Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Integrity check for maven, npm and pypi #727

Closed
wants to merge 200 commits into from
Closed

Integrity check for maven, npm and pypi #727

wants to merge 200 commits into from

Conversation

mehab
Copy link
Collaborator

@mehab mehab commented Aug 4, 2023
edited by sahibamittal
Loading

Addresses issue

The integrity check functionality (maven, npm and pypi).
Hyades-apiserver PR: DependencyTrack/hyades-apiserver#261

nscuro
nscuro reviewed Aug 14, 2023
View reviewed changes
proto/src/main/proto/org/hyades/repometaanalysis/v1/repo_meta_analysis.proto Outdated Show resolved Hide resolved
repository-meta-analyzer/src/main/java/org/hyades/RepositoryMetaAnalyzerTopology.java Outdated Show resolved Hide resolved
repository-meta-analyzer/src/main/java/org/hyades/repositories/IMetaAnalyzer.java Outdated Show resolved Hide resolved
proto/src/main/proto/org/hyades/repometaanalysis/v1/repo_meta_analysis.proto Outdated Show resolved Hide resolved
repository-meta-analyzer/src/main/java/org/hyades/repositories/IntegrityAnalyzerFactory.java Outdated Show resolved Hide resolved
proto/src/main/proto/org/hyades/repometaanalysis/v1/repo_meta_analysis.proto Show resolved Hide resolved
repository-meta-analyzer/src/main/java/org/hyades/processor/IntegrityAnalyzerProcessor.java Outdated Show resolved Hide resolved
repository-meta-analyzer/src/main/java/org/hyades/processor/IntegrityAnalyzerProcessor.java Outdated Show resolved Hide resolved
proto/src/main/proto/org/hyades/repometaanalysis/v1/repo_meta_analysis.proto Outdated Show resolved Hide resolved
repository-meta-analyzer/src/main/java/org/hyades/processor/IntegrityAnalyzerProcessor.java Outdated Show resolved Hide resolved
@sahibamittal sahibamittal requested review from sahibamittal and nscuro and removed request for sahibamittal August 21, 2023 08:48
@sahibamittal sahibamittal changed the title Mavenintegritychecpoc Integrity check for maven, npm and pypi Aug 23, 2023
@sahibamittal sahibamittal mentioned this pull request Aug 23, 2023
Closed
mehab and others added 17 commits September 12, 2023 12:06
@mehab
e2e test added
63e6666 
Signed-off-by: mehab <[email protected]>
@mehab
updated e2e test working
dbc0dac 
Signed-off-by: mehab <[email protected]>
@mehab
updated e2e test working
2d2da3b 
Signed-off-by: mehab <[email protected]>
@dependabot @mehab
Bump lib.kafka.version from 3.4.1 to 3.5.0
30cffae 
Bumps `lib.kafka.version` from 3.4.1 to 3.5.0.

Updates `kafka-clients` from 3.4.1 to 3.5.0

Updates `kafka-streams` from 3.4.1 to 3.5.0

Updates `kafka-streams-test-utils` from 3.4.1 to 3.5.0

---
updated-dependencies:
- dependency-name: org.apache.kafka:kafka-clients
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: org.apache.kafka:kafka-streams
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: org.apache.kafka:kafka-streams-test-utils
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: mehab <[email protected]>
@dependabot @mehab
Bump quarkus.platform.version from 3.1.0.Final to 3.1.2.Final
396efd9 
Bumps `quarkus.platform.version` from 3.1.0.Final to 3.1.2.Final.

Updates `quarkus-bom` from 3.1.0.Final to 3.1.2.Final
- [Release notes](https://github.com/quarkusio/quarkus/releases)
- [Commits](quarkusio/quarkus@3.1.0.Final...3.1.2.Final)

Updates `quarkus-maven-plugin` from 3.1.0.Final to 3.1.2.Final
- [Commits](quarkusio/quarkus-platform@3.1.0.Final...3.1.2.Final)

Updates `quarkus-container-image-docker` from 3.1.0.Final to 3.1.2.Final

---
updated-dependencies:
- dependency-name: io.quarkus:quarkus-bom
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.quarkus.platform:quarkus-maven-plugin
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.quarkus:quarkus-container-image-docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: mehab <[email protected]>
@nscuro @mehab
Update snappy-java to 1.1.10.1
6da6896 
Fixes GHSA-qcwq-55hx-v3vh, GHSA-fjpj-2g6w-x25r, and GHSA-pqr6-cmr2-h8hf

Signed-off-by: nscuro <[email protected]>
Signed-off-by: mehab <[email protected]>
@mehab
use httpClient from commons module so proxy settings can be applied f…
40c5930 
…or osv client

Signed-off-by: mehab <[email protected]>
@mehab
removed unused dependencies
e44abc1 
Signed-off-by: mehab <[email protected]>
@mehab
renamed variable for better semantics of json result (#625)
a9be0fc 
Signed-off-by: mehab <[email protected]>
@mehab
updated e2e test per review comments
22b1885 
Signed-off-by: mehab <[email protected]>
@nscuro @mehab
Fix broken native images after KStreams upgrade (#622)
4d4a661 
* Fix broken native images after KStreams upgrade

As of kafka-streams 3.5.0, users can configure a KafkaClientSupplier, with the default implementation being `DefaultKafkaClientSupplier` (https://issues.apache.org/jira/browse/KAFKA-14395).

