fabric8-analytics / fabric8-analytics-vscode-extension

Red Hat Dependency Analytics extension

Home Page: https://marketplace.visualstudio.com/items?itemName=redhat.fabric8-analytics

License: Apache License 2.0


fabric8-analytics-vscode-extension's Introduction

Red Hat Dependency Analytics


Red Hat's Dependency Analytics (RHDA) extension makes you aware of security concerns within your software supply chain while you code your application. The Red Hat Dependency Analytics extension uses vulnerability data sources for the most up-to-date vulnerability information available.

NOTE:
The Red Hat Dependency Analytics extension is an online service hosted and maintained by Red Hat. Red Hat Dependency Analytics only accesses your manifest files to analyze your application dependencies before displaying the vulnerability report.

IMPORTANT:
Currently, Red Hat Dependency Analytics only supports projects that use Maven (mvn), Node (npm), Golang (go mod) and Python (pip) ecosystems. In future releases, Red Hat plans to support other programming languages.


Quick start

Prerequisites

  • For Maven projects, analyzing a pom.xml file, you must have the mvn binary in your system’s PATH environment.
  • For Node projects, analyzing a package.json file, you must have the npm binary in your system’s PATH environment.
  • For Golang projects, analyzing a go.mod file, you must have the go binary in your system’s PATH environment.
  • For Python projects, analyzing a requirements.txt file, you must have the python3/pip3 or python/pip binaries in your system’s PATH environment.


IMPORTANT:
By default, Visual Studio Code runs binaries found in your system's PATH environment directly in a terminal. You can configure Visual Studio Code to use binaries from a different location through the extension settings: click the Workspace tab, search for the word executable, and specify the absolute path to the binary file you want to use for Maven, Node or Golang.

Procedure

  1. Install Visual Studio Code on your workstation.
  2. After the installation finishes, open the Visual Studio Code application.
  3. From the file menu, click View, and click Extensions.
  4. Search the Marketplace for Red Hat Dependency Analytics.
  5. Click the Install button to install the extension.
  6. To start scanning your application for security vulnerabilities, and view the vulnerability report, you can do one of the following:
    • Open a manifest file, hover over a dependency marked by the inline Component Analysis, indicated by the wavy-red line under a version number or dependency name, click Quick Fix, and click Detailed Vulnerability Report.
    • Open a manifest file, and click the pie chart icon.
    • Right click on a manifest file in the Explorer view, and click Red Hat Dependency Analytics Report....
    • From the vulnerability pop-up alert message, click Open detailed vulnerability report.

Configuration

The Red Hat Dependency Analytics extension has some configurable parameters that allow you to customize its behavior according to your preferences.

Procedure

  1. Open the Visual Studio Code application.

  2. From the file menu, click View, and click Extensions.

  3. Find the installed Red Hat Dependency Analytics extension, and click the Gear icon.

  4. Click Extension Settings.


Configurable parameters

Red Hat Dependency Analytics Report File Path :
Specify the local path to create the Red Hat Dependency Analytics report file. The default path is /tmp/redhatDependencyAnalyticsReport.html.


IMPORTANT:
The redHatDependencyAnalyticsReportFilePath setting name has changed to reportFilePath.

Inline Vulnerability Severity Alerts :
You can set the vulnerability severity alert level to Error or Warning for inline notifications of detected vulnerabilities.

Features

  • Component analysis
    Upon opening a manifest file, such as a pom.xml, package.json, go.mod or requirements.txt file, a scan starts the analysis process. The scan provides immediate inline feedback on detected security vulnerabilities for your application's dependencies. Such dependencies are underlined in red, and hovering over one gives you a short summary of the security concern from the available data sources. The summary has the full package name, version number, the number of known security vulnerabilities, and the highest severity status of those vulnerabilities.

    NOTE: Add the target folder to your .gitignore file to exclude it from Git monitoring.


  • Recommendations and remediations
    After running a detailed analysis report on a specific component version, you can view recommendations and remediations by using the Quick Fix... menu. If there is a Red Hat recommended package version available, you can replace your version with Red Hat's version.



    IMPORTANT: For Maven projects only, when analyzing a pom.xml file, you must configure Red Hat's generally available (GA) repository to use the recommendations or remediations. Add this repository, https://maven.repository.redhat.com/ga/, to your project's configuration.

  • Excluding dependencies with exhortignore
    You can exclude a package from analysis by marking the package for exclusion. If you wish to ignore vulnerabilities for a dependency in a pom.xml file, you must add exhortignore as a comment against the dependency, group id, artifact id, or version scopes of that particular dependency in the manifest file. For example:

     <dependency> <!--exhortignore-->
     	<groupId>...</groupId>
     	<artifactId>...</artifactId>
     	<version>...</version>
     </dependency>

    If you wish to ignore vulnerabilities for a dependency in a package.json file, you must add exhortignore as an attribute-value pair. If exhortignore is followed by a list of comma-separated vulnerability IDs, only the listed vulnerabilities are ignored during analysis. For example:

     {
     	"name": "sample",
     	"version": "1.0.0",
     	"description": "",
     	"main": "index.js",
     	"keywords": [],
     	"author": "",
     	"license": "ISC",
     	"dependencies": {
     		"dotenv": "^8.2.0",
     		"express": "^4.17.1",
     		"jsonwebtoken": "^8.5.1",
     		"mongoose": "^5.9.18"
     	},
     	"exhortignore": [
     		"jsonwebtoken"
     	]
     }

    If you want to ignore vulnerabilities for a dependency in a go.mod file, you must add exhortignore as a comment against the dependency in the manifest file. For example:

     require (
     	golang.org/x/sys v1.6.7 // exhortignore
     )
    

    If you want to ignore vulnerabilities for a dependency in a requirements.txt file, you must add exhortignore as a comment against the dependency in the manifest file. For example:

     requests==2.28.1 # exhortignore
    
  • Excluding developmental or test dependencies
    Red Hat Dependency Analytics does not analyze dependencies marked as dev or test; these dependencies are ignored.

    For example, setting test in the scope tag within a pom.xml file:

     <dependency>
     	<groupId>...</groupId>
     	<artifactId>...</artifactId>
     	<version>...</version>
     	<scope>test</scope>
     </dependency>

    For example, setting the devDependencies attribute in the package.json file:

     {
     	"name": "sample",
     	"version": "1.0.0",
     	"description": "",
     	"main": "index.js",
     	"keywords": [],
     	"author": "",
     	"license": "ISC",
     	"dependencies": {
     		"dotenv": "^8.2.0",
     		"express": "^4.17.1",
     		"jsonwebtoken": "^8.5.1",
     		"mongoose": "^5.9.18"
     	},
     	"devDependencies": {
     		"axios": "^0.19.0"
     	}
     }

    For example, using exclude in the go.mod file:

     exclude golang.org/x/sys v1.6.7
    
     exclude (
     	golang.org/x/sys v1.6.7
     )
    

    For example, creating an alternative file to requirements.txt, like requirements-dev.txt or requirements-test.txt and adding the dev or test dependencies there instead.

  • Red Hat Dependency Analytics report
    The Red Hat Dependency Analytics report is a temporary HTML file that exists while the Red Hat Dependency Analytics Report tab remains open. Closing the tab removes the temporary HTML file. You can specify the file name by modifying the Red Hat Dependency Analytics: Red Hat Dependency Analytics Report File Path field in the extension settings.

  • Python and Go package manager behavior
    When a user requests a Python or a Go package analysis, Red Hat Dependency Analytics performs the analysis by looking at the version tags from those environments, and not from the manifest files of those environments. This can result in the user receiving information that does not match their intended request. Because of this behavior, Red Hat Dependency Analytics has a new configurable workspace setting. By default, the Match Manifest Versions (MATCH_MANIFEST_VERSIONS) setting restricts Red Hat Dependency Analytics from doing an analysis on package versions that do not match the versions defined by the manifest files. When Red Hat Dependency Analytics finds a package version mismatch, an alert message asks the user to switch this setting. If the user decides to disable this restriction, Red Hat Dependency Analytics performs the analysis on versions given by the package manager only. This setting applies to Python and Go environments.


    An alternative workaround exists for Python environments only. The user can start Visual Studio Code with the EXHORT_PYTHON_VIRTUAL_ENV variable set to true. Doing this allows Red Hat Dependency Analytics to install Python packages into a virtual environment to perform the analysis. The benefit is having a clean Python environment not influenced by earlier installations, but the downside is a significantly slower analysis process.
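
Because every exhortignore marker removes a dependency from the vulnerability report, it helps to review them periodically. The following added example (not part of the extension or its README) lists the suppressed dependencies using the marker placements shown in the exhortignore section above; the function names and the SAMPLE manifests are constructed for illustration.

```javascript
// Added example, not the extension's code. SAMPLE below is constructed input.

// pom.xml: an <!--exhortignore--> comment anywhere inside a <dependency> element.
// Whitespace inside the comment is tolerated so the audit over-reports rather than misses.
function ignoredInPom(xml) {
  const found = [];
  for (const [, body] of xml.matchAll(/<dependency>([\s\S]*?)<\/dependency>/g)) {
    if (!/<!--\s*exhortignore\s*-->/.test(body)) continue;
    const tag = (t) => {
      const m = body.match(new RegExp(`<${t}>\\s*([^<]*?)\\s*</${t}>`));
      return m ? m[1] : null;
    };
    found.push({ name: `${tag('groupId')}:${tag('artifactId')}`, version: tag('version') });
  }
  return found;
}

// package.json: a top-level "exhortignore" array of package names.
// version is null when the name is no longer listed under "dependencies" (stale marker).
function ignoredInPackageJson(text) {
  const pkg = JSON.parse(text);
  const deps = pkg.dependencies || {};
  const list = Array.isArray(pkg.exhortignore) ? pkg.exhortignore : [];
  return list.map((name) => ({
    name,
    version: Object.prototype.hasOwnProperty.call(deps, name) ? deps[name] : null,
  }));
}

// go.mod: "// exhortignore" trailing a requirement line, inside or outside a require block.
function ignoredInGoMod(text) {
  const found = [];
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*(?:require\s+)?([^\s()]+)\s+(v[^\s/]+)\s*\/\/.*\bexhortignore\b/);
    if (m) found.push({ name: m[1], version: m[2] });
  }
  return found;
}

// requirements.txt: "# exhortignore" trailing a requirement line.
function ignoredInRequirements(text) {
  const found = [];
  for (const line of text.split(/\r?\n/)) {
    const hash = line.indexOf('#');
    if (hash < 0 || !/\bexhortignore\b/.test(line.slice(hash))) continue;
    const req = line.slice(0, hash).trim();
    const name = req.match(/^[A-Za-z0-9][A-Za-z0-9._-]*/);
    if (!name) continue; // comment-only line or an option line such as -r
    const pin = req.match(/==\s*([^\s;,]+)/);
    found.push({ name: name[0], version: pin ? pin[1] : null });
  }
  return found;
}

const PARSERS = {
  'pom.xml': ignoredInPom,
  'package.json': ignoredInPackageJson,
  'go.mod': ignoredInGoMod,
  'requirements.txt': ignoredInRequirements,
};

// manifests: { relativePath: fileContent }. Returns one record per suppressed dependency.
function auditSuppressions(manifests) {
  const report = [];
  for (const [path, content] of Object.entries(manifests)) {
    const parse = PARSERS[path.split('/').pop()];
    if (!parse) continue;
    for (const hit of parse(content)) report.push({ file: path, ...hit });
  }
  return report;
}

// Constructed sample manifests (not taken from any real project).
const SAMPLE = {
  'svc/pom.xml': `<project><dependencies>
    <dependency> <!--exhortignore-->
      <groupId>org.example</groupId><artifactId>legacy-lib</artifactId><version>1.0.0</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>core</artifactId><version>2.1.0</version>
    </dependency>
  </dependencies></project>`,
  'web/package.json': JSON.stringify({
    dependencies: { express: '^4.17.1', jsonwebtoken: '^8.5.1' },
    exhortignore: ['jsonwebtoken', 'left-behind'],
  }),
  'api/go.mod': `module example.com/api

require (
  golang.org/x/sys v1.6.7 // exhortignore
  golang.org/x/net v0.1.0
)
`,
  'job/requirements.txt': 'requests==2.28.1 # exhortignore\nflask==2.2.2\n# exhortignore applies per line\n',
};

console.table(auditSuppressions(SAMPLE));
```

A null version in the package.json rows points at a marker that outlived its dependency and can be removed.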
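
To see the kind of mismatch the Match Manifest Versions setting guards against in a Python environment, the following added example (an illustration, not the extension's own logic) compares the exact pins in a requirements.txt with the output of pip freeze. The function names and both sample inputs are constructed; names are compared after PEP 503 normalisation and versions after dropping trailing ".0" segments, as PEP 440 treats 8.1 and 8.1.0 as equal.

```javascript
// Added example, not the extension's code. Both inputs below are constructed.

// PEP 503 name normalisation: "Flask_Cors" and "flask-cors" are the same project.
const pyName = (n) => n.toLowerCase().replace(/[-_.]+/g, '-');
// PEP 440 zero padding: "8.1" and "8.1.0" are the same release.
const canon = (v) => v.replace(/(\.0)+$/, '');

// Parses requirements.txt syntax; pip freeze output uses the same name==version form.
// Only exact pins can be compared, so anything else is collected as "unpinned".
function parseRequirements(text) {
  const pinned = new Map();
  const unpinned = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/(^|\s)#.*$/, '').trim();
    if (!line || line.startsWith('-')) continue; // blank line, or an option such as -r / -e
    const m = line.match(/^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;]*)/);
    if (!m) continue;
    const name = pyName(m[1]);
    const exact = m[2].trim().match(/^==\s*([^\s,*]+)$/);
    if (exact) pinned.set(name, exact[1]);
    else unpinned.push(name);
  }
  return { pinned, unpinned };
}

// Returns the pins whose installed version differs (installed: null means pip freeze
// reported no version for that name) and the requirements that have no exact pin.
function compareToEnvironment(requirementsTxt, pipFreezeOutput) {
  const wanted = parseRequirements(requirementsTxt);
  const installed = parseRequirements(pipFreezeOutput).pinned;
  const mismatches = [];
  for (const [name, version] of wanted.pinned) {
    const have = installed.has(name) ? installed.get(name) : null;
    if (have === null || canon(have) !== canon(version)) {
      mismatches.push({ name, manifest: version, installed: have });
    }
  }
  return { mismatches, unpinned: wanted.unpinned };
}

// Constructed requirements.txt.
const REQUIREMENTS_TXT = `# constructed sample
requests==2.28.1
Flask_Cors==3.0.10   # same project as flask-cors
urllib3==1.26.0
PyYAML>=5.4
click==8.1
cryptography==41.0.0 ; python_version >= "3.7"
idna==3.4
-r base.txt
`;

// Constructed pip freeze output for the environment the analysis would run in.
const PIP_FREEZE = `click==8.1.0
cryptography==41.0.0
flask-cors==3.0.10
PyYAML==6.0
requests==2.31.0
urllib3==1.26.0
`;

console.log(JSON.stringify(compareToEnvironment(REQUIREMENTS_TXT, PIP_FREEZE), null, 2));
```

Here requests would be analysed as 2.31.0 rather than the pinned 2.28.1, and PyYAML has no exact pin, so its analysed version always comes from the environment.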

Using Red Hat Dependency Analytics for CI builds

You can automate the analysis of your application's vulnerabilities within the build and release pipeline. Red Hat offers integration with these Continuous Integration (CI) platforms:

Know more about the Red Hat Dependency Analytics platform

The goal of this project is to significantly enhance a developer's experience by providing helpful vulnerability insights for their applications.

Data and telemetry

The Red Hat Dependency Analytics Extension for Visual Studio Code collects anonymous usage data and sends it to Red Hat servers to help improve our products and services. Read our privacy statement to learn more. This extension respects the redhat.telemetry.enabled setting, which you can learn more about here.

Support, feedback & questions

There are two ways you can contact us:

License

Apache 2.0, See LICENSE for more information.


fabric8-analytics-vscode-extension's Issues

Q: Are there plans to support Golang?

Hi,

this is a great extension! Are there plans to support Golang?

Currently there's no de-facto package manager for Go but we (fabric8-wit) have had good experiences with a tool called glide.

IIRC in Go 1.10 there will be an integrated package manager.

To give you an idea of what a packaging file looks like in glide, this is ours: https://github.com/fabric8-services/fabric8-wit/blob/master/glide.yaml

package: github.com/fabric8-services/fabric8-wit
homepage: https://github.com/fabric8-services/fabric8-wit
license: Apache-2.0
import:
- package: github.com/fabric8-services/fabric8-tenant
  subpackages:
  - design
- package: github.com/fabric8-services/fabric8-notification
  subpackages:
  - design
- package: github.com/fabric8-services/fabric8-auth
  version: da575b14ac9ceb113f18f1c1cab75be256460d64
  subpackages:
  - design
- package: github.com/dgrijalva/jwt-go
  version: ^3.0.0
- package: github.com/goadesign/goa
  version: ^1.3.0
  vcs: git
  subpackages:
  - client
  - cors
  - design
  - design/apidsl
  - goagen
  - goagen/codegen
  - goagen/gen_app
  - goagen/gen_controller
  - goagen/utils
  - goatest
  - middleware
  - middleware/security/jwt
- package: github.com/armon/go-metrics
  version: 9a4b6e10bed6220a1665955aa2b75afc91eb10b3
- package: gopkg.in/square/go-jose.v2
  version: ^2.1.2
- package: github.com/dimfeld/httptreemux
  version: ^3.1.0
- package: github.com/lsegal/gucumber
- package: github.com/spf13/cobra
- package: golang.org/x/net
  subpackages:
  - context
- package: github.com/jteeuwen/go-bindata
  version: ^3.0.7
  subpackages:
  - '...'
- package: github.com/elazarl/go-bindata-assetfs
  subpackages:
  - go-bindata-assetfs
- package: golang.org/x/tools
  subpackages:
  - go/ast/astutil
- package: gopkg.in/yaml.v2
- package: github.com/kr/pretty
- package: github.com/kr/text
- package: github.com/pilu/fresh
- package: github.com/howeyc/fsnotify
- package: github.com/mattn/go-colorable
- package: github.com/pilu/config
- package: github.com/jinzhu/gorm
  version: 9c9de896864248929269a7cb2d64ed73b5fdf834
- package: github.com/mattn/go-isatty
  version: ^0.0.1
- package: github.com/axw/gocov
  subpackages:
  - gocov
- package: github.com/wadey/gocovmerge
- package: gopkg.in/asaskevich/govalidator.v4
- package: github.com/lib/pq
- package: github.com/stretchr/testify
  version: ^1.1.4
  subpackages:
  - assert
  - suite
- package: github.com/robfig/cron
  version: ^1.0.0
- package: github.com/andygrunwald/go-jira
- package: github.com/google/go-github
  subpackages:
  - github
- package: github.com/google/go-querystring
  subpackages:
  - query
- package: github.com/spf13/viper
- package: github.com/fsnotify/fsnotify
  version: ^1.3.1
- package: github.com/hashicorp/hcl
- package: github.com/magiconair/properties
  version: ^1.7.0
- package: github.com/mitchellh/mapstructure
- package: github.com/pelletier/go-toml
  version: ^0.5.0
- package: github.com/pkg/errors
  version: ^0.8.0
- package: github.com/spf13/afero
- package: github.com/spf13/cast
- package: github.com/spf13/jwalterweatherman
- package: golang.org/x/oauth2
- package: github.com/dnaeon/go-vcr
  version: 9d71b8a6df86e00127f96bc8dabc09856ab8afdb
  subpackages:
  - recorder
- package: github.com/russross/blackfriday
- package: github.com/microcosm-cc/bluemonday
- package: github.com/shurcooL/sanitized_anchor_name
- package: github.com/golang/lint
  subpackages:
  - golint
- package: github.com/fzipp/gocyclo
- package: github.com/sirupsen/logrus
- package: github.com/sourcegraph/syntaxhighlight
- package: github.com/jstemmer/go-junit-report
- package: github.com/sourcegraph/annotate
- package: github.com/sergi/go-diff
  subpackages:
  - diffmatchpatch
- package: github.com/xeipuuv/gojsonschema
- package: github.com/xeipuuv/gojsonreference
- package: github.com/xeipuuv/gojsonpointer
- package: github.com/prometheus/client_golang

In order to have reproducible builds, there's also a lock file to contain exact (hash) version information. This is our lock file: https://github.com/fabric8-services/fabric8-wit/blob/master/glide.lock


Language server should ignore generated poms

Language server reports issues on the target/stackinfo/poms/pom.xml even though I have not opened that file. I think generating the report for the workspace actually causes LSP to be invoked for the generated effective pom. IMHO generated files should be ignored.

Sort of failure to generate the analytics report

After logging into OSIO, I tried to get the analytics report on this pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>

	<groupId>com.redhat.vscode.demo</groupId>
	<artifactId>vscode-java-demo</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<packaging>jar</packaging>

	<name>devoxx</name>
	<description>Demo project for Spring Boot</description>

	<parent>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-parent</artifactId>
		<version>1.5.2.RELEASE</version>
		<relativePath/>
		<!-- lookup parent from repository -->
	</parent>
	<properties>
		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
		<java.version>1.8</java.version>
	</properties>

	<dependencies>

		<dependency>
			<groupId>io.vertx</groupId>
			<artifactId>vertx-service-discovery</artifactId>
			<version>3.4.1</version>
			<scope>compile</scope>
		</dependency>
		<dependency>
			<groupId>ch.qos.logback</groupId>
			<artifactId>logback-core</artifactId>
			<version>1.1.0</version>
		</dependency>
		<dependency>
			<groupId>io.vertx</groupId>
			<artifactId>vertx-health-check</artifactId>
			<version>3.4.1</version>
			<scope>compile</scope>
		</dependency>
		<dependency>
			<groupId>javax.servlet</groupId>
			<artifactId>javax.servlet-api</artifactId>
			<version>3.0.1</version>
			<scope>provided</scope>
		</dependency>
		<dependency>
			<groupId>com.github.jsimone</groupId>
			<artifactId>webapp-runner</artifactId>
			<version>7.0.22.3</version>
			<scope>provided</scope>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-data-mongodb</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-thymeleaf</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-actuator</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>
		<dependency>
			<groupId>commons-collections</groupId>
			<artifactId>commons-collections</artifactId>
			<version>3.2.1</version>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-devtools</artifactId>
			<scope>runtime</scope>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-test</artifactId>
			<scope>test</scope>
		</dependency>
		<dependency>
			<groupId>org.projectlombok</groupId>
			<artifactId>lombok</artifactId>
			<version>1.16.14</version>
		</dependency>
	</dependencies>

	<build>
		<plugins>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
				<configuration>
					<addResources>true</addResources>
				</configuration>
			</plugin>
		</plugins>
	</build>
</project>

Analytics page showed a spinner for a bit, then I got an error message (server failed 5 times), then the report opened:


Here's the Language Server Example (sic) output

events.js:163
      throw er; // Unhandled 'error' event
      ^

Error: getaddrinfo ENOTFOUND 3scale-gateway.api.openshift.io 3scale-gateway.api.openshift.io:443
    at errnoException (dns.js:28:10)
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:73:26)
[Info  - 15:48:52] Connection to server got closed. Server will restart.
events.js:163
      throw er; // Unhandled 'error' event
      ^

Error: getaddrinfo ENOTFOUND 3scale-gateway.api.openshift.io 3scale-gateway.api.openshift.io:443
    at errnoException (dns.js:28:10)
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:73:26)
[Info  - 15:48:54] Connection to server got closed. Server will restart.
events.js:163
      throw er; // Unhandled 'error' event
      ^

Error: getaddrinfo ENOTFOUND 3scale-gateway.api.openshift.io 3scale-gateway.api.openshift.io:443
    at errnoException (dns.js:28:10)
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:73:26)
[Info  - 15:48:55] Connection to server got closed. Server will restart.
events.js:163
      throw er; // Unhandled 'error' event
      ^

Error: getaddrinfo ENOTFOUND 3scale-gateway.api.openshift.io 3scale-gateway.api.openshift.io:443
    at errnoException (dns.js:28:10)
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:73:26)
[Info  - 15:48:57] Connection to server got closed. Server will restart.
events.js:163
      throw er; // Unhandled 'error' event
      ^

Error: getaddrinfo ENOTFOUND 3scale-gateway.api.openshift.io 3scale-gateway.api.openshift.io:443
    at errnoException (dns.js:28:10)
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:73:26)
[Error - 15:48:58] Connection to server got closed. Server will not be restarted.

404 error when generating stack report

I updated my extensions using the latest vsix files (fabric8-analytics-0.0.19.vsix and osio-auth-service-0.0.17.vsix)... I was able to generate the Stack Report.

But I found an issue after that. I saw that there is an update for VSCode in the settings icon (bottom left corner). I clicked on "Reload to update". Then the VSCode editor reloaded and the Stack report is not coming up now. It is showing an error, "Failed to trigger stack analysis, Status:404"

After the reload of VSCode, it is now "Version 1.19.3"

Stack Report fails for VSCode v1.25.1 on Linux

On VScode 1.25 the stack report generation is failing with the error

 Failed to trigger stack analysis: 
/usr/share/code/resources/app/out/vs/workbench/workbench.main.js:2364 

VSCode Details

Version: 1.25.1
Commit: 1dfc5e557209371715f655691b1235b6b26a06be
Date: 2018-07-11T15:40:20.190Z
Electron: 1.7.12
Chrome: 58.0.3029.110
Node.js: 7.9.0
V8: 5.8.283.38
Architecture: x64

The component analysis is working as expected for the same.

Stack analysis for NPM workspace fails due to target error

When I am at the package.json and run stack analysis for the whole workspace, it gets into a target not getting generated error.
For the same package.json when stack report is run for given package, I am stuck at generating stack report, but progress is logged in the developer toggle.


Error log:


e.$onExtensionRuntimeError @ /usr/share/code/resources/app/out/vs/workbench/workbench.main.js:3227

Error: ENOENT: no such file or directory, mkdir '/home/smasud/sententree/target'
	at Object.fs.mkdirSync (fs.js:885:18)
	at getDependencyVersion (/home/smasud/.vscode/extensions/redhat.fabric8-analytics-0.0.3/out/src/ProjectDataProvider.js:149:16)
	at Object.ProjectDataProvider.effectivef8Package (/home/smasud/.vscode/extensions/redhat.fabric8-analytics-0.0.3/out/src/ProjectDataProvider.js:71:9)
	at vscode.workspace.findFiles.then (/home/smasud/.vscode/extensions/redhat.fabric8-analytics-0.0.3/out/src/extension.js:130:75)
	at Object.g [as _notify] (/usr/share/code/resources/app/out/vs/workbench/node/extensionHostProcess.js:77:971)
	at Object.enter (/usr/share/code/resources/app/out/vs/workbench/node/extensionHostProcess.js:81:277)
	at n.Class.derive._oncancel._run (/usr/share/code/resources/app/out/vs/workbench/node/extensionHostProcess.js:83:100)
	at n.Class.derive._oncancel._completed (/usr/share/code/resources/app/out/vs/workbench/node/extensionHostProcess.js:82:559)
	at e.resolveOk (/usr/share/code/resources/app/out/vs/workbench/node/extensionHostProcess.js:573:721)
	at e._receiveReply (/usr/share/code/resources/app/out/vs/workbench/node/extensionHostProcess.js:671:316)
	at e._receiveOneMessage (/usr/share/code/resources/app/out/vs/workbench/node/extensionHostProcess.js:670:609)
	at /usr/share/code/resources/app/out/vs/workbench/node/extensionHostProcess.js:669:452
	at /usr/share/code/resources/app/out/vs/workbench/node/extensionHostProcess.js:672:575
	at /usr/share/code/resources/app/out/vs/workbench/node/extensionHostProcess.js:96:903
	at e.fire (/usr/share/code/resources/app/out/vs/workbench/node/extensionHostProcess.js:98:218)
	at a (/usr/share/code/resources/app/out/vs/workbench/node/extensionHostProcess.js:162:713)
	at Socket._socketDataListener (/usr/share/code/resources/app/out/vs/workbench/node/extensionHostProcess.js:162:932)
	at emitOne (events.js:116:13)
	at Socket.emit (events.js:211:7)
	at addChunk (_stream_readable.js:263:12)
	at readableAddChunk (_stream_readable.js:250:11)
	at Socket.Readable.push (_stream_readable.js:208:10)
	at Pipe.onread (net.js:594:20)

VSCode: 1.26.1
Os: Fedora
Package: sententree
Github: https://github.com/twitter/SentenTree

Infinite Looping error with user's npm

My node was properly installed, but there was some error with npm; even npm -v was not working correctly.
When I generated the stack report for a package.json, the process of generating effective pom went into an infinite loop of failure, instead of exiting after the first try with a message.
After fixing my npm, the report worked as expected.

VScode: 1.26.1
OS: Fedora
Package.json: yarn
https://github.com/yarnpkg/yarn

Don't reload stack report on tab change in VS code

Currently, stack report is reloaded for the same stack when the user navigates away and then comes back to the stack report tab. It would be better if we can cache the result and not reload it every time for this scenario.

For NPM ecosystem, triggering stack analysis either on workspace or on manifest file results in "Failed to resolve dependencies error"

Tried with the repositories:

https://github.com/sindresorhus/refined-twitter
https://github.com/chalk/chalk

Tried triggering stack analysis through both the workspace and manifest option, but both times it failed to generate package.json in "target" folder with the message:
"Failed to resolve dependencies". VSCode version was 1.26.0.

/cc @ravsa I think he faced the same issue.

Command fails if no editors are open

Invoking generate application stack report when no editors are open fails with the following error.
I used the command palette (F1) to invoke the command.
Running the contributed command:'extension.fabric8AnalyticsWidget' failed.

Improve On-click stack-report sentence

A minor suggestion:
Instead of saying "Generate fabric8-analytics stack report" and "Generate fabric8-analytics stack report on Workspace",
we can be more specific by saying "Generate fabric8-analytics stack report for the pom" and "Generate fabric8-analytics stack report for the workspace".


Error handling in VSCode extension

When I found the issue mentioned in #116, I also saw that the error was not handled properly. The status bar at the bottom of the VSCode window is showing "Analyzing your stack ..." continuously. Shouldn't it time out after some time? It is still showing up even after I close the stack report tab.
