-
Notifications
You must be signed in to change notification settings - Fork 314
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BlackDuck advisor PoC #9627
base: main
Are you sure you want to change the base?
BlackDuck advisor PoC #9627
Conversation
Signed-off-by: Frank Viernau <frank_viernau@epam.com>
Signed-off-by: Frank Viernau <x9fviern@zeiss.com>
The property allows to specify the origin (BlackDuck terminology) corresponding to this package. Knowing the origin is necessary in order to retrieve any information about the package from BlackDuck, for example known security vulnerabilities. Normally, for a couple of ecosystems, it is possible to determine the origin automaticall based on the purl. However, this does not always work: 1. BlackDuck does not know the origin but a similar one from a different external namesace. For example, the database contains entries for NuGet release but not for the GitHub release of a particular package. 2. TBC Signed-off-by: Frank Viernau <x9fviern@zeiss.com>
Signed-off-by: Frank Viernau <x9fviern@zeiss.com>
If the package has the BlackDuck origin speciified as external ID, use that reference to determine the corresponding origin for which to query the vulnerabilities. Note: This is necessary in the following case TBD Signed-off-by: Frank Viernau <x9fviern@zeiss.com>
} | ||
|
||
private fun getVulnerabilitiesByExternalId(pkg: Package): List<Vulnerability>? { | ||
val ref = pkg.blackDuckOrigin!! |
Check warning
Code scanning / detekt
Unsafe calls on nullable types detected. These calls will throw a NullPointerException in case the nullable value is null. Warning
?: return null | ||
|
||
val type = remaining.substringBefore("/") | ||
remaining = remaining.withoutPrefix("$type/")!! |
Check warning
Code scanning / detekt
Unsafe calls on nullable types detected. These calls will throw a NullPointerException in case the nullable value is null. Warning
return Purl(type, namespace, name, version) | ||
} | ||
|
||
fun isValid(s: String): Boolean = !parse(s)?.name.orEmpty().isNullOrBlank() |
Check warning
Code scanning / detekt
This call on a non-null reference may be reduced or removed. Some calls are intended to be called on nullable collection or text types (e.g. `String?`).When this call is used on a reference to a non-null type (e.g. `String`) it is redundant and will have no effect, so it can be removed. Warning
import org.ossreviewtoolkit.utils.test.getAssetFile | ||
import org.ossreviewtoolkit.utils.test.identifierToPackage | ||
|
||
class BlackDuckFunTest : WordSpec({ |
Check warning
Code scanning / QDJVMC
Unused symbol Warning
/** | ||
* The base URL of the BlackDuck REST API. | ||
*/ | ||
@OrtPluginOption() |
Check notice
Code scanning / QDJVMC
Remove unnecessary parentheses Note
/** | ||
* The API token to use for authentication. | ||
*/ | ||
@OrtPluginOption() |
Check notice
Code scanning / QDJVMC
Remove unnecessary parentheses Note
val version: String? | ||
) { | ||
companion object { | ||
fun parse(s: String): Purl? { |
Check notice
Code scanning / QDJVMC
Class member can have 'private' visibility Note
return Purl(type, namespace, name, version) | ||
} | ||
|
||
fun isValid(s: String): Boolean = !parse(s)?.name.orEmpty().isNullOrBlank() |
Check warning
Code scanning / QDJVMC
Useless call on not-null type Warning
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #9627 +/- ##
============================================
- Coverage 68.03% 67.99% -0.05%
Complexity 1287 1287
============================================
Files 249 249
Lines 8826 8879 +53
Branches 920 940 +20
============================================
+ Hits 6005 6037 +32
- Misses 2432 2449 +17
- Partials 389 393 +4
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
No description provided.