
rework "normalizing" of composer versions #102

Closed
3 tasks
jkowalleck opened this issue Jul 14, 2021 · 5 comments
jkowalleck commented Jul 14, 2021

background

In php/composer the v prefix in versions is understood by the ecosystem. It "heals" itself regarding a missing/existing v.
In the lock file the actual version is used; the v is added/removed to match the correct prefix of the actual version. (example)

I would prefer to keep the v if composer found that it is part of the actual version.
I would prefer not to modify the version, but keep the one that is idiomatic to the composer ecosystem.

But unfortunately this would be a change of the implementation since v1, which is actually kept until now (v3) since it seems to be there for a reason (which drives me mad, since the actual version sometimes has a v for real).

proposal

Don't handle a leading v in any special way. Just leave everything as is.
Additionally: make it optional (opt-in) to strip the v in front of a version. (Only if there is an actual need for this; don't write this feature unless it is required.)

impact

this would be a breaking change, since current implementation strips the v per default.
Proposed change would remove this behavior per default.

acceptance criteria

  • the v is not stripped if composer says that it exists.
  • remove --no-version-normalization option and related capabilities
  • remove the "normalizer" entirely

work packages

tbd
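The following script is an added illustration of the point made in the background section above; it is not code from this issue, from the cyclonedx-php-composer plugin or from Composer, and it is written in Python rather than the plugin's PHP so that it runs stand-alone. The composer.lock excerpt is constructed. `normalize()` is a simplified re-implementation of what Composer's version parser does with a leading "v" (it only covers numeric versions, a stability suffix, "-dev" and `dev-` branch versions, and it is not Composer's code). `strip_leading_v()` is an assumed approximation of the old default behaviour described here, not the plugin's own normalizer. The script shows that Composer resolves "v1.2.3" and "1.2.3" to the same normalized release, while the lock file keeps the tag's own spelling, so an SBOM that rewrites that string diverges from the lock file exactly for the packages whose tags really start with "v".

```python
import json
import re

# Constructed composer.lock excerpt (not taken from any real project).
# Composer records each package's "pretty" version as it was tagged, so a
# leading "v" shows up only when the upstream tag really carries one.
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "acme/with-v", "version": "v1.2.3"},
        {"name": "acme/without-v", "version": "1.2.3"},
        {"name": "acme/beta", "version": "v2.0.0-beta2"},
        {"name": "acme/branch", "version": "dev-main"},
    ],
    "packages-dev": [
        {"name": "acme/dev-tool", "version": "v0.9"},
    ],
})

# Subset of Composer's version grammar: optional "v", up to four numeric
# parts, optional stability suffix, optional "-dev" marker.
_VERSION_RE = re.compile(
    r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?"
    r"(?:[._-]?(alpha|a|beta|b|rc|patch|pl|p)(\d+)?)?"
    r"([._-]?dev)?",
    re.IGNORECASE,
)
_STABILITY = {"a": "alpha", "alpha": "alpha", "b": "beta", "beta": "beta",
              "rc": "RC", "p": "patch", "pl": "patch", "patch": "patch"}


def normalize(version: str) -> str:
    """Simplified port of the idea behind Composer's version normalization.

    Assumption: this mirrors only the common cases (numeric versions with an
    optional leading "v", a stability suffix and dev-branch versions); it is
    not Composer's code and ignores aliases, wildcards and constraint operators.
    """
    v = version.strip()
    if v.startswith("dev-"):          # branch version, kept verbatim
        return v
    m = _VERSION_RE.fullmatch(v)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    # Expand to four numeric components, e.g. "v0.9" -> "0.9.0.0".
    out = ".".join(m.group(i) or "0" for i in range(1, 5))
    if m.group(5):
        out += "-" + _STABILITY[m.group(5).lower()] + (m.group(6) or "")
    if m.group(7):
        out += "-dev"
    return out


def same_release(a: str, b: str) -> bool:
    """True when the two version strings normalize to the same release."""
    return normalize(a) == normalize(b)


def strip_leading_v(version: str) -> str:
    """Assumed approximation of the plugin's old default 'normalizer' as the
    issue describes it (strip a leading "v"); not the plugin's own code."""
    return re.sub(r"^v(?=\d)", "", version)


def components_from_lock(lock_json: str, strip_v: bool = False) -> list:
    """Turn lock-file packages into minimal SBOM component records.

    strip_v=False is the behaviour this issue proposes: the version string is
    carried exactly as Composer recorded it. strip_v=True reproduces the old
    default, which rewrites "v1.2.3" to "1.2.3" and therefore no longer
    matches the lock file for packages whose tag really starts with "v".
    """
    lock = json.loads(lock_json)
    components = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            version = strip_leading_v(pkg["version"]) if strip_v else pkg["version"]
            components.append({
                "name": pkg["name"],
                "version": version,
                "purl": f"pkg:composer/{pkg['name']}@{version}",
                "matches_lock": version == pkg["version"],
            })
    return components


if __name__ == "__main__":
    for old, new in zip(components_from_lock(COMPOSER_LOCK, strip_v=True),
                        components_from_lock(COMPOSER_LOCK)):
        print(f"{new['name']:18} lock={new['version']:14} "
              f"old-default={old['version']:14} "
              f"same-release={same_release(old['version'], new['version'])}")
```

Running the script prints one row per package; every row reports `same-release=True`, which is the "healing" the issue refers to, while `matches_lock` is False for three of the five packages under the old stripping behaviour. That is the mismatch a consumer sees when it compares the SBOM's version field against the lock file or against a vulnerability database that indexed the tag as published.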

@jkowalleck jkowalleck changed the title make "normalicing" of composer versions an opt-in make "normalizing" of composer versions an opt-in Jul 14, 2021
@jkowalleck jkowalleck removed the idea label Jul 18, 2021
jkowalleck (Member Author) commented:

Alternative: just don't touch the version string at all.
Don't even have an option to strip the v at any point.

just like CycloneDX/cyclonedx-gomod#60 (comment)

jkowalleck (Member Author) commented:

is related to DependencyTrack/dependency-track#1220

@jkowalleck jkowalleck changed the title make "normalizing" of composer versions an opt-in rework "normalizing" of composer versions Oct 8, 2021
jkowalleck (Member Author) commented:

is related to: DependencyTrack/dependency-track#1243

@jkowalleck jkowalleck pinned this issue Nov 7, 2021
jkowalleck added a commit that referenced this issue Nov 10, 2021
is related to #102

Signed-off-by: Jan Kowalleck <[email protected]>
jkowalleck added a commit that referenced this issue Nov 10, 2021
* Added
  * CLI got a new switch `--no-version-normalization`. (via [#138])
    That allows omitting component version-string normalization.
    Per default this plugin will normalize version strings by stripping leading "v".
    This is a compatibility-switch. The next major-version of this plugin will not modify component versions. (see [#102])

[#138]: #138
[#102]: #102
@jkowalleck jkowalleck unpinned this issue Nov 13, 2021
JorisVanEijden commented:

is related to OSSIndex/vulns#231

jkowalleck (Member Author) commented:

The behaviour was changed and will be published via #250

jkowalleck added a commit that referenced this issue Mar 11, 2023
* BREAKING changes
  * Removed support for PHP `<8.0` ([#91] via [#250])
  * Removed support for PHP `<8.1` (via [#250])
  * Removed support for Composer `<2.3` ([#153] via [#250])
  * CLI
    * Removed deprecated composer command `make-bom`, call `composer CycloneDX:make-sbom` instead ([#293] via [#309])
    * Changed option `output-file` to default to `-` now, which causes printing to STDOUT (via [#250])
    * Removed option `exclude-dev` in favour of new option `omit` (via [#250])
    * Removed option `exclude-plugins` in favour of new option `omit` (via [#250])
    * Removed option `no-version-normalization` ([#102] via [#250])
  * SBOM results
    * Components' version is no longer artificially normalized ([#102] via [#250])
  * Dependencies
    * Requires `cyclonedx/cyclonedx-library:^2.0`, was `:^1.4.2` ([#128] via [#250])
* Changed
  * Evidence analysis prefers actually installed packages over lock file ([#122] via [#250])
  * Root component's version is unset, if version detection fails ([#154] via [#250])
  * Composer packages of type "composer-installer" are treated as composer plugins (via [#250])
* Added
  * Evidence collection knows actually installed packages ([#122] via [#250])
  * SBOM results
    * Support for CycloneDX Spec v1.4 (via [#250])
    * might have `serialnumber` populated ([#279] via [#250])
    * might have `metadata.timestamp` populated ([#112] via [#250])
    * might have `metadata.tools[].tool.externalReferences` populated ([#171] via [#250])
    * might have `components[].component.author` populated ([#261] via [#250])
    * might have `components[].component.properties` populated according to [`cdx:composer` Namespace Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/composer.md) (via [#250])
  * CLI
    * New option `omit` (via [#250])
    * New switch `validate` to override `no-validate` (via [#250])
    * New switches `output-reproducible` and `no-output-reproducible` (via [#250])
* Misc
  * Added demo and reproducible continuous integration test "devReq" that is dedicated to composer's `require-dev` feature (via [#250])
  * Reworked demo setups to be more global-install like (via [#250])

[#91]:  #91
[#102]: #102
[#112]: #112
[#122]: #122
[#128]: #128
[#153]: #153
[#154]: #154
[#171]: #171
[#250]: #250
[#261]: #261
[#279]: #279
[#293]: #293
[#309]: #309
[#313]: #313

---------

Signed-off-by: Jan Kowalleck <[email protected]>
@jkowalleck jkowalleck mentioned this issue Mar 11, 2023