The supplier is called via reflection, but Quarkus <= 3.1.x doesn't yet register it as such for GraalVM.

Signed-off-by: nscuro <[email protected]>

* Fix failing native image ITs not failing the build

The build was succeeding despite the actual integration tests failing, causing #622 to slip through.

Signed-off-by: nscuro <[email protected]>

---------

Signed-off-by: nscuro <[email protected]>
Signed-off-by: mehab <[email protected]>
@nscuro @mehab
Have the API server generate the DB schema for the demo setup (#623)
3ccfb8e 
Signed-off-by: nscuro <[email protected]>
Signed-off-by: mehab <[email protected]>
@nscuro @mehab
Include Snyk request ID in exception message
f1d4d01 
Closes #483

Signed-off-by: nscuro <[email protected]>
Signed-off-by: mehab <[email protected]>
@nscuro @mehab
Add support for logging in JSON format
aec059f 
Defaults to off in order to be more human-readable.

Example log entry:

```
{"timestamp":"2023-06-23T11:55:24.627+02:00","sequence":2333,"loggerClassName":"org.jboss.logging.Logger","loggerName":"io.quarkus.deployment.dev.RuntimeUpdatesProcessor","level":"INFO","message":"Live reload total time: 1.348s ","threadName":"Aesh InputStream Reader","threadId":91,"mdc":{},"ndc":"","hostName":"ctrl","processName":"mirror-service-dev.jar","processId":33646}
```

Closes #618

Signed-off-by: nscuro <[email protected]>
Signed-off-by: mehab <[email protected]>
@mehab
added null check on purl to avoid parse exceptions showing up as erro…
f8a097a 
…rs in the osv mirror log. Corrected exception message

Signed-off-by: mehab <[email protected]>
@mehab
removed purl not null check
883e815 
Signed-off-by: mehab <[email protected]>
@nscuro @mehab
Fix native image tests for mirror-service
04ee6c4 
The GitHub advisory client loads template files from classpath, which are not packaged into the native image by default.

Signed-off-by: nscuro <[email protected]>
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
Update RepositoryMetaAnalyzerTopology.java
db8dddf 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
separate integrity analyzer interface
980c6ae 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
reduce duplicate code
ef31002 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
proto update and null check
e27ec26 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
refactor WIP
2ef4e84 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
refactor
0e07338 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
Update integrity_check.proto
3a534bb 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
Update integrity_check.proto
f96a22f 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
fix buf lint issue
8862452 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
fix buf lint 2
2b28e4d 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
fix proto imports
e4f701d 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
revert AUTHENTICATION_REQUIRED
06790c2 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
Update V0.0.1__API-Server-4.8.2.sql
fa11b41 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
Update RepositoryMetaAnalyzerIT.java
03bd8c4 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
added NPM integrity check
cd68d5b 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
fix purl namespace nullPointerEx
8ddd0a8 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
added pypi integrity and tests
99f5fbe 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
clean imports
b9c0bde 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
Update MavenMetaAnalyzerTest.java
a1100ce 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
removed duplicate code
19d4006 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
refactor IntegrityModel variables
95312d5 
Signed-off-by: mehab <[email protected]>
@sahibamittal @mehab
update repository_url to identifier
d553fee 
Signed-off-by: mehab <[email protected]>
@sonarcloud
Copy link

sonarcloud bot commented Sep 18, 2023

SonarCloud Quality Gate failed.    Quality Gate failed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 12 Code Smells

81.6% 81.6% Coverage
3.4% 3.4% Duplication

idea Catch issues before they fail your Quality Gate with our IDE extension sonarlint SonarLint

@mehab mehab mentioned this pull request Sep 18, 2023
Closed
@mehab
Copy link
Collaborator Author

mehab commented Sep 18, 2023

Closing this pull request after reconsidering the design as per requirement of having published date for newly fetched components all the time. Adding the detailed meeting notes on issue #699

@mehab mehab closed this Sep 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sahibamittal sahibamittal Awaiting requested review from sahibamittal

@nscuro nscuro Awaiting requested review from nscuro

@VithikaS VithikaS Awaiting requested review from VithikaS

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@mehab @nscuro @sahibamittal @VithikaS @dependencytrack-bot