fix:[NEXT-455] Vulnerability for multiple asset types for a plugin

[arunpaladin]

fix:NEXT-455 Vulnerability for multiple asset types for a plugin

Fixes # (issue if any)

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Chore (no code changes)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also
list any relevant details for your test configuration

• Test A
• Test B

Checklist:

• My code follows the style guidelines of this project
• My commit message/PR follows the contribution guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

Other Information:

List any documentation updates that are needed for the Wiki

Summary by CodeRabbit

• Chores
  • Upgraded the AWS S3 dependency to ensure improved stability and compatibility with our cloud services.
• Refactor
  • Enhanced the data ingestion process from cloud storage with streamlined file processing, improved error handling, and more modular logic for handling vulnerability and detection information.

[coderabbitai]

Walkthrough

The pull request updates the AWS Java SDK S3 dependency version in the project's POM file and restructures the S3 data retrieval process in the VulnerabilityAssociationManager. The rework includes listing S3 objects with a new request method, filtering based on file suffixes, and delegating entity upload to a new method. Error handling has been streamlined and new constants have been introduced to identify file types.

Changes

File	Change Summary
jobs/.../pom.xml	Updated the aws-java-sdk-s3 dependency version from 1.12.261 to 1.12.263.
jobs/.../VulnerabilityAssociationManager.java	Restructured uploadVulnerabilityInfo to list S3 objects via ListObjectsV2Request, added constants (VUL_FILE_SUFFIX, DETECTION_FILE_SUFFIX), introduced new uploadEntity method for processing and uploading entities, and streamlined error handling.

Sequence Diagram(s)

sequenceDiagram
    participant Client as Client
    participant Manager as VulnerabilityAssociationManager
    participant S3 as AWS S3
    participant ES as Elasticsearch

    Client->>Manager: initiate uploadVulnerabilityInfo()
    Manager->>S3: ListObjectsV2(DATA_PATH)
    S3-->>Manager: Return list of objects
    Manager->>Manager: Filter objects by suffixes (VUL_FILE_SUFFIX, DETECTION_FILE_SUFFIX)
    Manager->>Manager: Process and transform data
    Manager->>ES: Call uploadEntity(entities, indexName, loadDate)
    ES-->>Manager: Upload confirmation
    Manager->>Client: Return success response

Loading

Suggested reviewers

• rnithinpaladin
• ershad-paladin
• plyubich
• kevin-paladin

Poem

In the code meadow, I hop with glee,
Changing versions and methods silently.
New flows from S3, neatly split and spun,
Uploading with care ‘til the work is done.
A little hop with a smile, code now shines bright!
🐇✨

Tip

🌐 Web search-backed reviews and chat

• We have enabled web search-based reviews and chat for all users. This feature allows CodeRabbit to access the latest documentation and information on the web.
• You can disable this feature by setting web_search: false in the knowledge_base settings.
• Please share any feedback in the Discord discussion.

✨ Finishing Touches

• 📝 Generate Docstrings (Beta)

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

jobs/pacman-data-shipper/src/main/java/com/tmobile/cso/pacman/datashipper/entity/VulnerabilityAssociationManager.java (4)

6-6: Avoid wildcard imports for clarity.
Using wildcard imports (import com.amazonaws.services.s3.model.*;) can reduce code clarity and may lead to unintended name conflicts if multiple classes share the same name. Consider importing individual classes explicitly or using a smaller subset of imports to improve readability.

---

54-60: Consider handling large S3 listings in smaller batches.
While listing objects in a single request works for smaller amounts of data, large buckets may significantly impact memory usage and performance. Consider using pagination (ListObjectsV2Request#setMaxKeys) or iterating through partial results if the data could become large in production.

---

63-65: Clarify combined logical checks when filtering file names.
The condition

if (fileName.endsWith(VUL_FILE_SUFFIX) && entry.getKey().contains("vulnerabilities") 
    || fileName.endsWith(DETECTION_FILE_SUFFIX) && entry.getKey().contains("-detections")) {
  ...
}

is correct, but it can be confusing due to mixed && and ||. Consider adding explicit parentheses or refactoring to multiple if checks for enhanced readability.

---

68-77: Log messages within catch block may obscure real errors.
At lines 73-75, any exception when reading entities is logged as “data is empty,” which can be misleading if there's a parsing or network issue. Logging the actual exception message or rethrowing a custom exception might improve troubleshooting.

} catch (Exception e) {
-    LOGGER.info("{} data is empty", filePrefix);
+    LOGGER.error("Error reading data from {}: {}", filePrefix, e.getMessage());

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 369e660 and de90d39.

📒 Files selected for processing (2)

• jobs/pacman-data-shipper/pom.xml (1 hunks)
• jobs/pacman-data-shipper/src/main/java/com/tmobile/cso/pacman/datashipper/entity/VulnerabilityAssociationManager.java (4 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (3)

• GitHub Check: Shipper-Build
• GitHub Check: Analyze (java)
• GitHub Check: SonarCloud-Build

🔇 Additional comments (5)

jobs/pacman-data-shipper/pom.xml (1)

15-15: Updated AWS Java SDK S3 dependency version.

The version has been updated from 1.12.261 to 1.12.263. Please ensure that this dependency update has been thoroughly tested for compatibility with your S3 data retrieval improvements in the VulnerabilityAssociationManager. Verifying that no deprecated APIs are called and that the vulnerability fix is effective would be beneficial.

jobs/pacman-data-shipper/src/main/java/com/tmobile/cso/pacman/datashipper/entity/VulnerabilityAssociationManager.java (4)

33-34: Constants for file suffixes look good.
Introducing dedicated suffix constants (VUL_FILE_SUFFIX and DETECTION_FILE_SUFFIX) improves maintainability and reduces the likelihood of typos when handling different file types.

---

66-66: Appropriate use of try-with-resources.
Using a try-with-resources block for reading from the S3 object content ensures the stream is closed automatically, preventing resource leaks. This is a good practice.

---

93-93: No functional change on this line.
This line appears to be a blank or spacing adjustment. No further action needed.

---

95-108: Validate concurrency when modifying entities with parallel streams.
The parallelStream() on line 100 applies modifications (removing closedDate and adding _loaddate) to each map. While this is acceptable if each map is independent, ensure that the root data structure is safe for parallel updates. Otherwise, consider a regular stream or use thread-safe structures if concurrency issues appear.

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud