Setup elasticsearch dependency monitoring with Snyk for production code #88036
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
breskeby
added
:Delivery/Build
breskeby
changed the title
breskeby
commented
Jun 24, 2022
| @@ -168,7 +168,6 @@ private static String readFirstLine(final Path path) throws IOException { | |||
|
|
|||
| /** Find the reponame. */ | |||
| public String urlFromOrigin() { | |||
| String oritin = getOrigin(); | |||
There was a problem hiding this comment.
fixed typo on the way
breskeby
commented
Jun 24, 2022
| Class<? extends Plugin> pluginClassUnderTest = SnykDependencyMonitoringGradlePlugin.class | ||
|
|
||
| def setup() { | ||
| configurationCacheCompatible = false // configuration is not cc compliant |
There was a problem hiding this comment.
For creating the dependency graph we need to work on the Configuration object that is not compliant with the gradle configuration-cache at the moment. This should not affect our developers as this task should never be triggered in day to day life from dev environments
breskeby
commented
Jun 24, 2022
| } | ||
|
|
||
| dependencies { | ||
| implementation 'org.apache.lucene:lucene-monitor:9.2.0' |
There was a problem hiding this comment.
For now, I don't want to go down the route of creating a maven test fixture to reproduce dependency graphs from scratch. Therefore we test against real dependencies from real repositories.
breskeby
commented
Jun 24, 2022
| String content = FileUtils.readFileToString(inputFile.getAsFile().get()); | ||
| HttpPut putRequest = new HttpPut(endpoint); | ||
| putRequest.addHeader("Authorization", "token " + token.get()); | ||
| putRequest.addHeader("Content-Type", "application/json"); |
There was a problem hiding this comment.
For now we send the plain json in text format to the endpoint. Snyk supports gzipped data here but I didn't see a major performance issue here at all that would make the effort to support gz worth it for now.
breskeby
commented
Jun 24, 2022
| @@ -17,8 +17,7 @@ tasks.named("assemble").configure { enabled = true } | |||
| archivesBaseName = 'client-benchmarks' | |||
| mainClassName = 'org.elasticsearch.client.benchmark.BenchmarkMain' | |||
|
|
|||
| // never try to invoke tests on the benchmark project - there aren't any | |||
| tasks.named("test").configure {enabled = false } | |||
There was a problem hiding this comment.
I removed those explicit set tests to not execute. Gradle will shortcut that anyhow as no source is detected. It also makes the outcome of that task more clear IMO as it will tell NO_SOURCE instead of SKIPPED which can have different reasons.
breskeby
commented
Jun 24, 2022
| @@ -20,5 +20,4 @@ esplugin { | |||
| tasks.named("assemble").configure { enabled = false } | |||
| tasks.named("dependencyLicenses").configure { enabled = false } | |||
| tasks.named("dependenciesInfo").configure { enabled = false } | |||
| // no unit tests | |||
| tasks.named("test").configure { enabled = false } | |||
| tasks.named("uploadSnykDependencyGraph").configure { enabled = false } | |||
There was a problem hiding this comment.
this plugin applies elasticsearch.build but I don't consider it production code
breskeby
commented
Jun 24, 2022
client/benchmark/build.gradle
Outdated
| @@ -17,8 +17,7 @@ tasks.named("assemble").configure { enabled = true } | |||
| archivesBaseName = 'client-benchmarks' | |||
| mainClassName = 'org.elasticsearch.client.benchmark.BenchmarkMain' | |||
|
|
|||
| // never try to invoke tests on the benchmark project - there aren't any | |||
| tasks.named("test").configure {enabled = false } | |||
| tasks.named("uploadSnykDependencyGraph").configure {enabled = false } | |||
There was a problem hiding this comment.
this project applies elasticsearch.build but I don't consider it production code
breskeby
commented
Jun 24, 2022
| @@ -7,3 +7,7 @@ dependencies { | |||
|
|
|||
| testImplementation project(":test:framework") | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
plenty of forbidden api failures. TODO: raise ticket
breskeby
commented
Jun 24, 2022
| @@ -8,3 +8,9 @@ dependencies { | |||
| tasks.named('shadowJar').configure { | |||
| exclude 'org/apache/hadoop/util/ShutdownHookManager$*.class' | |||
| } | |||
|
|
|||
| ['jarHell', 'thirdPartyAudit', 'forbiddenApisMain', 'splitPackagesAudit'].each { | |||
There was a problem hiding this comment.
All kinds of problems here that have been not discovered before.
TODO: raise ticket
breskeby
commented
Jun 24, 2022
| @@ -47,7 +47,6 @@ tasks.named('forbiddenApisMain').configure { | |||
| // TODO: should we have licenses for our test deps? | |||
| tasks.named("dependencyLicenses").configure { enabled = false } | |||
| tasks.named("dependenciesInfo").configure { enabled = false } | |||
| tasks.named("dependenciesGraph").configure { enabled = false } | |||
There was a problem hiding this comment.
I wonder if this should be part of the snyk check or not. It seems we upload this somewhere so I would consider it kind of production code
breskeby
commented
Jun 24, 2022
| @@ -30,7 +30,6 @@ tasks.named('forbiddenApisMain').configure { | |||
| // TODO: should we have licenses for our test deps? | |||
| tasks.named("dependencyLicenses").configure { enabled = false } | |||
| tasks.named("dependenciesInfo").configure { enabled = false } | |||
| tasks.named("dependenciesGraph").configure { enabled = false } | |||
breskeby
commented
Jun 24, 2022
| @@ -291,6 +291,7 @@ dependencies { | |||
| exclude module: "groovy" | |||
| } | |||
| testImplementation buildLibs.spock.junit4 | |||
| testImplementation buildLibs.json.assert | |||
There was a problem hiding this comment.
allows asserting generated json without hassle.
breskeby
requested review from
mark-vieira,
rjernst and
jkakavas
and removed request for
mark-vieira and
rjernst
|
Pinging @elastic/es-delivery (Team:Delivery) |
breskeby
force-pushed
the
snyk-dependency-monitoring
branch
from
100a2ce to
e08f2b8
Compare
|
|
about 1) The way this works is split in 2 tasks. If you just run |
4 tasks
breskeby
added
the
auto-merge-without-approval
Only apply snyk check for production projects
breskeby
force-pushed
the
snyk-dependency-monitoring
branch
from
f923ead to
47206c4
Compare
breskeby
added a commit
to breskeby/elasticsearch
that referenced
this pull request
Jun 30, 2022
…de (elastic#88036) This adds the generation and upload logic of Gradle dependency graphs to snyk We directly implemented a rest api based snyk plugin as: the existing snyk gradle plugin delegates to the snyk command line tool the command line tool uses custom gradle logic by injecting a init file that is a) using deprecated build logic which we definitely want to avoid b) uses gradle api we avoid like eager task creation. Shipping this as a internal gradle plugin gives us the most flexibility as we only want to monitor production code for now we apply this plugin as part of the elasticsearch.build plugin, that usage has been for now the de-facto indicator if a project is considered a "production" project that ends up in our distribution or public maven repositories. This isnt yet ideal and we will revisit the distinction between production and non production code / projects in a separate effort. As part of this effort we added the elasticsearch.build plugin to more projects that actually end up in the distribution. To unblock us on this we for now disabled a few check tasks that started failing by applying elasticsearch.build. Addresses elastic#87620 # Conflicts: # build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/BuildPlugin.java # client/benchmark/build.gradle # client/test/build.gradle # distribution/tools/cli-launcher/build.gradle # distribution/tools/java-version-checker/build.gradle # distribution/tools/windows-service-cli/build.gradle # rest-api-spec/build.gradle # test/framework/build.gradle
breskeby
added a commit
to breskeby/elasticsearch
that referenced
this pull request
Jul 15, 2022
…de (elastic#88036) This adds the generation and upload logic of Gradle dependency graphs to snyk We directly implemented a rest api based snyk plugin as: the existing snyk gradle plugin delegates to the snyk command line tool the command line tool uses custom gradle logic by injecting a init file that is a) using deprecated build logic which we definitely want to avoid b) uses gradle api we avoid like eager task creation. Shipping this as a internal gradle plugin gives us the most flexibility as we only want to monitor production code for now we apply this plugin as part of the elasticsearch.build plugin, that usage has been for now the de-facto indicator if a project is considered a "production" project that ends up in our distribution or public maven repositories. This isnt yet ideal and we will revisit the distinction between production and non production code / projects in a separate effort. As part of this effort we added the elasticsearch.build plugin to more projects that actually end up in the distribution. To unblock us on this we for now disabled a few check tasks that started failing by applying elasticsearch.build. Addresses elastic#87620 # Conflicts: # test/framework/build.gradle
breskeby
added a commit
that referenced
this pull request
Jul 15, 2022
…ion code (#88036) (#88566) * Setup elasticsearch dependency monitoring with Snyk for production code (#88036) This adds the generation and upload logic of Gradle dependency graphs to snyk We directly implemented a rest api based snyk plugin as: the existing snyk gradle plugin delegates to the snyk command line tool the command line tool uses custom gradle logic by injecting a init file that is a) using deprecated build logic which we definitely want to avoid b) uses gradle api we avoid like eager task creation. Shipping this as a internal gradle plugin gives us the most flexibility as we only want to monitor production code for now we apply this plugin as part of the elasticsearch.build plugin, that usage has been for now the de-facto indicator if a project is considered a "production" project that ends up in our distribution or public maven repositories. This isnt yet ideal and we will revisit the distinction between production and non production code / projects in a separate effort. As part of this effort we added the elasticsearch.build plugin to more projects that actually end up in the distribution. To unblock us on this we for now disabled a few check tasks that started failing by applying elasticsearch.build. Addresses #87620 # Conflicts: # test/framework/build.gradle * Fix license report when backporting
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This setups the generation and upload logic of gradle dependency graphs to snyk as raised in #87620
We directly implemented a rest api based snyk plugin as:
a) using deprecated build logic which we definitely want to avoid
b) uses gradle api we avoid like eager task creation.
As we only want to monitor production code for now we apply this plugin as part of the
elasticsearch.buildplugin, that usage has been for now the de-facto indicator if a project is considered a "production" project that ends up in our distribution or public maven repositories. This isnt yet ideal and we will revisit the distinction between production and non production code / projects in a separate effort.The snyk upload can be triggered from command line via:
where XXX is the api token that can be configured at https://app.snyk.io/account
The outcome of this can be found at https://app.snyk.io/org/elasticsearch/projects and https://app.snyk.io/org/elasticsearch/reports/
Setting up build jobs for regular updating the dependency monitoring in snyk will be covered in a separate PR.
As part of this effort we added the
elasticsearch.buildplugin to more projects that actually end up in the distribution. To unblock us on this we for now disabled a few check tasks that started failing by applyingelasticsearch.build. We'll address this in separate PR at its out of scope of this story to fix.