-
-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for fetching meta data from deps.dev #1457
Open
n1ckl0sk0rtge
wants to merge
9
commits into
DependencyTrack:main
Choose a base branch
from
n1ckl0sk0rtge:main
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
9 commits
Select commit
Hold shift + click to select a range
a397e39
feature/DepsDev analyzer
san-zrl b774c59
fixed imports
san-zrl 67ddadc
Merge branch 'n1ckl0sk0rtge:main' into DevDeps-analyzer
san-zrl be13f66
Merge pull request #1 from san-zrl/DevDeps-analyzer
n1ckl0sk0rtge 472841c
Merge branch 'DependencyTrack:main' into main
n1ckl0sk0rtge 502d047
Merge branch 'DependencyTrack:main' into main
n1ckl0sk0rtge 1963a55
Merge branch 'DependencyTrack:main' into main
n1ckl0sk0rtge 740b205
Merge branch 'DependencyTrack:main' into main
n1ckl0sk0rtge 59c4b35
Merge branch 'DependencyTrack:main' into main
n1ckl0sk0rtge File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
115 changes: 115 additions & 0 deletions
115
.../src/main/java/org/dependencytrack/repometaanalyzer/repositories/DepsDevMetaAnalyzer.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,115 @@ | ||
| /* | ||
| * This file is part of Dependency-Track. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| * | ||
| * SPDX-License-Identifier: Apache-2.0 | ||
| * Copyright (c) OWASP Foundation. All Rights Reserved. | ||
| */ | ||
| package org.dependencytrack.repometaanalyzer.repositories; | ||
|
|
||
| import java.io.IOException; | ||
| import java.io.InputStream; | ||
| import java.net.URLEncoder; | ||
| import java.nio.charset.StandardCharsets; | ||
| import java.util.Iterator; | ||
| import java.util.Optional; | ||
|
|
||
| import org.apache.http.HttpEntity; | ||
| import org.apache.http.HttpStatus; | ||
| import org.apache.http.client.methods.CloseableHttpResponse; | ||
| import org.dependencytrack.persistence.model.Component; | ||
| import org.dependencytrack.persistence.model.RepositoryType; | ||
| import org.dependencytrack.repometaanalyzer.model.MetaModel; | ||
| import org.dependencytrack.repometaanalyzer.util.PurlUtil; | ||
| import org.json.JSONArray; | ||
| import org.json.JSONException; | ||
| import org.json.JSONObject; | ||
| import org.json.JSONTokener; | ||
| import org.slf4j.Logger; | ||
| import org.slf4j.LoggerFactory; | ||
|
|
||
| import com.github.packageurl.PackageURL; | ||
|
|
||
| public class DepsDevMetaAnalyzer extends AbstractMetaAnalyzer { | ||
| private static final Logger LOGGER = LoggerFactory.getLogger(DepsDevMetaAnalyzer.class); | ||
| private static final String DEFAULT_BASE_URL = "https://api.deps.dev/v3alpha"; | ||
| private static final String API_URL = "/purl/%s"; | ||
| private static final String SOURCE_REPO = "SOURCE_REPO"; | ||
|
|
||
| DepsDevMetaAnalyzer() { | ||
| this.baseUrl = DEFAULT_BASE_URL; | ||
| } | ||
|
|
||
| @Override | ||
| public boolean isApplicable(Component component) { | ||
| return component.getPurl() != null; | ||
| } | ||
|
|
||
| /** | ||
| * {@inheritDoc} | ||
| */ | ||
| public RepositoryType supportedRepositoryType() { | ||
| return null; // Supported values for type are cargo, golang, maven, npm, nuget and pypi. | ||
| } | ||
|
|
||
| /** | ||
| * {@inheritDoc} | ||
| */ | ||
| public MetaModel analyze(final Component component) { | ||
| final MetaModel meta = new MetaModel(component); | ||
| final PackageURL purl = component.getPurl(); | ||
| if (purl != null) { | ||
| PackageURL coords = PurlUtil.silentPurlCoordinatesOnly(purl); | ||
| if (coords != null) { | ||
| String encodedCoords = URLEncoder.encode(coords.canonicalize(), StandardCharsets.UTF_8); | ||
| final String url = String.format(baseUrl + API_URL, encodedCoords); | ||
| try (final CloseableHttpResponse response = processHttpRequest(url)) { | ||
| if (response.getStatusLine().getStatusCode() == HttpStatus.SC_OK && | ||
| response.getEntity() != null) { | ||
| Optional<String> sourceRepo = extractSourceRepo(response.getEntity()); | ||
| sourceRepo.ifPresent(meta::setSourceRepository); | ||
| } | ||
| } catch (IOException | JSONException e) { | ||
| handleRequestException(LOGGER, e); | ||
| } | ||
| } | ||
| } | ||
| return meta; | ||
| } | ||
|
|
||
| private Optional<String> extractSourceRepo(HttpEntity entity) throws IOException, JSONException { | ||
| try (InputStream in = entity.getContent()) { | ||
| JSONObject version = new JSONObject(new JSONTokener(in)).getJSONObject("version"); | ||
|
|
||
| // Try to read the repo url from the links section | ||
| JSONArray links = version.getJSONArray("links"); | ||
| if (links != null) { | ||
| Iterator<Object> it = links.iterator(); | ||
| while(it.hasNext()) { | ||
| JSONObject link = (JSONObject)it.next(); | ||
| if (SOURCE_REPO.equals(link.getString("label"))) { | ||
