
gauge's Issues

Add support to store result in json format

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
Add support in gauge to store results in JSON format

Describe alternatives you've considered

Additional context

Deepscan not available on package type scans

Describe the bug
The deepscan flag is only interpreted on SBOM-type scans. When scanning a package and defining -d, gauge does not run and instructs the user to define valid flags.

Expected behavior
Gauge should be able to handle running gauge on package scans with "-d true" set as well

Additional context
In function SBOM() in cmd/gauge/cli/sbom.go, the deepscan variable is defined. To fix, define deepscan variable also in cmd/gauge/cli/package.go

Add support for tags

Is your feature request related to a problem? Please describe.
While running gauge against the colors.js repo, I discovered that projects might just tag the releases in the GitHub source but not create an explicit release. So, add support for discovering these tags.

Describe the solution you'd like
Support discoverability of releases through tags. Also, need to differentiate release tags vs. operational tags.

Additional context
When run against the colors.js repo, with additional debug statements:

./gauge package -p colors -e Node -t v1.3.3 -r https://github.com/Marak/colors.js
err GET https://api.github.com/repos/Marak/colors.js/releases/latest: 404 Not Found []

Support SBOM input format

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
Currently, gauge accepts package name as input. Add support for it to accept SBOM as input and run gauge against every OSS dependency in the SBOM

Describe alternatives you've considered
None

Additional context
None

Releases Feature Not Used for Some Packages

Describe the bug
For packages such as neo4j, their use of Releases has been stale since 2017, though they still update tags with release numbers. This causes Gauge to misidentify the latest release tag name.

Tags link: https://github.com/neo4j/neo4j/tags

To Reproduce
Steps to reproduce the behavior:

  1. run gauge with the following command:
    ./gauge package -p neo4j -e unknown -t 0 -r https://github.com/neo4j/neo4j -f output.json

  2. View output file with incorrect latest release:

    {
      "release_report": {
        "recommendations": {
          "package_name": "neo4j",
          "recommended_version": "3.2.0-alpha08",
          "release_timestamp": "2017-04-11T08:35:10Z",
          "num_uniq_authors": 0,
          "num_uniq_reviewers": 0,
          "zombie_commits": 0,
          "non_peer_reviewed_prs": 0,
          "change_annotations": null
        },
        "insights": {
          "package_name": "neo4j",
          "current_version": "0",
          "repo": "https://github.com/neo4j/",
          "latest_version": "3.2.0-alpha08",
          "latest_release_timestamp": "2017-04-11T08:35:10Z",
          "is_latest": false,
          "release_lag": 65,
          "major_release_lag": 65,
          "release_time_lag": "106751 days",
          "annotations": null,
          "commit_history": {
            "Changes": null,
            "Contributors": 0,
            "Approvers": 0,
            "ZombieChanges": 0
          }
        }
      },

Expected behavior
The latest release should be labeled as "4.4.9" instead of "3.2.0-alpha08".

Notes
If a project isn't using the release feature, that may not be a common occurrence and I recommend resolving this issue if this keeps coming up with different projects.
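As an added illustration of the tag-based fallback this issue describes (example code written for this page, not Gauge's own; the Version type, the tagRe pattern, the Latest function and the tag list are all assumptions constructed for the example), the block below picks the newest release from a repository's tag list when the Releases feature is stale. It goes slightly beyond the issue: it also skips operational tags that are not version numbers and, by default, pre-release tags, so an old "3.2.0-alpha08" can never outrank a stable "4.4.9".

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Version is a release-style tag split into comparable parts.
type Version struct {
	Major, Minor, Patch int
	Pre                 string // "alpha08", "drop01.0", ...; empty for a stable release
	Tag                 string // the tag name exactly as it appears on GitHub
}

// tagRe accepts "4.4.9", "v4.4.9", "3.2" and "3.2.0-alpha08"; anything else is treated
// as an operational tag (build markers, docs snapshots) rather than a release.
var tagRe = regexp.MustCompile(`^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.\-]+))?$`)

// ParseTag returns the parsed version and true, or false when the tag is not release-style.
func ParseTag(tag string) (Version, bool) {
	m := tagRe.FindStringSubmatch(tag)
	if m == nil {
		return Version{}, false
	}
	v := Version{Pre: m[4], Tag: tag}
	v.Major, _ = strconv.Atoi(m[1]) // the regexp guarantees digits, so Atoi cannot fail
	v.Minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		v.Patch, _ = strconv.Atoi(m[3])
	}
	return v, true
}

// Less orders versions numerically; a pre-release sorts before the stable release with
// the same number, and two pre-releases of the same number fall back to string order.
func (a Version) Less(b Version) bool {
	if a.Major != b.Major {
		return a.Major < b.Major
	}
	if a.Minor != b.Minor {
		return a.Minor < b.Minor
	}
	if a.Patch != b.Patch {
		return a.Patch < b.Patch
	}
	if (a.Pre == "") != (b.Pre == "") {
		return a.Pre != "" // only a is a pre-release, so a sorts first
	}
	return a.Pre < b.Pre
}

// Latest picks the highest release-style tag from a repository's tag list, which is what
// a tool needs when a project has stopped publishing GitHub Releases. Pre-release tags
// are skipped unless allowPre is set. The second result is false if no tag qualified.
func Latest(tags []string, allowPre bool) (string, bool) {
	var best Version
	found := false
	for _, t := range tags {
		v, ok := ParseTag(t)
		if !ok || (v.Pre != "" && !allowPre) {
			continue
		}
		if !found || best.Less(v) {
			best, found = v, true
		}
	}
	return best.Tag, found
}

func main() {
	// Constructed tag list in the situation the issue describes: an old pre-release,
	// newer stable tags, a newer pre-release and an operational tag.
	tags := []string{"3.2.0-alpha08", "4.4.8", "v4.4.9", "5.0.0-drop01.0", "build-2022-07"}
	stable, _ := Latest(tags, false)
	newest, _ := Latest(tags, true)
	fmt.Println("latest stable:", stable, " latest including pre-releases:", newest)
}
```

Whether pre-releases should count as "latest" is a policy choice; a release-lag metric is more honest when it compares against the newest stable tag, which is why allowPre defaults to the conservative behaviour in the call above.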

No Error Output If Github PAT Invalid

Describe the bug
When using an expired or invalid Github PAT, I was able to run Gauge against SBOMs fully in suspiciously quick times, with no clear error message that the PAT token was invalid or that a 401 Unauthorized was returned when reaching Github API. Instead, during the run many messages of "** contributor stats not available **" appeared, which was not clear to me that it was a Github token issue.

Expected behavior is to get error of 401 Unauthorized for the Github API or invalid token message.

To Reproduce
Steps to reproduce the behavior:

  1. set export GITHUB_API_KEY=abcd
  2. run Gauge, example: ./gauge package -p flask -e python -t 2.1.1 -r https://github.com/pallets/flask
  3. observe run and see that there is no clear error and output is blank and log results are also empty

Expected behavior
Expected behavior is to get error of 401 Unauthorized for the Github API or invalid token message shown.

Desktop (please complete the following information):

  • OS: MacOS Monterey 12.4
  • go version go1.17.5 darwin/amd64

Tag Parsing limited to first 30 results

Describe the bug
In pkg/ghapis/release.go, function GetChangeInsights, the repository Tags are looped to get the commit SHA for the current release and the latest release. This function does not fully search all the tags because the query params are left at the default, which lists 30 (reference to the default of 30 here).

Expected behavior
To get commit_history accurately, all tags should be searched to compare current vs latest tag and the changes between the two.

Additional context
To fix, loop through the tags and also page through all pages, similar to how it is done in the same file (releases.go) in the GetAllReleases function.
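An added example covering this issue together with the "No Error Output If Github PAT Invalid" issue above: a tag fetcher that follows the GitHub Link header through every page instead of stopping at the default 30 results, and that fails immediately on a 401 rather than treating the page as empty. This is example code written for this page, not Gauge's code (the project's GetAllReleases is not shown here and this is not a copy of it); Tag, NextLink, AllTags and FakeGitHub are names chosen for the example, and FakeGitHub is a constructed stand-in for api.github.com so the block runs offline.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Tag keeps the two fields of a GitHub "list repository tags" entry a release comparison needs.
type Tag struct {
	Name   string `json:"name"`
	Commit struct {
		SHA string `json:"sha"`
	} `json:"commit"`
}

// ErrUnauthorized surfaces a rejected token at once instead of continuing with empty data.
var ErrUnauthorized = errors.New("github API returned 401 Unauthorized: check the GITHUB_API_KEY token")

// NextLink returns the rel="next" URL from a GitHub Link header, or "" on the last page.
func NextLink(link string) string {
	for _, part := range strings.Split(link, ",") {
		seg := strings.SplitN(strings.TrimSpace(part), ";", 2)
		if len(seg) == 2 && strings.TrimSpace(seg[1]) == `rel="next"` {
			return strings.Trim(strings.TrimSpace(seg[0]), "<>")
		}
	}
	return ""
}

// fetchPage gets one page of tags plus the URL of the next page ("" when there is none).
func fetchPage(client *http.Client, url, token string) ([]Tag, string, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return nil, "", err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return nil, "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusUnauthorized {
		return nil, "", ErrUnauthorized
	}
	if resp.StatusCode != http.StatusOK {
		return nil, "", fmt.Errorf("github API %s for %s", resp.Status, url)
	}
	var page []Tag
	err = json.NewDecoder(resp.Body).Decode(&page)
	return page, NextLink(resp.Header.Get("Link")), err
}

// AllTags follows rel="next" to the last page, so the result is not capped at the default 30 per page.
func AllTags(client *http.Client, url, token string) ([]Tag, error) {
	var all []Tag
	for url != "" {
		page, next, err := fetchPage(client, url, token)
		if err != nil {
			return nil, err
		}
		all = append(all, page...)
		url = next
	}
	return all, nil
}

// FakeGitHub is a constructed stand-in for api.github.com so the example runs offline:
// three pages of two tags, real-style Link headers, and 401 unless the token is "good-token".
func FakeGitHub() *httptest.Server {
	pages := []string{
		`[{"name":"v0.1.0","commit":{"sha":"c1"}},{"name":"v0.2.0","commit":{"sha":"c2"}}]`,
		`[{"name":"v0.3.0","commit":{"sha":"c3"}},{"name":"v0.4.0","commit":{"sha":"c4"}}]`,
		`[{"name":"v0.5.0","commit":{"sha":"c5"}},{"name":"v0.6.0","commit":{"sha":"c6"}}]`,
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer good-token" {
			http.Error(w, `{"message":"Bad credentials"}`, http.StatusUnauthorized)
			return
		}
		page, _ := strconv.Atoi(r.URL.Query().Get("page"))
		if page < 1 || page > len(pages) {
			page = 1 // absent, malformed or out of range: serve the first page
		}
		if page < len(pages) {
			w.Header().Set("Link", fmt.Sprintf(`<http://%s/repos/o/r/tags?page=%d>; rel="next"`, r.Host, page+1))
		}
		fmt.Fprint(w, pages[page-1])
	}))
}

func main() {
	srv := FakeGitHub()
	defer srv.Close()
	tags, err := AllTags(srv.Client(), srv.URL+"/repos/o/r/tags?per_page=2", "good-token")
	fmt.Println(len(tags), "tags fetched across all pages; err =", err)
}
```

Two points matter for a tool that feeds release and contributor metrics into security decisions: a capped tag list silently produces wrong commit-history numbers, and a swallowed 401 produces an empty report that looks like a clean one. Checking the status on every page and stopping on the first failure makes both conditions visible to the operator.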

Support JSON Output store

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
Add support in gauge to store results in JSON format

Describe alternatives you've considered

Additional context
