Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check if Library Id (GAV) is well known #383

Merged
merged 6 commits into from
Jun 23, 2020
Merged

Check if Library Id (GAV) is well known #383

merged 6 commits into from
Jun 23, 2020

Conversation

serenaponta
Copy link
Contributor

@serenaponta serenaponta commented May 14, 2020
edited
Loading

When libraries are saved, the backend checks whether the digest is wellKnown using one of the implemented verifiers, i.e. Maven Central and Pypi.

Problem Observed:
Until now we didn't check whether the libraryId provided by the client is also well known, as a result we may end up with not-well-known library ids saved to the database (even for well known digests).

Solution:
The verifyDigest method now checks that the provided libraryId is wellKnown, and replaces it with the well known one if it isn't (it takes the first in case multiple ones are returned). Note that:

  • the verification is not done in the prePersist method anylonger because we need to save the transient LibraryId entity in case it gets replaced.
  • the verification now happens every time a library is saved (thus replacing also the url and timestamp of the verification)

@serenaponta serenaponta added the wip Work in progress - Don't merge label May 14, 2020
@serenaponta serenaponta removed the wip Work in progress - Don't merge label Jun 16, 2020
henrikplate
henrikplate reviewed Jun 16, 2020
View reviewed changes
rest-backend/src/main/java/com/sap/psr/vulas/backend/repo/LibraryRepositoryImpl.java Outdated
_lib.setDigestVerificationUrl(managed_lib.getDigestVerificationUrl());
_lib.setDigestTimestamp(managed_lib.getDigestTimestamp());
}
// // Re-create wellknownDigest if it is null in our current db (this part should be removed once it is created for all)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just delete all those commented sections :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you are right, done!

@serenaponta serenaponta merged commit ad6ec2c into master Jun 23, 2020
@serenaponta serenaponta deleted the verify-libid branch June 23, 2020 14:27
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@henrikplate henrikplate henrikplate left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@serenaponta @henrikplate