Pipeline for Maven#1953
Conversation
Signed-off-by: Chin Yeung Li <tli@nexb.com>
Signed-off-by: Chin Yeung Li <tli@nexb.com>
Signed-off-by: Chin Yeung Li <tli@nexb.com>
Signed-off-by: Chin Yeung Li <tli@nexb.com>
- Update format Signed-off-by: Chin Yeung Li <tli@nexb.com>
Signed-off-by: Chin Yeung Li <tli@nexb.com>
…1763 - Update package's license if missing while the same package has license detected in RESOURCES Signed-off-by: Chin Yeung Li <tli@nexb.com>
Signed-off-by: Chin Yeung Li <tli@nexb.com>
Signed-off-by: Chin Yeung Li <tli@nexb.com>
Signed-off-by: Chin Yeung Li <tli@nexb.com>
Signed-off-by: Chin Yeung Li <tli@nexb.com>
tdruez
left a comment
There was a problem hiding this comment.
- Create a new maven pipe module in place of use resolve
- Opening and loading a large file to make edits multiple times in various steps is not great.
- To be discussed: Do we need a dedicated pipeline for just an extra step? Shouldn't the original
scan_single_packagedetect that it's a Maven package and apply the necessary? Any reason to keep this new logic separated?
Signed-off-by: Chin Yeung Li <tli@nexb.com>
- Create a new maven pipe module - Use database queries for update_package_license_from_resource_if_missing() - Add tests Signed-off-by: Chin Yeung Li <tli@nexb.com>
Signed-off-by: Chin Yeung Li <tli@nexb.com>
Signed-off-by: Chin Yeung Li <tli@nexb.com>
Signed-off-by: Chin Yeung Li <tli@nexb.com>
Signed-off-by: Chin Yeung Li <tli@nexb.com>
|
@tdruez I’ve updated the code to include support for the "D2D" option.
The "deploy_to_devel" option is equivalent to the "map_deploy_to_develop" pipeline, which runs on Java, JavaScript, Kotlin, and Scala as these are the languages commonly found in Maven projects. |
Signed-off-by: Chin Yeung Li <tli@nexb.com>
Signed-off-by: Chin Yeung Li <tli@nexb.com>
Some projects encountered a unique constraint violation when a resource was already mapped: ``` duplicate key value violates unique constraint "scanpipe_codebaserelation_unique_relation" DETAIL: Key (from_resource_id, to_resource_id, map_type)=(1512780, 1512790, jar_to_source) already exists. ``` Signed-off-by: Chin Yeung Li <tli@nexb.com>
Signed-off-by: tdruez <tdruez@aboutcode.org>
Signed-off-by: tdruez <tdruez@aboutcode.org>
The failing test is related to #2172 (#1763 (comment)) Reference data: However, in SCIO the file reports: So this discrepancy is not something to be fixed in this issue? |
Signed-off-by: Chin Yeung Li <tli@nexb.com>
|
I decided to change to another test file so that the test is passing. |
|
There seems to be duplicate commits coming in when you updated your branch, I'm not sure how to resolve this. |
Are you referring to the DCO? Should I force it and click “Set DCO to pass”? |
Signed-off-by: Chin Yeung <tli@nexb.com>
…1763 Signed-off-by: Chin Yeung Li <tli@nexb.com>
|
I have doubts about this design, and I want to revisit a concern I raised earlier that wasn't addressed: #1953 (review)
This new pipeline ScanMavenPackage implementation merges two fundamentally different processing paths: a basic scan and a full D2D analysis, into one class controlled by a d2d_option_enabled boolean. The current design will be confusing to maintain and to users. |
@tdruez The current pipeline design combines the basic scan and the D2D steps that already exist in other pipelines, with two additional steps:
So, I guess the question is is it necessary to have a dedicated pipeline for these 2 extra steps. @pombredanne any comment on it? |
|
@chinyeungli I like the dedicated pipeline as it helps focus the analysis, we just need to make sure we have design that @tdruez agrees to. One question is the way to invoke this. IMHO the input should be ONE PURL, and based on that the POM, the src JAR, the binary JAR(s) should be fetched, and possibly also even the corresponding source git repo should be fetched and processed. That way I could run it at the scale of a whole Maven repo, spawning one SCIO project for each PURL. Another question is if we want to also include C/C++ and native binaries steps, but that's for later. Let's discuss the details in the next call, if that works for you and @tdruez |
| options = ["Java", "Kotlin", "Scala", "JavaScript"] | ||
| d2d_config.load_ecosystem_config(pipeline=self, options=options) | ||
|
|
||
| self.map_about_files() |
There was a problem hiding this comment.
I am not sure you want to call all mapping steps inside a step? Should not these be their own steps?
There was a problem hiding this comment.
I've separated the logic into different steps
| return scanning_errors | ||
|
|
||
|
|
||
| def parse_maven_filename(filename): |
There was a problem hiding this comment.
Should this be in ScanCode? Do we have that already somewhere in PurlDB too?
There was a problem hiding this comment.
removed as this is not needed.
| package_ns = package.get("namespace", "") | ||
| package_name = package.get("name", "") | ||
| package_version = package.get("version", "") | ||
| pom_url = ( |
There was a problem hiding this comment.
Using this hardcoded URL means that we cannot run that on any other repo. We need to find a way to avoid that. If we use a PURL as a project input, then the Maven repo will be part of the PURL (most of the times as default), but then we do not have to further dive into that
There was a problem hiding this comment.
Updated code to use PURL as an input.
| return None, None | ||
|
|
||
|
|
||
| def get_pom_url_list(input_source, packages): |
There was a problem hiding this comment.
| def get_pom_url_list(input_source, packages): | |
| def get_pom_urls(input_source, packages): |
|
|
||
| def get_pom_url_list(input_source, packages): | ||
| """Generate Maven POM URLs from package metadata or input source.""" | ||
| pom_url_list = [] |
There was a problem hiding this comment.
May be use:
| pom_url_list = [] | |
| pom_urls = [] |
| input_source_url = input_source.get("download_url", "") | ||
|
|
||
| parsed_url = urlparse(input_source_url) | ||
| maven_hosts = { |
There was a problem hiding this comment.
See my comment above: no hardcoding of hosts should be needed
| "repo.maven.apache.org", | ||
| "maven.google.com", | ||
| } | ||
| if input_source_url and parsed_url.netloc in maven_hosts: |
There was a problem hiding this comment.
Do not we have code to do that in FetchCode, packageurl-python and/or scancode-toolkit? Also I have a hard time to understand all the parsing with indices. Do you have an example or tests of what you are trying to accomplish?
| return False | ||
|
|
||
|
|
||
| def download_pom_files(pom_url_list): |
There was a problem hiding this comment.
It is best to avoid a _list suffix IMHO
| def download_pom_files(pom_url_list): | |
| def download_pom_files(pom_url): |
| for pom_url in pom_url_list: | ||
| pom_file_dict = {} | ||
| try: | ||
| downloaded_pom = fetch.fetch_http(pom_url) |
There was a problem hiding this comment.
Could we use fetchcode to fetch instead?
There was a problem hiding this comment.
Yes, we could, but the issue is do we want to.
Following is the code if we switch to fetchcode which seems making things complicated, OR we can move the "fetch_http" to fetchcode and use it.
import os
import fetchcode
downloaded_pom = fetchcode.fetch(pom_url)
location = str(downloaded_pom.location)
path = location + ".pom"
# The fetch function from fetchcode save the file as /tmp/name
# without an extension. We need to add the ".pom" extension so that
# the package scan can work properly for this file.
os.rename(location, path)
Signed-off-by: tdruez <tdruez@aboutcode.org>
Signed-off-by: tdruez <tdruez@aboutcode.org>
Signed-off-by: tdruez <tdruez@aboutcode.org>
#2187) Signed-off-by: tdruez <tdruez@aboutcode.org>
Signed-off-by: tdruez <tdruez@aboutcode.org>
Signed-off-by: tdruez <tdruez@aboutcode.org>
- Remove unnecessary code - Override the default "download_inputs" action - Accept only a single Maven PURL as input - Perform a D2D scan by default if both binary and source are available - Update tests Signed-off-by: Chin Yeung Li <tli@nexb.com>
Signed-off-by: Chin Yeung Li <tli@nexb.com>
* Require for `"tab_context": {"VULNERABLECODE_URL": settings.VULNERABLECODE_URL},`
Signed-off-by: Chin Yeung Li <tli@nexb.com>
Signed-off-by: Chin Yeung <tli@nexb.com>
|
I've redesigned the code. It now only takes 1 PURL as input. Example 1: Without fetching the remote POM and updating the package data, no packages are detected because the fetched binary (https://repo1.maven.org/maven2/aero/champ/cargojson/1.0/cargojson-1.0.jar) doesn't contain a pom.xml. However, with remote POM fetching and package data updates enabled, we successfully detect 1 package and update 17 dependencies in the summary: Example 2: Since there is no source available for this package, only a basic scan is performed. |
* Require for `"tab_context": {"VULNERABLECODE_URL": settings.VULNERABLECODE_URL},`
Signed-off-by: Chin Yeung Li <tli@nexb.com>
Signed-off-by: Chin Yeung Li <tli@nexb.com>
Signed-off-by: Chin Yeung Li <tli@nexb.com>
Signed-off-by: Chin Yeung Li <tli@nexb.com>
Signed-off-by: Chin Yeung Li <tli@nexb.com>






Uh oh!
There was an error while loading. Please reload this page.