[Merge] ~cjwatson/launchpad:soss-scan-malware into launchpad:master
Colin Watson has proposed merging ~cjwatson/launchpad:soss-scan-malware into launchpad:master.
Commit message:
Allow configuring CI builds to scan for malware
Requested reviews:
Launchpad code reviewers (launchpad-reviewers)
For more details, see:
https://code.launchpad.net/~cjwatson/launchpad/+git/launchpad/+merge/430827
This is the buildd-manager side of https://code.launchpad.net/~cjwatson/launchpad-buildd/+git/launchpad-buildd/+merge/430040. It shouldn't be landed until that change has been deployed to production.
--
Your team Launchpad code reviewers is requested to review the proposed merge of ~cjwatson/launchpad:soss-scan-malware into launchpad:master.
diff --git a/lib/lp/code/model/cibuildbehaviour.py b/lib/lp/code/model/cibuildbehaviour.py
index 04ce888..6a50dd8 100644
--- a/lib/lp/code/model/cibuildbehaviour.py
+++ b/lib/lp/code/model/cibuildbehaviour.py
@@ -100,6 +100,13 @@ def build_secrets(distribution_name: str) -> dict:
return rv
+def should_scan_malware(distribution_name: str) -> bool:
+ try:
+ return config["cibuild." + distribution_name]["scan_malware"]
+ except NoSectionError:
+ return False
+
+
@adapter(ICIBuild)
@implementer(IBuildFarmJobBehaviour)
class CIBuildBehaviour(BuilderProxyMixin, BuildFarmJobBehaviourBase):
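Review bot: `should_scan_malware` returns False when the `cibuild.<distribution>` section is missing, so a misspelled or absent section turns the scan off with no signal, and the function has no docstring saying this default is intended. Since the flag gates a security check, I would state the contract on the function, e.g. `"""Return True if CI build output for this distribution should be scanned for malware; distributions with no cibuild.<name> config section are not scanned."""`. The `-> bool` annotation appears to rely on the `datatype: boolean` schema entry added in this same proposal, which is worth a one-line comment so the two stay in step.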
@@ -195,6 +202,7 @@ class CIBuildBehaviour(BuilderProxyMixin, BuildFarmJobBehaviourBase):
)
args["plugin_settings"] = build_plugin_settings(distribution_name)
args["secrets"] = build_secrets(distribution_name)
+ args["scan_malware"] = should_scan_malware(distribution_name)
return args
def verifySuccessfulBuild(self):
diff --git a/lib/lp/code/model/tests/test_cibuildbehaviour.py b/lib/lp/code/model/tests/test_cibuildbehaviour.py
index 46cea3c..20c85c2 100644
--- a/lib/lp/code/model/tests/test_cibuildbehaviour.py
+++ b/lib/lp/code/model/tests/test_cibuildbehaviour.py
@@ -362,6 +362,7 @@ class TestAsyncCIBuildBehaviour(StatsMixin, TestCIBuildBehaviourBase):
self.assertEqual([], args["package_repositories"])
self.assertEqual({}, args["plugin_settings"])
self.assertEqual({}, args["secrets"])
+ self.assertFalse(args["scan_malware"])
@defer.inlineCallbacks
def test_extraBuildArgs_git_no_artifactory_configuration(self):
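Review bot: `self.assertFalse(args["scan_malware"])` accepts any falsy value (None, an empty string), and the `assertTrue` in the new `test_extraBuildArgs_scan_malware` hunk accepts any truthy one, including an unconverted config string such as "False". The value is passed on as a build argument, so the tests should pin a real boolean the way the `Is(False)` matcher in the next hunk does: `self.assertIs(False, args["scan_malware"])` here and `self.assertIs(True, args["scan_malware"])` in the new test. The enclosing test method starts outside this hunk.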
@@ -444,6 +445,7 @@ class TestAsyncCIBuildBehaviour(StatsMixin, TestCIBuildBehaviourBase):
"revocation_endpoint": RevocationEndpointMatcher(
job, self.now
),
+ "scan_malware": Is(False),
"series": Equals(job.build.distro_series.name),
"trusted_keys": Equals(expected_trusted_keys),
"environment_variables": Equals(
@@ -516,6 +518,20 @@ class TestAsyncCIBuildBehaviour(StatsMixin, TestCIBuildBehaviourBase):
)
@defer.inlineCallbacks
+ def test_extraBuildArgs_scan_malware(self):
+ self.pushConfig("cibuild.soss", scan_malware=True)
+ package = self.factory.makeDistributionSourcePackage(
+ distribution=self.factory.makeDistribution(name="soss")
+ )
+ git_repository = self.factory.makeGitRepository(target=package)
+ job = self.makeJob(
+ stages=[[("test", 0)]], git_repository=git_repository
+ )
+ with dbuser(config.builddmaster.dbuser):
+ args = yield job.extraBuildArgs()
+ self.assertTrue(args["scan_malware"])
+
+ @defer.inlineCallbacks
def test_extraBuildArgs_archive_trusted_keys(self):
# If the archive has a signing key, extraBuildArgs sends it.
yield self.useFixture(InProcessKeyServerFixture()).start()
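Review bot: `test_extraBuildArgs_scan_malware` only exercises the distribution that was configured, so nothing visible here checks that enabling `cibuild.soss` leaves a job for a different distribution unscanned. A sibling test that keeps `self.pushConfig("cibuild.soss", scan_malware=True)`, builds the job on a distribution with another name, and ends with `self.assertIs(False, args["scan_malware"])` would pin the per-distribution lookup in `should_scan_malware`. That guards against a later refactor making the setting apply more widely or more narrowly than the config section name implies.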
diff --git a/lib/lp/services/config/schema-lazr.conf b/lib/lp/services/config/schema-lazr.conf
index 1de9763..86aeddd 100644
--- a/lib/lp/services/config/schema-lazr.conf
+++ b/lib/lp/services/config/schema-lazr.conf
@@ -262,6 +262,10 @@ plugin_settings: none
# until the more generic secrets handling will be implemented for all use cases
secrets: none
+# If true, scan job output for malware.
+# datatype: boolean
+scan_malware: False
+
[codebrowse]
# Where to store codebrowse's sqlite "files changed" caches. If