Add CEL filter

2025-12-10 00:22:08 -06:00 · 2023-01-03 17:41:13 +05:30 · 2023-01-03 17:41:13 +05:30 · a12afa1344
commit a12afa1344
parent e0d3353cc3
6 changed files with 142 additions and 0 deletions
--- a/go.mod
+++ b/go.mod
@ -4,6 +4,7 @@ go 1.18

 require (
 	github.com/deepmap/oapi-codegen v1.12.4
+	github.com/google/cel-go v0.13.0
 	github.com/google/osv-scanner v1.0.2
 	github.com/sirupsen/logrus v1.9.0
 	github.com/spf13/cobra v1.6.1
@ -14,13 +15,18 @@ require (

 require (
 	github.com/BurntSushi/toml v1.2.1 // indirect
+	github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 // indirect
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/stoewer/go-strcase v1.2.0 // indirect
 	golang.org/x/mod v0.7.0 // indirect
 	golang.org/x/sys v0.3.0 // indirect
+	golang.org/x/text v0.4.0 // indirect
+	google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c // indirect
+	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -1,6 +1,8 @@
 github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
 github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
+github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 h1:yL7+Jz0jTC6yykIK/Wh74gnTJnrGr5AyrNMXuA0gves=
+github.com/antlr/antlr4/runtime/Go/antlr v1.4.10/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0 h1:axGnT1gRIfimI7gJifB699GoE/oq+F2MU7Dml6nw9rQ=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk=
 github.com/bmatcuk/doublestar v1.1.1/go.mod h1:UD6OnuiIn0yFxxA2le/rnRU1G4RaI4UvFv1sNto9p6w=
@ -10,6 +12,11 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/deepmap/oapi-codegen v1.12.4 h1:pPmn6qI9MuOtCz82WY2Xaw46EQjgvxednXXrP7g5Q2s=
 github.com/deepmap/oapi-codegen v1.12.4/go.mod h1:3lgHGMu6myQ2vqbbTXH2H1o4eXFTGnFiDaOaKKl5yas=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/google/cel-go v0.13.0 h1:z+8OBOcmh7IeKyqwT/6IlnMvy621fYUqnTVPEdegGlU=
+github.com/google/cel-go v0.13.0/go.mod h1:K2hpQgEjDp18J76a2DKFRlPBPpgRZgi6EbnpDgIhJ8s=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/osv-scanner v1.0.2 h1:EiDbP8XQhEvo9I7WZMvA7OkJinyOULhNTD7SITS2tBY=
 github.com/google/osv-scanner v1.0.2/go.mod h1:KTYFW64rATMvw7MtWAVXxIkG7u0R86n6VUKM8pzOzF0=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
@ -27,10 +34,13 @@ github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUq
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spkg/bom v0.0.0-20160624110644-59b7046e48ad/go.mod h1:qLr4V1qq6nMqFKkMo8ZTx3f+BZEkzsRUY10Xsm2mwU0=
+github.com/stoewer/go-strcase v1.2.0 h1:Z2iHWqGXH00XYgqDmNgQbIBxf3wrNq0F3feEy0ainaU=
+github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
@ -43,8 +53,17 @@ golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI=
 golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
+golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c h1:QgY/XxIAIeccR+Ca/rDdKubLIU9rcJ3xfy1DC/Wd2Oo=
+google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c/go.mod h1:CGI5F/G+E5bKwmfYo09AXuVN4dD894kIKUFmVbP2/Fo=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
+google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/pkg/analyzer/analyzer.go
+++ b/pkg/analyzer/analyzer.go
@ -2,10 +2,19 @@ package analyzer

 import "github.com/safedep/vet/pkg/models"

+type AnalyzerEventType string
+
+const (
+	ET_FilterExpressionMatched = AnalyzerEventType("ev_pkg_filter_match")
+)
+
 type AnalyzerEvent struct {
 	// Analyzer generating this event
 	Source string

+	// Type of the event
+	Type AnalyzerEventType
+
 	// Entities on which event was generated
 	Manifest *models.PackageManifest
 	Package  *models.Package
--- a/pkg/analyzer/cel_filter.go
+++ b/pkg/analyzer/cel_filter.go
@ -0,0 +1,95 @@
+package analyzer
+
+import (
+	"encoding/json"
+	"fmt"
+	"reflect"
+
+	"github.com/google/cel-go/cel"
+	"github.com/safedep/vet/pkg/common/logger"
+	"github.com/safedep/vet/pkg/models"
+)
+
+type celFilterAnalyzer struct {
+	program cel.Program
+}
+
+func NewCelFilterAnalyzer(filter string) (Analyzer, error) {
+	env, err := cel.NewEnv(
+		cel.Variable("pkg", cel.DynType),
+		cel.Variable("manifest", cel.DynType),
+	)
+
+	if err != nil {
+		return nil, err
+	}
+
+	ast, issues := env.Compile(filter)
+	if issues != nil && issues.Err() != nil {
+		return nil, issues.Err()
+	}
+
+	prog, err := env.Program(ast)
+	if err != nil {
+		return nil, err
+	}
+
+	return &celFilterAnalyzer{program: prog}, nil
+}
+
+func (f *celFilterAnalyzer) Name() string {
+	return "CEL Filter Analyzer"
+}
+
+func (f *celFilterAnalyzer) Analyze(manifest *models.PackageManifest,
+	handler AnalyzerEventHandler) error {
+
+	pkgManifestVal, err := f.valType(manifest)
+	if err != nil {
+		logger.Errorf("Failed to convert manifest to val: %v", err)
+	}
+
+	logger.Infof("CEL filtering manifest: %s", manifest.Path)
+	for _, pkg := range manifest.Packages {
+		pkgVal, err := f.valType(pkg)
+		if err != nil {
+			logger.Errorf("Failed to convert package to val: %v", err)
+			continue
+		}
+
+		out, _, err := f.program.Eval(map[string]interface{}{
+			"pkg":      pkgVal,
+			"manifest": pkgManifestVal,
+		})
+
+		if err != nil {
+			logger.Errorf("Failed to evaluate CEL for %s:%v : %v",
+				pkg.PackageDetails.Name,
+				pkg.PackageDetails.Version, err)
+			continue
+		}
+
+		if (reflect.TypeOf(out).Kind() == reflect.Bool) &&
+			(reflect.ValueOf(out).Bool()) {
+			fmt.Printf("[%s] %s %v\n", pkg.PackageDetails.Ecosystem,
+				pkg.PackageDetails.Name, pkg.PackageDetails.Version)
+		}
+	}
+
+	return nil
+}
+
+func (f *celFilterAnalyzer) valType(i any) (any, error) {
+	data, err := json.Marshal(i)
+	if err != nil {
+		return nil, err
+	}
+
+	ret := make(map[string]interface{})
+	err = json.Unmarshal(data, &ret)
+	if err != nil {
+		return nil, err
+	}
+
+	return ret, nil
+}
--- a/pkg/models/models.go
+++ b/pkg/models/models.go
@ -78,6 +78,7 @@ func (p *Package) Id() string {
 func NewPackageDetail(e, n, v string) lockfile.PackageDetails {
 	return lockfile.PackageDetails{
 		Ecosystem: lockfile.Ecosystem(e),
+		CompareAs: lockfile.Ecosystem(e),
 		Name:      n,
 		Version:   v,
 	}
--- a/scan.go
+++ b/scan.go
@ -20,6 +20,7 @@ var (
 	concurrency         int
 	dumpJsonManifest    bool
 	dumpJsonManifestDir string
+	celFilterExpression string
 )

 func newScanCommand() *cobra.Command {
@ -53,6 +54,8 @@ func newScanCommand() *cobra.Command {
 		"Dump enriched manifests as JSON docs")
 	cmd.Flags().StringVarP(&dumpJsonManifestDir, "json-dump-dir", "", "",
 		"Dump dir for enriched JSON docs")
+	cmd.Flags().StringVarP(&celFilterExpression, "filter-cel", "", "",
+		"Filter and print packages using CEL")

 	cmd.AddCommand(listParsersCommand())
 	return cmd
@ -93,6 +96,15 @@ func internalStartScan() error {
 		analyzers = append(analyzers, task)
 	}

+	if len(celFilterExpression) > 0 {
+		task, err := analyzer.NewCelFilterAnalyzer(celFilterExpression)
+		if err != nil {
+			return err
+		}
+
+		analyzers = append(analyzers, task)
+	}
+
 	enrichers := []scanner.PackageMetaEnricher{
 		scanner.NewInsightBasedPackageEnricher(),
 	}