Add resolver that generates lockfile patch GitHub PRs

.yarnrc.yml

@@ -50,6 +50,11 @@ packageExtensions:
       querystring: "*"
       url: "*"
       util: "*"
+  "@types/npm-registry-fetch@^8.0.4":
+    dependencies:
+      "@types/node-fetch": "*"
+      "node-fetch": "*"
+
   "@types/serve-static@*":
     dependencies:
       mime: "*"

lunatrace/bsl/backend/package.json

@@ -26,7 +26,7 @@
     "generate:hasura-calls": "graphql-codegen --config codegen.hasura.yml",
     "generate:custom-calls": "graphql-codegen --config codegen.lunatrace-custom.yml",
     "generate:github-calls": "graphql-codegen --config codegen.github.yml",
-    "generate": "yarn run generate:github-calls && yarn run generate:hasura-calls && yarn run generate:custom-calls",
+    "generate": "echo 'Parallel running:' && echo github\nhasura\ncustom | xargs -I% -n 1 -P 5 sh -c 'echo \"  yarn run generate:%-calls\" & yarn run generate:%-calls'",
     "dev:graphql:watch": "yarn run generate:hasura-calls && watch 'yarn run generate:hasura-calls' ./src/hasura-api/graphql",
     "compile": "tsc -p tsconfig.json && cp src/graphql-yoga/schema.graphql build/graphql-yoga/schema.graphql",
     "compile:watch": "tsc -p tsconfig.json -w",
@@ -52,6 +52,7 @@
     "@jest/globals": "~28.1.3",
     "@lunatrace/logger": "workspace:~",
     "@lunatrace/lunatrace-common": "workspace:~",
+    "@lunatrace/npm-package-cli": "workspace:~",
     "@octokit/auth-app": "^3.6.1",
     "@octokit/graphql": "^4.8.0",
     "@octokit/plugin-rest-endpoint-methods": "^5.13.0",
@@ -85,7 +86,6 @@
     "markdown-table": "2.0.0",
     "minimatch": "~5.1.2",
     "murmurhash-native": "^3.5.0",
-    "node-fetch": "2",
     "nodemon": "^2.0.15",
     "octokit": "^1.7.1",
     "pg": "^8.7.1",

lunatrace/bsl/backend/src/graphql-yoga/helpers/auth-helpers.ts

@@ -51,19 +51,16 @@ export function getUserId(ctx: Context, kratos_id_instead = false): string {
   return userId;
 }
 
-export async function checkProjectIsAuthorized(projectId: string, ctx: Context): Promise<void> {
-  const identityId = getUserId(ctx, true);
-  const usersAuthorizedProjects = await hasura.GetUsersProjects({ user_id: identityId });
-  const userIsAuthorized = usersAuthorizedProjects.projects.some((p) => {
-    return p.id === projectId;
-  });
-  if (!userIsAuthorized) {
+export async function checkProjectIsAuthorizedOrThrow(projectId: string, ctx: Context): Promise<void> {
+  const identityId = getUserId(ctx);
+  const project = await hasura.GetUserProjectFromProjectId({ project_id: projectId, user_id: identityId });
+  if (project.projects.length === 0) {
     throw new GraphQLYogaError('Not authorized for this project');
   }
   return;
 }
 
-export async function checkBuildsAreAuthorized(buildIds: string[], ctx: Context): Promise<void> {
+export async function checkBuildsAreAuthorizedOrThrow(buildIds: string[], ctx: Context): Promise<void> {
   const userId = getUserId(ctx);
   const existingBuildsRes = await hasura.GetUsersBuilds({ build_ids: buildIds, user_id: userId });
   if (!existingBuildsRes.builds) {

lunatrace/bsl/backend/src/graphql-yoga/resolvers/create-pull-request-for-vulnerability.ts

@@ -0,0 +1,142 @@
+/*
+ * Copyright by LunaSec (owned by Refinery Labs, Inc)
+ *
+ * Licensed under the Business Source License v1.1
+ * (the "License"); you may not use this file except in compliance with the
+ * License. You may obtain a copy of the License at
+ *
+ * https://github.com/lunasec-io/lunasec/blob/master/licenses/BSL-LunaTrace.txt
+ *
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+import { GraphQLYogaError } from '@graphql-yoga/node';
+import {
+  PullRequestOctokit,
+  replacePackageAndFileGitHubPullRequest,
+} from '@lunatrace/npm-package-cli/src/package/github-pr';
+
+import { getInstallationAccessToken } from '../../github/auth';
+import { hasura } from '../../hasura-api';
+import { log } from '../../utils/log';
+import { MutationResolvers } from '../generated-resolver-types';
+import { checkProjectIsAuthorizedOrThrow, isAuthenticated } from '../helpers/auth-helpers';
+
+type CreatePullRequestForVulnerabilityType = NonNullable<MutationResolvers['createPullRequestForVulnerability']>;
+
+function splitGitHubRepoPath(gitHubRepo: string) {
+  const split = gitHubRepo.split('/');
+  const owner = split[split.length - 2];
+  const repo = split[split.length - 1].replace('.git', '');
+  return { owner, repo };
+}
+
+/**
+ * Installs the repos the user selected in the GUIG
+ */
+export const createPullRequestForVulnerabilityResolver: CreatePullRequestForVulnerabilityType = async (
+  parent,
+  args,
+  ctx,
+  _info
+) => {
+  try {
+    if (!isAuthenticated(ctx)) {
+      log.warn('No parsed JWT claims with a user ID on route that required authorization, throwing a graphql error');
+      throw new GraphQLYogaError('Unauthorized');
+    }
+
+    const vulnerabilityId = args.vulnerability_id;
+    if (!vulnerabilityId) {
+      throw new GraphQLYogaError('No vulnerability id provided');
+    }
+
+    const projectId = args.project_id;
+    if (!projectId) {
+      throw new GraphQLYogaError('No project id provided');
+    }
+
+    const oldPackageSlug = args.old_package_slug;
+    if (!oldPackageSlug) {
+      throw new GraphQLYogaError('No old package slug provided');
+    }
+
+    const newPackageSlug = args.new_package_slug;
+    if (!newPackageSlug) {
+      throw new GraphQLYogaError('No new package slug provided');
+    }
+
+    const packageManifestPath = args.package_manifest_path;
+    if (!packageManifestPath) {
+      throw new GraphQLYogaError('No package manifest path provided');
+    }
+
+    // Strips out the actual package.json/yarn.lock/package-lock.json from the path since we just need the folder.
+    const normalizedPackageManifestPath = packageManifestPath
+      .replace(/package\.json$/, '')
+      .replace(/yarn\.lock$/, '')
+      .replace(/package-lock\.json$/, '');
+
+    await checkProjectIsAuthorizedOrThrow(projectId, ctx);
+
+    const installationIdResult = await hasura.GetGitHubInstallationIdFromProjectId({
+      project_id: projectId,
+    });
+
+    if (installationIdResult.projects.length === 0) {
+      throw new GraphQLYogaError('No project found when fetching installation id');
+    }
+
+    const installationId = installationIdResult.projects[0].organization?.installation_id;
+
+    if (!installationId) {
+      throw new GraphQLYogaError('No installation id found for project');
+    }
+
+    const githubRepo = installationIdResult.projects[0].github_repository?.git_url;
+
+    if (!githubRepo) {
+      throw new GraphQLYogaError('No github repo found for project');
+    }
+
+    const { owner, repo } = splitGitHubRepoPath(githubRepo);
+
+    const installationAccessTokenRes = await getInstallationAccessToken(installationId);
+    if (installationAccessTokenRes.error) {
+      log.error('Failed to fetch installation access token', { installationAccessTokenRes });
+      throw new Error('Error fetching installation access token');
+    }
+
+    const installationAccessToken = installationAccessTokenRes.res;
+
+    const octokit = new PullRequestOctokit({
+      auth: installationAccessToken,
+    });
+
+    const pullRequestResult = await replacePackageAndFileGitHubPullRequest(
+      octokit,
+      owner,
+      repo,
+      normalizedPackageManifestPath,
+      // TODO: Make this less hacky and brittle
+      packageManifestPath.endsWith('package-lock.json') ? 'npm' : 'yarn',
+      oldPackageSlug,
+      newPackageSlug
+    );
+
+    // TODO: Actually implement this endpoint instead of this stub
+    return {
+      success: true,
+      pullRequestUrl: pullRequestResult.pullRequestUrl,
+    };
+  } catch (error) {
+    // TODO: temporary error handler until i figure out how to deal with global errors in yoga which seems maybe impossible
+    if (error instanceof GraphQLYogaError) {
+      log.warn('handled graphql yoga error, returning error to client', { error });
+    } else {
+      log.error('UNKNOWN ERROR IN GRAPHQL RESOLVER', { e: error });
+    }
+    throw error;
+  }
+};

lunatrace/bsl/backend/src/graphql-yoga/resolvers/index.ts

@@ -17,6 +17,7 @@ import { Resolvers } from '../generated-resolver-types';
 
 import { authenticatedRepoCloneUrlResolver } from './authenticated-repo-clone-url';
 import { availableOrgsWithReposResolver } from './available-repos';
+import { createPullRequestForVulnerabilityResolver } from './create-pull-request-for-vulnerability';
 import { installSelectedReposResolver } from './install-selected-repos';
 import { presignManifestUploadResolver } from './presign-manifest-upload';
 import { presignSbomUploadResolver } from './presign-sbom-upload';
@@ -34,6 +35,7 @@ export const resolvers: Resolvers = {
   Mutation: {
     presignManifestUpload: presignManifestUploadResolver,
     installSelectedRepos: installSelectedReposResolver,
+    createPullRequestForVulnerability: createPullRequestForVulnerabilityResolver,
   },
   uuid: GraphQLUUID,
   jsonb: GraphQLJSON,

