Merge pull request #1330 from theztefan/fix/secret-scanning-locations-types

Fixes secret scanning alerts migration - locations processing and matching

Author: Arin Ghazarian

RELEASENOTES.md

@@ -1 +1,2 @@
-
+- Improved location matching logic for Secret Scanning alert locations in - `gh gei migrate-secret-alerts`.
+- Fixed a bug in `gh gei migrate-secret-alerts` where alerts with locations of non `commit` and `wiki_commit` type were not matched correctly.

src/Octoshift/Services/GithubApi.cs

@@ -1184,29 +1184,31 @@ private static GithubSecretScanningAlert BuildSecretScanningAlert(JToken secretA
             Secret = (string)secretAlert["secret"],
         };
 
-    private static GithubSecretScanningAlertLocation BuildSecretScanningAlertLocation(JToken alertLocation) =>
-        new()
+    private static GithubSecretScanningAlertLocation BuildSecretScanningAlertLocation(JToken alertLocation)
+    {
+        var details = alertLocation["details"];
+        return new GithubSecretScanningAlertLocation
         {
             LocationType = (string)alertLocation["type"],
-            Path = (string)alertLocation["details"]["path"],
-            StartLine = (int)alertLocation["details"]["start_line"],
-            EndLine = (int)alertLocation["details"]["end_line"],
-            StartColumn = (int)alertLocation["details"]["start_column"],
-            EndColumn = (int)alertLocation["details"]["end_column"],
-            BlobSha = (string)alertLocation["details"]["blob_sha"],
-            IssueTitleUrl = (string)alertLocation["details"]["issue_title_url"],
-            IssueBodyUrl = (string)alertLocation["details"]["issue_body_url"],
-            IssueCommentUrl = (string)alertLocation["details"]["issue_comment_url"],
-            DiscussionTitleUrl = (string)alertLocation["details"]["discussion_title_url"],
-            DiscussionBodyUrl = (string)alertLocation["details"]["discussion_body_url"],
-            DiscussionCommentUrl = (string)alertLocation["details"]["discussion_comment_url"],
-            PullRequestTitleUrl = (string)alertLocation["details"]["pull_request_title_url"],
-            PullRequestBodyUrl = (string)alertLocation["details"]["pull_request_body_url"],
-            PullRequestCommentUrl = (string)alertLocation["details"]["pull_request_comment_url"],
-            PullRequestReviewUrl = (string)alertLocation["details"]["pull_request_review_url"],
-            PullRequestReviewCommentUrl = (string)alertLocation["details"]["pull_request_review_comment_url"],
+            Path = (string)details["path"],
+            StartLine = (int?)details["start_line"] ?? 0,
+            EndLine = (int?)details["end_line"] ?? 0,
+            StartColumn = (int?)details["start_column"] ?? 0,
+            EndColumn = (int?)details["end_column"] ?? 0,
+            BlobSha = (string)details["blob_sha"],
+            IssueTitleUrl = (string)details["issue_title_url"],
+            IssueBodyUrl = (string)details["issue_body_url"],
+            IssueCommentUrl = (string)details["issue_comment_url"],
+            DiscussionTitleUrl = (string)details["discussion_title_url"],
+            DiscussionBodyUrl = (string)details["discussion_body_url"],
+            DiscussionCommentUrl = (string)details["discussion_comment_url"],
+            PullRequestTitleUrl = (string)details["pull_request_title_url"],
+            PullRequestBodyUrl = (string)details["pull_request_body_url"],
+            PullRequestCommentUrl = (string)details["pull_request_comment_url"],
+            PullRequestReviewUrl = (string)details["pull_request_review_url"],
+            PullRequestReviewCommentUrl = (string)details["pull_request_review_comment_url"],
         };
-
+    }
     private static CodeScanningAnalysis BuildCodeScanningAnalysis(JToken codescan) =>
         new()
         {

src/Octoshift/Services/SecretScanningAlertService.cs

@@ -2,6 +2,7 @@
 using System.Linq;
 using System.Threading.Tasks;
 using Octoshift.Models;
+using OctoshiftCLI.Extensions;
 
 namespace OctoshiftCLI.Services;
 
