advisor: Allow multiple vulnerability providers in one run #3772
Conversation
KorSin
requested review from
fviernau,
MarcelBochtler,
mnonnenmacher,
oheger-bosch and
sschuberth
as code owners
KorSin
changed the title
| val packages = ortResult.getPackages(skipExcluded).map { it.pkg } | ||
| val results = runBlocking { providers.first().retrievePackageVulnerabilities(packages) } | ||
| .mapKeysTo(sortedMapOf()) { (pkg, _) -> pkg.id } | ||
| runBlocking { |
There was a problem hiding this comment.
While this works, the code could be made more efficient by running the providers in parallel; as they are independent on each other, there should not be any conflicts between them. Instead of the forEach loop, use a map in combination with async to trigger the different providers asynchronously. Their results can then be merged after all have completed.
You can refer to Analyzer.kt for an example how this is done.
There was a problem hiding this comment.
Thanks for the idea! I also was not really satisfied with this block.
Have a look at my solution!
KorSin
force-pushed
the
korsin/multiple-advisors-next
branch
from
1d1d4ba to
f6bfc8e
Compare
KorSin
force-pushed
the
korsin/multiple-advisors-next
branch
from
f6bfc8e to
ceb9d95
Compare
advisor/src/main/kotlin/Advisor.kt
Outdated
| } | ||
| }.forEach { providerResults -> | ||
| providerResults.await().forEach { (pkg, advisorResults) -> | ||
| val resultsForId = results.getOrDefault(pkg.id, emptyList()) |
There was a problem hiding this comment.
Get and update of the results map can probably be simplified by using Map's merge() method.
| @@ -105,8 +105,8 @@ class AdvisorCommand : CliktCommand(name = "advise", help = "Check dependencies | |||
| } | |||
|
|
|||
| val distinctProviders = providerFactories.distinct() | |||
|
|
|||
| println("Using provider '${distinctProviders.first().providerName}'.") | |||
| println("The following vulnerability providers are activated:") | |||
There was a problem hiding this comment.
I would rather combine this change with a previous commit, but do not have any strong feelings here.
There was a problem hiding this comment.
Actually, this should be squashed to the first commit in this PR, not to the previous commit.
KorSin
force-pushed
the
korsin/multiple-advisors-next
branch
from
ceb9d95 to
607db97
Compare
| help = "The advisor to use, one of ${allVulnerabilityProvidersByName.keys}" | ||
| private val providerFactories by option( | ||
| "--vulnerability-providers", "-v", | ||
| help = "The comma separated providers to use, any of ${allVulnerabilityProvidersByName.keys}" |
There was a problem hiding this comment.
s/comma separated/comma-separated/
s/providers/advisors/ (see my comment above)
| "--advisor", "-a", | ||
| help = "The advisor to use, one of ${allVulnerabilityProvidersByName.keys}" | ||
| private val providerFactories by option( | ||
| "--vulnerability-providers", "-v", |
There was a problem hiding this comment.
I'm not sure about this renaming. It's also not mentioned as part for the commit message, which makes it sound like a non-breaking changing, although this makes it a breaking change.
From a user-perspective it would anyway be good to not distinguish between vulnerability providers and other advisors here: They just want to be able to enable any kind of advisor by name. So all user-facing output should generally talk about "advisors" IMO.
TL;DR please do not rename this option here. We can revisit this once we add advisors that are not vulnerability providers.
There was a problem hiding this comment.
Alright, I understand your concerns. What about plural form, i.e. advisors?
But maybe this is a change for later to make it not a breaking change.
There was a problem hiding this comment.
Argh, yes, that's a breaking change that we need 😞 But at least there's a change that people used -a before which continues to work...
| ).convert { name -> | ||
| allVulnerabilityProvidersByName[name] | ||
| ?: throw BadParameterValue( | ||
| "Advisor '$name' is not one of ${allVulnerabilityProvidersByName.keys}" | ||
| "Provider '$name' is not one of ${allVulnerabilityProvidersByName.keys}" |
|
|
||
| println("Using advisor '${providerFactory.providerName}'.") | ||
| println("Using provider '${distinctProviders.first().providerName}'.") |
| @@ -105,8 +105,8 @@ class AdvisorCommand : CliktCommand(name = "advise", help = "Check dependencies | |||
| } | |||
|
|
|||
| val distinctProviders = providerFactories.distinct() | |||
|
|
|||
| println("Using provider '${distinctProviders.first().providerName}'.") | |||
| println("The following vulnerability providers are activated:") | |||
There was a problem hiding this comment.
Actually, this should be squashed to the first commit in this PR, not to the previous commit.
|
|
||
| println("Using provider '${distinctProviders.first().providerName}'.") | ||
| println("The following vulnerability providers are activated:") | ||
| println("\t" + distinctProviders.joinToString(", ")) |
There was a problem hiding this comment.
", " is the default separator, so you should omit it.
KorSin
force-pushed
the
korsin/multiple-advisors-next
branch
from
607db97 to
c6c25e3
Compare
KorSin
force-pushed
the
korsin/multiple-advisors-next
branch
from
c6c25e3 to
c213082
Compare
sschuberth
changed the title
|
@KorSin please rebase to resolve conflicts as I just merged the other fix. |
KorSin
force-pushed
the
korsin/multiple-advisors-next
branch
from
c213082 to
f2d34ca
Compare
advisor/src/main/kotlin/Advisor.kt
Outdated
|
|
||
| val packages = ortResult.getPackages(skipExcluded).map { it.pkg } | ||
| val results = runBlocking { provider.retrievePackageVulnerabilities(packages) } | ||
| val results = runBlocking { providers.first().retrievePackageVulnerabilities(packages) } |
There was a problem hiding this comment.
To be frank, I'm not happy with the topical split between this and the next commit. That's mostly because you already expose the feature to use multiple advisors to the user here, but only make it work in the next commit.
It would have been somewhat fine to still prepare the implementation to be able to deal with multiple advisors here, not implement it fully, but then also not expose it to the user yet, and only expose it to the user in the next commit when it's really working.
But actually, as the next commit is not too big, I wonder why we can't also simply squash these two renaming commits.
There was a problem hiding this comment.
Yes, I agree that the topical spilt is not ideal. I have no problems with squashing, so I will do it.
| val packages = ortResult.getPackages(skipExcluded).map { it.pkg } | ||
| val results = runBlocking { providers.first().retrievePackageVulnerabilities(packages) } | ||
| .mapKeysTo(sortedMapOf()) { (pkg, _) -> pkg.id } | ||
| runBlocking { |
There was a problem hiding this comment.
Nit: Blank line before this one.
Change the long format of the advisor CLI option from advisor to advisors. Run the different providers in parallel and merge the results. Closes oss-review-toolkit#3638. Signed-off-by: Korbinian Singhammer <[email protected]>
KorSin
force-pushed
the
korsin/multiple-advisors-next
branch
from
f2d34ca to
88a34e2
Compare
This is a follow up PR to #3761.
Please look at the commit messages for details.