Skip to content

Make NuGet detector more conservative about applying isDevelopmentDependency #2367

Make NuGet detector more conservative about applying isDevelopmentDependency

Make NuGet detector more conservative about applying isDevelopmentDependency #2367

Workflow file for this run

name: Verify snapshot of test scan
env:
CD_DETECTOR_EXPERIMENTS: 1
PipReportSkipFallbackOnFailure: "true"
PIP_INDEX_URL: "https://pypi.python.org/simple"
on: [pull_request]
permissions:
contents: read
jobs:
verify:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Make release snapshot output directory
run: mkdir ${{ github.workspace }}/release-output
- name: Get latest release snapshot download url
id: download-latest-release-snapshot
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
with:
result-encoding: string
script: |
const res = await github.paginate(
github.rest.actions.listArtifactsForRepo.endpoint.merge({
owner: 'microsoft',
repo: 'component-detection',
})
);
return res
.filter(
(artifact) => artifact.name === 'release-snapshot-output-${{ matrix.os }}'
)
.sort((a, b) => new Date(b.updated_at) - new Date(a.updated_at))[0]
.archive_download_url;
- name: Download latest release snapshot
working-directory: ${{ github.workspace }}/release-output
run: |
curl -v -L -u octocat:${{ secrets.GITHUB_TOKEN }} -o output.zip "${{ steps.download-latest-release-snapshot.outputs.result }}"
unzip output.zip
rm output.zip
- name: Setup .NET Core
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
- name: Setup Python
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5
with:
python-version: '3.10'
- run: dotnet restore
- name: Install Apache Ivy
if: ${{ matrix.os == 'ubuntu-latest' }}
run: curl https://downloads.apache.org/ant/ivy/2.5.2/apache-ivy-2.5.2-bin.tar.gz | tar xOz apache-ivy-2.5.2/ivy-2.5.2.jar > /usr/share/ant/lib/ivy.jar
- name: Install Apache Ivy
if: ${{ matrix.os == 'windows-latest' }}
shell: bash
run: curl https://downloads.apache.org/ant/ivy/2.5.2/apache-ivy-2.5.2-bin.tar.gz | tar xOz apache-ivy-2.5.2/ivy-2.5.2.jar > "$ANT_HOME/lib/ivy.jar"
- name: Install Apache Ivy
if: ${{ matrix.os == 'macos-latest' }}
run: brew install ivy
- name: Make output directory
run: mkdir ${{ github.workspace }}/output
- name: LinuxDetection warning
if: >-
${{
matrix.os == 'macos-latest' ||
matrix.os == 'windows-latest'
}}
run: echo "Linux detection is not supported on ${{ matrix.os }}. Please rely on ubuntu run for LinuxDetection."
- name: Scan verification repo
working-directory: src/Microsoft.ComponentDetection
run:
dotnet run scan --Verbosity Verbose --SourceDirectory ${{ github.workspace }}/test/Microsoft.ComponentDetection.VerificationTests/resources --Output ${{ github.workspace }}/output
--DockerImagesToScan "docker.io/library/debian@sha256:9b0e3056b8cd8630271825665a0613cc27829d6a24906dc0122b3b4834312f7d,mcr.microsoft.com/cbl-mariner/base/core@sha256:c1bc83a3d385eccbb2f7f7da43a726c697e22a996f693a407c35ac7b4387cd59,docker.io/library/alpine@sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870"
--DetectorArgs DockerReference=EnableIfDefaultOff,SPDX22SBOM=EnableIfDefaultOff --MaxDetectionThreads 5
- name: Run Verification Tests
working-directory: test/Microsoft.ComponentDetection.VerificationTests
run: dotnet test
env:
GITHUB_OLD_ARTIFACTS_DIR: ${{ github.workspace }}/release-output
GITHUB_NEW_ARTIFACTS_DIR: ${{ github.workspace }}/output
ALLOWED_TIME_DRIFT_RATIO: ".75"
- name: Upload logs
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: ${{ !cancelled() }}
with:
name: verify-snapshot-output-${{ matrix.os }}
path: ${{ github.workspace }}/output