sonatype-nexus-community / scan-gradle-plugin

Gradle plugin that scans the dependencies of a Gradle project using Sonatype platforms: OSS Index and Nexus IQ Server.
Apache License 2.0

[FEATURE] Reduce noise for Android projects in Nexus IQ evaluation reports #80

Closed guillermo-varela closed 3 years ago

guillermo-varela commented 3 years ago

cc @bhamail / @DarthHater / @guillermo-varela / @shaikhu

acprocacci commented 3 years ago

Hi @guillermo-varela, in my scan results (Android project) I don't think I'm seeing the parent AAR files being scanned. I'm only seeing the classes.jar and annotations.zip files. So if you are going to exclude the classes.jar files from evaluation, shouldn't there be logic to more shallowly evaluate these exploded AARs?

For example in the Nexus IQ Server UI, if I click into one of the classes.jar components from an Android scan and navigate to the Occurrences tab, I see classes.jar located at foo/bar-X.X.X.aar but I do not see foo/bar-X.X.X.aar in the list of components in the scan results. Doesn't foo/bar-X.X.X.aar still need to be evaluated?

guillermo-varela commented 3 years ago

Hi @acprocacci,

I did a test using a small Android project with just one dependency: com.android.support:support-compat:24.2.1

[Screenshot: Screen Shot 2021-05-26 at 5 27 22 PM]

As seen in the evaluation report from IQ, the AAR was properly scanned (last row). When opening the details for the unknown components (classes.jar, annotations.zip and internal_impl-24.2.1.jar) we can see on the "Occurrences" tab those come from the AAR file:

[Screenshot: Screen Shot 2021-05-26 at 5 30 21 PM]

What we'll attempt to do here is to keep the AAR component being scanned while keeping the internal JARs and annotations.zip out of the evaluation report.

Please let me know if that resolves your concern.

Thanks.

acprocacci commented 3 years ago

Definitely resolves my concern, thanks!

mitunzavery commented 3 years ago

Hi @guillermo-varela is there any update on resolving this issue? The increased noise is causing difficulties in identifying risk within an application being scanned. Removing the noise, would vastly improve the identification rate and remove noise. Thanks.

guillermo-varela commented 3 years ago

Hi @mitunzavery,

Unfortunately I haven't been able to work on this, but hopefully I'll be taking a look at this during next improvement day (next week).

Thanks.

guillermo-varela commented 3 years ago

Hi @mitunzavery and @acprocacci,

The new option dirExcludes has been added in version 2.1.0, which allows setting a comma-separated list of Ant patterns with the files to exclude. The suggested value for Android projects is dirExcludes = '**/classes.jar,**/annotations.zip,**/lint.jar,**/internal_impl-*.jar', but please be aware that it's an optional configuration, meaning nothing is excluded by default as this is a general-purpose plugin (not just for Android), so users with Android projects need to set this manually.

As it's optional, we hope @acprocacci's initial concerns are covered :)

https://github.com/sonatype-nexus-community/scan-gradle-plugin/releases/tag/2.1.0

Thanks.
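As an added illustration (not the plugin's own code and not part of this thread), the Python below approximates Ant pattern matching and applies the suggested dirExcludes value to a constructed file list modelled on the support-compat example discussed above. It shows that the parent AAR stays in scope while the exploded classes.jar, annotations.zip, lint.jar and internal_impl-*.jar drop out; the path layout is an assumption for demonstration and the plugin's real matcher may differ in detail.

```python
import re

# Suggested dirExcludes value for Android projects, quoted from the thread.
ANDROID_DIR_EXCLUDES = '**/classes.jar,**/annotations.zip,**/lint.jar,**/internal_impl-*.jar'

# Constructed sample paths (hypothetical layout of an exploded AAR plus a plain JAR).
SAMPLE_PATHS = [
    'com/android/support/support-compat-24.2.1.aar',
    'com/android/support/support-compat-24.2.1/classes.jar',
    'com/android/support/support-compat-24.2.1/annotations.zip',
    'com/android/support/support-compat-24.2.1/libs/internal_impl-24.2.1.jar',
    'com/android/support/support-compat-24.2.1/lint.jar',
    'com/squareup/okhttp3/okhttp-4.9.0.jar',
    'classes.jar',
]


def ant_pattern_to_regex(pattern):
    """Translate an Ant-style path pattern into an anchored regex.
    '**' spans any number of directories (including none), '*' matches
    any characters within one path segment, '?' exactly one character."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith('**/', i):
            out.append('(?:.*/)?')      # zero or more leading directories
            i += 3
        elif pattern.startswith('**', i):
            out.append('.*')            # trailing ** matches the rest
            i += 2
        elif pattern[i] == '*':
            out.append('[^/]*')         # does not cross a '/'
            i += 1
        elif pattern[i] == '?':
            out.append('[^/]')
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile('^' + ''.join(out) + '$')


def apply_dir_excludes(paths, dir_excludes):
    """Split paths into (kept, excluded) using a comma-separated Ant pattern list."""
    regexes = [ant_pattern_to_regex(p.strip()) for p in dir_excludes.split(',') if p.strip()]
    kept, excluded = [], []
    for path in paths:
        (excluded if any(r.match(path) for r in regexes) else kept).append(path)
    return kept, excluded


if __name__ == '__main__':
    kept, excluded = apply_dir_excludes(SAMPLE_PATHS, ANDROID_DIR_EXCLUDES)
    print('kept:', kept)
    print('excluded:', excluded)
```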