feat: add manually imported data into report#572

Merged
ruromero merged 1 commit into guacsec:main from ruromero:feat/manual-importer
Feb 16, 2026
Conversation

@ruromero
Collaborator

@ruromero ruromero commented Feb 16, 2026

User description

Fix #571


PR Type

Enhancement, Tests


Description

  • Add default "manual" source for manually imported data

  • Handle missing importer labels gracefully with fallback

  • Add test coverage for default source assignment


Diagram Walkthrough

flowchart LR
  A["Missing Importer Label"] -- "getSource method" --> B["Return DEFAULT_SOURCE"]
  C["Importer Label Present"] -- "getSource method" --> D["Return Importer Value"]
  B --> E["Issue with manual source"]
  D --> F["Issue with importer source"]

File Walkthrough

Relevant files

Enhancement
  TrustifyResponseHandler.java (+7/-2)
  src/main/java/io/github/guacsec/trustifyda/integration/providers/trustify/TrustifyResponseHandler.java
  Add default source handling for manual imports
    • Add DEFAULT_SOURCE constant set to "manual"
    • Modify getSource() method to return default source when labels are null
    • Add null check for importer value with fallback to default source

Tests
  TrustifyResponseHandlerTest.java (+54/-0)
  src/test/java/io/github/guacsec/trustifyda/integration/providers/trustify/TrustifyResponseHandlerTest.java
  Test default source for missing importer labels
    • Add new test testResponseToIssuesWithDefaultSource() to verify default source assignment
    • Test validates that issues without importer label receive "manual" as source
    • Test covers the scenario with missing importer in labels object
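As an added illustration of the fallback this PR describes (example code written for this page, not code from the pull request or the trustify-da project): a getSource with the same shape as the handler's, including the null-node and blank-importer guards the review bot raised, driven over a constructed advisory list so the grouping effect on a report is visible. It assumes Jackson Databind is on the classpath for JsonNode and ObjectMapper; getTextValue and groupBySource are stand-ins written for this example (the project's JsonUtils.getTextValue is not shown on the page), and the "identifier" field and sample values are constructed.

```java
// Added example, not project code. Shows how advisories whose labels.importer
// is absent, null or blank fall back to the "manual" source instead of being
// dropped from the report. Assumes Jackson Databind on the classpath.
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

public class ManualSourceFallbackExample {

  static final String DEFAULT_SOURCE = "manual";

  // Stand-in for the project's JsonUtils.getTextValue (assumption: null-safe
  // lookup of a text field, returning null when the node or field is absent).
  static String getTextValue(JsonNode node, String field) {
    if (node == null || node.isNull()) {
      return null;
    }
    JsonNode value = node.get(field);
    return (value == null || !value.isTextual()) ? null : value.asText();
  }

  // Same shape as the PR's getSource, with the null-node guard and the
  // blank-importer check from the review suggestions applied.
  static String getSource(JsonNode node) {
    if (node == null || node.isNull()) {
      return DEFAULT_SOURCE;
    }
    JsonNode labels = node.get("labels");            // null when absent
    String importer = getTextValue(labels, "importer");
    if (importer == null || importer.isBlank()) {
      return DEFAULT_SOURCE;
    }
    return importer;
  }

  // Hypothetical report step: group advisory identifiers by source. Records
  // without an importer land under "manual" rather than vanishing.
  static Map<String, List<String>> groupBySource(JsonNode advisories) {
    Map<String, List<String>> grouped = new TreeMap<>();
    for (JsonNode advisory : advisories) {
      String id = getTextValue(advisory, "identifier");
      grouped.computeIfAbsent(getSource(advisory), k -> new ArrayList<>()).add(id);
    }
    return grouped;
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample: only ADV-1 carries a usable importer label.
    String sample = """
        [
          {"identifier": "ADV-1", "labels": {"importer": "osv"}},
          {"identifier": "ADV-2", "labels": {"importer": "   "}},
          {"identifier": "ADV-3", "labels": {}},
          {"identifier": "ADV-4"}
        ]
        """;
    JsonNode advisories = new ObjectMapper().readTree(sample);
    Map<String, List<String>> grouped = groupBySource(advisories);

    if (!List.of("ADV-1").equals(grouped.get("osv"))) {
      throw new AssertionError(grouped);
    }
    if (!List.of("ADV-2", "ADV-3", "ADV-4").equals(grouped.get(DEFAULT_SOURCE))) {
      throw new AssertionError(grouped);
    }
    if (!DEFAULT_SOURCE.equals(getSource(null))) {
      throw new AssertionError("null node must fall back to manual");
    }
    System.out.println(grouped);
  }
}
```

The blank-importer and missing-labels cases both collapse into the same "manual" bucket, which is the intended reporting behaviour; if a deployment needs to tell hand-uploaded data apart from records that merely lost their label, that distinction has to be logged at the point where the fallback is taken, since the report alone no longer carries it.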

@qodo-code-review
Contributor

qodo-code-review bot commented Feb 16, 2026

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢
No security concerns identified. No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🟡
🎫 #571
🟢 Vulnerability/advisory data without an importer label should be grouped under a generic source named manual.
The response handler should not rely solely on the importer label to group vulnerability data; it must handle missing labels gracefully.
When vulnerability/advisory data is uploaded manually and lacks the labels.importer field, it must not be excluded from the report.
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

@qodo-code-review
Contributor

qodo-code-review bot commented Feb 16, 2026

PR Code Suggestions ✨

Latest suggestions up to cc9536e

Category: Possible issue
Suggestion: Add null-safety guard

Add a null check for the node parameter in the getSource method to prevent
potential NullPointerException and return the default source instead.

src/main/java/io/github/guacsec/trustifyda/integration/providers/trustify/TrustifyResponseHandler.java [224-231]

 private String getSource(JsonNode node) {
+  if (node == null || node.isNull()) {
+    return DEFAULT_SOURCE;
+  }
   var labels = node.get("labels");
   var importer = JsonUtils.getTextValue(labels, "importer");
   if (importer == null || importer.isBlank()) {
     return DEFAULT_SOURCE;
   }
   return importer;
 }
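Review bot: the `node == null || node.isNull()` guard added at the top of getSource only makes the method safe if `JsonUtils.getTextValue(labels, "importer")` on the following lines tolerates a null labels node, which is the assumption the earlier "Remove redundant null check" suggestion on this PR relied on when dropping the `labels == null` check; the two changes are safe together but not separately, so a one-line comment above `var importer = ...` stating that getTextValue is null-safe would protect against a future refactor of that helper. Separately, both `return DEFAULT_SOURCE;` paths label a record as a manual import whether it was uploaded by hand or arrived malformed (a null node), so a debug-level log of the record identifier on the null-node path would keep those cases distinguishable when a report is audited.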
Suggestion importance[1-10]: 7


Why: The suggestion correctly identifies a potential NullPointerException and proposes a reasonable fix that enhances robustness, which is a good practice for handling external data.

Impact: Medium

Previous suggestions

Suggestions up to commit 826919c
Category: Possible issue
Suggestion: Fallback on blank importer

In the getSource method, add a check for blank or empty importer strings to
ensure they also fall back to the DEFAULT_SOURCE.

src/main/java/io/github/guacsec/trustifyda/integration/providers/trustify/TrustifyResponseHandler.java [229-233]

 var importer = JsonUtils.getTextValue(labels, "importer");
-if (importer == null) {
+if (importer == null || importer.isBlank()) {
   return DEFAULT_SOURCE;
 }
 return importer;
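Review bot: `importer.isBlank()` correctly routes whitespace-only values to DEFAULT_SOURCE, but the success path `return importer;` still hands back the raw string, so two labels that differ only by surrounding whitespace (for example " osv " and "osv") would be grouped as separate sources in the report; returning `importer.strip()` would normalise them. The test walkthrough for this PR only mentions the missing-label case, so a blank-label input should be added to testResponseToIssuesWithDefaultSource or a sibling test to pin this new branch.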
Suggestion importance[1-10]: 6


Why: This suggestion correctly identifies a potential edge case where an empty or blank importer string would be considered a valid source. Adding an importer.isBlank() check improves the robustness of the getSource method.

Impact: Low

Category: General
Suggestion: Remove redundant null check

Remove the redundant null check for the labels variable, as the
JsonUtils.getTextValue method already handles null inputs.

src/main/java/io/github/guacsec/trustifyda/integration/providers/trustify/TrustifyResponseHandler.java [224-234]

 private String getSource(JsonNode node) {
   var labels = node.get("labels");
-  if (labels == null) {
-    return DEFAULT_SOURCE;
-  }
   var importer = JsonUtils.getTextValue(labels, "importer");
   if (importer == null) {
     return DEFAULT_SOURCE;
   }
   return importer;
 }
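Review bot: removing the `if (labels == null)` guard is only behaviour-preserving if JsonUtils.getTextValue returns null for a null first argument; that method is not part of this diff, so the claim should be verified against its source before the check is dropped. Since `node.get("labels")` also yields null when the field is absent, this is the common path for every manually imported record, not an edge case, and a short comment on the `var importer` line noting that null labels are tolerated by getTextValue would stop a later change to that helper from reintroducing a NullPointerException here.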
Suggestion importance[1-10]: 4


Why: The suggestion correctly identifies that the initial null check for labels is redundant because JsonUtils.getTextValue already handles a null input, making the code simpler and more concise without changing behavior.

Impact: Low

@ruromero ruromero force-pushed the feat/manual-importer branch from 826919c to 58985c9 on February 16, 2026 16:41
Signed-off-by: Ruben Romero Montes <rromerom@redhat.com>
@ruromero ruromero force-pushed the feat/manual-importer branch from 58985c9 to cc9536e on February 16, 2026 16:42
@ruromero ruromero merged commit 4e1269b into guacsec:main Feb 16, 2026
2 checks passed
@ruromero ruromero deleted the feat/manual-importer branch February 16, 2026 20:12

Development

Successfully merging this pull request may close these issues.

Show manually imported vulnerability data

1 participant