konveyor / kantra
A CLI that unifies analysis and transformation capabilities of Konveyor
License: Apache License 2.0
This will allow users to specify an output directory for the static report as well as the raw YAML output from analyzers
0.3-beta.1
Major
The tool should be configured to use docker by default, since podman can emulate docker, but not vice versa.
As a kantra user
When I run ./kantra analyze
having only docker installed
Then the tool executes correctly
As a kantra user
When I run ./kantra analyze
having only podman installed
Then the tool executes correctly
Always (Default)
No response
- OS: fedora 38
No response
The meaning of this option is different from what windup option was. We need to be careful in expressing that in the description clearly
analyze static report fails on windows copying from container to host: https://github.com/konveyor-ecosystem/kantra/blob/main/cmd/container.go#L221
level=debug msg="copying files from container" dest="C:\\Users\\Emily\\test-output" podman="C:\\Program Files\\RedHat\\Podman\\podman.exe" src=/usr/local/static-report
time="2023-09-06T16:22:27-04:00" level=error msg="failed to generate static report" error="exit status 125"
Error: exit status 125
Could be a known issue with podman cp with windows: containers/podman#14862
N/A
Major
When running kantra analyze, the analysis stops generating logs after a few minutes. The end of the log file does not show any failed steps or errors. Only two files are generated: analysis.log and dependency.log as output.
Potential solutions/reasons:
$ ls ./output/ -1
analysis.log
dependencies.yaml
dependency.log
output.yaml
static-report
However, only two files are generated: analysis.log and dependency.log as output.
[Sometimes]
Use this demo link to reproduce (https://github.com/konveyor/kantra#analyze-1)
- OS:
Podman is running on macOS (Mac x86)
We need to build label selector expressions based on values passed in --source and --target options. See selector syntax here.
When neither --source nor --target is specified, --label-selector should not be specified on analyzer command.
When multiple targets are specified, their individual label selector expressions should be OR'd with each other. e.g. (konveyor.io/target=t1 || konveyor.io/target=t2)
When no sources are specified, but a --target is specified, a "catch-all" expression for the source should be AND'ed with the --target expression. e.g. (<target-selector-expression>) && konveyor.io/source. Note that the source selector doesn't specify any value.
When multiple sources are specified, they all should be OR'd with each other. (konveyor.io/source=s1 || konveyor.io/source=s2)
Note that "catch-all" expression is not specified when at least one source is specified.
When both source and targets are specified, their individual sub-expressions should be AND'ed with each other e.g. (<target-selector-expression>) && (<source-selector-expression>)
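The rules above map directly onto a small selector builder. The following is an added example, not kantra's own code: it implements the five rules listed in this issue, adds the "--label-selector is exclusive with --source / --target" check requested in a separate issue on this page, and validates requested values against a discovered list the way the --list-targets issue asks for. The sources-only case (no --target) is not covered by the issue text and is handled here, as an assumption, by emitting the source sub-expression on its own. Function names and the sample discovered-target list are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Label keys named in the issue text.
const (
	sourceLabel = "konveyor.io/source"
	targetLabel = "konveyor.io/target"
)

// orExpr OR's one key=value term per value and wraps the result in
// parentheses, e.g. (konveyor.io/target=t1 || konveyor.io/target=t2).
func orExpr(key string, values []string) string {
	terms := make([]string, 0, len(values))
	for _, v := range values {
		terms = append(terms, fmt.Sprintf("%s=%s", key, v))
	}
	return "(" + strings.Join(terms, " || ") + ")"
}

// BuildLabelSelector returns the --label-selector value to pass to the
// analyzer and whether the flag should be passed at all.
//   - no sources, no targets: do not pass --label-selector
//   - targets only: (<targets OR'd>) && konveyor.io/source  (catch-all source)
//   - sources only: (<sources OR'd>)  -- assumption, not specified in the issue
//   - both: (<targets OR'd>) && (<sources OR'd>)
func BuildLabelSelector(sources, targets []string) (string, bool) {
	switch {
	case len(sources) == 0 && len(targets) == 0:
		return "", false
	case len(sources) == 0:
		// Catch-all: the source key alone, with no value.
		return orExpr(targetLabel, targets) + " && " + sourceLabel, true
	case len(targets) == 0:
		return orExpr(sourceLabel, sources), true
	default:
		return orExpr(targetLabel, targets) + " && " + orExpr(sourceLabel, sources), true
	}
}

// ValidateSelectorFlags rejects an explicit --label-selector combined with
// --source or --target, since the two ways of selecting rules are exclusive.
func ValidateSelectorFlags(labelSelector string, sources, targets []string) error {
	if labelSelector != "" && (len(sources) > 0 || len(targets) > 0) {
		return fmt.Errorf("--label-selector cannot be combined with --source or --target")
	}
	return nil
}

// ValidateKnown rejects any requested value that is not in the discovered
// list, so that only targets/sources shipped with the packaged rulesets pass.
func ValidateKnown(flag string, requested, discovered []string) error {
	known := make(map[string]bool, len(discovered))
	for _, d := range discovered {
		known[d] = true
	}
	for _, r := range requested {
		if !known[r] {
			return fmt.Errorf("unknown %s %q; run --list-%ss to see available values", flag, r, flag)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a subset of the targets printed by --list-targets.
	discovered := []string{"cloud-readiness", "linux", "openjdk11", "quarkus"}
	targets := []string{"cloud-readiness", "linux"}
	if err := ValidateKnown("target", targets, discovered); err != nil {
		fmt.Println("error:", err)
		return
	}
	sel, ok := BuildLabelSelector(nil, targets)
	fmt.Printf("pass selector: %v, value: %s\n", ok, sel)
}
```

The catch-all branch is the one worth a second look when wiring this into the real command: it deliberately emits the bare key `konveyor.io/source`, with no `=value`, which is what makes every source match when only targets were requested.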
This subcommand will invoke the windup-shim convert command.
The windup-shim is already part of the Dockerfile. Its convert command can be used as:
windup-shim convert --outputdir=<path/to/output/dir> <path/to/XML/rules/directory> <path/to/another/XML/rules/directory>...
Note that multiple paths to directories with XML rules can be specified.
This will allow users to select one or more targets from packaged rulesets. This needs to have validation such that only the discovered targets should be allowed.
This will disable the static report generation
Kantra version: Latest (Retrieved on September 4th through the documented command for Linux installs)
OS Fedora 36
podman version 4.3.1
tackle-testapp application
Running analysis of both source code and binaries is triggering rules and generating issues that don't belong to the application that is being analyzed. In both cases, the target application is tackle-testapp. Please bear in mind that the application has a dependency on the config-utils library, which can only be retrieved from the Maven repository associated with that source code repository by following these instructions. After the settings file is correctly configured, the binary can be generated with the mvn package command.
For binary, the following command was executed:
kantra analyze --input=./customers-tomcat-0.0.1-SNAPSHOT.war --output=/home/rroman/kantraresults-binary --target=cloud-readiness --target=linux --log-level=7 | tee logbinary.log
The log file produced by that execution is the following: logbinary.log
The report available in the kantraresults-binary directory contains the following issues:
The Hardcoded IP Address issue seems to be right and points to the right file and the right location inside that file. The problem is the File system - Java IO issue, which shouldn't have been triggered for all of the available occurrences. Checking the list of affected files, we can see that the file PersistenceConfig.java appears several times with a single incident, instead of appearing once with multiple incidents. Clicking on any of the file instances displays the right code snippet with what seems to be a random line highlighted:
Please note that no Java IO classes are imported nor instantiated in this class. It should also be noted that the File system - Java IO issue should have been triggered for one of the files available in the embedded config-utils library, but it is missing in the report.
The source code was analyzed with the following command, passing exactly the same targets:
kantra analyze --input=./tackle-testapp --output=/home/rroman/kantraresults-source --target=cloud-readiness --target=linux --log-level=6 | tee output.log
The log file produced by that execution is the following: output.log
In this case, the list of detected issues seems to be way bigger, as it seems that the analyzer is adding dependencies to the analysis scope, even though the --analyzeKnownLibraries flag hasn't been passed as a parameter:
It's hard to determine which of the rules are right, although there are some examples of the previously described random behavior. For example, for the Java native libraries (JNI, JNA) rule, we can see that one of the occurrences in the GenericGroovyApplicationContext.class file highlights a comment as the incident:
The snippet for the GenericGroovyApplicationContext.class file seems to be cropped, so it's hard to determine if there are imports in the file that could match any of the patterns for the rule that got triggered.
For example, for the Java Mail API rule, there seems to be a correct match with the MailSenderAutoConfiguration.class file, but the line that got highlighted doesn't make any sense:
For dependencies to be excluded based on whether they are open-source or internal, we need to package the maven index file in the CLI. This file can be taken from java-analyzer-bundle
We need to think about whether we want to keep the log. I think, for the successful runs, we can safely ignore logs and just clean up the container by default. Can have a flag to not clean up. This also means that we will maintain a handle for the container throughout the lifecycle of the command, I think container name should just be fine.
We need to start testing the CLI on windows as early as possible
For static reports we need to place the output in the public directory of the report tarball.
Either add a new option to create analysis and dependencies outputs as JSON or generate both JSON and YAML in the same folder without an explicit option.
analyze subcommand
openrewrite subcommand
Currently, only rules from this windup repo (https://github.com/windup/windup-rulesets/tree/master/rules/rules-reviewed/openrewrite) are supported.
It would be nice to also support rules from the openrewrite.org Recipe list e.g. Upgrading to Java 17 https://docs.openrewrite.org/recipes/java/migrate/upgradetojava17#usage.
This could be either providing the name of the recipe dependency and the name of the recipe as command flags or by providing a custom rewrite.yaml. With that functionality one could also create custom recipes and use them with Kantra.
We need to package the CLI into a Dockerfile, it will use the analyzer base image to get the binary to run.
Right now we have settings.json kept as provider settings. To avoid this going stale, we need to build up and write this file via the provider config API.
We need this so that users can pass custom rules along with pre-packaged sources / targets
N/A
Critical
After analyzing an application, when I go to any of the Issues views, the application crashes and the view goes blank.
Getting the following on the browser console:
The report issues should be viewable.
Always (Default)
- OS: Fedora 38
- Browser: Chrome (Version 117.0.5938.132)
- Containers: Docker version 24.0.6, build ed223bc
No response
This will enable analyzer to generate incidents for all dependencies.
We need an option to specify proxy config, this could either be a proxy string or a config file or both. I think starting with a string proxy config would be the easiest and should satisfy requirement
--label-selector and --source / --target should be exclusive
Kantra version: Latest (Retrieved on September 4th through the documented command for Linux installs)
OS Fedora 36
podman version 4.3.1
The OpenJDK target is not included in the available targets. That target is essential, as it includes rules to migrate from Oracle JDK to OpenJDK.
$ kantra analyze --list-targets
available target technologies: azure-aks azure-appservice azure-container-apps azure-spring-apps camel2 camel3 cloud-readiness drools6 eap eap6 eap7 eap8 eapxp2 eapxp3 fsw6 fuse6 hibernate-search5 hibernate4 hibernate5 hibernate5.1 hibernate5.3 hibernate6 hibernate6.1 hibernate6.2 jakarta-ee8 jakarta-ee9 java-ee6 java-ee7 jbpm6 linux openjdk11 openjdk17 openjdk7 openliberty quarkus resteasy3 rhr
This will allow users to select one or more sources from packaged rulesets. This needs to have validation such that only the discovered targets should be allowed.
This will allow users to point to a directory where application source code or binary could be found.