| return Optional.of(link.getString("url")); | ||
| } | ||
| } | ||
| } | ||
| } | ||
| return Optional.empty(); | ||
| } | ||
|
|
||
| @Override | ||
| public String getName() { | ||
| return this.getClass().getSimpleName(); | ||
| } | ||
|
|
||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
58 changes: 58 additions & 0 deletions
58
.../test/java/org/dependencytrack/repometaanalyzer/repositories/DepsDevMetaAnalyzerTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| /* | ||
| * This file is part of Dependency-Track. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| * | ||
| * SPDX-License-Identifier: Apache-2.0 | ||
| * Copyright (c) OWASP Foundation. All Rights Reserved. | ||
| */ | ||
| package org.dependencytrack.repometaanalyzer.repositories; | ||
|
|
||
| import org.apache.http.impl.client.HttpClients; | ||
| import org.dependencytrack.persistence.model.Component; | ||
| import org.dependencytrack.repometaanalyzer.model.MetaModel; | ||
| import org.junit.Assert; | ||
| import org.junit.jupiter.api.Test; | ||
| import org.junit.jupiter.api.BeforeEach; | ||
|
|
||
| class DepsDevMetaAnalyzerTest { | ||
| private static IMetaAnalyzer analyzer; | ||
|
|
||
| @BeforeEach | ||
| void beforeEach() { | ||
| analyzer = new DepsDevMetaAnalyzer(); | ||
| analyzer.setHttpClient(HttpClients.createDefault()); | ||
| } | ||
|
|
||
| @Test | ||
| void testRepoFound() { | ||
| Component component = new Component(); | ||
| component.setPurl("pkg:maven/com.googlecode.owasp-java-html-sanitizer/java10-shim@20240325.1"); | ||
|
|
||
| Assert.assertTrue(analyzer.isApplicable(component)); | ||
| Assert.assertNull(analyzer.supportedRepositoryType()); | ||
| MetaModel metaModel = analyzer.analyze(component); | ||
| Assert.assertEquals("https://github.com/OWASP/java-html-sanitizer", metaModel.getSourceRepository()); | ||
| } | ||
|
|
||
| @Test | ||
| void testRepoNotFound() { | ||
| Component component = new Component(); | ||
| component.setPurl("pkg:maven/org.apache.httpcomponents/httpclient@4.5.14"); | ||
|
|
||
| Assert.assertTrue(analyzer.isApplicable(component)); | ||
| Assert.assertNull(analyzer.supportedRepositoryType()); | ||
| MetaModel metaModel = analyzer.analyze(component); | ||
| Assert.assertNull(metaModel.getSourceRepository()); | ||
| } | ||
| } |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The analyzer would still need to be registered with
RepositoryAnalyzerFactory, based on the PURL types it supports:hyades/repository-meta-analyzer/src/main/java/org/dependencytrack/repometaanalyzer/repositories/RepositoryAnalyzerFactory.java
Lines 33 to 44 in 941dd0f
The current model assumes at most one analyzer per PURL type though, so we'd need to adjust this to support multiple. Question then is, should one take priority over the other? Do we execute all applicable analyzers, and if so, how do we merge all results back into one?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm wondering if perhaps we should switch to deps.dev entirely for all public components. The
internalstatus is already provided to the repository meta analyzer as per Protobuf definition:hyades/proto/src/main/proto/org/dependencytrack/repometaanalysis/v1/repo_meta_analysis.proto
Lines 45 to 47 in 941dd0f
In that case, we would not only source the repository from deps.dev, but also:
I think that would be simpler than trying to support multiple analyzers per PURL.
Does that sound reasonable? Granted that change would be a bit larger.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nscuro took me a while to review. Yes, thats a good point. So do you think the Map can hold
List<Supplier<IMetaAnalyzer>>and that we add some priority mechanism toIMetaAnalyzer? What we could also do is havingDepsDevMetaAnalyzeras a base class for all the other MetaAnayzer. This would result in having a basic implementation for all PURL typs inDepsDevMetaAnalyzerwhich can be specialised and overridden. Then using the sameANALYZER_SUPPLIERS-map we can select and migrate step by step for each purl type.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I really like this idea!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
DevDeps accepts purls with and without version tags but returns different content:
If the version is not part of the purl we get a json object containing information about all available versions. If the version is part of the purl, we get the information about the given version enriched with additional data such as SOURCE_REPO. From this we could extract
In DT we have purls with version tags. Finding out the latest version of a package would be complicated given the way DevDeps purlLookup works. We would have to query DevDeps twice, once without version tag and a second time with version tag. Probably not a good idea...