feat(advisor): Add BlackDuck as advisor #9652

Open
wants to merge 4 commits into
base: main
Conversation

fviernau
Member

@fviernau fviernau commented Dec 20, 2024

Add an initial version of the integration of BlackDuck as a security vulnerability provider.

Note: The implementation will be iterated upon, e.g. a curation mechanism to manually specify an origin will
be added in a following PR.

Part of: #8739.

@fviernau fviernau force-pushed the initial-black-duck-advisor branch from ef2e79e to 1e78d98 Compare December 20, 2024 12:01
@fviernau fviernau force-pushed the initial-black-duck-advisor branch 3 times, most recently from 3eda163 to 951f01b Compare December 20, 2024 12:26

codecov bot commented Dec 20, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 68.10%. Comparing base (4cae987) to head (6858178).

Additional details and impacted files
@@            Coverage Diff            @@
##               main    #9652   +/-   ##
=========================================
  Coverage     68.10%   68.10%           
  Complexity     1294     1294           
=========================================
  Files           249      249           
  Lines          8841     8841           
  Branches        922      922           
=========================================
  Hits           6021     6021           
  Misses         2432     2432           
  Partials        388      388           
Flag Coverage Δ
funTest-docker 65.14% <ø> (ø)
funTest-non-docker 33.28% <ø> (ø)
test-ubuntu-24.04 35.91% <ø> (ø)
test-windows-2022 35.88% <ø> (ø)


@fviernau fviernau force-pushed the initial-black-duck-advisor branch from 951f01b to ddd2034 Compare December 20, 2024 14:58
@fviernau fviernau force-pushed the initial-black-duck-advisor branch from ddd2034 to aa40097 Compare December 20, 2024 15:04
@fviernau fviernau force-pushed the initial-black-duck-advisor branch 5 times, most recently from 918d103 to d154358 Compare December 23, 2024 12:58
@fviernau fviernau marked this pull request as ready for review December 23, 2024 12:59
@fviernau fviernau requested review from a team as code owners December 23, 2024 12:59
@fviernau fviernau requested a review from sschuberth December 23, 2024 13:00
@fviernau fviernau force-pushed the initial-black-duck-advisor branch 2 times, most recently from 642d0bb to fa916ac Compare December 23, 2024 14:23
@fviernau fviernau force-pushed the initial-black-duck-advisor branch from fa916ac to 9b62a53 Compare December 23, 2024 15:46
@fviernau fviernau requested a review from sschuberth December 23, 2024 15:46
@fviernau fviernau force-pushed the initial-black-duck-advisor branch 4 times, most recently from 406bb8c to 2b0bfc7 Compare December 23, 2024 16:09
Review thread on website/docs/tools/advisor.md (outdated, resolved)
Review thread on website/docs/tools/advisor.md (resolved)
Review thread on website/docs/tools/advisor.md (outdated, resolved)
@fviernau fviernau force-pushed the initial-black-duck-advisor branch from 2b0bfc7 to 4e2d854 Compare December 23, 2024 20:34
@fviernau fviernau requested a review from sschuberth December 23, 2024 20:34
@fviernau fviernau force-pushed the initial-black-duck-advisor branch 4 times, most recently from 331b370 to 20e80da Compare December 24, 2024 10:32
@fviernau fviernau enabled auto-merge (rebase) December 24, 2024 10:34
BlackDuck's knowledge base about external components allows the
retrieval of vulnerabilities by either a `(component, version)` tuple
or an `origin`.

The implementation relies on querying the vulnerabilities solely based
on the origin, because that is what most closely resembles an ORT
identifier or a purl. Relying on (component, version) would
lead to unnecessary overreporting, let alone the difficulties with
finding a good match.

The implementation for now determines the origin by searching for it
via the purl. Considering the ecosystems currently present in ORT, this
works well for crate, gem, hackage, maven, npm, nuget, pod, pub and
pypi, see also [1].

Note: Not all origins have a purl associated, but they always have
      a `(externalNamespace, externalId)`. For such cases the
      implementation should be enhanced to allow specifying the
      `(externalNamespace, externalId)` via a curation.

[1]: #9638

Signed-off-by: Frank Viernau <x9fviern@zeiss.com>
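To make the origin-based lookup described in the commit message concrete, here is an added Python sketch that is not ORT's or BlackDuck's code: it builds a purl from an ORT-style identifier, resolves it to exactly one origin in a constructed stand-in for the knowledge base, falls back to a curated `(externalNamespace, externalId)` for an origin without a purl, and contrasts the result with the rejected `(component, version)` query. The ORT type names, the purl type mapping, the knowledge-base layout and all package and vulnerability ids are assumptions or constructed for the example.

```python
from urllib.parse import quote

# purl type per ORT package type (assumed names) for the ecosystems the commit
# message lists: crate, gem, hackage, maven, npm, nuget, pod, pub and pypi.
ORT_TO_PURL_TYPE = {
    "Crate": "cargo", "Gem": "gem", "Hackage": "hackage", "Maven": "maven", "NPM": "npm",
    "NuGet": "nuget", "Pod": "cocoapods", "Pub": "pub", "PyPI": "pypi",
}

def to_purl(ort_type, namespace, name, version):
    """Build the purl used to search for an origin; each part is percent-encoded."""
    ns = f"{quote(namespace, safe='')}/" if namespace else ""
    return f"pkg:{ORT_TO_PURL_TYPE[ort_type]}/{ns}{quote(name, safe='')}@{quote(version, safe='')}"

# Constructed stand-in for the BlackDuck knowledge base (not its real schema).
# Three origins share one (component, version); they come from different
# ecosystems, carry different findings, and the last one has no purl at all.
KB_ORIGINS = [
    {"component": "acme-lib", "version": "1.2.0", "ext": ("npmjs", "acme-lib/1.2.0"),
     "purl": "pkg:npm/acme-lib@1.2.0", "vulns": ["VULN-1"]},
    {"component": "acme-lib", "version": "1.2.0", "ext": ("maven", "com.acme:acme-lib:1.2.0"),
     "purl": "pkg:maven/com.acme/acme-lib@1.2.0", "vulns": ["VULN-3", "VULN-2"]},
    {"component": "acme-lib", "version": "1.2.0", "ext": ("custom", "acme-lib-1.2.0"),
     "purl": None, "vulns": ["VULN-4"]},
]

def find_origin(purl, curation=None):
    """A curated (externalNamespace, externalId) wins; otherwise match the purl exactly."""
    if curation is not None:
        return next((o for o in KB_ORIGINS if o["ext"] == tuple(curation)), None)
    return next((o for o in KB_ORIGINS if o["purl"] == purl), None)

def vulns_by_origin(ort_type, namespace, name, version, curation=None):
    """Origin-based query: findings of exactly one origin, or None when nothing matched."""
    origin = find_origin(to_purl(ort_type, namespace, name, version), curation)
    return None if origin is None else sorted(origin["vulns"])

def vulns_by_component_version(component, version):
    """The rejected alternative: the union over every origin of that (component, version)."""
    hits = [o for o in KB_ORIGINS if (o["component"], o["version"]) == (component, version)]
    return sorted({v for o in hits for v in o["vulns"]})

if __name__ == "__main__":
    print(vulns_by_origin("NPM", "", "acme-lib", "1.2.0"))             # only the npm origin's finding
    print(vulns_by_component_version("acme-lib", "1.2.0"))             # all four: the over-reporting
    print(vulns_by_origin("Crate", "", "acme-lib", "1.2.0"))           # None: no crate origin exists
    print(vulns_by_origin("Crate", "", "acme-lib", "1.2.0",
                          curation=("custom", "acme-lib-1.2.0")))     # curation reaches the purl-less origin
```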
Signed-off-by: Frank Viernau <x9fviern@zeiss.com>
Re-align the completions after adding the new BlackDuck advisor by
running [1].

[1]: `/scripts/generate_completion_scripts.sh`

Signed-off-by: Frank Viernau <x9fviern@zeiss.com>
Signed-off-by: Frank Viernau <x9fviern@zeiss.com>
@fviernau fviernau force-pushed the initial-black-duck-advisor branch from 20e80da to 6858178 Compare December 28, 2024 11:21