
feat: Go, NPM and Yarn detection #451

Merged
merged 18 commits into from
Oct 3, 2023

Conversation

@timyarkov (Contributor) commented Aug 30, 2023

To increase the breadth of what macaron can detect, this PR adds detection capabilities for projects using Go, NPM and Yarn as their build tools. Note this does not include dependency resolution of these tools, only detection.

  • defaults.ini defines the patterns for detection of Go, NPM and Yarn projects in the relevant sections
  • Go detection looks for a go.mod file, with a build keyword of either build or install. Since Go doesn't have any in-built publishing/deployment, the publisher is taken as using goreleaser with the deploy keyword release. In a similar vein to this, goreleaser/goreleaser-action is the GitHub Action looked for.
  • NPM detection looks for a package.json/package-lock.json/.npmrc (whether to accept strange combinations of these like only having a .npmrc or something I'm going to assume is for later PRs), with a build keyword of build and a deployment keyword of publish. For GitHub Actions it looks for JS-DevTools/npm-publish.
  • Yarn detection looks for the same keywords as NPM detection, except instead of .npmrc it looks for .yarnrc (for Yarn classic) or .yarnrc.yml (for Yarn modern). For Yarn classic the deployment keyword is still publish, but to support Yarn modern the keyword npm publish is also supported. Also, it doesn't have any associated CI actions defined as of now.

Linked issues: #363 #443

To clarify before merging this PR:

  • Having two go.mod files within the codebase seems to break the pre-commit hooks at least (for each Go-related hook it's an exit code of 1 with the only shown error go: warning: "./..." matched no packages); guessing it would break more stuff. Need to sort this out some way.
  • Need clarification on how to handle detecting deployment of Go projects, to ensure whether the approach is correct or not.
  • Are there any Yarn GitHub Actions I have potentially missed during my research?
  • Need clarification on whether NPM's GitHub Action is ok; mainly picked it since it seemed popular, but it doesn't look like something official.
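As an added illustration of the heuristics described in this PR (not macaron's own implementation), the snippet below encodes the three detection rules as data and applies them to a repository file listing, to build/deploy shell commands, and to GitHub Actions `uses:` strings. The `BuildToolSpec` type, the function names, and the sample repository listing are constructed for this example; where the description is ambiguous (e.g. whether a lone package.json should also count for Yarn), the example treats only .yarnrc/.yarnrc.yml as Yarn markers, which is an assumption.

```python
"""Build-tool detection example following the rules in PR #451 (illustrative, not macaron code)."""
from __future__ import annotations

import posixpath
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class BuildToolSpec:
    """Detection rules for one build tool (structure constructed for this example)."""

    name: str
    marker_files: frozenset[str]                 # file names whose presence marks the tool
    build_exe: str                               # executable that runs a build
    build_keywords: frozenset[str]               # sub-commands that count as a build
    deploy_exe: str                              # executable that publishes artifacts
    deploy_keywords: frozenset[tuple[str, ...]]  # argument sequences that count as a deploy
    ci_actions: frozenset[str]                   # GitHub Actions (owner/repo) that publish


SPECS: tuple[BuildToolSpec, ...] = (
    BuildToolSpec(
        name="go",
        marker_files=frozenset({"go.mod"}),
        build_exe="go",
        build_keywords=frozenset({"build", "install"}),
        deploy_exe="goreleaser",  # Go has no built-in publish step; goreleaser is assumed
        deploy_keywords=frozenset({("release",)}),
        ci_actions=frozenset({"goreleaser/goreleaser-action"}),
    ),
    BuildToolSpec(
        name="npm",
        marker_files=frozenset({"package.json", "package-lock.json", ".npmrc"}),
        build_exe="npm",
        build_keywords=frozenset({"build"}),
        deploy_exe="npm",
        deploy_keywords=frozenset({("publish",)}),
        ci_actions=frozenset({"JS-DevTools/npm-publish"}),
    ),
    BuildToolSpec(
        name="yarn",
        marker_files=frozenset({".yarnrc", ".yarnrc.yml"}),  # Yarn classic / Yarn modern
        build_exe="yarn",
        build_keywords=frozenset({"build"}),
        deploy_exe="yarn",
        deploy_keywords=frozenset({("publish",), ("npm", "publish")}),  # classic / modern
        ci_actions=frozenset(),  # no Yarn-specific publish action is defined in the PR
    ),
)


def detect_from_files(paths: list[str]) -> list[str]:
    """Return the names of all tools whose marker file appears anywhere in the listing."""
    names = {posixpath.basename(p) for p in paths}
    return sorted(spec.name for spec in SPECS if names & spec.marker_files)


def _contains_sequence(args: list[str], seq: tuple[str, ...]) -> bool:
    """True if `seq` occurs as a contiguous run inside `args`."""
    n = len(seq)
    return any(tuple(args[i : i + n]) == seq for i in range(len(args) - n + 1))


def classify_command(command: str) -> tuple[str, str] | None:
    """Map a shell command to (tool, "build" | "deploy"), or None if it matches no rule."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: treat as unrecognised rather than crash
        return None
    if not tokens:
        return None
    exe, args = posixpath.basename(tokens[0]), tokens[1:]
    for spec in SPECS:
        # Deploy is checked first so "yarn npm publish" is not mistaken for a build.
        if exe == spec.deploy_exe and any(_contains_sequence(args, kw) for kw in spec.deploy_keywords):
            return spec.name, "deploy"
        if exe == spec.build_exe and any(kw in args for kw in spec.build_keywords):
            return spec.name, "build"
    return None


def classify_ci_action(uses: str) -> str | None:
    """Map a workflow `uses:` value (with optional @ref) to the tool it publishes for."""
    action = uses.split("@", 1)[0]
    return next((spec.name for spec in SPECS if action in spec.ci_actions), None)


if __name__ == "__main__":
    # Constructed sample repository: a Go service with a JS front end managed by Yarn modern.
    sample_files = ["go.mod", "cmd/app/main.go", "web/package.json", "web/.yarnrc.yml"]
    print(detect_from_files(sample_files))                 # ['go', 'npm', 'yarn']
    print(classify_command("goreleaser release --clean"))  # ('go', 'deploy')
    print(classify_ci_action("goreleaser/goreleaser-action@v5"))  # go
```

Detection here is purely by file names and command tokens, as in the PR; a practitioner checking a repository's provenance would still confirm that the matched workflow step actually runs with the publishing credentials rather than trusting the keyword alone.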

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Aug 30, 2023
@timyarkov timyarkov force-pushed the go-and-npm-detection branch 2 times, most recently from df3ac6a to 49ee1ef on September 8, 2023 02:16
@timyarkov timyarkov changed the title feat: Go and NPM detection feat: Go, NPM and Yarn detection Sep 8, 2023
@timyarkov timyarkov marked this pull request as ready for review September 8, 2023 03:31
Review threads (all resolved) on: src/macaron/slsa_analyzer/build_tool/go.py, src/macaron/config/defaults.ini, tests/slsa_analyzer/build_tool/test_go.py, scripts/dev_scripts/integration_tests.sh
@behnazh-w (Member) commented:

We should also add pnpm, pnpm-lock.yaml, and the publish command.

@timyarkov (Contributor, Author) commented Sep 29, 2023

We should also add pnpm, pnpm-lock.yaml, and the publish command.

Should this be a separate class, or is it alright to roll it in with npm (i.e. the npm build tool looks for both npm and pnpm files)? Since, as far as I can see from a quick glance, for the purposes of this it's more or less the same as npm except for the command/lock file, I feel like an extra class would be a lot of repeated code that would be a pain to manage in future.

@behnazh-w (Member) commented:

Should this be a separate class, or is it alright to roll it in with npm (i.e. the npm build tool looks for both npm and pnpm files)? Since, as far as I can see from a quick glance, for the purposes of this it's more or less the same as npm except for the command/lock file, I feel like an extra class would be a lot of repeated code that would be a pain to manage in future.

If they are mostly equivalent, we can add it to the npm section. But please add a comment to explain this decision and document any differences if you notice any.

@behnazh-w behnazh-w merged commit 561bf18 into oracle:staging Oct 3, 2023
13 checks passed
art1f1c3R pushed a commit that referenced this pull request Nov 29, 2024
This PR adds detection capabilities for projects using Go, npm and Yarn as their build tools. Note this PR does not add dependency resolution of these tools, only detection, but dependencies can be provided as a CycloneDX SBOM using `--sbom-path` CLI argument to analyze their dependencies. The `defaults.ini` file defines the specification for detection of Go, npm and Yarn projects in the relevant sections.

Signed-off-by: Tim Yarkov <[email protected]>