philips-software / bom-base Goto Github PK
View Code? Open in Web Editor NEWCaching repository for bill-of-materials metadata
License: Other
bom-base's People
Contributors
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
Stargazers
Watchers
bom-base's Issues
Automatically resolve license URL
When a license is found to be a (valid) URL, a harvester (or just the base repository harvester) could pass the URL to the license scanner to read the referenced license and use the result of the scan instead.
Add harvester for Debian
Add auto-converter for obvious (but formally wrong) SPDX license names
Add harvester for Maven
Show statistics on dashboard about workload
Would be nice to see how many tasks are remaining in the queue, and how many packages are currently stored.
Idea would be to provide this information on a status API, and have the main client screen periodically poll that information.
Verified releases do not work.
In #76 we tried to fix creating verified releases.
This does not seem to work see ( https://github.com/philips-software/bom-base/releases/tag/v0.2.1 )
Handle false information (e.g. non-existing source location)
Add harvester for Cargo
Add harvester for NuGet
Add scancode in dockerfile
Add scancode in dockerfile
Build UI in CI/CD
Add section in readme about analyse scripts.
In #74 we've added analyse scripts.
Please add some documentation on how to use this and why you want to use this.
Background
The scripts are part of a blog we're writing on the differences between Black Duck license information and other sources. We can also add a link to that blog in this README.
Retry failed harvesting attempts (e.g. when source offline)
Move known issues from readme to issues.
Current situation
There's a list of known issues in the readme.
Proposed Situation
Move the known issues from the readme to issues to make them more contributor friendly to resolve
Extra
It more easy to see who's working on what.
Add harvester for NPM
Harvesting metadata from inner source repositories
[NpmHarvester] Support UNMET dependencies.
Problem
Some npm trees have dependencies which are unmet. UNMET PEER DEPENDENCY
This will end-up with an 405 error in the harvester.
Example tree
├─┬ @svgr/[email protected]
│ ├── @babel/[email protected] deduped
│ ├─┬ @babel/[email protected]
│ │ └── @babel/[email protected]
│ ├─┬ @babel/[email protected]
│ │ ├── @babel/[email protected]
│ │ ├── UNMET PEER DEPENDENCY @babel/core@^7.13.0
│ │ ├─┬ @babel/[email protected]
Log
2021-07-08 15:07:38.305 ERROR 13310 --- [ pool-2] .a.i.SimpleAsyncUncaughtExceptionHandler : Unexpected exception occurred invoking async method: public void com.philips.research.bombase.core.meta.registry.QueuedTaskRunner.execute(com.github.packageurl.PackageURL,java.util.function.Consumer,java.util.function.Consumer)
com.philips.research.bombase.core.npm.NpmException: Failed to harvest pkg:npm/unmet%20peer%20dependency%20%40babel%2Fcore@%5E7.13.0
at com.philips.research.bombase.core.npm.domain.NpmHarvester.harvest(NpmHarvester.java:61) ~[classes!/:0.1.1-SNAPSHOT]
at com.philips.research.bombase.core.npm.domain.NpmHarvester.lambda$onUpdated$0(NpmHarvester.java:45) ~[classes!/:0.1.1-SNAPSHOT]
at com.philips.research.bombase.core.meta.registry.QueuedTaskRunner.lambda$execute$0(QueuedTaskRunner.java:38) ~[classes!/:0.1.1-SNAPSHOT]
at java.base/java.util.Optional.ifPresent(Optional.java:176) ~[na:na]
at com.philips.research.bombase.core.meta.registry.QueuedTaskRunner.execute(QueuedTaskRunner.java:36) ~[classes!/:0.1.1-SNAPSHOT]
at com.philips.research.bombase.core.meta.registry.QueuedTaskRunner$$FastClassBySpringCGLIB$$b8050159.invoke(<generated>) ~[classes!/:0.1.1-SNAPSHOT]
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.3.7.jar!/:5.3.7]
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:779) ~[spring-aop-5.3.7.jar!/:5.3.7]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.3.7.jar!/:5.3.7]
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:750) ~[spring-aop-5.3.7.jar!/:5.3.7]
at org.springframework.aop.interceptor.AsyncExecutionInterceptor.lambda$invoke$0(AsyncExecutionInterceptor.java:115) ~[spring-aop-5.3.7.jar!/:5.3.7]
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[na:na]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130) ~[na:na]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630) ~[na:na]
at java.base/java.lang.Thread.run(Thread.java:832) ~[na:na]
Caused by: com.philips.research.bombase.core.npm.NpmException: NPM server responded with status 405
at com.philips.research.bombase.core.npm.domain.NpmClient.query(NpmClient.java:56) ~[classes!/:0.1.1-SNAPSHOT]
at com.philips.research.bombase.core.npm.domain.NpmClient.getPackage(NpmClient.java:45) ~[classes!/:0.1.1-SNAPSHOT]
at com.philips.research.bombase.core.npm.domain.NpmHarvester.harvest(NpmHarvester.java:50) ~[classes!/:0.1.1-SNAPSHOT]
... 14 common frames omitted
Add harvester for APK
Harvesters don't provide version info in (GIT) source location
Many package managers provide a generic repository URL as source location. When using this URL for download, this will yield the latest version of the default branch in the GIT repository. This is most probably not the source code for the actual package version.
The downloader understands a syntax of appending @ and the version number to a GIT URL, but this should be provided by the harvester.
Gotcha: Sometimes a Git URL is specified by a package manager with a "user" prefix, like: [email protected]/...
Autoconvert "LicenseRef-scancode-public-domain" to "Public Domain" license
The ScanCode Toolkit scanner could automatically convert this internal identifier into the more common phrasing of a component being generic "Public Domain".
Persist metadata in database
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.