Sast rescoring update #270
Conversation
ocm-ci-robot-0
added
reviewed/ok-to-test
TuanAnh17N
force-pushed
the
sast-rescoring-update
branch
from
79f7529 to
5106da9
Compare
ocm-ci-robot-0
added
reviewed/ok-to-test
TuanAnh17N
force-pushed
the
sast-rescoring-update
branch
from
5106da9 to
a3c0361
Compare
ocm-ci-robot-0
added
reviewed/ok-to-test
TuanAnh17N
force-pushed
the
sast-rescoring-update
branch
from
a3c0361 to
2f3b3ba
Compare
ocm-ci-robot-0
added
the
reviewed/ok-to-test
ocm-ci-robot-0
removed
the
reviewed/ok-to-test
| return None | ||
|
|
||
|
|
||
| def rescore_sast_severity( |
There was a problem hiding this comment.
this function should work for all types of rescoring-rule no?
can we merge / factor out with existing bdba rescoring?
There was a problem hiding this comment.
it seems you decided against my suggestion, which of course is fine, but could you please elaborate what lead to this decision?
looking only at the PR I do not see a good reason against 🤔
TuanAnh17N
force-pushed
the
sast-rescoring-update
branch
from
2f3b3ba to
9895c5f
Compare
ocm-ci-robot-0
added
reviewed/ok-to-test
TuanAnh17N
force-pushed
the
sast-rescoring-update
branch
from
9895c5f to
13f4f76
Compare
ocm-ci-robot-0
added
the
reviewed/ok-to-test
ocm-ci-robot-0
removed
the
reviewed/ok-to-test
TuanAnh17N
force-pushed
the
sast-rescoring-update
branch
from
13f4f76 to
2bf0120
Compare
ocm-ci-robot-0
added
reviewed/ok-to-test
|
@TuanAnh17N : I assume test-errors stem from dependency against (unreleased) changes in cc-utils? If so, then I suggest to first merge and release change for cc-utils + rerun tests here to be sure. |
TuanAnh17N
force-pushed
the
sast-rescoring-update
branch
from
2bf0120 to
4ca5d08
Compare
ocm-ci-robot-0
added
reviewed/ok-to-test
| sast_config: config.SASTConfig, | ||
| component_descriptor_lookup: cnudie.retrieve.ComponentDescriptorLookupById, | ||
| ) -> list[str]: | ||
| if sast_config.component_version: |
There was a problem hiding this comment.
mv to caller, this function should only get versions from time range -> SoC
also, can we please use a more meaningful function name, e.g. version_from_time_range?
| if sast_config.component_version: | ||
| return [sast_config.component_version] | ||
|
|
||
| version_lookup = lookups.init_version_lookup() |
There was a problem hiding this comment.
rather pass in version-lookup (dependency injection)
There was a problem hiding this comment.
also: consistency (why pass-in component-descriptor-lookup, but not version-lookup)
| if not (pv := versionutil.parse_to_semver( | ||
| version=v, | ||
| invalid_semver_ok=False, | ||
| )).prerelease and not pv.build |
There was a problem hiding this comment.
version filtering is good, but I suggest to at least make it configurable via function parameters
There was a problem hiding this comment.
I think we have a util-function for that in cc-util's version.py (at least is_final comes to my mind)
|
|
||
| versions = [ | ||
| version for version | ||
| in filter_by_date_range(versions) |
There was a problem hiding this comment.
rather use built-in filter function
| prune_unique=True, | ||
| ): | ||
| if not cnode.component.sources: | ||
| continue |
There was a problem hiding this comment.
please add a brief comment explaining why this case is skipped to help our future selves x)
There was a problem hiding this comment.
also: why not simply use note_filter.cnudie.iter.Filter.sources?`
| all_findings_for_rescoring = [] | ||
|
|
||
| source_node = cnudie.iter.SourceNode( | ||
| path=(cnudie.iter.NodePathEntry(cnode.component),), |
There was a problem hiding this comment.
rather directly iter source nodes (node_filter in cnudie.iter.iter)
also, if constructing source_node manually, make sure to give the full path and not only the parent component
There was a problem hiding this comment.
I think in this context, if is not a good idea to manually construct sourcenodes.
| ), | ||
| time_now=time_now, | ||
| ) | ||
| new_metadata.extend(rescored_metadata) |
There was a problem hiding this comment.
TIL: list.extend resolves a generator :-)
There was a problem hiding this comment.
sure - it accepts any iterable (which includes generators)
| return None | ||
|
|
||
|
|
||
| def rescore_sast_severity( |
There was a problem hiding this comment.
it seems you decided against my suggestion, which of course is fine, but could you please elaborate what lead to this decision?
looking only at the PR I do not see a good reason against 🤔
| if sast_config.component_version: | ||
| return [sast_config.component_version] | ||
|
|
||
| version_lookup = lookups.init_version_lookup() |
There was a problem hiding this comment.
also: consistency (why pass-in component-descriptor-lookup, but not version-lookup)
| if not (pv := versionutil.parse_to_semver( | ||
| version=v, | ||
| invalid_semver_ok=False, | ||
| )).prerelease and not pv.build |
There was a problem hiding this comment.
I think we have a util-function for that in cc-util's version.py (at least is_final comes to my mind)
| prune_unique=True, | ||
| ): | ||
| if not cnode.component.sources: | ||
| continue |
There was a problem hiding this comment.
also: why not simply use note_filter.cnudie.iter.Filter.sources?`
| all_findings_for_rescoring = [] | ||
|
|
||
| source_node = cnudie.iter.SourceNode( | ||
| path=(cnudie.iter.NodePathEntry(cnode.component),), |
There was a problem hiding this comment.
I think in this context, if is not a good idea to manually construct sourcenodes.
| ), | ||
| time_now=time_now, | ||
| ) | ||
| new_metadata.extend(rescored_metadata) |
There was a problem hiding this comment.
sure - it accepts any iterable (which includes generators)
| elif rescoring_rule.rescore is rescore.model.Rescore.TO_NONE: | ||
| return github.compliance.model.Severity.NONE.name | ||
|
|
||
| raise NotImplementedError(rescoring_rule.rescore) |
There was a problem hiding this comment.
nit: while we do use NIE for that in our "heritage" codebase, it is actually not intended to be used for this purpose (python-documentation states NIE is intended for being raised by (abstract) methods that were not implemented). rather use ValueError
| time_now: datetime.datetime | ||
| ) -> typing.Generator[dso.model.ArtefactMetadata, None, None]: | ||
| for finding in findings: | ||
| matching_rule = next( |
There was a problem hiding this comment.
I really do not like this pattern. how about rather doing sth. like
try:
mr = next(...)
except StopIteration:
continue
In my opinion, this makes it a lot more obvious what is being done.
| ) -> typing.Generator[dso.model.ArtefactMetadata, None, None]: | ||
| for finding in findings: | ||
| matching_rule = next( | ||
| matching_sast_rescore_rule( |
There was a problem hiding this comment.
btw: is this function intended to yield more than one rule (judging from the name, I would assume: no)? if not, why not have the function either return a rule or None. This would make it less messy to use.
| new_severity = rescore_sast_severity( | ||
| rescoring_rule=matching_rule, | ||
| ) | ||
| if finding.data.severity == new_severity: |
There was a problem hiding this comment.
if severity is an enum (did not check), use is for comparison.
| severity=new_severity, | ||
| user=user, | ||
| matching_rules=[matching_rule.name], | ||
| comment='Automatically rescored based on rules.', |
There was a problem hiding this comment.
include rulename(s) (+ ruleset-name) in comment?
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Release note: