Add fossa report
#66
Add fossa report
#66
Conversation
cmd/fossa/report.go
Outdated
| if err != nil { | ||
| reportLogger.Fatalf("Invalid FOSSA endpoint: %s", err.Error()) | ||
| } | ||
| api, err := server.Parse(fmt.Sprintf("/api/revisions/%s/dependencies", url.PathEscape(config.MakeLocator(conf.Project, conf.Revision)))) |
There was a problem hiding this comment.
Why is MakeLocator in the config package?
There was a problem hiding this comment.
Legacy. I'll refactor it out later, I think.
There was a problem hiding this comment.
It kinda makes sense as a config util, to take config params and make it into a certain form.
| @@ -125,6 +125,18 @@ func main() { | |||
| cli.BoolFlag{Name: "debug", Usage: debugUsage}, | |||
| }, | |||
| }, | |||
| { | |||
| Name: "report", | |||
There was a problem hiding this comment.
I think we should allow for multiple report formats.
fossa report dependencies (default), fossa report licenses, fossa report vulns
There was a problem hiding this comment.
This is a good idea. I was thinking of report types as different kinds of notices to generate (e.g. NOTICE, ATTRIBUTION, LICENSE) but this makes a lot more sense. I'll implement this.
cmd/fossa/report.go
Outdated
| } | ||
|
|
||
| type licenseResponse struct { | ||
| ID string |
There was a problem hiding this comment.
should include SPDX id; we should prefer using SPDX in general
| - `ATTRIBUTION`: generate an `ATTRIBUTION` file for your dependencies | ||
|
|
||
| ##### `-j, --json` | ||
| <!-- ##### `-j, --json` |
There was a problem hiding this comment.
I was originally thinking of report types in the context of licenses i.e. generating attribution vs. notice files. I couldn't figure out a good way to automatically generate different types of license reports, so I removed this.
This is going to be added back in to differentiate between e.g. dependency vs. license reports.
| } | ||
| } | ||
| fmt.Println() | ||
| } |
There was a problem hiding this comment.
A thought -- in the future maybe we could fallback to querying package registries if we're missing license data.
cmd/fossa/report.go
Outdated
| if err != nil { | ||
| reportLogger.Fatalf("Invalid FOSSA endpoint: %s", err.Error()) | ||
| } | ||
| api, err := server.Parse(fmt.Sprintf("/api/revisions/%s/dependencies", url.PathEscape(config.MakeLocator(conf.Project, conf.Revision)))) |
There was a problem hiding this comment.
This depends on fossa upload succeeding as well as all deep deps to be resolved. I would imagine the implementation would query our /api/revisions and /api/licenses api.
I prefer for the report command to be independent from if the user was integrated with FOSSA; and we can offer "better" data if you used a FOSSA account.
In cases where we hit stuff that hasn't been scanned, we could rely on the fetcher.getMetadata() responses which we'd need to build support for in FOSSA.
If we're running with this path as our v1 implementation, I would:
- File an issue proposing the fossa-independent report design
- Give user feedback that you need
fossa uploadto succeed for this command to succeed
elldritch
force-pushed
the
feat/report-command
branch
2 times, most recently
from
d6872f2
to
648dc06
Compare
|
PTAL. |
| Usage: "Generates a license report", | ||
| Action: reportCmd, | ||
| Flags: []cli.Flag{ | ||
| cli.StringFlag{Name: "c, config", Usage: configUsage}, |
There was a problem hiding this comment.
Good catch. We're going to switch these to use global flags.
|
As per offline discussion, I'm going to merge this in and override merge checks. |
elldritch
force-pushed
the
feat/report-command
branch
from
2455b51
to
2151729
Compare
elldritch
force-pushed
the
feat/report-command
branch
from
2151729
to
835c014
Compare
This PR adds basic NOTICE generation. Reference links: