
Infrastructure for scanning a complete ORTResult #5324

Closed
porsche-rbieniek opened this issue May 4, 2022 · 2 comments

Comments

@porsche-rbieniek

We are currently integrating the commercial Blackduck engine as a remote scanner into ORT.

We have built a client layer for interfacing with the Blackduck REST API which allows us to create a container structure ("project group") in the remote Blackduck system. This container serves as an outer bracing for all projects in an ORT result.
For each project in an ORT result, we create a matching project in the container project group, upload the dependency information to Blackduck and let Blackduck process the individual projects.

Once Blackduck is done, we consume the scan results from Blackduck, convert them into the internal format used by ORT and pass them on as a standard ORT scan result.

During the integration efforts, we learned that ORT relies on the abstraction of package scanner engines, i.e. each dependency can be separately scanned as an isolated work item.
The way Blackduck operates, it requires an all-or-nothing approach where we need to upload all packages at once as belonging to a project and let Blackduck process the whole dependency set (per project) in one operation.

IMHO there is currently no "official" way to process a full ORT result structure by a scanner because that infrastructure implicitly relies on the idea that a scanner is operating on the package level.

We would like to propose the idea of a more powerful scanner integration with the required capabilities to the community and will raise a pull request showing how we got this working so far.

porsche-rbieniek added a commit to porsche-rbieniek/ort that referenced this issue May 4, 2022
As explained in the issue oss-review-toolkit#5324, we need a scanner with the capability to access and autonomously process the full ORT result into a scan result structure.

This pull request gives an insight into how we solved this requirement using the current ORT infrastructure. This has to be seen as an example and a base for further discussion in the ORT developer community.

Signed-off-by: Rainer Bieniek <extern.rainer.bieniek@porsche.de>
@porsche-rbieniek
Author

The current implementation by Porsche has been submitted as pull request #5325.

@sschuberth
Member

With the draft #53 now being closed, and us having dedicated issues for Black Duck advisor and scanner integrations, this is getting closed as part of backlog grooming. Feel free to comment if you would like to contribute to this.

@sschuberth sschuberth closed this as not planned on Jun 10, 2024