feat: add purl as a CLI options by tromai · Pull Request #401 · oracle/macaron

tromai · 2023-08-04T04:48:34Z

Description

This Pull request adds a CLI option to Macaron, called -purl/--package-url, for the user to provide the Package URL (see the specification here) for the main analysis software component.

Types of PURL this feature supports.

A "repo-based" PURL.

According to the PURL specification, a PURL string could be used to reference a git repository path.
The format for a "repo-based" PURL would be:

pkg:<type>/<organization>/<repo-name>

Where:

type: could be the pre-defined types for git-based packages as mentioned here. At the current time of this PR, there are only two git-based PURL: github and bitbucket. However, the user could use the git service domain as the type (e.g. github.com or gitlab.com).
organization/repo-name: the repository fullname, which is expected to have 2 components. Example: apache/maven or oracle/macaron,

Other PURL types

At this stage, this type contains PURL strings which do not belong to the first type.

Supported use case

Provide the repository path

This use case is what Macaron has been offering. No changes are made to it.

Provide PURL only

When only the PURL is provided for the main software component:

If that PURL is a repo-based PURL, Macaron can find the repository for it and run the current checks against that repository.
If that PURL is not a repo-based PURL, Macaron would still create a software component entry (see feat!: introduce a new data model and software components based on PURL #305 for more information) but because Macaron could not find a repository path at this stage (upcoming PR would try to address this issue), the checks won't be run against this software component.

Example:

macaron analyze -purl pkg:github.com/apache/maven

Provide PURL with repository path

This is used for the case where the user want to analyze a software component not being a git repository. The repository path is provided from the user to map with that software component.

Note that the branch name and the commit hash must be provide. This enforcement is to prevent Macaron mapping the software component with an incorrect repository snapshot.

Example:

macaron analyze -purl pkg:maven/apache/maven -rp https://github.com/apache/maven -b <branch_name> -d <commit_digest>

benmss · 2023-08-22T04:37:52Z

I have no further suggestions or comments for this PR. The only minor comments I could raise relate to the functions that will be moved into the Repo Finder as part of PR 388. I see no reason to discuss them here when that PR will change them anyway, and is blocked by this one.

Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>

… expectation files Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>

Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>

…ith PURL and repository path Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>

behnazh-w · 2023-08-23T08:10:59Z

+        This method is used to handle the cases where the purl type value is not the git domain but a pre-defined
+        repo-based type in https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst.
+
+        Note that this method will be updated when there are new pre-defined type as per the PURL specification.


Suggested change

Note that this method will be updated when there are new pre-defined type as per the PURL specification.

Note that this method will be updated when there are new pre-defined types as per the PURL specification.

Fixed in f66b0be

behnazh-w · 2023-08-23T20:25:27Z

+
+  pkg:<git_service_domain>/<organization>/<name>
+
+The list bellow shows examples for the corresponding PURL string for different git repositories:


Suggested change

The list bellow shows examples for the corresponding PURL string for different git repositories:

The list bellow shows examples for the corresponding PURL strings for different git repositories:

Fixed in 229e039

Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>

tromai added feature A new feature request cli related to the Command-line Interface purl Related to PURL usage labels Aug 4, 2023

tromai self-assigned this Aug 4, 2023

oracle-contributor-agreement Bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Aug 4, 2023

tromai force-pushed the 375-accept-purl-identifier-as-cli-input branch 3 times, most recently from 75c3e6e to f3375ef Compare August 14, 2023 05:29

tromai mentioned this pull request Aug 15, 2023

Discussion on how to handle --config-path option of the analyze command after pull-request 401 #417

Closed

tromai force-pushed the 375-accept-purl-identifier-as-cli-input branch 2 times, most recently from e195002 to 145c2ac Compare August 17, 2023 02:05

tromai marked this pull request as ready for review August 17, 2023 02:06

tromai requested a review from behnazh-w as a code owner August 17, 2023 02:06

tromai changed the title ~~feat: add purl as a CLI options (WIP)~~ feat: add purl as a CLI options Aug 17, 2023

behnazh-w requested a review from benmss August 17, 2023 02:13

benmss approved these changes Aug 18, 2023

View reviewed changes