Add support for SCA Elixir manifest/lockfile parsing #10022
PR checklist:
If you're unsure about any of this, please see:
51c413d to 6d68a2a
semgrep-compare-github-q5w31 results: Ran benchmark on 38 repositories. Whole benchmark is 2.1% slower (a bit of noise is expected). Relative speed improvement is 0.98 on average. Relative memory improvement is 1.00 on average.
6d68a2a to 11cf946
semgrep-compare-github-rg4hf results: Ran benchmark on 38 repositories. Whole benchmark is 1.5% faster (a bit of noise is expected). Relative speed improvement is 1.05 on average. Relative memory improvement is 1.00 on average.
Don't worry about the failing build-test-core-x86-ocaml5 job.
In #10022, Elixir incorrectly used `Mix` as the ecosystem instead of `Hex`. Mix is an Elixir build tool, where Hex is the ecosystem.
Supply Chain is adding support for Elixir when using Mix. This adds lockfile and manifest parsing to extract relevant package information used by SSC.
Since Elixir is a pro-only language, e2e testing cannot be executed since OSS semgrep cannot parse Elixir. Instead, testing for the full manifest/lockfiles has been included.
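To illustrate what "lockfile and manifest parsing" means for a Mix project, here is an added, self-contained example; it is not the parser from this PR or any Semgrep code. It reads a mix.lock (one `{:hex, ...}` or `{:git, ...}` tuple per line, as Mix writes it) and the `deps` list of a mix.exs, then joins them so each package carries its resolved version, its checksum, and whether it is a direct or transitive dependency, with the ecosystem recorded as `hex` as the follow-up comment above corrects. The sample files, the placeholder checksums, and the field names (`source`, `transitivity`, `checksum`) are my own constructions; the regex-based line matching is an assumption about the lockfile layout, not the project's approach.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholder checksums: 64 hex chars like real Hex checksums, but made up.
FAKE_SUM_A, FAKE_SUM_B = "a" * 64, "b" * 64
FAKE_SUM_C, FAKE_SUM_D = "c" * 64, "d" * 64

# Constructed mix.lock (not a real project). One entry per line, as Mix writes it.
SAMPLE_MIX_LOCK = (
    '%{\n'
    '  "decimal": {:hex, :decimal, "2.1.1", "' + FAKE_SUM_A + '", [:mix], [], "hexpm", "' + FAKE_SUM_B + '"},\n'
    '  "jason": {:hex, :jason, "1.4.1", "' + FAKE_SUM_C + '", [:mix], '
    '[{:decimal, "~> 1.0 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}], '
    '"hexpm", "' + FAKE_SUM_D + '"},\n'
    '  "my_fork": {:git, "https://example.invalid/org/my_fork.git", '
    '"0123456789abcdef0123456789abcdef01234567", [tag: "v0.1.0"]},\n'
    '}\n'
)

# Constructed mix.exs manifest. ex_doc is declared but missing from the lockfile on purpose.
SAMPLE_MIX_EXS = '''defmodule Demo.MixProject do
  use Mix.Project

  def project do
    [app: :demo, version: "0.1.0", deps: deps()]
  end

  defp deps do
    [
      {:jason, "~> 1.4"},
      {:my_fork, git: "https://example.invalid/org/my_fork.git", tag: "v0.1.0"},
      {:ex_doc, "~> 0.30", only: :dev, runtime: false}
    ]
  end
end
'''

# {:hex, :pkg, "version", "inner checksum", [build tools], [deps], "repo", "outer checksum"}
HEX_ENTRY = re.compile(
    r'^\s*"(?P<name>[^"]+)":\s*\{:hex,\s*:(?P<package>\w+),\s*"(?P<version>[^"]+)",\s*'
    r'"(?P<inner>[0-9a-f]{64})",.*"(?P<repo>[^"]+)",\s*"(?P<outer>[0-9a-f]{64})"\},?\s*$'
)
# {:git, "url", "commit ref", [options]}
GIT_ENTRY = re.compile(r'^\s*"(?P<name>[^"]+)":\s*\{:git,\s*"(?P<url>[^"]+)",\s*"(?P<ref>[^"]+)"')
# The deps list lives in a `defp deps do ... end` function in mix.exs.
DEPS_BLOCK = re.compile(r'defp?\s+deps\s+do(?P<body>.*?)^\s*end', re.DOTALL | re.MULTILINE)
# {:name, "requirement", ...} or {:name, git: "...", ...} (no requirement string)
DEP_TUPLE = re.compile(r'\{:(?P<name>\w+)(?:\s*,\s*"(?P<req>[^"]+)")?')


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    ecosystem: str            # always "hex" here: Hex is the ecosystem, Mix only the build tool
    source: str               # "hex" (fetched from a Hex repository) or "git"
    transitivity: str         # "direct" if declared in mix.exs, otherwise "transitive"
    checksum: Optional[str]   # second (outer) Hex checksum; None for git dependencies


def parse_mix_lock(text: str) -> Dict[str, dict]:
    """Return name -> fields for every {:hex, ...} or {:git, ...} entry in a mix.lock."""
    locked: Dict[str, dict] = {}
    for line in text.splitlines():
        m = HEX_ENTRY.match(line)
        if m:
            locked[m["name"]] = {"source": "hex", "version": m["version"],
                                 "repo": m["repo"], "checksum": m["outer"]}
            continue
        m = GIT_ENTRY.match(line)
        if m:
            locked[m["name"]] = {"source": "git", "version": m["ref"],
                                 "repo": m["url"], "checksum": None}
    return locked


def parse_mix_exs_deps(text: str) -> Dict[str, Optional[str]]:
    """Return name -> version requirement for the deps list (None when only git:/path: options are given)."""
    block = DEPS_BLOCK.search(text)
    if not block:
        return {}
    return {m["name"]: m["req"] for m in DEP_TUPLE.finditer(block["body"])}


def resolve_dependencies(lock_text: str, manifest_text: str) -> List[Dependency]:
    """Join the lockfile (resolved versions, checksums) with the manifest (which deps are direct)."""
    direct = parse_mix_exs_deps(manifest_text)
    return [
        Dependency(name=name, version=info["version"], ecosystem="hex", source=info["source"],
                   transitivity="direct" if name in direct else "transitive",
                   checksum=info["checksum"])
        for name, info in sorted(parse_mix_lock(lock_text).items())
    ]


def unlocked_direct_deps(lock_text: str, manifest_text: str) -> List[str]:
    """Direct deps declared in mix.exs that have no mix.lock entry (stale lock or never fetched)."""
    locked = parse_mix_lock(lock_text)
    return sorted(name for name in parse_mix_exs_deps(manifest_text) if name not in locked)


if __name__ == "__main__":
    for dep in resolve_dependencies(SAMPLE_MIX_LOCK, SAMPLE_MIX_EXS):
        print(f"{dep.name:10} {dep.version:42} {dep.source:4} {dep.transitivity}")
    print("declared but not locked:", unlocked_direct_deps(SAMPLE_MIX_LOCK, SAMPLE_MIX_EXS))
```

The manifest is what tells you which packages the project asked for, and the lockfile is what it actually resolved to; a scanner needs both, since a lockfile entry with no manifest declaration is transitive, and a manifest entry with no lockfile entry (here `ex_doc`) has no pinned version to match against advisories and is worth flagging rather than silently skipping.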