Strict mode

[JeffreyHuynh1]

Overview

We should allow users to enforce that the first strategy within our list of strategies passes. This is to ensure ‘ideal’ results and that no fallback strategies are ran.

Acceptance criteria

• When running fossa analyze --strict :

  • Turn warnings into fatalities

  • Ensure that the first strategy in the list passes

Testing plan

Manually testing:

• fossa analyze --strict --debug (I scanned a Maven project)
• In the plugin strategy , emit a fatal error e.g. fatal.MissingDeepDeps
• See that we do not fallback to the other strategies (deptree, pom, etc) and analysis halts

Risks

Would like to add some automated tests but wanted to get some opinions. Would it be sufficient to just create a test for guardStrictMode bc that's the main logic that powers strict mode? Unsure on how to best create tests for strict mode for specific languages / package managers.

Metrics

References

• ANE-236

Checklist

• I added tests for this PR's change (or explained in the PR description why tests don't make sense).
• If this PR introduced a user-visible change, I added documentation into docs/.
• If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
• If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an # Unreleased section at the top.
• If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
• If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.

[csasarak]

This looks pretty good! I think the main changes I'd ask for here are some clarity around how --static-only-analysis and --strict interact and a few comments.

[csasarak]

One thing I forgot to mention is that I think this should be pretty easy to write tests for. I think that if you go to the tests for each of these strategies there is likely one that gets results from the "ideal" analysis. You can run the analysis using strict mode and just check that the output equals the output of the other test. I'd like it if you could try to make a few of these and see what the effort is like. Let me know if you'd like any help.

[carloskcheung]

------------------------ Carlos Cheung - Georgetown Club of Northern California, Board Member Twitter: @carloskcheung | 415.515.1063 | http://www.linkedin.com/in/carloscheung "Learn to work then you'll always work; Work to learn then you'll always learn"

…

On Tue, Sep 3, 2024 at 10:45 AM Christopher Sasarak < ***@***.***> wrote: One thing I forgot to mention is that I think this should be pretty easy to write tests for. I think that if you go to the tests for each of these strategies there is likely one that gets results from the "ideal" analysis. You can run the analysis using strict mode and just check that the output equals the output of the other test. I'd like it if you could try to make a few of these and see what the effort is like. Let me know if you'd like any help. — Reply to this email directly, view it on GitHub <#1463 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAXKLILIL3ITIDRFTCQ6JYLZUXYVJAVCNFSM6AAAAABNNBEHFKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGMRXGA4TEOJTGU> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[csasarak]

Looks good. Please address my comments, but I don't think anything there should need me to look this over again unless you want me to.