Merge pull request #4937 from linuxfoundation/unicron-add-remove-co-authored-by-option-prod

Update comment message, add test case, fix vulnerablities

Author: lukaszgryglicki

.gitignore

@@ -3,6 +3,12 @@
 *.pem
 .mypy_cache
 
+# Go binaries
+cla-backend-legacy/bin/
+cla-backend-legacy/legacy-api
+cla-backend-legacy/legacy-api-local
+cla-backend-legacy/bin/legacy-api-lambda
+
 # Logs
 logs
 *.log
@@ -234,6 +240,7 @@ Desktop.ini
 
 # Build files
 dist/*
+bin/*
 
 # Playground tmp files
 .playground
@@ -269,4 +276,12 @@ cla-backend-go/golang-api.log
 utils/otel_dd_go/otel_dd
 audit.json
 spans*.json
-api_usage.csv
+*api_usage.csv
+
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+*.test
+*.out

cla-backend-go/github/github_repository.go

@@ -53,6 +53,8 @@ Supported |Co-authored-by:| formats include:
 4) |Anything <other-email>| - it will locate your GitHub user by |other-email| part but only if that email was used before for any other CLA as a main commit author.
 5) |login <any-valid-email>| - it will locate your GitHub user by |login| part, note that |login| part must be at least 3 characters long.
 
+Alternatively, if the co-author should not be included, remove the |Co-authored-by:| line from the commit message.
+
 Please update your commit message(s) by doing |git commit --amend| and then |git push [--force]| and then request re-running CLA check via commenting on this pull request:
 
 |||

cla-backend-go/github/github_repository_test.go

@@ -0,0 +1,62 @@
+// Copyright The Linux Foundation and each contributor to CommunityBridge.
+// SPDX-License-Identifier: MIT
+
+package github
+
+import (
+	"testing"
+
+	gh "github.com/google/go-github/v37/github"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetCommentBodyIncludesCoAuthorRemovalGuidance(t *testing.T) {
+	signed := []*UserCommitSummary{{
+		SHA: "abc1234xyz-123",
+		CommitAuthor: &gh.User{
+			ID:    gh.Int64(1234),
+			Login: gh.String("login_value"),
+			Name:  gh.String("author name"),
+			Email: gh.String("foo@bar.com"),
+		},
+		Affiliated: true,
+		Authorized: true,
+	}}
+
+	missing := []*UserCommitSummary{{
+		SHA: "some_other_sha",
+		CommitAuthor: &gh.User{
+			ID:    gh.Int64(123456),
+			Login: gh.String("login_value2"),
+			Name:  gh.String("author name2"),
+			Email: gh.String("foo2@bar.com"),
+		},
+		Affiliated: false,
+		Authorized: false,
+	}}
+
+	body := getCommentBody("github", "https://foo.com", signed, missing, true)
+
+	assert.Contains(t, body, "One or more co-authors of this pull request were not found")
+	assert.Contains(t, body, "Alternatively, if the co-author should not be included, remove the `Co-authored-by:` line from the commit message.")
+	assert.NotContains(t, body, "|Co-authored-by:|")
+}
+
+func TestGetCommentBodyOmitsCoAuthorRemovalGuidanceWhenNoCoAuthorIsMissing(t *testing.T) {
+	missing := []*UserCommitSummary{{
+		SHA: "some_other_sha",
+		CommitAuthor: &gh.User{
+			ID:    gh.Int64(123456),
+			Login: gh.String("login_value2"),
+			Name:  gh.String("author name2"),
+			Email: gh.String("foo2@bar.com"),
+		},
+		Affiliated: false,
+		Authorized: false,
+	}}
+
+	body := getCommentBody("github", "https://foo.com", nil, missing, false)
+
+	assert.NotContains(t, body, "One or more co-authors of this pull request were not found")
+	assert.NotContains(t, body, "Alternatively, if the co-author should not be included, remove the `Co-authored-by:` line from the commit message.")
+}

cla-backend-go/go.mod

@@ -2,7 +2,9 @@
 // SPDX-License-Identifier: MIT
 module github.com/linuxfoundation/easycla/cla-backend-go
 
-go 1.24
+go 1.24.0
+
+toolchain go1.24.4
 
 replace github.com/awslabs/aws-lambda-go-api-proxy => github.com/LF-Engineering/aws-lambda-go-api-proxy v0.3.2
 
