Conversation

michaelehab (Collaborator):

Solves #1933

  • Update Elixir Security importer to filter and process advisories relevant to the purl passed in the constructor
  • Update Elixir Security v2 importer to filter and process advisories relevant to the purl passed in the constructor
  • Update Elixir Security importer tests to include testing package-first mode

@michaelehab (Collaborator, Author):

@TG1999 I merged the recent fixes here and did another functional test for the v2 importer.
I'd appreciate your feedback and review, thanks.

```python
def __init__(self, purl=None, *args, **kwargs):
    super().__init__(*args, **kwargs)
    self.purl = purl
    if self.purl:
```
Contributor:

This pattern is being used in multiple importers; we shall extract it out as a function.

Collaborator Author:

I agree.
We can modify the constructor of the base class instead of modifying each individual importer's constructor.
But I believe in this case we won't show the warning messages if the purl is not right for the importer.

Contributor:

We can always pass the message, or the type, or even the log as a parameter.

Collaborator Author:

I like the idea of passing the supported types; that would make it generic with less duplicate code.
The warning message is the same, so it will adapt if we pass supported types.

@keshav-space (Member) left a comment:

@michaelehab there is no need to override __init__ in pipeline.

Comment on lines 44 to 38
```python
is_batch_run = True

def __init__(self, *args, purl=None, **kwargs):
    super().__init__(*args, **kwargs)
    self.purl = purl
    if self.purl:
        ElixirSecurityImporterPipeline.is_batch_run = False
        if self.purl.type != "hex":
            self.log(
                f"Warning: PURL type {self.purl.type} is not 'hex', may not match any advisories"
            )
```

@keshav-space (Member), Jul 16, 2025:

Do not add purl as a primary argument to Pipeline. Primary arguments to the pipeline are exclusively reserved for managing pipeline execution. Instead, you can pass purl to the pipeline like this: ElixirSecurityImporterPipeline(purl="pkg:hex/coherence") and then access it inside a pipeline step using self.inputs["purl"].

Collaborator Author:

I see that the constructor has arguments for managing pipeline execution (in the BasePipelineRun class).
How do I access the purl argument without overriding the constructor or modifying the BasePipelineRun constructor?
The way I approached this was to call the parent constructor with the arguments so that the pipeline functions properly, and then take the PURL, which is important at the importer level.

Collaborator Author:

And based on @TG1999's comment, we can unify the purl handling in package-first mode by overriding the VulnerableCodeBaseImporterPipeline constructor for example to do something like this.

```python
def __init__(self, *args, **kwargs):
    super().__init__(*args, **kwargs)
    self.purl = kwargs.get("purl")
    # closing quote was missing on this key in the original comment
    self.supported_types = kwargs.get("supported_types")
```

Then doing the package-first checks and warnings which is unified for all importers.

* Add Elixir Security Live V2 Importer

* Add tests for the Elixir Security Live V2 Importer

* Tested functionally using the Live Evaluation API in #1969

Signed-off-by: Michael Ehab Mikhail <[email protected]>
@michaelehab michaelehab force-pushed the 1933-elixir-security-importer-package-first branch from 3392144 to e6152cf Compare August 21, 2025 12:41
Signed-off-by: Michael Ehab Mikhail <[email protected]>
@michaelehab michaelehab force-pushed the 1933-elixir-security-importer-package-first branch from 3be7a4f to 0fee3b9 Compare August 21, 2025 13:08
@michaelehab michaelehab changed the title Modify Elixir Security importer to support package-first mode Add Elixir Security Live V2 Importer Aug 21, 2025