refactor & restructure LicenseEvidenceFetcher #1
Conversation
Signed-off-by: Jan Kowalleck <[email protected]>
jkowalleck
changed the title
Signed-off-by: Jan Kowalleck <[email protected]>
|
|
||
| export type MimeType = string | ||
|
|
||
| const MAP_TEXT_EXTENSION_MIME: Readonly<Record<string, MimeType>> = { |
There was a problem hiding this comment.
copied from webpack implementation
There was a problem hiding this comment.
I'm completely fine with copying this over and improving later regarding mime types and file patterns.
| } | ||
| const LICENSE_FILENAME_PATTERN = this.#LICENSE_FILENAME_PATTERN | ||
| const logger = this.console | ||
| return async function * (pkg: Package): AsyncGenerator<License> { |
There was a problem hiding this comment.
coppied from webpack implementation with the needed adjustments for yarn
| "licenses": [ | ||
| { | ||
| "license": { | ||
| "name": "file: LICENSE.MIT", |
There was a problem hiding this comment.
this is a potential license evidence.
to be honest, i'd rather improve the pattern match in a later ticket/pr,
than spending too much time with this initial base PR
| "licenses": [ | ||
| { | ||
| "license": { | ||
| "name": "file: LICENSE.BSD", |
There was a problem hiding this comment.
this is a potential license evidence.
to be honest, i'd rather improve the pattern match in a later ticket/pr,
than spending too much time with this initial base PR
|
@AugustusKling reverted most of your work and dump copied over the existing art. it showes some minor flaws, that i would love to tackle in an independent issue/PR |
jkowalleck
changed the title
|
|
||
| export type MimeType = string | ||
|
|
||
| const MAP_TEXT_EXTENSION_MIME: Readonly<Record<string, MimeType>> = { |
There was a problem hiding this comment.
I'm completely fine with copying this over and improving later regarding mime types and file patterns.
|
|
||
| interface BomBuilderOptions { | ||
| omitDevDependencies?: BomBuilder['omitDevDependencies'] | ||
| metaComponentType?: BomBuilder['metaComponentType'] | ||
| reproducible?: BomBuilder['reproducible'] | ||
| shortPURLs?: BomBuilder['shortPURLs'] | ||
| gatherLicenseTexts: BomBuilder['gatherLicenseTexts'] | ||
| gatherLicenseTexts?: BomBuilder['gatherLicenseTexts'] |
There was a problem hiding this comment.
There is no need to have this optionally. The parameter definition of Clipanion has a default value of false set for the gather-license-texts parameter. Therefore the boolean is always present, either true or false.
There was a problem hiding this comment.
understood.
I went with the code "style" the existing interface had.
I think it should be changed/improved in a dedicated pullrequest.
Changing everything at once makes review hard; keeping up the changes and intended outcome gets harder when modifying out-of-scope code.
|
|
||
| this.console = console_ | ||
| } | ||
|
|
||
| async buildFromWorkspace (workspace: Workspace): Promise<Bom> { | ||
| // @TODO make switch to disable load from fs | ||
| const fetchManifest: ManifestFetcher = await this.makeManifestFetcher(workspace.project) | ||
| const fetchLicenseEvidences: LicenseEvidenceFetcher = await this.makeLicenseEvidenceFetcher(workspace.project) |
There was a problem hiding this comment.
I get your argument from CycloneDX#193 (review) but 2 separate fetchers means that all packages have to be extracted twice. This is a waste resource-wise.
We should therefore have only 1 fetcher but not call it manifest fetcher nor license evidence fetcher. The fetcher is something general that makes package contents available. Depending on the linker used it goes to a real file system or a virtual one like the content of ZIP files.
What do you think about letting the fetcher take multiple extractors? Then the fetcher could open the packages (using fetcher.fetch(...)), call all extractors and close the packages (using releaseFs()). In between one extractor could get the package.json while the other could search for license evidence files.
There was a problem hiding this comment.
I totally understand. During development of this patch, I've made attempts of extracting/refactoring the fetcher. I rolled back these results, as I thought they were premature optimizations.
I would like to have the unoptimized most-basic solution in place first, so any optimization is measurable easily, and can be introduced in an isolated pullrequest.
A process for this would be:
- introduce a new feature as a minimum viable product (MVP)- merge it
- test/benchmark this product and baseline your outcome
- identify what can/must be improved - and write a very brief ticket/report for it
- pullrequest a scoped fix for the issues
Changing all at once might be appealing, but it makes reviews harder and collaboration processes slower.
This is why I encourage small/scoped increments. :-D
src/builders.ts
Outdated
| // option `withFileTypes:true` is not supported and casues crashes | ||
| files = packageFs.readdirSync(prefixPath) | ||
| } catch (e) { | ||
| logger?.warn('collecting license evidence in', prefixPath, 'failed:', e) |
There was a problem hiding this comment.
Whilst I prefer to simply call console.warn(...) like here, it does not follow the style of cyclonedx-node-yarn which uses console.warn('WARN | ...) in the other code.
There was a problem hiding this comment.
thanks for spotting this.
fixed it via 2973e59
src/builders.ts
Outdated
| try { | ||
| // option `withFileTypes:true` is not supported and casues crashes | ||
| files = packageFs.readdirSync(prefixPath) | ||
| } catch (e) { |
There was a problem hiding this comment.
This catch should not be here as it hides errors. The warning message is not enough.
I'd assume users of cyclonedx-node-yarn would call it as part of a build pipeline and expect a non zero exit code if anything fails that affects the produced SBOM. It's better to explode than to log a human-friendly message.
There was a problem hiding this comment.
I copied this over from webpack implementation, without thinking too much.
With webpack, the SBOM is a side-artifact that is generated during build time, and it is designed to not break build processes.
the yarn plugin is called explicitly, and - like you said - it is expected to explode on errors.
I will change this accordingly.
PS: done via 643f95e
|
|
||
| const contentType = getMimeForTextFile(file) | ||
| if (contentType === undefined) { | ||
| continue |
There was a problem hiding this comment.
Do not silently skip over files matching LICENSE_FILENAME_PATTERN.
There was a problem hiding this comment.
current implementation is a copy/past of existing art.
lets discuss improvements in a different issue/pullrequest (see #1 (comment))
src/builders.ts
Outdated
| manifest.name = pkg.scope ? `@${pkg.scope}/${pkg.name}` : pkg.name | ||
| manifest.version = pkg.version | ||
| const component = this.makeComponent(pkg, manifest, type) | ||
| if (component instanceof Component) { |
There was a problem hiding this comment.
I don't see how makeComponent could conditionally return an instance. I'd guess something is wrong if we do not get an Component instance here and thus the code should abort execution.
There was a problem hiding this comment.
lets discuss improvements in a different issue/pullrequest (see #1 (comment))
| @@ -103,7 +103,8 @@ | |||
| "type": "website", | |||
| "comment": "as detected from PackageJson property \"homepage\"" | |||
| } | |||
| ] | |||
| ], | |||
| "evidence": {} | |||
There was a problem hiding this comment.
Should only be added if --gather-license-texts was given.
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
this copies the existing art from https://github.com/CycloneDX/cyclonedx-webpack-plugin/blob/master/src/extractor.ts
I'd rather take it as is - with all possible flaws - and improve it in a later issue/PR, than mixing too many things at a time.