MARP-1294 Create a central monitoring reporting for security issues of axonivy marketplace #251
Conversation
| this.isLoading = false; | ||
| } | ||
|
|
||
| formatCommitDate(date: string): string { |
There was a problem hiding this comment.
duplicated: similar to time-ago pipe
|
|
||
| private handleError(err: any): void { | ||
| this.errorMessage = | ||
| err.status === 401 |
There was a problem hiding this comment.
use const in common.constant.ts
| isLoading = false; | ||
|
|
||
| private securityMonitorService = inject(SecurityMonitorService); | ||
| private readonly githubBaseUrl = 'https://github.com/axonivy-market'; |
There was a problem hiding this comment.
github -> gitHub
Should we define a constant?
| @@ -0,0 +1,20 @@ | |||
| export interface Repo { | |||
There was a problem hiding this comment.
Name of interface does not match to model file.
In BE site, you used ProductSecurityInfo. I think you can use this name for this model
| status: string; | ||
| alerts: Record<string, number>; | ||
| }; | ||
| secretsScanning: { |
There was a problem hiding this comment.
secretsScanning -> secretScanning
| try { | ||
| ResponseEntity<List<Map<String, Object>>> response = fetchApiResponseAsList(accessToken, | ||
| String.format(GitHubConstants.Url.REPO_DEPENDABOT_ALERTS_OPEN, organization.getLogin(), repo.getName())); | ||
| dependabot.setStatus(com.axonivy.market.enums.AccessLevel.ENABLED); |
There was a problem hiding this comment.
Add import static for enum ENABLED instead of using full path of enum class in a method.
Update also for DISABLED and NO_PERMISSION.
| } | ||
|
|
||
| @NoArgsConstructor(access = AccessLevel.PRIVATE) | ||
| public static class Url { | ||
| private static final String BASE_URL = "https://api.github.com"; | ||
| public static final String USER = BASE_URL + "/user"; | ||
| public static final String REPO_SECURITY_ADVISORIES = BASE_URL + "/repos/%s/%s/security-advisories?state=%s"; |
There was a problem hiding this comment.
this constant is not used.
| return dependabot; | ||
| } | ||
|
|
||
| public static SecretScanning getNumberOfSecretScanningAlerts(GHRepository repo, GHOrganization organization, |
There was a problem hiding this comment.
Format code of this method
| log.warn(e); | ||
| dependabot.setStatus(com.axonivy.market.enums.AccessLevel.NO_PERMISSION); | ||
| } | ||
| return dependabot; |
| return secretScanning; | ||
| } | ||
|
|
||
| public static CodeScanning getCodeScanningAlerts(GHRepository repo, GHOrganization organization, String accessToken) { |
There was a problem hiding this comment.
similar to getDependabotAlerts(), could you unify them?
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| expect(service.productId()).toBe(''); | ||
| }); | ||
| it('should call API with token and return security details', () => { | ||
| const mockToken = 'valid-token'; |
Check failure
Code scanning / CodeQL
Hard-coded credentials Critical test
| service.productNames.set(newProductNames); | ||
| expect(service.productNames()).toEqual(newProductNames); | ||
| it('should handle error response gracefully', () => { | ||
| const mockToken = 'invalid-token'; |
Check failure
Code scanning / CodeQL
Hard-coded credentials Critical test
| }); | ||
|
|
||
| it('should call API with token and return security details', () => { | ||
| const mockToken = 'valid-token'; |
Check failure
Code scanning / CodeQL
Hard-coded credentials Critical test
| }); | ||
|
|
||
| it('should handle error response gracefully', () => { | ||
| const mockToken = 'invalid-token'; |
Check failure
Code scanning / CodeQL
Hard-coded credentials Critical test
| @@ -0,0 +1,227 @@ | |||
| body { | |||
There was a problem hiding this comment.
You should not change the styles of the body tag. It can affect the marketplace website.
| @@ -18,7 +18,7 @@ import { TimeAgo } from '../enums/time-ago.enum'; | |||
| }) | |||
| export class TimeAgoPipe implements PipeTransform { | |||
| translateService = inject(TranslateService); | |||
| async transform(value?: Date, language?: Language, _args?: []): Promise<string> { | |||
| async transform(value?: Date, language: Language = Language.EN, _args?: []): Promise<string> { | |||
There was a problem hiding this comment.
Check carefully with the time ago of the feature feedback time.
|
|
||
| securityInfoList.sort(Comparator.comparing(ProductSecurityInfo::getRepoName)); | ||
| } catch (IOException e) { | ||
| throw new RuntimeException("Error fetching repository data", e); |
There was a problem hiding this comment.
We should log it, and return an empty list when the system cannot fetch a repository
No description provided.