redhat-developer
diff --git a/‎README.md‎
Lines changed: 69 additions & 22 deletions b/‎README.md‎
Lines changed: 69 additions & 22 deletions
diff --git a/‎src/main/resources/META-INF/plugin.xml‎
Lines changed: 89 additions & 18 deletions b/‎src/main/resources/META-INF/plugin.xml‎
Lines changed: 89 additions & 18 deletions
diff --git a/‎src/main/resources/images/settings.png‎
32 KB b/‎src/main/resources/images/settings.png‎
32 KB
diff --git a/‎src/main/resources/images/stack-analysis.gif‎
-2.44 MB b/‎src/main/resources/images/stack-analysis.gif‎
-2.44 MB
@@ -24,7 +24,8 @@ Dependency Analytics only accesses your manifest files to analyze your applicati
 vulnerability report.
 
 **IMPORTANT:**
-<br >Currently, Dependency Analytics only supports projects that use Maven (`mvn`), and Node ecosystems (`npm`).
+<br >Currently, Dependency Analytics only supports projects that use Maven (`mvn`), Node (`npm`), Golang (`go mod`) and
+Python (`pip`) ecosystems.
 In future releases, Red Hat plans to support other programming languages.
 
 ##### Table of Contents
@@ -42,7 +43,11 @@ In future releases, Red Hat plans to support other programming languages.
 **Prerequisites**
 
 - For Maven projects, analyzing a `pom.xml` file, you must have the `mvn` binary in your IDE's `PATH` environment.
-- For Node projects, analyzing a `package.json` file, you must have the `npm` binary in your IDE's `PATH` environment.
+- For Node projects, analyzing a `package.json` file, you must have the `npm` and `node` binaries in your IDE's `PATH`
+  environment.
+- For Golang projects, analyzing a `go.mod` file, you must have the `go` binary in your IDE's `PATH` environment.
+- For Python projects, analyzing a `requirements.txt` file, you must have the `python3` and `pip3` binaries in your
+  IDE's `PATH` environment.
 
 **Procedure**
 
@@ -80,28 +85,48 @@ according to your preferences.
 **Configurable parameters**
 
 - **Maven** :
-<br >Path of the `mvn` executable allows Exhort to locate and execute the `mvn` commands to resolve dependencies for
-Maven projects.
-Path of the `JAVA_HOME` directory is required by the `mvn` executable.
-If the paths are not provided, your IDE's `PATH` and `JAVA_HONE` environments will be used to locate the executables.
-
-- **Npm** :
-<br >Path of the `npm` executable allows Exhort to locate and execute `npm` commands to resolve dependencies for Node
-projects.
-Path of the directory containing the `node` executable is required by the `npm` executable.
-If the paths are not provided, your IDE's `PATH` environment will be used to locate the executables.
+  <br >Set the full path of the Maven executable, which allows Exhort to locate and execute the `mvn` command to resolve
+  dependencies for Maven projects.
+  Path of the `JAVA_HOME` directory is required by the `mvn` executable.
+  If the paths are not provided, your IDE's `PATH` and `JAVA_HONE` environments will be used to locate the executables.
+
+- **Node** :
+  <br >Set the full path of the Node executable, which allows Exhort to locate and execute the `npm` command to resolve
+  dependencies for Node projects.
+  Path of the directory containing the `node` executable is required by the `npm` executable.
+  If the paths are not provided, your IDE's `PATH` environment will be used to locate the executables.
+
+- **Golang** :
+  <br >Set the full path of the Go executable, which allows Exhort to locate and execute the `go` command to resolve
+  dependencies for Go projects.
+  If the path is not provided, your IDE's `PATH` environment will be used to locate the executable.
+  When option `Strictly match package version` is selected, the resolved dependency versions will be compared to the
+  versions specified in the manifest file, and users will be alerted if any mismatch is detected.
+
+- **Python** :
+  <br >Set the full paths of the Python and the package installer for Python executables, which allows Exhort to locate
+  and execute the `pip3` commands to resolve dependencies for Python projects.
+  Python 2 executables `python` and `pip` can be used instead, if the `Use python 2.x` option is selected.
+  If the paths are not provided, your IDE's `PATH` environment will be used to locate the executables.
+  When option `Strictly match package version` is selected, the resolved dependency versions will be compared to the
+  versions specified in the manifest file, and users will be alerted if any mismatch is detected.
+  Python virtual environment can be applied, when selecting the `Use python virtual environment` option.
+  If selecting option `Allow alternate package version` while using virtual environment, the dependency versions
+  specified in the manifest file will be ignored, and dependency versions will be resolved dynamically instead (this
+  feature cannot be enabled when `Strictly match package version` is selected).
 
