feat: Exhort dependency triage for SPDX multi-component uploads #228
Draft
batzionb wants to merge 3 commits into
Conversation
Rethrow ExhortCveGateException without wrapping; guard credential injection log; trim ExhortCveGateException formatting; ensure Product record ends with newline. Co-authored-by: Cursor <cursoragent@cursor.com>
Summary
This pull request implements Trustify Dependency Analytics (Exhort) for SPDX whole-product processing: per-component CycloneDX analysis, CVE-in-tree gating, a whole-product health probe that sets dependencyTriageUnavailable when Exhort is unreachable, excludedComponents outcomes (error vs dependency_not_present), and componentDependencyTriageFailed on persisted reports when Exhort fails while triage is active. Aligned with OpenSpec:

- openspec/specs/upload-spdx-api/spec.md: Dependency analytics (Exhort) CVE gate, Exhort health probe before SPDX whole-product analysis, unsupported OCI handling and excludedComponents.
- openspec/specs/report-file-upload/spec.md: Per-report dependency triage flag on API responses (componentDependencyTriageFailed).
- openspec/specs/report-page/spec.md: product-level alert when dependencyTriageUnavailable.
- openspec/specs/repository-reports-table/spec.md: repository table and triage indicators.
- openspec/specs/excluded-components-page/spec.md: excluded component presentation.
- openspec/specs/reports-table/spec.md: SBOM reports table and product-level Finding aggregation with exclusions.

Notable changes
- ExhortService REST client, ExhortHealthProbe (POST /api/v5/analysis with a minimal CycloneDX document), ExhortResponseParser, ComponentProcessingService pipeline updates, product/report models and persistence (excluded_components, dependency_triage_unavailable, componentDependencyTriageFailed), WireMock mappings and REST tests (including an Exhort-down profile).
- getProductFinding / exclusions, report page alert for product-level triage unavailable, OpenAPI and generated client updates.

Commits

- exhort: main integration (HEAD subject on the feature commit).
- fix: harden Exhort client and component processing: rethrow ExhortCveGateException without double-wrapping; credential injection log message; minor formatting.

Testing

- ./mvnw test (REST tests with WireMock / profiles as configured in the repo).
- quarkus dev with devservices products/reports and optional WireMock for Exhort.
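The probe-then-triage flow the description above lays out (health probe against /api/v5/analysis with a minimal CycloneDX document, product flagged dependencyTriageUnavailable when Exhort is unreachable, per-component failure recorded as componentDependencyTriageFailed only when triage was actually active) condensed into a stand-alone illustration. This is added example code, not the PR's Java (ExhortHealthProbe, ExhortService and ExhortResponseParser are not shown on this page), written in Python so it runs offline. The function names, the probe document's contents, the fake_transport stand-in, the constructed finding ids and the assumed response shape {"vulnerabilities": [{"id": ...}]} are all assumptions for the example, not Exhort's documented contract.

```python
"""Added illustration of the Exhort probe-then-triage flow; not the PR's own code."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable

EXHORT_ANALYSIS_PATH = "/api/v5/analysis"

# Minimal CycloneDX 1.4 document used only as a liveness probe (assumed content;
# no real product component is sent during the probe).
PROBE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [{
        "type": "library", "name": "probe", "version": "0.0.0",
        "purl": "pkg:maven/org.example/probe@0.0.0",
    }],
}

# A transport takes (path, json body) and returns (http status, parsed json body).
# It is injected so fake_transport below can simulate Exhort up/down offline.
Transport = Callable[[str, dict], tuple[int, dict]]


def http_transport(base_url: str, timeout: float = 5.0) -> Transport:
    """Real transport: POST JSON to base_url + path with a short timeout."""
    def send(path: str, body: dict) -> tuple[int, dict]:
        req = urllib.request.Request(
            base_url.rstrip("/") + path,
            data=json.dumps(body).encode("utf-8"),
            headers={"Content-Type": "application/json",
                     "Accept": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    return send


def fake_transport(down: bool = False, failing: frozenset = frozenset()) -> Transport:
    """Constructed stand-in for Exhort: unreachable when down=True, HTTP 500 for
    component names in `failing`, otherwise one constructed finding per component."""
    def send(path: str, body: dict) -> tuple[int, dict]:
        if down:
            raise urllib.error.URLError("connection refused")
        name = body["components"][0]["name"]
        if name == "probe":
            return 200, {}
        if name in failing:
            return 500, {}
        return 200, {"vulnerabilities": [{"id": f"CVE-0000-{name}"}]}  # constructed id
    return send


def component_sbom(name: str, purl: str) -> dict:
    """One-component CycloneDX document for per-component analysis."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": [{"type": "library", "name": name, "purl": purl}]}


def probe_exhort(transport: Transport) -> bool:
    """Whole-product health probe: True only if Exhort answers 2xx to PROBE_SBOM.
    Any transport failure (refused, timeout, bad JSON) counts as unavailable."""
    try:
        status, _ = transport(EXHORT_ANALYSIS_PATH, PROBE_SBOM)
    except (urllib.error.URLError, OSError, ValueError):
        return False
    return 200 <= status < 300


@dataclass
class ComponentReport:
    name: str
    component_dependency_triage_failed: bool = False
    vulnerability_ids: list = field(default_factory=list)


@dataclass
class ProductResult:
    dependency_triage_unavailable: bool
    reports: list = field(default_factory=list)


def analyze_product(components: list, transport: Transport) -> ProductResult:
    """components: list of (name, purl). Probe first; if Exhort is down, flag the
    product and never start triage, so no per-component failure flag is set."""
    if not probe_exhort(transport):
        return ProductResult(True, [ComponentReport(n) for n, _ in components])
    result = ProductResult(False)
    for name, purl in components:
        report = ComponentReport(name)
        try:
            status, body = transport(EXHORT_ANALYSIS_PATH, component_sbom(name, purl))
            if not 200 <= status < 300:
                raise ValueError(f"Exhort returned HTTP {status} for {name}")
            # Assumed response shape, for illustration only.
            report.vulnerability_ids = [v["id"] for v in body.get("vulnerabilities", [])]
        except (urllib.error.URLError, OSError, ValueError, KeyError, TypeError):
            # Triage was active (probe passed) but this component's call failed:
            # record it on the report instead of silently dropping the component.
            report.component_dependency_triage_failed = True
        result.reports.append(report)
    return result
```

The separation matters for the two flags the PR persists: a failed probe produces a product-level dependencyTriageUnavailable with clean per-component reports, while a per-component failure after a successful probe is recorded on that report alone, which is what lets the reports table show which components were actually triaged.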