Add draft conventions documentation for AboutCode Data (i.e. ABCD) #2
Conversation
Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>
|
@tdruez @jdaguil @chinyeungli @mjherzog @DennisClark @MaJuRG @johnmhoran @sschuberth @JonoYang @pkunz @nspsjsu and others: This is a draft and feedback is welcomed |
| technology-specific. | ||
|
|
||
| Recently there have been efforts to collect and expose more data such | ||
| as: |
There was a problem hiding this comment.
Maybe add https://dependencyci.com/ to the list?
aboutcode-data/README.rst
Outdated
| dependencies. It only provides information (metadata) about the code. | ||
|
|
||
| The vision for the ABC Data structure is to provide a common way to | ||
| exchange data about code between all nexB tools, such that these tools |
There was a problem hiding this comment.
Nit: Superfluous space in "nexB tools".
aboutcode-data/README.rst
Outdated
| underscores. Names cannot start with a number. Names cannot contain | ||
| spaces nor other punctuation, not even a dot or period. | ||
|
|
||
| - Names are NOT case sensitive: upper or lowercase does not matter and |
There was a problem hiding this comment.
Nit: Superfluous space in ": upper".
|
I haven't read it fully yet, but looks good so far 👍 I'd be eager to implement some sort of "meta-dependency-manager" that is able to query various native dependency managers like Maven, npm / yarn, pip etc. to output the dependency tree in a common format, namely, ABCD, instead of each using their own data format. This intermediate representation of the dependency tree could the be passed to another tool (a new one, or an extended version of extractcode?) to download and extract the source code of the dependencies, which then finally get scanned by scancode (or any other scanner) to get the full proctive of that really goes into a specific piece of software. |
|
@sschuberth you wrote:
that would be awesomely great! and I have thought about it too. Eventually the difficulty is that each package manager may implement some arcane and specific way to resolve a version of a package .... So the only correct way to do this is to rely on the dependency resolution algorithms of each package manager directly, meaning eventually running code. On the ABCD side, the thing is to capture:
On the tooling side, the things needed would be a way to either compute or run package managers to get resolved deps, eventually using a container that would have all the required package manager installed. Possibly adding/creating some package manager plugins (e.g Maven or similar) to help were needed. Or have parser (like in And re:
I would see two things there:
|
|
Actually let's start a repo and project for this: https://github.com/nexB/dependentcode :) |
Thank you to @sschuberth for the review Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>
Correct, and that matches what we already discussed by mail once. I'd just clarify that "running code" could mean "running the native dependency manager executable" (and capturing / parsing its output).
If by "constraints" you mean e.g. Maven scope, or Gradle configurations, I completely agree. For our use case, we'd also need to capture the download / clone URL for the dependency's source code. In case of an SCM, maybe we could re-use Maven's SCM URL format even for non-Maven project, simply to standardize on something.
Hold yer horses! ;-) As you know, we already have this implements internally for several major dependency managers, and I'm looking into going over the code to make it publicly available. |
actually this part has been spec'ed by yours truly in SPDX and is loosely modelled after
😆 I need some place to spec/design this in anycase... so there is no conflict. |
|
FWIW, the advantage of using a |
|
Well, the latter basically is also the case for Maven SCM (and the accompanying plugin), but I have no strong opinion about |
Agreed. Eventually converting from one scheme to the other should be easy-peasy and supported here. |
|
Sorry for becoming a bit off topic, but speaking of the |
You cannot get this consistently unfortunately: it may be in homepage url field or elsewhere. The way it is used in pip is when you call this: It could also be in a requirements file. The part we care for in SPDX and here would be: |
Ugh. Or nowhere, it seems. At the example of Jinja2 I was only able to the to the source code location by manually navigating to the homepage, and form there clicking on the GitHub banner. If you ever want to work on PEP stuff again, try establishing a meta-data field for the SCM URL ;-) |
|
yep... the only packages manifests OTH that are clear there wrt to always having a VCS location are Go deps/ven/weorkspace (many variants) and packagist for PHP where the fetching is primarily or only done from VCS directly... :| |
|
Also NPM almost always fetches directly from SCM / GitHub, and Maven POMs also often contain the |
This has not been my experience with npm fetches, but the VCS info is often readily there. And Maven POMs contain the scm tag, but only sometimes. |
|
Merging this. The conversation can continue in tickets or elsewhere.Thank for the feedback. |
* Add PEP 517/518 pyproject.toml file * Add setuptools_scm to handle versioning * Add setup.py content to setup.cfg * Update setup.py to act as a shim (so pip install -e works) Addresses: #2 Signed-off-by: Steven Esser <sesser@nexb.com>
Signed-off-by: Philippe Ombredanne pombredanne@nexb.com