rebar3_sbom

Generates a Software Bill-of-Materials (SBoM) in CycloneDX format

Use

Add rebar3_sbom to your rebar config, either in a project or globally in ~/.config/rebar3/rebar.config:

{plugins, [rebar3_sbom]}.

Then run the 'sbom' task on a project:

$ rebar3 sbom
===> Verifying dependencies...
===> CycloneDX SBoM written to bom.xml

The following command line options are supported:

-o, --output  the full path to the SBoM output file [default: bom.xml]
-f, --force   overwrite existing files without prompting for confirmation
              [default: false]

By default only dependencies in the 'default' profile are included. To generate an SBoM covering development environments, specify the relevant profiles using 'as':

$ rebar3 as default,test,docs sbom -o dev_bom.xml

Contributors: keynslug, lafirest, sstrollo, voltone

rebar3_sbom's Issues

Also read license information from `hex_metadata.config`?

@voltone, continuing from #16, but opening as a new issue since they're only slightly related, not the same thing.

This is more of a feature request.

As ninenines/cowboy#1651 surfaced, it's possible non-rebar3 libraries are being consumed by rebar3_sbom to generate the bill of materials. Taking this into account, and assuming Hex.pm as the de facto online package manager for Erlang/OTP, would you be willing to allow extending the plugin to read the license information from hex_metadata.config, too?

(I'm trying to find more information on this file, or how it's referenced, to understand how to proceed, but opened this parallel discussion to try to find common ground between these two approaches - .app.src and .app/no-rebar3)

bom.xml does not contain a complete list of dependencies

Hi there and thanks for this plugin.

Problem
I don't have much experience with erlang/rebar3 but I need to use this plugin. For some projects, a complete list of dependencies is not generated, although in my opinion they should be in the bom.xml file. For example:

Project one
https://github.com/erlcloud/erlcloud

part of file rebar.config:

{deps, [
        {jsx, "2.11.0"},
        {lhttpc, "1.6.2"},
        {eini, "1.2.9"},
        {base16, "1.0.0"}
       ]}.

{overrides,
 [
  %% do not pull in the covertool plugin or repo, cause it fetches rebar and
  %% breaks rebar3!
  {override, eini, [{plugins, []},{deps, []}]}
 ]}.

{profiles, [
            {test, [{deps, [{meck, "0.9.0"}]}, {erl_opts, [warnings_as_errors]}]}
           ,{warnings, [{erl_opts, [warnings_as_errors]}]}
           ]}.

As I understand it, the dependencies of this project will be jsx, lhttpc, eini, base16.
Output of command rebar3 deps:

===> Verifying dependencies...
base16 (locked pkg source)
eini (locked pkg source)
jsx (locked pkg source)
lhttpc (locked pkg source)

Bom.xml does not contain any components for this project with any profiles (default, default, test, docs).
I mean this: rebar3 as default,test,docs sbom -o dev_bom.xml

Project two
https://github.com/kivra/restclient

part of file rebar.config:

{deps, [{hackney,"1.17.4"},
        {jsx,"2.11.0"},
        {erlsom,"1.5.0"}
       ]}.

{profiles,
    [{test, [
        {erl_opts, [nowarn_export_all]},
        {deps, [ proper
               , {meck, "0.8.13"}
               ]}
    ]}
]}.

As I understand it, the dependencies of this project will be hackney, jsx, erlsom.
Output of command rebar3 deps:

===> Verifying dependencies...
erlsom (locked pkg source)
hackney (locked pkg source)
jsx* (locked package 2.9.0 <> pkg source)

Bom.xml does not contain any components for this project with any profiles (default, default, test, docs).
I mean this: rebar3 as default,test,docs sbom -o dev_bom.xml

Question
I randomly chose projects for testing; I think I can find such patterns for other projects. Tell me please, does the plugin work correctly, or should these dependencies be contained in the bom.xml report?

Error in writing the output file

I was testing the plugin in one of the repositories at work. We would like to use the plugin, and we are a big company with more than 300 repositories. There was an error if the version in the app.src tuple is an atom, e.g. {vsn, git}.

It is fixed if we consider the case of Version being an atom.

These are the logs from rebar:

===> Uncaught error: badarg
===> Stack trace to the error location:
[{erlang,binary_to_list,[git],[]},
 {xmerl_lib,export_text,2,[{file,"xmerl_lib.erl"},{line,69}]},
 {xmerl,export_content,2,[{file,"xmerl.erl"},{line,191}]},
 {xmerl,export_element,2,[{file,"xmerl.erl"},{line,224}]},
 {xmerl,export_content,2,[{file,"xmerl.erl"},{line,199}]},
 {xmerl,export_content,2,[{file,"xmerl.erl"},{line,199}]},
 {xmerl,export_element,2,[{file,"xmerl.erl"},{line,224}]},
 {xmerl,export_content,2,[{file,"xmerl.erl"},{line,199}]}]

Possibility to update hex (rebar3_sbom)

Great plugin; it seems that hex is not providing the latest version from the master branch.

{rebar3_sbom, "0.5.0"} is pointing to tag 0.5.0, but I could not locate it in this GitHub repo.

Since master fixes an issue which I hit, maybe one could redeploy it on hex with a new version.

Thanks again,
Kind regards.

Github API (to fill if not specified) - APIs are under rate limiting

Hi @voltone

Not an issue, just a note about it.

The github API is rate limited (ref https://docs.github.com/en/rest/using-the-rest-api/rate-limits-for-the-rest-api?apiVersion=2022-11-28).

A few months ago we made the same attempt but rolled back as soon as we tested it in CI: we are able to reach the limit (authenticated or not) very soon, given the number of components and daily builds we trigger.

Anyway, the current implementation ignores errors (no matter whether a connection error or a 4xx / 5xx) and falls back to not filling in the missing license.
In case of error this will lead to non-deterministic SBOM reports.

I would not make the generation non-deterministic, even less by introducing a dependency on an external (rate-limited) service.

Some licenses not reported

👋

First of all, great work on this plugin.

I'm using it in CI to automate license validation.

I'm wondering, though, why certain licenses aren't present, e.g. ssl_verify_fun's MIT, ranch's ISC, etc.

I'm mostly pulling from Hex, and am willing to go knock on doors where information is missing, but (I didn't yet look at the code) it's possible starting here is a good option.

Also willing (and able) to open a pull request to "fix"/"improve" whatever the plugin needs, regarding the issue at hand.

Thanks.
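As an added example (not rebar3_sbom code and not from the issue author), here is the kind of CI license validation the post above describes, run over the CycloneDX bom.xml the plugin writes: it parses the components and reports any that carry no license entry, which also turns the silent fallback discussed in the rate-limit note into a visible failure. The sample bom is constructed, and the CycloneDX 1.2 namespace is an assumption.

```python
# Added example (not rebar3_sbom code): read a CycloneDX bom.xml as written by
# `rebar3 sbom` and report components that carry no license entry, so a CI job
# can fail on an incomplete SBOM instead of silently accepting it.
import xml.etree.ElementTree as ET

# Constructed sample; the CycloneDX 1.2 namespace is an assumption and the
# component names mirror the ones mentioned in the issue (ranch, ssl_verify_fun).
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1">
  <components>
    <component type="library">
      <name>cowboy</name><version>2.9.0</version>
      <licenses><license><id>ISC</id></license></licenses>
    </component>
    <component type="library">
      <name>ranch</name><version>1.8.0</version>
    </component>
    <component type="library">
      <name>ssl_verify_fun</name><version>1.1.6</version>
      <licenses><license><name>MIT License</name></license></licenses>
    </component>
  </components>
</bom>"""

def parse_components(xml_text):
    """Return [(name, version, [licenses])] for every component in the BOM."""
    root = ET.fromstring(xml_text)
    # Take the namespace from the root tag so other CycloneDX versions parse too.
    ns = {"c": root.tag[1:root.tag.index("}")]}
    out = []
    for comp in root.findall("./c:components/c:component", ns):
        name = comp.findtext("c:name", default="", namespaces=ns)
        version = comp.findtext("c:version", default="", namespaces=ns)
        lics = []
        for lic in comp.findall("./c:licenses/c:license", ns):
            # CycloneDX permits either an SPDX <id> or a free-form <name>.
            value = lic.findtext("c:id", namespaces=ns) or lic.findtext("c:name", namespaces=ns)
            if value:
                lics.append(value.strip())
        out.append((name, version, lics))
    return out

def unlicensed(xml_text):
    """Components with no license at all; these should block the build."""
    return [f"{n}@{v}" for n, v, lics in parse_components(xml_text) if not lics]

def disallowed(xml_text, allowed):
    """Components whose license is outside the allow-list (SPDX ids or names)."""
    return [f"{n}@{v}" for n, v, lics in parse_components(xml_text)
            if any(l not in allowed for l in lics)]
```

In the CI job, exit non-zero whenever `unlicensed` or `disallowed` returns anything, so a missing or unexpected license fails the pipeline rather than passing unnoticed.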
