fix(nuget): add nuget dependency extract #3121
Conversation
|
Thanks! Could you fix the test failures at
Also please add your signoff. 🙇 |
|
@hellhound-abu gentle ping.. we would like to merge this... but we cannot unless you update your PR at least with a DCO signoff. |
|
@6mile ping you seem to be from the same group, may be you can help there? |
I've let him know. Cheers. |
|
Hey folks, Dan from SecureStack here. Abu is on holidays so won’t be able to contribute till 2 weeks from now. I can fix the failing tests if that’s helpful but that won’t help get a DCO from him. Do you have a way around this or content to wait? |
|
@jaitaiwan Thank you ++ for your reply! Whatever you guys are doing on SecureStack looks great BTW! 👍 |
|
@hellhound-abu gentle ping ... you may be back now? |
hellhound-abu
force-pushed
the
add-nuget-dependencies
branch
from
dfb4de1 to
6049c36
Compare
Signed-off-by: Abedin Poonawala <[email protected]>
1. update code to look for dependencies in a group as well
2. update nuget test data with dependency data
Signed-off-by: Abedin Poonawala <[email protected]>
hellhound-abu
force-pushed
the
add-nuget-dependencies
branch
from
6049c36 to
a228078
Compare
Signed-off-by: Abedin Poonawala <[email protected]>
Signed-off-by: Abedin Poonawala <[email protected]>
Signed-off-by: Abedin Poonawala <[email protected]>
hellhound-abu
force-pushed
the
add-nuget-dependencies
branch
from
c8708e9 to
60a14ec
Compare
|
Updated the branch with necessary changes. If we can merge it whenever possible. Thanks for waiting. |
There was a problem hiding this comment.
@hellhound-abu Thank you ++ for the updates! I posted a few review comments inline for your consideration. There is also one failing test.
| """ | ||
| Handle NuGet packages and their manifests. | ||
| """ | ||
| # TODO: add dependencies | ||
|
|
||
| # TODO: Add section to handle dependencies of dependencies |
There was a problem hiding this comment.
For this you may want to create a separate issue... TODO comments (that I tend to abuse) eventually get lost.
Note also that for a full, dynamic dependency resolution of nugets. there is this new project at https://github.com/nexB/nuget-inspector
There was a problem hiding this comment.
I say the same thing about TODO's internally 😂 That nuget-inspector proejct looks promising.
| type='nuget', | ||
| namespace=None, | ||
| name=dependency.get("@id"), | ||
| version=dependency.get("@version"), |
There was a problem hiding this comment.
You can only put a version here if this is not a range so IMHO you would have to test for this.
| dep_pack = models.DependentPackage( | ||
| purl=str(dpurl), | ||
| extracted_requirement=dependency.get("@version"), | ||
| scope="dependency", |
There was a problem hiding this comment.
Would not each dependency group become a scope here?
| scope="dependency", | ||
| is_runtime=False, | ||
| is_optional=False, | ||
| is_resolved=True, |
There was a problem hiding this comment.
A dependency is resolved if an only if we have a concrete version and not a range. Here the version is optional AFAIK and could be a range?
|
|
||
| dependencies.append(dep_pack) | ||
|
|
||
| if "dependency" in nuspec.get("dependencies"): |
There was a problem hiding this comment.
I would prefer something like this, and then reuse the nuget_dependency var below:
| if "dependency" in nuspec.get("dependencies"): | |
| nuget_dependencies = nuspec.get("dependencies") or {} | |
| nuget_dependency = nuget_dependencies.get("dependency") | |
| if nuget_dependency: |
There was a problem hiding this comment.
Out of curiosity, any reason for or {} over get("...", {})?
There was a problem hiding this comment.
@jaitaiwan re:
Out of curiosity, any reason for or {} over get("...", {})?
This is an idiom I like to use to make sure that I am getting a proper empty dict in all cases even if the get returns None or some emptyish value.
Getting an empty dict when you expect a dict enable chaining the next call without requiring an extra check for empties.
>>> repr({1: None, 2: "", 3: {"bar": "baz"}}.get(1, {}))
'None'
>>> repr({1: None, 2: "", 3: {"bar": "baz"}}.get(1, {}) or {})
'{}'
>>> repr({1: None, 2: "", 3: {"bar": "baz"}}.get(1) or {})
'{}'| dep_pack = models.DependentPackage( | ||
| purl=str(dpurl), | ||
| extracted_requirement=nuspec.get("dependencies").get( | ||
| "dependency").get("@version"), |
There was a problem hiding this comment.
Factor version here and above in a variable.
| scope="dependency", | ||
| is_runtime=False, | ||
| is_optional=False, | ||
| is_resolved=True, |
There was a problem hiding this comment.
Same comment as above... resolve is True IFF we have a concrete pinned, non-empty version
| return dependencies | ||
|
|
||
| except Exception as e: | ||
| print(e) |
There was a problem hiding this comment.
Please do not print exceptions. In general your should avoid to wrap you code in a try/except altogether as this can never be debugged this way. Let the exception bubble up and we will catch it where needed, and worse case at the top level.
| @@ -62,14 +144,15 @@ def parse(cls, location): | |||
|
|
|||
| # Summary: A short description of the package for UI display. If omitted, a | |||
| # truncated version of description is used. | |||
| description = build_description(nuspec.get('summary') , nuspec.get('description')) | |||
| description = build_description( | |||
There was a problem hiding this comment.
Why wrapping this on tow lines? I am not sure this helps with readability.
| "datasource_id": "nuget_nupsec", | ||
| "purl": "pkg:nuget/[email protected]" | ||
| } | ||
| "type": "nuget", |
There was a problem hiding this comment.
Please avoid changing the spacing if possible as this makes reviewing the diff difficult
|
@hellhound-abu Happy new year! gentle ping |
pombredanne
requested review from
jaitaiwan and
AyanSinhaMahapatra
and removed request for
jaitaiwan
|
@AyanSinhaMahapatra since there is no reply for now, let's move this to the next milestone |
|
@pombredanne moved this to v32.1 |
|
I have applied the fixes in #3206 on top of your commits. So I am losing this and will merge this other branch! |
Fixes #0000
Tasks
Run tests locally to check for errors.