
Adding the ability to retrieve remote licenses for yarn.lock #2338

Merged
merged 7 commits into from
Dec 5, 2023

Conversation

coheigea

Retrieve remote licenses from https://registry.npmjs.com for packages defined in yarn.lock.

It's very slow when enabled so maybe there is some caching mechanism that could be employed...

@coheigea coheigea force-pushed the coheigea/yarn-licenses branch 3 times, most recently from e6c5ae9 to 74b36ba Compare November 20, 2023 07:29
Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
@coheigea coheigea force-pushed the coheigea/yarn-licenses branch from 74b36ba to bf33ac8 Compare November 20, 2023 07:42
@spiffcs

spiffcs commented Nov 29, 2023

👋 sorry @coheigea I can take a look at this today - thanks for all the support on the license gaps! I really appreciate the PR for this. I'll also try and carve out some time for the two other license PRs that are on syft right now

@spiffcs

spiffcs commented Nov 29, 2023

This is so far a 👍 from me! I've got a few more things to wrap up for the day, but will take more time tonight to write tests for this and clean up the conflicts

* main: (40 commits)
  chore(deps): bump anchore/sbom-action from 0.15.0 to 0.15.1 (anchore#2392)
  Retrieve remote licenses using pom.properties when there is no pom.xml (anchore#2315)
  fix(java): improve identification for org.apache.tapestry artifacts (anchore#2384)
  fix(java): improve identification for io.ratpack artifacts (anchore#2379)
  fix(java): improve identification for org.apache.cassandra artifacts (anchore#2386)
  fix(java): improve identification for org.neo4j.procedure artifacts (anchore#2388)
  fix: bump fangs for ptr summarize fix (anchore#2387)
  fix(java): improve identification for org.elasticsearch artifacts (anchore#2383)
  fix(java): improve identification for org.apache.geode artifacts (anchore#2382)
  fix(java): improve identification for org.apache.tomcat.embed artifacts (anchore#2381)
  fix(java): improve identification for io.projectreactor.netty artifacts (anchore#2378)
  fix(java): improve identification for org.eclipse.platform artifacts (anchore#2349)
  Generalize UI events for cataloging tasks (anchore#2369)
  chore(deps): update tools to latest versions (anchore#2376)
  chore(deps): bump github.com/google/go-containerregistry (anchore#2377)
  chore: fix tests failing due to Mac Rosetta cache (anchore#2374)
  fix: improve dotnet portable executable identification (anchore#2133)
  fix file metadata cataloger to use resolved locations (anchore#2370)
  fix: logging level for parsing potential PE files (anchore#2367)
  only remove breaking-change label when there are schema changes (anchore#2371)
  ...

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs

spiffcs commented Dec 5, 2023

Merged and fixed conflicts with some of the recent plumbing changes in how catalogers work. I made the new yarn config optional for this merge commit and hard coded the online to false to just get everything square. Taking another pass now with updating tests and cataloger architecture to match the latest and greatest. Thanks again for all the contributions @coheigea!

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs

spiffcs commented Dec 5, 2023

Just rewiring the cataloger a little now to make it easier to test the network call now like we did the archive parser for maven. This means adding a new baseURL for the config where users who host packages at other registries can set that up. It also allows us to do dependency injection for the internal servemux URL that gets set up during the test

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Comment on lines 13 to 19
// NewCatalogerOpts create a NewCatalogerOpts with default options, which includes:
// - searchRemoteLicenses is false
func NewCatalogerOpts() CatalogerConfig {
	g := CatalogerConfig{}

	return g
}

I think this function should get removed in favor of consumers using the DefaultCatalogerConfig() below, which is consistent with the other cataloger configs, e.g. javaCataloger.DefaultArchiveCatalogerConfig() and golangCataloger.DefaultCatalogerConfig()

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

@kzantow kzantow left a comment


👍

@spiffcs spiffcs merged commit 16dee41 into anchore:main Dec 5, 2023
10 checks passed
@spiffcs spiffcs self-assigned this Dec 5, 2023
@coheigea coheigea deleted the coheigea/yarn-licenses branch December 6, 2023 06:54
@willmurphyscode willmurphyscode added the enhancement New feature or request label Dec 21, 2023
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
…2338)

---------

Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>