Erlang & Elixir Package Manager Plugins #11319
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
|
||
| #------------------------------------------------------------------------ | ||
| # Elixir (Mix SBoM) | ||
| FROM base AS mix_sbom_build |
Check warning
Code scanning / Scorecard
Pinned-Dependencies Medium
|
|
||
| #------------------------------------------------------------------------ | ||
| # Erlang (Rebar3 SBoM wrapped in Bombom) | ||
| FROM base AS rebar3_sbom_build |
Check warning
Code scanning / Scorecard
Pinned-Dependencies Medium
| * It converts a [PurlType] enum value to the corresponding ORT | ||
| * type string format. | ||
| */ | ||
| fun PurlType.toOrtType(): String = |
Check warning
Code scanning / QDJVM
Unused symbol Warning
maennchen
force-pushed
the
sosef/m7
branch
2 times, most recently
from
bf91d9a to
0bb4a3d
Compare
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #11319 +/- ##
============================================
+ Coverage 57.78% 57.86% +0.08%
Complexity 1711 1711
============================================
Files 347 347
Lines 12904 12987 +83
Branches 1238 1257 +19
============================================
+ Hits 7456 7515 +59
- Misses 5000 5022 +22
- Partials 448 450 +2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
maennchen
force-pushed
the
sosef/m7
branch
4 times, most recently
from
84e8b2c to
e1a06b7
Compare
|
As I was just reading this article about workspace support in package managers, something to double-check during the review is whether "Mix (Elixir) [...] umbrella projects" are handled properly. |
|
@sschuberth The way Mix does this is called “Umbrella” applications. I have added a test specifically for that. |
|
Rebased on latest main (detekt update fixes) |
maennchen
force-pushed
the
sosef/m7
branch
2 times, most recently
from
6a17bd0 to
df42b18
Compare
| --build-context "base=docker-image://${DOCKER_IMAGE_ROOT}/ort/base:latest" \ | ||
| "$@" | ||
|
|
||
| # Bombom (Erlang/Rebar3) |
There was a problem hiding this comment.
Nit: Looks like there is a blank line between footer lines in the commit message, which should not be.
There was a problem hiding this comment.
I removed the line, but now the commit linter is complaining.
|
|
||
| ENV MIX_SBOM_HOME=/opt/mix_sbom | ||
|
|
||
| # Download cosign binary, verify mix_sbom binary signature, then clean up |
There was a problem hiding this comment.
Just wondering: If we had gh available, would there be a way to simplify this via gh release download / gh release verify(-asset) commands?
There was a problem hiding this comment.
Yes, that would take slightly less options in the command.
If you’d like, I can do a follow up PR and also change that for gleam.
There was a problem hiding this comment.
Yes, let's keep that in mind for a follow-up PR, this one has already grown big enough. Esp. if there are also other places in the Dockerfile that would benefit from this simplification.
There was a problem hiding this comment.
I'll have a look as a follow up 👍
plugins/package-managers/rebar3/src/funTest/kotlin/Rebar3FunTest.kt
Outdated
Show resolved
Hide resolved
Install mix_sbom binary with sigstore signature verification using cosign. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
Install rebar3_sbom binary using the bombom wrapper with sigstore signature verification using cosign, Co-authored-by: Jonatan Männchen<jonatan@maennchen.ch> Signed-off-by: GwendalLaurent <gwendal.laurent@stritzinger.com>
Add a new utils/cyclonedx module that provides reusable functionality for analyzing CycloneDX SBOMs. This enables multiple package managers to analyze CycloneDX SBOMs by extending the shared CycloneDxPackageManager class. The new module includes: - CycloneDxPackageManager abstract base class for SBOM analysis - CycloneDxSbom for parsing CycloneDX JSON files - CycloneDxDependencyHandler for dependency translation - CycloneDxDependency for dependency representation - Comprehensive test coverage for CycloneDX utilities Relates to oss-review-toolkit#9878. Co-authored-by: Barbara Chassoul <barbara.chassoul@stritzinger.com> Co-authored-by: Jonatan Männchen<jonatan@maennchen.ch> Signed-off-by: IciaC <iciacarrobarallobre@gmail.com>
Signed-off-by: Barbara Chassoul <barbara.chassoul@stritzinger.com>
Signed-off-by: Barbara Chassoul <barbara.chassoul@stritzinger.com>
Add support for analyzing Elixir projects using mix_sbom for CycloneDX SBOM generation. Supports single projects and umbrella workspaces with proper handling of Hex packages. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
Add support for analyzing Erlang projects using bombom for CycloneDX SBOM generation. Supports single projects with proper handling of Hex packages. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
Add Mix and Rebar3 to the list of known package managers in the analyzer configuration and JSON schema. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
Add Mix & Rebar3 to the analyzer documentation listing supported package managers. Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>
| /** | ||
| * Get the type as a [PurlType] enum, or null if the type is unknown. | ||
| */ | ||
| fun getPurlType(): PurlType? = runCatching { PurlType.fromString(type.lowercase()) }.getOrNull() |
Check warning
Code scanning / QDJVM
Unused symbol Warning
5 participants
See individual commits.