
chore: Update release candidate #5185

Merged
merged 59 commits into from
Apr 22, 2024

Conversation

PeterSchafer (Contributor)

Release Candidate

thisislawatts and others added 30 commits March 11, 2024 15:55
* chore(ci): switch to small go image

Context: p95 duration for this job over the last 90 days is 2m 17s

Solution: Switch from 2.3Gb image to generic 513mb image.

Fetching the `bastiandoetsch209/cli-build` image can increase
the Job time by ~60 seconds if the image is not cached.

```
Warning: No authentication provided, using CircleCI credentials
for pulls from Docker Hub.
image cache not found on this host, downloading bastiandoetsch209/cli-build:20240214-145818
…
bastiandoetsch209/cli-build:20240214-145818:
  using image bastiandoetsch209/cli-build@sha256:1504fdbb34f02aab15475c3eacf8c0fc82be83059cda435b91327e43a98cb863
pull stats: download 2.279GiB in 23.682s (98.54MiB/s), extract 2.31GiB in 58.549s (40.39MiB/s)
```

Even pipelines run within minutes of each other do not necessarily hit the same image cache.
The caching layer in use here is entirely opaque to me, but the observed effects are
that the `Spin up environment` step can take either 0 or 60 seconds.

Switching to one of the Circle CI provided images which also tend to be smaller could help here.
Perhaps the inscrutable image caching is more likely to be optimised for their own images.

* chore(ci): removes unused dep to speed up feedback cycle

The test-go job has a dependency on the artifacts generated as
part of the prepare-build job. Running this asap to reduce time
to results.

As of Composer v2.7.2 the tool will emit an error
if the version has not been defined on the root composer.json
https://github.com/composer/composer/releases/tag/2.7.2

Windows is the slowest test run, a problem made worse
by the time consuming build process that runs before it.

Perhaps a short term workaround until we have time to
optimise the build step is to increase the number of shards.
* fix: validate PR title

* chore: introduce linting for GitHub PR titles

* chore: update node for danger job

* chore: attempt at tracking edits to PRs
* fix: add support for development python versions

* test: explicitly state project version (#5108)

As of Composer v2.7.2 the tool will emit an error
if the version has not been defined on the root composer.json
https://github.com/composer/composer/releases/tag/2.7.2

* chore: introduce script to help create release (#5107)

---------

Co-authored-by: Luke Watts <luke@snyk.io>
Co-authored-by: Avishagp <noreply@snyk.io>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
- feat: support verbose for maven

Support passing -Dverbose to resolve omitted dependencies using maven-dependency-plugin.

When verbose is being used, execute a specific version of the maven-dependency-plugin.
This is because on lower versions of this plugin outputType=dot is not supported, and it will output a tree.

When verbose is on, skip pruning and ensure all dependency lines are traversed fully, using breadth-first traversal; first in wins for version resolution.

- fix: record and use visited dependency information

In preparation for supporting -Dverbose the breadth first search needs to retain
previously visited dependency information.

At the moment we record whether a dependency has been seen (true/false)
based on the maven graph node id. This id contains the dependency version.
For example 'com.example:my-app:jar:jdk8:1.2.3:compile'.

However when maven is determining whether a dependency has already been
seen only four properties are used:

* groupId
* artifactId
* type
* classifier (optional)

These are the properties that uniquely identify a dependency in Maven.

Changing visited to be keyed by these four properties instead.

In addition we then record the parsed dependency for these visited dependencies
so that we can use that information when adding and connecting the dep-graph nodes.

The effect is that if a duplicate node is found, the previously visited version
is preferred regardless of what the duplicate node is set to.

This doesn't really affect the current implementation because maven-dependency-plugin
hides duplicates. Another PR will start to support -Dverbose, where it becomes
important that we select the effective version being resolved by Maven.
* chore: add a simple script to install dev tools

* chore: use Brewfile
* chore: create create-release script to create/update release branches

* chore: push patch branch in create-release.sh

* chore: can dry-run create-release.sh
* chore: allow unknown flags for code test

* chore(dep): bump gaf to latest

* chore: introduce go entry point for snyk code test

* test: switch to validating output against previous run

---------

Co-authored-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>
…[CLI-73] (#5093)

* fix: Support large json data structures via --json

---------

Co-authored-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>
- Updated `snyk sbom` to accept CycloneDX 1.5
- Updated `snyk container sbom` to accept CycloneDX 1.5

Co-authored-by: Paul Rosca <paul.rosca@snyk.io>
Co-authored-by: PeterSchafer <noreply@snyk.io>
* refactor: mark less recommended path as deprecated

* chore: introduce test helper to isolate port selection

* refactor: switch to using helper to determine port

We need to know about the port ahead of time so that we can
use it in our configuration. This supports iterating from fixed
ports to random ports so we can support running in parallel and
ensure no collision between our tests.

