-
-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rework "normalizing" of composer versions #102
Labels
Milestone
Comments
jkowalleck
changed the title
make "normalicing" of composer versions an opt-in
make "normalizing" of composer versions an opt-in
Jul 14, 2021
alternative: just dont touch the version string at all. just like CycloneDX/cyclonedx-gomod#60 (comment) |
is related to DependencyTrack/dependency-track#1220 |
jkowalleck
changed the title
make "normalizing" of composer versions an opt-in
rework "normalizing" of composer versions
Oct 8, 2021
is related to: DependencyTrack/dependency-track#1243 |
jkowalleck
added a commit
that referenced
this issue
Nov 10, 2021
is related to #102 Signed-off-by: Jan Kowalleck <[email protected]>
jkowalleck
added a commit
that referenced
this issue
Nov 10, 2021
is related to #102 Signed-off-by: Jan Kowalleck <[email protected]>
jkowalleck
added a commit
that referenced
this issue
Nov 10, 2021
is related to #102 Signed-off-by: Jan Kowalleck <[email protected]>
jkowalleck
added a commit
that referenced
this issue
Nov 10, 2021
is related to #102 Signed-off-by: Jan Kowalleck <[email protected]>
jkowalleck
added a commit
that referenced
this issue
Nov 10, 2021
* Added * CLI got a new switch `--no-version-normalization`. (via [#138]) That allows to omit component version-string normalization. Per default this plugin will normalize version strings by stripping leading "v". This is a compatibility-switch. The next major-version of this plugin will not modify component versions. (see [#102]) [#138]: #138 [#102]: #102
is related to OSSIndex/vulns#231 |
the behaviour wad changed and will be published via #250 |
jkowalleck
added a commit
that referenced
this issue
Mar 11, 2023
* BREAKING changes * Removed support for PHP `<8.0` ([#91] via [#250]) * Removed support for PHP `<8.1` (via [#250]) * Removed support for Composer `<2.3` ([#153] via [#250]) * CLI * Removed deprecated composer command `make-bom`, call `composer CycloneDX:make-sbom` instead ([#293] via [#309]) * Changed option `output-file` to default to `-` now, which causes to print to STDOUT (via [#250]) * Removed option `exclude-dev` in favour of new option `omit` (via [#250]) * Removed option `exclude-plugins` in favour of new option `omit` (via [#250]) * Removed option `no-version-normalization` ([#102] via [#250]) * SBOM results * Components' version is no longer artificially normalized ([#102] via [#250]) * Dependencies * Requires `cyclonedx/cyclonedx-library:^2.0`, was `:^1.4.2` ([#128] via [#250]) * Changed * Evidence analysis prefers actually installed packages over lock file ([#122] via [#250]) * Root component's versions is unset, if version detection fails ([#154] via [#250]) * Composer packages of type "composer-installer" are treated as composer plugins (via [#250]) * Added * Evidence collection knows actually installed packages ([#122] via [#250]) * SBOM results * Support for CycloneDX Spec v1.4 (via [#250]) * might have `serialnumber` populated ([#279] via [#250]) * might have `metadata.timestamp` populated ([#112] via [#250]) * might have `metadata.tools[].tool.externalReferences` populated ([#171] via [#250]) * might have `components[].component.author` populated ([#261] via [#250]) * might have `components[].component.properties` populated according to [`cdx:composer` Namespace Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/composer.md) (via [#250]) * CLI * New option `omit` (via [#250]) * New switch `validate` to override `no-validate` (via [#250]) * New switches `output-reproducible` and `no-output-reproducible` (via [#250]) * Misc * Added demo and reproducible continuous integration test "devReq" that is dedicated to composer's `require-dev` feature (via [#250]) * Reworked demo setups to be more global-install like (via [#250]) [#91]: #91 [#102]: #102 [#112]: #112 [#122]: #122 [#128]: #128 [#153]: #153 [#154]: #154 [#171]: #171 [#250]: #250 [#261]: #261 [#279]: #279 [#293]: #293 [#309]: #309 [#313]: #313 --------- Signed-off-by: Jan Kowalleck <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
backgroud
in php/composer the
v
prefix in versions is understood by the ecosystem. it "heals" itself regarding a missing/existingv
.in the lock file the actual version is used; the
v
is added/removed to match the correct prefix of the actual version. (example)I would prefer to keep the
v
if composer found that it is part of the actual version.I would prefer not to modify the version, but keep the one that is idiomatic to the composer ecosystem.
but unfortunately this would be a change of the implementation since v1 that is actually kept until now(v3) since it seams to be there for a reason (, which drives me mad since the actual version sometimes has a
v
for real).proposal
dont handle a leading
v
in any special way. just leave everything as is.additionally: make it optional(opt-in) to strip the
v
in front of a version. (only if there is an actual need for this, dont write this feature unless it is required)impact
this would be a breaking change, since current implementation strips the
v
per default.Proposed change would remove this behavior per default.
acceptance criteria
v
is not stripped, if composer tells that it exists.--no-version-normalization
option and related capabilitieswork packages
tbd
The text was updated successfully, but these errors were encountered: