Make all package managers use the new dependency graph format #3825

Open
10 of 25 tasks
sschuberth opened this issue Mar 29, 2021 · 7 comments
Labels
analyzer About the analyzer tool enhancement Issues that are considered to be enhancements epic A "parent" issue that refers to multiple other issues

Comments

sschuberth (Member) commented Mar 29, 2021

Currently, only the Gradle analyzer uses the new dependency graph format introduced in #3502. We should take advantage of the new format for more (ultimately all) package manager implementations.

Package managers that still need to be migrated are unchecked in this list:

  • Bazel
  • Bower
  • Bundler
  • Cargo
  • Carthage
  • CocoaPods
  • Composer
  • Conan
  • GoMod
  • Gradle
  • GradleInspector
  • Maven
  • Npm
  • NuGet
  • Pnpm
  • Pip
  • Pipenv
  • Poetry
  • Pub
  • Sbt (not relevant itself, as it uses Maven)
  • SpdxDocumentFile
  • Stack
  • SwiftPm
  • Yarn
  • Yarn2
@sschuberth sschuberth added the epic A "parent" issue that refers to multiple other issues label May 17, 2021
oheger-bosch added a commit to boschglobal/oss-review-toolkit that referenced this issue Feb 6, 2023
The convert() function now accepts an Excludes object. The result of
the conversion contains only dependencies not defined by an excluded
scope.

This functionality is going to be used to implement scope exclusions
centrally for package managers that do not support the dependency
graph format natively (see oss-review-toolkit#3825).

Signed-off-by: Oliver Heger <oliver.heger@bosch.io>
oheger-bosch added a commit that referenced this issue Feb 7, 2023
The convert() function now accepts an Excludes object. The result of
the conversion contains only dependencies not defined by an excluded
scope.

This functionality is going to be used to implement scope exclusions
centrally for package managers that do not support the dependency
graph format natively, see [1].

[1] #3825

Signed-off-by: Oliver Heger <oliver.heger@bosch.io>
@sschuberth sschuberth changed the title Make more package managers use the new dependency graph format Make all package managers use the new dependency graph format Jul 25, 2023
sschuberth added a commit that referenced this issue Sep 3, 2024
See [1] for context.

[1]: #3825

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
sschuberth (Member, Author) commented Sep 3, 2024

Here's a brief migration guide that I came up with while working on #9073:

  1. Refactor existing code so that all metadata for a dependency is available in a single data class, let's name it D.
  2. Implement a DependencyHandler<D> that returns various ORT model classes for that data class D.
  3. In the specific package manager class, create a val graphBuilder = DependencyGraphBuilder(...) member variable that takes an instance of that DependencyHandler.
  4. In resolveDependencies(), call graphBuilder.addDependencies(..) for the dependencies.
  5. Change creating a Project from setting scopeDependencies to setting scopeNames = graphBuilder.scopesFor(projectId).
  6. Change the returned ProjectAnalyzerResult to take an emptySet() as packages.
  7. Override createPackageManagerResult() with PackageManagerResult(projectResults, graphBuilder.build(), graphBuilder.packages()).
  8. In existing tests that call resolveSingleProject(), make sure to pass resolveScopes = true.
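How the eight steps fit together in Kotlin, as an added sketch that is not ORT's own code: the "Foo" ecosystem, FooDependency and FooGraphWiring are invented for illustration, and the DependencyHandler method names (identifierFor, dependenciesFor, linkageFor, createPackage) as well as Package.EMPTY and Project.EMPTY are assumed from ORT's model API rather than taken from this issue.

```kotlin
import java.io.File
import org.ossreviewtoolkit.analyzer.PackageManagerResult
import org.ossreviewtoolkit.model.*
import org.ossreviewtoolkit.model.utils.DependencyGraphBuilder
import org.ossreviewtoolkit.model.utils.DependencyHandler

// Step 1: all metadata of one dependency lives in a single data class ("Foo" is a hypothetical ecosystem).
data class FooDependency(
    val name: String,
    val version: String,
    val children: List<FooDependency> = emptyList(),
    val resolved: Boolean = true
)

// Step 2: the handler maps FooDependency onto ORT's model classes (method names assumed from ORT's API).
class FooDependencyHandler : DependencyHandler<FooDependency> {
    override fun identifierFor(dependency: FooDependency) =
        Identifier("Foo", "", dependency.name, dependency.version)

    override fun dependenciesFor(dependency: FooDependency) = dependency.children
    override fun linkageFor(dependency: FooDependency) = PackageLinkage.DYNAMIC

    override fun createPackage(dependency: FooDependency, issues: MutableList<Issue>): Package? {
        if (!dependency.resolved) {
            // Surface unresolvable nodes as issues instead of dropping them silently.
            issues += Issue(source = "Foo", message = "Could not resolve ${dependency.name}.")
            return null
        }
        return Package.EMPTY.copy(id = identifierFor(dependency))
    }
}

// Steps 3 to 7 as they would sit inside the Foo package manager class; the base-class
// constructor and the definition-file parser are left out, the parser is injected instead.
class FooGraphWiring(private val parse: (File) -> Map<String, List<FooDependency>>) {
    private val graphBuilder = DependencyGraphBuilder(FooDependencyHandler())

    fun resolveDependencies(definitionFile: File): List<ProjectAnalyzerResult> {
        val projectId = Identifier("Foo", "", definitionFile.parentFile.name, "1.0.0")
        // Step 4: add each scope's direct dependencies; transitive ones are pulled in via dependenciesFor().
        parse(definitionFile).forEach { (scope, deps) -> graphBuilder.addDependencies(scope, deps) }
        // Steps 5 and 6: scopeNames instead of scopeDependencies, and no per-project packages.
        val project = Project.EMPTY.copy(id = projectId, scopeNames = graphBuilder.scopesFor(projectId))
        return listOf(ProjectAnalyzerResult(project, emptySet()))
    }

    // Step 7: graph and de-duplicated packages go into the manager-level result.
    fun createPackageManagerResult(projectResults: Map<File, List<ProjectAnalyzerResult>>) =
        PackageManagerResult(projectResults, graphBuilder.build(), graphBuilder.packages())
}
```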

@sschuberth sschuberth pinned this issue Dec 11, 2024