-
Notifications
You must be signed in to change notification settings - Fork 88
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC: Design improved relationships for Package, Dependencies, Embeds and Requirements #1066
Comments
Note that this is as much for ScanCode.io as it is for ScanCode Toolkit, DejaCode and PurlDB |
Summarizing the discussion we had on the community call on this issue: We need to have dependencies also as packages, and not Here we have some types of packages:
This approach has some benefits:
For example, in SCIO we could have filters for primary packages, secondary/embedded packages, Two possible implementations in this: a) We have everything (packages, resolved/embedded dependencies, dependency purls and even requirements)
b) We have everything else but requirements (packages, resolved/embedded dependencies, dependency purls)
|
The latest design is to go in this direction:
See also attached: To clarify, we would go with option 1:
|
@AyanSinhaMahapatra I had some other notes too... did you capture some? |
And refine existing fields of the model Signed-off-by: tdruez <[email protected]>
Signed-off-by: tdruez <[email protected]>
Signed-off-by: tdruez <[email protected]>
I would recommend an implementation in multiple stages:
|
Signed-off-by: tdruez <[email protected]>
Signed-off-by: tdruez <[email protected]>
@AyanSinhaMahapatra The new Could you start a PR on the resolution part? #1066 (comment) |
Here are some notes as how I understand this model will work: We are updating these existing relationships (and their reverses):
We are creating these new relationships (and their reverses):
A resolution would start with this:
|
As per above and #896, now Now, adding the above suggestion of A package has requirements, a requirement resolves to a dependency and a dependency maps to a package. Packages retain their many to many relationship via the dependency associative but every dependency also has a one to one relationship with a requirement. @tdruez |
@Hritik14 If I expand on the topic of #1066 (comment) then we have these records and relationships (I have added a few extra packages/deps) Before resolution:
After resolution:
What does having an intermediate DiscoveredRequirement brings that we cannot do with the newly updated model? (The idea here is to avoid changing fundamentally the model structure) With that said |
Reference: #1237 Reference: #1066 Signed-off-by: Ayan Sinha Mahapatra <[email protected]>
@tdruez @pombredanne I've added an initial implementation for the resolution process, this is now:
Things remaining [WIP]:
Questions:
Can we implement the above with #880 Also, should we use https://github.com/nexB/univers more in SCTK and make sure |
Signed-off-by: tdruez <[email protected]>
Signed-off-by: tdruez <[email protected]>
Signed-off-by: tdruez <[email protected]>
Signed-off-by: tdruez <[email protected]>
Signed-off-by: tdruez <[email protected]>
Signed-off-by: tdruez <[email protected]>
Signed-off-by: tdruez <[email protected]>
Reference: #1237 Reference: #1066 Signed-off-by: Ayan Sinha Mahapatra <[email protected]>
* Resolve dependencies from lockfiles #1237 Reference: #1237 Reference: #1066 Signed-off-by: Ayan Sinha Mahapatra <[email protected]> * Address feedback and add improvements Signed-off-by: Ayan Sinha Mahapatra <[email protected]> * Improve dependency resolving from lockfiles #1237 Resolves dependency for cases where multiple requirements are resolved by one package and all the version requirements are joined for that package. Reference: #1237 Signed-off-by: Ayan Sinha Mahapatra <[email protected]> * Update scancode-toolkit and fix tests Signed-off-by: Ayan Sinha Mahapatra <[email protected]> * Bump scancode-toolkit to v32.2.0 Reference: https://github.com/nexB/scancode-toolkit/releases/tag/v32.2.0 Signed-off-by: Ayan Sinha Mahapatra <[email protected]> * Regenerate test fixtures and expectations Signed-off-by: Ayan Sinha Mahapatra <[email protected]> * Improve dependency resolver for lockfiles Handle various lockfile cases where: * Same package/dependencies are present in different lockfiles * Independent lockfiles without a manifest and root package * Ecosystems which have only a single version of package in their environment * Dependency graphs where a resolved package can have many parent packages. Signed-off-by: Ayan Sinha Mahapatra <[email protected]> * Address feedback and refactor code Signed-off-by: Ayan Sinha Mahapatra <[email protected]> * FIx bugs for resolving python packages Signed-off-by: Ayan Sinha Mahapatra <[email protected]> * Add unit tests and refactor code Signed-off-by: Ayan Sinha Mahapatra <[email protected]> * Address comments and add CHANGELOG entries Signed-off-by: Ayan Sinha Mahapatra <[email protected]> --------- Signed-off-by: Ayan Sinha Mahapatra <[email protected]>
This is now there with 08c54b1 and support has been added for pypi, poetry, swift, nuget, cocoapods, npm, yarn also with additional help from deplock at https://github.com/nexB/dependency-inspector to generate lockfiles if they are not present, and then parse, store and resolve dependencies to form a graph. |
Renaming the dependency attribute is_resolved to is_pinned to more accurately represent this attribute accurately. This is more relevant after the changes in aboutcode-org/scancode.io#1066 Reference: aboutcode-org/scancode.io#1066 Signed-off-by: Ayan Sinha Mahapatra <[email protected]>
Renaming the dependency attribute is_resolved to is_pinned to more accurately represent this attribute accurately. This is more relevant after the changes in aboutcode-org/scancode.io#1066 Reference: aboutcode-org/scancode.io#1066 Signed-off-by: Ayan Sinha Mahapatra <[email protected]>
* Rename dependency attribute is_resolved Renaming the dependency attribute is_resolved to is_pinned to more accurately represent this attribute accurately. This is more relevant after the changes in aboutcode-org/scancode.io#1066 Reference: aboutcode-org/scancode.io#1066 Signed-off-by: Ayan Sinha Mahapatra <[email protected]>
We need to design improved models for Package, Dependencies, Embeds and Requirements.
Some background:
What we routinely calls "dependencies" are not really dependencies: more often these are requirements that are "resolved" to actual concrete dependencies. To really "depend" on a software package, you need to know the exact resolved version. On the other hand, a requirement expresses the need for some range of versions (even if it's a range of a single version).
We should distinguish a "require" relationship between packages vs. an actual "resolved" dependency to a concrete version, and track if the resolved dependency is present in the codebase or not.
Dependencies (or requirements) may be only documented in a package manifest (like pom.xml) or a lockfile (like package-lock.json), or also be present in the codebase.
We need to track also when a package contains another package (or for that matter when an app contains or embeds packages).
Therefore we may have three levels of tree-like data we need to track for packages:
We have agreed on some key model updates, based on discussions here and in our weekly calls:
Enhance python-inspector models to support relating dependencies to packages using the new modelsEnhance nuget-inspector models to support relating dependencies to packages using the new modelsCreate dependency-inspector to relate dependencies to packages using the new modelsThe https://github.com/nexB/dependency-inspector tickets to create lockfiles are:
yarn
dependency-inspector#3pnpm
dependency-inspector#5npm
dependency-inspector#4dotnet restore
and other built in commands dependency-inspector#11Then for the effective resolution of dependencies as a tree from manifests and lockfiles:
And beyond:
Here are also some related issues, but not directly need to complete this feature:
DiscoveredPackage
andDiscoverdDependency
are very different #885The text was updated successfully, but these errors were encountered: