mindersec · rdimitrov · Jun 13, 2024 · Jun 5, 2024 · Jun 5, 2024
@@ -54,6 +54,7 @@ require (
 	github.com/spf13/viper v1.19.0
 	github.com/sqlc-dev/pqtype v0.3.0
 	github.com/stacklok/frizbee v0.0.19
+	github.com/stacklok/trusty-sdk-go v0.1.0
 	github.com/stretchr/testify v1.9.0
 	github.com/styrainc/regal v0.22.0
 	github.com/thomaspoignant/go-feature-flag v1.30.0

@@ -866,6 +866,8 @@ github.com/sqlc-dev/pqtype v0.3.0 h1:b09TewZ3cSnO5+M1Kqq05y0+OjqIptxELaSayg7bmqk
 github.com/sqlc-dev/pqtype v0.3.0/go.mod h1:oyUjp5981ctiL9UYvj1bVvCKi8OXkCa0u645hce7CAs=
 github.com/stacklok/frizbee v0.0.19 h1:lD5O5e1lCYl6yGTtWW93m2w60TMeTJB5oLXMeaHnFHo=
 github.com/stacklok/frizbee v0.0.19/go.mod h1:Hvi3/ryonTgeMBG4/EtBGjfK49W0rP0P3+0RAg3kqHI=
+github.com/stacklok/trusty-sdk-go v0.1.0 h1:b0m9HrAjJpyorev7vMbGf56UUMI1XyUBgd3SwnHCPh0=
+github.com/stacklok/trusty-sdk-go v0.1.0/go.mod h1:OWk/FxKjjFw+mQnCKaytoYL7vMWoj+8Ep2TYsp8QSaI=
 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

@@ -28,6 +28,7 @@ import (
 
 	"github.com/google/go-github/v61/github"
 	"github.com/rs/zerolog"
+	trustytypes "github.com/stacklok/trusty-sdk-go/pkg/types"
 
 	"github.com/stacklok/minder/internal/constants"
 	"github.com/stacklok/minder/internal/engine/eval/pr_actions"
@@ -201,7 +202,7 @@ type dependencyAlternatives struct {
 	BlockPR bool
 
 	// trustyReply is the complete response from trusty for this package
-	trustyReply *Reply
+	trustyReply *trustytypes.Reply
 }
 
 // summaryPrHandler is a prStatusHandler that adds a summary text to the PR as a comment.
@@ -345,7 +346,7 @@ func (sph *summaryPrHandler) generateSummary() (string, error) {
 }
 
 // buildProvenanceStruct builds the provenance data structure for the PR template
-func buildProvenanceStruct(r *Reply) *templateProvenance {
+func buildProvenanceStruct(r *trustytypes.Reply) *templateProvenance {
 	if r == nil || r.Provenance == nil {
 		return nil
 	}

@@ -18,6 +18,7 @@ package trusty
 import (
 	"testing"
 
+	trustytypes "github.com/stacklok/trusty-sdk-go/pkg/types"
 	"github.com/stretchr/testify/require"
 
 	v1 "github.com/stacklok/minder/pkg/api/protobuf/go/minder/v1"
@@ -36,23 +37,23 @@ func TestBuildProvenanceStruct(t *testing.T) {
 	t.Parallel()
 	for _, tc := range []struct {
 		name     string
-		sut      *Reply
+		sut      *trustytypes.Reply
 		mustNil  bool
 		expected *templateProvenance
 	}{
 		{
 			name: "full-response",
-			sut: &Reply{
-				Provenance: &Provenance{
+			sut: &trustytypes.Reply{
+				Provenance: &trustytypes.Provenance{
 					Score: 8.0,
-					Description: ProvenanceDescription{
-						Historical: HistoricalProvenance{
+					Description: trustytypes.ProvenanceDescription{
+						Historical: trustytypes.HistoricalProvenance{
 							Tags:     10,
 							Common:   8,
 							Overlap:  80,
 							Versions: 10,
 						},
-						Sigstore: SigstoreProvenance{
+						Sigstore: trustytypes.SigstoreProvenance{
 							Issuer:           "CN=sigstore-intermediate,O=sigstore.dev",
 							Workflow:         ".github/workflows/build_and_deploy.yml",
 							SourceRepository: "https://github.com/vercel/next.js",
@@ -78,11 +79,11 @@ func TestBuildProvenanceStruct(t *testing.T) {
 		},
 		{
 			name: "only-historical",
-			sut: &Reply{
-				Provenance: &Provenance{
+			sut: &trustytypes.Reply{
+				Provenance: &trustytypes.Provenance{
 					Score: 8.0,
-					Description: ProvenanceDescription{
-						Historical: HistoricalProvenance{
+					Description: trustytypes.ProvenanceDescription{
+						Historical: trustytypes.HistoricalProvenance{
 							Tags:     10,
 							Common:   8,
 							Overlap:  80,
@@ -102,11 +103,11 @@ func TestBuildProvenanceStruct(t *testing.T) {
 		},
 		{
 			name: "only-sigstore",
-			sut: &Reply{
-				Provenance: &Provenance{
+			sut: &trustytypes.Reply{
+				Provenance: &trustytypes.Provenance{
 					Score: 8.0,
-					Description: ProvenanceDescription{
-						Sigstore: SigstoreProvenance{
+					Description: trustytypes.ProvenanceDescription{
+						Sigstore: trustytypes.SigstoreProvenance{
 							Issuer:           "CN=sigstore-intermediate,O=sigstore.dev",
 							Workflow:         ".github/workflows/build_and_deploy.yml",
 							SourceRepository: "https://github.com/vercel/next.js",
@@ -132,7 +133,7 @@ func TestBuildProvenanceStruct(t *testing.T) {
 		},
 		{
 			name:    "no-provenance",
-			sut:     &Reply{},
+			sut:     &trustytypes.Reply{},
 			mustNil: true,
 		},
 	} {

