Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Black Duck: Add a mechanism to set the origin-id for a package via a label curation. #9819

Merged
merged 2 commits into from
Jan 24, 2025
Merged

Black Duck: Add a mechanism to set the origin-id for a package via a label curation. #9819

merged 2 commits into from
Jan 24, 2025

Conversation

fviernau
Copy link
Member

See individual commits.

Part of: #8739.

@fviernau fviernau requested a review from a team as a code owner January 23, 2025 15:04
@fviernau fviernau marked this pull request as draft January 23, 2025 15:05
@fviernau fviernau force-pushed the black-duck-origin-id-curation-mechanism branch 4 times, most recently from 2fdc0d5 to 3df3785 Compare January 23, 2025 15:10
@fviernau fviernau marked this pull request as ready for review January 23, 2025 15:32
@codecov Codecov
Copy link

codecov bot commented Jan 23, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 68.07%. Comparing base (e3b5c3d) to head (44c9067).
Report is 6 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff            @@
##               main    #9819   +/-   ##
=========================================
  Coverage     68.07%   68.07%           
  Complexity     1285     1285           
=========================================
  Files           249      249           
  Lines          8828     8828           
  Branches        918      918           
=========================================
  Hits           6010     6010           
  Misses         2432     2432           
  Partials        386      386
Flag Coverage Δ
funTest-docker 65.00% <ø> (ø)
funTest-non-docker 33.35% <ø> (ø)
test-ubuntu-24.04 35.90% <ø> (ø)
test-windows-2022 35.88% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@fviernau fviernau force-pushed the black-duck-origin-id-curation-mechanism branch from 3df3785 to 99cae52 Compare January 23, 2025 15:50
sschuberth
sschuberth reviewed Jan 23, 2025
View reviewed changes
plugins/advisors/black-duck/src/main/kotlin/BlackDuckOriginId.kt Outdated
Comment on lines 52 to 60
val index = coordinates.indexOf(':')
require(index != -1) {
"Could not parse originId '$coordinates'. Missing ':' separator ."
}

return BlackDuckOriginId(
externalNamespace = coordinates.substring(0, index),
externalId = coordinates.substring(index + 1, coordinates.length)
)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alternatively:

        val parts = coordinates.split(':', limit = 2)
        require(parts.size == 2) { 
            "Could not parse originId '$coordinates'. Missing ':' separator ."
        }

        return BlackDuckOriginId(externalNamespace = parts[0], externalId = parts[1])

@fviernau
test(black-duck): Make a test name more specific
2a3c692 
Prepare for adding a test for querying by origin-id.

Signed-off-by: Frank Viernau <x9fviern@zeiss.com>
@fviernau fviernau force-pushed the black-duck-origin-id-curation-mechanism branch from 99cae52 to 5234a50 Compare January 23, 2025 21:03
@fviernau fviernau requested a review from sschuberth January 23, 2025 21:04
@fviernau
feat(black-duck): Add a mechanism to query vulnerabilities by origin-id
44c9067 
By default, the vulnerabilities are queried by the respective purl. This
does not work in all cases, e.g.:

1. Some origins do not (yet) have a purl associated.
2. For some ecosystem, querying by purl doesn't work, even though the
   data sets have a purl.
3. The knowledge base may not contain a data set for the exact package
   but for the same "package" in a different ecosystem. For example,
   query vulnerabilities for the "ubuntu" package instead of for the
   "github" package.

So, allow to set the origin-id via a package label curation, to override
the origin for which the vulnerabilities shall be retrieved.

Note: Since the amount of external namespaces is rather large, test the
querying only for a few ecosystems. This should be fine, because there
is very little namespace specific logic in ORT's code involved.

Signed-off-by: Frank Viernau <x9fviern@zeiss.com>
@fviernau fviernau force-pushed the black-duck-origin-id-curation-mechanism branch from 5234a50 to 44c9067 Compare January 23, 2025 21:06
@fviernau fviernau enabled auto-merge (rebase) January 23, 2025 21:06
@fviernau fviernau merged commit ae2ae6e into main Jan 24, 2025
26 checks passed
@fviernau fviernau deleted the black-duck-origin-id-curation-mechanism branch January 24, 2025 08:47
@sschuberth sschuberth mentioned this pull request Jan 24, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sschuberth sschuberth sschuberth approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@fviernau @sschuberth