Html out

.github/workflows/codeql-analysis.yml

@@ -31,11 +31,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+      uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@fdcae64e1484d349b3366718cdfef3d404390e85
+      uses: github/codeql-action/init@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -44,4 +44,4 @@ jobs:
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@fdcae64e1484d349b3366718cdfef3d404390e85
+      uses: github/codeql-action/analyze@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e

.github/workflows/make-github-and-docker-release.yml

@@ -20,7 +20,7 @@ jobs:
       packages: write
     steps:
       - name: Check out the repo
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
 
       - name: Setup NCA environment
         uses: ./.github/actions/setup-nca-env
@@ -31,21 +31,21 @@ jobs:
           echo "version=$VERSION" >> $GITHUB_ENV
 
       - name: Log in to Docker Hub
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09
+        uses: docker/build-push-action@44ea916f6c540f9302d50c2b1e5a8dc071f15cdf
         with:
           context: .
           push: true
           tags: ghcr.io/ibm/nca:${{ env.version }}
 
       - name: Build and push ubi-based Docker image
-        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09
+        uses: docker/build-push-action@44ea916f6c540f9302d50c2b1e5a8dc071f15cdf
         with:
           context: .
           file: Dockerfile.ubi

.github/workflows/reset-tests-expected-runtime.yml

@@ -13,21 +13,21 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
       - uses: ./.github/actions/setup-nca-env
-      - uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e
+      - uses: dawidd6/action-download-artifact@7132ab516fba5f602fafae6fdd4822afa10db76f
         with:
           workflow: test-push.yml
           workflow_conclusion: completed
           name: k8s-log
           path: tests/
-      - uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e
+      - uses: dawidd6/action-download-artifact@7132ab516fba5f602fafae6fdd4822afa10db76f
         with:
           workflow: test-push.yml
           workflow_conclusion: completed
           name: calico-log
           path: tests/
-      - uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e
+      - uses: dawidd6/action-download-artifact@7132ab516fba5f602fafae6fdd4822afa10db76f
         with:
           workflow: test-push.yml
           workflow_conclusion: completed

.github/workflows/scorecard.yml

@@ -24,12 +24,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0
+        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
         with:
           results_file: results.sarif
           results_format: sarif
@@ -47,6 +47,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@fdcae64e1484d349b3366718cdfef3d404390e85
+        uses: github/codeql-action/upload-sarif@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e # v2.1.27
         with:
           sarif_file: results.sarif

.github/workflows/update-tests-expected-output.yml

@@ -13,7 +13,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
       - uses: ./.github/actions/setup-nca-env
       - name: update or add expected output files
         run: |

.github/workflows/update-tests-expected-runtime.yml

@@ -13,7 +13,7 @@ jobs:
     outputs:
       changed_tests: ${{ steps.changes.outputs.changed_tests}}
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
         with:
           fetch-depth: 0
       - uses: ./.github/actions/setup-nca-env
@@ -28,21 +28,21 @@ jobs:
     needs: changed-tests
     if: ${{needs.changed-tests.outputs.changed_tests}}
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
       - uses: ./.github/actions/setup-nca-env
-      - uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e
+      - uses: dawidd6/action-download-artifact@7132ab516fba5f602fafae6fdd4822afa10db76f
         with:
           workflow: test-push.yml
           workflow_conclusion: completed
           name: k8s-log
           path: tests/
-      - uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e
+      - uses: dawidd6/action-download-artifact@7132ab516fba5f602fafae6fdd4822afa10db76f
         with:
           workflow: test-push.yml
           workflow_conclusion: completed
           name: calico-log
           path: tests/
-      - uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e
+      - uses: dawidd6/action-download-artifact@7132ab516fba5f602fafae6fdd4822afa10db76f
         with:
           workflow: test-push.yml
           workflow_conclusion: completed

Dockerfile

@@ -4,7 +4,7 @@
 #
 
 # Using python:3.9-slim
-FROM python@sha256:7476637ee33fae24822294643449e7fe9158708c976ea379037960d3007590a4
+FROM python@sha256:1fc44d17b4ca49a8715af80786f21fa5ed8cfd257a1e14e24f4a79b4ec329388
 
 COPY requirements.txt /nca/
 RUN python -m pip install -U pip wheel setuptools && pip install -r /nca/requirements.txt

Dockerfile.ubi

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache2.0
 #
 
-FROM registry.access.redhat.com/ubi8/ubi-minimal@sha256:8d43664c250c72d35af8498c7ff76a9f0d42f16b9b3b29f0caa747121778de0e
+FROM registry.access.redhat.com/ubi8/ubi-minimal@sha256:6910799b75ad41f00891978575a0d955be2f800c51b955af73926e7ab59a41c3
 
 USER 0
 

README.md

@@ -13,7 +13,7 @@ It takes such resources as input, in addition to a list of relevant endpoints, a
 - What are the endpoints that are not covered by any policy?
 - Are my policies implemented efficiently?
 
-## Installation (requires Python 3.9 or above)
+## Installation (requires Python 3.8 or above)
 For command-line use, NCA is installed with:
 ```shell
 pip install network-config-analyzer
@@ -95,8 +95,6 @@ The arguments to `--resource_list` and to `--base_resource_list` should be one o
   *shorthand* `-f`
 - `--expected_output <file name>`\
   A file path to the expected query output (for connectivity or semantic_diff queries).\
-- `--simplify_graph`\
-  simplify the connectivity graph, (relevant only when output_format is dot or jpg)
 - `--pr_url <URL>`\
    Write output as GitHub PR comment. URL points to the relevant `comments` resource in the GitHub API.\
    e.g., https://api.github.com/repos/shift-left-netconfig/online-boutique/issues/1/comments

docs/SchemeFileFormat.md

@@ -82,7 +82,6 @@ The supported entries in the outputConfiguration object are as follows:
 |------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------|
 | outputFormat     | Output format specification.                                                                                                                                                                                                                                                                                                                                                                                                           | string [ txt / yaml / csv / md / dot / jpg/ txt_no_fw_rules] |
 | outputPath       | A file path to redirect output into.                                                                                                                                                                                                                                                                                                                                                                                                   | string                                                       |
-| simplifyGraph    | Choose if to simplify the connectivity graph.                                                                                                                                                                                                                                                                                                                                                                                          | bool  [default: False]                                       |
 | outputEndpoints  | Choose endpoints type in output.                                                                                                                                                                                                                                                                                                                                                                                                       | string [ pods / deployments ]                                |
 | subset           | A dict object with the defined subset elements to display in the output                                                                                                                                                                                                                                                                                                                                                                | [subset](#subset) object                                     |
 | fullExplanation  | Choose if to print all counterexamples causing the query result in the output                                                                                                                                                                                                                                                                                                                                                          | bool                                                         |

nca/CoreDS/CanonicalHyperCubeSet.py

@@ -541,23 +541,20 @@ def _contained_in_aux(self, other, all_active_dims):  # noqa: C901
                 common_part = current_layer_0 & other_layer
                 has_common_part = bool(common_part)
                 if has_common_part:
-                    # if it's not last dim for both self and other, determine containment recursively
                     if not self._is_last_dimension() and not other._is_last_dimension() and \
                             not (self.layers[layer])._contained_in_aux(other_sub_elem, all_active_dims[1:]):
                         return False
-                    # if it's last dim for self but not for other: the remaining of other should be entire cube
-                    if self._is_last_dimension() and not other._is_last_dimension() and \
-                            not other_sub_elem._is_sub_elem_entire_sub_space():
-                        return False
-                    # if it's the last dim for other but not for self -> containment is satisfied on this part
-                    # at this point, sub-object from common_part is contained
                     remaining = current_layer_0 - common_part
                     if remaining:
                         # continue exploring other's cubes for containment of the remaining part from self
                         current_layer_0 = remaining
                     else:
-                        # count current cube (from current_layer_0) as contained in other
-                        is_subset_count += 1
+                        if self._is_last_dimension() and not other._is_last_dimension():
