gh-gei/src/Octoshift/Services/DependabotAlertService.cs at 2daaaba72d498c3287c054260ba9a06ce4bb3128 · github/gh-gei · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Octoshift.Models;
using OctoshiftCLI.Models;

namespace OctoshiftCLI.Services;

public class DependabotAlertService
{
    private readonly GithubApi _sourceGithubApi;
    private readonly GithubApi _targetGithubApi;
    private readonly OctoLogger _log;

    public DependabotAlertService(GithubApi sourceGithubApi, GithubApi targetGithubApi, OctoLogger octoLogger)
    {
        _sourceGithubApi = sourceGithubApi;
        _targetGithubApi = targetGithubApi;
        _log = octoLogger;
    }

    public virtual async Task MigrateDependabotAlerts(string sourceOrg, string sourceRepo, string targetOrg,
        string targetRepo, bool dryRun)
    {
        _log.LogInformation($"Migrating Dependabot Alerts from '{sourceOrg}/{sourceRepo}' to '{targetOrg}/{targetRepo}'");

        var sourceAlerts = (await _sourceGithubApi.GetDependabotAlertsForRepository(sourceOrg, sourceRepo)).ToList();

        // no reason to call the target on a dry run - there will be no alerts
        var targetAlerts = dryRun ?
            [] :
            (await _targetGithubApi.GetDependabotAlertsForRepository(targetOrg, targetRepo)).ToList();

        var successCount = 0;
        var skippedCount = 0;
        var notFoundCount = 0;

        _log.LogInformation($"Found {sourceAlerts.Count} source and {targetAlerts.Count} target alerts. Starting migration of alert states...");

        foreach (var sourceAlert in sourceAlerts)
        {
            if (!DependabotAlertState.IsOpenOrDismissed(sourceAlert.State))
            {
                _log.LogInformation($"  skipping alert {sourceAlert.Number} ({sourceAlert.Url}) because state '{sourceAlert.State}' is not migratable.");
                skippedCount++;
                continue;
            }

            if (dryRun)
            {
                _log.LogInformation($"  running in dry-run mode. Would have tried to find target alert for {sourceAlert.Number} ({sourceAlert.Url}) and set state '{sourceAlert.State}'");
                successCount++;
                // No sense in continuing here, because we don't have the target alert as it is not migrated in dryRun mode
                continue;
            }

            var matchingTargetAlert = FindMatchingTargetAlert(targetAlerts, sourceAlert);

            if (matchingTargetAlert == null)
            {
                _log.LogError($"  could not find a target alert for {sourceAlert.Number} ({sourceAlert.Url}).");
                notFoundCount++;
                continue;
            }

            if (matchingTargetAlert.State == sourceAlert.State)
            {
                _log.LogInformation("  skipping alert because target alert already has the same state.");
                skippedCount++;
                continue;
            }

            _log.LogVerbose($"Setting Status {sourceAlert.State} for target alert {matchingTargetAlert.Number} ({matchingTargetAlert.Url})");
            await _targetGithubApi.UpdateDependabotAlert(
                targetOrg,
                targetRepo,
                matchingTargetAlert.Number,
                sourceAlert.State,
                sourceAlert.DismissedReason,
                sourceAlert.DismissedComment
                );
            successCount++;
        }

        _log.LogInformation($"Dependabot Alerts done!\nStatus of {sourceAlerts.Count} Alerts:\n  Success: {successCount}\n  Skipped (status not migratable or already matches): {skippedCount}\n  No matching target found (see logs): {notFoundCount}.");

        if (notFoundCount > 0)
        {
            throw new OctoshiftCliException("Migration of Dependabot Alerts failed.");
        }
    }

    private DependabotAlert FindMatchingTargetAlert(List<DependabotAlert> targetAlerts, DependabotAlert sourceAlert)
    {
        // Try to match based on the security advisory GHSA ID and package name
        var matchingAlert = targetAlerts.FirstOrDefault(targetAlert =>
            targetAlert.SecurityAdvisory?.GhsaId == sourceAlert.SecurityAdvisory?.GhsaId &&
            targetAlert.Dependency?.Package == sourceAlert.Dependency?.Package &&
            targetAlert.Dependency?.Manifest == sourceAlert.Dependency?.Manifest);

        if (matchingAlert != null)
        {
            return matchingAlert;
        }

        // Fall back to matching by CVE ID if GHSA ID doesn't match
        return targetAlerts.FirstOrDefault(targetAlert =>
            targetAlert.SecurityAdvisory?.CveId == sourceAlert.SecurityAdvisory?.CveId &&
            targetAlert.Dependency?.Package == sourceAlert.Dependency?.Package &&
            targetAlert.Dependency?.Manifest == sourceAlert.Dependency?.Manifest);
    }
}