add github dependency analysis #197
Conversation
Thanks @yazgoo. That looks like a great improvement. I'll take a closer look at it soon.
Hi @adpi2, is there something I can do to improve this PR?
Sorry, I did not get the time to review it yet. But it is near the top of my todo list. I will probably have time to review it next week.
@yazgoo here is my feedback. I think that So I suggest that To find what pulls the vulnerable dependencies, one can use
The issue with sbt-dependency-graph (and other dependency/CVE analysis tools I used) is that I don't get the same exact results as this plugin, which is why I implemented those functionalities. Another possibility is that I write a separate plugin with these functionalities, but I'd like to use the snapshot in sbt state for this.
group "alerts" and "cve" command in one command to make it easier to use.
@adpi2 does it look good to you with these latest changes?
Hi @yazgoo
Thank you for your work on this PR. I think it is good in terms of functionality and I am okay to integrate it.
Here are a few comments about the implementation, to improve its readability.
```scala
case "critical" => "\u001b[31m"
case "high" => "\u001b[31m"
case "medium" => "\u001b[33m"
case "low" => "\u001b[32m"
case _ => "\u001b[0m"
```
For these you can use Console.RED, Console.YELLOW etc, which are much easier to understand. There is Console.RESET too.
does it LGTY @adpi2?
Thanks @yazgoo, I feel like this is almost ready to merge. Could you write the documentation in the readme file though, with an example maybe, that shows the output.
Scalafmt check is failing
How can I run scalafmt locally? I tried
You need to install Then you should be able to run it:
Cool, thanks!
This adds a new command for interactive usage:
This aims at making dependency analysis easier and more in sync with what the snapshot actually contains.
Here is an example session on this repo https://github.com/yazgoo/scala-meetup-june-2024
retrieve github alerts
check snapshot against alerts
list versions of libs in snapshot:
find what pulls the broken dependency
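The session above checks a submitted dependency snapshot against GitHub alerts and then finds what pulls a vulnerable artifact. The following is an added example of that check, not the plugin's own code: it assumes Scala 2.13+, purls of the form pkg:maven/group/artifact@version, purely numeric dotted versions, and Dependabot-style version ranges such as ">= 1.2.0, < 1.4.2"; the snapshot and the alert are constructed samples.

```scala
// Added example, not the plugin's own code. Assumes Scala 2.13+, purls of the form
// pkg:maven/<group>/<artifact>@<version>, purely numeric dotted versions, and
// Dependabot-style ranges such as ">= 1.2.0, < 1.4.2". All data below is constructed.
object SnapshotAlerts {
  final case class Alert(pkg: String, vulnerableRange: String, severity: String)
  // Constructed snapshot: each purl maps to the purls it depends on.
  val snapshot: Map[String, Seq[String]] = Map(
    "pkg:maven/com.example/app@1.0.0"    -> Seq("pkg:maven/com.example/web@3.2.0"),
    "pkg:maven/com.example/web@3.2.0"    -> Seq("pkg:maven/com.example/parser@1.3.0"),
    "pkg:maven/com.example/parser@1.3.0" -> Seq.empty)
  // Constructed alert in the shape of a Dependabot security_vulnerability entry.
  val alerts: Seq[Alert] = Seq(Alert("com.example:parser", ">= 1.2.0, < 1.4.2", "high"))
  // "pkg:maven/g/a@v" => ("g:a", "v")
  def parsePurl(purl: String): (String, String) = {
    val body = purl.stripPrefix("pkg:maven/")
    val at = body.lastIndexOf('@')
    (body.substring(0, at).replace('/', ':'), body.substring(at + 1))
  }
  // Numeric dotted compare; "1.2" and "1.2.0" are equal.
  def compareVersions(a: String, b: String): Int = {
    val (pa, pb) = (a.split('.').map(_.toInt), b.split('.').map(_.toInt))
    val n = math.max(pa.length, pb.length)
    pa.padTo(n, 0).zip(pb.padTo(n, 0)).map { case (x, y) => x.compare(y) }.find(_ != 0).getOrElse(0)
  }
  // Every comma-separated "op version" clause of the range must hold.
  def inRange(version: String, range: String): Boolean =
    range.split(',').map(_.trim).forall { clause =>
      val Array(op, bound) = clause.split("\\s+"): @unchecked
      val c = compareVersions(version, bound)
      op match { case "<" => c < 0; case "<=" => c <= 0; case ">" => c > 0; case ">=" => c >= 0
                 case "=" => c == 0; case other => sys.error(s"unsupported operator $other") }
    }
  // Walk parent links up to a root, i.e. find what pulls the vulnerable artifact.
  def pathToRoot(purl: String): List[String] = {
    val parents = snapshot.toSeq.flatMap { case (p, deps) => deps.map(_ -> p) }.groupMap(_._1)(_._2)
    def climb(node: String, seen: Set[String]): List[String] =
      parents.getOrElse(node, Nil).find(!seen(_)) match {
        case Some(parent) => node :: climb(parent, seen + node)
        case None         => List(node)
      }
    climb(purl, Set.empty)
  }
  // Each vulnerable snapshot entry paired with the chain of what pulls it.
  def findings: Seq[(Alert, List[String])] = for {
    purl <- snapshot.keys.toSeq.sorted
    (name, version) = parsePurl(purl)
    alert <- alerts if alert.pkg == name && inRange(version, alert.vulnerableRange)
  } yield (alert, pathToRoot(purl))
  def main(args: Array[String]): Unit = findings.foreach { case (alert, chain) =>
    println(s"${alert.severity} ${alert.pkg} ${alert.vulnerableRange}\n  pulled by: " + chain.reverse.mkString(" -> "))
  }
}
```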