
barista's People

Contributors

amyschoen, andreas-bauer, bmccord, carson-desotel, dependabot[bot], jorden-lee, kevin-bradt, pkn4645, rmolinger, robertcrockett, rolinge, ry-harv, sdabhi23, vincilbishop, woodrbe


barista's Issues

Barista Badges

Create badges for Barista so scan statuses can be displayed on appropriate sites.

Choosing "none" for package manager results in problems with vulnerability scans

Choosing "none" for the package manager option initiates a ScanCode scan for licensing, rather than the tech stack specific processes (i.e. NPM, maven, nuget etc.) However, the dependency check vulnerability process seems to fail in this scenario.

To recreate:

  1. scan a project with known vulnerabilities with a specific package manager chosen - note the expected vulnerability results
  2. scan the same project when choosing "none" for the package manager - regardless of the license results, vulnerabilities which were expected are not recorded properly

remove recognition of standard package manifest names from scan module

currently, the scan module will default to using certain package managers if it detects the presence of standard manifest names in the root directory of the target GitHub repo (package.json, pom.xml etc.)

while this can occasionally be helpful for a new barista user, it is also limiting the ability to scan public, external repos which are too complicated for the package dependency approach and the scan module should default to the scancode engine

this issue is resolved when the presence of default package manifest files does not trigger a dependency driven scan if the package manager option is set to none in the GUI

Need some error handling or limits on the "path to upload file for scanning" field

The Path to upload file for scanning field on the project details page works as intended for the correct use case; i.e. when the user wishes to point the system to a URL for a zip or tar or other compressed file when their project does not have source code in GitHub.

However, we discovered today that if a user inadvertently fills out this field when it is not needed as in the use case for the AppStore (where a GitHub Repo is also left blank), it blows up the scanning pod with an unrecoverable error.

We need to devise an error handling or UI/UX solution to prevent this scenario.

Adding @woodrbe for reference if he has time to discuss with @vsurge

Support Documentation for how to recover when a scan fails

Need specific steps for recovery when a scan job fails or hangs without completion as this has happened several times in production now.

Do we simply delete the offending rows from the Scan table?

Do we need to clean out the redis queue?

Complete when there is a markdown file in the documentation folder with specific recovery and trouble-shooting steps.

Normalize package identifiers across tools

As a Barista user I would like to have normalized package identifiers across tools such that package results from all license scanners and dependency check tools can be correlated by the same package identifier. Done when packages detected by all tools can be unified where there is no duplication.

updates for seed data on new installs

need to add two items to seed data for new installs only (i.e. should not override existing entries):

  1. NPM cache directory in the system config table needs to be set to /usr/src/app/tools
  2. NPM Registry entry in the system config table needs to be set to https://registry.npmjs.org/

Documentation: User Guide

As a Barista Stakeholder I would like to have User Guide documentation so that I can better understand the system.

16h

Barista Docker Compose won't build

[Steps to Reproduce]

  1. From the root of the barista repository issue docker-compose -f ./docker-compose.yaml up

[Actual Behavior]

  • Observe that the following error is thrown:
Building barista-base
Traceback (most recent call last):
  File "site-packages/docker/utils/build.py", line 96, in create_archive
PermissionError: [Errno 13] Permission denied: '/Users/vincilbishop/Documents/Code/Surge/UHG/UHG-Code/barista/barista-api/node_modules/all-unpacker/lsar'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "docker-compose", line 6, in <module>
  File "compose/cli/main.py", line 71, in main
  File "compose/cli/main.py", line 127, in perform_command
  File "compose/cli/main.py", line 1085, in up
  File "compose/cli/main.py", line 1081, in up
  File "compose/project.py", line 527, in up
  File "compose/service.py", line 360, in ensure_image_exists
  File "compose/service.py", line 1084, in build
  File "site-packages/docker/api/build.py", line 159, in build
  File "site-packages/docker/utils/build.py", line 31, in tar
  File "site-packages/docker/utils/build.py", line 100, in create_archive
OSError: Can not read file in context: /Users/vincilbishop/Documents/Code/Surge/UHG/UHG-Code/barista/barista-api/node_modules/all-unpacker/lsar
[16221] Failed to execute script docker-compose

[Expected Behavior]

  • No error should be thrown and the Docker images should build and start.

[Notes]

Documentation: Product Overview

As a Barista Stakeholder I would like to have Product Overview documentation so that I can better understand the system.

16h

Parentheses characters "()" in the project name

Parentheses characters "()" in the project name are causing a problem when the dependency check module is executed.

Fixed when the user cannot enter parentheses characters in the project name.

Fix error message in login

As a user, when I enter the wrong password or if I am not in the required ldap group, I expect a message that tells me such. Currently a generic "An Unknown Error Occurred" is displayed, which leads to user confusion.

Change this error to "Invalid Username/Password" for bad login, or "Required group membership is not present"

Project Delete/Archive option

Project owner needs ability to delete project if there are no scan results yet. If scan results are present, delete action should result in project archive whereby project is no longer visible but scan results remain for reporting purposes, component searches etc.

ASK-ID showing in external version of Barista

When Barista is deployed in the external world through containers, the Ask-ID is supposed to have a different name on the form. It is supposed to be configurable via the 'Tool tips' but that does not save properly either. Two things need to be fixed.

  1. Initial seed data should not show 'ASK id' as the default
  2. Updates to the Tool-tips form need to be saved to database and used on the form when next rendered.

AD Group ownership does not appear to be working

The User ID field in the project details page is only available to admins and normally contains the AD id for the user who created the project. A feature was added in P/1.8 which allowed for substitution of an AD Group to enable co-ownership. This capability no longer appears to be working.

Kustomize.io based Kubernetes Manifests

I think a Kustomize based set of Kubernetes manifests for dev, and production style environments would help with adoption. If you agree, I'd be happy to submit the PR.

Replace ng-charts

ng-charts is not actively maintained.
Possible replacements include ngx-charts and PrimeNG charts.

Barista Vulnerability Scan Maintenance

Scanning the Barista project returns multiple results in the vulnerability reporting which need to be reviewed and remediated if appropriate.

We need to check for available component upgrades and other scenarios where we can reduce potential vulnerabilities.

Dependabot Fridays!

Optimize NVD loads for Scan Pod

need to speed this process up - maybe put on persistent storage or something to reduce repetitive activity - can sometimes cause Scan pod not to startup at all

also, when we go to multiple Scan pods, would be good not to have multiple copies loaded
