Skip to content

feat: Dependency track tags reporting #2473

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 16 commits into
base: master
Choose a base branch
from
Draft

feat: Dependency track tags reporting #2473

wants to merge 16 commits into from
+306 −38

Conversation

@gschafra
Copy link

  • Allow providing (multiple) tags for dependency track reporting

@gschafra gschafra requested a review from prabhu as a code owner October 13, 2025 14:31
@malice00
Copy link
Collaborator

Can you please add some tests for this feature, so we actually know it works correctly? Also, can you please sign off on your commit? See git documentation on how to do this, if you're no familiar.

@gschafra gschafra force-pushed the dependency-track-tags-support branch from 7c34e74 to b49a059 Compare October 13, 2025 17:06
@gschafra
Copy link
Author

gschafra commented Oct 13, 2025
edited
Loading

Can you please add some tests for this feature, so we actually know it works correctly? Also, can you please sign off on your commit? See git documentation on how to do this, if you're no familiar.

Are there already any tests in place concerning the reporting to dependency check using command line parameters (like --project-id)? If yes, where can I find those?

AFAICS for the Dependency-Track SBOM submission/reporting features (e.g. --project-id) there seem no tests at all 😞, so I'm missing the test method (unit, integration?) for this use case (CLI param -> expected result).

@gschafra
Copy link
Author

O.k.. sorry... find a way using quibble for mocking and call expectations of got() in submitBom(). Test will follow tomorrow.

@malice00
Copy link
Collaborator

You are correct, we don't have tests for that yet! All the more reason to add some imho.
Preferably they're unit tests (check the xx.poku.js files), but if it's easier, you can check our repotests.yml-workflow and add your repo (if possible, don't want to force proprietary stuff to become public 😉) with tests to it.

prabhu
prabhu reviewed Oct 14, 2025
View reviewed changes
Copy link
Collaborator

@prabhu prabhu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! I didn't know about this useful feature before.

@gschafra
Copy link
Author

Will try to implement unit tests next week. Still try to find a way and the code location to test by mocking out the client (using quibble?) doing the requests to dtrack and verify against against call (parameter) expectations (using Sinon.js?). This seems not so easy in the JS world 😞

@gschafra gschafra marked this pull request as draft October 21, 2025 21:30
@gschafra gschafra force-pushed the dependency-track-tags-support branch 2 times, most recently from 1ad7ff2 to fbc9c20 Compare October 22, 2025 06:39
Günter Schafranek and others added 2 commits October 22, 2025 08:46
@gschafra
feat: Dependency track tags reporting
d3afc75 
- Allow providing (multiple) tags for dependency track reporting

Signed-off-by: Günter Schafranek <[email protected]>
@gschafra
test(cli): Started implementing unit test for SBOM reporting params
89c2627 
Signed-off-by: Guenter Schafranek <[email protected]>
@gschafra gschafra force-pushed the dependency-track-tags-support branch from fbc9c20 to 89c2627 Compare October 22, 2025 06:46
@gschafra
Merge branch 'master' into dependency-track-tags-support
ee85a6f 
Signed-off-by: gschafra <[email protected]>
@gschafra
docs(cli): Docs concerning tag feature on SBOM reporting
068be9a 
- Reference (link) to dependency-track release v4.12.0 which introduces the feature
- API docu links

Signed-off-by: Guenter Schafranek <[email protected]>
@gschafra
test(cli): First SBOM reporting test
c3fc454 
- Taking dependency-track project id, name, version and tag into account

Signed-off-by: Guenter Schafranek <[email protected]>
@gschafra
build(deps): Package fixed versions and overrides
10c6f7c 
Signed-off-by: Guenter Schafranek <[email protected]>
@gschafra
Copy link
Author

You are correct, we don't have tests for that yet! All the more reason to add some imho. Preferably they're unit tests (check the xx.poku.js files), but if it's easier, you can check our repotests.yml-workflow and add your repo (if possible, don't want to force proprietary stuff to become public 😉) with tests to it.

Question: How do you manage the fixed package version overrides in the package.json? I've to add quibble and sinon for mocking and enhanced assertion to the dev packages. As I've seen, ALL packages including their peer dependencies are listed in the "overrides" section of package.json and putting all of them manually is ... painful (?). Are you using any tooling for this?

@gschafra
build(deps): Package overrides
9777208 
Signed-off-by: Guenter Schafranek <[email protected]>
@gschafra
test(cli): Added another test case
ef52e56 
Signed-off-by: Guenter Schafranek <[email protected]>
@malice00
Copy link
Collaborator

Question: How do you manage the fixed package version overrides in the package.json? I've to add quibble and sinon for mocking and enhanced assertion to the dev packages. As I've seen, ALL packages including their peer dependencies are listed in the "overrides" section of package.json and putting all of them manually is ... painful (?). Are you using any tooling for this?

Yeah, unfortunately that's a manual thing -- currently. I added this a couple of days ago and the idea is to at least consciously think about our dependencies, but some form of listing what is missing for easier adding would be nice... I hope I find some time to do that in the next couple of days.

@malice00
Copy link
Collaborator

So, the version locking was not a success... I reverted those changes and I kindly ask you to rebase your PR again. If it's not too complicated, you can remove your overrides as well -- or leave them in if everything works with them there.

Günter Schafranek added 3 commits October 23, 2025 22:54
style(cli): Biome fix/format
d6e797e 
Signed-off-by: Günter Schafranek <[email protected]>
build(deps): Reverted overrides, only keeping direct packages
df3d26b 
Signed-off-by: Günter Schafranek <[email protected]>
test(utils): Adapted parsePnpmLock test
09a2613 
- since pnpm lock changed to added packages

Signed-off-by: Günter Schafranek <[email protected]>
@gschafra gschafra force-pushed the dependency-track-tags-support branch from 097a00a to 09a2613 Compare October 23, 2025 20:57
style: Biome fix/format
24b69ca 
Signed-off-by: Günter Schafranek <[email protected]>
@gschafra gschafra force-pushed the dependency-track-tags-support branch from 8804aa1 to 24b69ca Compare October 23, 2025 21:10
@gschafra
Merge branch 'master' into dependency-track-tags-support
e58f46d 
Signed-off-by: gschafra <[email protected]>
@gschafra
Merge remote-tracking branch 'origin/dependency-track-tags-support' i…
a4efbe0 
…nto dependency-track-tags-support

# Conflicts:
#	lib/cli/index.poku.js
@gschafra
test(cli): Code style
a0661b6 
Signed-off-by: Guenter Schafranek <[email protected]>
malice00
malice00 reviewed Oct 24, 2025
View reviewed changes
lib/cli/index.poku.js
Comment on lines +84 to +88
it("should successfully report the SBOM with given parent project, name, version and multiple single tags", async () => {
const serverUrl = "https://dtrack.example.com";
const projectName = "cdxgen-test-project";
const projectVersion = "1.0.0";
const projectTag = "tag1";
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're doing such an awesome job, that I hate to bring this up: isn't this just a copy of the above test except now it has a parent set? I'm asking because the test-description says 'multiple' (although it also says 'single'), so I figured this would test with multiple tags...

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup, test is not ready yet... I'm massively struggling with test stubs (from ESM modules [got]) , which seems not to reset correctly between tests or/and affecting each other concerning expecations (call count). I've "consultated" various info sources (yes, even GPT and co.) but unfortunately without success. I'll dive deeper into this next week when I have some free time.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please take your time. It will be super cool to have such advanced tests!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@prabhu prabhu prabhu left review comments

@setchy setchy setchy left review comments

@malice00 malice00 malice00 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@gschafra @malice00 @prabhu @setchy