Comments (1)
After looking through it, it looks like we have long been assuming that the repositories we analyze in Macaron have a valid remote origin URL (i.e. all the repositories are cloned from a remote URL), even when we are analyzing a local repository.
However, this isn't usually the case, as we have discovered that we can clone from a local repository or clone from a git bundle. In these cases, the origin remote of those repositories will not have a remote URL (e.g. `https://...`).
For example, given a `file.bundle` at `/tmp/bundle/file.bundle`, when we run `cd /tmp/repo/ && git clone ../bundle/file.bundle`, the repository will be cloned to `/tmp/repo/file`. When we run `git remote get-url origin` inside, the return value is `/tmp/bundle/file.bundle`. In these cases, Macaron won't be able to process it and extract the git service and full name (`org/name`) out of it.
Therefore, to address this issue, we need to look into these aspects:
- How we can support a local repository with `origin` being a local path.
- Make sure that we could get the format `org/name` for the directory where the report files are stored. The full name could be made up of `local_repos` and the `basename` from that local path. For example: the reports for `/tmp/bundle/file.bundle` would be stored in `output/reports/local_repos/file.bundle`.
- This would also indirectly affect this part, where we shouldn't try to assume that the origin remote path must always be a remote URL.
- I think we need to implement a better way to come up with a unique ID for each target repository in the analysis.
- Another aspect that I have observed is that the way we distinguish duplicated Records is by using the remote path of the repository only. When we come up with a better unique ID solution for each target repository, we need to change this mechanism too. One challenge I can see at the moment is that the duplicated records only have the config values (which means we might not have branch, digest values ready, i.e. this part). I think at the moment, we don't have a way to obtain the exact digest for a target repo from the dependencies found from the dependency solver anyway. I need to think more about this.
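
One way to implement the local-origin naming proposed in the comment above, as an added example that is not Macaron's code: the function and constant names are hypothetical, and the layout `<output>/reports/<full name>` is taken from the comment's `output/reports/local_repos/file.bundle` example. It assumes POSIX paths and rejects `.` and `..` components, because the derived name ends up in a filesystem path.

```python
import posixpath
import re
from urllib.parse import urlparse

LOCAL_ORG = "local_repos"  # placeholder "org" for local origins, as proposed above
REMOTE_SCHEMES = {"http", "https", "ssh", "git"}
# scp-like remote, e.g. git@host:org/name.git (no "/" allowed before the colon)
SCP_LIKE = re.compile(r"^(?:[\w.-]+@)?[\w.-]+:(?!//)(?P<path>.+)$")


def full_name_from_origin(origin: str) -> tuple[str, str]:
    """Map the output of `git remote get-url origin` to (kind, full_name)."""
    origin = origin.strip()
    parsed = urlparse(origin)
    scp = SCP_LIKE.match(origin)
    if parsed.scheme in REMOTE_SCHEMES and parsed.hostname:
        path = parsed.path
    elif parsed.scheme != "file" and scp:
        path = scp.group("path")
    else:
        # Local directory or git bundle: no host, so no org/name to extract.
        local = parsed.path if parsed.scheme == "file" else origin
        base = posixpath.basename(posixpath.normpath(local)) if local else ""
        if base in ("", ".", ".."):
            raise ValueError(f"cannot derive a repository name from {origin!r}")
        return "local", f"{LOCAL_ORG}/{base}"
    path = path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    parts = path.split("/")
    # Refuse names that are too short or that could escape the reports directory.
    if len(parts) < 2 or any(p in ("", ".", "..") for p in parts):
        raise ValueError(f"cannot derive org/name from {origin!r}")
    return "remote", "/".join(parts)


def report_dir(output_root: str, origin: str) -> str:
    """Directory for report files: <output_root>/reports/<full name>."""
    _, full_name = full_name_from_origin(origin)
    return posixpath.join(output_root, "reports", full_name)
```
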