optum / barista
project barista - open source license and vulnerability management
License: Apache License 2.0
As a Barista user I would like to have a common loading / progress indicator to let me know when data or a long running process is taking place in the UI of the application.
Here is a progress indicator example from the Angular Material library: https://material.angular.io/components/progress-bar/examples
See project Insurance Solutions AARP Third Party Partner API - UHC MR for an example of scans completing successfully but summary graph failing to display
Create badges for Barista so scan statuses can be displayed on appropriate sites.
Check to ensure we are using the latest version of scan code
Add functionality to perform scans on a schedule.
Users with large numbers of AD groups in LDAP receive login errors.
Choosing "none" for the package manager option initiates a ScanCode scan for licensing, rather than the tech-stack-specific processes (i.e. NPM, Maven, NuGet, etc.). However, the dependency check vulnerability process seems to fail in this scenario.
To recreate:
Currently, the scan module will default to using certain package managers if it detects the presence of standard manifest names in the root directory of the target GitHub repo (package.json, pom.xml, etc.).
While this can occasionally be helpful for a new Barista user, it also limits the ability to scan public, external repos that are too complicated for the package dependency approach, and the scan module should default to the ScanCode engine.
This issue is resolved when the presence of default package manifest files does not trigger a dependency-driven scan if the package manager option is set to none in the GUI.
Need to update the Scan module to the latest .Net Core for handling new projects.
The "Path to upload file for scanning" field on the project details page works as intended for the correct use case, i.e. when the user wishes to point the system to a URL for a zip, tar or other compressed file because their project does not have source code in GitHub.
However, we discovered today that if a user inadvertently fills out this field when it is not needed, as in the use case for the AppStore (where a GitHub Repo is also left blank), it blows up the scanning pod with an unrecoverable error.
We need to devise an error handling or UI/UX solution to prevent this scenario.
Adding @woodrbe for reference if he has time to discuss with @vsurge
Need specific steps for recovery when a scan job fails or hangs without completion as this has happened several times in production now.
Do we simply delete the offending rows from the Scan table?
Do we need to clean out the redis queue?
Complete when there is a markdown file in the documentation folder with specific recovery and troubleshooting steps.
As a Barista user I would like to have normalized package identifiers across tools such that package results from all license scanners and dependency check tools can be correlated by the same package identifier. Done when packages detected by all tools can be unified where there is no duplication.
Need to add two items to seed data for new installs only (i.e. should not override existing entries):
/usr/src/app/tools
https://registry.npmjs.org/
Scans are only allowing adding new scans based on the number of active pods.
As a Barista Stakeholder I would like to have User Guide documentation so that I can better understand the system.
16h
As a Barista Stakeholder I would like to have Deployment Quick Start documentation so that I can better understand the system.
16h
docker-compose -f ./docker-compose.yaml up
Building barista-base
Traceback (most recent call last):
File "site-packages/docker/utils/build.py", line 96, in create_archive
PermissionError: [Errno 13] Permission denied: '/Users/vincilbishop/Documents/Code/Surge/UHG/UHG-Code/barista/barista-api/node_modules/all-unpacker/lsar'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "docker-compose", line 6, in <module>
File "compose/cli/main.py", line 71, in main
File "compose/cli/main.py", line 127, in perform_command
File "compose/cli/main.py", line 1085, in up
File "compose/cli/main.py", line 1081, in up
File "compose/project.py", line 527, in up
File "compose/service.py", line 360, in ensure_image_exists
File "compose/service.py", line 1084, in build
File "site-packages/docker/api/build.py", line 159, in build
File "site-packages/docker/utils/build.py", line 31, in tar
File "site-packages/docker/utils/build.py", line 100, in create_archive
OSError: Can not read file in context: /Users/vincilbishop/Documents/Code/Surge/UHG/UHG-Code/barista/barista-api/node_modules/all-unpacker/lsar
[16221] Failed to execute script docker-compose
As a Barista Stakeholder I would like the system to be configurable such that I can use LDAP or database authentication.
24h
As a Barista Stakeholder I would like to have Product Overview documentation so that I can better understand the system.
16h
Landing page should not require login; it should be the first page encountered.
As a Barista stakeholder I would like to prove that Jasper Reports can be implemented with the Barista system by implementing a simple report for POC.
This library looks promising: https://www.npmjs.com/package/node-jasper
Provide better feedback to users of the system when errors occur during scans.
Known errors:
Parentheses characters "()" in the project name are causing a problem when the dependency check module is executed.
Fixed when the user cannot enter parentheses characters in the project name.
As a user, when I enter the wrong password or if I am not in the required LDAP group, I expect a message that tells me such. Currently a generic "An Unknown Error Occurred" is displayed, which leads to user confusion.
Change this error to "Invalid Username/Password" for bad login, or "Required group membership is not present".
In the external version of Barista hosted on GitHub, the most used authorization type will be db, which is used for demonstrations. When the user logs in as Admin, they are not allowed to update any of the seed projects; the button is greyed out.
Add additional endpoints on API for retrieving reporting/integration data
Create SQL queries for reporting data
Project owner needs ability to delete project if there are no scan results yet. If scan results are present, delete action should result in project archive whereby project is no longer visible but scan results remain for reporting purposes, component searches etc.
Barista needs to support a Gradle build process for Java projects in addition to the Maven process.
When Barista is deployed in the external world through containers, the Ask-ID is supposed to have a different name on the form. It is supposed to be configurable via the 'Tool tips' but that does not save properly either. Two things need to be fixed.
Upgrade Node to latest version
As a Barista Stakeholder I would like to have Class documentation so that I can better understand the system.
16h
The User ID field in the project details page is only available to admins and normally contains the AD id for the user who created the project. A feature was added in P/1.8 which allowed for substitution of an AD Group to enable co-ownership. This capability no longer appears to be working.
move all other hub connect content to new Docusaurus - inside - clone outside
Go is increasing in popularity and we need to evaluate adding Go-specific package management capabilities to the Scan module.
Add quick method to login from top toolbar instead of the login page
As a Barista Stakeholder I would like to have a Docker Compose configuration so that I can easily start all tiers in the system.
8h
I think a Kustomize based set of Kubernetes manifests for dev, and production style environments would help with adoption. If you agree, I'd be happy to submit the PR.
ng-charts is not actively maintained.
Possible replacements include ngx-charts and PrimeNG charts.
Scanning the Barista project returns multiple results in the vulnerability reporting which need to be reviewed and remediated if appropriate.
We need to check for available component upgrades and other scenarios where we can reduce potential vulnerabilities.
Dependabot Fridays!
Autogenerate copyright html pages for scans
Upgrade Angular to version 9
Need to speed this process up - maybe put it on persistent storage or something to reduce repetitive activity - it can sometimes cause the Scan pod not to start up at all.
Also, when we go to multiple Scan pods, it would be good not to have multiple copies loaded.
As a Barista Stakeholder I would like to have Developer Quick Start documentation so that I can better understand the system.
24h
As a Barista Stakeholder I would like to have API documentation so that I can better understand the system.
16h