MCPcopy Index your code
hub / github.com/openai/plugins / verify_manifest_binding

Function verify_manifest_binding

plugins/codex-security/scripts/workbench_db.py:1014–1082  ·  view source on GitHub ↗
(scan: sqlite3.Row, manifest: dict[str, Any])

Source from the content-addressed store, hash-verified

1012
1013
1014def verify_manifest_binding(scan: sqlite3.Row, manifest: dict[str, Any]) -> None:
1015 manifest_scan = manifest.get("scan")
1016 if not isinstance(manifest_scan, dict):
1017 raise SystemExit("scan-manifest.json scan must be an object.")
1018 if manifest_scan.get("id") != scan["id"]:
1019 raise SystemExit("scan-manifest.json scan.id must match the workbench scan ID.")
1020 target = manifest_scan.get("target")
1021 if not isinstance(target, dict):
1022 raise SystemExit("scan-manifest.json scan.target must be an object.")
1023 expected_contract = scan_contract(scan)
1024 expected_target = expected_contract["target"]
1025 if target.get("targetId") != expected_target["targetId"]:
1026 raise SystemExit("scan-manifest.json targetId must match the workbench target.")
1027 if target.get("displayName") != expected_target["displayName"]:
1028 raise SystemExit("scan-manifest.json target displayName must match the workbench target.")
1029 if target.get("kind") not in expected_target["allowedKinds"]:
1030 raise SystemExit("scan-manifest.json target kind must match the workbench target.")
1031 if (
1032 scan["target_revision"] != "unversioned"
1033 and target.get("kind") in {"git_worktree", "git_revision"}
1034 and target.get("revision") != scan["target_revision"]
1035 ):
1036 raise SystemExit("scan-manifest.json target revision must match the workbench target.")
1037 if (
1038 scan["mode"] != "diff"
1039 and scan["target_snapshot_digest"] is not None
1040 and target.get("kind") in {"directory_snapshot", "git_worktree"}
1041 and target.get("snapshotDigest") != scan["target_snapshot_digest"]
1042 ):
1043 raise SystemExit(
1044 "scan-manifest.json target snapshotDigest must match the workbench target snapshot."
1045 )
1046 if scan["mode"] == "diff":
1047 if not scan["diff_target_kind"]:
1048 raise SystemExit("This migrated diff scan does not have a validated change set.")
1049 if target.get("baseRevision") != scan["diff_base_revision"]:
1050 raise SystemExit(
1051 "scan-manifest.json target baseRevision must match the workbench diff target."
1052 )
1053 if target.get("headRevision") != scan["diff_head_revision"]:
1054 raise SystemExit(
1055 "scan-manifest.json target headRevision must match the workbench diff target."
1056 )
1057 if (
1058 scan["diff_target_kind"] == "working_tree"
1059 and target.get("snapshotDigest") != scan["diff_content_digest"]
1060 ):
1061 raise SystemExit(
1062 "scan-manifest.json target snapshotDigest must match the selected "
1063 "working-tree contents."
1064 )
1065 scope = manifest_scan.get("scope")
1066 if not isinstance(scope, dict):
1067 raise SystemExit("scan-manifest.json scan.scope must be an object.")
1068 include_paths = scope.get("includePaths")
1069 if not isinstance(include_paths, list):
1070 raise SystemExit("scan-manifest.json scope includePaths must be an array.")
1071 if scope.get("excludePaths") != []:

Callers 3

complete_scan_lockedFunction · 0.85
export_findingsFunction · 0.85

Calls 3

scan_contractFunction · 0.85
path_within_scopeFunction · 0.85
getMethod · 0.45

Tested by

no test coverage detected