
New VersionDistance policy to check and report outdated components #2537

Merged
merged 1 commit into from
Jul 8, 2023

Conversation

walterdeboer

@walterdeboer walterdeboer commented Feb 28, 2023

Description

Dependency Track now supports a Component Age policy and a Component Version policy, but both are unsuitable to detect outdated components. For this the distance between the current component version and its latest version needs to be analysed.

The VersionDistancePolicyEvaluator evaluates the VersionDistance between a Component's current and its latest version. The policy "greater than 0:1.?.?", for example, means a difference of only one between the current version's major number and the latest version's major number is allowed.

Combining VersionDistances is also supported: "greater than 1:1.?.?". This way multiple parts (epoch or major) can be considered in one go, combining them with a Boolean OR. Not sure yet if this will be supported in the UI...

Addressed Issue

closes #2528, addresses #208, #257

Additional Details

Together with the Age Policy and the Version Policy this would enable advanced policies like "no outdated versions (one major difference), but only if the minor version is at least exactly 1 and when it is older than 21 days. (3.0.0 is too early, but 3.1.0 is considered safe, when it's older than three weeks without a patch release)"

Accompanying PR for the frontend DependencyTrack/frontend#432

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have added corresponding update logic
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

@walterdeboer walterdeboer changed the title Feature/2528 New VersionDistance policy to check and report outdated components #2528 Feb 28, 2023
@walterdeboer walterdeboer changed the title New VersionDistance policy to check and report outdated components #2528 New VersionDistance policy to check and report outdated components Feb 28, 2023
@sonatype-lift
Contributor

sonatype-lift bot commented Feb 28, 2023

🛠 Lift Auto-fix

Some of the Lift findings in this PR can be automatically fixed. You can download and apply these changes in your local project directory of your branch to review the suggestions before committing.[1]

# Download the patch
curl https://lift.sonatype.com/api/patch/github.com/DependencyTrack/dependency-track/2537.diff -o lift-autofixes.diff

# Apply the patch with git
git apply lift-autofixes.diff

# Review the changes
git diff

Want it all in a single command? Open a terminal in your project's directory and copy and paste the following command:

curl https://lift.sonatype.com/api/patch/github.com/DependencyTrack/dependency-track/2537.diff | git apply

Once you're satisfied, commit and push your changes in your project.

Footnotes

  [1] You can preview the patch by opening the patch URL in the browser.

@walterdeboer walterdeboer force-pushed the feature/2528 branch 2 times, most recently from ce81753 to 49fabd1 Compare March 1, 2023 15:30
@walterdeboer walterdeboer force-pushed the feature/2528 branch 2 times, most recently from c46b57d to 0d77fdf Compare March 1, 2023 22:17
@walterdeboer walterdeboer marked this pull request as ready for review March 1, 2023 22:20
@walterdeboer walterdeboer marked this pull request as ready for review June 29, 2023 08:19
@walterdeboer walterdeboer force-pushed the feature/2528 branch 2 times, most recently from 595d791 to 30ec3b7 Compare June 29, 2023 19:57
Contributor
@walterdeboer super excited to see this come to life! Been wanting to see how backlevel (versus just an amber).

I do have a question. What happens when the versions have letters in them? I may not be seeing the code properly, but I'm not seeing anything handling that use case.

Author

For now this works best on SemVer I guess. There is no strictly defined math for version numbers, especially when something other than SemVer is used. So it's all best effort here... But I hope this will help a lot for the 95% where decent version numbering is used :-) The first three numbers will be most significant in almost every case. More logic might be added to handle letters but for now I don't feel the urge. Maybe someone else will :-)


nscuro commented Jul 1, 2023

@walterdeboer There seems to be a mismatch on the policy condition value, between what the frontend sends and what the evaluator in the API server expects. I have the following condition configured:

[screenshot of the configured policy condition]

When this is evaluated, I'm getting these errors logged:

2023-07-01 18:25:41,917 ERROR [VersionDistancePolicyEvaluator] Invalid version distance format
java.lang.NumberFormatException: Invallid version distance: {"epoch":null,"major":1,"minor":null,"patch":null}
	at org.dependencytrack.util.VersionDistance.<init>(VersionDistance.java:117)
	at org.dependencytrack.policy.VersionDistancePolicyEvaluator.evaluate(VersionDistancePolicyEvaluator.java:98)
	at org.dependencytrack.policy.VersionDistancePolicyEvaluator.evaluate(VersionDistancePolicyEvaluator.java:87)
	at org.dependencytrack.policy.PolicyEngine.evaluate(PolicyEngine.java:89)
	at org.dependencytrack.policy.PolicyEngine.evaluate(PolicyEngine.java:71)
	at org.dependencytrack.tasks.PolicyEvaluationTask.performPolicyEvaluation(PolicyEvaluationTask.java:55)
	at org.dependencytrack.tasks.PolicyEvaluationTask.inform(PolicyEvaluationTask.java:44)

It seems to me that the evaluator is expecting a simple string, but it's getting a JSON object instead.
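The following is an added illustration, not code from this PR or from Dependency Track, of the two things discussed above: the VersionDistance semantics from the description ("greater than 0:1.?.?", parts OR-combined) and the mismatch nscuro reports, where the evaluator receives the JSON object `{"epoch":null,"major":1,...}` instead of the string form. The function names, the rule that only the most significant differing part carries a distance (less significant parts become wildcards), and the choice to ignore letters in versions are assumptions made for this example and need not match the merged implementation.

```python
import json
import re

PARTS = ("epoch", "major", "minor", "patch")


def parse_version(v):
    """'1:2.3.4' or '2.3.4' -> (epoch, major, minor, patch); missing parts are 0.
    Assumption: letters and pre-release tags are ignored, only numbers count."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    nums = [int(p) for p in re.findall(r"\d+", v)[:3]]
    nums += [0] * (3 - len(nums))
    return (epoch, *nums)


def parse_distance(spec):
    """Policy value as the '0:1.?.?' string form or as the JSON object the
    frontend sent in the logged error; '?' or null means 'unconstrained'."""
    if isinstance(spec, dict) or spec.lstrip().startswith("{"):
        obj = spec if isinstance(spec, dict) else json.loads(spec)
        return tuple(obj.get(k) for k in PARTS)
    epoch = "?"
    if ":" in spec:
        epoch, spec = spec.split(":", 1)
    parts = ([epoch] + spec.split(".") + ["?"] * 4)[:4]
    return tuple(None if p == "?" else int(p) for p in parts)


def version_distance(current, latest):
    """Assumed semantics: the most significant part that differs carries the
    absolute difference; less significant parts become None (not meaningful
    across a bigger jump, e.g. minor numbers of 1.9.0 vs 2.0.0)."""
    cur, lat = parse_version(current), parse_version(latest)
    for i, (a, b) in enumerate(zip(cur, lat)):
        if a != b:
            return tuple([0] * i + [abs(b - a)] + [None] * (3 - i))
    return (0, 0, 0, 0)


def violates(current, latest, policy_spec):
    """'greater than' check: violated when any constrained part of the distance
    exceeds the policy limit; parts combine with OR, as the description says."""
    dist = version_distance(current, latest)
    limit = parse_distance(policy_spec)
    return any(d is not None and lim is not None and d > lim
               for d, lim in zip(dist, limit))
```

With the policy "greater than 0:1.?.?", 1.2.3 against latest 2.0.0 passes while 1.2.3 against 3.0.0 is flagged; the JSON form from the log parses to the same limits as "1.?.?".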

@walterdeboer walterdeboer marked this pull request as draft July 2, 2023 07:56
Signed-off-by: Walter de Boer <walterdeboer@dbso.nl>
@walterdeboer walterdeboer marked this pull request as ready for review July 3, 2023 07:28
@walterdeboer
Author

@nscuro please try again

@nscuro nscuro merged commit ac0e1f1 into DependencyTrack:master Jul 8, 2023
7 checks passed
@walterdeboer walterdeboer deleted the feature/2528 branch July 8, 2023 20:43
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 8, 2023