@@ -108,7 +109,7 @@ private bool IsLocationMatched(GithubSecretScanningAlertLocation sourceLocation,
     // Check if the locations of the source and target alerts match exactly
     // We compare the type of location and the corresponding fields based on the type
     // Each type has different fields that need to be compared for equality so we use a switch statement
-    // Note: Discussions are commented out as we don't miggate them currently
+    // Note: Discussions are commented out as we don't migrate them currently
     [System.Diagnostics.CodeAnalysis.SuppressMessage("Style", "IDE0075: Conditional expression can be simplified", Justification = "Want to keep guard for better performance.")]
     private bool AreLocationsEqual(GithubSecretScanningAlertLocation sourceLocation, GithubSecretScanningAlertLocation targetLocation)
     {
@@ -122,15 +123,9 @@ private bool AreLocationsEqual(GithubSecretScanningAlertLocation sourceLocation,
                                             sourceLocation.StartColumn == targetLocation.StartColumn &&
                                             sourceLocation.EndColumn == targetLocation.EndColumn &&
                                             sourceLocation.BlobSha == targetLocation.BlobSha,
-                "issue_title" => sourceLocation.IssueTitleUrl == targetLocation.IssueTitleUrl,
-                "issue_body" => sourceLocation.IssueBodyUrl == targetLocation.IssueBodyUrl,
-                "issue_comment" => sourceLocation.IssueCommentUrl == targetLocation.IssueCommentUrl,
-                "pull_request_title" => sourceLocation.PullRequestTitleUrl == targetLocation.PullRequestTitleUrl,
-                "pull_request_body" => sourceLocation.PullRequestBodyUrl == targetLocation.PullRequestBodyUrl,
-                "pull_request_comment" => sourceLocation.PullRequestCommentUrl == targetLocation.PullRequestCommentUrl,
-                "pull_request_review" => sourceLocation.PullRequestReviewUrl == targetLocation.PullRequestReviewUrl,
-                "pull_request_review_comment" => sourceLocation.PullRequestReviewCommentUrl == targetLocation.PullRequestReviewCommentUrl,
-                _ => false
+                // For all other location types, we match on the final path segment of the relevant URL
+                // because the rest of the URL is going to be different between source and target org/repo
+                _ => CompareUrlIds(GetLocationUrl(sourceLocation), GetLocationUrl(targetLocation))
             };
     }
 
@@ -153,6 +148,30 @@ private bool AreLocationsEqual(GithubSecretScanningAlertLocation sourceLocation,
             .GroupBy(alert => (alert.Alert.SecretType, alert.Alert.Secret))
             .ToDictionary(group => group.Key, group => group.ToList());
     }
+
+    // Compares the final segment of an URL which is relevant for the comparison
+    private bool CompareUrlIds(string sourceUrl, string targetUrl)
+    {
+        return sourceUrl.HasValue() && targetUrl.HasValue() && sourceUrl.TrimEnd('/').Split('/').Last()
+            == targetUrl.TrimEnd('/').Split('/').Last();
+    }
+
+    // Get the URL of the location based on its type
+    private string GetLocationUrl(GithubSecretScanningAlertLocation location)
+    {
+        return location.LocationType switch
+        {
+            "issue_title" => location.IssueTitleUrl,
+            "issue_body" => location.IssueBodyUrl,
+            "issue_comment" => location.IssueCommentUrl,
+            "pull_request_title" => location.PullRequestTitleUrl,
+            "pull_request_body" => location.PullRequestBodyUrl,
+            "pull_request_comment" => location.PullRequestCommentUrl,
+            "pull_request_review" => location.PullRequestReviewUrl,
+            "pull_request_review_comment" => location.PullRequestReviewCommentUrl,
+            _ => null
+        };
+    }
 }
 
 internal class AlertWithLocations

src/OctoshiftCLI.Tests/Octoshift/Services/GithubApiTests.cs

@@ -3538,6 +3538,273 @@ await FluentActions
             .ThrowExactlyAsync<ArgumentNullException>();
     }
 
