Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for dependency graph #1

Closed
nscuro opened this issue Mar 8, 2021 · 4 comments
Closed

Add support for dependency graph #1

nscuro opened this issue Mar 8, 2021 · 4 comments
Labels
enhancement New feature or request
Milestone
v0.2.0

Comments

@nscuro
Copy link
Member

nscuro commented Mar 8, 2021

CycloneDX supports dependency graphs.

Coincidentally, Go's go mod graph command provides a module graph in pretty much the same structure:

$ go mod graph
github.com/CycloneDX/cyclonedx-gomod github.com/CycloneDX/[email protected]
github.com/CycloneDX/cyclonedx-gomod github.com/google/[email protected]
github.com/CycloneDX/cyclonedx-gomod golang.org/x/[email protected]
github.com/CycloneDX/[email protected] github.com/bradleyjkemp/cupaloy/[email protected]
github.com/CycloneDX/[email protected] github.com/stretchr/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
github.com/bradleyjkemp/cupaloy/[email protected] github.com/davecgh/[email protected]
github.com/bradleyjkemp/cupaloy/[email protected] github.com/pmezard/[email protected]
github.com/bradleyjkemp/cupaloy/[email protected] github.com/stretchr/[email protected]
github.com/bradleyjkemp/cupaloy/[email protected] github.com/stretchr/[email protected]
github.com/stretchr/[email protected] github.com/davecgh/[email protected]
github.com/stretchr/[email protected] github.com/pmezard/[email protected]
github.com/stretchr/[email protected] github.com/stretchr/[email protected]
github.com/stretchr/[email protected] gopkg.in/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
github.com/stretchr/[email protected] github.com/davecgh/[email protected]
github.com/stretchr/[email protected] github.com/pmezard/[email protected]
github.com/stretchr/[email protected] github.com/stretchr/[email protected]
github.com/stretchr/[email protected] gopkg.in/[email protected]
gopkg.in/[email protected] gopkg.in/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]
golang.org/x/[email protected] golang.org/x/[email protected]

An MVP implementation could simply take this output, convert <path>@<version> expressions to package URLs and be done with it.

Will have to figure out how to deal with replacements though. We currently treat replaced modules as ancestors in the replacement component's pedigree. However, the module graph will still reference the replaced module, not the replacement.
@nscuro nscuro added the enhancement New feature or request label Mar 8, 2021
nscuro added a commit that referenced this issue Mar 10, 2021
@nscuro
feat: dependency graph support (#1) �
d0ecdb7
@nscuro
Copy link
Member Author

nscuro commented Mar 10, 2021

Basic dependency graph support is done, as can be seen in this example BOM. Won't close this issue unless I have a good solution for replacements though.

@nscuro
Copy link
Member Author

nscuro commented Mar 11, 2021

The graph provided by go mod graph contains multiple versions of the same module (e.g. golang.org/x/net in the output above). We need to rewire the graph so that it lines up with the module list returned by go list -json -m all. Roughly speaking, Go will use the latest version of a module if multiple versions are in the graph.

@nscuro nscuro added this to the v0.2.0 milestone Mar 11, 2021
nscuro added a commit that referenced this issue Mar 12, 2021
@nscuro
feat: filter & rewire module graph #1
6cb25a9 
Go will only include the latest requested version of a module when compiling, which is reflected in the module list obtained by GetModules. This commit makes it so that the module graph reflects that behavior.
nscuro added a commit that referenced this issue Mar 12, 2021
@nscuro
feat: handle replacements in module graph (#1)
7b06d18
@nscuro
Copy link
Member Author

nscuro commented Mar 12, 2021

As per golang/go#40513, dependencies of replacements are evaluated, but attributed to the replaced module in the module graph. Addressed this by rewiring the all references to the replacement instead.

@nscuro
Copy link
Member Author

nscuro commented Mar 12, 2021

Delivered with v0.2.0 ✔

@nscuro nscuro closed this as completed Mar 12, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
v0.2.0
Development

No branches or pull requests
1 participant
@nscuro