Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🚧 Third party repository detection probe #323

Closed
wants to merge 57 commits into from
Closed

🚧 Third party repository detection probe #323

wants to merge 57 commits into from

Conversation

Jagrutiti
Copy link
Member

@Jagrutiti Jagrutiti commented Jun 1, 2023
edited
Loading

Description

This probe will check:

  • Whether third party repositories is being used. If yes, it may list the repositories .
  • If no third party repositories are used, it will succeed.

Closes #299

Submitter checklist

  • If the issue exists, it is well described and linked in the description
  • The description of this pull request is detailed and explain why this pull request is needed
  • The changeset is on a specific branch
    • feature/ for new feature, or improvements
    • fix/ for bug fixes
    • docs/ for any documentation changes
  • If required, the documentation has been updated
  • There is automated tests to cover the code change / addition
    • If there is no test, include an explanation why in the description
  • Run mvn verify locally and all tests are passing successfully
    • It is OK to create a pull request which has failing tests if it is created as a draft, is to fix a bug and the first commit is the test to prove the existence of the bug.
  • There is no new warnings (checkstyle nor spotbugs) on the code

alecharp
alecharp reviewed Jun 2, 2023
View reviewed changes
Copy link
Collaborator

@alecharp alecharp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be good to have multiple pom.xml files (in different folders) to have

  1. one with one repository with the correct url
  2. one with one repository with url pointing outside of the Jenkins environement
  3. one with two repositories, one ok and one not.

core/src/test/resources/fake-test-directory/pom.xml Outdated Show resolved Hide resolved
core/src/test/resources/fake-test-directory/pom.xml Outdated Show resolved Hide resolved
core/src/test/resources/fake-test-directory/pom.xml Outdated Show resolved Hide resolved
core/src/test/resources/fake-test-directory/pom.xml Outdated Show resolved Hide resolved
core/src/test/resources/fake-test-directory/pom.xml Outdated Show resolved Hide resolved
core/src/test/resources/fake-test-directory/pom.xml Outdated Show resolved Hide resolved
alecharp
alecharp reviewed Jun 3, 2023
View reviewed changes
Copy link
Collaborator

@alecharp alecharp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be possible to have no repository configured in the pom.xml?

core/pom.xml Outdated Show resolved Hide resolved
.gitignore Outdated Show resolved Hide resolved
...src/main/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbe.java Outdated Show resolved Hide resolved
...src/main/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbe.java Outdated Show resolved Hide resolved
...test/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbeTest.java Outdated Show resolved Hide resolved
@Jagrutiti
Copy link
Member Author

Would it be possible to have no repository configured in the pom.xml?

Maybe

@Jagrutiti Jagrutiti changed the title Third party repository detection probe feature/third party repository detection probe Jun 3, 2023
alecharp
alecharp reviewed Jun 3, 2023
View reviewed changes
.gitignore Outdated Show resolved Hide resolved
@Jagrutiti Jagrutiti changed the title feature/third party repository detection probe Third party repository detection probe Jun 3, 2023
@Jagrutiti @alecharp
Apply suggestions from code review
99a1379 
Co-authored-by: Adrien Lecharpentier <adrien.lecharpentier@gmail.com>
@Jagrutiti Jagrutiti closed this Jun 3, 2023
@Jagrutiti Jagrutiti deleted the third-party-repository-detection branch June 3, 2023 15:40
@Jagrutiti Jagrutiti restored the third-party-repository-detection branch June 3, 2023 15:43
@Jagrutiti Jagrutiti reopened this Jun 3, 2023
@Jagrutiti Jagrutiti marked this pull request as ready for review June 3, 2023 17:07
@Jagrutiti Jagrutiti requested a review from alecharp June 3, 2023 17:07
Jagrutiti
Jagrutiti commented Jun 10, 2023
View reviewed changes
...src/main/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbe.java Outdated
public static final String KEY = "third-party-repository-detection-probe";
final String hostName = "https://repo.jenkins-ci.org";
// final String parentPom = "https://raw.githubusercontent.com/jenkinsci/plugin-pom/master/pom.xml";
final String parentPom = "https://github.com/jenkinsci/plugin-pom/blob/master/pom.xml";
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wanted to use this in the beginning but now I am not.

