chore: change report logic (#2689)

In this PR:
- Show the package information report regardless of the analysis result.
- Change report format (verified in unit tests).

Author: JoeWang1127

java-shared-dependencies/dependency-analyzer/src/main/java/com/google/cloud/DependencyAnalyzer.java

@@ -6,6 +6,7 @@
 import com.google.cloud.model.Advisory;
 import com.google.cloud.model.AdvisoryKey;
 import com.google.cloud.model.AnalysisResult;
+import com.google.cloud.model.License;
 import com.google.cloud.model.ReportResult;
 import com.google.cloud.model.PackageInfo;
 import com.google.cloud.model.QueryResult;
@@ -52,11 +53,13 @@ public AnalysisResult analyze(String system, String packageName, String packageV
     List<PackageInfo> result = new ArrayList<>();
     for (VersionKey versionKey : dependencies) {
       QueryResult packageInfo = depsDevClient.getQueryResult(versionKey);
-      List<String> licenses = new ArrayList<>();
+      List<License> licenses = new ArrayList<>();
       List<Advisory> advisories = new ArrayList<>();
       for (Result res : packageInfo.results()) {
         Version version = res.version();
-        licenses.addAll(version.licenses());
+        for (String license : version.licenses()) {
+          licenses.add(License.toLicense(license));
+        }
         for (AdvisoryKey advisoryKey : version.advisoryKeys()) {
           advisories.add(depsDevClient.getAdvisory(advisoryKey.id()));
         }
@@ -65,7 +68,7 @@ public AnalysisResult analyze(String system, String packageName, String packageV
       result.add(new PackageInfo(versionKey, licenses, advisories));
     }
 
-    return AnalysisResult.of(root, result);
+    return AnalysisResult.of(result);
   }
 
   /**
@@ -109,7 +112,9 @@ public static void main(String[] args) throws IllegalArgumentException {
       System.exit(1);
     }
 
-    ReportResult result = analyzeReport.generateReport();
+    System.out.println("Please copy and paste the package information below to your ticket.\n");
+    System.out.println(analyzeReport.toString());
+    ReportResult result = analyzeReport.getAnalysisResult();
     System.out.println(result);
     if (result.equals(ReportResult.FAIL)) {
       System.out.println(

java-shared-dependencies/dependency-analyzer/src/main/java/com/google/cloud/model/Advisory.java

@@ -22,5 +22,9 @@ public record Advisory(
     double cvss3Score,
     String cvss3Vector) {
 
+  @Override
+  public String toString() {
+    return String.format("Advisory (id: %s, more info: [%s](%s))", advisoryKey.id(), title, url);
+  }
 }
 

java-shared-dependencies/dependency-analyzer/src/main/java/com/google/cloud/model/AnalysisResult.java

@@ -7,49 +7,34 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import java.util.logging.Level;
-import java.util.logging.Logger;
 
 public class AnalysisResult {
 
-  private final VersionKey root;
   private final List<PackageInfo> packageInfos;
   private final Map<VersionKey, List<Advisory>> advisories;
-  private final Map<VersionKey, List<String>> nonCompliantLicenses;
+  private final Map<VersionKey, List<License>> nonCompliantLicenses;
 
-  private final static Logger LOGGER = Logger.getLogger(AnalysisResult.class.getName());
-
-  private AnalysisResult(VersionKey root, List<PackageInfo> result) {
-    this.root = root;
+  private AnalysisResult(List<PackageInfo> result) {
     this.packageInfos = result;
     this.advisories = getAdvisories(result);
     this.nonCompliantLicenses = getNonCompliantLicenses(result);
   }
 
-  public static AnalysisResult of(VersionKey root, List<PackageInfo> result) {
-    return new AnalysisResult(root, result);
+  public static AnalysisResult of(List<PackageInfo> result) {
+    return new AnalysisResult(result);
   }
 
-  public ReportResult generateReport() {
-    if (!advisories.isEmpty()) {
-      formatLog(root, advisories, "New security vulnerability found in dependencies:");
-    }
-
-    if (!nonCompliantLicenses.isEmpty()) {
-      formatLog(root, nonCompliantLicenses, "Non-compliant license found in dependencies:");
+  public ReportResult getAnalysisResult() {
+    if (advisories.isEmpty() && nonCompliantLicenses.isEmpty()) {
+      return ReportResult.PASS;
     }
 
