Allow user override of project and version through blackDuckProperties #54
linanqiu wants to merge 2 commits into blackducksoftware:master from
Conversation
@linanqiu you should document the new properties in blackDuckPlugin.properties too.

@jasonwbarnett done!

@JakeMathews can you help look at this PR?

@linanqiu I am a little confused by the use case here. The ScanModule is not intended to be run on remote or virtual repositories. The plugin needs the ability to read and write properties to the Artifacts. When an artifact is pulled from a remote, it's automatically added to the remote-cache. I am confused as to why the remote-cache is not an option. Also I would advise against using the signature scanner on a remote-cache of open source components due to the quantity. The InspectionModule is what should be used for remote-cache repositories. The InspectionModule should support CRAN. Since there already exists a mechanism for overriding the project name and version, I am hesitating to add this complication.
Use case: when we scan a directory of packages, the default ends up creating a single version for each component (which results in far too many components). We are scanning a remote repository, so we don't have the option of setting repo level properties -- Artifactory only allows users to set properties on the remote cache, not the remote repo itself (which is the first point of contact for downloads, hence resulting in the remote cache repo's properties not being read) or virtual repos.
This allows users to just set
in the blackDuckPlugin.properties file and have those apply to all scans.
Why we're scanning remote repos: long story, but blackduck doesn't support R libraries out of the box. We have an ongoing thread with a rep from Synopsys, but it doesn't look like this functionality is supported fully. Fortunately, R packages are mostly .tar.gz wrappers around C++ / JavaScript / Fortran libraries, so it's sufficient to just scan those .tar.gz packages. Hence we're scanning a remote repo.