Make dependency resolution and analysis optional AND allow specifying the dep depth through CLI #838

@tromai

Description

We have agreed that it's better to have dependency resolution optional for various reasons:

  • A lot of internal use cases don't require dependency analysis.
  • Dependency resolution and analysis can take a long time to run. For users that want to try Macaron out, it's not ideal to lock them in a very long running process.

In addition, we also want to let the user, if they want to enable automatic dependency resolution, specify the depth of dependency resolution (right now we only support 1. direct dependencies and 2. all transitive dependencies).

Solution

We will make dependency resolution and analysis off by default. If the user wants to run dependency resolution, they must provide an additional flag.
The --skip-deps flag will still be left in the command line interface of Macaron, however, enabling it will not do anything, except printing out a DEPRECATED message. This flag will be completely removed after the next Macaron release (v0.13.0).

The additional flag will be called --deps-depth. This flag accepts a value that specifies the depth level of dependencies:

  • 1 means direct dependencies
  • 0 means no dependency resolution
  • inf means all transitive dependencies

In theory, we could accept any whole number as the value (e.g. 2, 3, etc.) if the need arises in the future.

Tasks

  • Make --skip-deps do nothing.
  • Add deprecated message if --skip-deps is used.
  • Remove --skip-deps from existing test cases
  • Update the Sphinx documentation (e.g.

        By default Macaron only checks the direct dependencies. To turn on recursive dependency analysis, add the following to the ``configurations.ini`` file:

        .. code-block:: ini

            [dependency.resolver]
            recursive = True

    or wherever we use the recursive flag).
  • Update the Sphinx documentation where SBOM is provided as a CLI flag. Because right now we need to set --deps-depth for SBOM deps resolution to work.
  • Make sure that when --deps-depth=0, no dependency resolution is run even if an SBOM is provided.
  • Add --deps-depth=1 to all test cases that require direct dependency resolution
  • Add --deps-depth=inf to all test cases that require transitive dependency resolution
  • Add a flag --deps-depth
  • Remove the recursive option in [dependency.resolver] in defaults.ini
  • Integration tests on invalid/valid input to --deps-depth
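
A sketch of the flag handling proposed above, added here as an illustration and not taken from Macaron's code base: `--deps-depth` accepts only `0`, `1` or `inf`, `--skip-deps` is accepted but only prints a DEPRECATED message, and depth `0` disables resolution even when an SBOM is supplied. The program name `analyze-sketch`, the option name `--sbom-path` and all function names are assumptions.

```python
import argparse
import math
import sys

ALLOWED_FINITE = {0, 1}  # depths the issue lists today; widen if 2, 3, ... are supported later


def parse_deps_depth(value: str) -> float:
    """Map a --deps-depth string to 0, 1 or math.inf; reject everything else."""
    text = value.strip().lower()
    if text == "inf":
        return math.inf
    # isdecimal() rejects signs, decimal points and empty input
    if text.isdecimal() and int(text) in ALLOWED_FINITE:
        return int(text)
    raise argparse.ArgumentTypeError(f"invalid depth {value!r}: expected 0, 1 or inf")


class DeprecatedNoOp(argparse.Action):
    """Accept the old flag, print a warning, and change nothing in the namespace."""

    def __init__(self, option_strings, dest, **kwargs):
        super().__init__(option_strings, dest, nargs=0, default=argparse.SUPPRESS, **kwargs)

    def __call__(self, parser, namespace, values, option_string=None):
        print(f"DEPRECATED: {option_string} has no effect; use --deps-depth.", file=sys.stderr)


def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(prog="analyze-sketch")  # hypothetical program name
    parser.add_argument("--deps-depth", type=parse_deps_depth, default=0,
                        help="0 = none (default), 1 = direct, inf = all transitive")
    parser.add_argument("--skip-deps", action=DeprecatedNoOp, help="deprecated, ignored")
    parser.add_argument("--sbom-path", default=None)  # hypothetical option name
    return parser


def resolution_enabled(args: argparse.Namespace) -> bool:
    """Depth 0 means no dependency resolution, even if an SBOM path was given."""
    return args.deps_depth > 0
```
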

Labels

cli: related to the Command-line Interface
