
Feature/javans improvements #604

Merged
merged 5 commits into from
Oct 3, 2023

Conversation

@prabhu (Collaborator) commented Oct 2, 2023

In deep mode, jar namespaces are retained as properties in the cdx document.
Improved requirements.txt parsing

prabhu added 5 commits October 2, 2023 10:43
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
@prabhu (Collaborator, Author) commented Oct 2, 2023

@heubeck could you test this branch by passing --deep for both java and war/jar file as path. The resulting cdx document must have a property called Namespaces with all the class names. I am also interested in finding out what happens with shaded jars in case you have any.

@prabhu prabhu merged commit 5c8d1f6 into master Oct 3, 2023
@prabhu prabhu deleted the feature/javans-improvements branch October 3, 2023 11:24
setchy pushed a commit to setchy/cdxgen that referenced this pull request Oct 3, 2023
* Capture the java namespaces in deep mode under properties

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Improved requirements txt parsing

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* stay with packageurl 1.0.2 for now. workaround for CycloneDX#603

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Added missing test da

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Windows bug fix

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

---------

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
@heubeck (Contributor) commented Oct 9, 2023

> @heubeck could you test this branch by passing --deep for both java and war/jar file as path. The resulting cdx document must have a property called Namespaces with all the class names. I am also interested in finding out what happens with shaded jars in case you have any.

Sorry for my late reply, @prabhu.
Unfortunately (or luckily?) I've neither wars nor (shaded) jars to analyze, just source code repositories.

Will compare some samples with/without --deep analysis, at least it lasts (much) longer to create them :P

Do you think --deep is a good default parameter when analyzing source code repos, or should it only be used in special cases?

@prabhu (Collaborator, Author) commented Oct 9, 2023

You can use it with java source as well. Thank you

@heubeck (Contributor) commented Oct 9, 2023

> You can use it with java source as well. Thank you

thx. but run-time is not acceptable for a default arg ;)

@prabhu (Collaborator, Author) commented Oct 9, 2023

> You can use it with java source as well. Thank you

> thx. but run-time is not acceptable for a default arg ;)

It's a good point. Maybe it's time to revisit dotenv support and accept all arguments via env and config files.

@heubeck (Contributor) commented Oct 9, 2023

> Maybe it's time to revisit dotenv support and accept all arguments via env and config files.

That would simplify my app's configuration, as I'll pass through custom cdxgen config using my github app's config: https://github.com/MediaMarktSaturn/technolinator/blob/main/docs/Repository_Config.md

@prabhu (Collaborator, Author) commented Oct 9, 2023

> Maybe it's time to revisit dotenv support and accept all arguments via env and config files.

> That would simplify my app's configuration, as I'll pass through custom cdxgen config using my github app's config: https://github.com/MediaMarktSaturn/technolinator/blob/main/docs/Repository_Config.md

Interesting idea! Shall we use the config directory structure .config/cdxgen.json and accept the language, package manager, repo, and directory-specific overrides?

@heubeck (Contributor) commented Oct 9, 2023

that would be the galactic-problem-solving-solution ;)
maybe without .config path, just .cdxgen.conf or so
any chance not doing .json? 😕

@prabhu (Collaborator, Author) commented Oct 9, 2023

> that would be the galactic-problem-solving-solution ;) maybe without .config path, just .cdxgen.conf or so any chance not doing .json? 😕

The root directories are getting polluted, so there is a movement to promote dotconfig directories. Since cdxgen is a node package, json is usually the default format for config files. But I noticed that js-yaml is included with the package, so we can support both yaml and json?

@heubeck (Contributor) commented Oct 9, 2023

yaml or json is great.
.config in the root is also fine, but for directory overrides?