For test cases, I do not need to. But I am not sure about real-world scenarios.

I was unable to read the pom from the URL in MavenXpp3Reader

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is what we want here.

alecharp
alecharp requested changes Jun 14, 2023
View reviewed changes
core/src/main/java/io/jenkins/pluginhealth/scoring/probes/Probe.java Outdated Show resolved Hide resolved
...src/main/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbe.java Outdated Show resolved Hide resolved
...src/main/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbe.java Outdated Show resolved Hide resolved
...src/main/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbe.java Outdated
return new String[] { SCMLinkValidationProbe.KEY};
}

public Model parsePomFromUrl(String pomUrl) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't like this because what it happening if someone puts an url pointing to a fake pom.xml which run random code?

Copy link
Member Author

@Jagrutiti Jagrutiti Jun 14, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You mean what if there is a fake parent path in the child pom.xml ?

Copy link
Member Author

@Jagrutiti Jagrutiti Jun 14, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do I validate the path? What is the correct way to resolve this? I am clueless here.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One thing we can do is check the extension of the file. Whether it ends with .xml or the file name is pom.xml.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we should rely on the relativePath tag of the parent.
We should look if the plugin has a folder configured (module) and if so, we should check that the parent pom of the repository has a parent to what we expect, that the module has a parent to the root pom file and that none of them have a third party repository.

core/src/main/java/io/jenkins/pluginhealth/scoring/probes/Probe.java Outdated Show resolved Hide resolved
...src/main/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbe.java Outdated
public static final String KEY = "third-party-repository-detection-probe";
final String hostName = "https://repo.jenkins-ci.org";
// final String parentPom = "https://raw.githubusercontent.com/jenkinsci/plugin-pom/master/pom.xml";
final String parentPom = "https://github.com/jenkinsci/plugin-pom/blob/master/pom.xml";
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is what we want here.

...src/main/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbe.java Outdated Show resolved Hide resolved
...src/main/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbe.java Outdated
Comment on lines 44 to 56
allRepositories.addAll(model.getRepositories());
allRepositories.addAll(model.getPluginRepositories());

if (!model.getParent().getRelativePath().isBlank()) {
Model parentPomModel = parsePomFromUrl(model.getParent().getRelativePath());
allRepositories.addAll(parentPomModel.getRepositories());
allRepositories.addAll(parentPomModel.getPluginRepositories());
}
for (Repository repository : allRepositories) {
if (!repository.getUrl().startsWith(hostName)) {
return ProbeResult.failure(KEY, "Third party repositories detected in the plugin");
}
}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm sure you can simplify that by filtering the model repositories before adding them to the set.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On what parameters you want me to filter them?

@alecharp
Copy link
Collaborator

To complete this pull request, we need to be able to generate the effective-pom of a project. To do so, the project is missing a complex system which is larger than the current pull request and need to be address separately.

We are not throwing away the current content but delaying it until we have the extra service.

@alecharp alecharp marked this pull request as draft June 16, 2023 10:53
@alecharp alecharp changed the title Third party repository detection probe 🚧 Third party repository detection probe Jun 16, 2023
@Jagrutiti
Copy link
Member Author

To complete this pull request, we need to be able to generate the effective-pom of a project. To do so, the project is missing a complex system which is larger than the current pull request and need to be address separately.

I have added a prototype for the effective-pom service.

As per my understanding, the test cases that are failing are correct. They cannot pass in the case when effective-pom is generated because third-party repository exists in the super pom.

@alecharp
Copy link
Collaborator

Because I have no visibility about create the required maven execution system I don't think we can move forward on this task. If that's fine with you @Jagrutiti, I'm closing this pull request.
Please don't hesitate to re-open it if you can move this effort forward.

@alecharp alecharp closed this Oct 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aneveux aneveux Awaiting requested review from aneveux

@alecharp alecharp Awaiting requested review from alecharp

@lemeurherve lemeurherve Awaiting requested review from lemeurherve

Assignees

@Jagrutiti Jagrutiti

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Third party repository detection
3 participants
@Jagrutiti @alecharp @lemeurherve