* chore: apply formatting
* chore(deps): upgrade jest to latest

* test: update snapshot
* test: migrate code tests to acceptance

* test: succeed testing with correct exit code - with sarif output and no markdown

* test: track analytics are called added

* test: should fail - when server returns error codes

* test: Always calls code-client with url coming from sastSettings

* chore: address lint issues
Co-authored-by: Avishagp <noreply@snyk.io>
These files are not tracked by git and result in a noticeable
lag in prettier whilst they are being processed.

See here for an example of the ~4.5 second delay caused by prettier.

```
.tap/coverage/01fec6e5-492e-4f01-baa6-69022efbebfc.json 15ms
.tap/coverage/05a96cf2-7cea-4e31-8d82-745c88fbd122.json 224ms
.tap/coverage/093b21d5-b8a4-4dd1-9815-e669729363b2.json 80ms
.tap/coverage/4c57c24d-61e9-41d8-912a-8944b9e3dd85.json 15ms
.tap/coverage/51be6d29-8498-42b5-b648-4331a8cc1620.json 2430ms
.tap/coverage/77a86007-79d2-403a-9fd0-0099176628eb.json 58ms
.tap/coverage/ad188bc4-8e9f-42ed-bdbb-febdf9e2fd70.json 2213ms
.tap/coverage/e3b30972-2569-41f3-a2f0-0b516524c56e.json 56ms
.tap/coverage/e4e079ea-f384-434c-8a8f-430f6bda7501.json 16ms
.tap/coverage/ec4b832d-d31c-40b7-8657-48b874219100.json 18ms
.tap/coverage/f47299fe-8a09-46ac-99f8-33209e0bb687.json 5ms
.tap/processinfo/01fec6e5-492e-4f01-baa6-69022efbebfc.json 4ms
.tap/processinfo/05a96cf2-7cea-4e31-8d82-745c88fbd122.json 5ms
.tap/processinfo/093b21d5-b8a4-4dd1-9815-e669729363b2.json 4ms
.tap/processinfo/4c57c24d-61e9-41d8-912a-8944b9e3dd85.json 3ms
.tap/processinfo/51be6d29-8498-42b5-b648-4331a8cc1620.json 5ms
.tap/processinfo/77a86007-79d2-403a-9fd0-0099176628eb.json 4ms
.tap/processinfo/ad188bc4-8e9f-42ed-bdbb-febdf9e2fd70.json 5ms
.tap/processinfo/e3b30972-2569-41f3-a2f0-0b516524c56e.json 4ms
.tap/processinfo/e4e079ea-f384-434c-8a8f-430f6bda7501.json 3ms
.tap/processinfo/ec4b832d-d31c-40b7-8657-48b874219100.json 4ms
.tap/processinfo/f47299fe-8a09-46ac-99f8-33209e0bb687.json 3ms
```
thisislawatts and others added 24 commits April 8, 2024 10:38
This safe-guards and enforces that global ignores functionality has the necessary commands available.
* feat: parse workflow data to determine errors

* fix: switch to align with finalised schema

* chore(deps): bump gaf to latest

* test: refactor to support integration test

* fix: introduce custom error for storing exit code

* chore: adjust wording on json error

* test: update to match new error

* chore: remove file

* chore(deps): update go-application-framework to latest

* chore: reorder imports

* chore: remove unused code

* refactor: switch to structured test data

* chore: fix formatting

* chore: rename to include global prefix

* fix: switch to content_type ref

* chore: remove unused file

* refactor: switch to exported type

* refactor: introduce tests for displayError

We want to ensure that nothing is displayed for
the new Error being generated from TestSummary payload

* test: switch to NewInMemory configuration

* fix: display error logic to handle ExitCode errors

* fix: broken import

* test: remove defunct test

---------

Co-authored-by: Peter Schäfer <101886095+PeterSchafer@users.noreply.github.com>
* feat: snyk woof ro language support and tests

* chore: use jest table tests instead of forEach
* feat(sbom): Introduce experimental sbom test command

---------

Co-authored-by: Tim Pickles <tim.pickles@snyk.io>
Co-authored-by: mcombuechen <noreply@snyk.io>
* chore(ci): enable stable release channels

* chore: add release scripts to makefile

* chore: add additional instructions to prepare-release

* chore: run formatter after generating release notes

* chore: remove unused variable

* chore: ensure to use the correct version in release notes

* chore: use correct version in create-release

* chore: use long form of semver --coerce

* chore: add comment on version cleanup
PeterSchafer marked this pull request as ready for review April 19, 2024 16:07
PeterSchafer requested a review from a team as a code owner April 19, 2024 16:07
PeterSchafer merged commit 6cb942c into release-candidate Apr 22, 2024
6 of 10 checks passed
PeterSchafer deleted the tmp/1713542475-release-candidate branch April 22, 2024 09:59