CVE: adapt IDEasy to consider security.json files to warn user #1280
Conversation
…olSecurity.java Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
…olSecurity.java Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
…olSecurity.java Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
…olSecurity.java Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
# Conflicts: # cli/src/main/java/com/devonfw/tools/ide/variable/IdeVariables.java
# Conflicts: # cli/src/main/java/com/devonfw/tools/ide/variable/IdeVariables.java
There was a problem hiding this comment.
@KianRolf thanks for your PR. Quite some complexity and great that you found your way to get everything solved and working.
This is good work and only needs little polishing before we can merge. 👍
I left some review comments.
What I slightly dislike is the many and also empty *.urls files that you added what will cause us quite some maintenance effort later (will collide with #706). It would have been much better to add a new test-project for your scenario and even if you again would use intellij plus java as your scenario at least make the URLs OS-agnostic so you do not have to have 3 *.urls file for every version. Do these *.urls files actually matter for your test at all? Or could you also just add one single urls file in each of the versions folder you added?
I have not yet tested your code for bugs but just wrote my review comments from reading your code. Lets find a balance how you can get this PR done with low additional effort so we can merge it. Other things then have to be addressed after the merge.
| } | ||
| } | ||
| return cves; | ||
| public List<CVE> findCVEs() { |
There was a problem hiding this comment.
This method is a getter and the same functionality already exists as getIssues().
It should simply be removed.
cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java
Outdated
Show resolved
Hide resolved
cli/src/main/java/com/devonfw/tools/ide/variable/IdeVariables.java
Outdated
Show resolved
Hide resolved
| //arrange | ||
| context.setUrlsPath(URLS_PATH); | ||
| Intellij commandlet = new Intellij(this.context); | ||
| context.setAnswers("current"); |
There was a problem hiding this comment.
very nice test. But why don't you also test the other 2 options? Too much effort?
There was a problem hiding this comment.
expanded test but ran into a problem with the java check on the latest option could not figure out what went wrong.
| + " Therefore, we install a compatible version in that range."), | ||
| new IdeLogEntry(IdeLogLevel.DEBUG, "Installed java in version " + javaVersionTomcat + " at ", true), | ||
| new IdeLogEntry(IdeLogLevel.SUCCESS, "Successfully installed tomcat in version " + tomcatVersion), | ||
| new IdeLogEntry(IdeLogLevel.INFO, "OpenJDK version " + javaVersionTomcat), |
There was a problem hiding this comment.
why was this removed? Did this fail after your changes?
Does it reveal a bug or are we sure this is OK?
There was a problem hiding this comment.
Please re-add this assertion and try to find out why your changes caused this to fail.
|
|
||
| // assert | ||
| assertThat(security).containsExactly(new CVE("CVE-2024-32002", 9.0f, versionRanges)); | ||
| assertThat(security).contains(new CVE("CVE-2024-32002", 9.0f, versionRanges)); |
There was a problem hiding this comment.
This is also confusing me. Why was the test changed from tomcat to intellij?
Why did you change from containsExactly to the weaker contains?
github-project-automation
bot
moved this from Team Review
to 👀 In review
in IDEasy board
| VariableDefinitionPath WORKSPACE_PATH = new VariableDefinitionPath("WORKSPACE_PATH", null, c -> c.getWorkspacePath(), true); | ||
|
|
||
| /** {@link VariableDefinition} for default CVE_MIN_SEVERITY. */ | ||
| VariableDefinitionDoulbe CVE_MIN_SEVERIRY = new VariableDefinitionDoulbe("CVE_MIN_SEVERITY", null, c -> 1.0); |
There was a problem hiding this comment.
Typo in Class name and in constant CVE_MIN_SEVERIRY => CVE_MIN_SEVERITY
|
|
||
| import com.devonfw.tools.ide.context.IdeContext; | ||
|
|
||
| public class VariableDefinitionDoulbe extends AbstractVariableDefinition<Double> { |
There was a problem hiding this comment.
Typo in class name and Javadocs missing.
| return install(silent, processContext, step, false); | ||
| } | ||
|
|
||
| public boolean install(boolean silent, ProcessContext processContext, Step step, boolean isDependency) { |
There was a problem hiding this comment.
