
Refactor vulnerability-analyzer to use Protobuf schemas #338

Merged: 8 commits from issue-244-2 into main on Mar 7, 2023
Conversation

nscuro (Member) commented Feb 20, 2023

This PR refactors the vulnerability-analyzer service to use the Protobuf schemas introduced in #337.

Important notes

  1. Redpanda Console can deserialize Protobuf messages and display them in a human-readable way [1]; publishing Protobuf messages via Redpanda Console is currently not supported [2].
  2. xk6-kafka currently does not support Protobuf [3].

How to test

Ideally, everything should just continue to work as before.
But anyway, here's how this can be verified:

  1. Check out this branch and install all modules (this will also generate Java classes from the Protobuf schemas):
     git checkout issue-244-2
     ./mvnw clean install -DskipTests
  2. Launch Postgres and Redpanda as usual:
     docker compose up -d
  3. Start the vulnerability-analyzer service:
     cd vulnerability-analyzer
     ../mvnw quarkus:dev
  4. In a separate terminal, navigate to the API server repo and check out the branch of the companion PR [4]:
     cd hyades-apiserver
     git fetch
     git checkout protobuf
  5. Build the API server JAR:
     ./mvnw clean package -Pembedded-jetty -Penhance -DskipTests -Dlogback.configuration.file=src/main/docker/logback.xml
  6. Launch the API server:
     SYSTEM_REQUIREMENT_CHECK_ENABLED=false java -Xmx1g -XX:+UseParallelGC -jar target/dependency-track-apiserver.jar

At this point, you can either proceed with manual or automatic testing.

For manual:

  • Launch a frontend container:
    docker run --rm -e "API_BASE_URL=http://localhost:8080" -p 8081:8080 dependencytrack/frontend:snapshot
  • In a browser, navigate to http://localhost:8081 and upload a BOM to a project
  • Check the logs of both API server and vulnerability-analyzer for any errors

For automatic:

  • Prepare a directory with >= 1 SBOMs in CycloneDX JSON format; ensure they all end in .cdx.json
  • Use dtbench to set up the admin account, create as many projects as you wish, upload BOMs to them, and wait for the processing of every BOM to complete:
    docker run -it --rm -v "/path/to/boms:/work:ro" ghcr.io/nscuro/dtbench:latest \
      -url http://host.docker.internal:8080 -pass admin123 \
      -boms /work -count <NUMBER_OF_PROJECTS> \
      -wait -wait-timeout 15m

Footnotes

  [1] https://docs.redpanda.com/docs/manage/console/protobuf/
  [2] https://github.com/redpanda-data/console/issues/370
  [3] https://github.com/mostafa/xk6-kafka/issues/71
  [4] https://github.com/DependencyTrack/hyades-apiserver/pull/32
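Both test paths above end the same way: the BOM directory has to be in the shape dtbench expects (only .cdx.json files, each a CycloneDX JSON document), and the API server and vulnerability-analyzer logs have to be free of errors. The script below automates those two checks. It is an example added to this page, not code from this PR or from the hyades project; the script name preflight.sh, the logger names in the sample log lines, the BOM content and the error patterns are all constructed for illustration, not captured from the services.

```shell
#!/usr/bin/env sh
# Added example for the test procedure above; not part of the hyades project or
# this PR. The BOM, the log lines and the error patterns below are constructed
# for illustration, not captured from the API server or vulnerability-analyzer.

# check_bom_dir DIR
# Succeeds and prints the number of BOMs when DIR holds at least one file, every
# file ends in .cdx.json (the suffix dtbench expects), and each declares
# "bomFormat": "CycloneDX". Fails with a message on the first offending file.
check_bom_dir() {
  dir="$1"
  count=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case "$f" in
      *.cdx.json) ;;
      *) echo "not a .cdx.json file: $f" >&2; return 1 ;;
    esac
    if ! grep -q -E '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$f"; then
      echo "not a CycloneDX JSON BOM: $f" >&2; return 1
    fi
    count=$((count + 1))
  done
  [ "$count" -ge 1 ] || { echo "no .cdx.json files in $dir" >&2; return 1; }
  echo "$count"
}

# Lines that indicate a failure in a Quarkus-style log: an ERROR level marker or
# a Java exception / "Caused by:" stack-trace header (assumed patterns).
ERROR_PATTERN='(^|[[:space:]])ERROR([[:space:]]|$)|Exception|Caused by:'

# count_log_errors FILE
# Prints how many lines of FILE match ERROR_PATTERN (0 when the log is clean);
# fails only if FILE cannot be read.
count_log_errors() {
  n=$(grep -c -E "$ERROR_PATTERN" "$1") || [ "$n" = 0 ] || return 1
  echo "$n"
}

# make_fixture
# Writes constructed sample data into a fresh temp directory and prints its path:
# boms/sample.cdx.json (a minimal CycloneDX 1.4 BOM), clean.log, failing.log.
make_fixture() {
  d=$(mktemp -d)
  mkdir "$d/boms"
  cat > "$d/boms/sample.cdx.json" <<'EOF'
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "jackson-databind",
      "version": "2.13.4",
      "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"
    }
  ]
}
EOF
  printf '%s\n' \
    '2023-03-07 10:00:01,000 INFO  [io.quarkus] (main) vulnerability-analyzer started' \
    '2023-03-07 10:00:05,000 INFO  [example.consumer] (kafka) consumed 1 record' \
    > "$d/clean.log"
  printf '%s\n' \
    '2023-03-07 10:00:01,000 INFO  [io.quarkus] (main) vulnerability-analyzer started' \
    '2023-03-07 10:00:05,000 ERROR [example.consumer] (kafka) failed to deserialize record' \
    'com.google.protobuf.InvalidProtocolBufferException: Protocol message contained an invalid tag (zero).' \
    > "$d/failing.log"
  echo "$d"
}

# Self-check on the constructed data: sh preflight.sh selftest
if [ "${1:-}" = "selftest" ]; then
  fx=$(make_fixture)
  check_bom_dir "$fx/boms"
  count_log_errors "$fx/clean.log"
  count_log_errors "$fx/failing.log"
  rm -rf "$fx"
fi
```

Against a real run, source the script and call check_bom_dir on the directory you intend to mount into dtbench before starting it, then run count_log_errors over the captured stdout of both services once dtbench reports that every BOM has been processed; a non-zero count is the "any errors" condition the procedure asks you to look for.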

@nscuro nscuro added enhancement New feature or request domain/vuln-analysis labels Feb 20, 2023

VithikaS previously approved these changes Mar 7, 2023

Commits (8), each Signed-off-by: nscuro <nscuro@protonmail.com>
sonarcloud bot commented Mar 7, 2023

Kudos, SonarCloud Quality Gate passed!

  Bugs: 0 (A)
  Vulnerabilities: 0 (A)
  Security Hotspots: 0 (A)
  Code Smells: 0 (A)
  Coverage: 81.2%
  Duplication: 2.3%

@nscuro nscuro merged commit abec68a into main Mar 7, 2023
@nscuro nscuro deleted the issue-244-2 branch March 7, 2023 15:32