WIP: enable OSH integration #2
Conversation
@@ -14,6 +14,9 @@ upstream_package_name: polkit | |||
# downstream (Fedora) RPM package name | |||
downstream_package_name: polkit | |||
|
|||
# Enable Open Scan Hub integration | |||
osh_diff_scan_after_copr_build: true |
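Review bot: the `# Enable Open Scan Hub integration` comment placed over `osh_diff_scan_after_copr_build: true` reads as if the key were required for OSH to run, while the discussion below says it is not needed and was added only as a precaution for the prototype. Either extend the comment so that it says the key is optional and is to be dropped before upstreaming, as requested in review, or remove this hunk so that only the change in 41da136 remains.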
I thought it wasn't necessary: https://packit.dev/posts/openscanhub-prototype. Did anything change on their side?
It's indeed not necessary, that was just an extra precaution given the prototype warning (https://packit.dev/docs/configuration#osh_diff_scan_after_copr_build) and also an excuse to not post a completely empty PR :)
But I'll probably drop it before I propose this to upstream, since only 41da136 should be needed.
Empty PRs are better than PRs with a gazillion bugs :-)
only 41da136 should be needed
Makes sense. I didn't notice it's missing upstream.
By the way I opened polkit-org#517 and I wonder if the polkit project has access to that at all? If not I guess it should be possible to create a new project there to get the token.
By the way I opened polkit-org#517 and I wonder if the polkit project has access to that at all? If not I guess it should be possible to create a new project there to get the token.
Given the Coverity project uses even the pre-gitlab URL I have my doubts about that, but maybe someone from the original maintainer team will still be available.
Got it. If all else fails it usually takes a couple of days for Coverity to approve new projects so access to that project isn't critical.
Please put a comment here saying osh_diff_scan_after_copr_build is not mandatory and should be removed in the future (or before merging).
No worries, when I submit the changes to polkit's upstream I'll drop this hunk completely.
Seems to work as expected: https://github.com/systemd-ci-incubator/polkit/pull/2/checks?check_run_id=32919432974
UI for new findings would look something like https://github.com/lbarcziova/ogr/pull/1/checks?check_run_id=32709387417
FWIW @siteshwar I'm not sure if Packit/OSH is interested in that or not but since it's essentially a SAST check it should be possible to add a probe to scorecard by analogy with how Packit itself is detected (ossf/scorecard#1293). This way projects using OSH would get more security points :-) and OSH would be listed there as well making it a bit more visible in general. (I'm not saying it's important or anything like that. It's just something I remembered for no reason)
Otherwise it gets leaked:
[356645.511913] systemd[1]: Stopping polkit.service - Authorization Manager...
[356645.514024] polkitd[15468]: Handling SIGTERM
[356645.514024] polkitd[15468]: Shutting down
[356645.519238] polkitd[15468]: Exiting with code 0
[356645.618456] polkitd[15468]: =================================================================
[356645.618456] polkitd[15468]: ==15468==ERROR: LeakSanitizer: detected memory leaks
[356645.618456] polkitd[15468]: Direct leak of 4000 byte(s) in 50 object(s) allocated from:
[356645.619128] polkitd[15468]: #0 0x0000004a1a33 in malloc (/usr/lib/polkit-1/polkitd+0x4a1a33) (BuildId: a927b98f2ddc1b57773bec4e0f8a537fe46632b1)
[356645.619128] polkitd[15468]: #1 0x7f1b20324039 in g_malloc (/lib64/libglib-2.0.so.0+0x47039) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619128] polkitd[15468]: #2 0x7f1b2033d4d4 in g_slice_alloc (/lib64/libglib-2.0.so.0+0x604d4) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619128] polkitd[15468]: #3 0x7f1b2036b547 in g_variant_iter_new (/lib64/libglib-2.0.so.0+0x8e547) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619128] polkitd[15468]: #4 0x7f1b2036dc5d (/lib64/libglib-2.0.so.0+0x90c5d) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619128] polkitd[15468]: #5 0x7f1b2036d8b7 (/lib64/libglib-2.0.so.0+0x908b7) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619128] polkitd[15468]: #6 0x7f1b2036de0f in g_variant_get_va (/lib64/libglib-2.0.so.0+0x90e0f) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619128] polkitd[15468]: #7 0x7f1b2036df88 in g_variant_get (/lib64/libglib-2.0.so.0+0x90f88) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619128] polkitd[15468]: #8 0x7f1b2067ce85 in polkit_system_bus_name_get_creds_sync /root/polkit/build/../src/polkit/polkitsystembusname.c:542:3
[356645.619128] polkitd[15468]: #9 0x7f1b2067c997 in polkit_system_bus_name_get_process_sync /root/polkit/build/../src/polkit/polkitsystembusname.c:629:8
[356645.619128] polkitd[15468]: #10 0x0000005069af in polkit_backend_session_monitor_get_session_for_subject /root/polkit/build/../src/polkitbackend/polkitbackendsessionmonitor-systemd.c:365:41
[356645.619128] polkitd[15468]: #11 0x0000004f11b5 in polkit_backend_interactive_authority_revoke_temporary_authorization_by_id /root/polkit/build/../src/polkitbackend/polkitbackendinteractiveauthority.c:3567:24
[356645.619128] polkitd[15468]: #12 0x0000004ea2c8 in server_handle_revoke_temporary_authorization_by_id /root/polkit/build/../src/polkitbackend/polkitbackendauthority.c:1292:8
[356645.619128] polkitd[15468]: #13 0x0000004e805c in server_handle_method_call /root/polkit/build/../src/polkitbackend/polkitbackendauthority.c:1346:5
[356645.619128] polkitd[15468]: #14 0x7f1b20565195 (/lib64/libgio-2.0.so.0+0xd9195) (BuildId: d06dc1cc6f8ddbb3cda89ef05ecf83d6fe037ae7)
[356645.619332] polkitd[15468]: #15 0x7f1b20323e5c (/lib64/libglib-2.0.so.0+0x46e5c) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619332] polkitd[15468]: #16 0x7f1b2031d60b (/lib64/libglib-2.0.so.0+0x4060b) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619332] polkitd[15468]: #17 0x7f1b2037db37 (/lib64/libglib-2.0.so.0+0xa0b37) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619332] polkitd[15468]: #18 0x7f1b203236f6 in g_main_loop_run (/lib64/libglib-2.0.so.0+0x466f6) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[356645.619332] polkitd[15468]: #19 0x0000004e3619 in main /root/polkit/build/../src/polkitbackend/polkitd.c:298:3
[356645.619332] polkitd[15468]: #20 0x7f1b1fe59447 in __libc_start_call_main (/lib64/libc.so.6+0x3447) (BuildId: f3ac204eaa4ceed81438c80e80998209f828bb1a)
[356645.619332] polkitd[15468]: #21 0x7f1b1fe5950a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x350a) (BuildId: f3ac204eaa4ceed81438c80e80998209f828bb1a)
[356645.619332] polkitd[15468]: #22 0x000000401c04 in _start (/usr/lib/polkit-1/polkitd+0x401c04) (BuildId: a927b98f2ddc1b57773bec4e0f8a537fe46632b1)
...
Follow-up for 8cabb11.

[357268.621800] systemd[1]: Stopping polkit.service - Authorization Manager...
[357268.623321] polkitd[15601]: Handling SIGTERM
[357268.623321] polkitd[15601]: Shutting down
[357268.629022] polkitd[15601]: Exiting with code 0
[357268.748206] polkitd[15601]: =================================================================
[357268.748455] polkitd[15601]: ==15601==ERROR: LeakSanitizer: detected memory leaks
[357268.748455] polkitd[15601]: Direct leak of 48 byte(s) in 3 object(s) allocated from:
[357268.749382] polkitd[15601]: #0 0x0000004a1a33 in malloc (/usr/lib/polkit-1/polkitd+0x4a1a33) (BuildId: a927b98f2ddc1b57773bec4e0f8a537fe46632b1)
[357268.749382] polkitd[15601]: #1 0x7fe21ebe5039 in g_malloc (/lib64/libglib-2.0.so.0+0x47039) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[357268.749382] polkitd[15601]: #2 0x7fe21ebfe4d4 in g_slice_alloc (/lib64/libglib-2.0.so.0+0x604d4) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[357268.749382] polkitd[15601]: #3 0x7fe21ebfe5c4 in g_slice_alloc0 (/lib64/libglib-2.0.so.0+0x605c4) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[357268.749382] polkitd[15601]: #4 0x7fe21ebc6910 (/lib64/libglib-2.0.so.0+0x28910) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[357268.749382] polkitd[15601]: #5 0x7fe21ebc70a4 in g_error_new_valist (/lib64/libglib-2.0.so.0+0x290a4) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[357268.749382] polkitd[15601]: #6 0x7fe21ebc72e0 in g_set_error (/lib64/libglib-2.0.so.0+0x292e0) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[357268.749382] polkitd[15601]: #7 0x7fe21ee50b52 (/lib64/libgio-2.0.so.0+0x103b52) (BuildId: d06dc1cc6f8ddbb3cda89ef05ecf83d6fe037ae7)
[357268.749382] polkitd[15601]: #8 0x000000508a88 in ensure_all_files /root/polkit/build/../src/polkitbackend/polkitbackendactionpool.c:572:18
[357268.749382] polkitd[15601]: #9 0x0000005097c1 in polkit_backend_action_pool_get_all_actions /root/polkit/build/../src/polkitbackend/polkitbackendactionpool.c:456:3
[357268.749382] polkitd[15601]: #10 0x0000004e80fd in server_handle_enumerate_actions /root/polkit/build/../src/polkitbackend/polkitbackendauthority.c:689:13
[357268.749382] polkitd[15601]: #11 0x0000004e80fd in server_handle_method_call /root/polkit/build/../src/polkitbackend/polkitbackendauthority.c:1326:5
[357268.749382] polkitd[15601]: #12 0x7fe21ee26195 (/lib64/libgio-2.0.so.0+0xd9195) (BuildId: d06dc1cc6f8ddbb3cda89ef05ecf83d6fe037ae7)
[357268.749382] polkitd[15601]: #13 0x7fe21ebe4e5c (/lib64/libglib-2.0.so.0+0x46e5c) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[357268.749382] polkitd[15601]: #14 0x7fe21ebde60b (/lib64/libglib-2.0.so.0+0x4060b) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[357268.749382] polkitd[15601]: #15 0x7fe21ec3eb37 (/lib64/libglib-2.0.so.0+0xa0b37) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[357268.749382] polkitd[15601]: #16 0x7fe21ebe46f6 in g_main_loop_run (/lib64/libglib-2.0.so.0+0x466f6) (BuildId: c18bb9dc5295ff894f6098fa33e9ba39341c5bc1)
[357268.749797] polkitd[15601]: #17 0x0000004e3619 in main /root/polkit/build/../src/polkitbackend/polkitd.c:298:3
[357268.749797] polkitd[15601]: #18 0x7fe21e71a447 in __libc_start_call_main (/lib64/libc.so.6+0x3447) (BuildId: f3ac204eaa4ceed81438c80e80998209f828bb1a)
[357268.749797] polkitd[15601]: #19 0x7fe21e71a50a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x350a) (BuildId: f3ac204eaa4ceed81438c80e80998209f828bb1a)
[357268.749797] polkitd[15601]: #20 0x000000401c04 in _start (/usr/lib/polkit-1/polkitd+0x401c04) (BuildId: a927b98f2ddc1b57773bec4e0f8a537fe46632b1)
Follow-up for 9958c25.
No description provided.