Adds audit trail comments for all fields of new analysis #3551
Conversation
Coverage summary from CodacySee diff coverage on Codacy
Coverage variation details
Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: Diff coverage details
Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: See your quality gate settings Change summary preferencesYou may notice some variations in coverage metrics with the latest Coverage engine update. For more details, visit the documentation Footnotes
|
There was a problem hiding this comment.
Thanks for the PR @sebD! A few suggestions.
a better approach would be to create a dedicated AnalysisService that would be called from the CycloneDXVexImporter and the AnalysisResource. Currently these two classes have too many responsabilities. Moreover, they share the analysis creation responsability and do it in a different manner.
Indeed it would be great to have this logic centralized. Would you like to take a shot at that in this PR?
|
|
||
| public static void makeFirstStateComment(final QueryManager qm, final Analysis analysis, final String commenter) { | ||
| if (analysis.getAnalysisState() != null) { | ||
| addAnalysisStateComment(qm, analysis, null, analysis.getAnalysisState(), commenter); |
There was a problem hiding this comment.
We should use NOT_SET here instead of null. null should not be exposed to users.
| addAnalysisStateComment(qm, analysis, null, analysis.getAnalysisState(), commenter); | |
| addAnalysisStateComment(qm, analysis, AnalysisState.NOT_SET, analysis.getAnalysisState(), commenter); |
| Condition<String> elfBearer = new Condition<String>() { | ||
| public boolean matches(String value) { | ||
| return value.contains("toto"); | ||
| } | ||
| }; |
| assertThat(responseJson.getJsonArray("analysisComments").getJsonObject(0)) | ||
| .hasFieldOrPropertyWithValue("comment", Json.createValue("Analysis: NOT_SET → NOT_AFFECTED")) | ||
| .hasFieldOrPropertyWithValue("comment", Json.createValue("Analysis: null → NOT_AFFECTED")) |
There was a problem hiding this comment.
This is a regression and would be resolved by passing NOT_SET instead of null when creating the comment.
|
|
||
| public static void makeFirstAnalysisResponseComment(QueryManager qm, Analysis analysis, String commenter) { | ||
| if (analysis.getAnalysisResponse() != null) { | ||
| addAnalysisResponseComment(qm, analysis, null, analysis.getAnalysisResponse(), commenter); |
There was a problem hiding this comment.
| addAnalysisResponseComment(qm, analysis, null, analysis.getAnalysisResponse(), commenter); | |
| addAnalysisResponseComment(qm, analysis, AnalysisResponse.NOT_SET, analysis.getAnalysisResponse(), commenter); |
|
|
||
| public static void makeFirstJustificationComment(QueryManager qm, Analysis analysis, String commenter) { | ||
| if (analysis.getAnalysisJustification() != null) { | ||
| addAnalysisJustificationComment(qm, analysis, null, analysis.getAnalysisJustification(), commenter); |
There was a problem hiding this comment.
| addAnalysisJustificationComment(qm, analysis, null, analysis.getAnalysisJustification(), commenter); | |
| addAnalysisJustificationComment(qm, analysis, AnalysisJustification.NOT_SET, analysis.getAnalysisJustification(), commenter); |
|
I'll have a look. |
sebD
force-pushed
the
3470-analysis-details-missing
branch
from
1030f44
to
315ad3e
Compare
|
@nscuro I am currently working on fixing some tests. Do not hesitate to give me any remarks on the proposed solution. I have taken some initiatives that differ a bit from the rest of the app. As I'm a new contributor, I remain open to make any change in the design. |
sebD
force-pushed
the
3470-analysis-details-missing
branch
2 times, most recently
from
067338c
to
5dffd9f
Compare
|
@nscuro PR ready for second review round |
|
Thanks @sebD I'll have a look over the coming days. Trying to wrap up remaining work for v4.11 at the moment. |
|
No problem. Take your time. |
…nalysis added either via UI or directly via REST call. Does add more comments when using the UI but reflects state of the vulnerability audit better. Fixes: DependencyTrack#3470 Signed-off-by: Sebastien Delcoigne <sebastien.delcoigne@gmail.com>
…d service Adds analysis comments for justification, state and details for new analysis added either via UI or directly via REST call. Fixes DependencyTrack#3470 Signed-off-by: Sebastien Delcoigne <sebastien.delcoigne@gmail.com>
Signed-off-by: Sebastien Delcoigne <sebastien.delcoigne@gmail.com>
… AnalysisService to avoid "Object with id 'x' is managed by a different persistence manager" error types Signed-off-by: Sebastien Delcoigne <sebastien.delcoigne@gmail.com>
sebD
force-pushed
the
3470-analysis-details-missing
branch
from
5dffd9f
to
62bf367
Compare
Coverage summary from CodacySee diff coverage on Codacy
Coverage variation details
Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: Diff coverage details
Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: See your quality gate settings Change summary preferencesYou may notice some variations in coverage metrics with the latest Coverage engine update. For more details, visit the documentation |
Description
Adds audit comments for all properties of a newly created analysis entry.
Addressed Issue
Fixes: #3470
Additional Details
This fix proposition changes the current behavior a bit when audits are performed manually via the UI. At the moment, setting the Analysis state only adds a comment about this particular field even though justification and vendor response are also set with default values. The proposed fix would add comments for those too.
This behavior seem coherent with what I understood from the Vex import feature (cf CycloneDXVexImporter.
This is a quick fix solution, a better approach would be to create a dedicated AnalysisService that would be called from the CycloneDXVexImporter and the AnalysisResource. Currently these two classes have too many responsabilities. Moreover, they share the analysis creation responsability and do it in a different manner.
I'll be happy to discuss this refactor further if deemed interesting.
Checklist