
Add support for SCA Elixir manifest/lockfile parsing #10022

Merged
merged 4 commits into develop from jl/elixir-mix-parser Mar 29, 2024

Conversation

jarrydlee
Contributor

Supply Chain is adding support for Elixir when using Mix. This adds lockfile and manifest parsing to extract relevant package information used by SSC.

Since Elixir is a pro-only language, e2e testing cannot be executed since OSS semgrep cannot parse Elixir. Instead, testing for the full manifest/lockfiles has been included.
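
The parsing this PR describes, as an added example that is not semgrep's own semdep code: a small parser for an Elixir project's mix.exs (manifest, direct dependencies) and mix.lock (lockfile, pinned versions), producing one dependency record per lock entry. The sample files are constructed, the checksums are placeholders of the right length, and the entry shapes it assumes are the ones Mix writes (one entry per line: `"name": {:hex, :name, "version", "inner", [:mix], [deps], "hexpm", "outer"}` for registry packages and `"name": {:git, "url", "commit", [opts]}` for git dependencies). It reports the ecosystem as Hex rather than Mix, which is the correction the follow-up commit on this PR makes.

```python
"""Parse an Elixir project's mix.exs (manifest) and mix.lock (lockfile).

Added example in the spirit of the parsing this PR describes; it is not
semgrep's own semdep parser, and the sample files below are constructed.
Assumed entry shapes, as Mix writes them (one entry per line):
  "name": {:hex, :name, "version", "inner_sha", [:mix], [deps], "hexpm", "outer_sha"},
  "name": {:git, "url", "commit_sha", [opts]},
"""
import re
from dataclasses import dataclass
from string import Template
from typing import List, Optional, Set

# The ecosystem is the package registry (Hex), not the build tool (Mix);
# the follow-up commit on this PR makes exactly that correction.
ECOSYSTEM = "hex"


@dataclass(frozen=True)
class FoundDependency:
    package: str
    version: str             # registry version, or the pinned commit for git deps
    ecosystem: str
    transitive: bool         # not declared directly in mix.exs
    source: str              # "hex" or "git"
    checksum: Optional[str]  # outer (registry) checksum; None for git deps
    line_number: int         # 1-based line in mix.lock, for reporting locations


HEX_HEAD = re.compile(
    r'^\s*"(?P<key>\w+)":\s*\{:hex,\s*:(?P<name>\w+),\s*"(?P<version>[^"]+)"')
# Registry name and outer checksum are the last two strings of a :hex tuple.
HEX_TAIL = re.compile(r'"(?P<repo>\w+)",\s*"(?P<outer>[0-9a-fA-F]{64})"\s*\},?\s*$')
GIT_HEAD = re.compile(
    r'^\s*"(?P<key>\w+)":\s*\{:git,\s*"(?P<url>[^"]+)",\s*"(?P<ref>[^"]+)"')
# Direct deps live in `defp deps do [...] end` as tuples like {:jason, "~> 1.4"}
# or {:fork, git: "..."}; assumes no nested `end` inside that function body.
DEPS_BLOCK = re.compile(r"defp?\s+deps\s+do(?P<body>.*?)\n\s*end", re.DOTALL)
DEP_TUPLE = re.compile(r"\{\s*:(?P<name>\w+)\s*,")


def parse_manifest(mix_exs: str) -> Set[str]:
    """Names of the dependencies declared directly in mix.exs."""
    block = DEPS_BLOCK.search(mix_exs)
    if block is None:
        return set()
    return {t.group("name") for t in DEP_TUPLE.finditer(block.group("body"))}


def parse_lockfile(mix_lock: str, direct: Set[str]) -> List[FoundDependency]:
    """One FoundDependency per recognised mix.lock entry; other lines are skipped."""
    found: List[FoundDependency] = []
    for n, line in enumerate(mix_lock.splitlines(), start=1):
        if (m := HEX_HEAD.match(line)) is not None:
            tail = HEX_TAIL.search(line)
            found.append(FoundDependency(
                package=m.group("name"), version=m.group("version"),
                ecosystem=ECOSYSTEM, transitive=m.group("name") not in direct,
                source="hex", checksum=tail.group("outer") if tail else None,
                line_number=n))
        elif (m := GIT_HEAD.match(line)) is not None:
            # Git deps are pinned to a commit, not a registry version, so a
            # version-range advisory match cannot be made for them.
            found.append(FoundDependency(
                package=m.group("key"), version=m.group("ref"),
                ecosystem=ECOSYSTEM, transitive=m.group("key") not in direct,
                source="git", checksum=None, line_number=n))
    return found


def parse_project(mix_exs: str, mix_lock: str) -> List[FoundDependency]:
    """Lockfile entries, with direct/transitive decided from the manifest."""
    return parse_lockfile(mix_lock, parse_manifest(mix_exs))


# Constructed sample files; checksums are placeholders of the right length.
INNER, OUTER = "0" * 63 + "1", "0" * 63 + "2"
SAMPLE_MIX_EXS = '''
defmodule Demo.MixProject do
  use Mix.Project

  def project, do: [app: :demo, version: "0.1.0", deps: deps()]

  defp deps do
    [
      {:jason, "~> 1.4"},
      {:plug, "~> 1.15", only: :test},
      {:my_fork, git: "https://github.com/example/my_fork.git", tag: "v1.0.0"}
    ]
  end
end
'''
SAMPLE_MIX_LOCK = Template('''%{
  "decimal": {:hex, :decimal, "2.1.1", "$INNER", [:mix], [], "hexpm", "$OUTER"},
  "jason": {:hex, :jason, "1.4.1", "$INNER", [:mix], [{:decimal, "~> 1.0 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm", "$OUTER"},
  "my_fork": {:git, "https://github.com/example/my_fork.git", "0123456789abcdef0123456789abcdef01234567", [tag: "v1.0.0"]},
  "plug": {:hex, :plug, "1.15.3", "$INNER", [:mix], [{:mime, "~> 1.0 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}], "hexpm", "$OUTER"},
}
''').substitute(INNER=INNER, OUTER=OUTER)

if __name__ == "__main__":
    for dep in parse_project(SAMPLE_MIX_EXS, SAMPLE_MIX_LOCK):
        print(dep)
```

Two design points worth keeping in any real parser: the lockfile, not the manifest, is the source of truth for versions (mix.exs only carries ranges such as `~> 1.4`), and git dependencies resolve to a commit rather than a registry version, so an advisory that is expressed as a Hex version range cannot be matched against them without extra information.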

Contributor

PR checklist:

  • Purpose of the code is evident to future readers
  • Tests included or PR comment includes a reproducible test plan
  • Documentation is up-to-date
  • A changelog entry was added to changelog.d for any user-facing change
  • Change has no security implications (otherwise, ping security team)

If you're unsure about any of this, please see:

@r2c-argo
Contributor

r2c-argo bot commented Mar 28, 2024

semgrep-compare-github-q5w31 results

Ran benchmark on 38 repositories

Whole benchmark is 2.1% slower (a bit of noise is expected)

Relative speed improvement is 0.98 on average

  • 3% of scans are significantly slower

Relative memory improvement is 1.00 on average

@r2c-argo
Contributor

r2c-argo bot commented Mar 28, 2024

semgrep-compare-github-rg4hf results

Ran benchmark on 38 repositories

Whole benchmark is 1.5% faster (a bit of noise is expected)

Relative speed improvement is 1.05 on average

  • 3% of scans are significantly faster

Relative memory improvement is 1.00 on average

@mmcqd
Member

mmcqd commented Mar 28, 2024

Don't worry about the failing build-test-core-x86-ocaml5 job

@jarrydlee jarrydlee merged commit 1425b40 into develop Mar 29, 2024
51 of 52 checks passed
@jarrydlee jarrydlee deleted the jl/elixir-mix-parser branch March 29, 2024 00:04
jarrydlee added a commit that referenced this pull request Apr 2, 2024
In #10022, Elixir incorrectly
used `Mix` as the ecosystem instead of `Hex`. Mix is an Elixir build
tool, where Hex is the ecosystem.