Add bom process-all-manifests command

[mscottford]

bom process-all-manifests

Used to produce a CycloneDX file for each manifest file that has been detected for the provided repository-id and date-time pair.

freshli [global options] bom process-all-manifests [command options] <repository-id> <date-time>

What this command does?

For each language-specific agent that is detected, delegates to that language agent’s process-manifests command.

The same language agent that detected the manifest file will be used to process it. It is assumed that the language agent knows how to process any manifest file that it has detected, even in the case where the language ecosystem uses a variety of manifest file formats. For example, Maven and Gradle competing dependency managers in the Java ecosystem, and each one has its own manifest file format for documenting dependencies. It is assumed that the freshli-agent-java executable knows how to process both file formats.

Some language agent processors will generate a modified or translated version of the manifest file that it operated on. This modified or translated version of the manifest file is needed to replace version range expressions with specific versions that were available at the provided date-time value. Entries are created in the cache database for these modified manifests in a way that associates it with the manifest file that it originated from. The translated file is also stored in the cache for easy future retrieval.

Generating these modified manifest files requires exclusive access to a history directory tree. This means that no two instances of the same language agent processor is permitted to operate on a the same directory tree at the same time. This is regardless of the number of workers that have been specified via the --workers parameter.

An entry is created in the cache database for each CycloneDX bom.json file that is produced by this operation. The bom file’s entry includes a reference to the manifest file that it was generated from. These files are also stored in the cache file tree for examination or future processing by other commands.

It is expected that after a language agent’s process-manifests command has completed, the provided directory tree will appear unchanged. The --verify-directories option can be specified to enforce this rule.

Global Options

• --cache-dir <path>
  • the location where the freshli command will write temporary files as part of it’s processing
  • default value: $HOME/.freshli

Command Options

• --workers
  • the number of worker processes that should be running at any given time. This defaults to twice the number of CPU cores.
  • default: N+1 where N is the number of cores that are detected in the CPU
• --verify-directories
  • When specified, the contents of each processed history directory is validate before and after a language agent is run. This ensures that no residual changes were made to the directory tree by the language agent.

[mscottford]

With the implementation of #135 in progress, this command no longer needs to be implemented.