Enhance CMP Plugin Evaluation for Applications with Name-based Configuration #17948

Open
jsolana opened this issue Apr 24, 2024 · 1 comment · May be fixed by #18053
Labels
enhancement New feature or request

jsolana commented Apr 24, 2024

Summary

Modify the behavior during cmp plugin evaluation (DetectConfigManagementPlugin) to avoid transferring the entire repository to cmp-server when the application configures the plugin by name.

Motivation

In scenarios involving monorepos and/or multiple clusters, transferring the entire repository multiple times solely for verifying the correct configuration of the plugin can lead to disk usage bottlenecks impacting performance and resource utilization.

Proposal

Instead of transferring the entire repository during plugin evaluation, consider adjusting the implementation to return the client (cmpClient) without performing a matchRepository operation when the application's plugin is configured by its name.

utils/app/discovery/discovery.go

func cmpSupports(ctx context.Context, pluginSockFilePath, appPath, repoPath, fileName string, env []string, tarExcludedGlobs []string, namedPlugin bool) (io.Closer, pluginclient.ConfigManagementPluginServiceClient, bool) {
	absPluginSockFilePath, err := filepath.Abs(pluginSockFilePath)
	if err != nil {
		log.Errorf("error getting absolute path for plugin socket dir %v, %v", pluginSockFilePath, err)
		return nil, nil, false
	}
	address := filepath.Join(absPluginSockFilePath, fileName)
	if !files.Inbound(address, absPluginSockFilePath) {
		log.Errorf("invalid socket file path, %v is outside plugin socket dir %v", fileName, pluginSockFilePath)
		return nil, nil, false
	}

	cmpclientset := pluginclient.NewConfigManagementPluginClientSet(address)

	conn, cmpClient, err := cmpclientset.NewConfigManagementPluginClient()
	if err != nil {
		log.WithFields(log.Fields{
			common.SecurityField:    common.SecurityMedium,
			common.SecurityCWEField: common.SecurityCWEMissingReleaseOfFileDescriptor,
		}).Errorf("error dialing to cmp-server for plugin %s, %v", fileName, err)
		return nil, nil, false
	}
	
	// if plugin name is specified, let's return the client directly
	if namedPlugin {
		return conn, cmpClient, true
	}

	isSupported, _, err := matchRepositoryCMP(ctx, appPath, repoPath, cmpClient, env, tarExcludedGlobs)
	if err != nil {
		log.WithFields(log.Fields{
			common.SecurityField:    common.SecurityMedium,
			common.SecurityCWEField: common.SecurityCWEMissingReleaseOfFileDescriptor,
		}).Errorf("repository %s is not the match because %v", repoPath, err)
		io.Close(conn)
		return nil, nil, false
	}

	if !isSupported {
		log.WithFields(log.Fields{
			common.SecurityField:    common.SecurityLow,
			common.SecurityCWEField: common.SecurityCWEMissingReleaseOfFileDescriptor,
		}).Debugf("Reponse from socket file %s does not support %v", fileName, repoPath)
		io.Close(conn)
		return nil, nil, false
	}
	return conn, cmpClient, true
}
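
The order of checks in the proposed function, as an added Go example that is not part of the issue or of Argo CD's code: the named-plugin shortcut sits after the socket-path containment check, so a plugin name that resolves outside the socket directory is still rejected even though the repository match is skipped. `inbound`, `matcher` and `resolvePlugin` are hypothetical stand-ins, the dial step is omitted, and the plugin names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// inbound reports whether candidate resolves inside baseDir (stand-in, not Argo CD's files.Inbound).
func inbound(candidate, baseDir string) bool {
	rel, err := filepath.Rel(baseDir, candidate)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// matcher stands in for matchRepositoryCMP, the step that streams the repository to cmp-server.
type matcher func() (bool, error)

// resolvePlugin mirrors the order of checks in the proposed cmpSupports:
// socket path containment first, then the named-plugin shortcut, then the match.
// It returns the socket address and whether the repository match was invoked.
func resolvePlugin(sockDir, fileName string, namedPlugin bool, match matcher) (string, bool, error) {
	absDir, err := filepath.Abs(sockDir)
	if err != nil {
		return "", false, err
	}
	address := filepath.Join(absDir, fileName)
	if !inbound(address, absDir) {
		return "", false, errors.New("socket file path is outside plugin socket dir")
	}
	if namedPlugin {
		return address, false, nil // named plugin: no repository transfer
	}
	ok, err := match()
	if err != nil || !ok {
		return "", true, errors.Join(errors.New("plugin does not match repository"), err)
	}
	return address, true, nil
}

func main() {
	match := func() (bool, error) { return true, nil }
	for _, name := range []string{"my-plugin.sock", "../outside.sock"} { // constructed names
		fmt.Println(resolvePlugin("/tmp/plugins", name, true, match))
	}
}
```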
@jsolana jsolana added the enhancement New feature or request label Apr 24, 2024
@jsolana jsolana changed the title Avoid matchRepository if plugin Enhance CMP Plugin Evaluation for Applications with Name-based Configuration Apr 24, 2024
jsolana commented Apr 24, 2024

If it is ok, I can create the MR :)
