Skip to content

Combined PR for Issue Resolution / New Features #27

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 90 commits into
base: main
Choose a base branch
from
Open

Combined PR for Issue Resolution / New Features #27

wants to merge 90 commits into from

Conversation

@cognitivegears
Copy link

This combined pull request includes several significant changes to the project, focusing on enhancing logging, improving argument parsing, and updating package analysis heuristics. This also implements additional defensive coding and a few bug fixes. The most important changes are summarized below:

Logging and Configuration Improvements:

  • Added logging functionality to Combobulator, along with command line arguments for a log file and logging level. This also supports the silent mode (called quiet mode) from Issue add --silent option to cli #12

Fix syntax errors and defensive coding:

  • Added defensive coding to address PR failed when try launch scan  #21
  • Fix multiline string formatting in combobulator.py
  • Better error handling in returns from API calls
  • Added pydoc and general code formatting enhancements
  • Fixed failure to add devDependencies on NPM package
  • Safety checks on dict usage from API results to gracefully handle unexpected API responses
  • Added short sleep on API calls to avoid throttling. Note, this can in some cases slow down execution a bit, but is "nicer" on the public APIs

Added source scanning for PyPi:

Package upgrades:

  • Upgraded commons-io:commons-io
  • Upgraded requests - multiple high priority vulnerabilities remediated

Added new functionality:

  • Added JSON output option to resolve Add JSON for output options #6
  • Added new exit codes and an option to exit with an error code when heuristic warnings present, to better enable integration with CI/CD
  • Added recursive scan option to scan sub-packages within a repository
  • Added new fields onto CSV (and JSON) for boolean condition checks on heuristic failures to avoid need to parse program output to determine failures

Argument Parsing and decoupling Enhancements:

  • Refactored argument parsing into a new src/args.py file, introducing new arguments for logging configuration, recursive scanning, and error handling.
  • Updated README.md to reflect the new argument options and supported package types.
  • Created new constants.py to avoid hardcoded and duplicate strings

Package Analysis Enhancements:

  • Improved heuristics in src/analysis/heuristics.py by adding detailed docstrings, refactoring function names for clarity, and incorporating additional risk checks.

Configuration Updates:

  • Updated .pylintrc to include an init-hook for setting the Python path. This allows for running PyLint against the project.
  • Added Python-specific settings to .vscode/settings.json for better development environment configuration.

And more:

  • See diff for full change set

dependabot bot and others added 30 commits November 19, 2024 20:04
@dependabot
Bump commons-io:commons-io from 2.10.0 to 2.14.0 in /tests
29995d5 
Bumps commons-io:commons-io from 2.10.0 to 2.14.0.

---
updated-dependencies:
- dependency-name: commons-io:commons-io
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
Bump requests from 2.12.1 to 2.32.2
bbf1bf4 
Bumps [requests](https://github.com/psf/requests) from 2.12.1 to 2.32.2.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.12.1...v2.32.2)

---
updated-dependencies:
- dependency-name: requests
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@cognitivegears
Merge pull request #1 from cognitivegears/dependabot/maven/tests/comm…
a2b5958 
…ons-io-commons-io-2.14.0

