Skip to content

Migrate vul chain finder to data processing platform#11

Open
mehdikeshani wants to merge 40 commits intomainfrom
mehdi/migrate-vul-chain-finder
Open

Migrate vul chain finder to data processing platform#11
mehdikeshani wants to merge 40 commits intomainfrom
mehdi/migrate-vul-chain-finder

Conversation

@mehdikeshani
Copy link

@mehdikeshani mehdikeshani commented Mar 4, 2022

In this PR we migrate the proof of concept implementation of VulChainFinder in the old repository to the data-processing platform.

@mehdikeshani mehdikeshani requested a review from proksch March 4, 2022 13:59
mir-am
mir-am reviewed Mar 25, 2022
View reviewed changes
plugins/vulnerable-chain-finder/src/main/java/eu/f4sten/vulchainfinder/utils/DatabaseUtils.java

public static String createStrForSelectVulCallablesWhereModuleIdIs(final Long moduleId) {
return "SELECT packages.package_name, package_versions.version, callables.fasten_uri, " +
"callables.metadata -> 'vulnerabilities' " +
Copy link
Contributor

@mir-am mir-am Mar 25, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BTW, you can also use JOOQ's methods to get vulnerable callables given a module id instead of using a raw SQL query.

@mir-am mir-am mentioned this pull request Mar 28, 2022
Merged
@mir-am
Copy link
Contributor

mir-am commented May 11, 2022

I have talked to Sebastian (@proksch) and we have decided that I can work on this feature branch, address the above comments, and deploy it on monster for the vulnerability paper(s).
That said, we are not going to merge it until the final code review and your approval.
I would like to ask you, Mehdi (@ashkboos ), whether you are also okay with this, i.e, me working on this feature branch.

@mehdikeshani
Copy link
Author

mehdikeshani commented May 11, 2022

I have talked to Sebastian (@proksch) and we have decided that I can work on this feature branch, address the above comments, and deploy it on monster for the vulnerability paper(s). That said, we are not going to merge it until the final code review and your approval. I would like to ask you, Mehdi (@ashkboos ), whether you are also okay with this, i.e, me working on this feature branch.

Yes sure, no need to even ask Amir. And sorry for not addressing the comments so far, I was waiting for the code review session that we planned to do on this PR to look at it together in person but unfortunately, it got postponed multiple times.

ashkboos added 24 commits May 19, 2022 22:00
@proksch
add callableindex and vulchainfinder to default topics
871a793
@proksch
add vulchain finder module
2fbe385
@proksch
Implementing basic plugin that consumes from callable index output to…
4377293 
…pic and prints the maven coordinate
@proksch
add more intellij files to gitignore
98da731
@proksch
Implement rest api dependency resolver and test it
5dbf062
@proksch
add base uri of rest api to the arguments of vulchainfinder plugin
34eefd7
@proksch
fix a minor checkstyle validation
c715c4d
@proksch
Implementing vul chain finder DatabaseUtils and its test
9588a01
@proksch
implement and test impact propagator
53d39f1
@proksch
add test resources for propagator
9f62cb1
@proksch
add NodeImpact
5379853
@proksch
add JsonUtils to vulchainfinder
653a286
@proksch
add callable index to args and config
c5a0472
@proksch
add callable index utils to vulchainfinder plugin
180107a
@proksch
add a method and test for querying vulnerable packages to vulchain pl…
70f8c44 
…ugin DBUtils
@proksch
use set in RestAPIResolver to be compatible with merger
8abe3e5
@proksch
Implement and test the Main class of vulchainfinder plugin
8091a24
@proksch
add dependency to OPAL plugin in vulchain plugin
791d893
@proksch
disable test in vulchain main test
7ee536a
@proksch
Adapt versions to fix build
5585452
@proksch
Finish the implementation of Main of the plugin and its tests
09fd34f
@proksch
add CoreJacksonModule to vulchainfinder
de0ac20
@proksch
update uri and vul object in the DBUtilstest
60d3988
@proksch
add expected json for vulchain integration test
c8d0a09
ashkboos and others added 15 commits May 19, 2022 22:00
@proksch
bump version of vulchainfinder
902d2c4
@proksch
remove old json utils completely
e2d4c2c
@proksch
test node reachability and add isReachableTarget method
59eb9de
@proksch
add test for FastenJacksonModule and fix the build
6ec7f92
@proksch
improve testing of DBUtils
b469f90
@proksch
improve testing of impact propagator
f297370
@proksch
Disable the integration tests
015d95b
@proksch
Adapt changes introduced in newer core release
f525311
@mir-am @proksch
Fix the CLI args for VulChainFinder and add asserts for them
127a00b
@mir-am @proksch
Provide the baseDir arg for storing Vuln. chain repos
77ecb44
@mir-am @proksch
Open RocksDB in the read-only mode to bypass LOCK
c843bf3
@mir-am @proksch
Use internal REST API, not through proxy (needed for production)
e7fa3b6
@mir-am @proksch
Store all the vuln. chains regardless of whether there exists a vulne…
1a02e29 
…rable chain or not.
@mir-am @proksch
Check if a record is already processed when finding vuln. call chains.
700a8d2
@mir-am @proksch
Create RestApiError to stop vulnchainfinder when the REST API is …
936e533 
…unavailable
@proksch proksch force-pushed the mehdi/migrate-vul-chain-finder branch from 3e5d0f4 to 936e533 Compare May 19, 2022 21:30
@proksch
Copy link
Contributor

proksch commented May 19, 2022

I have updated (and rebased) the branch to include the latest changes that were necessary to adopt changes from core. The build should work again and use all up-to-date classes/plugins.

While updating, I also checked the implementation a bit... maybe we should make this plugin subject of a pair programming Monday to clarify some things about the loader platform and to talk about recurring issues that I found in several places in the code.

I am also not particularly sure about the introduction of the new Error class for exception handling... I would like to discuss this with you in person before we release this plugin.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mir-am mir-am mir-am left review comments

@proksch proksch Awaiting requested review from proksch

Assignees

@mehdikeshani mehdikeshani

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mehdikeshani @mir-am @proksch