GitHubTagsAPI vs GitTagsAPI

[Hritik14]

Currently we are scraping Github for tags for VersionAPI
https://github.com/nexB/vulnerablecode/blob/e9943b014f5f07b970988f910b2aaebcec0a6e58/vulnerabilities/package_managers.py#L414-L466

Imo, we could have a GitTagsAPI looking at the GitDataSource's git filesystem and find out all the contained tags. This would avoid GitHub scraping without a proper API, plus it would work for all git repositories, regardless of being on GitHub.

Also, if we happen to move with GitHubTagsAPI, should we focus more on the releases part than the tags part ? Eg: https://api.github.com/repos/nexB/vulnerablecode/releases. This might not be favorable in all cases, I'd like some suggestions here.

[sbs2001]

@Hritik14 GitHubTagsAPI is used for getting tags without cloning the whole repo.

For tags vs releases:

1. tag is a git feature while release is a github feature.
2. A tag can exist without a release but the vice versa is not true. Hence tag is more authoritative.

The implication of (1) is that release is not used by projects which just have their mirrors on github, or have some other way to distribute. Eg https://api.github.com/repos/nginx/nginx/releases

[Hritik14]

Agreed. We could have used git ls-remote to get the remote tags without cloning the repo but after the addition of time travel (eec65ab) which needs the tag date, I don't think it would be possible now.

[pombredanne]

FWIW, probably too late ... if this helps:
https://github.com/nexB/scancode-toolkit/blob/3f7da81d6b207ac2b1d384defb83a5f2c82216f4/etc/scripts/licenses/synclic.py#L339 is a small utility function that I use to fetch tags using the GH api and then fetch a release archive from some repos.