// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package secrets provides an Enricher that runs the Secrets produced by the
// Veles Extractor through Veles Validators and records the outcome on each
// Secret.
package secrets

import (
	"context"
	"time"

	"github.com/google/osv-scalibr/enricher"
	"github.com/google/osv-scalibr/inventory"
	"github.com/google/osv-scalibr/plugin"
	"github.com/google/osv-scalibr/veles"
)

const (
	// Name is the unique name of this Enricher.
	Name = "secrets/velesvalidate"

	// version is the Enricher's plugin version, reported by Version().
	version = 1
)

// Compile-time check that *Enricher satisfies enricher.Enricher.
var _ enricher.Enricher = &Enricher{}

// Enricher validates Secrets found by Veles by delegating to a Veles
// ValidationEngine.
type Enricher struct {
	// engine performs the actual validation; it is set by NewWithEngine and
	// extended with AddValidator.
	engine *veles.ValidationEngine
}

// AddValidator registers v on e's underlying ValidationEngine as the Validator
// for Secret type S.
//
// The returned bool reports whether a Validator for S was already registered
// and has now been replaced.
func AddValidator[S veles.Secret](e *Enricher, v veles.Validator[S]) bool {
	replaced := veles.AddValidator(e.engine, v)
	return replaced
}

// NewWithEngine returns an Enricher backed by the given Veles ValidationEngine.
// The engine is stored as-is; no Validators are added here.
func NewWithEngine(engine *veles.ValidationEngine) enricher.Enricher {
	e := Enricher{engine: engine}
	return &e
}

// Name returns the unique name of this Enricher.
func (Enricher) Name() string {
	return Name
}

// Version returns the plugin version of this Enricher.
func (Enricher) Version() int {
	return version
}

// Requirements reports the capabilities this Enricher needs from the host.
// Validating Secrets requires network access, so it declares
// plugin.NetworkOnline.
func (Enricher) Requirements() *plugin.Capabilities {
	caps := &plugin.Capabilities{}
	caps.Network = plugin.NetworkOnline
	return caps
}

// RequiredPlugins lists the plugins that must be enabled for this Enricher to
// run. It returns an empty, non-nil list: the Enricher consumes the Secrets
// that the filesystem/secrets Extractor produces, but does not hard-depend on
// that Extractor being enabled.
func (Enricher) RequiredPlugins() []string {
	none := make([]string, 0)
	return none
}

// Enrich runs every Secret in inv through the Enricher's ValidationEngine and
// stores the result on the Secret itself.
//
// A failed validation is not returned from Enrich: it is recorded in the
// Secret's Validation.Err, so one unreachable or misbehaving Validator does
// not stop the remaining Secrets from being checked. The only error Enrich
// returns is ctx's own error (cancellation or deadline), checked before each
// Secret so an in-flight scan stops promptly.
//
// inv must be non-nil (inv.Secrets is dereferenced unconditionally), and
// e.engine must have been set via NewWithEngine.
//
// NOTE(review): validation presumably contacts the credential's issuer over the
// network (see Requirements), meaning the secret material leaves the scanned
// host; confirm against the Validators registered on the engine before running
// this Enricher in environments where that is not acceptable.
func (e *Enricher) Enrich(ctx context.Context, _ *enricher.ScanInput, inv *inventory.Inventory) error {
	for i := range inv.Secrets {
		// Bail out early on a cancelled or expired context rather than
		// attempting further (potentially slow, networked) validations.
		if ctxErr := ctx.Err(); ctxErr != nil {
			return ctxErr
		}
		s := inv.Secrets[i]
		status, verr := e.engine.Validate(ctx, s.Secret)
		// The timestamp is taken after validation completes, so At marks
		// when the recorded status was observed.
		result := inventory.SecretValidationResult{
			At:     time.Now(),
			Status: status,
			Err:    verr,
		}
		s.Validation = result
	}
	return nil
}