Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for scanning renv lockfiles for the R language #642

Closed
dijitali opened this issue Nov 5, 2023 · 2 comments · Fixed by #668
Closed

Support for scanning renv lockfiles for the R language #642

dijitali opened this issue Nov 5, 2023 · 2 comments · Fixed by #668
Assignees
@G-Rath
Labels
enhancement New feature or request

Comments

@dijitali
Copy link

dijitali commented Nov 5, 2023

Following the addition of CRAN for the R language to the OSV database (google/osv.dev#1477), it would be helpful if this CLI supported scanning renv lockfiles.

A workaround at present is to parse the lockfile with jq and generate a custom lockfile:

jq '{
    results: [
      {
        packages: [
          .Packages | to_entries[] | {
            package: {
              name: .key,
              version: .value.Version,
              ecosystem: "CRAN"
            }
          }
        ]
      }
    ]
  }' renv.lock > osv-renv-lock.json

osv-scanner --lockfile osv-scanner:./osv-renv-lock.json
@oliverchang oliverchang added the enhancement New feature or request label Nov 5, 2023
@G-Rath
Copy link
Collaborator

G-Rath commented Nov 7, 2023
edited
Loading

I'd actually been looking into this a few weeks ago; would you mind providing some example lockfiles for fixtures? I can dig these out from open source projects, but if you know of any special cases that would be worth having tests for that'd be great to hear (e.g. the NPM ecosystem supports the same package multiple times with different versions and peer dependencies, ruby supports different OSs, Go has replace, etc; it doesn't look like renv has that kind of complexity, but would be good to confirm that with folks who actually use the tool!)

Also for future me: https://rstudio.github.io/renv/articles/lockfile.html

@dijitali
Copy link
Author

dijitali commented Nov 8, 2023

I'm not too familiar with any special cases but perhaps a good foundation would be the renv project's tests?

For example:
https://github.com/rstudio/renv/blob/main/tests/testthat/test-lockfile.R

Other than that, I'm aware there are changes in the works for things like dev dependencies (rstudio/renv#1695). But actually from a quick look, it sounds like this isn't something osv-scanner supports yet either (#332).

@G-Rath G-Rath self-assigned this Nov 9, 2023
This was referenced Nov 15, 2023
Merged
Merged
oliverchang pushed a commit that referenced this issue Nov 21, 2023
@G-Rath
feat: add support for comparing CRAN versions (#656)
eb862fd 
Part of #642

See G-Rath/osv-detector#235 for the journey I
went on with R for this
oliverchang pushed a commit that referenced this issue Nov 27, 2023
@G-Rath
feat: add support for renv.lock (#668)
e99410e 
Resolves #642
@BrewTestBot BrewTestBot mentioned this issue Dec 6, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@G-Rath G-Rath

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: add support for renv.lock
3 participants
@oliverchang @G-Rath @dijitali