+                            # if it's last dim for self but not for other: the remaining of other should be entire cube
+                            if other_sub_elem._is_sub_elem_entire_sub_space():
+                                is_subset_count += 1
+                        else:
+                            is_subset_count += 1
                         break
         return is_subset_count == len(self.layers)
 

nca/CoreDS/ConnectionSet.py

@@ -528,12 +528,8 @@ def print_diff(self, other, self_name, other_name):
             return other_name + ' allows all connections while ' + self_name + ' does not.'
         for protocol, properties in self.allowed_protocols.items():
             if protocol not in other.allowed_protocols:
-                res = self_name + ' allows communication using protocol ' + \
-                      ProtocolNameResolver.get_protocol_name(protocol)
-                if not isinstance(properties, bool) and not properties.is_all():
-                    res += ' on ' + properties._get_first_item_str()
-                res += ' while ' + other_name + ' does not.'
-                return res
+                return self_name + ' allows communication using protocol ' + ProtocolNameResolver.get_protocol_name(protocol) \
+                    + ' while ' + other_name + ' does not.'
             other_properties = other.allowed_protocols[protocol]
             if properties != other_properties:
                 return ProtocolNameResolver.get_protocol_name(protocol) + ' protocol - ' + \
@@ -585,9 +581,8 @@ def get_non_tcp_connections():
     #  get rid of ConnectionSet and move the code below to ConnectivityProperties.py
 
     @staticmethod
-    def get_connection_set_and_peers_from_cube(the_cube, peer_container,
+    def get_connection_set_and_peers_from_cube(conn_cube, peer_container,
                                                relevant_protocols=ProtocolSet(True)):
-        conn_cube = the_cube.copy()
         src_peers = conn_cube["src_peers"] or peer_container.get_all_peers_group(True)
         conn_cube.unset_dim("src_peers")
         dst_peers = conn_cube["dst_peers"] or peer_container.get_all_peers_group(True)
@@ -662,10 +657,6 @@ def split_peer_set_to_fw_rule_elements(peer_set, cluster_info):
                 res.append(FWRule.IPBlockElement(peer))
                 peer_set_copy.remove(peer)
                 continue
-            elif isinstance(peer, FWRule.DNSEntry):
-                res.append(FWRule.DNSElement(peer))
-                peer_set_copy.remove(peer)
-                continue
             ns_peers = PeerSet(cluster_info.ns_dict[peer.namespace])
             if ns_peers.issubset(peer_set_copy):
                 ns_set.add(peer.namespace)
@@ -689,8 +680,6 @@ def fw_rules_to_conn_props(fw_rules, peer_container):
         :return: the resulting ConnectivityProperties.
         """
         res = ConnectivityProperties.make_empty_props()
-        if fw_rules.fw_rules_map is None:
-            return res
         for fw_rules_list in fw_rules.fw_rules_map.values():
             for fw_rule in fw_rules_list:
                 conn_props = fw_rule.conn.convert_to_connectivity_properties(peer_container)

nca/CoreDS/ConnectivityProperties.py

@@ -159,7 +159,7 @@ def get_cube_dict(self, cube, is_txt=False):
                 values_list = str(dim_values)
             elif dim in ["src_peers", "dst_peers"]:
                 peers_set = BasePeerSet().get_peer_set_by_indices(dim_values)
-                peers_str_list = sorted([str(peer.full_name()) for peer in peers_set])
+                peers_str_list = [str(peer.full_name()) for peer in peers_set]
                 values_list = ','.join(peers_str_list) if is_txt else peers_str_list
             elif dim_type == DimensionsManager.DimensionType.IntervalSet:
                 values_list = dim_values.get_interval_set_list_numbers_and_ranges()
@@ -491,14 +491,3 @@ def are_auto_conns(self):
             if cube[src_peers_index] != cube[dst_peers_index] or not cube[src_peers_index].is_single_value():
                 return False
         return True
-
-    def props_without_auto_conns(self):
-        """
-        Return the properties after removing all connections from peer to itself
-        """
-        peers = self.project_on_one_dimension("src_peers") | self.project_on_one_dimension("dst_peers")
-        auto_conns = ConnectivityProperties()
-        for peer in peers:
-            auto_conns |= ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet({peer}),
-                                                                            "dst_peers": PeerSet({peer})})
-        return self - auto_conns

nca/CoreDS/Peer.py

@@ -662,17 +662,15 @@ def get_ip_block_canonical_form(self):
                 res |= elem
         return res
 
-    def filter_ip_blocks_by_mask(self, ip_blocks_mask):
+    def filter_ipv6_blocks(self, ip_blocks_mask):
         """
         Update ip blocks in the peer set by keeping only parts overlapping with the given mask.
-        :param IpBlock ip_blocks_mask: the mask according to which ip blocks should be updated
+        :param ip_blocks_mask: the mask according to which ip blocks should be updated
         """
         peers_to_remove = []
         peers_to_add = []
         for peer in self:
             if isinstance(peer, IpBlock):
-                if peer.contained_in(ip_blocks_mask):
-                    continue  # optimization - avoid removing and adding the same peer
                 peers_to_remove.append(peer)
                 if peer.overlaps(ip_blocks_mask):
                     new_peer = peer.copy()