Hipcheck 3.8.0 Release

Written by Andrew Lilley Brinker

Posted on December 11, 2024

Introducing Hipcheck 3.8.0, with stable support for third-party plugins, a suite of initial plugins, and a lot of polish for the plugin user experience.


📦  Stable Support for Plugins

In Hipcheck 3.6.2, we introduced experimental support for plugins, which add support for new data sources and analyses to Hipcheck. The goals of the plugin system are to enable anyone to expand Hipcheck's analysis capabilities themselves and to ensure it's the best tool for users to express and enforce their own policies for third-party dependencies.

Plugins in Hipcheck work by submitting queries to each other; when a plugin is specified in a user's policy file, Hipcheck runs that plugin's "default query," sending information about the target source repository and any package the user is analyzing. Those plugins can then make queries back to Hipcheck, which Hipcheck dispatches out to the appropriate plugin. For every query, Hipcheck also caches the result and can reuse it for any other plugins that need it. Even better, plugins expose JSON schemas for all queries which Hipcheck validates, and which dependent plugins can use to ensure compatibility.

Since 3.6.2, we've been working on testing and improving the plugin system, and on transitioning Hipcheck's existing data sources and analyses out from the hc program itself and into plugins.

This transition, to make all data sources and analyses run as plugins, ensures we gain firsthand experience with the plugin system and with our Rust plugin SDK. During this transition we identified bugs and deficiencies in the plugin system which have been fixed or have spurred the creation of RFDs proposing enhancements, including:

  • Chunked requests for plugin queries (RFD #10), to enable sending queries with large keys, which can arise when analyzing large Git repositories like the Linux kernel repository.
  • Support for batch querying (RFD #9), to enable sending many small queries which are cached independently but combined in a single query to reduce gRPC overhead.

We expect to implement these RFDs in future versions of Hipcheck.

Introducing the New Plugins

The following table lists all of the plugins added, and links to the documentation for each plugin:

Plugin Name        | Top-Level? | Download Manifest Location
-------------------|------------|----------------------------------------------------------
mitre/activity     | Yes        | https://hipcheck.mitre.org/dl/plugin/mitre/activity.kdl
mitre/affiliation  | Yes        | https://hipcheck.mitre.org/dl/plugin/mitre/affiliation.kdl
mitre/binary       | Yes        | https://hipcheck.mitre.org/dl/plugin/mitre/binary.kdl
mitre/churn        | Yes        | https://hipcheck.mitre.org/dl/plugin/mitre/churn.kdl
mitre/entropy      | Yes        | https://hipcheck.mitre.org/dl/plugin/mitre/entropy.kdl
mitre/fuzz         | Yes        | https://hipcheck.mitre.org/dl/plugin/mitre/fuzz.kdl
mitre/git          | -          | https://hipcheck.mitre.org/dl/plugin/mitre/git.kdl
mitre/github       | -          | https://hipcheck.mitre.org/dl/plugin/mitre/github.kdl
mitre/identity     | Yes        | https://hipcheck.mitre.org/dl/plugin/mitre/identity.kdl
mitre/linguist     | -          | https://hipcheck.mitre.org/dl/plugin/mitre/linguist.kdl
mitre/npm          | -          | https://hipcheck.mitre.org/dl/plugin/mitre/npm.kdl
mitre/review       | Yes        | https://hipcheck.mitre.org/dl/plugin/mitre/review.kdl
mitre/typo         | Yes        | https://hipcheck.mitre.org/dl/plugin/mitre/typo.kdl

The plugins listed as being "top-level" can be used directly in a policy file, because they support a default query accepting a Hipcheck "target" to analyze.

The "download manifest locations" specify the files Hipcheck uses to determine what artifacts to download for a plugin based on your desired version and current architecture. You specify a plugin in a plugins block in your policy file, like so:

plugins {
    plugin "mitre/activity" version="0.1.0" \
        manifest="https://hipcheck.mitre.org/dl/plugin/mitre/activity.kdl"
}
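To make the query flow described above concrete (a top-level plugin's default query is run against a target, the plugin queries back through Hipcheck, every result is cached per query key, and keys and results are checked against the JSON schema each query declares), here is an added toy model in Python. It is not Hipcheck's code or its Rust SDK: the plugin names (example/git, example/activity, example/churn), query names, schemas, commit data and target are all constructed for the illustration, the schema checker covers only a small subset of JSON Schema, and the real system exchanges queries over gRPC rather than in-process calls. It also shows why a data plugin with no default query is not "top-level": the host only runs default queries, and the analysis plugins reach the Git data through the host.

```python
"""Toy model of Hipcheck-style plugin query dispatch (added example, not
Hipcheck's code). A host runs each top-level plugin's default query on a
target, routes the queries plugins make back to it, caches every result by
(plugin, query, key), and validates keys and results against declared schemas."""
import json
from datetime import date

# Constructed reference date (the post's publication date) so the example is
# deterministic and does not depend on the wall clock.
TODAY = date(2024, 12, 11)

# Constructed commit history standing in for what a Git data plugin would read.
COMMITS = [
    {"hash": "a1b2c3", "date": "2024-11-20", "lines_changed": 120},
    {"hash": "d4e5f6", "date": "2024-12-01", "lines_changed": 30},
]
TARGET = {"repo": "https://example.invalid/repo.git"}  # constructed target

TARGET_SCHEMA = {"type": "object", "required": ["repo"],
                 "properties": {"repo": {"type": "string"}}}
COMMIT_SCHEMA = {"type": "array", "items": {
    "type": "object", "required": ["hash", "date", "lines_changed"],
    "properties": {"hash": {"type": "string"}, "date": {"type": "string"},
                   "lines_changed": {"type": "integer"}}}}


def check_schema(value, schema):
    """Validate against a small JSON Schema subset: type, required,
    properties and items. Enough to show checking at the dispatch boundary."""
    kind = schema.get("type")
    if kind == "object":
        return (isinstance(value, dict)
                and all(k in value for k in schema.get("required", []))
                and all(check_schema(value[k], s)
                        for k, s in schema.get("properties", {}).items() if k in value))
    if kind == "array":
        items = schema.get("items", {})
        return isinstance(value, list) and all(check_schema(v, items) for v in value)
    if kind == "integer":
        return isinstance(value, int) and not isinstance(value, bool)
    if kind == "number":
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    if kind == "string":
        return isinstance(value, str)
    return True  # no type constraint given


class Host:
    """Dispatches queries between registered plugins and caches results."""

    def __init__(self):
        self.plugins = {}      # plugin -> query -> (handler, key schema, result schema)
        self.cache = {}        # (plugin, query, canonical key JSON) -> result
        self.invocations = 0   # real handler calls; cache hits are not counted

    def register(self, name, queries):
        self.plugins[name] = queries

    def query(self, plugin, name, key):
        # Canonical JSON of the key so structurally equal keys share one cache slot.
        slot = (plugin, name, json.dumps(key, sort_keys=True))
        if slot in self.cache:
            return self.cache[slot]
        handler, key_schema, result_schema = self.plugins[plugin][name]
        if not check_schema(key, key_schema):
            raise ValueError(f"{plugin}/{name}: key does not match schema")
        self.invocations += 1
        result = handler(self, key)
        if not check_schema(result, result_schema):
            raise ValueError(f"{plugin}/{name}: result does not match schema")
        self.cache[slot] = result
        return result

    def run_policy(self, top_level, target):
        """Run each top-level plugin's default query against the target."""
        return {p: self.query(p, "default", target) for p in top_level}


# Constructed plugins: a data plugin without a default query (not top-level)
# and two analysis plugins that obtain commits through the host, not from Git.
def git_commits(host, key):
    return COMMITS


def activity_default(host, key):
    commits = host.query("example/git", "commits", key)
    newest = max(date.fromisoformat(c["date"]) for c in commits)
    return {"days_since_last_commit": (TODAY - newest).days}


def churn_default(host, key):
    commits = host.query("example/git", "commits", key)
    return {"mean_lines_changed": sum(c["lines_changed"] for c in commits) / len(commits)}


def build_host():
    host = Host()
    host.register("example/git", {"commits": (git_commits, TARGET_SCHEMA, COMMIT_SCHEMA)})
    host.register("example/activity", {"default": (activity_default, TARGET_SCHEMA,
        {"type": "object", "required": ["days_since_last_commit"],
         "properties": {"days_since_last_commit": {"type": "integer"}}})})
    host.register("example/churn", {"default": (churn_default, TARGET_SCHEMA,
        {"type": "object", "required": ["mean_lines_changed"],
         "properties": {"mean_lines_changed": {"type": "number"}}})})
    return host


if __name__ == "__main__":
    host = build_host()
    print(json.dumps(host.run_policy(["example/activity", "example/churn"], TARGET), indent=2))
    print("handler invocations:", host.invocations)  # 3: the commits query ran once
```

Running it, both analysis plugins ask the Git plugin for the same commits, but the handler runs once; the second request is served from the cache because the canonicalised key is identical. A result that violates its declared schema (for instance a commit whose hash is a number) is rejected at the host boundary before any dependent plugin sees it, which is the role the JSON schemas play between plugins in the real system.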

🦀  Rust SDK version 0.2.0

This release also includes improvements for the Hipcheck Rust SDK, including:

  • New Features

    • Plugins can now report "concerns," additional information to inform a Hipcheck user what to inspect if they want to further investigate a target (#511)
    • Reduced the size of compiled code from the SDK using non-generic inner functions (#488)
    • Added ability for plugin test code to mock query responses (#476)
  • Bugfixes

    • Fixed bugs with query chunking which could result in errors when analyzing large repositories (#630)
    • Fixed bug that resulted in duplicate reporting of query explanations for the default query of a plugin (#605)
    • Fixed bug that caused failing queries to not send errors over gRPC back to Hipcheck core (#548)

🗺️  How to Get Involved

Hipcheck is an open source project, and we'd love to get more contributors involved in building it. This doesn't just mean contributing to hc itself or building plugins, but also contributing to the website, improving the documentation, asking questions and sharing ideas in the issue tracker and discussions forum, and writing about your own experiences and lessons with Hipcheck for others to read.

We have big plans for version 3.9.0 and beyond, including:

  • Version 3.9.0
    • Query Batching and Submit Chunking
    • Integrating plugins with the hc ready command
  • Version 3.10.0
    • Substantial plugin documentation improvements, especially for creating your own plugins
    • Refactoring target resolution to make it easier to add support for more types of targets, like more SBOM formats or package hosts
  • Version 3.11.0
    • Explainable policy expressions, improving reporting of failed analyses by explaining policy expressions in plain language
    • Overhaul result reporting to make it easier to improve in the future, and improve parity between the human-readable and JSON formats
    • Upgrade salsa, the Rust package we use internally for query caching, to the latest major version
    • Introduce new documentation on how to become a Hipcheck developer yourself

You can see the full roadmap on GitHub.

⭐️  Thank You to Our Contributors and Supporters

I want to say a big "Thank you!" to everyone who supports the project here at MITRE, to CISA for sponsoring our current work on it, to our prior government sponsors who have helped advance Hipcheck, and to everyone who has contributed, given feedback, or encouraged us in building it.

Thank you especially to the contributors for this release: