NOTE: This issue is still in a draft state. Its contents will likely change as new commands are identified as part of the pipeline.

analyze

The primary user-facing command. This command will delegate to other freshli commands to accomplish its work. It will manage work queues to enable parallelization.

freshli [global options] analyze [command options] <repo url>|<local dir>

What this command does?

With no options specified, performs analysis locally, and then sends the results to the Freshli web app so that the results can be viewed at at URL that will be provided in the command output.

Global Options

• --cache-dir <path>
  • the location where the freshli command will write temporary files as part of it’s processing
  • default value: $HOME/.freshli

Command Options

• --git-path
  • Path to the git binary
  • default value: git
• --branch <name>
  • The branch to checkout after cloning the repository
  • If the option is not specified, then no checkout command will be issued. The remote server’s default branch will be used instead.
• --commit-history (this might be moved to the "build later" category per #188)
  • Analyzes only the points in time when files have changed in the commit history. This can be combined with --history-invertal to make sure that every commit is included in the result set. If --history-interval is not used, then only the values from each commit will be present in the output, meaning that the data will show the metrics at the time that the files were changed, but will not show how the metrics changed between commits.
• --history-interval <duration> (this might be moved to the "build later" category per #187)
  • As the analyze command moves backwards in time through the history of the project, what time interval should it use to determine the points in time that are sampled
  • default value: 1m
  • valid values: /\d+[ymwd]?/
    • y suffix – specifies duration in years
    • m suffix – specifies duration in months
    • w suffix – specifies duration in weeks
    • d suffix – specifies duration in days
    • If no suffix is provided, then the duration is assumed to be a number of months
  • When walking backward in time the following approach will be taken: given current time T, subtract the smallest amount of time to produce time T' such that T' when be an even interval of the specified duration suffix.
    • Example:
      • Assume
        • T = 2022-02-01 23:11:43Z
        • Interval duration — 1d
        • Timezone offset — -04:00
        • Then T' would be set to 2022-02-01 00:00:00-04:00
        • The value of T' would be decremented by one calendar day until the earliest commit date is reached
• --workers — the number of worker processes that should be running at any given time. This defaults to twice the number of CPU cores.

Running this command will dispatch a StartAnalysisActivity. Additionally, this command will be responsible for adjusting the number of application engine workers to match the provided value of the --workers parameter.

Tasks:

• Add Cucumber/Aruba-based acceptance tests for this command
• Implement handling analyze command
  • Adjust number of workers (this could be considered a nice to have if it turns out to be difficult)
  • Pass command line parameters to StartAnalysisActivity (all except --workers should be passed in)
• Remove the following commands
  • git checkout-history
  • git compute-history
  • git clone
  • compute-libyear
• Write results to freshli-web database
  • TBD columns

bom generate-histories

Used to generate CycloneDX BOM files for each each historical point for the given repository.

freshli [global options] bom generate-histories [command options] <repository-id>

What this command does?

Iterates over the recorded historical intervals that are defined for the repository and invokes the bom generate-history command for each one. The number of copies of the bom generate-history command that are allowed to run at one time is controlled by the --workers parameter.

Global Options

• --cache-dir <path>
  • the location where the freshli command will write temporary files as part of it’s processing
  • default value: $HOME/.freshli

Command Options

• --workers
  • the number of worker processes that should be running at any given time. This defaults to twice the number of CPU cores.
  • default: N+1 where N is the number of cores that are detected in the CPU

Spawned from #23. Currently the CLI does not command line parsing and just assume the first argument passed in is the repository. We need to create a framework/design for parsing more complicated command lines.

This issue only encompasses adding the framework and adding the scan and help commands. No other commands should be added.

Currently the CLI supports the following command which scans the repository:

freshli-cli http://url/to/git/repo

After this issue is implemented the above existing command should still work but with the scan command:

freshli-cli scan <git-repo>

There should also be a help command:

freshli-cli help [command]

The help should display something like the below. Will have to work with someone smarter then myself to create a nice looking help message.

Freshli checks your projects dependency Freshness (i.e. how out of up to date are your dependencies). 

Supported commands:
  scan: Scan the given repository for freshness history.
    freshli-cli scan <git-repo>
    
  help: Display the help for commands.  If not arguments are supplies will show all the high level commands (i.e. what you are viewing now).
    freshli-clie help [command]

Examples:

Scan the Freshli Ruby test repository:
  freshli-cli scan https://github.com/corgibytes/freshli-fixture-ruby-nokotest

Help for the scan command:
  freshli-cli help scan

The help command for scan:

freshli-cli help scan

Should display something like:

Computes the historical Freshness of your repository.  Data is returned in <some format>.

scan: freshli-cli scan <git-repo>

  Arguments:
    git-repo: The Git repository to parse.  Supports `git://` or `https://` paths.

Examples:

Scan the Freshli Ruby test repository:
  freshli-cli scan https://github.com/corgibytes/freshli-fixture-ruby-nokotest

The message One of '--self-contained' or '--no-self-contained' options are required when '--runtime' is used. is being displayed when the dotnet publish command is being run by the CI build.

An example can be seen here: https://github.com/corgibytes/freshli-cli/actions/runs/2348142306

Hello, there!

As part of the university research we are currently doing regarding the security of Github Actions, we noticed that one or many of the workflows that are part of this repository are referencing vulnerable versions of the third-party actions. As part of a disclosure process, we decided to open issues to notify GitHub Community.

Please note that there are could be some false positives in our methodology, thus not all of the open issues could be valid. If that is the case, please let us know, so that we can improve on our approach. You can contact me directly using an email: ikoishy [at] ncsu.edu

Thanks in advance

1. The workflow ci.yml is referencing action gittools/actions/gitversion/setup using references v0.9.9. However this reference is missing the commit 90150b4 which may contain fix to the vulnerability.
2. The workflow ci.yml is referencing action gittools/actions/gitreleasemanager/setup using references v0.9.9. However this reference is missing the commit 90150b4 which may contain fix to the vulnerability.
3. The workflow ci.yml is referencing action gittools/actions/gitversion/execute using references v0.9.9. However this reference is missing the commit 90150b4 which may contain fix to the vulnerability.
4. The workflow ci.yml is referencing action gittools/actions/gitversion/execute using references v0.9.9. However this reference is missing the commit 90150b4 which may contain fix to the vulnerability.
5. The workflow ci.yml is referencing action gittools/actions/gitversion/execute using references v0.9.9. However this reference is missing the commit 90150b4 which may contain fix to the vulnerability.
6. The workflow ci.yml is referencing action gittools/actions/gitreleasemanager/addasset using references v0.9.9. However this reference is missing the commit 90150b4 which may contain fix to the vulnerability.

The vulnerability fix that is missing by actions' versions could be related to:
(1) CVE fix
(2) upgrade of vulnerable dependency
(3) fix to secret leak and others.
Please consider updating the reference to the action.

If you end up updating the reference, please let us know. We need the stats for the paper :-)

bom detect-all-manifests

Used to detect all manifest files that are present in the directory associated with the provided repository id and date-time pair.

freshli [global options] bom detect-all-manifests [command options] <repository-id> <date-time>

What this command does?

For each language-specific agent that is detected (by delegating to the agents detect command), delegates to that language agent’s detect-manifests command.

Each detected manifest will be stored in the cache database with a reference to the repository history that it belongs to (determined by the parameters passed in on the command line), the name of the language agent that detected it, an auto-generated manifest id (sha1 of a guid), a sha hash of the manifest file contents, and a relative path to the manifest file from the root of the checked out history directory. This cached information will be used by the bom process-all-manifests command. If the directory associated with the provided date-time has already been scanned for manifest files, then the cached information will be duplicated for the provided date-time.

Language agents are detected by searching the $PATH for a program name that starts with freshli-agent-. It is assumed that anything after this prefix is the language name, and would be used whenever referring to the agent that directly. It is assumed that the language agent knows how to detect all manifest files for that languages ecosystem, even in the case where the language ecosystem uses a variety of manifest file formats. For example, Maven and Gradle competing dependency managers in the Java ecosystem, and each one has its own manifest file format for documenting dependencies. It is assumed that the freshli-agent-java executable knows how to detect both file formats.

Global Options

• --cache-dir <path>
  • the location where the freshli command will write temporary files as part of it’s processing
  • default value: $HOME/.freshli

Command Options

• --workers
  • the number of worker processes that should be running at any given time. This defaults to twice the number of CPU cores.
  • default: N+1 where N is the number of cores that are detected in the CPU

Inspired by a conversation in pull request #81.

The Cache class is throwing exceptions containing information that needs to be written to the console. An exception class is best used for "exceptional" or unexcepted scenarios. The scenarios in question are expected to happen from time to time. A cleaner way of passing these messages to the console would be to use a logger instance that is wired up to output to the console, either to STDERR or STDOUT based on the method that is called on the logger.

This should simplify the calling code because it will not need to have knowledge about special kinds of exceptions that the Cache class might throw and route those to the correct output stream.

What’s this?

A re-imagining of Freshli that takes advantage of the ecosystem of tools that generate CycloneDX BOM files. The current idea is to drive this from the Freshli CLI.

Architecture

The CLI is going to be split into user-facing commands and internal commands. This is similar to the approach that’s taken by the git set of tools. In that ecosystem, there are a set of commands that are meant to be user-facing (called porcelain commands), and there are other commands that are in support of internal operations and other commands (called plumbing commands).

We’ll do our best to follow the Unix philosophy for building out these commands:

• Do one thing, and do it well
• The output of each command can be used as input for another command, with the ability to read information from STDIN and write information to STDOUT - sometimes this point will be deviated from when it makes more sense to persist output to the file system so that it can be used by multiple programs reading the same information at the same time

One reason for taking this approach is that it allows us to use the operating system’s process scheduling to get parallelization of activities. Another reason is that it allows us to interact with tools that we did not write, such as git for source code integration or mvn for build system integration or a command line tool that knows how to generate or manipulate CycloneDX BOM files.

It’s expected that many of the commands below will permit running multiple workers, with work to be completed stored in queue tables in the local database. The local database will also be used to cache information from various external sources and to cache the results of expensive computations.

One goal with caching is to make the analyze command run quickly against commits that it has already analyzed. This would be particularly useful when running the CLI from a CI environment, since most of them support storing cached information between builds.

flowchart LR
    start(analyze start)
    subgraph cache
        prepare
    end
    subgraph git
        clone --> compute-history
        compute-history --> checkout-histories
        checkout-histories --> compute-remaining-histories{{Histories\nRemain?}}
        compute-remaining-histories -->|Yes| checkout-history
        checkout-history --> compute-remaining-histories
        compute-remaining-histories -->|No| history-done(Done)
    end
    
    subgraph bom
        generate(generate start) --> generate-histories

        generate-histories --> generate-remaining-histories{{Histories\nRemain?}}
        generate-remaining-histories -->|Yes| generate-history
        generate-history --> generate-remaining-histories
        generate-remaining-histories -->|No| generate-done(Done)				
    end
    subgraph compute
        libyear
    end
    subgraph persist
        save-to-database
    end
    subgraph output
        create-local-report
    end
    subgraph publish
        send-to-freshli-web
    end
    start --> cache
    cache --> git
    git --> bom
    bom --> compute
    compute --> persist
    compute --> output
    compute --> publish

flowchart
    subgraph agent
        subgraph lang
            lang-detect-manifests[detect-manifests]
        end
    end

    subgraph agents
        agents-detect[detect]
    end

    subgraph bom
	generate-history --> detect-all-manifests
        detect-all-manifests --> agents-detect
	detect-all-manifests --> all-manifests-detected{{All\nManifests\nDetected}}
        all-manifests-detected -->|No| lang-detect-manifests
        lang-detect-manifests --> all-manifests-detected
        all-manifests-detected -->|Yes| process-all-manifests
    end

flowchart
    subgraph agent
        subgraph lang
            lang-process-manifest[process-manifest]
        end
    end

    subgraph bom
        process-all-manifests --> all-manifests-processed{{All\nManifests\nProcessed}}

        all-manifests-processed -->|No| lang-process-manifest
        lang-process-manifest --> all-manifests-processed
        all-manifests-processed -->|Yes| process-manifests-done(Done)
    end

The above graphs will be updated as more commands are identified and added to the pipeline.

The following issues are associated with this epic.

• #49
• #50
• #51
• #52
• #53
• #54
• #56
• #57
• #58
• #59
• #60
• #61
• #62
• #97

Compile and make the command line executable downloadable. Not sure where the best place to put the download is? For alpha releases my first thought would be GitHub either in the releases or possibly packages (if even possible). We will need to discuss where to put beta and production versions of the executables.

agents detect

Used to detect all of the language agents that are available for use.

freshli agents detect

What this command does?

Language agents are detected by searching the $PATH for a program name that starts with freshli-agent-. It is assumed that anything after this prefix is the language name, and would be used whenever referring to the agent that directly.

This command outputs the detected language name and the path to the language agent binary in a tabular format. One line of output is created for each language agent that is detected.

Our intention is to release this tool under the AGPL license, so we need to make sure that none of the NuGet packages we use are in conflict with this license.

Luckily there's an open-source project, which rather similar to this one in terms of how it works, that can help.
https://github.com/pivotal/LicenseFinder

Continuing the conversation from this comment: #112 (comment)
My initial idea was to just look at the absolute value of libyear:

// .Duration() will always return an absolute value.
// So even if the latest version was released before the current version you'll end up with a positive number.

Given a package with two releases. Version 8.0 was released on 11/29/2020, Version 7.4 was released on 11/29/2021. If your application is on version 7.4, and If you'd follow the guidelines than that would mean a libyear of -1. That doesn't make sense because the number should tell you how up-to-date you are. That can't be negative, you can only be behind or on-top. So what the number to means is that it's an indication of how far behind you are on the latest release. Since version 7.4 was released in 2021, you had a year already to upgrade to version 8. So a libyear of 1 as you are behind with updates.

@mscottford I'm continuing the conversation here asynchronously. I think that's better so we have some documentation later as well as it's a pretty important topic of the whole app. 😅

During the #28 the version of Freshli-Lib was updated. This case is just to capture that update in the release notes.

agents verify

Used to test all of the language agents that are available for use. It tests if all the agents are adhering to the contract. e.g. does it have the expected output for validating-repositories.

freshli [global options] agents verify [command options] [language-name]

What this command does?

When no language name is specified, delegates to the agents detect to detect each available for agent, and then operates as if the agents verify command had been called once for each available language.

When a language is specified invokes the language agent’s validating-repositories command to get the urls of a publicly available repositories that the agent can be validated against. Each provided repository is then cloned as a child of CACHE_ROOT/<lang>/ directory. It is up to the language agent to determine the correct number of repositories to validate against, but the expectation is that at least one repository url is provided for each manifest file format that the language agent knows how to detect and process. If any of the repositories fails to clone, then an error is generated.

For each repository that has been checked out, the language agent’s detect-manifests command is invoked. The command output is then validated to ensure that at least one manifest file has been detected. If no manifest files are detected, then then an error is generated.

For each repository, the language agent’s process-manifests command is then invoked. It is expected that the output of the command contains the following for each manifest file that was processed:

• manifest file location in the cache tree
• resulting bom file location in the cache tree
• optionally, if a modified manifest file was generated as part of the processing, the location in the cache tree of the original manifest file

If the language agent’s process-manifests command does not process the same number of manifests as were detected by the language agent’s detect-manifests command, then an error is generated.

If the output of the process-manifests command lists files that don’t exist or are empty, then an error is generated.

If the resulting CycloneDX bom file is not a valid JSON-formatted CycloneDX bom file, then an error is generated.

If the any residual modifications to the cloned source code repository are detected after process-manifests command has completed, then an error is thrown. This is the same validation that is performed when running the bom process-all-manifests command with the --verify-directories option.

For each language that this command evaluates, the result of the verification is listed along with the number of repositories that were tested and the amount of time that it took to perform the verification.

Global Options

• --cache-dir <path>
  • the location where the freshli command will write temporary files as part of it’s processing
  • default value: $HOME/.freshli

Command Options

• --workers
  • the number of worker processes that should be running at any given time. This defaults to twice the number of CPU cores.
  • default: N+1 where N is the number of cores that are detected in the CPU

There's a warning message in the build output when the build step ".NET Core 3 (GitReleaseManager)" runs.

Warning: .NET Core 3.0 is no longer supported and will not receive security updates in the future. Please refer to https://aka.ms/dotnet-core-support for more information about the .NET support policy.

I'm assuming that this is because the GitHub actions for GitReleaseManager (and perhaps GitVersion) are not running the latest versions.

compute libyear

freshli compute libyear [filepath]

What does this command do?

The CycloneDX(SBOM) file passed to this command is generated by the bom:generate command. This file contains the Bill of Materials including the package URL.

This command will use the CycloneDX file to check each package what the current version is. It will use the packge URL for finding out what the current version is and which date it was released.

graph LR;
 subgraph what it should query
  queries-.-latest[What's the latest version? And it's release date?]
  queries-.-current[What's the currents version release date?]
 end

  subgraph different repositories
   Repositories-.-Composer
   Repositories-.-Bundler
   Repositories-.-Carton
   Repositories-.-Pip
   Repositories-.-NuGet
  end

 subgraph the flow
  purl[Package URL]-->Repository
  Repository-->query[Query info, find out where the code lives github.com etc.]
  query-->git[Ask git for the repository's tags and what date they were published]
  git-->calc[Calculate lib year]
 end

Command parameters

• filepath: Filepath of CycloneDX file containing the BOM history.

Notes

Fetching repository info with bundler:

root ➜ /code (calculate-libyear) $ bundle info sqlite3

  * sqlite3 (1.4.2)

        Summary: This module allows Ruby programs to interface with the SQLite3 database engine (http://www.sqlite.org)

        Homepage: https://github.com/sparklemotion/sqlite3-ruby

        Path: /usr/local/bundle/gems/sqlite3-1.4.2

Fetching repository info with carton (https://metacpan.org/dist/carton/view/lib/Carton/Doc/Show.pod):

carton show Module

bom process-all-manifests

Used to produce a CycloneDX file for each manifest file that has been detected for the provided repository-id and date-time pair.

freshli [global options] bom process-all-manifests [command options] <repository-id> <date-time>

What this command does?

For each language-specific agent that is detected, delegates to that language agent’s process-manifests command.

The same language agent that detected the manifest file will be used to process it. It is assumed that the language agent knows how to process any manifest file that it has detected, even in the case where the language ecosystem uses a variety of manifest file formats. For example, Maven and Gradle competing dependency managers in the Java ecosystem, and each one has its own manifest file format for documenting dependencies. It is assumed that the freshli-agent-java executable knows how to process both file formats.

Some language agent processors will generate a modified or translated version of the manifest file that it operated on. This modified or translated version of the manifest file is needed to replace version range expressions with specific versions that were available at the provided date-time value. Entries are created in the cache database for these modified manifests in a way that associates it with the manifest file that it originated from. The translated file is also stored in the cache for easy future retrieval.

Generating these modified manifest files requires exclusive access to a history directory tree. This means that no two instances of the same language agent processor is permitted to operate on a the same directory tree at the same time. This is regardless of the number of workers that have been specified via the --workers parameter.

An entry is created in the cache database for each CycloneDX bom.json file that is produced by this operation. The bom file’s entry includes a reference to the manifest file that it was generated from. These files are also stored in the cache file tree for examination or future processing by other commands.

It is expected that after a language agent’s process-manifests command has completed, the provided directory tree will appear unchanged. The --verify-directories option can be specified to enforce this rule.

Global Options

• --cache-dir <path>
  • the location where the freshli command will write temporary files as part of it’s processing
  • default value: $HOME/.freshli

Command Options

• --workers
  • the number of worker processes that should be running at any given time. This defaults to twice the number of CPU cores.
  • default: N+1 where N is the number of cores that are detected in the CPU
• --verify-directories
  • When specified, the contents of each processed history directory is validate before and after a language agent is run. This ensures that no residual changes were made to the directory tree by the language agent.

When running the CI the following warning is displayed:

##[warning]Unexpected input(s) 'tagName', valid inputs are ['owner', 'repository', 'token', 'milestone', 'assets', 'targetDirectory']

This is linked to the following CI step in ci.yml:

- name: "[Post Build] - Add Assets to Release Draft"
  if: ${{ github.event_name == 'push' }}
  uses: gittools/actions/gitreleasemanager/[email protected]
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
    owner: 'corgibytes'
    repository: 'freshli-cli'
    milestone: 'v${{ steps.gitversion.outputs.majorMinorPatch }}'
    tagName: 'v${{ steps.gitversion.outputs.majorMinorPatch }}'
    assets: 'freshli-cli-${{ steps.gitversion.outputs.majorMinorPatch }}-win-x64.zip,freshli-cli-${{ steps.gitversion.outputs.majorMinorPatch }}-linux-x64.zip,freshli-cli-${{ steps.gitversion.outputs.majorMinorPatch }}-osx-x64.zip'

I don't think the tagName is valid argument, at least not anymore.

https://github.com/GitTools/actions/blob/main/gitreleasemanager/addasset/action.yml

Setup both badges and bot for all changes made to the CLI.

Harvested out of a recent code review.

version

Used to determine the current version of the Freshli CLI

freshli version

What this command does?

Outputs the application version number of the Freshli executable to the console.

The CLA build process works, at least it appears too, but generates the below warning:

Warning: Unexpected input(s) 'path-to-cla-document', valid inputs are ['path-to-signatures', 'branch', 'allowlist', 'remote-repository-name', 'remote-organization-name', 'path-to-document', 'signed-commit-message', 'signed-empty-commit-message', 'create-file-commit-message', 'custom-notsigned-prcomment', 'custom-pr-sign-comment', 'custom-allsigned-prcomment', 'use-dco-flag']
Run cla-assistant/[email protected]
  with:
    path-to-signatures: CLA/signatures/v1.0/cla.json
    path-to-cla-document: https://github.com/corgibytes/freshli-cli/blob/main/CLA/CLA-v1.0.md
    branch: main
    allowlist: dependabot[bot]
    create-file-commit-message: Adds file for storing CLA Signatures
    signed-commit-message: Adds CLA signature for $contributorName (PR #$pullRequestNo)
    custom-notsigned-prcomment: Thank you for your submission to Freshli! Like many open-source projects, we ask that you agree to our [Contributor License Agreement](https://github.com/corgibytes/freshli-cli/blob/main/CLA/CLA-v1.0.md) before we can accept your contribution. You can sign the CLA by posting a comment in this PR matching the text below:
    use-dco-flag: false
  env:
    GITHUB_TOKEN: ***
    PERSONAL_ACCESS_TOKEN: ***
CLA Assistant GitHub Action bot has started the process
Locking the Pull Request to safe guard the Pull Request CLA Signatures
successfully locked the pull request 29

I think the fix is the change the path-to-cla-document to path-to-document. See issue contributor-assistant/github-action#66 for more details.

Use Aruba to verify the CLI on the executable. This will need to be:

1. Added to the project,
2. Configured,
3. Appropriate run instructions added to the README.md,
4. Added to CI pipeline.

See https://github.com/cucumber/aruba/blob/main/features/01_getting_started_with_aruba/run_commands.feature

git compute-history

Used to examine the history of the specified repository and determine the sha hashes that will need to be checked out to complete a historical analysis at the intervals specified.

freshli [global options] git compute-history [command options] <respository-id>

What this command does?

Creates a row in the repository_histories table for each history interval stop and records the sha hash that is detected for that point in time. Each date/time and sha hash pair is also output to STDOUT on a single line per row.

Global Options

• --cache-dir <path>
  • the location where the freshli command will write temporary files as part of it’s processing
  • default value: $HOME/.freshli

Command Options

• --git-path

  • Path to the git binary
  • default value: git

• --commit-history

  • Analyzes only the points in time when files have changed in the commit history. This can be combined with --history-invertal to make sure that every commit is included in the result set. If --history-interval is not used, then only the values from each commit will be present in the output, meaning that the data will show the metrics at the time that the files were changed, but will not show how the metrics changed between commits.

• --history-interval <duration>

  • As the analyze command moves backwards in time through the history of the project, what time interval should it use to determine the points in time that are sampled
  • default value: 1m
  • valid values: /\d+[ymwd]?/
    • y suffix – specifies duration in years
    • m suffix – specifies duration in months
    • w suffix – specifies duration in weeks
    • d suffix – specifies duration in days
    • If no suffix is provided, then the duration is assumed to be a number of months
  • When walking backward in time the following approach will be taken: given current time T, subtract the smallest amount of time to produce time T' such that T' when be an even interval of the specified duration suffix.
    • Example:
      • Assume
        • T = 2022-02-01 23:11:43Z
        • Interval duration — 1d
        • Timezone offset — -04:00
        • Then T' would be set to 2022-02-01 00:00:00-04:00
        • The value of T' would be decremented by one calendar day until the earliest commit date is reached

bom generate-history

Used to generate CycloneDX BOM files for the specified historical point for the given repository.

freshli [global options] bom generate-history [command options] <repository-id> <date-time>

What this command does?

Delegates to the bom detect-all-manifests command to detect all of the manifest files that are available for the git history that’s been checked out for the provided date-time value. After bom detect-all-manifests has completed, delegates to the bom process-all-manifests command for processing all of the manifests that have been detected.
Global Options

• --cache-dir <path>
  • the location where the freshli command will write temporary files as part of it’s processing
  • default value: $HOME/.freshli

The executable name is currently Corgibytes.Freshli.Cli. It should simply be freshli.

Currently the messages displayed by the Freshli-CLI are not localized but are just hard coded English strings. This case is to localize any messages displayed by the CLI including help. The command line arguments won't be localized.

This issue only covers the CLI. If any messages are displayed from Lib they will either still be displayed unfocalized (i.e. in English) or the CLI will have to override the message.

Also this issue only covers localizing the current English messages. New cases will be created to actually adding new languages.

Some documentation on how to localize .NET applications can be found here

Document the style guidelines for the project. Inspired by a recent code review.

Where possible, enable Roslyn analyzers that help enforce the project style.

Auto generate the change log and GitHub releases using GitReleaseManager which is made by the same people who made GitVersion.

GitReleaseManager works by having creating a milestone with version number (e.g. v0.3.0 and assigning issues to that milestone. Then in the CI we run the GitReleaseMangaer to generate both the GitHub Release and the change log.

I tested this in another project and it seemed to work pretty well. An example of the GitHub action file is:

# Assume we have the next version number via GitVersion.

- uses: gittools/actions/gitreleasemanager/[email protected]
name: Install GitReleaseManager
with:
  versionSpec: '0.11.0'

- uses: gittools/actions/gitreleasemanager/[email protected]
name: Create GitHub Release for ${{ steps.gitversion.outputs.majorMinorPatch }}  if it Does not Exist
continue-on-error: true
with:
  token: ${{ secrets.GITHUB_TOKEN }}
  owner: 'repo-owner'
  repository: 'my-repo'
  milestone: 'v${{ steps.gitversion.outputs.majorMinorPatch }}' 

# This will generate the change log for all the GitHub Releases.
- name: Generate Change Log (no GitHub Action)
run: |
  dotnet-gitreleasemanager export --token ${{ secrets.GITHUB_TOKEN }} -o 'repo-owner' -r 'my-repo' -f 'CHANGELOG.md'
  cat CHANGELOG.md

- uses: stefanzweifel/git-auto-commit-action@v4
name: Commit Change Log if it Changed
with:
  commit_message: Committing auto generated change log.
  file_pattern: CHANGELOG.md

This spike originates here: #112 (comment)

The problem is as follows. Given a class that extends the CommandOptions class. For example:

public class ComputeLibYearCommandOptions : CommandOptions
{
    public FileInfo FilePath { get; set; }
}

There's some magic going on behind the scene to connect a command line parameter to the CommandOptions object.
E.g. passing --filepath=/opt/home/things is set to the FilePath property of ComputeLibYearCommandOptions behind the scene.
However, can we change it so that FilePath can have a different name? In this example it's not descriptive, and tells us nothing about the context. We want to know it's about a CycloneDX file here. Can we rename FilePath?

At present, the project's nullable setting is disabled, necessitating the use of #nullable enable whenever we need that. We should inspect whether it would be practical to set nullable to enabled across the project. (I already know this will require some code changes.)

You didn't create this, so I think this little bit of clean-up can be pushed into a code clean-up issue.

Since we're using the FluentAssertions library, it would be cleanest to rely on its support for adding new matchers.

So this would end up looking like something like this: (I haven't tried to compile this.)

public static class Command
{
    public static CommandOptionAssertions ShouldContainOptionAlias(this Command command, string alias)
    {
        return new CommandAssertions(command, alias);
    }
}

public class CommandOptionAssertions: ReferenceTypeAssertions<Option, CommandOptionAssertions>
{
    private string alias;
    private Command command;
    public CommandOptionAssertions(Command command, string alias): base(command)
    {
        this.command = command;
        this.alias = alias;
    }

    public AndConstraint<CommandAssertions> DoesAllowMultipleArgumentsPerToken()
    {
        Option option = command.Options.FirstOrDefault(x => x.Aliases.Contains(alias));
        Execute.Assertion
            .ForCondition(option != null)
            .FailWith("Alias with name {0} was not found", _ => alias)
            .Then
            .ForCondition(option.AllMultipleArgumentsPerToken)
            .FailWith("Expected to support multiple arguments per token")

        return new AndConstraint<CommandAssertions>(this);
    }

    public AndConstraint<CommandAssertions> DoesNotAllowMultipleArgumentsPerToken()
    {
        Option option = command.Options.FirstOrDefault(x => x.Aliases.Contains(alias));
        Execute.Assertion
            .ForCondition(option != null)
            .FailWith("Alias with name {0} was not found", _ => alias)
            .Then
            .ForCondition(!option.AllMultipleArgumentsPerToken)
            .FailWith("Expected to _not_ support multiple arguments per token")

        return new AndConstraint<CommandAssertions>(this);
    }

    public AndConstraint<CommandAssertions> HavingArity(int arity)
    {
        Option option = command.Options.FirstOrDefault(x => x.Aliases.Contains(alias));
        Execute.Assertion
            .ForCondition(option != null)
            .FailWith("Alias with name {0} was not found", _ => alias)
            .Then
            .BecauseOf(arity)
            .ForCondition(option.Arity == arity)
        return new AndConstraint<CommandAssertions>(this);
    }
}

And then I'm pretty sure it would be invoked like this:

[Theory]
[InlineData("--output")]
[InlineData("-o")]
public void Verify_output_options_configuration(string alias)
{
    (new ScanCommand())
        .ShouldHaveOptionWithAlias("-o")
        .HavingArity(ArgumentArity.OneOrMore)
        .DoesAllowMultipleArgumentsPerToken();
}

Originally posted by @mscottford in #67 (comment)

git checkout-histories

Used to checkout all of the histories that have been detected for a given repository.

freshli [global options] git checkout-histories [command options] <repository-id>

What this command does?

Determines if there are histories that have not been checked out for the given repository and then delegates to the cache checkout-history command to perform the actual work of doing the checkout. The number of copies of the cache checkout-history command that are allowed to run at one time is controlled by the --workers parameter.

Global Otions

• --cache-dir <path>
  • the location where the freshli command will write temporary files as part of it’s processing
  • default value: $HOME/.freshli

Command Options

• --workers
  • the number of worker processes that should be running at any given time. This defaults to twice the number of CPU cores.
  • default: N+1 where N is the number of cores that are detected in the CPU

cache destroy

Used to completely remove the cache directory and all of its contents, including the cache database.

freshli [global options] cache destroy [command options]

What this command does?

Deletes the cache directory and all files that it contains.

Global Otions

• --cache-dir <path>
  • the location where the freshli command will write temporary files as part of it’s processing
  • default value: $HOME/.freshli

Command Options

• --force
  • Skips the prompt confirming that operation should proceed

Freshli-CLI should be installable as a .NET tool. For example:

dotnet tool install freshli

.NET tools are usually downloaded from NuGet. For more details on how to create a .NET tool see:

https://docs.microsoft.com/en-us/dotnet/core/tools/global-tools-how-to-create

git clone

Used to clone the project into the cache directory.

freshli [global options] git clone [command options] <repository-url>

What this command does?

Uses the git command to clone the repository under the $CACHE_ROOT/repositories/ directory. A unique ID will also be generated for the repository. Repository ID, url, and path will be added to the repositories table in the cache database. The command’s only output to STDOUT is the repository id.

Global Otions

• --cache-dir <path>
  • the location where the freshli command will write temporary files as part of it’s processing
  • default value: $HOME/.freshli

Command Otions

• --git-path
  • Path to the git binary
  • default value: git
• --branch <name>
  • The branch to checkout after cloning the repository
  • If the option is not specified, then no checkout command will be issued. The remote server’s default branch will be used instead.

git checkout-history

Used to checkout a specific historical point for a given repository.

freshli [global options] git checkout-history [command options] <repository-id> <sha>

What this command does?

Delegates to the git archive command to create an archive of the specified sha, and then extract that archive into the $CACHE_ROOT/histories/<repository id>/<sha> directory.

Global Options

• --cache-dir <path>
  • the location where the freshli command will write temporary files as part of it’s processing
  • default value: $HOME/.freshli

Command Options

• --git-path
  • Path to the git binary
  • default value: git

Edit: Changed this case to create an automated build for the CLI. Didn't notice one did not exist yet. Leaving the below notes on GitVersion as using GitVersion will be part of the build process to determine the exe version.

Use GitVersion to generate the version number for this project. Actually the plan is to use the GitHub Action. GitVersion will be setup to support the Cactus Branching model (see below for details) which requires a setup like:

# GitVersion.yml
branches:
  master:
    mode: ContinuousDeployment
    tag: 'alpha'
    increment: Minor
    prevent-increment-of-merged-branch-version: false
    track-merge-target: true
  release:
    tag: 'beta'
    increment: Patch
    prevent-increment-of-merged-branch-version: true
    track-merge-target: false

The idea is that only release-X.Y branches are tagged something like vX.Y.Z. Then this tag is merged back to main GitVersion will calculate the next version number as vX.Y+1.0.0.

When a feature branch is merged to release-X.Y for a bug fix only the patch number will be incremented and the major, minor, and patch numbers left as is.

GitVersion generates several different version number formats such as:

• AssemblySemVer: 0.8.0.0
• NuGetVersionV2: 0.8.0-alpha0001
• MajorMinorPatch: 0.8.0

GitVersion can set the version in C# Assembly Version files now that they have fixed this issue.

An example of the Cactus or Trident Branching model:

Spawned from #23 and depends on #25 being completed first.

We would like to use Freshli in continuous integration (CI) builds to calculate the Freshness score of the project for the commit being built. To do this we will need a Freshli-CLI to return a Freshness score for the current commit which the Freshli-CLI does not support.

The command should look something like:

freshli-cli score [threshold] [--directory directory]

The score command will analysis dependencies in the current directly, or in the directory argument, and return a Freshness score. The Freshness score will be a single number that represents the Freshness for the entire directory. For example if the directory has NuGet and NPM packages it will return the score both files combined.

If the Freshness score is greater then then threshold argument the command will fail. For example, if the a project always wants a Freshness score of 10 or less then they would run a command like:

freshli-cli score 10

In a GitHub Action I see using it as:

# Assume .NET 5.0 is installed.
- name: Run Freshli
  run: |
    dotnet tools install freshli-cli
    freshli-cli score 10

If you want the Freshness value to use in a different GitHub action:

- name: Run Freshli
  id: freshli
  run: |
      dotnet tools install freshli-cli
      echo "::set-output name=FRESHNESS::$(freshli-cli score)"

- name: Display Freshness
  run: echo "Freshness: ${{ steps.freshli.outputs.FRESHNESS }}"

I don't think Freshli-Lib currently supports computing just the Freshness score for the currently checked out commit. If not we will have to add the API methods.

Would like to set up Dev Containers to allow for easy development for the project, including pulling down the Freshli core.

I do want to extend this to other IDEs, but going to focus this task on just setting up VSCode, since the Dockerfile created will probably extend to other IDEs.

Update the ReadMe with steps on how to get the Freshli CLI (i.e. where to download, install use dotnet tool, etc). Should include examples of using the CLI and example results. It should also list the languages Freshli supports as well as a summary of known issues.

GitReleaseManager will fail if it finds an issue in the GitHub Milestone that has a label it does not recognize. A list of labels GitReleaseManager recognizes can be found here and include:

- Breaking Change
- Bug
- Documentation
- Feature
- Good First Issue
- Help Wanted
- Improvement
- Question

To fix the issue the GitReleaseManager.yaml file needs to be updated to support labels such as dev-ops. You can find documentation about GitReleaseManager issue to include here and label aliases here. You can also see an example in the GitReleaseManager.yaml in Freshli-Lib.

P.S. - Note the GitReleaseManager.yaml file must end in yaml. This is a known issue.

Try to use the CLI in automated builds and find out what features would be useful. Trying to use the CLI in automated builds will hopefully create some discussion in this case and also issue/PRs for both the CLI and Lib.

On example of using Freshli CLI in an automated build is to get a Freshness score and fail the build the score is too high (i.e. dependencies our too out of date). How high is too high? Can we compare it with the previous builds Freshness score?

Another example is can the CLI produce data that can be used by the Continuous Integration platform in a graph? Can it upload the data somewhere useful to the user? Perhaps upload it to Freshli Web?

Any other ideas?

Note: Currently this issue is assigned to @mfcorgi but I'm hoping that others will try the CLI in their automated build and give us feedback.

cache prepare

Used to ensure that the cache directory exists and that it contains a valid cache database instance. If an existing cache database is found, then the database will be checked to determine if migrations need to be run against it.

freshli [global options] cache prepare

What this command does?

Ensures that the cache directory exists and that the database that it contains is valid and up-to-date.

Global Otions

• --cache-dir <path>
  • the location where the freshli command will write temporary files as part of it’s processing
  • default value: $HOME/.freshli

This needs to include the dependencies that are defined in the following locations:

• *.csproj
• Gemfile/Gemfile.lock
• GitHub actions referenced by .github/workflows/*.yml

After merging #25 the CLI now spits out a bunch of debug information. This debug information should not be displayed when running the CLI unless specifically asked for. For example running the CLI with no arguments produces:

> Corgibytes.Freshli.Cli.exe
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Production
info: Microsoft.Hosting.Lifetime[0]
      Content root path: C:\Repos\freshli-cli\Corgibytes.Freshli.Cli\bin\Debug\net5.0
[Command Execution Invocation Started  - ParseResult: ![ Corgibytes.Freshli.Cli ] ]
[Command Execution Invocation Ended - ParseResult: ![ Corgibytes.Freshli.Cli ] ]
info: Microsoft.Hosting.Lifetime[0]
      Application is shutting down...
Required command was not provided.
Corgibytes.Freshli.Cli
  Root Command

Usage:
  Corgibytes.Freshli.Cli [options] [command]

Options:
  -?, -h, --help  Show help and usage information


Commands:
  scan <path>  Scan command returns metrics results for given local repository path

The info: and [Command Execution Invocation] should not be displayed when running the application. You will see similar info lines when running the scan command:

> Corgibytes.Freshli.Cli.exe scan https://github.com/corgibytes/freshli-fixture-ruby-nokotest.git
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Production
info: Microsoft.Hosting.Lifetime[0]
      Content root path: C:\Repos\freshli-cli\Corgibytes.Freshli.Cli\bin\Debug\net5.0
[Command Execution Invocation Started  - ParseResult: [ Corgibytes.Freshli.Cli [ scan <https://github.com/corgibytes/freshli-fixture-ruby-nokotest.git> *[ --format <Json> ] *[ --output <Console> ] ] ] ]
CliOutput.ScanCommand_ScanCommand_Executing_scan_command_handler
Sending metrics to Console
[
  {
    "Filename": "Gemfile.lock",
    "MetricResults": [
      {
        "Date": "2017-01-01T23:59:59.9999999",
        "LibYear": [
          {
 <... More JSON...>

The main issue to remove the debug information when running the application. Time permitting it would be nice to add a verbose argument. Something like:

 Corgibytes.Freshli.Cli.exe  -verbose scan https://github.com/corgibytes/freshli-fixture-ruby-nokotest.git

This argument would be apply to all commands and display the info information. If need be we can also set a verbose level, something like:

 Corgibytes.Freshli.Cli.exe -verbose [debug|info] scan https://github.com/corgibytes/freshli-fixture-ruby-nokotest.git

The above are just examples, feel free to suggest better ways to display debug/verbose information.

When trying to create a GitHub Release using GitReleaseManager it will fail if there are no closed issues. Error occurs in this action:

https://github.com/corgibytes/freshli-cli/actions/runs/719767690

[Draft Release] - Create/Update GitHub Release 0.4.0
2s
Run gittools/actions/gitreleasemanager/[email protected]
Command: dotnet-gitreleasemanager create --owner corgibytes --repository freshli-cli --token *** --targetDirectory /home/runner/work/freshli-cli/freshli-cli --milestone v0.4.0
/opt/hostedtoolcache/GitReleaseManager.Tool/0.11.0/x64/dotnet-gitreleasemanager create --owner corgibytes --repository freshli-cli --token *** --targetDirectory /home/runner/work/freshli-cli/freshli-cli --milestone v0.4.0

   ____ ____  __  __
  / ___|  _ \|  \/  |
 | |  _| |_) | |\/| |
 | |_| |  _ <| |  | |
  \____|_| \_\_|  |_|
               0.11.0

Creating release...
[WRN] Yaml not found, that's ok! Learn more at https://gittools.github.io/GitReleaseManager/docs/yaml
Using GitHub as VCS Provider
[WRN] Unable to find tag for milestone, so commit count will be returned as zero
[FTL] No closed issues have been found for milestone v0.4.0, or all assigned issues are meant to be excluded from release notes, aborting creation of release.
System.InvalidOperationException: No closed issues have been found for milestone v0.4.0, or all assigned issues are meant to be excluded from release notes, aborting creation of release.
   at GitReleaseManager.Core.ReleaseNotesBuilder.BuildReleaseNotes()
   at GitReleaseManager.Core.GitHubProvider.CreateReleaseFromMilestone(String owner, String repository, String milestone, String releaseName, String targetCommitish, IList`1 assets, Boolean prerelease)
   at GitReleaseManager.Cli.Program.CreateReleaseAsync(CreateSubOptions subOptions) in C:\projects\gitreleasemanager\Source\GitReleaseManager.Cli\Program.cs:line 164
   at GitReleaseManager.Cli.Program.Main(String[] args) in C:\projects\gitreleasemanager\Source\GitReleaseManager.Cli\Program.cs:line 41
Error: The process '/opt/hostedtoolcache/GitReleaseManager.Tool/0.11.0/x64/dotnet-gitreleasemanager' failed with exit code 1