• Joined on 2021年07月21日
ulexus commented on pull request stagex/stagex#32 2024年02月16日 16:47:53 +01:00
refactor: add context to background section

This comma is actually required, because these are two complete sentences and not a list.

ulexus commented on pull request stagex/stagex#32 2024年02月16日 16:47:53 +01:00
refactor: add context to background section

Some grammatical nits and one point of substance. Overall, nice improvement.

ulexus commented on pull request stagex/stagex#32 2024年02月16日 16:47:52 +01:00
refactor: add context to background section

perhaps "there isn't currently another solution which..."?

ulexus commented on pull request stagex/stagex#32 2024年02月16日 16:47:52 +01:00
refactor: add context to background section

pref: comma before which; subordinate supporting clause (though this is not a hard requirement)

ulexus commented on pull request stagex/stagex#32 2024年02月16日 16:47:52 +01:00
refactor: add context to background section

Observation: this isn't really what we are doing is it? We are answering the question: do I have a way of verifying that this binary was produced based on this source code?

ulexus commented on pull request stagex/stagex#32 2024年02月16日 16:47:52 +01:00
refactor: add context to background section

+1

ulexus commented on pull request stagex/stagex#32 2024年02月16日 16:47:51 +01:00
refactor: add context to background section

This should not have a command, because it adjoins only two clauses.

ulexus commented on pull request stagex/stagex#32 2024年02月16日 16:47:51 +01:00
refactor: add context to background section

The "which" here was required, because it is a subordinate clause unrelated to the previous list clauses.

ulexus pushed tag v0.0.4 to stagex/sxctl 2024年02月15日 23:23:06 +01:00
ulexus pushed to main at stagex/sxctl 2024年02月15日 23:20:53 +01:00
cf9e9ff0d4 chore: update to allow stagex/ dependency prefix
ulexus commented on pull request stagex/sxctl#4 2024年02月14日 17:39:38 +01:00
WIP: feat: add vuln scanner

The go standard library has tooling to manipulate parameters like this programmatically, too, which makes things a little more flexible, with less direct string manipulation in this code.

ulexus commented on pull request stagex/sxctl#4 2024年02月14日 17:39:38 +01:00
WIP: feat: add vuln scanner

A number of comments/suggestions

ulexus commented on pull request stagex/sxctl#4 2024年02月14日 17:39:38 +01:00
WIP: feat: add vuln scanner

Since this doesn't constitute a subcommand, let's just collapse this entire function and call vulnerability.FullScan() directly.

ulexus commented on pull request stagex/sxctl#4 2024年02月14日 17:39:38 +01:00
WIP: feat: add vuln scanner

I'm pretty sure none of this code should ever actually be hit (a file named ContainerFileName cannot be subtended from a non-directory). This appears to be leftover code from one of my prior iterations; it's ugly and should just be cut. It should be able to collapse into something like:

ulexus commented on pull request stagex/sxctl#4 2024年02月14日 17:39:38 +01:00
WIP: feat: add vuln scanner

Do you anticipate the need for v / not-v version normalization? The pattern so far has been not-v... but will that hold?

ulexus commented on pull request stagex/sxctl#4 2024年02月14日 17:39:38 +01:00
WIP: feat: add vuln scanner

Since you are just using an unmodified client, you could just use the http.DefaultClient, by calling http.Do(req) directly.

ulexus commented on pull request stagex/sxctl#4 2024年02月14日 17:39:38 +01:00
WIP: feat: add vuln scanner

Rather than reading the body in fully to a heap allocation and then unmarshalling, we can instead stream the Body as a reader into the parser. It doesn't make that much difference in RAM usage for something like this, but it does make the code cleaner. Ex:

ulexus commented on pull request stagex/sxctl#4 2024年02月14日 17:39:38 +01:00
WIP: feat: add vuln scanner

Writing a test for this process is going to be difficult, because the acquisition of the response is coupled with its processing. Because resp.Body is an io.Reader, I would consider making the processing of the report work with any io.Reader, so that you can cleanly substitute in canned local responses for testing.

ulexus commented on pull request stagex/sxctl#4 2024年02月14日 17:39:38 +01:00
WIP: feat: add vuln scanner

Here is a case where I would again use the namespacing to our advantage. The caller will be calling this as vulnerability.VulnerabilityReport, which is awkward. We can instead, just call this Report.

ulexus commented on pull request stagex/sxctl#4 2024年02月14日 17:39:38 +01:00
WIP: feat: add vuln scanner

It's fine to embed internal structs like this, but I find it to generally be cleaner to at least separate major subcomponents as top-level types, just referencing them herein. So this would become a slice of Vulnerability-s, rather than a slice of literal structs. This makes working with the internal structs easier, too, since you can deal with them as named entities.