Skip to content

Added catch for empty results file in dependency track #146

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Aug 20, 2025
Merged

Added catch for empty results file in dependency track #146

merged 2 commits into from
Aug 20, 2025

Conversation

Alex-1089
Copy link
Contributor

@Alex-1089 Alex-1089 commented Aug 20, 2025
edited by coderabbitai bot
Loading

Summary by CodeRabbit

  • New Features

    • Added support for policy checks on Dependency-Track projects with no components (empty SBOMs).

  • Bug Fixes

    • Improved timeout handling for Dependency-Track inspections: uses a numeric default and accepts decimal values for more reliable configuration.

  • Chores

    • Bumped package version to 1.31.4.
    • Updated changelog and release comparison links.

@Alex-1089 Alex-1089 requested a review from eeisegn August 20, 2025 15:45
@Alex-1089 Alex-1089 self-assigned this Aug 20, 2025
@coderabbitai coderabbitai
Copy link

coderabbitai bot commented Aug 20, 2025
edited
Loading

Walkthrough

Bumps package to 1.31.4, updates CHANGELOG compare links, changes CLI --timeout to parse as float with numeric default, updates DEFAULT_TIME_OUT to float, and adds an early-return guard in Dependency Track project-violation logic to treat empty SBOMs as updated.

Changes

Cohort / File(s) Summary of changes
Versioning and changelog
CHANGELOG.md, src/scanoss/__init__.py		 Added unreleased 1.31.4 entry and compare link, updated __version__ from 1.31.31.31.4.
CLI timeout parsing
src/scanoss/cli.py		 --timeout / -M argument default changed from string '300' to numeric 300 and type=float added.
Dependency Track project violation logic
src/scanoss/inspection/dependency_track/project_violation.py		 DEFAULT_TIME_OUT changed from 300300.0 (int → float); is_project_updated gains an early-return guard: when last_import ≤ last_occurrence and metrics indicates <1 components (empty SBOM), it logs and returns True (short-circuit).

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Caller
  participant Inspector as ProjectViolationInspector
  participant DT as DependencyTrackAPI

  Caller->>Inspector: is_project_updated(project)
  Inspector->>DT: fetch last_import, last_occurrence, metrics
  DT-->>Inspector: timestamps + metrics

  alt last_occurrence ≥ last_import AND components < 1
    note right of Inspector #D6EAF8: New guard — empty SBOM treated as updated
    Inspector-->>Caller: return True (short-circuit)
  else existing timestamp checks
    Inspector-->>Caller: continue existing checks and return result
  end
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested labels

bug

Suggested reviewers

  • eeisegn
  • agustingroh
  • ortizjeronimo

Poem

A nibble of code, a hop to four,
Time now floats—300.0 at the door.
Empty SBOM? I twitch and say—
"Marked updated, hop on your way!" 🐇✨

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between b8b0603 and 06151b3.

📒 Files selected for processing (1)
  • src/scanoss/inspection/dependency_track/project_violation.py (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/scanoss/inspection/dependency_track/project_violation.py
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build
✨ Finishing Touches
  • 📝 Generate Docstrings
🧪 Generate unit tests
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch feat/alex/SP-3083_empty-policy-check

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

  • Visit our Status Page to check the current availability of CodeRabbit.
  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@github-actions GitHub Actions
Copy link

SCANOSS SCAN Completed 🚀

  • Detected components: 1
  • Undeclared components: 0
  • Declared components: 1
  • Detected files: 83
  • Detected files undeclared: 0
  • Detected files declared: 83
  • Licenses detected: 1
  • Licenses detected with copyleft: 0
  • Policies: ✅ 1 pass (1 total)

View more details on SCANOSS Action Summary

coderabbitai[bot]
coderabbitai bot reviewed Aug 20, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
CHANGELOG.md (1)

12-15: Polish 1.31.4 changelog entry: capitalization and punctuation

Minor consistency nit. Other entries typically capitalize “Dependency Track,” and ending with a period reads better.

Apply this diff:

 ## [1.31.4] - 2025-08-20
 ### Added
-- Added support for empty dependency track project policy checks
+- Added support for empty Dependency Track project policy checks.
src/scanoss/cli.py (1)

804-809: Timeout as float — OK. Consider using the shared constant to avoid drift

Parsing as float is good. To keep defaults centralized and consistent with the implementation, reference DEFAULT_TIME_OUT from the policy checker module rather than hardcoding 300.

Apply this diff in the option definition:

-        --timeout', '-M',
-        required=False,
-        default=300,
-        type=float,
+        --timeout', '-M',
+        required=False,
+        default=DEFAULT_TIME_OUT,
+        type=float,
         help='Timeout (in seconds) for API communication (optional - default 300 sec)'

And update the import to bring in the constant (outside the selected range):

from scanoss.inspection.dependency_track.project_violation import (
    DependencyTrackProjectViolationPolicyCheck,
    DEFAULT_TIME_OUT,
)
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 3900859 and b8b0603.

📒 Files selected for processing (4)
  • CHANGELOG.md (2 hunks)
  • src/scanoss/__init__.py (1 hunks)
  • src/scanoss/cli.py (1 hunks)
  • src/scanoss/inspection/dependency_track/project_violation.py (2 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (1)
src/scanoss/inspection/dependency_track/project_violation.py (1)
src/scanoss/scanossbase.py (1)
  • print_msg (51-56)
🪛 LanguageTool
CHANGELOG.md

[grammar] ~12-~12: There might be a mistake here.
Context: ...ing changes... ## [1.31.4] - 2025-08-20 ### Added - Added support for empty dependen...

(QB_NEW_EN)

[grammar] ~13-~13: There might be a mistake here.
Context: ...s... ## [1.31.4] - 2025-08-20 ### Added - Added support for empty dependency track...

(QB_NEW_EN)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build
🔇 Additional comments (3)
src/scanoss/__init__.py (1)

25-25: Version bump to 1.31.4 — OK

Matches the CHANGELOG entry and aligns with the release intent. No functional impact.

CHANGELOG.md (1)

649-651: Compare links for 1.31.3 and 1.31.4 — OK

Links look correct and consistent with prior entries.

src/scanoss/inspection/dependency_track/project_violation.py (1)

34-35: Use float timeout default — OK

Switching DEFAULT_TIME_OUT to a float (300.0) is consistent with the CLI change and avoids implicit casts.

@github-actions GitHub Actions
Copy link

SCANOSS SCAN Completed 🚀

  • Detected components: 1
  • Undeclared components: 0
  • Declared components: 1
  • Detected files: 83
  • Detected files undeclared: 0
  • Detected files declared: 83
  • Licenses detected: 1
  • Licenses detected with copyleft: 0
  • Policies: ✅ 1 pass (1 total)

View more details on SCANOSS Action Summary

@Alex-1089 Alex-1089 merged commit e1320cc into main Aug 20, 2025
6 checks passed
@Alex-1089 Alex-1089 deleted the feat/alex/SP-3083_empty-policy-check branch August 20, 2025 16:07
@coderabbitai coderabbitai bot mentioned this pull request Aug 27, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@eeisegn eeisegn eeisegn approved these changes

Assignees

@Alex-1089 Alex-1089

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Alex-1089 @eeisegn