Sarif reporting#1660
Conversation
autonomousapps
left a comment
There was a problem hiding this comment.
Thanks for this PR. I have not done a thorough review because I don't have time at the moment, but I'm very open to seeing this progress and eventually get merged.
We ought to be able to resolve the issue with projectHealth not having access to the reporting handler. I think for this to be considered feature-complete, it would have to work for both buildHealth and projectHealth.
The build file scanning may have some issues, but I haven't thoroughly inspected it. As you know, the plugin's analysis uses Gradle's APIs to find dependencies—it doesn't actually scan build scripts unless it's trying to rewrite them. So that'll have to be done on a best-effort basis (which is what I think you're doing).
|
I had a thought about this and I think I do not want to modify the *this should be opt-in, based on user preference. public data class SarifAdvice( // name TBD
advice: Advice,
lineNumber: Int?,
)And then we could emit a sorted set of There are already examples in the project of configuring something in the root and having that value picked up safely in subprojects. If you need pointers, please let me know. |
|
So you would want to generate yet another json next to the regular advice json just for an extra property and then consume that json in addition to the regular json? Sounds a pretty complicated thing to do. Or did I miss the intention here? |
Yes, that's correct. And also that feature should be opt-in, based on user preference (as expressed in the In my opinion, this is actually easier than what you've spiked here. json is cheap. |
|
Updated. now dependency filtering task will also emit There is also an issue of reporting configuration: |
I think it should remain a singleton. I don't see the benefit of allowing per-project variation here. Do you? |
|
Yeah, then I should revert the reporting handler being accessible from project - it would only be configurable from the root project. This is an unusual UX for the Gradle project, though. It is generally expected, that every project's configuration is only affecting that project, not anything else (especially after Isolated Projects). Configuration for root project affecting other project is a bit unexpected. But I guess DAGP has already set a precedent for this with bundles being set only on root, but applying everywhere. |
# Conflicts: # README.asciidoc # src/main/kotlin/com/autonomousapps/internal/artifacts/DagpArtifacts.kt # src/main/kotlin/com/autonomousapps/internal/utils/utils.kt # src/main/kotlin/com/autonomousapps/subplugin/ProjectPlugin.kt # src/main/kotlin/com/autonomousapps/subplugin/RootPlugin.kt
This reverts commit aa4e1da. It was decided that this should only be set on the top level.
|
|
||
| val sarif: SarifSchema210 | ||
|
|
||
| private val advicePrinter = AdvicePrinter(dslKind, ProjectType.JVM, dependencyMap, useTypesafeProjectAccessors) |
There was a problem hiding this comment.
ProjectType appears to be unused in AdvicePrinter? So I just hardcoded it to the JVM for now. Is a future use expected?
There was a problem hiding this comment.
Huh. I added that when I added the first burst of KMP support. I can't say now whether not using it is an oversight, or leaving it in as an unused constructor is the oversight.
|
Updated to the latest main, reverted per-project sarif settings and added sarif reporting to the per-project tasks. I think it's ready for the next review now. |
autonomousapps
left a comment
There was a problem hiding this comment.
Didn't finish review, left a bunch of comments. Please double-check all your changes and let me know when you're resolved all the weird formatting inconsistencies and breakages.
| public fun ofAdd( | ||
| coordinates: Coordinates, | ||
| toConfiguration: String, | ||
| declarationLineNumber: Int? = null |
There was a problem hiding this comment.
vestige from an earlier version of this PR, I think?
There was a problem hiding this comment.
I think probably all the changes in this file could be reverted.
| @JsonClass(generateAdapter = false) | ||
| public data class SourcedAdvice( | ||
| val advice: Advice, | ||
| val buildFileDeclarationLineNumber: Int? = null, |
There was a problem hiding this comment.
Once we're creating an instance of this type, can the line number be null?
There was a problem hiding this comment.
Yes, because line number is a guess at best. Sometimes, we will not know the line number at all (if nothing matches in the build file). In this case, it is null.
| val warning: Warning = Warning.empty(), | ||
| /** True if there is any advice in a category for which the user has declared they want the build to fail. */ | ||
| val shouldFail: Boolean = false, | ||
| val projectBuildFile: String? = null, |
There was a problem hiding this comment.
You are right. It was nullable in the previous version, but in the new separate-class version it's always filled.
| t.sarifOutput.set( | ||
| dagpExtension.reportingHandler.sarifReport.flatMap { sarifReportEnabled -> | ||
| if (sarifReportEnabled) paths.sarifReportPath else null | ||
| } | ||
| ) |
There was a problem hiding this comment.
Set the output unconditionally.
| if (dagpExtension.reportingHandler.sarifReport.get()) { | ||
| sourcedProjectHealthPublisher.publish(filterAdviceTask.flatMap { it.sourcedOutput }) | ||
| } |
There was a problem hiding this comment.
I think this one needs to stay conditional. Publish output always needs to be present, otherwise the build will fail. And, when sarif report is disabled, sourcedOutput would not return any outputs. So, we must disable publishing in this case, to avoid the empty publish scenario.
Nevermind, we can just not-read the resolver side. Removed the condition.
| project = project, | ||
| artifactDescription = DagpArtifacts.Kind.PROJECT_HEALTH, | ||
| ) | ||
| private val sourcedAdviceResolver = interProjectResolver( |
| t.sarifOutput.set( | ||
| dagpExtension.reportingHandler.sarifReport.flatMap { sarifReportEnabled -> | ||
| if (sarifReportEnabled) paths.sarifReportPath else null | ||
| } | ||
| ) |
| tasks.register("generateWorkPlan", GenerateWorkPlan::class.java) { t -> | ||
| tasks.register( | ||
| "generateWorkP it.sarifReport.set(generateBuildHealthTask.flatMap { it.sarifOutput })\nlan", | ||
| GenerateWorkPlan::class.java | ||
| ) { t -> |
There was a problem hiding this comment.
Looks like a copy paste error. Reverted.
|
I think that should be all weird indentations fixed. Sorry about that. |
Thanks for addressing! I'll continue my review soon. |
PR adds an ability for the plugin to also export the report in the standard
.sarifformat, in addition to the txt.Would appreciate feedback on some things:
build.gradle(.kts)file and just string matching of the advice's coordinates. Is that okay? Could we come up with a better way to do this?buildHealthtask, but not theprojectHealth. The issue is that individual projects do not have access to the reporting config and thus could not enable this. If necessary, I could addpublic fun reporting(action: Action<ReportingHandler>)to theDependencyAnalysisSubExtensionand add sarif output to theprojectHealth(This PR is based on the
3.5.1due to #1653, as it makes testing easier for me. When the code is final, I can resolve conflicts and merge latest version in)this fixes #1094