ibm / gauge
Measure release insights and recommendations for open-source dependencies. Note: this project is archived.
Is your feature request related to a problem? Please describe.
No
Describe the solution you'd like
Add support in gauge to store results in JSON format
Describe the bug
The deepscan flag is only interpreted on SBOM-type scans. When scanning a package and defining -d, gauge does not run and instructs the user to define valid flags.
Expected behavior
Gauge should be able to run package scans with "-d true" set as well.
Additional context
In the function SBOM() in cmd/gauge/cli/sbom.go, the deepscan variable is defined. To fix, define the deepscan variable also in cmd/gauge/cli/package.go.
Is your feature request related to a problem? Please describe.
While running gauge against the colors.js repo, discovered that projects might just tag the releases on GitHub source, but not create an explicit release. So, add support for discovering these tags.
Describe the solution you'd like
Support discoverability of releases through tags. Also, need to differentiate release tags vs operational tags.
Additional context
When run against the colors.js repo, with additional debug statements:
./gauge package -p colors -e Node -t v1.3.3 -r https://github.com/Marak/colors.js
err GET https://api.github.com/repos/Marak/colors.js/releases/latest: 404 Not Found []
Is your feature request related to a problem? Please describe.
No
Describe the solution you'd like
Currently, gauge accepts package name as input. Add support for it to accept SBOM as input and run gauge against every OSS dependency in the SBOM
Describe alternatives you've considered
None
Additional context
None
Describe the bug
For packages such as neo4j, their use of Releases has been stale since 2017, though they still update tags with release numbers. This causes Gauge to misidentify the latest release tag name.
Tags link: https://github.com/neo4j/neo4j/tags
To Reproduce
Steps to reproduce the behavior:
run gauge with the following command:
./gauge package -p neo4j -e unknown -t 0 -r https://github.com/neo4j/neo4j -f output.json
View output file with incorrect latest release:
{
"release_report": {
"recommendations": {
"package_name": "neo4j",
"recommended_version": "3.2.0-alpha08",
"release_timestamp": "2017-04-11T08:35:10Z",
"num_uniq_authors": 0,
"num_uniq_reviewers": 0,
"zombie_commits": 0,
"non_peer_reviewed_prs": 0,
"change_annotations": null
},
"insights": {
"package_name": "neo4j",
"current_version": "0",
"repo": "https://github.com/neo4j/",
"latest_version": "3.2.0-alpha08",
"latest_release_timestamp": "2017-04-11T08:35:10Z",
"is_latest": false,
"release_lag": 65,
"major_release_lag": 65,
"release_time_lag": "106751 days",
"annotations": null,
"commit_history": {
"Changes": null,
"Contributors": 0,
"Approvers": 0,
"ZombieChanges": 0
}
}
},
Expected behavior
The latest release should be labeled as "4.4.9" instead of "3.2.0-alpha08".
Notes
If a project isn't using the release feature, that may not be a common occurrence, and I recommend resolving this issue if it keeps coming up with different projects.
Describe the bug
When using an expired or invalid Github PAT, I was able to run Gauge against SBOMs fully in suspiciously quick times, with no clear error message that the PAT token was invalid or that a 401 Unauthorized was returned when reaching the Github API. Instead, during the run many messages of "** contributor stats not available **" appeared, which did not make clear to me that it was a Github token issue.
Expected behavior is to get error of 401 Unauthorized for the Github API or invalid token message.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Expected behavior is to get error of 401 Unauthorized for the Github API or invalid token message shown.
Describe the bug
In pkg/ghapis/release.go, function GetChangeInsights, the repository Tags are looped over to get the commit SHA for the current release and the latest release. This function does not fully search all the tags because the query params are left at the default, which lists only 30 (see the reference to the default of 30).
Expected behavior
To get commit_history accurately, all tags should be searched to compare current vs latest tag and the changes between the two.
Additional context
To fix, loop through the tags and also page through all pages, similar to how it is done in the same file (releases.go) in the GetAllReleases function.
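As an added example (not gauge's own code), the paging loop this issue asks for, with a local httptest stand-in for the GitHub tags endpoint: it keeps requesting pages instead of stopping at the default first 30, returns the commit SHA per tag name so the current and latest tags can be compared, and also treats a non-200 status such as the 401 from the invalid-PAT report above as an error rather than continuing silently. The owner/repo `o/r`, the tag names and the SHAs are constructed placeholders.

```go
package main
import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

const perPage = 30 // GitHub's default page size, the 30 results the issue refers to
type tag struct {
	Name   string `json:"name"`
	Commit struct{ SHA string `json:"sha"` } `json:"commit"`
}
// newTagServer fakes the tags endpoint: n constructed tags v1.0.0.. with synthetic SHAs, perPage per ?page=N.
func newTagServer(n int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		page, _ := strconv.Atoi(r.URL.Query().Get("page"))
		batch := []tag{} // stays an empty array when page is invalid or past the end
		for i := (page - 1) * perPage; page >= 1 && i < page*perPage && i < n; i++ {
			t := tag{Name: fmt.Sprintf("v1.0.%d", i)}
			t.Commit.SHA = fmt.Sprintf("%040x", i+1)
			batch = append(batch, t)
		}
		json.NewEncoder(w).Encode(batch)
	}))
}
// tagSHAs pages until an empty page, so tags past the first 30 are seen; a non-200 (e.g. 401) is an error.
func tagSHAs(base string) (map[string]string, error) {
	shas := map[string]string{}
	for page := 1; ; page++ {
		resp, err := http.Get(fmt.Sprintf("%s/repos/o/r/tags?per_page=%d&page=%d", base, perPage, page))
		if err != nil {
			return nil, err
		}
		if resp.StatusCode != http.StatusOK {
			resp.Body.Close()
			return nil, fmt.Errorf("GitHub API returned HTTP %d", resp.StatusCode)
		}
		var batch []tag
		err = json.NewDecoder(resp.Body).Decode(&batch)
		resp.Body.Close()
		if err != nil || len(batch) == 0 {
			return shas, err
		}
		for _, t := range batch {
			shas[t.Name] = t.Commit.SHA
		}
	}
}
```

With 45 constructed tags the first page alone would miss v1.0.30 onwards; the loop above returns all 45, and a server answering 401 produces an error instead of an empty result.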