Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Migrate Advisor plugins to configurable plugin API #7690

Merged
merged 3 commits into from
Oct 16, 2023

Conversation

mnonnenmacher
Copy link
Member

@mnonnenmacher mnonnenmacher commented Oct 12, 2023

Migrate the advisor plugins to use the configurable plugin API. See the commit messages for details.

Breaking change:
The configuration of advice providers has changed, see the diff of reference.yml for examples.

Breaking API change:
The API of the AdviceProviderFactory has changed.

@mnonnenmacher mnonnenmacher force-pushed the advisor-secret-options branch from c349cff to 611a78a Compare October 13, 2023 10:21
@codecov
Copy link

codecov bot commented Oct 13, 2023

Codecov Report

Attention: 40 lines in your changes are missing coverage. Please review.

Comparison is base (112808a) 68.06% compared to head (48ea526) 67.90%.

Additional details and impacted files
@@             Coverage Diff              @@
##               main    #7690      +/-   ##
============================================
- Coverage     68.06%   67.90%   -0.17%     
- Complexity     2025     2033       +8     
============================================
  Files           345      350       +5     
  Lines         16736    16747      +11     
  Branches       2366     2368       +2     
============================================
- Hits          11392    11372      -20     
- Misses         4366     4397      +31     
  Partials        978      978              
Flag Coverage Δ
funTest-non-docker 36.28% <3.33%> (-0.04%) ⬇️
test 34.53% <30.00%> (-0.28%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Coverage Δ
...main/kotlin/advisors/GitHubDefectsConfiguration.kt 100.00% <100.00%> (ø)
.../src/main/kotlin/advisors/OssIndexConfiguration.kt 100.00% <100.00%> (ø)
...del/src/main/kotlin/config/AdvisorConfiguration.kt 100.00% <100.00%> (+2.38%) ⬆️
...visor/src/main/kotlin/advisors/OsvConfiguration.kt 66.66% <66.66%> (ø)
...ain/kotlin/advisors/VulnerableCodeConfiguration.kt 75.00% <75.00%> (ø)
advisor/src/main/kotlin/advisors/Osv.kt 63.44% <0.00%> (-0.69%) ⬇️
...r/src/main/kotlin/advisors/NexusIqConfiguration.kt 0.00% <0.00%> (ø)
advisor/src/main/kotlin/advisors/VulnerableCode.kt 76.08% <0.00%> (-7.25%) ⬇️
advisor/src/main/kotlin/advisors/OssIndex.kt 76.36% <0.00%> (-7.64%) ⬇️
advisor/src/main/kotlin/advisors/GitHubDefects.kt 83.46% <20.00%> (-5.62%) ⬇️
... and 1 more

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@mnonnenmacher mnonnenmacher force-pushed the advisor-secret-options branch from 611a78a to e09b2b4 Compare October 13, 2023 12:30
@mnonnenmacher mnonnenmacher marked this pull request as ready for review October 13, 2023 12:32
token = secrets["token"],
endpointUrl = options["endpointUrl"],
labelFilter = options["labelFilter"]?.split(",")?.map { it.trim() }
?: listOf("!duplicate", "!enhancement", "!invalid", "!question", "*"),
Copy link
Member

@sschuberth sschuberth Oct 13, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This now duplicates the default value of GitHubDefectsConfiguration.labelFilter, which IMO is not so nice. In my old draft I tried to solve this by extracting default values to constants (not fully implemented, also see the last commit in that PR).

This raises the general question where default values should be applied. I see basically tree options:

  1. in parseConfig(),
  2. in the constructor of the output config class,
  3. in the consumer of the config class.

My current preference would be 1., and I'd propose a clean-up commit that removes the default parameters from GitHubDefectsConfiguration's constructor.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you be fine with doing that clean up commit outside of this PR?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, if it's resolved within reasonable time, before we forget about it.

Use the `TypedConfigurablePluginFactory` as base class for the
`AdviceProviderFactory`. This decouples the configuration model from any
advisor specific configuration classes and is a precondition for moving
advisors to their own plugin projects.

The advisor specific configuration properties in the
`AdvisorConfiguration` are replaced with a map similar to the one used
for configuring scanner wrapper plugins and the `reference.yml` is
updated accordingly. While at it, also sort the advice providers
in the `reference.yml` alphabetically.

Tests that were testing the behavior of the previous implementation are
removed.

Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@bosch.io>
Since the previous commit the model does not require the advisor
specific configuration classes anymore. Move them to the advisor module
to prepare for moving the advice provider implementations to their own
plugin modules.

Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@bosch.io>
Remove the Jackson annotation from the advice provider configuration
classes as the configurations are not used for serialization anymore.

Signed-off-by: Martin Nonnenmacher <martin.nonnenmacher@bosch.io>
*/
@JsonProperty(access = JsonProperty.Access.WRITE_ONLY)
val apiKey: String? = null
val config: Map<String, PluginConfiguration>? = null
Copy link
Member

@sschuberth sschuberth Oct 16, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note to myself: Let's discuss later if this class could be inlined to get rid of the double config nesting.

@mnonnenmacher mnonnenmacher merged commit 7250e66 into main Oct 16, 2023
19 of 22 checks passed
@mnonnenmacher mnonnenmacher deleted the advisor-secret-options branch October 16, 2023 10:27
@mnonnenmacher
Copy link
Member Author

Merged as failing GoModFunTest is unrelated to the change.

@nnobelis
Copy link
Member

Once again this is a breaking change that breaks our plugins. Please add the corresponding tags to the PR.

@sschuberth
Copy link
Member

sschuberth commented Oct 18, 2023

Once again this is a breaking change that breaks our plugins.

@nnobelis Conventional commits and release notes generated from them by now have superseded PR labels in this regard. Please take a look at the "Breaking Changes" section for a release instead (this time it was not forgotten to mark commits accordingly).

Please add the corresponding tags to the PR.

Anyway, this PR actually was labeled accordingly.

@nnobelis
Copy link
Member

Ah yes true my mistake.

Could we, as a convention, put also something in the PR title so we can have a quick oversight when browsing the Github notifications ?

@sschuberth
Copy link
Member

put also something in the PR title

I'm not a fan of this as it's prone to typos etc., and we already have release notes, PR labels, and a note in the PR's top post; we can't put it just everywhere.

sschuberth added a commit that referenced this pull request Nov 29, 2023
Firstly, VulnerableCode can be used without an API key now [1], and
secondly the code to configure the API key was outdated anyway as it was
not adjusted to [2]. Simply remove the code to address this.

If the need to specify an API key should reoccur, the feature introduced
in 738790c should be used to set it via an environment variable that is
being used in a `config.yml` template.

[1]: aboutcode-org/vulnerablecode#1352
[2]: #7690

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
sschuberth added a commit that referenced this pull request Nov 30, 2023
Firstly, VulnerableCode can be used without an API key now [1], and
secondly the code to configure the API key was outdated anyway as it was
not adjusted to [2]. Simply remove the code to address this.

If the need to specify an API key should reoccur, the feature introduced
in 738790c should be used to set it via an environment variable that is
being used in a `config.yml` template.

[1]: aboutcode-org/vulnerablecode#1352
[2]: #7690

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants