Fixes after review

Signed-off-by: Walter de Boer <[email protected]>

src/main/java/org/dependencytrack/event/PolicyEvaluationEvent.java

@@ -18,19 +18,15 @@
  */
 package org.dependencytrack.event;
 
-import java.util.ArrayList;
-import java.util.List;
+import alpine.event.framework.AbstractChainableEvent;
+import alpine.event.framework.Event;
 import org.dependencytrack.model.Component;
 import org.dependencytrack.model.Project;
-import alpine.event.framework.AbstractChainableEvent;
+import java.util.ArrayList;
+import java.util.List;
 
 /**
- * Defines a general purpose event to analyze components for vulnerabilities.
- * Additional logic in the event handler performs analysis on what specific
- * type of analysis should take place.
- *
- * @author Steve Springett
- * @since 3.0.0
+ * Defines an {@link Event} used to trigger policy evaluation.
  */
 public class PolicyEvaluationEvent extends AbstractChainableEvent {
 

src/main/java/org/dependencytrack/event/RepositoryMetaEvent.java

@@ -20,7 +20,6 @@
 
 import alpine.event.framework.Event;
 import org.dependencytrack.model.Component;
-
 import java.util.Collections;
 import java.util.List;
 import java.util.Optional;

src/main/java/org/dependencytrack/resources/v1/ComponentResource.java

@@ -18,20 +18,19 @@
  */
 package org.dependencytrack.resources.v1;
 
-import java.util.List;
-import java.util.Map;
-import javax.validation.Validator;
-import javax.ws.rs.Consumes;
-import javax.ws.rs.DELETE;
-import javax.ws.rs.GET;
-import javax.ws.rs.POST;
-import javax.ws.rs.PUT;
-import javax.ws.rs.Path;
-import javax.ws.rs.PathParam;
-import javax.ws.rs.Produces;
-import javax.ws.rs.QueryParam;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
+import alpine.event.framework.Event;
+import alpine.persistence.PaginatedResult;
+import alpine.server.auth.PermissionRequired;
+import alpine.server.resources.AlpineResource;
+import com.github.packageurl.MalformedPackageURLException;
+import com.github.packageurl.PackageURL;
+import io.swagger.annotations.Api;
+import io.swagger.annotations.ApiOperation;
+import io.swagger.annotations.ApiParam;
+import io.swagger.annotations.ApiResponse;
+import io.swagger.annotations.ApiResponses;
+import io.swagger.annotations.Authorization;
+import io.swagger.annotations.ResponseHeader;
 import org.apache.commons.lang3.StringUtils;
 import org.dependencytrack.auth.Permissions;
 import org.dependencytrack.event.InternalComponentIdentificationEvent;
@@ -46,19 +45,20 @@
 import org.dependencytrack.model.RepositoryType;
 import org.dependencytrack.persistence.QueryManager;
 import org.dependencytrack.util.InternalComponentIdentificationUtil;
-import com.github.packageurl.MalformedPackageURLException;
-import com.github.packageurl.PackageURL;
-import alpine.event.framework.Event;
-import alpine.persistence.PaginatedResult;
-import alpine.server.auth.PermissionRequired;
-import alpine.server.resources.AlpineResource;
-import io.swagger.annotations.Api;
-import io.swagger.annotations.ApiOperation;
-import io.swagger.annotations.ApiParam;
-import io.swagger.annotations.ApiResponse;
-import io.swagger.annotations.ApiResponses;
-import io.swagger.annotations.Authorization;
-import io.swagger.annotations.ResponseHeader;
+import javax.validation.Validator;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+import java.util.List;
+import java.util.Map;
 
 /**
  * JAX-RS resources for processing components.

src/main/java/org/dependencytrack/resources/v1/FindingResource.java

@@ -18,28 +18,6 @@
  */
 package org.dependencytrack.resources.v1;
 
-import java.util.Collections;
-import java.util.List;
-import java.util.UUID;
-import java.util.stream.Collectors;
-import javax.ws.rs.GET;
-import javax.ws.rs.POST;
-import javax.ws.rs.Path;
-import javax.ws.rs.PathParam;
-import javax.ws.rs.Produces;
-import javax.ws.rs.QueryParam;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
-import org.dependencytrack.auth.Permissions;
-import org.dependencytrack.event.PolicyEvaluationEvent;
-import org.dependencytrack.event.RepositoryMetaEvent;
-import org.dependencytrack.event.VulnerabilityAnalysisEvent;
-import org.dependencytrack.integrations.FindingPackagingFormat;
-import org.dependencytrack.model.Component;
-import org.dependencytrack.model.Finding;
-import org.dependencytrack.model.Project;
-import org.dependencytrack.model.Vulnerability;
-import org.dependencytrack.persistence.QueryManager;
 import alpine.common.logging.Logger;
 import alpine.event.framework.Event;
 import alpine.server.auth.PermissionRequired;
@@ -51,6 +29,28 @@
 import io.swagger.annotations.ApiResponses;
 import io.swagger.annotations.Authorization;
 import io.swagger.annotations.ResponseHeader;
+import org.dependencytrack.auth.Permissions;
+import org.dependencytrack.event.PolicyEvaluationEvent;
+import org.dependencytrack.event.RepositoryMetaEvent;
+import org.dependencytrack.event.VulnerabilityAnalysisEvent;
+import org.dependencytrack.integrations.FindingPackagingFormat;
+import org.dependencytrack.model.Component;
+import org.dependencytrack.model.Finding;
+import org.dependencytrack.model.Project;
+import org.dependencytrack.model.Vulnerability;
+import org.dependencytrack.persistence.QueryManager;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+import java.util.Collections;
+import java.util.List;
+import java.util.UUID;
+import java.util.stream.Collectors;
 
 /**
  * JAX-RS resources for processing findings.

src/main/java/org/dependencytrack/tasks/BomUploadProcessingTask.java

@@ -18,11 +18,11 @@
  */
 package org.dependencytrack.tasks;
 
-import java.util.ArrayList;
-import java.util.Base64;
-import java.util.Date;
-import java.util.List;
-import java.util.Optional;
+import alpine.common.logging.Logger;
+import alpine.event.framework.Event;
+import alpine.event.framework.Subscriber;
+import alpine.notification.Notification;
+import alpine.notification.NotificationLevel;
 import org.cyclonedx.BomParserFactory;
 import org.cyclonedx.parsers.Parser;
 import org.dependencytrack.event.BomUploadEvent;
@@ -45,11 +45,11 @@
 import org.dependencytrack.persistence.QueryManager;
 import org.dependencytrack.util.CompressUtil;
 import org.dependencytrack.util.InternalComponentIdentificationUtil;
-import alpine.common.logging.Logger;
-import alpine.event.framework.Event;
-import alpine.event.framework.Subscriber;
-import alpine.notification.Notification;
-import alpine.notification.NotificationLevel;
+import java.util.ArrayList;
+import java.util.Base64;
+import java.util.Date;
+import java.util.List;
+import java.util.Optional;
 
 /**
  * Subscriber task that performs processing of bill-of-material (bom)
@@ -65,6 +65,7 @@ public class BomUploadProcessingTask implements Subscriber {
     /**
      * {@inheritDoc}
      */
+    @Override
     public void inform(final Event e) {
         if (e instanceof BomUploadEvent) {
             Project bomProcessingFailedProject = null;
@@ -168,11 +169,17 @@ public void inform(final Event e) {
                     // vulnerability analysis completed.
                     vae.onSuccess(new NewVulnerableDependencyAnalysisEvent(newComponents));
                 }
-                // Wait for RepositoryMetaEvent after VulnerabilityAnalysisEvent,
-                // as both might be needed in policy evaluation
-                vae.onSuccess(new RepositoryMetaEvent(detachedFlattenedComponent));
+                // Start PolicyEvaluationEvent when VulnerabilityAnalysisEvent is succesful
                 vae.onSuccess(new PolicyEvaluationEvent(detachedFlattenedComponent).project(detachedProject));
                 Event.dispatch(vae);
+
+                // Repository Metadata analysis
+                final var rme = new RepositoryMetaEvent(detachedFlattenedComponent);
+                // Start PolicyEvaluationEvent again when RepositoryMetaEvent is succesful,
+                // as it might trigger new violations
+                rme.onSuccess(new PolicyEvaluationEvent(detachedFlattenedComponent).project(detachedProject));
+                Event.dispatch(rme);
+
                 LOGGER.info("Processed " + flattenedComponents.size() + " components and " + flattenedServices.size() + " services uploaded to project " + event.getProjectUuid());
                 Notification.dispatch(new Notification()
                         .scope(NotificationScope.PORTFOLIO)

src/main/java/org/dependencytrack/tasks/PolicyEvaluationTask.java

@@ -18,16 +18,16 @@
  */
 package org.dependencytrack.tasks;
 
-import java.util.ArrayList;
-import java.util.List;
+import alpine.common.logging.Logger;
+import alpine.event.framework.Event;
+import alpine.event.framework.Subscriber;
 import org.dependencytrack.event.PolicyEvaluationEvent;
 import org.dependencytrack.event.ProjectMetricsUpdateEvent;
 import org.dependencytrack.model.Component;
 import org.dependencytrack.model.Project;
 import org.dependencytrack.policy.PolicyEngine;
-import alpine.common.logging.Logger;
-import alpine.event.framework.Event;
-import alpine.event.framework.Subscriber;
+import java.util.ArrayList;
+import java.util.List;
 
