Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

BlackDuck advisor PoC #9627

Draft
wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

BlackDuck advisor PoC #9627

wants to merge 5 commits into from

Conversation

fviernau
Copy link
Member

No description provided.

fviernau and others added 5 commits December 13, 2024 14:06
Signed-off-by: Frank Viernau <frank_viernau@epam.com>
Signed-off-by: Frank Viernau <x9fviern@zeiss.com>
The property allows to specify the origin (BlackDuck terminology)
corresponding to this package. Knowing the origin is necessary in order
to retrieve any information about the package from BlackDuck, for
example known security vulnerabilities.

Normally, for a couple of ecosystems, it is possible to determine the
origin automaticall based on the purl. However, this does not always
work:

1. BlackDuck does not know the origin but a similar one from a
   different external namesace. For example, the database contains
   entries for NuGet release but not for the GitHub release of a
   particular package.
2. TBC

Signed-off-by: Frank Viernau <x9fviern@zeiss.com>
Signed-off-by: Frank Viernau <x9fviern@zeiss.com>
If the package has the BlackDuck origin speciified as external ID,
use that reference to determine the corresponding origin for which to
query the vulnerabilities.

Note: This is necessary in the following case

TBD

Signed-off-by: Frank Viernau <x9fviern@zeiss.com>
}

private fun getVulnerabilitiesByExternalId(pkg: Package): List<Vulnerability>? {
val ref = pkg.blackDuckOrigin!!

Check warning

Code scanning / detekt

Unsafe calls on nullable types detected. These calls will throw a NullPointerException in case the nullable value is null. Warning

Calling !! on a nullable type will throw a NullPointerException at runtime in case the value is null. It should be avoided.
?: return null

val type = remaining.substringBefore("/")
remaining = remaining.withoutPrefix("$type/")!!

Check warning

Code scanning / detekt

Unsafe calls on nullable types detected. These calls will throw a NullPointerException in case the nullable value is null. Warning

Calling !! on a nullable type will throw a NullPointerException at runtime in case the value is null. It should be avoided.
return Purl(type, namespace, name, version)
}

fun isValid(s: String): Boolean = !parse(s)?.name.orEmpty().isNullOrBlank()

Check warning

Code scanning / detekt

This call on a non-null reference may be reduced or removed. Some calls are intended to be called on nullable collection or text types (e.g. `String?`).When this call is used on a reference to a non-null type (e.g. `String`) it is redundant and will have no effect, so it can be removed. Warning

Replace isNullOrBlank with isBlank
import org.ossreviewtoolkit.utils.test.getAssetFile
import org.ossreviewtoolkit.utils.test.identifierToPackage

class BlackDuckFunTest : WordSpec({

Check warning

Code scanning / QDJVMC

Unused symbol Warning

Class "BlackDuckFunTest" is never used
/**
* The base URL of the BlackDuck REST API.
*/
@OrtPluginOption()

Check notice

Code scanning / QDJVMC

Remove unnecessary parentheses Note

Parentheses should be removed
/**
* The API token to use for authentication.
*/
@OrtPluginOption()

Check notice

Code scanning / QDJVMC

Remove unnecessary parentheses Note

Parentheses should be removed
val version: String?
) {
companion object {
fun parse(s: String): Purl? {

Check notice

Code scanning / QDJVMC

Class member can have 'private' visibility Note

Function 'parse' could be private
return Purl(type, namespace, name, version)
}

fun isValid(s: String): Boolean = !parse(s)?.name.orEmpty().isNullOrBlank()

Check warning

Code scanning / QDJVMC

Useless call on not-null type Warning

Call on not-null type may be reduced
Copy link

codecov bot commented Dec 17, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 67.99%. Comparing base (8bc47a4) to head (57f5acc).
Report is 24 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff              @@
##               main    #9627      +/-   ##
============================================
- Coverage     68.03%   67.99%   -0.05%     
  Complexity     1287     1287              
============================================
  Files           249      249              
  Lines          8826     8879      +53     
  Branches        920      940      +20     
============================================
+ Hits           6005     6037      +32     
- Misses         2432     2449      +17     
- Partials        389      393       +4     
Flag Coverage Δ
test-ubuntu-24.04 35.84% <ø> (+0.03%) ⬆️
test-windows-2022 35.82% <ø> (+0.03%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant