BlackDuck advisor PoC #9627
BlackDuck advisor PoC #9627
Conversation
Signed-off-by: Frank Viernau <[email protected]>
Signed-off-by: Frank Viernau <[email protected]>
The property allows to specify the origin (BlackDuck terminology) corresponding to this package. Knowing the origin is necessary in order to retrieve any information about the package from BlackDuck, for example known security vulnerabilities. Normally, for a couple of ecosystems, it is possible to determine the origin automaticall based on the purl. However, this does not always work: 1. BlackDuck does not know the origin but a similar one from a different external namesace. For example, the database contains entries for NuGet release but not for the GitHub release of a particular package. 2. TBC Signed-off-by: Frank Viernau <[email protected]>
Signed-off-by: Frank Viernau <[email protected]>
If the package has the BlackDuck origin speciified as external ID, use that reference to determine the corresponding origin for which to query the vulnerabilities. Note: This is necessary in the following case TBD Signed-off-by: Frank Viernau <[email protected]>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| } | ||
|
|
||
| private fun getVulnerabilitiesByExternalId(pkg: Package): List<Vulnerability>? { | ||
| val ref = pkg.blackDuckOrigin!! |
Check warning
Code scanning / detekt
Unsafe calls on nullable types detected. These calls will throw a NullPointerException in case the nullable value is null. Warning
| ?: return null | ||
|
|
||
| val type = remaining.substringBefore("/") | ||
| remaining = remaining.withoutPrefix("$type/")!! |
Check warning
Code scanning / detekt
Unsafe calls on nullable types detected. These calls will throw a NullPointerException in case the nullable value is null. Warning
| return Purl(type, namespace, name, version) | ||
| } | ||
|
|
||
| fun isValid(s: String): Boolean = !parse(s)?.name.orEmpty().isNullOrBlank() |
Check warning
Code scanning / detekt
This call on a non-null reference may be reduced or removed. Some calls are intended to be called on nullable collection or text types (e.g. `String?`).When this call is used on a reference to a non-null type (e.g. `String`) it is redundant and will have no effect, so it can be removed. Warning
| import org.ossreviewtoolkit.utils.test.getAssetFile | ||
| import org.ossreviewtoolkit.utils.test.identifierToPackage | ||
|
|
||
| class BlackDuckFunTest : WordSpec({ |
Check warning
Code scanning / QDJVMC
Unused symbol Warning
| /** | ||
| * The base URL of the BlackDuck REST API. | ||
| */ | ||
| @OrtPluginOption() |
Check notice
Code scanning / QDJVMC
Remove unnecessary parentheses Note
| /** | ||
| * The API token to use for authentication. | ||
| */ | ||
| @OrtPluginOption() |
Check notice
Code scanning / QDJVMC
Remove unnecessary parentheses Note
| val version: String? | ||
| ) { | ||
| companion object { | ||
| fun parse(s: String): Purl? { |
Check notice
Code scanning / QDJVMC
Class member can have 'private' visibility Note
| return Purl(type, namespace, name, version) | ||
| } | ||
|
|
||
| fun isValid(s: String): Boolean = !parse(s)?.name.orEmpty().isNullOrBlank() |
Check warning
Code scanning / QDJVMC
Useless call on not-null type Warning
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #9627 +/- ##
============================================
- Coverage 68.03% 67.99% -0.05%
Complexity 1287 1287
============================================
Files 249 249
Lines 8826 8879 +53
Branches 920 940 +20
============================================
+ Hits 6005 6037 +32
- Misses 2432 2449 +17
- Partials 389 393 +4
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
No description provided.