_tekton"`
+
+	FindingsResults results.FindingsResult `json:"-"`
 }
 
 func (p *PackageInsights) GetSourceGitRepoURI() string {