Extraction of license text from files. #193
Conversation
Signed-off-by: Augustus Kling <[email protected]>
We have a basic implementation here: https://github.com/CycloneDX/cyclonedx-webpack-plugin/blob/72700f06d00eac79fa3b91fe838bd78c583346a2/src/extractor.ts#L135 I was thinking of pulling this one into the CDX library, so it is available for every downstream user - like here... PS: I found that your implementation is basically a copy/paste from the mentioned implementation. So I guess it is any good -- so better pull it over to the library, than copy/pasting it here.
Taking a file name + a data blob and converting it to an instance of Since you explicitly referred to the other implementation in ticket #33, the implementation here matches it. One would not want different behavior for different libraries under the CycloneDX umbrella. Before this PR has a chance of moving forward, this repo needs to be fixed. The current ESLint setup does not work with the present TypeScript version. You can do a Also, the tests in the repo depend on
Exactly. Here is the (WIP/draft) PR to bring the functionality to the library: CycloneDX/cyclonedx-javascript-library#1158
Please discuss these things in individual extra tickets. Thank you in advance.
CycloneDX/cyclonedx-javascript-library#1158 was postponed and will not ship anytime soon. Please continue your work crafting a yarn-specific implementation.
I had to fix one of the GitHub workflows.
… into gather-license-texts
Signed-off-by: Augustus Kling <[email protected]>
Note that despite the build passing in the PR validations, the existing tests fail for me. This is with the Example with similar changes in many test cases:
… into gather-license-texts
A lot of dependencies and other things were bumped lately. Better rebase/merge master, delete your local regarding your failing tests - #193 (comment) the underlying test beds ship their own lock files, they are not affected by your project lock file. Anyway, do you maybe have old build artifacts that need to be removed before testing?
… into gather-license-texts
Signed-off-by: Augustus Kling <[email protected]>
Just for your info: the part of the install where node-gyp is used to build libxmljs2 is failing in case you run with Node 22 (current LTS). Its header files are incompatible with the referenced libxml. Updating libxmljs2 to 0.35.0 in CycloneDX/cyclonedx-javascript-library should solve this. Building on Node 20 is not showing the incompatibility and should work with libxmljs2 version 0.33.0 as well as 0.35.0.
Thanks for the hints. It turned out that the test errors were the result of a bug in my changed code. It's fixed with correcting the invocation of the normalize-package-data library in my last commit. Please try out the changes and check if the license evidence is included as you would expect in the resulting SBOMs.
Signed-off-by: Augustus Kling <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
This libxmljs2 is a transitive optional dependency. I would love to omit it.
I do not think this is doable from cyclonedx-node-yarn. Yarn and probably other package managers, too, would download all optional dependencies in the dependency tree, transitively. Then they should compare the current system environment with the compatibility info from the packages' manifests; that is the fields In the specific case here the build of libxmljs2 fails and Yarn warns about it. This failure with the libxmljs2 package does, however, not abort the installation of cyclonedx-node-yarn. Instead, Yarn excludes libxmljs2 automatically since it's only part of the dependency tree as an optional dependency. You'll lose whatever optional feature or optimization libxmljs2 should have contributed to @cyclonedx/cyclonedx-library. If you really wanted to exclude libxmljs2, you'd need to remove it from @cyclonedx/cyclonedx-library, but I guess it is there for a reason. Instead, update libxmljs2 to 0.35.0 to allow for a successful build with more Node versions. The following is Yarn's way to notify about the build failure of an optional dependency. It would be nicer if the wording was more explicit and it said something along the lines of "excluding libxmljs2 which is an optional dependency".
I expected that, since - according to the docs I've read - yarn's concept of optional is a very well-thought-out one. But since I am not a heavy user of yarn, I thought I should ask before assuming something. The features provided by this optional dependency are not used in the code at the moment, so they are not bundled in the final product, and no related code is generated in the build artifact. From a developer-experience standpoint, the warning on setup/install looks ugly, true. But it's fine, it is not a blocker. If it was, please open an issue for that.
The warning is easily misunderstood for a problem but can be safely ignored.
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
…x-webpack-plugin#1339 Signed-off-by: Jan Kowalleck <[email protected]>
refactor & restructure LicenseEvidenceFetcher
followups and concerns that need to be taken into account: AugustusKling#1 (comment)
tracking of tasks that need to be tackled immediately:
I've suggested the docs regarding the "experimental" nature of the new feature.
Co-authored-by: Jan Kowalleck <[email protected]> Signed-off-by: Augustus Kling <[email protected]>
Co-authored-by: Jan Kowalleck <[email protected]> Signed-off-by: Augustus Kling <[email protected]>
@jkowalleck, thanks for the suggestions. I've merged them and also the main branch into this. The build/tests pass locally. Can you please check why the workflows for the PR validations do not start to run?
The CI does not start automatically for PRs; it needs to be triggered by a maintainer - after reviewing the changes. (This is a security feature by GitHub, taken for workflows that were not migrated to GitHub's modern permission system.) Anyway, I had the CI running, and it passed - as expected 🥳 I'd consider this PR as ready for merging. PS: I'd plan a release of this feature for early January 2025. Until then, I will work on some chores and other maintenance tasks.
Hi @jkowalleck, I created the tickets #228 and #229 for the improvements after merge of this pull request. I agree that this is ready to be merged since the README file already mentions license text extraction is experimental.
fixes #256 This PR is based on #427, and uses the same implementation as it was implemented in yarn (See CycloneDX/cyclonedx-node-yarn#193) closes #427 --------- Signed-off-by: Matthias Schiebel <[email protected]> Signed-off-by: Christoph Uhland <[email protected]> Signed-off-by: Christoph Uhland <[email protected]> Co-authored-by: Matthias Schiebel <[email protected]>
Untested code for license text extraction.
fixes #33