used installedRepo instead of lockedRepo, if possible #122
Labels
Milestone
Comments
9 tasks
jkowalleck
changed the title
|
unfortunately the implementation of the |
jkowalleck
added a commit
that referenced
this issue
Mar 11, 2023
* BREAKING changes * Removed support for PHP `<8.0` ([#91] via [#250]) * Removed support for PHP `<8.1` (via [#250]) * Removed support for Composer `<2.3` ([#153] via [#250]) * CLI * Removed deprecated composer command `make-bom`, call `composer CycloneDX:make-sbom` instead ([#293] via [#309]) * Changed option `output-file` to default to `-` now, which causes to print to STDOUT (via [#250]) * Removed option `exclude-dev` in favour of new option `omit` (via [#250]) * Removed option `exclude-plugins` in favour of new option `omit` (via [#250]) * Removed option `no-version-normalization` ([#102] via [#250]) * SBOM results * Components' version is no longer artificially normalized ([#102] via [#250]) * Dependencies * Requires `cyclonedx/cyclonedx-library:^2.0`, was `:^1.4.2` ([#128] via [#250]) * Changed * Evidence analysis prefers actually installed packages over lock file ([#122] via [#250]) * Root component's versions is unset, if version detection fails ([#154] via [#250]) * Composer packages of type "composer-installer" are treated as composer plugins (via [#250]) * Added * Evidence collection knows actually installed packages ([#122] via [#250]) * SBOM results * Support for CycloneDX Spec v1.4 (via [#250]) * might have `serialnumber` populated ([#279] via [#250]) * might have `metadata.timestamp` populated ([#112] via [#250]) * might have `metadata.tools[].tool.externalReferences` populated ([#171] via [#250]) * might have `components[].component.author` populated ([#261] via [#250]) * might have `components[].component.properties` populated according to [`cdx:composer` Namespace Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/composer.md) (via [#250]) * CLI * New option `omit` (via [#250]) * New switch `validate` to override `no-validate` (via [#250]) * New switches `output-reproducible` and `no-output-reproducible` (via [#250]) * Misc * Added demo and reproducible continuous integration test "devReq" that is dedicated to composer's `require-dev` feature (via [#250]) * Reworked demo setups to be more global-install like (via [#250]) [#91]: #91 [#102]: #102 [#112]: #112 [#122]: #122 [#128]: #128 [#153]: #153 [#154]: #154 [#171]: #171 [#250]: #250 [#261]: #261 [#279]: #279 [#293]: #293 [#309]: #309 [#313]: #313 --------- Signed-off-by: Jan Kowalleck <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
fetching a project's components from the lock file is fine.
but it would be better to fetch them from composer's internal "installed" repository.
this is a locked repo that holds info of the actual installed components, like a component is installed as dist or src .... etc ...
the installedRepo is to be preferred over the lockedRepo.
implementation details:
vendor/composer/installed.json- which is accessible via\Composer\Composer::getRepositoryManager()->getLocalRepository()as a\Composer\Repository\RepositoryInterface-usable just like the already used
\Composer\Repository\LockArrayRepositoryComposer\InstalledVersions::getInstalledPackages()might be related to #129
The text was updated successfully, but these errors were encountered: