Make dependency resolution and analysis optional AND allow specifying the dep depth through CLI #838

Closed
11 tasks done
tromai opened this issue Aug 21, 2024 · 0 comments
tromai commented Aug 21, 2024

Description

We have agreed that it's better to have dependency resolution optional for various reasons:

  • A lot of internal use cases don't require dependency analysis.
  • Dependency resolution and analysis can take a long time to run. For users that want to try Macaron out, it's not ideal to lock them in a very long running process.

In addition, we also want to let the user, if they want to enable automatic dependency resolution, specify the depth of dependency resolution (right now we only support 1. direct dependencies and 2. all transitive dependencies).

Solution

We will make dependency resolution and analysis off by default. If the user wants to run dependency resolution, they must provide an additional flag.
The --skip-deps flag will still be left in the command line interface of Macaron; however, enabling it will not do anything, except printing out a DEPRECATED message. This flag will be completely removed after the next Macaron release (v0.13.0).

The additional flag will be called --deps-depth. This flag accepts a value that specifies the depth level of dependencies:

  • 1 means direct dependencies
  • 0 means no dependency resolution
  • inf means all transitive dependencies

In theory, we could accept any whole number as the value (e.g. 2, 3, etc.) if need arises in the future.

Tasks

  • Make --skip-deps do nothing.
  • Add deprecated message if --skip-deps is used.
  • Remove --skip-deps from existing test cases
  • Update the Sphinx documentation (e.g.

    By default Macaron only checks the direct dependencies. To turn on recursive dependency analysis, add the following to the ``configurations.ini`` file:

    .. code-block:: ini

        [dependency.resolver]
        recursive = True

    or wherever we use the recursive flag).
  • Update the Sphinx documentation where SBOM is provided as a CLI flag. Because right now we need to set --deps-depth for SBOM deps resolution to work.
  • Make sure that when --deps-depth=0, no dependency resolution is run even if an SBOM is provided.
  • Add --deps-depth=1 to all test cases that require direct dependency resolution
  • Add --deps-depth=inf to all test cases that require transitive dependency resolution
  • Add a flag --deps-depth
  • Remove the recursive option in [dependency.resolver] in defaults.ini
  • Integration tests on invalid/valid input to --deps-depth
@tromai tromai added the cli related to the Command-line Interface label Aug 21, 2024
@tromai tromai self-assigned this Aug 21, 2024
@tromai tromai changed the title Make dependency resolution and analysis optional Make dependency resolution and analysis optional AND allow specifying the dep depth through CLI Aug 22, 2024
@tromai tromai closed this as completed Sep 25, 2024
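
The flag semantics described in this issue, sketched as an added example (this is not Macaron's own code). It accepts only 0, 1 and inf, keeps --skip-deps as a no-op that yields a DEPRECATED notice, and lets a depth of 0 override a supplied SBOM. The --sbom-path flag name, the program name and the shape of the returned plan are assumptions made for illustration.

```python
import argparse
import math

DEPRECATION_NOTICE = "DEPRECATED: --skip-deps has no effect; use --deps-depth instead."


def parse_deps_depth(value: str) -> float:
    """Map a --deps-depth value onto a depth: 0, 1 or infinity."""
    if value == "inf":
        return math.inf
    if value in ("0", "1"):
        return int(value)
    # Other whole numbers (2, 3, ...) are rejected for now; the issue only
    # mentions them as a possible future extension.
    raise argparse.ArgumentTypeError(f"invalid depth {value!r}: expected 0, 1 or inf")


def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(prog="analyze-sketch")  # hypothetical program name
    # Dependency resolution is off by default, so the default depth is 0.
    parser.add_argument("--deps-depth", type=parse_deps_depth, default=0)
    # Still accepted so existing invocations keep working, but it changes nothing.
    parser.add_argument("--skip-deps", action="store_true")
    # Assumed flag name for "SBOM is provided as a CLI flag".
    parser.add_argument("--sbom-path", default=None)
    return parser


def resolve_plan(argv: list) -> dict:
    """Turn CLI arguments into a plan for the dependency resolution step."""
    args = build_parser().parse_args(argv)
    notices = [DEPRECATION_NOTICE] if args.skip_deps else []
    if args.deps_depth == 0:
        # Depth 0 wins even when an SBOM is supplied: nothing is resolved.
        return {"resolve": False, "depth": 0, "sbom": None, "notices": notices}
    return {
        "resolve": True,
        "depth": args.deps_depth,
        "sbom": args.sbom_path,
        "notices": notices,
    }


if __name__ == "__main__":
    # Constructed sample invocation: SBOM given, but depth 0 disables resolution.
    print(resolve_plan(["--deps-depth", "0", "--sbom-path", "sbom.json"]))
    print(resolve_plan(["--deps-depth=inf", "--skip-deps"]))
```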