Bump commons-io:commons-io from 2.10.0 to 2.14.0 in /tests
@cognitivegears
Merge pull request #2 from cognitivegears/dependabot/pip/requests-2.32.2
3fe4f10 
Bump requests from 2.12.1 to 2.32.2
@cognitivegears
Fix multiline string formatting in main function
109788d
@cognitivegears
Handle 404 status code and improve error handling in recv_pkg_info fu…
4a89de0 
…nction
@cognitivegears
Add PyPI scanner and update requirements for requirements-parser
ccff951
@cognitivegears
Refactor file path handling in Maven and NPM scanners to use os.path.…
0f9b594 
…join for improved compatibility
@cognitivegears
Fix argument parsing and improve error handling in package functions
1fdb1fc
@cognitivegears
Refactor package manager handling and error codes; introduce constant…
8ddbc6a 
…s for improved maintainability
@cognitivegears
Add logging functionality and improve error handling across package r…
a81e6c9 
…egistries
@cognitivegears
Add recursive scanning option for package managers and enhance error …
9a82db0 
…handling
@cognitivegears
Remove duplicate entries in dependency lists across Maven, NPM, and P…
8d100be 
…yPI scanners
@cognitivegears
Changed packages not exist to a warning
bebd71f
@cognitivegears
Add error handling for warnings and new exit code for package not found
98aa05d
@cognitivegears
Update project configuration and dependencies
3455502 
- Add .pylintrc for pylint configuration
- Update gql package version in requirements.txt
- Add .vscode/settings.json for Python path configuration
- Fix typo in public_checkers.py
- Enhance constants with documentation and improve formatting
- Refactor npm, pypi, and maven registry scanning functions for clarity
- Improve logging and error handling in registry modules
- Update heuristics tests for consistency and clarity
@cognitivegears
Enhance package analysis with detailed docstrings and logging improve…
05a0c23 
…ments
@cognitivegears
Add request timeout handling and constant for HTTP requests
b277998
@cognitivegears
Moved argument parsing for Combobulator
11460d6
@cognitivegears
Remove currently unused GitHub token argument
f8a39b2
@cognitivegears
Update README to include 'pypi' as a supported package manager type a…
60dc060 
…nd add new command-line arguments
@cognitivegears
Possible fix/workaround for old scan issue
5a52358
@cognitivegears
Version count conditional backwards
6bdbfcb
@cognitivegears
Added rate limiting, added additional npm info for heuristics, and ad…
5593b01 
…ded more defensive coding checks for unexpected responses
@cognitivegears
Remove unused imports from combobulator.py
2976da0
@cognitivegears
Add JSON export functionality and update README with new argument
ae5c7d7
@cognitivegears
Refactor heuristics scoring logic to use default thresholds from Defa…
e12bfa2 
…ultHeuristics class
@cognitivegears
Add risk assessment properties and update heuristics logic for packag…
e665ccb 
…e evaluation
@cognitivegears
Add risk assessment check and update export functions to include risk…
68ec38d 
… status
@cognitivegears
Update risk handling in combobulator.py to log identified risks and a…
f9a2ea9 
…djust exit codes
@cognitivegears
Fixed lookup of npm repo information
73acbf2
@cognitivegears
Matched version checking fixed
bf9f95d
@cognitivegears
Small change to wording
0d582af
@cognitivegears
Setting version information
12e4657
@cognitivegears
Fixed version lookup
95ae5c8
@cognitivegears
Fixed npm resolution for latest
6d27239
@cognitivegears
Improved release and tag comparisons
abd8b82
@cognitivegears
Added tests for recent changes
3dffc03
@cognitivegears
General cleanup
ac013f3
@cognitivegears
Enhanced config file
4545380
@cognitivegears
Added http rate limiting and retry support
c9d36a4
@cognitivegears
updated example
7bec27f
@cognitivegears
Initial version of policy based scans
ffadbf1
@cognitivegears
Changed command line arguments
6d6086e
@cognitivegears
Fixed pypi license checking
25a352d
@cognitivegears
Fixed npm license checking
affbe69
@cognitivegears
Fixed small bug with maven lookup
02ffa8f
@cognitivegears
Added depsdev for further enrichment
a5abc74
@cognitivegears
Fixes scanning lock files
5cd1532
@cognitivegears
Added dev and test dep detection, transitive and direct
7f7735f
@cognitivegears
Fixed regression in npm
d49ca6f
@cognitivegears
Fixed bug with npm naming
851f8b4
@cognitivegears
Refactoring
0ac25b6
@cognitivegears
Added new linked mode to validate package linkage
fd8eb39
@cognitivegears
Updated to use scan semantics
a916748
@cognitivegears
Updated version
4bdbe42
@cognitivegears
Added linked policy type
c5a94fe
@cognitivegears
Added partial match support
93a23b1
@cognitivegears
Merge pull request #8 from cognitivegears/dependabot/github_actions/a…
1ba0c19 
…ctions/setup-python-6

Bump actions/setup-python from 5 to 6
@cognitivegears
Merge pull request #9 from cognitivegears/dependabot/github_actions/a…
5815d8b 
…ctions/checkout-5

Bump actions/checkout from 4 to 5
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add JSON for output options

1 participant

@cognitivegears