-
-
Notifications
You must be signed in to change notification settings - Fork 584
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adds audit trail comments for all fields of new analysis #3551
base: master
Are you sure you want to change the base?
Conversation
Coverage summary from CodacySee diff coverage on Codacy
Coverage variation details
Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: Diff coverage details
Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: See your quality gate settings Change summary preferencesYou may notice some variations in coverage metrics with the latest Coverage engine update. For more details, visit the documentation Footnotes
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR @sebD! A few suggestions.
a better approach would be to create a dedicated AnalysisService that would be called from the CycloneDXVexImporter and the AnalysisResource. Currently these two classes have too many responsabilities. Moreover, they share the analysis creation responsability and do it in a different manner.
Indeed it would be great to have this logic centralized. Would you like to take a shot at that in this PR?
|
||
public static void makeFirstStateComment(final QueryManager qm, final Analysis analysis, final String commenter) { | ||
if (analysis.getAnalysisState() != null) { | ||
addAnalysisStateComment(qm, analysis, null, analysis.getAnalysisState(), commenter); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should use NOT_SET
here instead of null
. null
should not be exposed to users.
addAnalysisStateComment(qm, analysis, null, analysis.getAnalysisState(), commenter); | |
addAnalysisStateComment(qm, analysis, AnalysisState.NOT_SET, analysis.getAnalysisState(), commenter); |
Condition<String> elfBearer = new Condition<String>() { | ||
public boolean matches(String value) { | ||
return value.contains("toto"); | ||
} | ||
}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This appears to be unused.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oops. Good catch
assertThat(responseJson.getJsonArray("analysisComments").getJsonObject(0)) | ||
.hasFieldOrPropertyWithValue("comment", Json.createValue("Analysis: NOT_SET → NOT_AFFECTED")) | ||
.hasFieldOrPropertyWithValue("comment", Json.createValue("Analysis: null → NOT_AFFECTED")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a regression and would be resolved by passing NOT_SET
instead of null
when creating the comment.
|
||
public static void makeFirstAnalysisResponseComment(QueryManager qm, Analysis analysis, String commenter) { | ||
if (analysis.getAnalysisResponse() != null) { | ||
addAnalysisResponseComment(qm, analysis, null, analysis.getAnalysisResponse(), commenter); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
addAnalysisResponseComment(qm, analysis, null, analysis.getAnalysisResponse(), commenter); | |
addAnalysisResponseComment(qm, analysis, AnalysisResponse.NOT_SET, analysis.getAnalysisResponse(), commenter); |
|
||
public static void makeFirstJustificationComment(QueryManager qm, Analysis analysis, String commenter) { | ||
if (analysis.getAnalysisJustification() != null) { | ||
addAnalysisJustificationComment(qm, analysis, null, analysis.getAnalysisJustification(), commenter); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
addAnalysisJustificationComment(qm, analysis, null, analysis.getAnalysisJustification(), commenter); | |
addAnalysisJustificationComment(qm, analysis, AnalysisJustification.NOT_SET, analysis.getAnalysisJustification(), commenter); |
I'll have a look. |
1030f44
to
315ad3e
Compare
@nscuro I am currently working on fixing some tests. Do not hesitate to give me any remarks on the proposed solution. I have taken some initiatives that differ a bit from the rest of the app. As I'm a new contributor, I remain open to make any change in the design. |
067338c
to
5dffd9f
Compare
@nscuro PR ready for second review round |
Thanks @sebD I'll have a look over the coming days. Trying to wrap up remaining work for v4.11 at the moment. |
No problem. Take your time. |
…nalysis added either via UI or directly via REST call. Does add more comments when using the UI but reflects state of the vulnerability audit better. Fixes: DependencyTrack#3470 Signed-off-by: Sebastien Delcoigne <sebastien.delcoigne@gmail.com>
…d service Adds analysis comments for justification, state and details for new analysis added either via UI or directly via REST call. Fixes DependencyTrack#3470 Signed-off-by: Sebastien Delcoigne <sebastien.delcoigne@gmail.com>
Signed-off-by: Sebastien Delcoigne <sebastien.delcoigne@gmail.com>
… AnalysisService to avoid "Object with id 'x' is managed by a different persistence manager" error types Signed-off-by: Sebastien Delcoigne <sebastien.delcoigne@gmail.com>
5dffd9f
to
62bf367
Compare
Coverage summary from CodacySee diff coverage on Codacy
Coverage variation details
Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: Diff coverage details
Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: See your quality gate settings Change summary preferencesYou may notice some variations in coverage metrics with the latest Coverage engine update. For more details, visit the documentation |
@nscuro I've started a new job recently and spent less time following d-track lately. Don't hesitate to ping me if work needs to be done on this code. |
Description
Adds audit comments for all properties of a newly created analysis entry.
Addressed Issue
Fixes: #3470
Additional Details
This fix proposition changes the current behavior a bit when audits are performed manually via the UI. At the moment, setting the Analysis state only adds a comment about this particular field even though justification and vendor response are also set with default values. The proposed fix would add comments for those too.
This behavior seem coherent with what I understood from the Vex import feature (cf CycloneDXVexImporter.
This is a quick fix solution, a better approach would be to create a dedicated AnalysisService that would be called from the CycloneDXVexImporter and the AnalysisResource. Currently these two classes have too many responsabilities. Moreover, they share the analysis creation responsability and do it in a different manner.
I'll be happy to discuss this refactor further if deemed interesting.
Checklist