Add Support to the New Scanners Config #412
Conversation
src/main/java/com/jfrog/ide/idea/scan/SourceCodeScannerManager.java
Looks like there is a missing directory:
scan/data/applications
I'd like to review it again after handling my comments and adding the missing directory.
} | ||
|
||
protected List<JFrogSecurityWarning> execute(ScanConfig.Builder inputFileBuilder, List<String> args, Runnable checkCanceled, boolean createInputFile, File executionDir) throws IOException, InterruptedException { | ||
protected List<JFrogSecurityWarning> execute(ScanConfig.Builder inputFileBuilder, List<String> args, Runnable checkCanceled, boolean newConfigFormat) throws IOException, InterruptedException { |
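Review bot: The new signature drops `File executionDir` together with `createInputFile`, so the caller no longer controls the working directory the scanner binary runs in; make sure `execute` still sets it explicitly (a scanner started from the IDE's current directory can pick up the wrong `.jfrog` config or write its output somewhere unexpected). The replacement `boolean newConfigFormat` also needs a Javadoc line saying which config file format it selects, and since the method is already flagged as too long, an enum or two small overloads (`executeLegacy`, `executeNewConfig`) would avoid threading one more `if (newConfigFormat)` branch through it.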
This method became very long and not readable. Please consider refactoring by splitting it into submethods in this or another PR.
@@ -288,7 +287,7 @@ protected void downloadBinary() throws IOException { | |||
} | |||
} | |||
|
|||
Path createTempRunInputFile(ScansConfig scanInput) throws IOException { | |||
Path createTempRunInputFile(Object scanInput) throws IOException { |
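Review bot: Widening the parameter from `ScansConfig` to `Object` loses the compile-time guarantee of what ends up in the run input file; one overload per config class (`ScansConfig` and the new config type), or a small shared interface both implement, keeps the same call sites and documents exactly which two shapes the scanners accept. While touching this method, confirm the temp file is created with owner-only permissions and deleted after the scanner exits, since it lists the project paths and scan settings.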
Deserializing an object is considered insecure. See https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization.
Let's deserialize only ScanConfig or NewScanConfig. You can use method overloading for this.
Those are internal input objects that should be unified in the near future (when all the scanners support the new config file). Hence we are only deserializing objects we are creating; I see no security concern here.
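The overloading suggested above, written out as an added example; this is not the plugin's code, and `ScanConfig`, `NewScanConfig`, the field names and the YAML layout are placeholders for the real types in ide-plugins-common. The point is that the public entry points accept only the two config classes the plugin itself builds, the `Object`-typed helper is private, and the temp file the scanner reads is created owner-only where the filesystem supports it:

```java
// Added example (not jfrog-idea-plugin code): typed overloads instead of an Object
// parameter for the run-input writer. ScanConfig / NewScanConfig are placeholders.
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.List;
import java.util.Set;

public final class RunInputFiles {
    private static final ObjectMapper YAML = new ObjectMapper(new YAMLFactory());

    // Placeholder for the legacy scanner config (public fields so Jackson serializes them).
    public static final class ScanConfig {
        public String type;
        public List<String> roots;
    }

    // Placeholder for the new config format; same idea, one extra field.
    public static final class NewScanConfig {
        public String type;
        public List<String> roots;
        public List<String> excludePatterns;
    }

    // One public overload per config class: callers cannot pass an arbitrary object.
    public static Path createTempRunInputFile(ScanConfig config) throws IOException {
        return write(config);
    }

    public static Path createTempRunInputFile(NewScanConfig config) throws IOException {
        return write(config);
    }

    // The wide type is confined to this private helper.
    private static Path write(Object config) throws IOException {
        Path file = newPrivateTempFile();
        YAML.writeValue(file.toFile(), config);
        return file;
    }

    // The input file lists project paths and scan settings, so create it rw for the owner only.
    private static Path newPrivateTempFile() throws IOException {
        Set<PosixFilePermission> ownerRw = PosixFilePermissions.fromString("rw-------");
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerRw);
        try {
            return Files.createTempFile("scan-input-", ".yaml", attr);
        } catch (UnsupportedOperationException nonPosix) {
            // Windows: POSIX permissions are not supported; the file inherits %TEMP% ACLs.
            return Files.createTempFile("scan-input-", ".yaml");
        }
    }

    public static void main(String[] args) throws IOException {
        NewScanConfig cfg = new NewScanConfig();
        cfg.type = "secrets";
        cfg.roots = List.of("/work/project");
        cfg.excludePatterns = List.of("**/node_modules/**");
        Path input = createTempRunInputFile(cfg);
        try {
            System.out.print(Files.readString(input));   // the YAML the scanner would read
        } finally {
            Files.delete(input);                          // never leave the input file behind
        }
    }
}
```

Jackson's `jackson-dataformat-yaml` module is assumed on the classpath. A call such as `createTempRunInputFile(new Object())` no longer compiles, which is the whole benefit over the `Object` signature in the hunk.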
JFrogApplicationsConfig projectConfig = parseJFrogApplicationsConfig(); | ||
|
||
if (projectConfig != null) { | ||
for (ModuleConfig moduleConfig : projectConfig.getModules()) { |
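Review bot: `projectConfig` is null-checked but `projectConfig.getModules()` is not, so a config file with no `modules` entry will throw a NullPointerException here unless `parseJFrogApplicationsConfig()` guarantees an empty list; either guarantee that in the parser or guard the loop with `if (projectConfig != null && projectConfig.getModules() != null)`. Also state what happens when the file is present but malformed: a scan should fall back to the default configuration with a logged warning rather than fail the whole run.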
Can we run them in tasks? Running each scanner serially may take a lot of time
We should do it in a separate PR in the near future.
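One way the per-module loop could be moved off the serial path, as an added example rather than code from this PR: each module becomes a task in a bounded pool, the caller's `checkCanceled` runnable is polled while waiting so an IDE cancellation is honoured within a few hundred milliseconds, one failing scanner does not hide the other modules' results, and the remaining tasks are interrupted when the scan is cancelled. `ModuleConfig`, `JFrogSecurityWarning` and `ModuleScanner` are placeholders for the plugin's own types.

```java
// Added example (not jfrog-idea-plugin code): run module scans concurrently with
// cancellation support. The record types below stand in for the plugin's classes.
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public final class ParallelModuleScan {
    public record ModuleConfig(String name, String sourceRoot) {}
    public record JFrogSecurityWarning(String module, String message) {}

    @FunctionalInterface
    public interface ModuleScanner {
        List<JFrogSecurityWarning> scan(ModuleConfig module) throws Exception;
    }

    // checkCanceled is expected to throw (ProcessCanceledException inside IntelliJ) when the
    // user cancels; the finally block then interrupts every scanner task still running.
    public static List<JFrogSecurityWarning> scanAll(List<ModuleConfig> modules,
                                                     ModuleScanner scanner,
                                                     Runnable checkCanceled,
                                                     int parallelism) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(Math.max(1, parallelism));
        try {
            List<Future<List<JFrogSecurityWarning>>> futures = new ArrayList<>();
            for (ModuleConfig module : modules) {
                futures.add(pool.submit(() -> scanner.scan(module)));
            }
            List<JFrogSecurityWarning> all = new ArrayList<>();
            for (int i = 0; i < futures.size(); i++) {
                Future<List<JFrogSecurityWarning>> future = futures.get(i);
                String moduleName = modules.get(i).name();
                while (true) {
                    checkCanceled.run();                 // noticed within ~200 ms of a cancel
                    try {
                        all.addAll(future.get(200, TimeUnit.MILLISECONDS));
                        break;
                    } catch (TimeoutException stillRunning) {
                        // keep polling so cancellation is honoured while we wait
                    } catch (ExecutionException failed) {
                        // Report the failure for this module; the other modules' results survive.
                        all.add(new JFrogSecurityWarning(moduleName,
                                "scanner failed: " + failed.getCause()));
                        break;
                    }
                }
            }
            return all;
        } finally {
            pool.shutdownNow();   // interrupts any task still running after cancel or error
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed sample input: two modules, a scanner that flags one of them and
        // throws on the other, and a checkCanceled that never cancels.
        List<ModuleConfig> modules = List.of(
                new ModuleConfig("api", "/work/project/api"),
                new ModuleConfig("web", "/work/project/web"));
        ModuleScanner scanner = module -> {
            if (module.name().equals("web")) {
                throw new IllegalStateException("binary exited with code 2");
            }
            return List.of(new JFrogSecurityWarning(module.name(),
                    "hardcoded credential in " + module.sourceRoot() + "/Config.java"));
        };
        for (JFrogSecurityWarning w : scanAll(modules, scanner, () -> {}, 4)) {
            System.out.println(w.module() + ": " + w.message());
        }
    }
}
```

Inside the plugin the pool would more naturally be IntelliJ's own background task API, and `checkCanceled` would be `ProgressManager.checkCanceled()`; the polling-wait structure is the same either way.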
99681d9 to 7c8ee3a
Looks better! Please consider the below changes.
Add support for the new project config file.
Depends on jfrog/ide-plugins-common#134