 public class PolicyEvaluationTask implements Subscriber {
 
@@ -36,16 +36,16 @@ public class PolicyEvaluationTask implements Subscriber {
     /**
      * {@inheritDoc}
      */
+    @Override
     public void inform(final Event e) {
-        if (e instanceof PolicyEvaluationEvent) {
-            final PolicyEvaluationEvent event = (PolicyEvaluationEvent) e;
-            LOGGER.info("Starting policy evaluation");
-            if (event.getComponents() != null && !event.getComponents().isEmpty()) {
-                performPolicyEvaluation(event.getProject(), event.getComponents());
-            } else if (event.getProject() != null) {
-                performPolicyEvaluation(event.getProject(), new ArrayList<>());
+        if (e instanceof PolicyEvaluationEvent event) {
+            if (event.getProject() != null) {
+                if (event.getComponents() != null && !event.getComponents().isEmpty()) {
+                    performPolicyEvaluation(event.getProject(), event.getComponents());
+                } else {
+                    performPolicyEvaluation(event.getProject(), new ArrayList<>());
+                }
             }
-            LOGGER.info("Policy evaluation complete");
         }
     }
 

src/main/java/org/dependencytrack/tasks/VulnerabilityAnalysisTask.java

@@ -41,7 +41,6 @@
 import org.dependencytrack.tasks.scanners.ScanTask;
 import org.dependencytrack.tasks.scanners.SnykAnalysisTask;
 import org.dependencytrack.tasks.scanners.VulnDbAnalysisTask;
-
 import java.time.Duration;
 import java.time.Instant;
 import java.util.ArrayList;
@@ -61,10 +60,9 @@ public class VulnerabilityAnalysisTask implements Subscriber {
     /**
      * {@inheritDoc}
      */
+    @Override
     public void inform(final Event e) {
-        if (e instanceof VulnerabilityAnalysisEvent) {
-            final VulnerabilityAnalysisEvent event = (VulnerabilityAnalysisEvent) e;
-            LOGGER.info("Analyzing vulnerabilities");
+        if (e instanceof VulnerabilityAnalysisEvent event) {
             if (event.getComponents() != null && event.getComponents().size() > 0) {
                 final List<Component> components = new ArrayList<>();
                 try (final QueryManager qm = new QueryManager()) {
@@ -77,9 +75,7 @@ public void inform(final Event e) {
                     analyzeComponents(qm, components, e);
                 }
             }
-            LOGGER.info("Vulnerability analysis complete");
-        } else if (e instanceof PortfolioVulnerabilityAnalysisEvent) {
-            final PortfolioVulnerabilityAnalysisEvent event = (PortfolioVulnerabilityAnalysisEvent) e;
+        } else if (e instanceof PortfolioVulnerabilityAnalysisEvent event) {
             LOGGER.info("Analyzing portfolio");
             try (final QueryManager qm = new QueryManager()) {
                 final List<UUID> projectUuids = qm.getAllProjects(true)

src/main/java/org/dependencytrack/tasks/scanners/VulnDbAnalysisTask.java

@@ -36,7 +36,6 @@
 import org.dependencytrack.parser.vulndb.model.Results;
 import org.dependencytrack.persistence.QueryManager;
 import org.dependencytrack.util.NotificationUtil;
-
 import java.io.IOException;
 import java.net.URISyntaxException;
 import java.util.List;
@@ -58,6 +57,7 @@ public class VulnDbAnalysisTask extends BaseComponentAnalyzerTask implements Sub
 
     private String apiBaseUrl;
 
+    @Override
     public AnalyzerIdentity getAnalyzerIdentity() {
         return AnalyzerIdentity.VULNDB_ANALYZER;
     }
@@ -73,6 +73,7 @@ public VulnDbAnalysisTask() {
     /**
      * {@inheritDoc}
      */
+    @Override
     public void inform(final Event e) {
         if (e instanceof VulnDbAnalysisEvent) {
             if (!super.isEnabled(ConfigPropertyConstants.SCANNER_VULNDB_ENABLED)) {
@@ -110,11 +111,11 @@ public void inform(final Event e) {
             }
             final var event = (VulnDbAnalysisEvent) e;
             vulnerabilityAnalysisLevel = event.getVulnerabilityAnalysisLevel();
-            LOGGER.info("Starting VulnDB analysis task");
+            LOGGER.debug("Starting VulnDB analysis task");
             if (!event.getComponents().isEmpty()) {
                 analyze(event.getComponents());
             }
-            LOGGER.info("VulnDB analysis complete");
+            LOGGER.debug("VulnDB analysis complete");
         }
     }
 
@@ -124,6 +125,7 @@ public void inform(final Event e) {
      * @param component the Component to analyze
      * @return true if VulnDbAnalysisTask should analyze, false if not
      */
+    @Override
     public boolean isCapable(final Component component) {
         return component.getCpe() != null;
     }
@@ -133,6 +135,7 @@ public boolean isCapable(final Component component) {
      *
      * @param components a list of Components
      */
+    @Override
     public void analyze(final List<Component> components) {
         final var api = new VulnDbClient(this.apiConsumerKey, this.apiConsumerSecret, this.apiBaseUrl);
         for (final Component component : components) {

src/test/java/org/dependencytrack/event/RepositoryMetaEventTest.java

@@ -21,8 +21,6 @@
 import org.dependencytrack.model.Component;
 import org.junit.Assert;
 import org.junit.Test;
-
-import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Optional;