Please declare this install override method as an abstract in ToolCommandlet and use the @Override annotation here. Please also add Javadoc to the method.
| private boolean doInstallStep(VersionIdentifier configuredVersion, VersionIdentifier installedVersion, boolean silent, ProcessContext processContext, | ||
| Step step) { | ||
| return doInstallStep(configuredVersion, installedVersion, silent, processContext, step, false); | ||
| } |
There was a problem hiding this comment.
This method is not in use anymore, delete?
| * @return the {@link ToolInstallation} matching the given {@code version}. | ||
| */ | ||
| public ToolInstallation installTool(GenericVersionRange version, ProcessContext processContext) { | ||
| public ToolInstallation installTool(GenericVersionRange version, ProcessContext processContext, boolean isDependency) { |
There was a problem hiding this comment.
Please add isDependency param to Javadoc.
| * @return the {@link ToolInstallation} matching the given {@code version}. | ||
| */ | ||
| public ToolInstallation installTool(GenericVersionRange version, ProcessContext processContext, String edition) { | ||
| public ToolInstallation installTool(GenericVersionRange version, ProcessContext processContext, String edition, boolean isDependenny) { |
There was a problem hiding this comment.
Please fix the typo and add isDependency param to Javadoc.
| * @param allowedVersions the allowed {@link VersionRange}. | ||
| * @return {@code true} if the tool was newly installed, {@code false} otherwise (installation was already present). | ||
| */ | ||
| private VersionIdentifier lookForCVEs(VersionIdentifier version, String edition, ProcessContext processContext, VersionRange allowedVersions) { |
There was a problem hiding this comment.
Please rename method to lookForCves.
Use CamelCase even for abbreviations (XmlUtil instead of XMLUtil).
See: https://github.com/devonfw/IDEasy/blob/main/documentation/coding-conventions.adoc
| /** | ||
| * Class used to handle and get {@link ToolSecurity}, {@link CVE} for specific tool. | ||
| */ | ||
| public class CVEFinder { |
There was a problem hiding this comment.
Please rename class to CveFinder.
Use CamelCase even for abbreviations (XmlUtil instead of XMLUtil).
See: https://github.com/devonfw/IDEasy/blob/main/documentation/coding-conventions.adoc
| } else { | ||
| cveFinder = new CVEFinder(context, this, version, allowedVersions); | ||
| } | ||
| Collection<CVE> cves = cveFinder.getCVEs(version); |
There was a problem hiding this comment.
Please rename CVE class to Cve.
Use CamelCase even for abbreviations (XmlUtil instead of XMLUtil).
See: https://github.com/devonfw/IDEasy/blob/main/documentation/coding-conventions.adoc
| * | ||
| * @param versionIdentifier {@link VersionIdentifier}. | ||
| */ | ||
| public void listCVEs(VersionIdentifier versionIdentifier) { |
There was a problem hiding this comment.
Please rename method to listCves.
Use CamelCase even for abbreviations (XmlUtil instead of XMLUtil).
See: https://github.com/devonfw/IDEasy/blob/main/documentation/coding-conventions.adoc
| * @param versionIdentifier | ||
| * @return all {@link CVE}s from specific {@link VersionIdentifier}. | ||
| */ | ||
| public Collection<CVE> getCVEs(VersionIdentifier versionIdentifier) { |
There was a problem hiding this comment.
Please rename method to getCves.
Use CamelCase even for abbreviations (XmlUtil instead of XMLUtil).
See: https://github.com/devonfw/IDEasy/blob/main/documentation/coding-conventions.adoc
cli/src/main/java/com/devonfw/tools/ide/tool/LocalToolCommandlet.java
Outdated
Show resolved
Hide resolved
| /** | ||
| * Test for method lookForCVEs in {@link LocalToolCommandlet}. | ||
| */ | ||
| public class LookForCVEsTest extends AbstractIdeContextTest { |
There was a problem hiding this comment.
Please rename class to LookForCvesTest.
| toolParent, this.tool, version, configuredVersion); | ||
| } | ||
| ToolInstallation toolInstallation = installTool(version, processContext); | ||
| ToolInstallation toolInstallation = installTool( |
There was a problem hiding this comment.
This change seems to break the TomcatTest. Please check why the version determined from the dependency file (21_35) is not being used.
Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
…java Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
…et.java Co-authored-by: jan-vcapgemini <59438728+jan-vcapgemini@users.noreply.github.com>
4 participants
#fixes #1144