Issue #1227 - Get licenses for NuGet packages #3329
Improves the go cataloger semver extraction logic to include getting the release version of traefik. This is based off of the regex pattern that already existed in the traefik binary classifier. Signed-off-by: Weston Steimel <[email protected]> Signed-off-by: HeyeOpenSource <[email protected]>
…options dotnetConfig struct. Signed-off-by: HeyeOpenSource <[email protected]>
…ons Catalog struct. Signed-off-by: HeyeOpenSource <[email protected]>
…re#3327) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.12 to 3.26.13. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@c36620d...f779452) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: HeyeOpenSource <[email protected]>
…3326) Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.17.2 to 0.17.3. - [Release notes](https://github.com/anchore/sbom-action/releases) - [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md) - [Commits](anchore/sbom-action@61119d4...f5e124a) --- updated-dependencies: - dependency-name: anchore/sbom-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: HeyeOpenSource <[email protected]>
…09e9e5 (anchore#3331) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: willmurphyscode <[email protected]> Signed-off-by: HeyeOpenSource <[email protected]>
…870434 (anchore#3332) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: willmurphyscode <[email protected]> Signed-off-by: HeyeOpenSource <[email protected]>
…rs() function in syft/pkg/cataloger/dotnet. Signed-off-by: HeyeOpenSource <[email protected]>
Just for the record: The configuration can also be influenced by the following four main environment variables:
NuGet package provider credentials: These are only ever used if a NuGet package repository returns the status code 401.
N.B.:
…age provider URLs terminated by '/'. Signed-off-by: HeyeOpenSource <[email protected]>
…hen accessing remote NuGet package repositories. Signed-off-by: HeyeOpenSource <[email protected]>
- Fix remote NuGet license retrieval. - Allow for NuGet package retrieval from package repositories requiring authentication. Signed-off-by: HeyeOpenSource <[email protected]>
FYI: Gitea, for example, allows creating such code and NuGet package repositories.
…rich` functionality. Signed-off-by: HeyeOpenSource <[email protected]>
After tackling all review conversations up to now, the
I have removed any artifacts which are not strictly necessary.
Thanks for the latest updates; I found a few other things after a finer tooth comb. Other than what's mentioned here, it's looking really good -- very appreciated!
…Oct 29th 2024. Signed-off-by: HeyeOpenSource <[email protected]>
…3393) Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.17.5 to 0.17.6. - [Release notes](https://github.com/anchore/sbom-action/releases) - [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md) - [Commits](anchore/sbom-action@1ca97d9...251a468) --- updated-dependencies: - dependency-name: anchore/sbom-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: HeyeOpenSource <[email protected]>
In a sense, the localNuGetCacheResolvers are source content: these are the folders ('sources') from where the external NuGet dependencies are linked...
Hence, I would currently refrain from changing from the file.Resolver implementation to an fs package implementation.
@kzantow: What do you say?
syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable_test.go
```go
type nugetLicenseResolver struct {
	opts                     CatalogerConfig
	localNuGetCacheResolvers []file.Resolver
```
Thanks for the clarification about the decisions taken.
At the moment I am not quite sure how I'd go about performing the switch towards the fs package...
Then again: in a sense, the localNuGetCacheResolvers are source content: these are the folders ('sources') from where the external NuGet dependencies are linked... 🤷♂️
@kzantow: What do you say?