Scan attempted for branches that don't match protected branch criteria when webhook event comes from repo default branch #1195

Open
nleach999 opened this issue Feb 24, 2023 · 0 comments
Description

Testing with BitBucket server using Postwebhooks for a global webhook. I assume this is an issue for other SCMs.

Webhooks should only handle scan orchestration for protected branches. If no protected branches are defined (either in yaml or config-as-code), all webhook deliveries from a repo should not attempt to orchestrate a scan since the event branch will never match a protected branch name.

Testing in CxFlow 1.6.28, this works as expected.

Testing in CxFlow 1.6.39, this works if and only if the branch that generated the event is not the repo's default branch. If the default branch initiates the event, a scan is attempted. The scan usually will fail since it is missing a correct team assignment, but this is not always going to be true.

This appears to be mostly cosmetic where it is currently observed, however there are a few potential impacts:

  • It is difficult for log monitors to tell a real failure apart from this failure.
  • Under certain conditions, this could put a load on SAST since the SAST APIs need to be used to identify the team.
  • My example shows CxFlow configured purposely with an invalid team (I did this originally to catch bad config-as-code configurations), so it fails. Some orgs may use /CxServer as default, which may allow it to initiate a scan.

Expected Behavior

An event from a branch that does not match a defined protected branch should finish with a message similar to "Branch did not meet the scanning criteria"

Actual Behavior

CxFlow 1.6.39 tries to initiate a scan on the default branch when the event is originated from the default branch.

It shouldn't need to retrieve the default branch if the branch that generates the event doesn't match any protected branch.

Reproduction

  1. Configure CxFlow yaml with no branches, e.g.:

       cx-flow:
         branches:

  2. Ensure the repo does not contain a config-as-code file (you will see 404 results when requesting the config-as-code file)

  3. Initiate a webhook event from the default branch by changing a file

  4. Observe that CxFlow attempts to perform a scan with the default branch that can't possibly match as a protected branch

How it should work: cxflow.1.6.28.log

It works correctly in 1.6.39 for non-default branches: cxflow.1.6.39.non-default-branch.log

It attempts a scan in 1.6.39 for a default branch: cxflow.1.6.39.default-branch.log

The failure log shows it calling the project name script twice for some reason. It shouldn't do that either.

Environment Details

CxFlow 1.6.39 in webhook mode
BitBucket Server 8.8.2 with Postwebhooks (not native BB webhooks)
Project name script: name.groovy
cx-flow.branches set to empty (protected branches are to be defined in Config-as-Code)

@nleach999 nleach999 added the bug Something isn't working label Feb 24, 2023
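The following is an added illustration of the branch-screening logic this report describes; it is not CxFlow code and does not claim to show the cause of the 1.6.39 behaviour. `ScmClient`, the function names, the union of yaml and config-as-code branch lists, and the sample events are all assumptions constructed for the example. It models the two paths the report contrasts: the expected path checks the event branch against the protected-branch list first and never calls the SCM for the default branch when nothing matches, while the observed path resolves the default branch up front and goes on to a scan attempt for an event from that branch.

```python
"""Added illustration of webhook branch screening (not CxFlow code).

ScmClient, the function names and the sample events are constructed here.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

SKIP_MESSAGE = "Branch did not meet the scanning criteria"


@dataclass
class ScmClient:
    """Stand-in for the SCM API (assumption: real clients differ).

    config_as_code_branches=None models the 404 seen when the repo has no
    config-as-code file. default_branch_calls counts lookups so a caller can
    verify that the lookup is skipped when it is not needed.
    """
    default_branch: str
    config_as_code_branches: Optional[Sequence[str]] = None
    default_branch_calls: int = 0

    def get_default_branch(self) -> str:
        self.default_branch_calls += 1
        return self.default_branch

    def get_config_as_code_branches(self) -> Optional[Sequence[str]]:
        return self.config_as_code_branches


def protected_branches(yaml_branches: Optional[Sequence[str]], scm: ScmClient) -> set:
    """Protected branches may be defined in yaml or in config-as-code.

    This example takes the union of both sources; that is an assumption for
    the illustration, not a statement about how CxFlow merges them.
    """
    branches = set(yaml_branches or [])
    cac = scm.get_config_as_code_branches()
    if cac is not None:
        branches.update(cac)
    return branches


def observed_decision(event_branch: str, yaml_branches, scm: ScmClient) -> Tuple[str, str]:
    """Model of the reported 1.6.39 symptom: the default branch is fetched
    before the protected-branch check, and an event from the default branch
    proceeds to a scan attempt even with no protected branches configured."""
    default = scm.get_default_branch()
    if event_branch in protected_branches(yaml_branches, scm) or event_branch == default:
        return ("scan", event_branch)
    return ("skip", SKIP_MESSAGE)


def expected_decision(event_branch: str, yaml_branches, scm: ScmClient) -> Tuple[str, str]:
    """Expected behaviour: a branch matching no protected branch finishes
    with the skip message, and the SCM default-branch API is never called."""
    if event_branch not in protected_branches(yaml_branches, scm):
        return ("skip", SKIP_MESSAGE)
    return ("scan", event_branch)


if __name__ == "__main__":
    # Constructed repro: cx-flow.branches empty, no config-as-code file
    # (404), webhook event from the default branch.
    for decide in (observed_decision, expected_decision):
        scm = ScmClient(default_branch="main")
        outcome = decide("main", [], scm)
        print(f"{decide.__name__}: {outcome}, "
              f"default-branch lookups={scm.default_branch_calls}")
```

Running the module prints a scan attempt with one default-branch lookup for the observed path and the skip message with zero lookups for the expected path. The lookup counter is the useful check for anyone reproducing this against their own deployment: with an empty protected-branch list, any call to the SCM default-branch endpoint on a webhook delivery is work that should not happen, and it is what generates the misleading team-assignment failures the report mentions.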