-    if (!advisories.isEmpty() || !nonCompliantLicenses.isEmpty()) {
-      LOGGER.log(Level.SEVERE, String.format("Found dependency risk in %s", root));
-      return ReportResult.FAIL;
-    }
-
-    LOGGER.log(Level.INFO,
-        String.format("%s have no known vulnerabilities and non compliant licenses", root));
-    LOGGER.log(Level.INFO, "Generate package information report...");
-    System.out.println(packageInfoReport());
+    return ReportResult.FAIL;
+  }
 
-    return ReportResult.PASS;
+  @Override
+  public String toString() {
+    return packageInfoReport();
   }
 
   private Map<VersionKey, List<Advisory>> getAdvisories(List<PackageInfo> result) {
@@ -63,22 +48,21 @@ private Map<VersionKey, List<Advisory>> getAdvisories(List<PackageInfo> result)
     return advisories;
   }
 
-  private Map<VersionKey, List<String>> getNonCompliantLicenses(List<PackageInfo> result) {
-    Map<VersionKey, List<String>> licenses = new HashMap<>();
+  private Map<VersionKey, List<License>> getNonCompliantLicenses(List<PackageInfo> result) {
+    Map<VersionKey, List<License>> licenses = new HashMap<>();
     Set<LicenseCategory> compliantCategories = LicenseCategory.compliantCategories();
 
     result.forEach(packageInfo -> {
-      List<String> nonCompliantLicenses = new ArrayList<>();
-      for (String licenseStr : packageInfo.licenses()) {
-        License license = License.toLicense(licenseStr);
+      List<License> nonCompliantLicenses = new ArrayList<>();
+      for (License license : packageInfo.licenses()) {
         // fiter out all compliant categories, the remaining ones are non-compliant.
         List<LicenseCategory> nonCompliantCategories = license
             .getCategories()
             .stream()
             .filter(category -> !compliantCategories.contains(category))
             .toList();
         if (!nonCompliantCategories.isEmpty()) {
-          nonCompliantLicenses.add(licenseStr);
+          nonCompliantLicenses.add(license);
         }
       }
       if (!nonCompliantLicenses.isEmpty()) {
@@ -88,39 +72,18 @@ private Map<VersionKey, List<String>> getNonCompliantLicenses(List<PackageInfo>
     return licenses;
   }
 
-  private <T> void formatLog(VersionKey root, Map<VersionKey, List<T>> map, String message) {
-    LOGGER.log(Level.SEVERE, message);
-    map.forEach((versionKey, list) -> {
-      LOGGER.log(Level.SEVERE, beginSeparator(versionKey, root));
-      list.forEach(item -> LOGGER.log(Level.SEVERE, item.toString()));
-      LOGGER.log(Level.SEVERE, endSeparator());
-    });
-  }
-
-  private String beginSeparator(VersionKey versionKey, VersionKey root) {
-    String relation = versionKey.equals(root) ? "self" : "dependency";
-    return String.format("====================== %s, %s of %s ======================",
-        versionKey, relation, root);
-  }
-
-  private String endSeparator() {
-    return "===========================================================";
-  }
-
-  public String packageInfoReport() {
+  private String packageInfoReport() {
     StringBuilder builder = new StringBuilder();
     PackageInfo root = packageInfos.get(0);
     String title = String.format("""
-        Please copy and paste the package information below to your ticket.
-                
         ## Package information of %s
         %s
         """, root.versionKey(), packageInfoSection(root));
     builder.append(title);
 
-    builder.append("## Dependencies:\n");
+    builder.append("## Dependencies\n");
     if (packageInfos.size() == 1) {
-      builder.append("None");
+      builder.append(String.format("%s has no dependency.", root.versionKey()));
     } else {
       for (int i = 1; i < packageInfos.size(); i++) {
         PackageInfo info = packageInfos.get(i);
@@ -141,11 +104,12 @@ private String packageInfoSection(PackageInfo packageInfo) {
     // generate the report using Markdown format.
     String packageInfoReport = """
         Licenses: %s
-        Vulnerabilities: None.
+        Vulnerabilities: %s.
         Checked in [%s (%s)](%s)
         """;
     return String.format(packageInfoReport,
         packageInfo.licenses(),
+        packageInfo.advisories(),
         versionKey.name(),
         versionKey.version(),
         getQueryUrl(

java-shared-dependencies/dependency-analyzer/src/main/java/com/google/cloud/model/License.java

@@ -51,12 +51,17 @@ public Set<LicenseCategory> getCategories() {
 
   @Override
   public String toString() {
+    String nonCompliantPrefix = "%s (Not Google-compliant!)";
+    String compliantPrefix = "%s (Google-compliant)";
     Set<LicenseCategory> compliantCategories = LicenseCategory.compliantCategories();
+    if (this.categories.isEmpty()) {
+      return String.format(nonCompliantPrefix, this.licenseStr);
+    }
     for (LicenseCategory category : this.categories) {
       if (!compliantCategories.contains(category)) {
-        return this.licenseStr;
+        return String.format(nonCompliantPrefix, this.licenseStr);
       }
     }
-    return String.format("%s (Google-compliant)", this.licenseStr);
+    return String.format(compliantPrefix, this.licenseStr);
   }
 }

java-shared-dependencies/dependency-analyzer/src/main/java/com/google/cloud/model/PackageInfo.java

@@ -9,10 +9,10 @@
  */
 public record PackageInfo(
     VersionKey versionKey,
-    List<String> licenses,
+    List<License> licenses,
     List<Advisory> advisories) {
 
-  public List<String> licenses() {
+  public List<License> licenses() {
     return ImmutableList.copyOf(licenses);
   }
 

java-shared-dependencies/dependency-analyzer/src/test/java/com/google/cloud/model/AnalysisResultTest.java

@@ -9,7 +9,7 @@
 public class AnalysisResultTest {
 
   @Test
-  public void testGenerateReportWithAdvisoriesThrowsException()
+  public void testGenerateReportWithAdvisoriesReturnsFailure()
       throws IllegalArgumentException {
     VersionKey root = VersionKey.from("maven", "com.example:artifact", "1.2.3");
     List<PackageInfo> results = List.of(
@@ -26,22 +26,22 @@ public void testGenerateReportWithAdvisoriesThrowsException()
             ))
         )
     );
-    ReportResult result = AnalysisResult.of(root, results).generateReport();
+    ReportResult result = AnalysisResult.of(results).getAnalysisResult();
     assertEquals(ReportResult.FAIL, result);
   }
 
   @Test
-  public void testGenerateReportWithNonCompliantLicenseThrowsException()
+  public void testGenerateReportWithNonCompliantLicenseReturnsFailure()
       throws IllegalArgumentException {
     VersionKey root = VersionKey.from("maven", "com.example:artifact", "1.2.3");
     List<PackageInfo> results = List.of(
         new PackageInfo(
             root,
-            List.of("BCL"),
+            List.of(License.toLicense("BCL")),
             List.of()
         )
     );
-    ReportResult result = AnalysisResult.of(root, results).generateReport();
+    ReportResult result = AnalysisResult.of(results).getAnalysisResult();
     assertEquals(ReportResult.FAIL, result);
   }
 
@@ -52,54 +52,100 @@ public void testGenerateReportWithoutRiskSucceeds()
     List<PackageInfo> results = List.of(
         new PackageInfo(
             root,
-            List.of("Apache-2.0"),
+            List.of(License.toLicense("Apache-2.0")),
             List.of()
         )
     );
-    ReportResult result = AnalysisResult.of(root, results).generateReport();
+    ReportResult result = AnalysisResult.of(results).getAnalysisResult();
     assertEquals(ReportResult.PASS, result);
   }
 