 - **Exhort Snyk Token** :
-<br >The Snyk token allows Exhort to authenticate with the Snyk Vulnerability Database.
-If a Snyk token is not provided, Snyk vulnerability information is not displayed.
+  <br >The Snyk token allows Exhort to authenticate with the Snyk Vulnerability Database.
+  If a Snyk token is not provided, Snyk vulnerability information is not displayed.
 
 If you need a new Snyk token, you can generate a new
 token [here](https://app.snyk.io/login?utm_campaign=Code-Ready-Analytics-2020&utm_source=code_ready&code_ready=FF1B53D9-57BE-4613-96D7-1D06066C38C9).
 
 ## Features
 
 - **Component analysis**
-  <br >Upon opening a manifest file, such as a `pom.xml` or `package.json` file, a scan starts the analysis process.
+  <br >Upon opening a manifest file, such as a `pom.xml`, `package.json`, `go.mod` or `requirements.txt` file, a scan
+  starts the analysis process.
   The scan provides immediate inline feedback on detected security vulnerabilities for your application's dependencies.
   Such dependencies are appropriately underlined in red, and hovering over it gives you a short summary of the security
   concern.
@@ -115,7 +140,6 @@ token [here](https://app.snyk.io/login?utm_campaign=Code-Ready-Analytics-2020&ut
   If you wish to ignore vulnerabilities for a dependency in a `pom.xml` file, you must add `exhortignore` as a comment
   against the dependency, group id, artifact id, or version scopes of that particular dependency in the manifest file.
   For example:
-
   ```xml
   <dependency> <!--exhortignore-->
       <groupId>...</groupId>
@@ -126,10 +150,7 @@ token [here](https://app.snyk.io/login?utm_campaign=Code-Ready-Analytics-2020&ut
 
   If you wish to ignore vulnerabilities for a dependency in a `package.json` file, you must add `exhortignore` as a
   attribute-value pair.
-  If `exhortignore` is followed by a list of comma-separated Snyk vulnerability IDs, only the listed vulnerabilities
-  will be ignored during analysis.
   For example:
-
   ```json
   {
       "name": "sample",
@@ -151,22 +172,36 @@ token [here](https://app.snyk.io/login?utm_campaign=Code-Ready-Analytics-2020&ut
   }
   ```
 
+  If you wish to ignore vulnerabilities for a dependency in a `go.mod` file, you must add `exhortignore` as a comment
+  against the dependency in the manifest file.
+  For example:
+  ```text
+  require (
+      golang.org/x/sys v1.6.7 // exhortignore
+  )
+  ```
+
+  If you wish to ignore vulnerabilities for a dependency in a `requirements.txt` file, you must add `exhortignore` as a
+  comment against the dependency in the manifest file.
+  For example:
+  ```text
+  requests==2.28.1 # exhortignore
+  ```
+
 - **Excluding developmental or test dependencies**
   <br >Red Hat Dependency Analytics does not analyze dependencies marked as `dev` or `test`, these dependencies are
   ignored.
   For example, setting `test` in the `scope` tag within a `pom.xml` file:
-
   ```xml
   <dependency>
       <groupId>...</groupId>
       <artifactId>...</artifactId>
       <version>...</version>
       <scope>test</scope>
   </dependency>
-  ```	
+  ```
 