@@ -68,12 +70,12 @@ require (
 require (
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1
 	github.com/bradleyfalzon/ghinstallation/v2 v2.2.0
-	github.com/golang-jwt/jwt v3.2.2+incompatible
-	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/golang-jwt/jwt/v4 v4.5.2
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0
 	go.opentelemetry.io/otel v1.40.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.40.0
 	go.opentelemetry.io/otel/sdk v1.40.0
+	go.opentelemetry.io/otel/trace v1.40.0
 )
 
 require (
@@ -131,7 +133,6 @@ require (
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0 // indirect
 	go.opentelemetry.io/otel/metric v1.40.0 // indirect
-	go.opentelemetry.io/otel/trace v1.40.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 	golang.org/x/text v0.33.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 // indirect

cla-backend-go/go.sum

@@ -285,10 +285,9 @@ github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/V
 github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw=
 github.com/gofrs/uuid v4.0.0+incompatible h1:1SD/1F5pU8p29ybwgQSwpQk+mwdRrXCYuPhW6m+TnJw=
 github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
-github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
+github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/dep v0.5.4/go.mod h1:6RZ2Wai7dSWk7qL55sDYk+8UPFqcW7all2KDBraPPFA=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=

cla-backend-go/package.json

@@ -26,11 +26,13 @@
     "serverless-layers": "^2.6.1",
     "serverless-plugin-tracing": "^2.0.0",
     "serverless-prune-plugin": "^2.0.2",
+    "simple-git": "^3.33.0",
     "xml2js": "^0.6.0",
     "yarn-audit-fix": "^9.3.10"
   },
   "resolutions": {
     "axios": "^0.30.3",
+    "tar": "^7.5.10",
     "ansi-regex": "^5.0.1",
     "aws-sdk": "^2.1329.0",
     "cookiejar": "^2.1.4",
@@ -44,11 +46,10 @@
     "normalize-url": "^4.5.1",
     "qs": "^6.14.2",
     "set-value": "^4.0.1",
-    "simple-git": "^3.16.0",
+    "simple-git": "^3.33.0",
     "ws": ">=7.5.10",
     "xmlhttprequest-ssl": "^1.6.2",
     "form-data": "^4.0.4",
-    "tar": "^7.5.8",
     "minimatch": "^10.2.1",
     "fast-xml-parser": "^5.3.6"
   }

cla-backend-go/telemetry/datadog_otlp.go

@@ -132,16 +132,11 @@ func InitDatadogOTel(cfg DatadogOTelConfig) error {
 
 // WrapHTTPHandler instruments inbound HTTP requests using otelhttp and produces spans.
 func WrapHTTPHandler(next http.Handler) http.Handler {
-	// Regexes mirror ./utils/count_apis.sh so OTel span names group the same way as the offline API log rollups:
-	// - collapse multiple slashes
-	// - trim trailing slash
-	// - mask common asset extensions -> ".{asset}"
-	// - normalize Swagger assets "/vN/swagger.{asset}" -> "/vN/swagger" (keep version; do NOT map to /v*)
-	// - mask UUIDs, numeric IDs, Salesforce IDs, LFX IDs, and literal "null" segments
 	reMultiSlash := regexp.MustCompile(`/{2,}`)
 	reAssetExt := regexp.MustCompile(`\.(png|svg|css|js|json|xml|htm|html)$`)
 	reSwaggerAsset := regexp.MustCompile(`^(/v[0-9]+)/swagger\.\{asset\}$`)
-	// UUIDs: classify valid vs invalid (E2E often probes invalid IDs)
+	reSwaggerJSONResource := regexp.MustCompile(`^(/v[0-9]+/swagger\.json)/.+$`)
+	reSwaggerTemplatedResource := regexp.MustCompile(`^(/v[0-9]+/swagger\.\{asset\})/.+$`)
 	reUUIDValid := regexp.MustCompile(`[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}`)
 	reUUIDLike := regexp.MustCompile(`/[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}(/|$)`)
 	reUUIDHexDash36 := regexp.MustCompile(`/[0-9a-fA-F-]{36}(/|$)`)
@@ -151,8 +146,15 @@ func WrapHTTPHandler(next http.Handler) http.Handler {
 	reLFXIDValid := regexp.MustCompile(`/lf[A-Za-z0-9]{16,22}(/|$)`)
 	reLFXIDLike := regexp.MustCompile(`/lf[^/]{1,32}(/|$)`)
 	reNull := regexp.MustCompile(`/null(/|$)`)
+	reUndefined := regexp.MustCompile(`/undefined(/|$)`)
 	reInvalidUUIDSeg := regexp.MustCompile(`/(?:invalid-uuid(?:-format)?|not-a-uuid)(/|$)`)
 	reInvalidSFIDSeg := regexp.MustCompile(`/invalid-sfid(?:-format)?(/|$)`)
+	reUsersUsername := regexp.MustCompile(`^(/v[0-9]+/users/username)/[^/]+$`)
+	reCompanyName := regexp.MustCompile(`^(/v[0-9]+/company/name)/[^/]+$`)
+	reCompanyUserCLAManagerDesignee := regexp.MustCompile(`^(/v[0-9]+/company/[^/]+/user)/[^/]+(/claGroupID/[^/]+/is-cla-manager-designee)$`)
+	reProjectCLAManagerUser := regexp.MustCompile(`^(/v[0-9]+/company/[^/]+/project/[^/]+/cla-manager)/[^/]+$`)
+	reRepositoryProviderGithubSignNumeric := regexp.MustCompile(`^(/v[0-9]+/repository-provider/github/sign/[^/]+)/[0-9]+(/[^/]+)$`)
+	reSignedIndividualGithubNumeric := regexp.MustCompile(`^(/v[0-9]+/signed/individual/[^/]+)/[0-9]+(/[^/]+)$`)
 
 	boolishTrue := func(v string) bool {
 		switch strings.ToLower(strings.TrimSpace(v)) {
@@ -177,29 +179,32 @@ func WrapHTTPHandler(next http.Handler) http.Handler {
 			p = strings.TrimSuffix(p, "/")
 		}
 
-		// Asset extensions (including swagger.json/xml/html) -> ".{asset}"
+		p = reSwaggerJSONResource.ReplaceAllString(p, "$1/{resource}")
+		p = reSwaggerTemplatedResource.ReplaceAllString(p, "$1/{resource}")
+		p = reUsersUsername.ReplaceAllString(p, "$1/{name}")
+		p = reCompanyName.ReplaceAllString(p, "$1/{name}")
+		p = reCompanyUserCLAManagerDesignee.ReplaceAllString(p, "$1/{name}$2")
+		p = reProjectCLAManagerUser.ReplaceAllString(p, "$1/{name}")
+		p = reRepositoryProviderGithubSignNumeric.ReplaceAllString(p, "$1/{n}$2")
+		p = reSignedIndividualGithubNumeric.ReplaceAllString(p, "$1/{n}$2")
 		p = reAssetExt.ReplaceAllString(p, ".{asset}")
-
-		// Keep the version (/v1, /v2, ...) but normalize swagger asset paths.
 		if m := reSwaggerAsset.FindStringSubmatch(p); m != nil {
 			p = m[1] + "/swagger"
 		}
 
-		// Dynamic segment masking (use template placeholders, not "*")
-		// UUIDs: valid vs invalid
 		p = reUUIDValid.ReplaceAllString(p, "{uuid}")
 		p = reUUIDLike.ReplaceAllString(p, "/{invalid-uuid}$1")
 		p = reUUIDHexDash36.ReplaceAllString(p, "/{invalid-uuid}$1")
-		p = reNumericID.ReplaceAllString(p, "/{id}$1")
-		p = reNumericID.ReplaceAllString(p, "/{id}$1")
-		// Salesforce IDs: valid vs invalid
+		for prev := ""; p != prev; {
+			prev = p
+			p = reNumericID.ReplaceAllString(p, "/{id}$1")
+		}
 		p = reSFIDValid.ReplaceAllString(p, "/{sfid}$1")
 		p = reSFIDLike.ReplaceAllString(p, "/{invalid-sfid}$1")
-		// LFX IDs: valid vs invalid
 		p = reLFXIDValid.ReplaceAllString(p, "/{lfxid}$1")
 		p = reLFXIDLike.ReplaceAllString(p, "/{invalid-lfxid}$1")
 		p = reNull.ReplaceAllString(p, "/{null}$1")
-		// Known "invalid" test tokens (Cypress) -> placeholders
+		p = reUndefined.ReplaceAllString(p, "/{undefined}$1")
 		p = reInvalidUUIDSeg.ReplaceAllString(p, "/{invalid-uuid}$1")
 		p = reInvalidSFIDSeg.ReplaceAllString(p, "/{invalid-sfid}$1")
 

