This repository has been archived by the owner on Mar 4, 2020. It is now read-only.
chore: cache results of vulnerability scans #621
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| import * as fs from 'fs' | ||
| import { task } from 'gulp' | ||
| import * as path from 'path' | ||
| import debug from 'debug' | ||
|
|
||
| import config from '../../../config' | ||
| import sh from '../sh' | ||
|
|
||
| const { paths } = config | ||
|
|
||
| const SCAN_RESULTS_DIR_NAME = '.vuln-scans' | ||
|
|
||
| const log = message => debug.log(message) | ||
| log.success = message => debug.log(`✔ ${message}`) | ||
|
|
||
| const ensureDirExists = path => { | ||
| if (!fs.existsSync(path)) { | ||
| sh(`mkdir -p ${path}`) | ||
|
There was a problem hiding this comment.
There was a problem hiding this comment. for that we need Node LTS v10 (and this is, actually, the step we should make). Agreed to defer it to the follow-up PR, to be absolutely sure that all the necessary accompanying adjustments to the code will be made |
||
| } | ||
| } | ||
|
|
||
| const getScanResultsDirPath = () => { | ||
| return paths.base(SCAN_RESULTS_DIR_NAME) | ||
| } | ||
|
There was a problem hiding this comment. Do we actually need it? As I see it can be a simple variable |
||
|
|
||
| const getTodayScanFilePath = () => { | ||
| const now = new Date() | ||
|
|
||
| const fileName = `snyk-scanned-${now.getUTCFullYear()}-${now.getUTCMonth() + | ||
| 1}-${now.getUTCDate()}` | ||
|
There was a problem hiding this comment. Can we split this to multiple variables? To avoid multiline there |
||
|
|
||
| return path.resolve(getScanResultsDirPath(), fileName) | ||
| } | ||
|
|
||
| const recentlyChecked = () => { | ||
| const recentCheckFilePath = getTodayScanFilePath() | ||
| return fs.existsSync(recentCheckFilePath) | ||
| } | ||
|
|
||
| const registerRecentSucessfulScan = async () => { | ||
| ensureDirExists(getScanResultsDirPath()) | ||
|
|
||
| const recentScanFilePath = getTodayScanFilePath() | ||
| await sh(`touch ${recentScanFilePath}`) | ||
| } | ||
|
|
||
| /** | ||
| * The following strategy is used to perform vulnerabilites scan | ||
| * - check if there is marker of recent sucessful scan | ||
| * - if this marker exists, skip checks | ||
| * - if there is no marker, perform check | ||
| * - if check is successful, create successful check marker | ||
| */ | ||
| task('test:vulns', async () => { | ||
| if (recentlyChecked()) { | ||
| log.success('Vulnerabilities check was already performed recently, skipping..') | ||
| return | ||
| } | ||
|
|
||
| log('Scanning dependency packages for vulnerabilities..') | ||
| await sh(`yarn snyk test`) | ||
| log.success('Vulnerability scan is successfully passed.') | ||
|
|
||
| registerRecentSucessfulScan() | ||
| }) | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it okay that we restoring a cache with a key without the
epochvariable?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is necessary because otherwise Circle CI won't update the cache entry if it has existed before (this is its feature). To avoid this 'rewrite ban' the following strategy was suggested: https://discuss.circleci.com/t/add-mechanism-to-update-existing-cache-key/9014/12
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As we discussed, please add a small comment with this link before the
keyline 👍There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agreed to introduce comment for that