   For example, setting `devDependencies` attributte in the `package.json` file:
-  
   ```json
   {
       "name": "sample",
@@ -188,6 +223,18 @@ token [here](https://app.snyk.io/login?utm_campaign=Code-Ready-Analytics-2020&ut
   }
   ```
 
+  For example, setting `exclude` attribute in the `go.mod` file:
+  ```text
+  exclude golang.org/x/sys v1.6.7
+
+  exclude (
+      golang.org/x/sys v1.6.7
+  )
+  ```
+
+  You can create an alternative file to `requirements.txt`, for example, a `requirements-dev.txt` or
+  a `requirements-test.txt` file where you can add the development or test dependencies there.
+
 - **Red Hat Dependency Analytics report**
   <br >The Red Hat Dependency Analytics report is a temporary HTML file that exist if the **Red Hat Dependency Analytics
   Report** tab remains open.
 
@@ -12,10 +12,12 @@
 <p>
     Red Hat Dependency Analytics (RHDA) plugin gives you awareness to security concerns within your software supply
     chain while you build your application.
-    <br>The Dependency Analytics plugin uses the Snyk REST API to query <a href="https://snyk.io/product/vulnerability-database/"
-                                                    rel="noopener noreferrer" target="_blank">Snyk's Vulnerability
+    <br>The Dependency Analytics plugin uses the Snyk REST API to query <a
+        href="https://snyk.io/product/vulnerability-database/"
+        rel="noopener noreferrer" target="_blank">Snyk's Vulnerability
     Database</a> for the most up-to-date vulnerability information available.
-    <br>Snyk uses industry-leading security intelligence by pulling from many data sources to give you exact vulnerability information.
+    <br>Snyk uses industry-leading security intelligence by pulling from many data sources to give you exact
+    vulnerability information.
 
 <p>
     <b>NOTE:</b>
@@ -25,8 +27,8 @@
     the vulnerability report.
 <p>
     <b>IMPORTANT:</b>
-    <br>Currently, Dependency Analytics only supports projects that use Maven (<code>mvn</code>), and Node ecosystems
-    (<code>npm</code>).
+    <br>Currently, Dependency Analytics only supports projects that use Maven (<code>mvn</code>), and Node
+    (<code>npm</code>), Golang (<code>go mod</code>) and Python (<code>pip</code>) ecosystems.
     <br>In future releases, Red Hat plans to support other programming languages.
 <p>
 
@@ -37,9 +39,15 @@
     <li>For Maven projects, analyzing a <code>pom.xml</code> file, you must have the <code>mvn</code> binary in your
         IDE's <code>PATH</code> environment.
     </li>
-    <li>For Node projects, analyzing a <code>package.json</code> file, you must have the <code>npm</code> binary in your
+    <li>For Node projects, analyzing a <code>package.json</code> file, you must have the <code>npm</code> and
+        <code>node</code> binaries in your IDE's <code>PATH</code> environment.
+    </li>
+    <li>For Golang projects, analyzing a <code>go.mod</code> file, you must have the <code>go</code> binary in your
         IDE's <code>PATH</code> environment.
     </li>
+    <li>For Python projects, analyzing a <code>requirements.txt</code> file, you must have the <code>python3</code> and
+        <code>pip3</code> binaries in your IDE's <code>PATH</code> environment.
+    </li>
 </ul>
 <p>
     <b>Procedure</b>
@@ -54,8 +62,8 @@
     <li>To start scanning your application for security vulnerabilities, and view the vulnerability report, you can do
         one of the following:
         <ul>
-            <li>Open a manifest file, hover over a dependency marked by the inline Component Analysis, indicated by the wavy-red
-                line under a dependency, and click <b>Detailed Vulnerability Report</b>.
+            <li>Open a manifest file, hover over a dependency marked by the inline Component Analysis, indicated by the
+                wavy-red line under a dependency, and click <b>Detailed Vulnerability Report</b>.
             </li>
             <li>Right click on a manifest file in the <b>Project</b> window, and click <b>Dependency Analytics
                 Report</b>.
@@ -81,30 +89,62 @@
 
