konveyor / kantra

A CLI that unifies analysis and transformation capabilities of Konveyor

License: Apache License 2.0

Dockerfile 2.87% Go 85.85% Shell 1.50% Makefile 0.72% Java 7.25% Python 1.81%

kantra's People

Contributors

ascheman, aufi, dagood, djzager, dymurray, eemcmullan, hhpatel14, jmle, jmontleon, jwmatthews, kthatipally, midays, pranavgaikwad, savitharaghunathan, shawn-hurley

kantra's Issues

Add --output option

This will allow users to specify an output directory for the static report as well as the raw YAML output from analyzers

[BUG] Should work with docker

Is there an existing issue for this?

  • I have searched the existing issues

Konveyor version

0.3-beta.1

Priority

Major

Current Behavior

The tool should be configured to use docker by default, since podman can emulate docker, but not vice versa.

Expected Behavior

As a kantra user
When I run ./kantra analyze having only docker installed
Then the tool executes correctly

As a kantra user
When I run ./kantra analyze having only podman installed
Then the tool executes correctly

How Reproducible

Always (Default)

Steps To Reproduce

No response

Environment

- OS: fedora 38

Anything else?

No response

Add --dependencies-path to analyze

The meaning of this option is different from what windup option was. We need to be careful in expressing that in the description clearly

Error generating static report on windows

analyze static report fails on windows copying from container to host: https://github.com/konveyor-ecosystem/kantra/blob/main/cmd/container.go#L221

level=debug msg="copying files from container" dest="C:\\Users\\Emily\\test-output" podman="C:\\Program
 Files\\RedHat\\Podman\\podman.exe" src=/usr/local/static-report
time="2023-09-06T16:22:27-04:00" level=error msg="failed to generate static report" error="exit status 125"
Error: exit status 125

Could be a known issue with podman cp with windows: containers/podman#14862

Kantra being stuck on mac x86

Is there an existing issue for this?

  • I have searched the existing issues

Konveyor version

N/A

Priority

Major

Current Behavior

When running kantra analyze, the analysis stops generating logs after a few minutes. The end of the log file does not show any failed steps or errors. Only two files are generated: analysis.log and dependency.log as output.

Potential solutions/reasons:

  1. The limit of open files in mounted volumes is 64, which is incredibly low (containers/podman#16106 (comment)) Suggested by David
  2. Increase resources by changing podman machine settings.

Expected Behavior

$ ls ./output/ -1
analysis.log
dependencies.yaml
dependency.log
output.yaml
static-report

However, only two files are generated: analysis.log and dependency.log as output.

How Reproducible

[Sometimes]

Steps To Reproduce

Use this demo link to reproduce (https://github.com/konveyor/kantra#analyze-1)

Environment

- OS:

Anything else?

Podman is running on macOS (Mac x86)

Build label selectors from source and target options

We need to build label selector expressions based on values passed in --source and --target options. See selector syntax here.

  • When neither --source nor --target is specified, --label-selector should not be specified on analyzer command.

  • When multiple targets are specified, their individual label selector expressions should be OR'd with each other. e.g. (konveyor.io/target=t1 || konveyor.io/target=t2)

  • When no sources are specified, but a --target is specified, a "catch-all" expression for the source should be AND'ed with the --target expression. e.g. (<target-selector-expression>) && konveyor.io/source. Note that the source selector doesn't specify any value.

  • When multiple sources are specified, they all should be OR'd with each other. (konveyor.io/source=s1 || konveyor.io/source=s2) Note that "catch-all" expression is not specified when at least one source is specified.

  • When both source and targets are specified, their individual sub-expressions should be AND'ed with each other e.g. (<target-selector-expression>) && (<source-selector-expression>)
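
The rules listed in this issue, as an added Go example that is not part of the issue or of kantra's own code. The function name BuildLabelSelector, the allowed-character pattern for values, and the behaviour when only sources are given are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const (
	targetLabel = "konveyor.io/target"
	sourceLabel = "konveyor.io/source"
)

// Assumption (not from the issue): values are limited to a conservative
// character set so a CLI argument cannot splice operators into the expression.
var safeValue = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._+-]*$`)

// orExpr renders (key=v1 || key=v2 ...) for the given values.
func orExpr(key string, values []string) string {
	terms := make([]string, len(values))
	for i, v := range values {
		terms[i] = key + "=" + v
	}
	return "(" + strings.Join(terms, " || ") + ")"
}

// BuildLabelSelector returns the expression for --label-selector. An empty
// string means the flag must not be passed to the analyzer at all.
func BuildLabelSelector(sources, targets []string) (string, error) {
	for _, v := range append(append([]string{}, sources...), targets...) {
		if !safeValue.MatchString(v) {
			return "", fmt.Errorf("invalid source/target value %q", v)
		}
	}
	switch {
	case len(sources) == 0 && len(targets) == 0:
		return "", nil
	case len(sources) == 0: // catch-all: source label with no value
		return orExpr(targetLabel, targets) + " && " + sourceLabel, nil
	case len(targets) == 0: // assumption: sources alone yield only their OR'd group
		return orExpr(sourceLabel, sources), nil
	}
	return orExpr(targetLabel, targets) + " && " + orExpr(sourceLabel, sources), nil
}

func main() {
	sel, err := BuildLabelSelector(nil, []string{"cloud-readiness", "linux"})
	fmt.Println(sel, err)
}
```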

Add transform windup subcommand to convert XML rules to YAML

This subcommand will invoke windup-shim convert command.

The windup-shim is already part of the dockerfile. Its convert command can be used as:

windup-shim convert --outputdir=<path/to/output/dir> <path/to/XML/rules/directory> <path/to/another/XML/rules/directory>...

Note that multiple paths to directories with XML rules can be specified.

Add --target option

This will allow users to select from one or more targets from packaged rulesets. This needs to have validation such that only the discovered targets should be allowed.

Analysis provides false positives on multiple rules

Environment

Kantra version: Latest (Retrieved on September 4th through the documented command for Linux installs)
OS Fedora 36
podman version 4.3.1
tackle-testapp application

Description

Running analysis of both source code and binaries is triggering rules and generating issues that don't belong to the application that is being analyzed. In both cases, the target application is tackle-testapp. Please bear in mind that the application has a dependency with the config-utils library, which can only be retrieved from the Maven repository associated to that source code repository following these instructions. After the settings file is correctly configured, the binary can be generated with the mvn package command.

For binary, the following command was executed:

kantra analyze --input=./customers-tomcat-0.0.1-SNAPSHOT.war --output=/home/rroman/kantraresults-binary --target=cloud-readiness --target=linux --log-level=7 | tee logbinary.log

The log file produced by that execution is the following: logbinary.log

The report available in the kantraresults-binary directory contains the following issues:

Screenshot from 2023-09-05 19-32-34

The Hardcoded IP Address issue seems to be right and points to the right file and the right location inside that file. The problem is the File system - Java IO issue, which shouldn't have been triggered for all of the available occurrences. Checking the list of affected files, we can see that the file PersistenceConfig.java appears several times with a single incident, instead of appearing once with multiple incidents. Clicking on any of the file instances displays the right code snippet with what seems to be a random line highlighted:

Screenshot from 2023-09-05 19-36-17

Screenshot from 2023-09-05 19-36-32

Please note that no Java IO classes are imported nor instantiated in this class. It should also be noted that the File system - Java IO issue should have been triggered for one of the files available in the embedded config-utils library, but it is missing in the report.

The source code was analyzed with the following command, passing exactly the same targets:

kantra analyze --input=./tackle-testapp --output=/home/rroman/kantraresults-source --target=cloud-readiness --target=linux --log-level=6 | tee output.log

The log file produced by that execution is the following: output.log

In this case, the list of detected issues seems to be way bigger, as it seems that the analyzer is adding dependencies to the analysis scope, even though the --analyzeKnownLibraries flag hasn't been passed as a parameter:

Screenshot from 2023-09-05 19-32-26

It's hard to determine which of the rules are right, although there are some examples of the previously described random behavior. For example, for the Java native libraries (JNI, JNA) rule, we can see that one of the occurrences in the GenericGroovyApplicationContext.class file highlights a comment as the incident:

Screenshot from 2023-09-05 19-24-40

Screenshot from 2023-09-05 19-24-32

The snippet for the GenericGroovyApplicationContext.class file seems to be cropped, so it's hard to determine if there are imports in the file that could match any of the patterns for the rule that got triggered.

For example, for the Java Mail API rule, there seems to be a correct match with the MailSenderAutoConfiguration.class file, but the line that got highlighted doesn't make any sense:

Screenshot from 2023-09-05 19-37-43

Allow cleaning up containers after command succeeds

We need to think about whether we want to keep the log. I think, for the successful runs, we can safely ignore logs and just clean up the container by default. Can have a flag to not clean up. This also means that we will maintain a handle for the container throughout the lifecycle of the command, I think container name should just be fine.

Test on Windows

We need to start testing the CLI on windows as early as possible

Generate report as JSON

Either add a new option to create analysis and dependencies outputs as JSON or generate both JSON and YAML in the same folder without an explicit option.

Support custom OpenRewrite recipes

Currently, only rules from this windup repo (https://github.com/windup/windup-rulesets/tree/master/rules/rules-reviewed/openrewrite) are supported.
It would be nice to also support rules from the openrewrite.org Recipe list e.g. Upgrading to Java 17 https://docs.openrewrite.org/recipes/java/migrate/upgradetojava17#usage.

This could be either providing the name of the recipe dependency and the name of the recipe as command flags or by providing a custom rewrite.yaml. With that functionality one could also create custom recipes and use them with Kantra.

Write provider settings file from API

Right now we have settings.json kept as provider settings. To avoid this going stale, we need to build up and write this file via the provider config API.

Add --rules option

We need this so that users can pass custom rules along with pre-packaged sources / targets

[BUG] Report crashes when navigating to Issues

Is there an existing issue for this?

  • I have searched the existing issues

Konveyor version

N/A

Priority

Critical

Current Behavior

After analyzing an application, when I go to any of the Issues views, the application crashes and the view goes blank.

Getting the following on the browser console:
image

Expected Behavior

The report issues should be viewable.

How Reproducible

Always (Default)

Steps To Reproduce

  1. With the given environment, install kantra following the instructions from the README.
  2. Get the latest rules from the rulesets repo.
  3. Clone the daytrader app.
  4. Run kantra with the following options: `PODMAN_BIN=/usr/local/bin/docker ./kantra analyze --target cloud-readiness --input --output --rules <rulesets-repo-dir/default/generated>`
  5. Check the report and go to any of the "Issues" views.

Environment

- OS: Fedora 38
- Browser: Chrome (Version 117.0.5938.132)
- Containers: Docker version 24.0.6, build ed223bc

Anything else?

No response

Add an option to handle proxy configuration

We need an option to specify proxy config, this could either be a proxy string or a config file or both. I think starting with a string proxy config would be the easiest and should satisfy requirement

OpenJDK target is missing

Environment

Kantra version: Latest (Retrieved on September 4th through the documented command for Linux installs)
OS Fedora 36
podman version 4.3.1

Description

The OpenJDK target is not included in the available targets. That target is essential, as it included rules to migrate from Oracle JDK to OpenJDK.

$ kantra analyze --list-targets
available target technologies: azure-aks azure-appservice azure-container-apps azure-spring-apps camel2 camel3 cloud-readiness drools6 eap eap6 eap7 eap8 eapxp2 eapxp3 fsw6 fuse6 hibernate-search5 hibernate4 hibernate5 hibernate5.1 hibernate5.3 hibernate6 hibernate6.1 hibernate6.2 jakarta-ee8 jakarta-ee9 java-ee6 java-ee7 jbpm6 linux openjdk11 openjdk17 openjdk7 openliberty quarkus resteasy3 rhr

Add --source option

This will allow users to select from one or more sources from packaged rulesets. This needs to have validation such that only the discovered targets should be allowed.

Add --input option

This will allow users to point to a directory where application source code or binary could be found.