lunatrace/bsl/backend/src/graphql-yoga/resolvers/presign-manifest-upload.ts

@@ -17,7 +17,7 @@ import { v4 as uuid } from 'uuid';
 import { getBackendBucketConfig } from '../../config';
 import { aws } from '../../utils/aws-utils';
 import { MutationResolvers } from '../generated-resolver-types';
-import { checkProjectIsAuthorized, throwIfUnauthenticated } from '../helpers/auth-helpers';
+import { checkProjectIsAuthorizedOrThrow, throwIfUnauthenticated } from '../helpers/auth-helpers';
 
 type PresignManifestUploadResolver = NonNullable<MutationResolvers['presignManifestUpload']>;
 
@@ -26,7 +26,7 @@ const sbomHandlerConfig = getBackendBucketConfig();
 export const presignManifestUploadResolver: PresignManifestUploadResolver = async (parent, args, ctx, info) => {
   throwIfUnauthenticated(ctx);
   const projectId = args.project_id;
-  await checkProjectIsAuthorized(projectId, ctx);
+  await checkProjectIsAuthorizedOrThrow(projectId, ctx);
   const today = new Date();
   const uniqueId = uuid();
 

lunatrace/bsl/backend/src/graphql-yoga/resolvers/sbom-url.ts

@@ -18,14 +18,14 @@ import { hasura } from '../../hasura-api';
 import { aws } from '../../utils/aws-utils';
 import { log } from '../../utils/log';
 import { QueryResolvers } from '../generated-resolver-types';
-import { checkProjectIsAuthorized, throwIfUnauthenticated } from '../helpers/auth-helpers';
+import { checkProjectIsAuthorizedOrThrow, throwIfUnauthenticated } from '../helpers/auth-helpers';
 
 type sbomUrlResolverT = NonNullable<QueryResolvers['sbomUrl']>;
 
 export const sbomUrlResolver: sbomUrlResolverT = async (parent, args, ctx, info) => {
   throwIfUnauthenticated(ctx);
   const build = await hasura.GetBuild({ build_id: args.buildId });
-  await checkProjectIsAuthorized(build.builds_by_pk?.project?.id, ctx);
+  await checkProjectIsAuthorizedOrThrow(build.builds_by_pk?.project?.id, ctx);
 
   try {
     return formatUrl(await aws.signArbitraryS3URL(build.builds_by_pk?.s3_url || '', 'GET'));

lunatrace/bsl/backend/src/graphql-yoga/resolvers/vulnerable-releases-from-build.ts

@@ -17,14 +17,14 @@ import { SeverityNamesOsv, severityOrderOsv } from '@lunatrace/lunatrace-common'
 import { loadTree } from '../../models/vulnerability-dependency-tree/load-tree';
 import { log } from '../../utils/log';
 import { QueryResolvers } from '../generated-resolver-types';
-import { checkBuildsAreAuthorized, throwIfUnauthenticated } from '../helpers/auth-helpers';
+import { checkBuildsAreAuthorizedOrThrow, throwIfUnauthenticated } from '../helpers/auth-helpers';
 
 type BuildVulnerabilitiesResolver = NonNullable<QueryResolvers['vulnerableReleasesFromBuild']>;
 
 export const vulnerableReleasesFromBuildResolver: BuildVulnerabilitiesResolver = async (parent, args, ctx, info) => {
   throwIfUnauthenticated(ctx);
   const buildId = args.buildId;
-  await checkBuildsAreAuthorized([buildId], ctx);
+  await checkBuildsAreAuthorizedOrThrow([buildId], ctx);
 
   const logger = log.child('vulnerable-releases-resolver', { buildId });
 

lunatrace/bsl/backend/src/graphql-yoga/schema.graphql

@@ -26,6 +26,14 @@ type Mutation {
     installSelectedRepos(
         orgs: [OrgsWithReposInput!]!
     ): InstallSelectedReposResponse
+    createPullRequestForVulnerability(
+        project_id: uuid!
+        vulnerability_id: uuid!
+        """ We could pull this data from the database, probably, but it's easier to pass it in from the Frontend """
+        old_package_slug: String!
+        new_package_slug: String!
+        package_manifest_path: String!
+    ): CreatePullRequestForVulnerabilityResponse
 }
 
 input OrgsWithReposInput {
@@ -37,6 +45,11 @@ type InstallSelectedReposResponse {
     success: Boolean
 }
 
+type CreatePullRequestForVulnerabilityResponse {
+    success: Boolean
+    pullRequestUrl: String!
+}
+
 input SbomUploadUrlInput {
     orgId: uuid!
     projectId: uuid!