   @Test
-  public void testPackageInfoReportReturnsCorrectContents() {
+  public void testToStringReturnsNoRiskInformation() {
     VersionKey root = VersionKey.from("maven", "com.example:artifact", "1.2.3");
     List<PackageInfo> results = List.of(
         new PackageInfo(
             root,
-            List.of("Apache-2.0"),
+            List.of(License.toLicense("Apache-2.0")),
             List.of()
         ),
         new PackageInfo(
             VersionKey.from("maven", "com.example:dependency", "4.5.6"),
-            List.of("Apache-2.0", "MIT"),
+            List.of(License.toLicense("Apache-2.0"), License.toLicense("MIT")),
             List.of()
         ),
         new PackageInfo(
             VersionKey.from("maven", "com.example:nested-dependency", "2.3.1"),
-            List.of("Apache-2.0", "MIT"),
+            List.of(License.toLicense("Apache-2.0"), License.toLicense("MIT")),
             List.of()
         )
     );
     assertEquals("""
-        Please copy and paste the package information below to your ticket.
+        ## Package information of com.example:artifact:1.2.3
+        Licenses: [Apache-2.0 (Google-compliant)]
+        Vulnerabilities: [].
+        Checked in [com.example:artifact (1.2.3)](https://api.deps.dev/v3/query?versionKey.system=MAVEN&versionKey.name=com.example:artifact&versionKey.version=1.2.3)
+                
+        ## Dependencies
+        ### Package information of com.example:dependency:4.5.6
+        Licenses: [Apache-2.0 (Google-compliant), MIT (Google-compliant)]
+        Vulnerabilities: [].
+        Checked in [com.example:dependency (4.5.6)](https://api.deps.dev/v3/query?versionKey.system=MAVEN&versionKey.name=com.example:dependency&versionKey.version=4.5.6)
+                
+        ### Package information of com.example:nested-dependency:2.3.1
+        Licenses: [Apache-2.0 (Google-compliant), MIT (Google-compliant)]
+        Vulnerabilities: [].
+        Checked in [com.example:nested-dependency (2.3.1)](https://api.deps.dev/v3/query?versionKey.system=MAVEN&versionKey.name=com.example:nested-dependency&versionKey.version=2.3.1)
+                
                 
+        """, AnalysisResult.of(results).toString());
+  }
+
+  @Test
+  public void testToStringReturnsRiskInformation() {
+    VersionKey root = VersionKey.from("maven", "com.example:artifact", "1.2.3");
+    List<PackageInfo> results = List.of(
+        new PackageInfo(
+            root,
+            List.of(License.APACHE_2_0, License.BCL),
+            List.of()
+        ),
+        new PackageInfo(
+            VersionKey.from("maven", "com.example:dependency", "4.5.6"),
+            List.of(License.MIT),
+            List.of(new Advisory(
+                new AdvisoryKey("GHSA-2qrg-x229-3v8q"),
+                "https://osv.dev/vulnerability/GHSA-2qrg-x229-3v8q",
+                "Deserialization of Untrusted Data in Log4j",
+                new String[]{"CVE-2019-17571"},
+                9.8,
+                "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+            ))
+        ),
+        new PackageInfo(
+            VersionKey.from("maven", "com.example:nested-dependency", "2.3.1"),
+            List.of(License.MIT, License.GL2PS),
+            List.of()
+        )
+    );
+    assertEquals("""
         ## Package information of com.example:artifact:1.2.3
-        Licenses: [Apache-2.0]
-        Vulnerabilities: None.
+        Licenses: [Apache-2.0 (Google-compliant), BCL (Not Google-compliant!)]
+        Vulnerabilities: [].
         Checked in [com.example:artifact (1.2.3)](https://api.deps.dev/v3/query?versionKey.system=MAVEN&versionKey.name=com.example:artifact&versionKey.version=1.2.3)
                 
-        ## Dependencies:
+        ## Dependencies
         ### Package information of com.example:dependency:4.5.6
-        Licenses: [Apache-2.0, MIT]
-        Vulnerabilities: None.
+        Licenses: [MIT (Google-compliant)]
+        Vulnerabilities: [Advisory (id: GHSA-2qrg-x229-3v8q, more info: [Deserialization of Untrusted Data in Log4j](https://osv.dev/vulnerability/GHSA-2qrg-x229-3v8q))].
         Checked in [com.example:dependency (4.5.6)](https://api.deps.dev/v3/query?versionKey.system=MAVEN&versionKey.name=com.example:dependency&versionKey.version=4.5.6)
                 
         ### Package information of com.example:nested-dependency:2.3.1
-        Licenses: [Apache-2.0, MIT]
-        Vulnerabilities: None.
+        Licenses: [MIT (Google-compliant), GL2PS (Not Google-compliant!)]
+        Vulnerabilities: [].
         Checked in [com.example:nested-dependency (2.3.1)](https://api.deps.dev/v3/query?versionKey.system=MAVEN&versionKey.name=com.example:nested-dependency&versionKey.version=2.3.1)
                 
                 
-        """, AnalysisResult.of(root, results).packageInfoReport());
+        """, AnalysisResult.of(results).toString());
   }
 }