Use Snyk as data provider #860
Conversation
| @@ -83,6 +86,7 @@ public class PackageManagement extends CachedSingleFeatureGitHubDataProvider<Pac | |||
| ".vcxproj"::equals, ".fsproj"::equals, "packages.config"::equals); | |||
| register(RUBYGEMS, "Gemfile.lock"::equals, "Gemfile"::equals, ".gemspec"::endsWith); | |||
| register(COMPOSER, "composer.json"::equals, "composer.lock"::equals); | |||
| register(GOMODULES, "go.mod"::equals); | |||
There was a problem hiding this comment.
Is this the only form of Go Module possible for Package Management.
Maybe is there a .lock file?
There was a problem hiding this comment.
In addition to go.mod, the go command maintains a file named go.sum containing the expected cryptographic hashes of the content of specific module versions. Do we need to check this as well?
src/test/java/com/sap/oss/phosphor/fosstars/advice/oss/SnykAdvisorTest.java
Outdated
Show resolved
Hide resolved
src/test/java/com/sap/oss/phosphor/fosstars/advice/oss/SnykAdvisorTest.java
Outdated
Show resolved
Hide resolved
src/test/java/com/sap/oss/phosphor/fosstars/advice/oss/SnykAdvisorTest.java
Outdated
Show resolved
Hide resolved
| Rating rating = RatingRepository.INSTANCE.rating(OssSecurityRating.class); | ||
| ValueSet values = new ValueHashSet(); | ||
| values.update(allUnknown(rating.score().allFeatures())); | ||
| values.update(USES_SNYK.value(false)); |
There was a problem hiding this comment.
If this is false, shouldn't the Advisory list contain an advice for Snyk?
And anyways the above test method already tests this scenario, what does this test method actually do?
src/main/java/com/sap/oss/phosphor/fosstars/data/github/UsesSnyk.java
Outdated
Show resolved
Hide resolved
src/main/java/com/sap/oss/phosphor/fosstars/data/github/UsesSnyk.java
Outdated
Show resolved
Hide resolved
| private static boolean isSnyk(String name) { | ||
| return name != null && name.toLowerCase().contains(SNYK_PATTERN); | ||
| } | ||
| } |
There was a problem hiding this comment.
I believe most of the methods given here seems to be from UsesDependebot. Could you please provide an abstract class?
…isorTest.java Co-authored-by: Sourabh Sarvotham Parkala <[email protected]>
…isorTest.java Co-authored-by: Sourabh Sarvotham Parkala <[email protected]>
…yk.java Co-authored-by: Sourabh Sarvotham Parkala <[email protected]>
…yk.java Co-authored-by: Sourabh Sarvotham Parkala <[email protected]>
| * <p>Shows if a project uses Snyk.</p> | ||
| * <p><a href="https://snyk.io/">Snyk</a> offers | ||
| * i) Static Application Security Testing (SAST) amd | ||
| * i) Static Application Security Testing (SAST) amd |
There was a problem hiding this comment.
| * i) Static Application Security Testing (SAST) amd |
| * <p>Shows if a project uses Snyk.</p> | ||
| * <p><a href="https://snyk.io/">Snyk</a> offers | ||
| * i) Static Application Security Testing (SAST) amd | ||
| * i) Static Application Security Testing (SAST) amd | ||
| * ii) Automatic dependency updates | ||
| * In particular for automatic dependency updates, | ||
| * when Snyk finds a vulnerability in dependencies, | ||
| * it opens a pull request to update the vulnerable dependency to the safe version.</p> |
There was a problem hiding this comment.
Could you format this a bit better? It looks very congested.
There was a problem hiding this comment.
*<ul>
* <li></li>
*</ul>
| * it opens a pull request to update the vulnerable dependency to the safe version.</p> | ||
| */ | ||
| public static final Feature<Boolean> USES_SNYK | ||
| = new BooleanFeature("If a project uses Snyk"); |
There was a problem hiding this comment.
I guess here indentation seems to be a miss
| * @see <a href="https://snyk.io/">Snyk</a> | ||
| */ | ||
| public static final BooleanFeature HAS_OPEN_PULL_REQUEST_FROM_SNYK | ||
| = new BooleanFeature("If a project has open pull requests from Snyk"); |
There was a problem hiding this comment.
This feature seems completely useless, where is it used in SnykScore?
There was a problem hiding this comment.
I think this is a good feature to increase the case in Snyk Score
src/main/java/com/sap/oss/phosphor/fosstars/model/feature/oss/OssFeatures.java
Show resolved
Hide resolved
|
|
||
| import com.sap.oss.phosphor.fosstars.model.Confidence; | ||
| import com.sap.oss.phosphor.fosstars.model.Score; | ||
| import com.sap.oss.phosphor.fosstars.model.math.DoubleInterval; |
| from: 1.0 | ||
| openLeft: false | ||
| negativeInfinity: false | ||
| to: 9.0 | ||
| to: 3.0 |
There was a problem hiding this comment.
This cannot be changed like this, As the Okay rating comes only between range 5 - 8 maybe a good range
| type: "DoubleInterval" | ||
| from: 1.0 | ||
| openLeft: false | ||
| negativeInfinity: false | ||
| to: 3.0 |
There was a problem hiding this comment.
This is wrong range for Okay rating
| openRight: false | ||
| positiveInfinity: false | ||
| expectedLabel: null | ||
| alias: "very_good" |
There was a problem hiding this comment.
Please add additional test vector for Bad and moderate rating range as well
| - type: "BooleanValue" | ||
| feature: | ||
| type: "BooleanFeature" | ||
| name: "If a project uses Snyk" | ||
| flag: false |
There was a problem hiding this comment.
Maybe this default value is not required, as you are already putting in unknown values
| - type: "BooleanValue" | ||
| feature: | ||
| type: "BooleanFeature" | ||
| name: "If a project uses Snyk" | ||
| flag: false |
There was a problem hiding this comment.
As a default is already set, maybe this part is not required.
src/test/resources/com/sap/oss/phosphor/fosstars/model/score/oss/DependabotScoreTestVectors.yml
Outdated
Show resolved
Hide resolved
src/test/resources/com/sap/oss/phosphor/fosstars/model/score/oss/DependabotScoreTestVectors.yml
Outdated
Show resolved
Hide resolved
...sources/com/sap/oss/phosphor/fosstars/model/score/oss/SnykDependencyScanScoreTestVectors.yml
Outdated
Show resolved
Hide resolved
...sources/com/sap/oss/phosphor/fosstars/model/score/oss/SnykDependencyScanScoreTestVectors.yml
Outdated
Show resolved
Hide resolved
…ss/DependabotScoreTestVectors.yml Co-authored-by: Sourabh Sarvotham Parkala <[email protected]>
…ss/DependabotScoreTestVectors.yml Co-authored-by: Sourabh Sarvotham Parkala <[email protected]>
…ss/SnykDependencyScanScoreTestVectors.yml Co-authored-by: Sourabh Sarvotham Parkala <[email protected]>
…ss/SnykDependencyScanScoreTestVectors.yml Co-authored-by: Sourabh Sarvotham Parkala <[email protected]>
Fixes #717
Changes:
ToDo: