oss-review-toolkit / ort

A suite of tools to automate software compliance checks.
https://oss-review-toolkit.org
Apache License 2.0

Add the Advisor to the getting started tutorial #4219

Open saju-1312 opened 3 years ago

saju-1312 commented 3 years ago

Kindly update the command format for the advisor library in the getting started page.

sschuberth commented 3 years ago

Could you please be more specific? What given information is wrong, and how does it need to be fixed in your opinion?

saju-1312 commented 3 years ago

In the getting started page, there is a lack of information for the advisor library. You have given examples for running the commands of the analyzer, scanner, evaluator and reporter libraries. Similarly, share some information for the advisor with example commands.

chess-levin commented 3 years ago

Couldn't find any information on how to integrate the advisor-result.json into the generated report. I thought there should be a special input parameter for the report command, but didn't find one. Could you give me a hint on how to tell the reporter to make a combined report from the evaluator-result.json and the advisor-result.json?

sschuberth commented 3 years ago

> integrate the advisor-result.json into the generated report.

Which report format specifically? I'm asking because what kind of information is shown in a report partly depends on the report format and its capabilities.

> how to tell the reporter to make a combined report from the evaluator-result.json and the advisor-result.json

ORT works differently. Each tool that runs enriches the input with its output. So once you have the new output, there is no need really to keep the original input around. For example, if the advisor runs before the evaluator, also the evaluator output will contain the advisor output.

My hunch is that you're looking at a report format, like the web app report, which simply does not display the vulnerabilities found by the advisor yet.
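As an added illustration of that enrichment (this is example code, not code from the ORT project or from this thread): a small Python check that reads an evaluator result written as JSON, confirms which tool sections it still carries, and pulls the advisor's vulnerabilities out of it, the information the WebApp report did not show at the time. The sample result is constructed, and the key names (`advisor.results.advisor_results`, `vulnerabilities`, `references[].severity`) are assumptions about ORT's result layout.

```python
import json
# Constructed sample of an ORT evaluator result in JSON form (snake_case keys), cut down
# to the fields read below. The key names are an assumption about ORT's result model.
SAMPLE_EVALUATOR_RESULT = json.dumps({
    "analyzer": {"result": {"packages": []}},
    "advisor": {"results": {"advisor_results": {
        "Maven:org.example:lib:1.0.0": [{
            "advisor": {"name": "OssIndex"},
            "vulnerabilities": [
                {"id": "CVE-XXXX-0001", "references": [
                    {"url": "https://example.invalid/a", "scoring_system": "CVSS3", "severity": "7.5"}]},
                {"id": "CVE-XXXX-0002", "references": [
                    {"url": "https://example.invalid/b", "scoring_system": "CVSS3", "severity": "9.8"},
                    {"url": "https://example.invalid/c", "scoring_system": "NVD", "severity": "HIGH"}]},
            ]}],
        "NPM::left-pad:1.3.0": [{"advisor": {"name": "OssIndex"}, "vulnerabilities": []}],
    }}},
    "evaluator": {"violations": []},
})

def load_result(text):
    """Parse an ORT result file written as JSON."""
    return json.loads(text)

def tools_present(result):
    """Tool sections a result carries; an evaluator run after the advisor keeps both."""
    return [t for t in ("analyzer", "scanner", "advisor", "evaluator") if result.get(t)]

def _max_severity(vuln):
    """Highest numeric severity among a vulnerability's references, or None."""
    scores = []
    for ref in vuln.get("references", []):
        try:
            scores.append(float(ref.get("severity")))
        except (TypeError, ValueError):
            pass  # textual severities such as "HIGH" are skipped here
    return max(scores) if scores else None

def vulnerable_packages(result):
    """Map package id -> [(vulnerability id, max severity)] from the advisor section."""
    advisor = result.get("advisor") or {}
    per_package = advisor.get("results", {}).get("advisor_results", {})
    out = {}
    for pkg_id, advisor_results in per_package.items():
        findings = [(v["id"], _max_severity(v))
                    for ar in advisor_results for v in ar.get("vulnerabilities", [])]
        if findings:  # packages the advisor checked but found nothing for are omitted
            out[pkg_id] = findings
    return out
```

Point `load_result` at a real evaluator-result.json to see whether your run kept the advisor section; if `tools_present` lacks "advisor", the advisor did not run before the evaluator.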

chess-levin commented 3 years ago

Thank you for the quick response.

> > integrate the advisor-result.json into the generated report.
>
> Which report format specifically? I'm asking because what kind of information is shown in a report partly depends on the report format and its capabilities.
>
> > how to tell the reporter to make a combined report from the evaluator-result.json and the advisor-result.json
>
> ORT works differently. Each tool that runs enriches the input with its output. So once you have the new output, there is no need really to keep the original input around. For example, if the advisor runs before the evaluator, also the evaluator output will contain the advisor output.

Yep. This I already found out.

> My hunch is that you're looking at a report format, like the web app report, which simply does not display the vulnerabilities found by the advisor yet.

Ah ok. I've only generated the WebApp. Which one contains the vulnerabilities?

sschuberth commented 3 years ago

> Ah ok. I've only generated the WebApp. Which one contains the vulnerabilities?

So far only the evaluated model report and the vulnerability report list vulnerabilities.

chess-levin commented 3 years ago

> > Ah ok. I've only generated the WebApp. Which one contains the vulnerabilities?
>
> So far only the evaluated model report and the vulnerability report list vulnerabilities.

Sorry, but the help output for `ort report -f`

```
* -f, --report-formats VALUE  The comma-separated reports to generate, any of
                              [AdocTemplate, CycloneDx, DocBookTemplate,
                              EvaluatedModel, Excel, GitLabLicenseModel,
                              HtmlTemplate, ManPageTemplate, NoticeTemplate,
                              Opossum, PdfTemplate, SpdxDocument, StaticHtml,
                              WebApp, XHtmlTemplate].
```

shows no vulnerability report.

sschuberth commented 3 years ago

The vulnerability report is just a special template for the AsciiDocTemplateReporter reporter (and related backend-specific reporters like PdfTemplate). Its use is described here (use vulnerability_report as the template-id).

chess-levin commented 3 years ago

Ok. Thank you.