
Feature/precompute #169

Merged (3 commits, May 12, 2023)

Conversation

mehab (Collaborator) commented May 12, 2023

Description

Updated policy evaluation to get the vulnerabilities list for each component in advance in case it is needed by evaluators (severity, CWE and vulnerability ID). In these cases, in the existing logic the getAllVulnerabilities query was being called separately each time.

Addressed Issue

Addresses DependencyTrack/hyades#529

Additional Details

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have added corresponding update logic
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly
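The precompute pattern the description refers to, written as an added example that is not Dependency-Track's code: a fake repository counts how often the vulnerability query runs, the engine fetches the list once per component, and every evaluator (severity, CWE, vulnerability ID) receives that list as a parameter instead of querying for it. The model records, the repository and the evaluator base class are hypothetical stand-ins; only the evaluator class names and the three-argument evaluate signature follow the PR. The base class also returns one unmodifiable collection type on every path, which is the kind of mixed mutable/immutable return that static analysis tends to flag.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

// Stand-ins for the model classes (hypothetical; not Dependency-Track's real types).
record Vulnerability(String vulnId, String severity, String cwe) {}
record Component(String purl) {}
record Policy(String name) {}
record PolicyConditionViolation(String policy, String component, String reason) {}

// Fake store that counts how often the getAllVulnerabilities query runs.
class VulnerabilityRepository {
    private final Map<String, List<Vulnerability>> byPurl;
    private int queryCount = 0;
    VulnerabilityRepository(Map<String, List<Vulnerability>> byPurl) { this.byPurl = byPurl; }

    List<Vulnerability> getAllVulnerabilities(Component component) {
        queryCount++; // one database round trip per call
        return byPurl.getOrDefault(component.purl(), List.of());
    }
    int queryCount() { return queryCount; }
}

// Evaluators take the precomputed list as a parameter instead of querying for it themselves.
interface PolicyEvaluator {
    List<PolicyConditionViolation> evaluate(Policy policy, Component component, List<Vulnerability> vulnerabilities);
}

// One base so every evaluator returns the same unmodifiable collection type on every path.
abstract class AbstractPolicyEvaluator implements PolicyEvaluator {
    private final String label;
    private final Predicate<Vulnerability> condition;
    AbstractPolicyEvaluator(String label, Predicate<Vulnerability> condition) {
        this.label = label;
        this.condition = condition;
    }

    @Override
    public List<PolicyConditionViolation> evaluate(final Policy policy, final Component component,
                                                   final List<Vulnerability> vulnerabilities) {
        final List<PolicyConditionViolation> violations = new ArrayList<>();
        for (Vulnerability v : vulnerabilities) {
            if (condition.test(v)) {
                violations.add(new PolicyConditionViolation(policy.name(), component.purl(), label + ": " + v.vulnId()));
            }
        }
        return Collections.unmodifiableList(violations);
    }
}

class SeverityPolicyEvaluator extends AbstractPolicyEvaluator {
    private static final List<String> ORDER = List.of("LOW", "MEDIUM", "HIGH", "CRITICAL");
    SeverityPolicyEvaluator(String minimum) {
        super("severity >= " + minimum, v -> ORDER.indexOf(v.severity()) >= ORDER.indexOf(minimum));
    }
}

class CwePolicyEvaluator extends AbstractPolicyEvaluator {
    CwePolicyEvaluator(String cwe) { super("cwe " + cwe, v -> cwe.equals(v.cwe())); }
}

class VulnerabilityIdPolicyEvaluator extends AbstractPolicyEvaluator {
    VulnerabilityIdPolicyEvaluator(String id) { super("banned id " + id, v -> id.equals(v.vulnId())); }
}

class PolicyEngine {
    private final VulnerabilityRepository repo;
    private final List<PolicyEvaluator> evaluators;
    PolicyEngine(VulnerabilityRepository repo, List<PolicyEvaluator> evaluators) { this.repo = repo; this.evaluators = evaluators; }

    List<PolicyConditionViolation> evaluate(Policy policy, Component component) {
        // Query once per component, then hand the same list to every evaluator.
        final List<Vulnerability> vulns = repo.getAllVulnerabilities(component);
        final List<PolicyConditionViolation> all = new ArrayList<>();
        for (PolicyEvaluator e : evaluators) {
            all.addAll(e.evaluate(policy, component, vulns));
        }
        return Collections.unmodifiableList(all);
    }
}

public class PrecomputeDemo {
    public static void main(String[] args) {
        // Constructed sample data, not real findings.
        Component comp = new Component("pkg:maven/org.example/lib@1.0.0");
        VulnerabilityRepository repo = new VulnerabilityRepository(Map.of(comp.purl(), List.of(
                new Vulnerability("VULN-0001", "HIGH", "CWE-79"),
                new Vulnerability("VULN-0002", "LOW", "CWE-400"),
                new Vulnerability("VULN-0003", "CRITICAL", "CWE-502"))));
        PolicyEngine engine = new PolicyEngine(repo, List.of(
                new SeverityPolicyEvaluator("HIGH"),
                new CwePolicyEvaluator("CWE-502"),
                new VulnerabilityIdPolicyEvaluator("VULN-0002")));

        engine.evaluate(new Policy("baseline"), comp).forEach(System.out::println);
        // Three evaluators ran, but the query executed once (it would be 3 if each evaluator queried).
        System.out.println("getAllVulnerabilities calls: " + repo.queryCount());
    }
}
```

Run with `java PrecomputeDemo.java` (Java 16 or newer for records). The query counter is the whole point: with N evaluators the old per-evaluator lookup costs N round trips per component, the precomputed list costs one, and the saving scales with the number of components in a project.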

mehab added 2 commits May 12, 2023 17:04
Signed-off-by: mehab <meha.bhargava2@gmail.com>
Signed-off-by: mehab <meha.bhargava2@gmail.com>
@mehab mehab requested review from nscuro, sahibamittal and VithikaS May 12, 2023 16:21
@@ -50,13 +50,13 @@ public PolicyCondition.Subject supportedSubject() {
* {@inheritDoc}
*/
@Override
public List<PolicyConditionViolation> evaluate(final Policy policy, final Component component) {
public List<PolicyConditionViolation> evaluate(final Policy policy, final Component component, List<Vulnerability> vulerabilities) {
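Review bot: the new parameter is misspelled as `vulerabilities` and, unlike `policy` and `component`, is not declared `final`; suggest `final List<Vulnerability> vulnerabilities` so the name matches the type and the signature stays consistent with the other arguments. Since the method is annotated `@Override` with `{@inheritDoc}`, the declaring interface or abstract method must carry the same third parameter and its Javadoc `@param` text, otherwise the inherited documentation says nothing about the precomputed list this method now depends on.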
Contributor (Sonatype Lift bot) commented on the line above:

15% of developers fix this issue

MixedMutabilityReturnType: This method returns both mutable and immutable collections or maps from different paths. This may be confusing for users of the method.


Suggested change
public List<PolicyConditionViolation> evaluate(final Policy policy, final Component component, List<Vulnerability> vulerabilities) {
final ImmutableList.Builder<PolicyConditionViolation> violations = ImmutableList.builder();

2 similar findings have been found in this PR:

File path                                                                     Line
src/main/java/org/dependencytrack/policy/VulnerabilityIdPolicyEvaluator.java  55
src/main/java/org/dependencytrack/policy/SeverityPolicyEvaluator.java         58


Available @sonatype-lift commands (reply with one; for example, reply with @sonatype-lift ignoreall to leave out all findings):

@sonatype-lift ignore                           Leave out the above finding from this PR
@sonatype-lift ignoreall                        Leave out all the existing findings from this PR
@sonatype-lift exclude <file|issue|path|tool>   Exclude the specified file, issue, path or tool from Lift findings by updating your config.toml file

mehab (Collaborator, Author) replied:

@sonatype-lift ignore

Contributor (Sonatype Lift bot) replied:

I've recorded these 3 issues as ignored for this pull request.
If you change your mind, just comment @sonatype-lift unignore.

Signed-off-by: mehab <meha.bhargava2@gmail.com>
@mehab mehab merged commit 1b1f26d into main May 12, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 12, 2023
@mehab mehab deleted the feature/precompute branch February 21, 2024 09:44
2 participants