-
-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Extraction of license text from files. #33 #193
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: Augustus Kling <[email protected]>
we have a basic implementation here: https://github.com/CycloneDX/cyclonedx-webpack-plugin/blob/72700f06d00eac79fa3b91fe838bd78c583346a2/src/extractor.ts#L135 I was thinking of pulling this one into the CDX library,. so it is available for every downstream user - like here... PS: I found that your implementation is basically a copy/past from the mentioned implementation. So i guess it is any good -- so better pull it over to the library, than copy/pasting it here. |
Taking a file name + a data blob and converting it to an instance of Since you explicitly referred to the other implementation in ticket #33, the implementation here matches it. One would not want different behavior for different libraries under the CycloneDX umbrella. Before this PR has an chance of moving forward, this repo needs to be fixed. The current ESLint setup does not work with the present TypeScript version. You can do a Also, the tests in the repo depend on |
Exactly. here is the (WIP/draft) PR to bring the functionality to the library: CycloneDX/cyclonedx-javascript-library#1158 |
Please discuss these things in individual extra tickets. Thank you in advance. |
CycloneDX/cyclonedx-javascript-library#1158 was postponed and will not ship any soon. Please continue your work crafting a yarn=specific implementation. |
i had to fix one of the github workflows. |
… into gather-license-texts
Signed-off-by: Augustus Kling <[email protected]>
Note that despite the build passing in the PR validations, the existing tests fail for me. This is with the Example with similar changes in many test cases:
|
… into gather-license-texts
a lot of dependencies and other things were bumped lately. Better rebase/merge master, delete your local regarding your failing tests - #193 (comment) the underlying test beds ship own lock files, they are not affected by your project lock file. Anyway, do you maybe have old build artifacts, that need to be removed before testing?
|
… into gather-license-texts
Signed-off-by: Augustus Kling <[email protected]>
Just for your info the part of the install where node-gyp is used to build libxmljs2 is failing in case you run with Node 22 (current LTS). It's header files are incompatible with the referenced libxml. Updating libxmljs2 to 0.35.0 in CycloneDX/cyclonedx-javascript-library should solve this. Building on Node 20 is not showing the incompatibility and should work with libxmljs2 version 0.33.0 as well as 0.35.0.
Thanks for the hints. It turned out that test errors were the result of a bug in my changed code. It's fixed with correcting the invocation of the normalize-package-data library in my last commit. Please try out the changes and check if the license evidence is included as you would expect in the resulting SBOMs. |
Signed-off-by: Augustus Kling <[email protected]>
manifest: JSON.parse(await packageFs.readFilePromise(manifestPath, 'utf8')) | ||
} | ||
if (gatherLicenseTexts) { | ||
packageInfo.licenseEvidence = makeLicenseEvidence(prefixPath, packageFs) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this has nothing to do with the function it is placed in.
the evidence are no package-info at all.
I pull-requested my idea here: AugustusKling#1
this libxmljs2 is a transitive optional dependency. I would love to omit it. |
I do not think this is doable from cyclonedx-node-yarn. Yarn and probably other package managers, too, would download all optional dependencies in the dependency tree, transitively. Then they should compare the current system environment with the compatibility info from the packages' manifests; that is the fields In the specific case here the build of libxmljs2 fails and Yarns warns about it. This failure with the libxmljs2 packages does however not abort the installation of cyclonedx-node-yarn. Instead, Yarn excludes libxmljs2 automatically since it's only part of the dependency tree as an optional dependency. You'll lose whatever optional feature or optimization libxmljs2 should have contributed to @cyclonedx/cyclonedx-library. If you really wanted to exclude libxmljs2, you'd need to remove it from @cyclonedx/cyclonedx-library but I guess it is there for a reason. Instead, update libxmljs2 to 0.35.0 to allow for a successful build with more Node versions. The following is Yarn's way to notify about the build failure or an optional dependency. It would be nicer if the wording was more explicit and it said something along the lines of "excluding libxmljs2 which is an optional dependency".
|
I expected that, since - according to the docs I've read - yarn's concept of optional is a very well-thought one. But since I am not a heavy user of yarn, I thought I should ask, before assuming something. The features provided by this optional dependency are not used in the code at the moment, so they are not bundled in the final product, and no related code is generated in the build artifact. From developer experience, the warning on setup/install looks ugly, true. But it's fine, it is not a blocker. If it was, please open an issue for that. |
The warning is easily misunderstood for a problem but can be safely ignored. |
Untested code for license text extraction.