 <h2>Configuration</h2>
 <p>
-    The Red Hat Dependency Analytics plugin has some configurable parameters that allows you to customize its behavior according to your preferences.
+    The Red Hat Dependency Analytics plugin has some configurable parameters that allows you to customize its behavior
+    according to your preferences.
 <p>
     <b>Procedure</b>
 <ol>
     <li>Open the IntelliJ IDEA application.</li>
     <li>Click <b>Settings</b> from the menu, and click <b>Tools</b>.</li>
     <li>Click the <b>Red Hat Dependency Analytics</b>.</li>
 </ol>
-    <img src="https://raw.githubusercontent.com/redhat-developer/intellij-dependency-analytics/main/src/main/resources/images/settings.png"
+<img src="https://raw.githubusercontent.com/redhat-developer/intellij-dependency-analytics/main/src/main/resources/images/settings.png"
      alt="Red Hat Dependency Analytics plugin settings">
 <p>
     <b>Configurable parameters</b>
 <ul>
     <li>
         <b>Maven</b>:
-        <br>Path of the <code>mvn</code> executable allows Exhort to locate and execute the <code>mvn</code> commands to resolve dependencies forMaven projects.
+        <br>Set the full path of the Maven executable, which allows Exhort to locate and execute the <code>mvn</code>
+        command to resolve dependencies forMaven projects.
         <br>Path of the <code>JAVA_HOME</code> directory is required by the <code>mvn</code> executable.
-        <br>If the paths are not provided, your IDE's <code>PATH</code> and <code>JAVA_HONE</code> environments will be used to locate the executables.
+        <br>If the paths are not provided, your IDE's <code>PATH</code> and <code>JAVA_HONE</code> environments will be
+        used to locate the executables.
+    </li>
+    <li>
+        <b>Node</b>:
+        <br>Set the full path of the Node executable, which allows Exhort to locate and execute <code>npm</code> command
+        to resolve dependencies for Node projects.
+        <br>Path of the directory containing the <code>node</code> executable is required by the <code>npm</code>
+        executable.
+        <br>If the paths are not provided, your IDE's <code>PATH</code> environment will be used to locate the
+        executables.
     </li>
     <li>
-        <b>Npm</b>:
-        <br>Path of the <code>npm</code> executable allows Exhort to locate and execute <code>npm</code> commands to resolve dependencies for Node projects.
-        <br>Path of the directory containing the <code>node</code> executable is required by the <code>npm</code> executable.
-        <br>If the paths are not provided, your IDE's <code>PATH</code> environment will be used to locate the executables.
+        <b>Golang</b>:
+        <br>Set the full path of the Go executable, which allows Exhort to locate and execute the <code>go</code>
+        command to resolve dependencies for Go projects.
+        <br>If the path is not provided, your IDE's <code>PATH</code> environment will be used to locate the executable.
+        <br>When option `Strictly match package version` is selected, the resolved dependency versions will be compared
+        to the versions specified in the manifest file, and users will be alerted if any mismatch is detected.
+    </li>
+    <li>
+        <b>Python</b>:
+        <br>Set the full paths of the Python and the package installer for Python executables, which allows Exhort to
+        locate and execute the <code>pip3</code> commands to resolve dependencies for Python projects.
+        <br>Python 2 executables <code>python</code> and <code>pip</code> can be used instead, if the <code>Use python
+        2.x</code> option is selected.
+        <br>If the paths are not provided, your IDE's <code>PATH</code> environment will be used to locate the
+        executables.
+        <br>When option <code>Strictly match package version</code> is selected, the resolved dependency versions will
+        be compared to the versions specified in the manifest file, and users will be alerted if any mismatch is
+        detected.
+        <br>Python virtual environment can be applied, when selecting the <code>Use python virtual environment</code>
