Commit
Include new `app_blocking_match_based_ids` field in `ci_scan_complete_response` (#326)

Right now whether or not a CI scan should exit with code 1 is determined _mostly_ by the CLI, but the app can use the `app_block_override` field of `ci_scan_complete_response` to tell the CLI to exit with code 1 no matter what. This is currently used to support blocking scans when we detect a dependency with a blocked license.

We're currently working on a project which includes making it more customizable within the app whether or not a given finding should be blocking, right now just for supply chain, but with the aim to eventually move the computation of blocking findings entirely to the app. So we'd like to be able to tell the CLI not only "please block" but also "here is the list of findings that the app determined are blocking".

- [x] I ran `make setup && make` to update the generated code after editing a `.atd` file (TODO: have a CI check)
- [x] I made sure we're still backward compatible with old versions of the CLI. For example, the Semgrep backend needs to still be able to *consume* data generated by Semgrep 1.50.0. See https://atd.readthedocs.io/en/latest/atdgen-tutorial.html#smooth-protocol-upgrades
  Note that the types related to the semgrep-core JSON output or the semgrep-core RPC do not need to be backward compatible!