cla-backend-go/v2/sign/jwt.go

@@ -6,7 +6,7 @@ package sign
 import (
 	"time"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	log "github.com/linuxfoundation/easycla/cla-backend-go/logging"
 	"github.com/linuxfoundation/easycla/cla-backend-go/utils"
 	"github.com/sirupsen/logrus"

cla-backend-go/yarn.lock

@@ -2385,13 +2385,20 @@ dayjs@^1.11.8:
   resolved "https://registry.yarnpkg.com/dayjs/-/dayjs-1.11.13.tgz#92430b0139055c3ebb60150aa13e860a4b5a366c"
   integrity sha512-oaMBel6gjolK862uaPQOVTA7q3TZhuSvuMQAAglQDOWYO9A91IrAOUJEyKVlqJlHE0vq5p5UXxzdPfMH/x6xNg==
 
-debug@4, debug@^4.1.1, debug@^4.3.4, debug@^4.3.5:
+debug@4, debug@^4.1.1, debug@^4.3.4:
   version "4.4.0"
   resolved "https://registry.yarnpkg.com/debug/-/debug-4.4.0.tgz#2b3f2aea2ffeb776477460267377dc8710faba8a"
   integrity sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==
   dependencies:
     ms "^2.1.3"
 
+debug@^4.4.0:
+  version "4.4.3"
+  resolved "https://registry.yarnpkg.com/debug/-/debug-4.4.3.tgz#c6ae432d9bd9662582fce08709b038c58e9e3d6a"
+  integrity sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==
+  dependencies:
+    ms "^2.1.3"
+
 decompress-response@^6.0.0:
   version "6.0.0"
   resolved "https://registry.yarnpkg.com/decompress-response/-/decompress-response-6.0.0.tgz#ca387612ddb7e104bd16d85aab00d5ecf09c66fc"
@@ -4783,14 +4790,14 @@ signal-exit@^3.0.2, signal-exit@^3.0.7:
   resolved "https://registry.yarnpkg.com/signal-exit/-/signal-exit-3.0.7.tgz#a9a1767f8af84155114eaabd73f99273c8f59ad9"
   integrity sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ==
 
-simple-git@^3.16.0:
-  version "3.27.0"
-  resolved "https://registry.yarnpkg.com/simple-git/-/simple-git-3.27.0.tgz#f4b09e807bda56a4a3968f635c0e4888d3decbd5"
-  integrity sha512-ivHoFS9Yi9GY49ogc6/YAi3Fl9ROnF4VyubNylgCkA+RVqLaKWnDSzXOVzya8csELIaWaYNutsEuAhZrtOjozA==
+simple-git@^3.16.0, simple-git@^3.33.0:
+  version "3.33.0"
+  resolved "https://registry.yarnpkg.com/simple-git/-/simple-git-3.33.0.tgz#b903dc70f5b93535a4f64ff39172da43058cfb88"
+  integrity sha512-D4V/tGC2sjsoNhoMybKyGoE+v8A60hRawKQ1iFRA1zwuDgGZCBJ4ByOzZ5J8joBbi4Oam0qiPH+GhzmSBwbJng==
   dependencies:
     "@kwsites/file-exists" "^1.1.1"
     "@kwsites/promise-deferred" "^1.1.1"
-    debug "^4.3.5"
+    debug "^4.4.0"
 
 slash@^3.0.0:
   version "3.0.0"
@@ -5032,10 +5039,10 @@ tar-stream@^2.1.0, tar-stream@^2.2.0:
     inherits "^2.0.3"
     readable-stream "^3.1.1"
 
-tar@^6.1.15, tar@^7.5.8:
-  version "7.5.9"
-  resolved "https://registry.yarnpkg.com/tar/-/tar-7.5.9.tgz#817ac12a54bc4362c51340875b8985d7dc9724b8"
-  integrity sha512-BTLcK0xsDh2+PUe9F6c2TlRp4zOOBMTkoQHQIWSIzI0R7KG46uEwq4OPk2W7bZcprBMsuaeFsqwYr7pjh6CuHg==
+tar@^6.1.15, tar@^7.5.10:
+  version "7.5.11"
+  resolved "https://registry.yarnpkg.com/tar/-/tar-7.5.11.tgz#1250fae45d98806b36d703b30973fa8e0a6d8868"
+  integrity sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==
   dependencies:
     "@isaacs/fs-minipass" "^4.0.0"
     chownr "^3.0.0"