@@ -22,6 +22,8 @@ import (
 	"strings"
 
 	"github.com/rs/zerolog"
+	trusty "github.com/stacklok/trusty-sdk-go/pkg/client"
+	trustytypes "github.com/stacklok/trusty-sdk-go/pkg/types"
 
 	evalerrors "github.com/stacklok/minder/internal/engine/errors"
 	"github.com/stacklok/minder/internal/engine/eval/pr_actions"
@@ -41,7 +43,7 @@ const (
 type Evaluator struct {
 	cli      provifv1.GitHub
 	endpoint string
-	client   *trustyClient
+	client   *trusty.Trusty
 }
 
 // NewTrustyEvaluator creates a new trusty evaluator
@@ -55,21 +57,21 @@ func NewTrustyEvaluator(ctx context.Context, ghcli provifv1.GitHub) (*Evaluator,
 
 	// If the environment variable is not set, use the default endpoint
 	if trustyEndpoint == "" {
-		trustyEndpoint = trustyEndpointURL
+		trustyEndpoint = trusty.DefaultOptions.BaseURL
 		zerolog.Ctx(ctx).Info().Str("trusty-endpoint", trustyEndpoint).Msg("using default trusty endpoint")
 	} else {
 		zerolog.Ctx(ctx).Info().Str("trusty-endpoint", trustyEndpoint).Msg("using trusty endpoint from environment")
 	}
 
-	piCli := newPiClient(trustyEndpoint)
-	if piCli == nil {
-		return nil, fmt.Errorf("failed to create pi client")
-	}
+	trustyClient := trusty.NewWithOptions(trusty.Options{
+		HttpClient: trusty.DefaultOptions.HttpClient,
+		BaseURL:    trustyEndpoint,
+	})
 
 	return &Evaluator{
 		cli:      ghcli,
 		endpoint: trustyEndpoint,
-		client:   piCli,
+		client:   trustyClient,
 	}, nil
 }
 
@@ -221,9 +223,15 @@ func buildEvalResult(prSummary *summaryPrHandler) error {
 	return nil
 }
 
-func getDependencyScore(ctx context.Context, trusty *trustyClient, dep *pb.PrDependencies_ContextualDependency) (*Reply, error) {
+func getDependencyScore(
+	ctx context.Context, trustyClient *trusty.Trusty, dep *pb.PrDependencies_ContextualDependency,
+) (*trustytypes.Reply, error) {
 	// Call the Trusty API
-	resp, err := trusty.SendRecvRequest(ctx, dep.Dep)
+	resp, err := trustyClient.Report(ctx, &trustytypes.Dependency{
+		Name:      dep.Dep.Name,
+		Version:   dep.Dep.Version,
+		Ecosystem: trustytypes.Ecosystem(dep.Dep.Ecosystem),
+	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to send request: %w", err)
 	}
@@ -233,7 +241,7 @@ func getDependencyScore(ctx context.Context, trusty *trustyClient, dep *pb.PrDep
 // classifyDependency checks the dependencies from the PR for maliciousness or
 // low scores and adds them to the summary if needed
 func classifyDependency(
-	_ context.Context, logger *zerolog.Logger, resp *Reply, ruleConfig *config,
+	_ context.Context, logger *zerolog.Logger, resp *trustytypes.Reply, ruleConfig *config,
 	prSummary *summaryPrHandler, dep *pb.PrDependencies_ContextualDependency,
 ) {
 	// Check all the policy violations
@@ -319,10 +327,10 @@ func classifyDependency(
 
 // readPackageDescription reads the description from the package summary and
 // normlizes the required values when missing from a partial Trusty response
-func readPackageDescription(resp *Reply) map[string]any {
+func readPackageDescription(resp *trustytypes.Reply) map[string]any {
 	descr := map[string]any{}
 	if resp == nil {
-		resp = &Reply{}
+		resp = &trustytypes.Reply{}
 	}
 	if resp.Summary.Description != nil {
 		descr = resp.Summary.Description