Comments (13)
@maoo hm, actually the discussion about whether or not we should expose information about security issues of the whole project should be with @pierredebelen and @gs-bracej as well, I thought we turned off Whitesource's auto-creating the Github issues for the same reason 😭
Though that being said, I notice projects like dropwizard having no qualms about this, so yeah ...
You're right, but SonarCloud is what we use to check quality, not security; I know these 2 aspects are quite connected, but I think we could easily work around this by hiding (if possible) the CVE reporting on SonarCloud, and relying on WhiteSource for security-related issues/reporting.
But it looks like I bumped into another roadblock - see this pipeline:
Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.7.0.1746:sonar (default) on project legend-studio: You're not authorized to run analysis. Please contact the project administrator. -> [Help 1]
Hmm, could it be related to the renaming? I'll do some tests and let you know.
from legend-pure.
@maoo @gs-bracej @pierredebelen regarding hiding CVE, I think it's a reasonable move, just that when I think about all of this: if someone really wants to take advantage of the security issues, they can peruse the PRs and it's not hard for them to figure out that, oh, the change in this PR has nothing to do with the CVE report generated, which implies the project master branch is already susceptible to an attack. I mean, of course we have to be responsible for fixing up WhiteSource security alerts, but the mere fact that we expose WhiteSource status on a PR could potentially be taken advantage of.
Or even simpler, a bad actor could just check out the code, run WhiteSource, Snyk, Fossa, SonarCloud or any of the other 1000 free solutions that resolve CVEs for each project dependency and try exploiting them, so I agree with your statement. I also think we should treasure the lessons learned from the Equifax attack in 2017, to understand what can happen if security issues are not acted upon.
I'll let you and the rest of the Legend team discuss whether you'd like to try disabling CVE scanning on SonarCloud or not. TY.
from legend-pure.
@maoo I thought it's better to create a separate thread for the conversation about sonar. I can set the quality gate now for all projects except for legend-pure, which is actually the one I need right now 😄 If you could add me to that one, it would be great!
It's fixed now, sorry.
That aside, I think the current quality gate profile "Sonar default" is good enough. My concern is how we should set the "new code definition", do you have any experience or advice for us about this? As of now I thought the most sensible option is "previous version" (see screenshot), what do you think?
Yes, agreed; this is the configuration we used in the past.
I've checked sonarcloud and it seems that all configurations are in place, although I haven't seen it in action on any PR.
Feel free to tweak the legend repo configurations on SonarCloud, and let me know if I can help.
from legend-pure.
@maoo I have enabled GitHub integration for all Legend projects, but looking at their doc, it seems to require authorizing SonarCloud for the FINOS GitHub organization, so we might need your help there. At the bottom of the doc is the onboarding link; I am not authorized to see this page.
btw, hate to bother you so much with the details, but could we update the name of the legend-studio project in sonarcloud to Legend Studio instead of legend-studio? Thank you so much!
from legend-pure.
This was set up a while ago; below is the screenshot with the config...
You don't bother at all, in fact, well spotted!
I believe that the issue is in the pom.xml, as I see it's missing the <name> tag, see https://github.com/finos/legend-studio/blob/master/pom.xml#L29
Could you try to add it and see if Sonar picks it up?
FYI - I just switched all Sonar projects to public, let's see if this makes the PR integration happier!
from legend-pure.
yep, actually, all I need is there when you set the SONAR_TOKEN
@maoo, looks like I made some progress in https://github.com/finos/legend-studio/runs/1339521705?check_suite_focus=true, anyhow I'll battle with it for a bit more and let you know. Thanks!!
from legend-pure.
TY @akphi ! One thing re. the legend-studio name; I believe it's coming from https://github.com/finos/legend-studio/blob/master/package.json#L2 .
from legend-pure.
@maoo ooh, I did not see that coming ... thought the maven one was enough 😭 will give it a shot
By the way, looking at this, do we use SonarCloud or SonarQube? The error I got seems to be that I specified the wrong host.url:
mvn -Dsonar.projectKey=legend-studio -Dsonar.organization=finos -Dsonar.host.url=https://sonarcloud.io org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
Error: SonarQube server [http://localhost:9000] can not be reached
from legend-pure.
@maoo ok! I think I got it finos/legend-studio#29 🚀
Turns out I have to allow anyone to be able to execute analysis (see my screenshot from the SonarCloud project permission config below), do you think that makes sense?
from legend-pure.
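The scanner problems in the comments above (the "SonarQube server [http://localhost:9000] can not be reached" error when sonar.host.url is not set, the "You're not authorized to run analysis" error when no usable token reaches the plugin, and the later observation that everything works once SONAR_TOKEN is set) are the kind of thing a small CI wrapper script pins down. The script below is an added example, not code from the Legend project or from SonarSource: the defaults for SONAR_ORG and SONAR_PROJECT_KEY and the PR_* variable names are assumptions, and the sonar.* properties it passes are the documented sonar-maven-plugin / SonarCloud ones. It skips the analysis rather than failing the build when the token is absent (GitHub does not expose repository secrets to pull requests from forks), and it expects the token to belong to an account that holds the project's Execute Analysis permission, which is the narrower alternative to granting that permission to Anyone.

```shell
#!/usr/bin/env sh
# Added example, not from the Legend project: run the SonarCloud Maven analysis
# with the host URL set explicitly and the token taken from the environment,
# skipping cleanly when no token is available instead of failing as unauthorized.
# SONAR_ORG / SONAR_PROJECT_KEY defaults and the PR_* variables are assumptions.

# Without sonar.host.url the scanner defaults to http://localhost:9000.
: "${SONAR_HOST_URL:=https://sonarcloud.io}"
: "${SONAR_ORG:=finos}"
: "${SONAR_PROJECT_KEY:=legend-studio}"

# can_run_analysis TOKEN FROM_FORK
# Exit status 0 when an analysis can be submitted; otherwise prints the reason
# and returns 1.
can_run_analysis() {
  token="$1"
  from_fork="${2:-false}"
  if [ "$from_fork" = "true" ]; then
    echo "skip: pull requests from forks do not receive the SONAR_TOKEN secret"
    return 1
  fi
  if [ -z "$token" ]; then
    echo "skip: SONAR_TOKEN is empty; the server would reject the analysis as unauthorized"
    return 1
  fi
  return 0
}

# build_sonar_args [PR_KEY PR_BRANCH PR_BASE]
# Prints one -D property per line for the sonar-maven-plugin. PR coordinates
# are only added for pull-request builds; branch builds omit them.
build_sonar_args() {
  pr_key="${1:-}"
  pr_branch="${2:-}"
  pr_base="${3:-}"
  printf '%s\n' \
    "-Dsonar.host.url=$SONAR_HOST_URL" \
    "-Dsonar.organization=$SONAR_ORG" \
    "-Dsonar.projectKey=$SONAR_PROJECT_KEY"
  if [ -n "$pr_key" ]; then
    printf '%s\n' \
      "-Dsonar.pullrequest.key=$pr_key" \
      "-Dsonar.pullrequest.branch=$pr_branch" \
      "-Dsonar.pullrequest.base=$pr_base"
  fi
}

# run_analysis: assemble the argument list and invoke Maven. The token stays in
# the SONAR_TOKEN environment variable, which the scanner reads, so it never
# appears on the command line or in ps output (older plugin versions instead
# took it as -Dsonar.login=$SONAR_TOKEN).
run_analysis() {
  if ! can_run_analysis "${SONAR_TOKEN:-}" "${PR_FROM_FORK:-false}"; then
    return 0   # skipping is deliberate; do not fail the build
  fi
  set --
  while IFS= read -r arg; do
    set -- "$@" "$arg"
  done <<EOF
$(build_sonar_args "${PR_NUMBER:-}" "${PR_HEAD_BRANCH:-}" "${PR_BASE_BRANCH:-}")
EOF
  mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar "$@"
}

# Only run when invoked with SONAR_ANALYZE=1, so the file can also be sourced
# for its functions.
if [ "${SONAR_ANALYZE:-0}" = "1" ]; then
  run_analysis
fi
```

In a CI job this is invoked as `SONAR_ANALYZE=1 SONAR_TOKEN=<secret> PR_NUMBER=<n> PR_HEAD_BRANCH=<head> PR_BASE_BRANCH=<base> sh sonar-analyze.sh`, with the token supplied from the job's secret store. One caveat that also bears on the "previous version" new code definition discussed earlier in the thread: that period resets only when sonar.projectVersion changes, which the Maven scanner takes from the pom's version, so a long-lived SNAPSHOT version keeps extending the window that the quality gate treats as new code.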
Thanks @maoo, that's a fair point
from legend-pure.
I have lost some context on this one and the conversation went to CVE scanning on SonarCloud. I think we will keep using WhiteSource for CVEs.
We still haven't been able to turn on GitHub integration for SonarCloud. But I think we lost the motivation somewhat, given the long time and that no one was talking about this. Should we come around to this discussion one day, the following are some good links:
https://sonarcloud.io/github
https://community.sonarsource.com/t/checks-tab-remains-empty-in-github-pull-request/40319
https://community.sonarsource.com/t/pr-analysis-results-are-now-displayed-in-the-checks-tab-of-pull-requests-in-github/5870
from legend-pure.