Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix VDR export containing non-vulnerable components #2878

Merged
merged 1 commit into from
Aug 14, 2023
Merged

Fix VDR export containing non-vulnerable components #2878

merged 1 commit into from
Aug 14, 2023

Conversation

nscuro
Copy link
Member

@nscuro nscuro commented Jul 8, 2023

Description

This PR fixes the CycloneDX VDR export to not contain components that are not affected by any vulnerability.

Addressed Issue

Fixes #2788

Additional Details

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have added corresponding update logic
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

@nscuro
Fix VDR export containing non-vulnerable components
f2d6b07 
Fixes DependencyTrack#2788

Signed-off-by: nscuro <nscuro@protonmail.com>
sonatype-lift[bot]
sonatype-lift bot reviewed Jul 8, 2023
View reviewed changes
src/main/java/org/dependencytrack/parser/cyclonedx/util/ModelConverter.java
dependencies.add(dependency);
}

return dependencies;
}

private static List<Dependency> convertDirectDependencies(final String directDependenciesRaw) {
private static List<Dependency> convertDirectDependencies(final String directDependenciesRaw, final List<Component> components) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

15% of developers fix this issue

MixedMutabilityReturnType: This method returns both mutable and immutable collections or maps from different paths. This may be confusing for users of the method.

Suggested change
private static List<Dependency> convertDirectDependencies(final String directDependenciesRaw, final List<Component> components) {
private static ImmutableList<Dependency> convertDirectDependencies(final String directDependenciesRaw, final List<Component> components) {
ℹ️ Expand to see all @sonatype-lift commands

You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.

Command Usage
@sonatype-lift ignore Leave out the above finding from this PR
@sonatype-lift ignoreall Leave out all the existing findings from this PR
@sonatype-lift exclude <file|issue|path|tool> Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file

Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.

@sonatype-lift
Copy link
Contributor

sonatype-lift bot commented Jul 8, 2023

🛠 Lift Auto-fix

Some of the Lift findings in this PR can be automatically fixed. You can download and apply these changes in your local project directory of your branch to review the suggestions before committing.1

# Download the patch
curl https://lift.sonatype.com/api/patch/github.com/DependencyTrack/dependency-track/2878.diff -o lift-autofixes.diff

# Apply the patch with git
git apply lift-autofixes.diff

# Review the changes
git diff

Want it all in a single command? Open a terminal in your project's directory and copy and paste the following command:

curl https://lift.sonatype.com/api/patch/github.com/DependencyTrack/dependency-track/2878.diff | git apply

Once you're satisfied, commit and push your changes in your project.

Footnotes

  1. You can preview the patch by opening the patch URL in the browser.

@nscuro nscuro mentioned this pull request Jul 8, 2023
Closed
2 tasks
@melba-lopez melba-lopez added the defect Something isn't working label Jul 28, 2023
@nscuro nscuro merged commit 1e276bd into DependencyTrack:master Aug 14, 2023
@nscuro nscuro deleted the issue-2788 branch August 14, 2023 20:52
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 14, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@sonatype-lift sonatype-lift[bot] sonatype-lift[bot] left review comments

@melba-lopez melba-lopez melba-lopez approved these changes

@stevespringett stevespringett Awaiting requested review from stevespringett

Assignees
No one assigned
Labels
defect Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

VDR erronously include full SBOM inventory
2 participants
@nscuro @melba-lopez