Conversation

Contributor

@Amoratinos Amoratinos commented Nov 14, 2025

This PR modified the security audit worker to call the code import worker before calling mystique.
We had to refactor it to be a multi-step worker.

@github-actions

This PR will trigger no release when merged.

.withPostProcessors([opportunityAndSuggestionsStep])
// Note the import worker MUST trigger the next step regardless if code repo is configured
.addStep('import', extractCodeBucket, AUDIT_STEP_DESTINATIONS.IMPORT_WORKER)
.addStep('generate-suggestion-data', opportunityAndSuggestionsStep)
Contributor Author

Not sure, so just asking to confirm: is the audit-worker called back from the import worker once the code is done? Or does it just continue once the message is sent to the import worker?

Contributor

The code exits after the import step (maybe change the name :)), after the message is sent to the import worker.
Then the import worker puts another message into the queue calling the audit worker with a payload next: generate-suggestion-data, and that is when the second step is executed.

.withRunner(vulnerabilityAuditRunner)
.withPostProcessors([opportunityAndSuggestionsStep])
// Note the import worker MUST trigger the next step regardless if code repo is configured
.addStep('import-from-starfish', extractCodeBucket, AUDIT_STEP_DESTINATIONS.IMPORT_WORKER)
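
Review bot: the comment above .addStep('import-from-starfish', ...) states that the import worker must trigger the next step even when no code repo is configured, but nothing in this chain enforces or times out that contract; since the audit worker exits after this step and only resumes when a message with next: generate-suggestion-data comes back, a missing callback leaves the audit stalled with no error. Suggest documenting the expected callback payload next to this step and adding a test for the no-repo case so the guarantee is checked rather than assumed.
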
Member

Do these need to be named with a more unique name, like security-*?

Contributor

Not really, those are steps in the security vulnerability audit types.
E.g. the SQS message looks like:

{
  "type": "audit",
  "siteId": "9ee60274-f27a-47ab-9b60-46c09a83175c",
  "allowCache": true,
  "auditContext": {
    "next": "generate-suggestion-data",
    "auditId": "e082980d-673b-4e37-828a-949731127261",
    "auditType": "security-vulnerabilities",
    "fullAuditRef": "publish-p15854-e1797721.adobeaemcloud.com/us/en.html"
  },
  "data": {
    "codeBucket": "spacecat-dev-importer",
    "codePath": "/my/code/path"
  },
  "timestamp": "2025-11-11T16:19:38.130Z"
}

Note the auditContext.auditType and auditContext.next.
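
As an added example (not spacecat's own code) of the routing that a message like the one above drives: a dispatcher that picks the step from auditContext.next, treats a missing next as the first step, and rejects a wrong audit type, an unknown step name, or a callback that carries no code location. The step names and message fields are taken from this thread; the step bodies, the destination names and the sample ids are assumed.

```javascript
// Added example, not spacecat's own code: a minimal dispatcher for the
// two-step security-vulnerabilities audit described in this thread.
// Step names and the auditContext.next / auditContext.auditType fields
// come from the thread; step bodies, destinations and samples are assumed.
const AUDIT_TYPE = 'security-vulnerabilities';
const FIRST_STEP = 'import-from-starfish';

// Step table. The first step only hands off to the import worker and exits;
// the second runs when the import worker calls back with next set.
const STEPS = {
  'import-from-starfish': (msg) => ({
    destination: 'IMPORT_WORKER',
    payload: { siteId: msg.siteId, auditId: msg.auditContext.auditId },
  }),
  'generate-suggestion-data': (msg) => ({
    destination: 'DONE',
    payload: { codeBucket: msg.data.codeBucket, codePath: msg.data.codePath },
  }),
};

// Route one SQS message to its step. Fails closed on a wrong audit type,
// an unknown step name, or a callback that lacks the code location.
function dispatch(msg) {
  const ctx = msg.auditContext ?? {};
  if (ctx.auditType !== AUDIT_TYPE) {
    throw new Error(`unexpected auditType: ${ctx.auditType}`);
  }
  const stepName = ctx.next ?? FIRST_STEP;
  const step = STEPS[stepName];
  if (!step) throw new Error(`unknown step: ${stepName}`);
  if (stepName !== FIRST_STEP && !(msg.data && msg.data.codeBucket)) {
    throw new Error(`step ${stepName} requires data.codeBucket`);
  }
  return { step: stepName, ...step(msg) };
}

// Constructed sample messages (ids and bucket name are placeholders).
const initialMessage = {
  siteId: 'site-0000',
  auditContext: { auditId: 'audit-0000', auditType: AUDIT_TYPE },
};
const callbackMessage = {
  siteId: 'site-0000',
  auditContext: { auditId: 'audit-0000', auditType: AUDIT_TYPE, next: 'generate-suggestion-data' },
  data: { codeBucket: 'example-importer-bucket', codePath: '/my/code/path' },
};
```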

// checks the session token of 1h

// poor man's way to use tokens that are valid > 1h. Ask bott.
if (process.env.IM_REALLY_USING_A_DEV_TOKEN === 'true' || process.env.IM_REALLY_USING_A_DEV_TOKEN === 'pinky finger promise') {
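
Review bot: the condition at if (process.env.IM_REALLY_USING_A_DEV_TOKEN === 'true' || ... === 'pinky finger promise') switches off the 1h session-token check on the strength of a single environment variable, with two accepted magic values; suggest one documented flag name and value, plus a second guard that the worker is actually running in a local/dev environment, so that setting one variable in a deployed worker cannot disable the token check.
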
Member

Can you make this a bit less hackish-looking?

Contributor

@bottadobe bottadobe Nov 17, 2025

The original way is hackish and annoying; this is just a patch on top.
Note this is only for local development.

@bottadobe bottadobe changed the title Sec vuln import worker feat: CQ-4361662 security worker calls code import worker Nov 17, 2025
@andresbott

@kronnox can I get another pair of eyes?

@bottadobe bottadobe merged commit 3ae7900 into main Nov 24, 2025
8 checks passed
@bottadobe bottadobe deleted the sec-vuln-import-worker branch November 24, 2025 15:19
solaris007 pushed a commit that referenced this pull request Nov 24, 2025
# [1.253.0](v1.252.6...v1.253.0) (2025-11-24)

### Features

* CQ-4361662 security worker calls code import worker ([#1572](#1572)) ([3ae7900](3ae7900))
@solaris007
Member

🎉 This PR is included in version 1.253.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

7 participants