Add osv output lockfile + refactor #505
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Spiritaine
approved these changes
Aug 26, 2023
Spiritaine
approved these changes
Aug 26, 2023
This comment was marked as resolved.
This comment was marked as resolved.
oliverchang
reviewed
Aug 28, 2023
oliverchang
reviewed
Aug 28, 2023
pkg/lockfile/osv-vuln-results.go
Outdated
| "github.com/google/osv-scanner/pkg/models" | ||
| ) | ||
|
|
||
| const OSVScannerEcosystem Ecosystem = "OSV-Scanner-Results" |
There was a problem hiding this comment.
Is this required to be defined? IT doesn't seem to be used anywhere, and seems like a weird fit.
There was a problem hiding this comment.
Good point, removed it now.
Merged
another-rex
added a commit
that referenced
this pull request
Aug 28, 2023
Pulled refactor out to a separate PR as suggested here: #505 In this PR: - Refactored models package to no longer depend on lockfile - Moved functions that required lockfile types into separate internal package under `utility/vulns` - Copied over OSV url from `osv` package to avoid dependency on `osv` from `output`/`reporter` I went through and graphed out the dependencies, - `models` no longer depends on any internal dependencies - `lockfile` doesn't depend on any internal dependencies apart from `cacheexp` - `osv` brings in both `lockfiles` and `models`. This is probably the most problematic one. Ideally `osv` should only be referencing `models`, but it'll be a breaking change to change this API. This is one of the main things we should change for V2 (related to #442) (TODO: Make separate issue for this - `reporter` depends on the internal `output`, which depends on `osv`. This dependency causes `lockfile` to be pulled into everywhere that needs to print out anything. This can be decoupled without too much trouble by copying in the OSV url. I did so in this PR. - `config` package references `reporter`, with the above change it also no longer depends on `lockfile`.
G-Rath
reviewed
Aug 28, 2023
G-Rath
reviewed
Aug 28, 2023
| @@ -55,11 +78,12 @@ func expectPackage(t *testing.T, packages []lockfile.PackageDetails, pkg lockfil | |||
| } | |||
| } | |||
|
|
|||
| func findMissingPackages(actualPackages []lockfile.PackageDetails, expectedPackages []lockfile.PackageDetails) []lockfile.PackageDetails { | |||
| func findMissingPackages(t *testing.T, actualPackages []lockfile.PackageDetails, expectedPackages []lockfile.PackageDetails) []lockfile.PackageDetails { | |||
There was a problem hiding this comment.
This change is good by itself along with the hasPackage one, so if you can be bothered I'd favor landing it in its own PR so that this diff is reduced rather than have it wait around for the rest of the changes to get reviewed
G-Rath
reviewed
Aug 28, 2023
oliverchang
reviewed
Aug 28, 2023
oliverchang
approved these changes
Aug 29, 2023
G-Rath
suggested changes
Aug 30, 2023
G-Rath
approved these changes
Aug 30, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Introduces the osv-scanner results lockfile format (feel free to suggest a better name for this),
This also refactors the models folder slightly to move some of the helper functions out to a separate internal crate. This stops the models package from pulling in the lockfile package, causing cyclic imports.
I also added another field to
PackageDetails,Source, a currently optional string to specify the location the dependency is actually specified. The only times it will be different from the lockfile location currently is:-r