oss-review-toolkit · mnonnenmacher · Oct 16, 2023 · Oct 11, 2023 · Oct 13, 2023 · Oct 13, 2023
@@ -26,10 +26,10 @@ import io.kotest.matchers.shouldBe
 import java.time.Instant
 
 import org.ossreviewtoolkit.advisor.advisors.Osv
+import org.ossreviewtoolkit.advisor.advisors.OsvConfiguration
 import org.ossreviewtoolkit.model.AdvisorResult
 import org.ossreviewtoolkit.model.Identifier
 import org.ossreviewtoolkit.model.Package
-import org.ossreviewtoolkit.model.config.OsvConfiguration
 import org.ossreviewtoolkit.model.readValue
 import org.ossreviewtoolkit.model.utils.toPurl
 import org.ossreviewtoolkit.utils.test.getAssetFile

@@ -21,48 +21,15 @@ package org.ossreviewtoolkit.advisor
 
 import java.util.ServiceLoader
 
-import org.ossreviewtoolkit.model.config.AdvisorConfiguration
-import org.ossreviewtoolkit.utils.common.Options
-import org.ossreviewtoolkit.utils.common.Plugin
-import org.ossreviewtoolkit.utils.ort.ORT_CONFIG_FILENAME
-import org.ossreviewtoolkit.utils.ort.ortConfigDirectory
+import org.ossreviewtoolkit.utils.common.TypedConfigurablePluginFactory
 
 /**
- * A common interface for use with [ServiceLoader] that all [AbstractAdviceProviderFactory] classes need to
- * implement.
+ * A common abstract class for use with [ServiceLoader] that all [AdviceProviderFactory] classes need to implement.
  */
-interface AdviceProviderFactory : Plugin {
+abstract class AdviceProviderFactory<CONFIG>(override val type: String) :
+    TypedConfigurablePluginFactory<CONFIG, AdviceProvider> {
     /**
-     * Create an [AdviceProvider] using the specified [config].
-     */
-    fun create(config: AdvisorConfiguration): AdviceProvider
-}
-
-/**
- * A generic factory class for an [AdviceProvider].
- */
-abstract class AbstractAdviceProviderFactory<out T : AdviceProvider>(
-    override val type: String
-) : AdviceProviderFactory {
-    abstract override fun create(config: AdvisorConfiguration): T
-
-    /**
-     * For providers that require configuration, return the typed configuration dedicated to provider [T] or throw if it
-     * does not exist.
-     */
-    protected fun <T : Any> AdvisorConfiguration.forProvider(select: AdvisorConfiguration.() -> T?): T =
-        requireNotNull(select()) {
-            "No configuration for '$type' found in '${ortConfigDirectory.resolve(ORT_CONFIG_FILENAME)}'."
-        }
-
-    /**
-     * Return a map with options for the [AdviceProvider] managed by this factory or an empty map if no options are
-     * available.
-     */
-    protected fun AdvisorConfiguration.providerOptions(): Options = options.orEmpty()[type].orEmpty()
-
-    /**
-     * Return the provider's name here to allow Clikt to display something meaningful when listing the advisors which
+     * Return the provider's type here to allow Clikt to display something meaningful when listing the advisors which
      * are enabled by default via their factories.
      */
     override fun toString() = type

@@ -42,14 +42,14 @@ import org.ossreviewtoolkit.utils.ort.Environment
  * [OrtResult].
  */
 class Advisor(
-    private val providerFactories: List<AdviceProviderFactory>,
+    private val providerFactories: List<AdviceProviderFactory<*>>,
     private val config: AdvisorConfiguration
 ) {
     companion object {
         /**
          * All [advice provider factories][AdviceProviderFactory] available in the classpath, associated by their names.
          */
-        val ALL by lazy { Plugin.getAll<AdviceProviderFactory>() }
+        val ALL by lazy { Plugin.getAll<AdviceProviderFactory<*>>() }
     }
 
     /**
@@ -83,7 +83,10 @@ class Advisor(
             if (packages.isEmpty()) {
                 logger.info { "There are no packages to give advice for." }
             } else {
-                val providers = providerFactories.map { it.create(config) }
+                val providers = providerFactories.map {
+                    val providerConfig = config.config?.get(it.type)
+                    it.create(providerConfig?.options.orEmpty(), providerConfig?.secrets.orEmpty())
+                }
 
                 providers.map { provider ->
                     async {

@@ -33,8 +33,8 @@
 
 import org.apache.logging.log4j.kotlin.logger
 
-import org.ossreviewtoolkit.advisor.AbstractAdviceProviderFactory
 import org.ossreviewtoolkit.advisor.AdviceProvider
+import org.ossreviewtoolkit.advisor.AdviceProviderFactory
 import org.ossreviewtoolkit.clients.github.DateTime
 import org.ossreviewtoolkit.clients.github.GitHubService
 import org.ossreviewtoolkit.clients.github.Paging
@@ -50,9 +50,9 @@
 import org.ossreviewtoolkit.model.Issue
 import org.ossreviewtoolkit.model.Package
 import org.ossreviewtoolkit.model.Severity
-import org.ossreviewtoolkit.model.config.AdvisorConfiguration
-import org.ossreviewtoolkit.model.config.GitHubDefectsConfiguration
+import org.ossreviewtoolkit.model.config.PluginConfiguration
 import org.ossreviewtoolkit.model.createAndLogIssue
+import org.ossreviewtoolkit.utils.common.Options
 import org.ossreviewtoolkit.utils.common.collectMessages
 import org.ossreviewtoolkit.utils.common.enumSetOf
 import org.ossreviewtoolkit.utils.ort.filterVersionNames
@@ -79,6 +79,23 @@
  *
  * For these reasons, this advisor is more a reference implementation for ORT's defects model and not necessarily
  * suitable for production usage.
+ *
+ * This [AdviceProvider] offers the following configuration options:
+ *
+ * #### [Options][PluginConfiguration.options]
+ *
+ * * **`endpointUrl`:** The URL of the GraphQL endpoint to be accessed by the service. If undefined, default is the
+ *   endpoint of the official GitHub GraphQL API.
+ * * **`labelFilter`:** A list with labels to be used for filtering GitHub issues. See
+ *   [GitHubDefectsConfiguration.labelFilter] for details.
+ * * **`maxNumberOfIssuesPerRepository`:** The maximum number of defects that are retrieved from a single repository.
+ *   See [GitHubDefectsConfiguration.maxNumberOfIssuesPerRepository] for details.
+ * * **`parallelRequests`:** Determines the number of requests to the GitHub GraphQL API that are executed in parallel.
+ *   See [GitHubDefectsConfiguration.parallelRequests] for details.
+ *
+ * #### [Secrets][PluginConfiguration.secrets]
+ *
+ * * **`token`:** The access token to authenticate against the GitHub GraphQL endpoint.
  */
 class GitHubDefects(name: String, config: GitHubDefectsConfiguration) : AdviceProvider(name) {
     companion object {
@@ -89,8 +106,18 @@
         const val DEFAULT_PARALLEL_REQUESTS = 4
     }
 
-    class Factory : AbstractAdviceProviderFactory<GitHubDefects>("GitHubDefects") {
-        override fun create(config: AdvisorConfiguration) = GitHubDefects(type, config.forProvider { gitHubDefects })
+    class Factory : AdviceProviderFactory<GitHubDefectsConfiguration>("GitHubDefects") {
+        override fun create(config: GitHubDefectsConfiguration) = GitHubDefects(type, config)
+
+        override fun parseConfig(options: Options, secrets: Options) =
+            GitHubDefectsConfiguration(
+                token = secrets["token"],
+                endpointUrl = options["endpointUrl"],
+                labelFilter = options["labelFilter"]?.split(",")?.map { it.trim() }
+                    ?: listOf("!duplicate", "!enhancement", "!invalid", "!question", "*"),
+                maxNumberOfIssuesPerRepository = options["maxNumberOfIssuesPerRepository"]?.toInt(),
+                parallelRequests = options["parallelRequests"]?.toInt()
+            )
     }
 
     /**

@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2021 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.advisor.advisors
+
+/**
+ * The configuration for the GitHub Defects advisor.
+ */
+data class GitHubDefectsConfiguration(
+    /**
+     * The access token to authenticate against the GitHub GraphQL endpoint.
+     */
+    val token: String? = null,
+
+    /**
+     * The URL of the GraphQL endpoint to be accessed by the service. If undefined, default is the endpoint of the
+     * official GitHub GraphQL API.
+     */
+    val endpointUrl: String? = null,
+
+    /**
+     * A list with labels to be used for filtering GitHub issues. With GitHub's data model for issues, it is not
+     * possible to determine whether a specific issue is actually a defect or something else, e.g. a feature request.
+     * Via this property, it is possible to limit the issues retrieved by the GitHub defects advisor by filtering for
+     * specific label values. The filtering works as follows:
+     *  - Each string in this list refers to a label to be matched. The strings are processed in order.
+     *  - If for an issue a label with the name of the current string is found, the issue is included into the result
+     *    set.
+     *  - If the current string starts with one of the characters '-' or '!', it defines an exclusion. So, if an issue
+     *    contains a label named like the current string with the first character removed, this issue is not added to
+     *    the result set, and filtering stops here. (The ordered processing resolves conflicting filters, as the first
+     *    match wins.)
+     *  - Label name matches are case-insensitive.
+     *  - Wildcards are supported; a "*" matches arbitrary characters.
+     *  - If the end of the list is reached and no match was found, the issue is not added to the result set. In order
+     *    to have all issues included for which no specific exclusion was found, a wildcard match "*" can be added at
+     *    the end.
+     * Per default, some of GitHub's default labels are excluded that typically indicate that an issue is not a defect
+     * (see https://docs.github.com/en/issues/using-labels-and-milestones-to-track-work/managing-labels#about-default-labels)
+     */
+    val labelFilter: List<String> = listOf("!duplicate", "!enhancement", "!invalid", "!question", "*"),
+
+    /**
+     * The maximum number of defects that are retrieved from a single repository. If a repository contains more
+     * issues, only this number is returned (the newest ones). Popular libraries hosted on GitHub can really have a
+     * large number of issues; therefore, it makes sense to restrict the result set produced by this advisor.
+     */
+    val maxNumberOfIssuesPerRepository: Int? = null,
+
+    /**
+     * Determines the number of requests to the GitHub GraphQL API that are executed in parallel. Rather than querying
+     * each repository one after the other, fetching the data of multiple repositories concurrently can reduce the
+     * execution times for this advisor implementation. If unspecified, a default value for parallel executions as
+     * defined in the _GitHubDefects_ class is used.
+     */
+    val parallelRequests: Int? = null
+)
@@ -25,8 +25,8 @@
 
 import org.apache.logging.log4j.kotlin.logger
 
-import org.ossreviewtoolkit.advisor.AbstractAdviceProviderFactory
 import org.ossreviewtoolkit.advisor.AdviceProvider
+import org.ossreviewtoolkit.advisor.AdviceProviderFactory
 import org.ossreviewtoolkit.clients.nexusiq.NexusIqService
 import org.ossreviewtoolkit.clients.nexusiq.NexusIqService.Component
 import org.ossreviewtoolkit.clients.nexusiq.NexusIqService.ComponentDetails
@@ -41,11 +41,11 @@
 import org.ossreviewtoolkit.model.Package
 import org.ossreviewtoolkit.model.Vulnerability
 import org.ossreviewtoolkit.model.VulnerabilityReference
-import org.ossreviewtoolkit.model.config.AdvisorConfiguration
-import org.ossreviewtoolkit.model.config.NexusIqConfiguration
+import org.ossreviewtoolkit.model.config.PluginConfiguration
 import org.ossreviewtoolkit.model.utils.PurlType
 import org.ossreviewtoolkit.model.utils.getPurlType
 import org.ossreviewtoolkit.model.utils.toPurl
+import org.ossreviewtoolkit.utils.common.Options
 import org.ossreviewtoolkit.utils.common.collectMessages
 import org.ossreviewtoolkit.utils.common.enumSetOf
 import org.ossreviewtoolkit.utils.ort.OkHttpClientHelper
@@ -63,10 +63,35 @@
 
 /**
  * A wrapper for [Nexus IQ Server](https://help.sonatype.com/iqserver) security vulnerability data.
+ *
+ * This [AdviceProvider] offers the following configuration options:
+ *
+ * #### [Options][PluginConfiguration.options]
+ *
+ * * **`serverUrl`:** The URL to use for REST API requests against the server.
+ * * **`browseUrl`:** The URL to use as a base for browsing vulnerability details. Defaults to the server URL.
+ *
+ * #### [Secrets][PluginConfiguration.secrets]
+ *
+ * * **`username`:** The username to use for authentication.
+ * * **`password`:** The password to use for authentication.
+ *
+ * If not both `username` and `password` are provided, authentication is disabled.
  */
 class NexusIq(name: String, private val config: NexusIqConfiguration) : AdviceProvider(name) {
-    class Factory : AbstractAdviceProviderFactory<NexusIq>("NexusIQ") {
-        override fun create(config: AdvisorConfiguration) = NexusIq(type, config.forProvider { nexusIq })
+    class Factory : AdviceProviderFactory<NexusIqConfiguration>("NexusIQ") {
+        override fun create(config: NexusIqConfiguration) = NexusIq(type, config)
+
+        override fun parseConfig(options: Options, secrets: Options): NexusIqConfiguration {
+            val serverUrl = options.getValue("serverUrl")
+
+            return NexusIqConfiguration(
+                serverUrl = serverUrl,
+                browseUrl = options["browseUrl"] ?: serverUrl,
+                username = secrets["username"],
+                password = secrets["password"]
+            )
+        }
     }
 
     override val details: AdvisorDetails = AdvisorDetails(providerName, enumSetOf(AdvisorCapability.VULNERABILITIES))

@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2020 The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.ossreviewtoolkit.advisor.advisors
+
+/**
+ * The configuration for Nexus IQ as a security vulnerability provider.
+ */
+data class NexusIqConfiguration(
+    /**
+     * The URL to use for REST API requests against the server.
+     */
+    val serverUrl: String,
+
+    /**
+     * A URL to use as a base for browsing vulnerability details. Defaults to the server URL.
+     */
+    val browseUrl: String = serverUrl,
+
+    /**
+     * The username to use for authentication. If not both [username] and [password] are provided, authentication is
+     * disabled.
+     */
+    val username: String? = null,
+
+    /**
+     * The password to use for authentication. If not both [username] and [password] are provided, authentication is
+     * disabled.
+     */
+    val password: String? = null
+)