
Add .whitesource and config files to activate whitesource integration #165

Merged
merged 2 commits into from
Jan 13, 2022

Conversation

@zelinh zelinh (Member) commented Dec 30, 2021

Signed-off-by: Zelin Hao [email protected]

Description

We (@bbarani) have already enabled access for the WhiteSource integration with GitHub.com for this repo. However, the automatic PR for .whitesource was not created. We asked WhiteSource for support and they suggested we could raise one ourselves. This PR also sets the WhiteSource integration config mode to LOCAL so it will use the whitesource.config in the root directory. The Dashboards team can modify this configuration on their own to customize it. We are providing the one we had for all repos at this time.

Another PR we created for the same issue: opensearch-project/OpenSearch-Dashboards#999

Please be aware that when this PR is merged, the WhiteSource integration might automatically create CVE GitHub issues like these in the build repo.

Issues Resolved

[List any issues this PR will resolve]

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@zelinh zelinh requested a review from a team December 30, 2021 20:40
@codecov-commenter commented Dec 30, 2021

Codecov Report

Merging #165 (5297cae) into main (ec768b7) will decrease coverage by 0.16%.
The diff coverage is n/a.


@@            Coverage Diff             @@
##             main     #165      +/-   ##
==========================================
- Coverage   44.12%   43.95%   -0.17%     
==========================================
  Files         156      156              
  Lines        5145     5173      +28     
  Branches      948      953       +5     
==========================================
+ Hits         2270     2274       +4     
- Misses       2657     2681      +24     
  Partials      218      218              
Impacted Files Coverage Δ
...hboards-plugin/public/redux/reducers/opensearch.ts 56.47% <0.00%> (-0.68%) ⬇️
...pages/DetectorDetail/containers/DetectorDetail.tsx 16.05% <0.00%> (-0.61%) ⬇️
...ages/DetectorResults/containers/AnomalyHistory.tsx 12.54% <0.00%> (-0.44%) ⬇️
...aly-detection-dashboards-plugin/utils/constants.ts 100.00% <0.00%> (ø)
...s/AnomalyCharts/containers/AnomalyHeatmapChart.tsx 51.12% <0.00%> (ø)
...ugin/public/pages/DetectorDetail/utils/helpers.tsx 25.80% <0.00%> (+4.97%) ⬆️

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update ec768b7...5297cae.

"displayMode": "diff"
},
"issueSettings": {
"minSeverityLevel": "LOW"
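Review bot: `"minSeverityLevel": "LOW"` under `issueSettings` means the integration opens a GitHub issue for every finding down to low severity, which, together with the description's note that CVE issues are created automatically on merge, can produce a large initial backlog for a plugin with a deep transitive dependency tree. If LOW is meant as the shared starting default that teams then tune, say so in the PR description and name this field as the one to change; otherwise consider starting at a higher level and letting teams lower it.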
Contributor

Do we have agreement across all repos that we should care about LOW level issues?

Member Author

This is something that each team can change based on their demand. You can always modify the severity level at which an issue will be created by changing this parameter: https://whitesource.atlassian.net/wiki/spaces/WD/pages/697696422/WhiteSource+for+GitHub.com#Issue-Settings-(issueSettings). This PR is to help onboard WhiteSource with some default values.

resolveAllDependencies=false
#excludeDependenciesFromNodes=.*commons-io.*,.*maven-model

resolveAllDependencies=false
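Review bot: `resolveAllDependencies=false` appears twice in this hunk (first and last line); drop the second occurrence so the setting has a single source of truth. The commented-out `#excludeDependenciesFromNodes=.*commons-io.*,.*maven-model` line is a Maven-oriented example that does not match a yarn-based Dashboards plugin; either remove it or label the file as a generic example config so readers do not mistake it for a repo-specific exclusion.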
Contributor

Duplicate of line 78

Member Author

Removed. Thanks!

@ylwu-amzn ylwu-amzn (Contributor) left a comment

LGTM. Thanks for the change!

@ohltyler ohltyler (Member)

@zelinh we have seen with Dependabot that oftentimes the alerts are for dependencies stored in yarn.lock that are actually coming from core Dashboards, but pulled into the plugin's dependency tree, and can't be fixed at the plugin level. Do you know if this will add similar issues, such as automatic PRs for dependencies stored in core Dashboards?

@zelinh zelinh (Member Author) commented Jan 10, 2022

> @zelinh we have seen with Dependabot that oftentimes the alerts are for dependencies stored in yarn.lock that are actually coming from core Dashboards, but pulled into the plugin's dependency tree, and can't be fixed at the plugin level. Do you know if this will add similar issues, such as automatic PRs for dependencies stored in core Dashboards?

I think this will mostly create issues for those vulnerabilities as long as they exist in this repo. You can always whitelist those issues that can't be fixed at your level in the WhiteSource dashboard to ignore them. Furthermore, automatic fix for CVEs is disabled by default, so it won't create PRs to fix CVEs unless you allow it.

@ohltyler ohltyler (Member)

> > @zelinh we have seen with Dependabot that oftentimes the alerts are for dependencies stored in yarn.lock that are actually coming from core Dashboards, but pulled into the plugin's dependency tree, and can't be fixed at the plugin level. Do you know if this will add similar issues, such as automatic PRs for dependencies stored in core Dashboards?
>
> I think this will mostly create issues for those vulnerabilities as long as they exist in this repo. You can always whitelist those issues that can't be fixed at your level in the WhiteSource dashboard to ignore them. Furthermore, automatic fix for CVEs is disabled by default, so it won't create PRs to fix CVEs unless you allow it.

Got it, sounds good. Thanks for adding!
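The exchange above turns on one triage question: when a scanner flags a package in yarn.lock, is it reachable only through dependencies the plugin inherits from core Dashboards (so the finding can be whitelisted in the dashboard), or does the plugin's own package.json also pull it in (so the plugin can fix it)? The script below is an added example, not part of this PR and not WhiteSource's own logic: it parses a yarn.lock v1 file, walks from the direct dependencies declared in package.json to the flagged package, and classifies the finding by which direct dependencies the paths start from. The yarn.lock, package.json and `HOST_PROVIDED` set are constructed for the illustration; in practice the set would be the list of packages the plugin takes from the host platform rather than choosing itself.

```python
import re

# Constructed sample yarn.lock (v1 format). Names, versions and URLs are made up
# for this illustration; none of them come from the plugin or from this PR.
SAMPLE_YARN_LOCK = '''\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@osd/core-shim@^1.0.0":
  version "1.0.0"
  resolved "https://registry.example/core-shim-1.0.0.tgz"
  dependencies:
    minimist "^1.2.0"
    "@osd/legacy-util" "^0.1.0"

"@osd/legacy-util@^0.1.0":
  version "0.1.4"
  resolved "https://registry.example/legacy-util-0.1.4.tgz"

minimist@^1.2.0, minimist@^1.2.5:
  version "1.2.5"
  resolved "https://registry.example/minimist-1.2.5.tgz"

plugin-helper@^2.0.0:
  version "2.3.1"
  resolved "https://registry.example/plugin-helper-2.3.1.tgz"
  dependencies:
    minimist "^1.2.5"

lodash@^4.17.0:
  version "4.17.21"
  resolved "https://registry.example/lodash-4.17.21.tgz"
'''

# Constructed direct dependencies, as the plugin's package.json would declare them.
SAMPLE_PACKAGE_JSON = {
    "dependencies": {"@osd/core-shim": "^1.0.0", "plugin-helper": "^2.0.0"},
    "devDependencies": {"lodash": "^4.17.0"},
}

# Hypothetical: direct dependencies the plugin inherits from the host platform
# (core Dashboards) and therefore cannot upgrade on its own.
HOST_PROVIDED = {"@osd/core-shim"}


def _split_spec(spec):
    """Split 'name@range' on the last '@' so scoped names like '@osd/x@^1' survive."""
    idx = spec.rfind("@")
    return spec[:idx], spec[idx + 1:]


def parse_yarn_lock(text):
    """Return (spec_to_key, key_to_deps); a key is the resolved 'name@version'."""
    spec_to_key, key_to_deps = {}, {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in block.splitlines() if l.strip() and not l.lstrip().startswith("#")]
        if not lines or lines[0].startswith((" ", "\t")):
            continue  # comment-only header block or malformed fragment
        specs = [s.strip().strip('"') for s in lines[0].rstrip(":").split(",")]
        version, deps, in_deps = None, [], False
        for line in lines[1:]:
            stripped = line.strip()
            if in_deps and line.startswith("    "):
                # dependency entry: name "range", where a scoped name is quoted
                m = re.match(r'^"?([^"\s]+)"?\s+"?([^"]+)"?$', stripped)
                if m:
                    deps.append(f"{m.group(1)}@{m.group(2)}")
            elif stripped.startswith("version "):
                version = stripped.split(" ", 1)[1].strip('"')
            else:
                in_deps = stripped == "dependencies:"
        name, _ = _split_spec(specs[0])
        key = f"{name}@{version}"
        for spec in specs:
            spec_to_key[spec] = key
        key_to_deps[key] = deps
    return spec_to_key, key_to_deps


def find_paths(direct_specs, spec_to_key, key_to_deps, target_name):
    """Every chain of resolved packages from a direct dependency to target_name."""
    paths = []

    def walk(spec, trail):
        key = spec_to_key.get(spec)
        if key is None or key in trail:  # unresolved spec or dependency cycle
            return
        trail = trail + [key]
        if key.rsplit("@", 1)[0] == target_name:
            paths.append(trail)
            return
        for dep in key_to_deps.get(key, []):
            walk(dep, trail)

    for spec in direct_specs:
        walk(spec, [])
    return paths


def triage(package_json, lockfile_text, flagged_name, host_provided):
    """'fixable' if any path starts at a dependency the plugin controls,
    'inherited' if every path starts at a host-provided one, 'absent' if not in the lockfile."""
    spec_to_key, key_to_deps = parse_yarn_lock(lockfile_text)
    direct = {**package_json.get("dependencies", {}), **package_json.get("devDependencies", {})}
    direct_specs = [f"{n}@{r}" for n, r in direct.items()]
    paths = find_paths(direct_specs, spec_to_key, key_to_deps, flagged_name)
    if not paths:
        return "absent", []
    roots = {p[0].rsplit("@", 1)[0] for p in paths}
    verdict = "inherited" if roots <= host_provided else "fixable"
    return verdict, [" -> ".join(p) for p in paths]


if __name__ == "__main__":
    for pkg in ("minimist", "@osd/legacy-util", "left-pad"):
        verdict, chains = triage(SAMPLE_PACKAGE_JSON, SAMPLE_YARN_LOCK, pkg, HOST_PROVIDED)
        print(f"{pkg}: {verdict}")
        for chain in chains:
            print("   ", chain)
```

In the constructed data, `minimist` is reachable both through the inherited `@osd/core-shim` and through the plugin's own `plugin-helper`, so it is reported as fixable (bumping `plugin-helper` removes the plugin's own route, even if the inherited one remains), while `@osd/legacy-util` comes in only via the host-provided package and is the kind of finding the comment above suggests whitelisting.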

@ylwu-amzn ylwu-amzn merged commit ef40275 into opensearch-project:main Jan 13, 2022
opensearch-trigger-bot bot pushed a commit that referenced this pull request Mar 2, 2022
…#165)

* Add .whitesource and config files to trigger whitesource integration

Signed-off-by: Zelin Hao <[email protected]>

* Remove duplicate code for example config

Signed-off-by: Zelin Hao <[email protected]>
(cherry picked from commit ef40275)
ohltyler pushed a commit that referenced this pull request Mar 2, 2022
…#165)

* Add .whitesource and config files to trigger whitesource integration

Signed-off-by: Zelin Hao <[email protected]>

* Remove duplicate code for example config

Signed-off-by: Zelin Hao <[email protected]>
(cherry picked from commit ef40275)
@ohltyler ohltyler added the infra Changes to infrastructure, testing, CI/CD, pipelines, etc. label Mar 10, 2022
Labels
backport 1.x infra Changes to infrastructure, testing, CI/CD, pipelines, etc.