+    [Fact]
+    public async Task GetSecretScanningAlertsLocations_Handles_Missing_Fields_Gracefully()
+    {
+        // Arrange
+        const int alertNumber = 1;
+        var url = $"https://api.github.com/repos/{GITHUB_ORG}/{GITHUB_REPO}/secret-scanning/alerts/{alertNumber}/locations?per_page=100";
+
+        var locationWithMissingFields = $@"
+            {{
+                ""type"": ""commit"",
+                ""details"": {{
+                    ""path"": ""src/index.js"",
+                    ""start_line"": 5,
+                    ""end_line"": 5,
+                    ""blob_sha"": ""2044bb6ccd535142b974776db108c32a19f89e80""
+                    // Missing start_column and end_column
+                }}
+            }}
+        ";
+
+        _githubClientMock
+            .Setup(m => m.GetAllAsync(url, null))
+            .Returns(new[] { JToken.Parse(locationWithMissingFields) }.ToAsyncEnumerable());
+
+        // Act
+        var locations = await _githubApi.GetSecretScanningAlertsLocations(GITHUB_ORG, GITHUB_REPO, alertNumber);
+
+        // Assert
+        locations.Should().HaveCount(1);
+        var location = locations.First();
+        location.Path.Should().Be("src/index.js");
+        location.StartLine.Should().Be(5);
+        location.EndLine.Should().Be(5);
+        location.StartColumn.Should().Be(0);
+        location.EndColumn.Should().Be(0);
+    }
+
+    [Fact]
+    public async Task GetSecretScanningAlertsLocations_Handles_Extra_Fields_Gracefully()
+    {
+        // Arrange
+        const int alertNumber = 1;
+        var url = $"https://api.github.com/repos/{GITHUB_ORG}/{GITHUB_REPO}/secret-scanning/alerts/{alertNumber}/locations?per_page=100";
+
+        var locationWithExtraFields = $@"
+            {{
+                ""type"": ""commit"",
+                ""details"": {{
+                    ""path"": ""src/index.js"",
+                    ""start_line"": 5,
+                    ""end_line"": 5,
+                    ""start_column"": 12,
+                    ""end_column"": 52,
+                    ""blob_sha"": ""2044bb6ccd535142b974776db108c32a19f89e80"",
+                    ""extra_field"": ""extra_value""
+                }}
+            }}
+        ";
+
+        _githubClientMock
+            .Setup(m => m.GetAllAsync(url, null))
+            .Returns(new[] { JToken.Parse(locationWithExtraFields) }.ToAsyncEnumerable());
+
+        // Act
+        var locations = await _githubApi.GetSecretScanningAlertsLocations(GITHUB_ORG, GITHUB_REPO, alertNumber);
+
+        // Assert
+        locations.Should().HaveCount(1);
+        var location = locations.First();
+        location.Path.Should().Be("src/index.js");
+        location.StartLine.Should().Be(5);
+        location.EndLine.Should().Be(5);
+        location.StartColumn.Should().Be(12);
+        location.EndColumn.Should().Be(52);
+    }
+
+    [Fact]
+    public async Task GetSecretScanningAlertsLocations_Handles_Commit_Location()
+    {
+        // Arrange
+        const int alertNumber = 1;
+        var url = $"https://api.github.com/repos/{GITHUB_ORG}/{GITHUB_REPO}/secret-scanning/alerts/{alertNumber}/locations?per_page=100";
+
+        var commitLocation = $@"
+            {{
+                ""type"": ""commit"",
+                ""details"": {{
+                    ""path"": ""storage/src/main/resources/.env"",
+                    ""start_line"": 6,
+                    ""end_line"": 6,
+                    ""start_column"": 17,
+                    ""end_column"": 49,
+                    ""blob_sha"": ""40ecdbab769bc2cb0e4e2114fd6986ae1acc3df2"",
+                    ""blob_url"": ""https://api.github.com/repos/ORG/REPO/git/blobs/40ecdbab769bc2cb0e4e2114fd6986ae1acc3df2"",
+                    ""commit_sha"": ""b350b85436a872ccdc1a0cfa73f59264b8dbf4eb"",
+                    ""commit_url"": ""https://api.github.com/repos/ORG/REPO/git/commits/b350b85436a872ccdc1a0cfa73f59264b8dbf4eb""
+                }}
+            }}
+        ";
+
+        _githubClientMock
+            .Setup(m => m.GetAllAsync(url, null))
+            .Returns(new[] { JToken.Parse(commitLocation) }.ToAsyncEnumerable());
+
+        // Act
+        var locations = await _githubApi.GetSecretScanningAlertsLocations(GITHUB_ORG, GITHUB_REPO, alertNumber);
+
+        // Assert
+        locations.Should().HaveCount(1);
+        var location = locations.First();
+        location.Path.Should().Be("storage/src/main/resources/.env");
+        location.StartLine.Should().Be(6);
+        location.EndLine.Should().Be(6);
+        location.StartColumn.Should().Be(17);
+        location.EndColumn.Should().Be(49);
+    }
+
+    [Fact]
+    public async Task GetSecretScanningAlertsLocations_Handles_Pull_Request_Comment_Location()
+    {
+        // Arrange
+        const int alertNumber = 1;
+        var url = $"https://api.github.com/repos/{GITHUB_ORG}/{GITHUB_REPO}/secret-scanning/alerts/{alertNumber}/locations?per_page=100";
+
+        var prCommentLocation = $@"
+            {{
+                ""type"": ""pull_request_comment"",
+                ""details"": {{
+                    ""pull_request_comment_url"": ""https://api.github.com/repos/ORG/REPO/issues/comments/2758069588""
+                }}
+            }}
+        ";
+
+        _githubClientMock
+            .Setup(m => m.GetAllAsync(url, null))
+            .Returns(new[] { JToken.Parse(prCommentLocation) }.ToAsyncEnumerable());
+
+        // Act
+        var locations = await _githubApi.GetSecretScanningAlertsLocations(GITHUB_ORG, GITHUB_REPO, alertNumber);
+
+        // Assert
+        locations.Should().HaveCount(1);
+        var location = locations.First();
+        location.LocationType.Should().Be("pull_request_comment");
+        location.PullRequestCommentUrl.Should().Be("https://api.github.com/repos/ORG/REPO/issues/comments/2758069588");
+    }
+
+    [Fact]
+    public async Task GetSecretScanningAlertsLocations_Handles_Pull_Request_Body_Location()
+    {
+        // Arrange
+        const int alertNumber = 1;
+        var url = $"https://api.github.com/repos/{GITHUB_ORG}/{GITHUB_REPO}/secret-scanning/alerts/{alertNumber}/locations?per_page=100";
+
+        var prBodyLocation = $@"
+            {{
+                ""type"": ""pull_request_body"",
+                ""details"": {{
+                    ""pull_request_body_url"": ""https://api.github.com/repos/ORG/REPO/pulls/6""
+                }}
+            }}
+        ";
+
+        _githubClientMock
+            .Setup(m => m.GetAllAsync(url, null))
+            .Returns(new[] { JToken.Parse(prBodyLocation) }.ToAsyncEnumerable());
+
+        // Act
+        var locations = await _githubApi.GetSecretScanningAlertsLocations(GITHUB_ORG, GITHUB_REPO, alertNumber);
+
+        // Assert
+        locations.Should().HaveCount(1);
+        var location = locations.First();
+        location.LocationType.Should().Be("pull_request_body");
+        location.PullRequestBodyUrl.Should().Be("https://api.github.com/repos/ORG/REPO/pulls/6");
+    }
+
+    [Fact]
+    public async Task GetSecretScanningAlertsLocations_Handles_Issue_Title_Location()
+    {
+        // Arrange
+        const int alertNumber = 1;
+        var url = $"https://api.github.com/repos/{GITHUB_ORG}/{GITHUB_REPO}/secret-scanning/alerts/{alertNumber}/locations?per_page=100";
+
+        var issueTitleLocation = $@"
+            {{
+                ""type"": ""issue_title"",
+                ""details"": {{
+                    ""issue_title_url"": ""https://api.github.com/repos/ORG/REPO/issues/7""
+                }}
+            }}
+        ";
+
+        _githubClientMock
+            .Setup(m => m.GetAllAsync(url, null))
+            .Returns(new[] { JToken.Parse(issueTitleLocation) }.ToAsyncEnumerable());
+
+        // Act
+        var locations = await _githubApi.GetSecretScanningAlertsLocations(GITHUB_ORG, GITHUB_REPO, alertNumber);
+
+        // Assert
+        locations.Should().HaveCount(1);
+        var location = locations.First();
+        location.LocationType.Should().Be("issue_title");
+        location.IssueTitleUrl.Should().Be("https://api.github.com/repos/ORG/REPO/issues/7");
+    }
+
+    [Fact]
+    public async Task GetSecretScanningAlertsLocations_Handles_Issue_Body_Location()
+    {
+        // Arrange
+        const int alertNumber = 1;
+        var url = $"https://api.github.com/repos/{GITHUB_ORG}/{GITHUB_REPO}/secret-scanning/alerts/{alertNumber}/locations?per_page=100";
+
+        var issueBodyLocation = $@"
+            {{
+                ""type"": ""issue_body"",
+                ""details"": {{
+                    ""issue_body_url"": ""https://api.github.com/repos/ORG/REPO/issues/7""
+                }}
+            }}
+        ";
+
+        _githubClientMock
+            .Setup(m => m.GetAllAsync(url, null))
+            .Returns(new[] { JToken.Parse(issueBodyLocation) }.ToAsyncEnumerable());
+
+        // Act
+        var locations = await _githubApi.GetSecretScanningAlertsLocations(GITHUB_ORG, GITHUB_REPO, alertNumber);
+
+        // Assert
+        locations.Should().HaveCount(1);
+        var location = locations.First();
+        location.LocationType.Should().Be("issue_body");
+        location.IssueBodyUrl.Should().Be("https://api.github.com/repos/ORG/REPO/issues/7");
+    }
+
+    [Fact]
+    public async Task GetSecretScanningAlertsLocations_Handles_Issue_Comment_Location()
+    {
+        // Arrange
+        const int alertNumber = 1;
+        var url = $"https://api.github.com/repos/{GITHUB_ORG}/{GITHUB_REPO}/secret-scanning/alerts/{alertNumber}/locations?per_page=100";
+
+        var issueCommentLocation = $@"
+            {{
+                ""type"": ""issue_comment"",
+                ""details"": {{
+                    ""issue_comment_url"": ""https://api.github.com/repos/ORG/REPO/issues/comments/2758578142""
+                }}
+            }}
+        ";
+
+        _githubClientMock
+            .Setup(m => m.GetAllAsync(url, null))
+            .Returns(new[] { JToken.Parse(issueCommentLocation) }.ToAsyncEnumerable());
+
+        // Act
+        var locations = await _githubApi.GetSecretScanningAlertsLocations(GITHUB_ORG, GITHUB_REPO, alertNumber);
+
+        // Assert
+        locations.Should().HaveCount(1);
+        var location = locations.First();
+        location.LocationType.Should().Be("issue_comment");
+        location.IssueCommentUrl.Should().Be("https://api.github.com/repos/ORG/REPO/issues/comments/2758578142");
+    }
+
     private string Compact(string source) =>
         source
             .Replace("\r", "")