+        option.
+        <br>If selecting option <code>Allow alternate package version</code> while using virtual environment, the
+        dependency versions specified in the manifest file will be ignored, and dependency versions will be resolved
+        dynamically instead. This feature cannot be enabled when <code>Strictly match package version</code> is
+        selected.
     </li>
     <li>
         <b>Exhort Snyk Token</b>:
@@ -134,6 +174,7 @@
     <li>
         <b>Excluding dependencies with <code>exhortignore</code></b>
         <br>You can exclude a package from analysis by marking the package for exclusion.
+        <br>
         <br>If you wish to ignore vulnerabilities for a dependency in a <code>pom.xml</code> file, you must add <code>exhortignore</code>
         as a comment against the dependency, group id, artifact id, or version scopes of that particular dependency in
         the manifest file.
@@ -145,10 +186,9 @@
             <br>&nbsp;&nbsp;&lt;version&gt;...&lt;/version&gt;
             <br>&lt;/dependency&gt;
         </code>
+        <br>
         <br>If you wish to ignore vulnerabilities for a dependency in a <code>package.json</code> file, you must add
         <code>exhortignore</code> as a attribute-value pair.
-        <br>If <code>exhortignore</code>is followed by a list of comma-separated Snyk vulnerability IDs, only the listed
-        vulnerabilities will be ignored during analysis.
         <br>For example:
         <code>
             <br>{
@@ -170,11 +210,28 @@
             <br>&nbsp;&nbsp;]
             <br>}
         </code>
+        <br>
+        <br>If you wish to ignore vulnerabilities for a dependency in a <code>go.mod</code> file, you must add
+        <code>exhortignore</code> as a comment against the dependency in the manifest file.
+        <br>For example:
+        <code>
+            <br>require (
+            <br>&nbsp;&nbsp;golang.org/x/sys v1.6.7 // exhortignore
+            <br>)
+        </code>
+        <br>
+        <br>If you wish to ignore vulnerabilities for a dependency in a <code>requirements.txt</code> file, you must add
+        <code>exhortignore</code> as a comment against the dependency in the manifest file.
+        <br>For example:
+        <code>
+            <br>requests==2.28.1 # exhortignore
+        </code>
     </li>
     <li>
         <b>Excluding developmental or test dependencies</b>
         <br>Red Hat Dependency Analytics does not analyze dependencies marked as <code>dev</code> or <code>test</code>,
         these dependencies are ignored.
+        <br>
         <br>For example, setting <code>test</code> in the <code>scope</code> tag within a <code>pom.xml</code> file:
         <code>
             <br>&lt;dependency&gt;
@@ -184,6 +241,7 @@
             <br>&nbsp;&nbsp;&lt;scope&gt;test&lt;/scope&gt;
             <br>&lt;/dependency&gt;
         </code>
+        <br>
         <br>For example, setting <code>devDependencies</code> attributte in the <code>package.json</code> file:
         <code>
             <br>{
@@ -205,6 +263,17 @@
             <br>&nbsp;&nbsp;}
             <br>}
         </code>
+        <br>
+        <br>For example, setting <code>exclude</code> attribute in the <code>go.mod</code> file:
+        <code>
+            <br>exclude golang.org/x/sys v1.6.7
+            <br>exclude (
+            <br>&nbsp;&nbsp;golang.org/x/sys v1.6.7
+            <br>)
+        </code>
+        <br>
+        <br>You can create an alternative file to <code>requirements.txt</code>, for example, a <code>requirements-dev.txt</code>
+        or a <code>requirements-test.txt</code> file where you can add the development or test dependencies there.
     </li>
     <li>
         <b>Red Hat Dependency Analytics Report</b>
@@ -258,6 +327,8 @@
   ]]></description>
 
     <change-notes><![CDATA[
+  <p><b>0.7.1</b></p>
+  <p>Enable component analysis for Golang (<code>go mod</code>) and Python (<code>pip</code>).</p>
   <p><b>0.7.0</b></p>
   <p>Initial release for the new Red Hat Dependency Analytics service.</p>
   <p>Based on exhort-java-api.</p>