-
-
Notifications
You must be signed in to change notification settings - Fork 48
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🚧 Third party repository detection probe #323
🚧 Third party repository detection probe #323
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would be good to have multiple pom.xml
files (in different folders) to have
- one with one repository with the correct url
- one with one repository with url pointing outside of the Jenkins environement
- one with two repositories, one ok and one not.
Co-authored-by: Adrien Lecharpentier <[email protected]>
...test/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbeTest.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it be possible to have no repository configured in the pom.xml
?
...src/main/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbe.java
Outdated
Show resolved
Hide resolved
...src/main/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbe.java
Outdated
Show resolved
Hide resolved
...test/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbeTest.java
Outdated
Show resolved
Hide resolved
Maybe |
...src/main/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbe.java
Outdated
Show resolved
Hide resolved
Co-authored-by: Adrien Lecharpentier <[email protected]>
...src/main/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbe.java
Show resolved
Hide resolved
public static final String KEY = "third-party-repository-detection-probe"; | ||
final String hostName = "https://repo.jenkins-ci.org"; | ||
// final String parentPom = "https://raw.githubusercontent.com/jenkinsci/plugin-pom/master/pom.xml"; | ||
final String parentPom = "https://github.com/jenkinsci/plugin-pom/blob/master/pom.xml"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wanted to use this in the beginning but now I am not.
For test cases, I do not need to. But I am not sure about real-world scenarios.
I was unable to read the pom
from the URL in MavenXpp3Reader
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this is what we want here.
…/Jagrutiti/plugin-health-scoring into third-party-repository-detection
core/src/main/java/io/jenkins/pluginhealth/scoring/probes/Probe.java
Outdated
Show resolved
Hide resolved
...src/main/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbe.java
Outdated
Show resolved
Hide resolved
...src/main/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbe.java
Outdated
Show resolved
Hide resolved
return new String[] { SCMLinkValidationProbe.KEY}; | ||
} | ||
|
||
public Model parsePomFromUrl(String pomUrl) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't like this because what it happening if someone puts an url pointing to a fake pom.xml
which run random code?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You mean what if there is a fake parent path in the child pom.xml
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How do I validate the path? What is the correct way to resolve this? I am clueless here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One thing we can do is check the extension of the file. Whether it ends with .xml
or the file name is pom.xml
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we should rely on the relativePath
tag of the parent
.
We should look if the plugin has a folder configured (module
) and if so, we should check that the parent pom of the repository has a parent to what we expect, that the module has a parent to the root pom file and that none of them have a third party repository.
core/src/main/java/io/jenkins/pluginhealth/scoring/probes/Probe.java
Outdated
Show resolved
Hide resolved
public static final String KEY = "third-party-repository-detection-probe"; | ||
final String hostName = "https://repo.jenkins-ci.org"; | ||
// final String parentPom = "https://raw.githubusercontent.com/jenkinsci/plugin-pom/master/pom.xml"; | ||
final String parentPom = "https://github.com/jenkinsci/plugin-pom/blob/master/pom.xml"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this is what we want here.
...src/main/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbe.java
Outdated
Show resolved
Hide resolved
allRepositories.addAll(model.getRepositories()); | ||
allRepositories.addAll(model.getPluginRepositories()); | ||
|
||
if (!model.getParent().getRelativePath().isBlank()) { | ||
Model parentPomModel = parsePomFromUrl(model.getParent().getRelativePath()); | ||
allRepositories.addAll(parentPomModel.getRepositories()); | ||
allRepositories.addAll(parentPomModel.getPluginRepositories()); | ||
} | ||
for (Repository repository : allRepositories) { | ||
if (!repository.getUrl().startsWith(hostName)) { | ||
return ProbeResult.failure(KEY, "Third party repositories detected in the plugin"); | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm sure you can simplify that by filtering the model repositories before adding them to the set.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On what parameters you want me to filter them?
Co-authored-by: Adrien Lecharpentier <[email protected]>
To complete this pull request, we need to be able to generate the effective-pom of a project. To do so, the project is missing a complex system which is larger than the current pull request and need to be address separately. We are not throwing away the current content but delaying it until we have the extra service. |
I have added a prototype for the As per my understanding, the test cases that are failing are correct. They cannot pass in the case when |
Because I have no visibility about create the required maven execution system I don't think we can move forward on this task. If that's fine with you @Jagrutiti, I'm closing this pull request. |
Description
This probe will check:
Closes #299
Submitter checklist
feature/
for new feature, or improvementsfix/
for bug fixesdocs/
for any documentation changesmvn verify
locally and all tests are passing successfully