-
Notifications
You must be signed in to change notification settings - Fork 174
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a transitive dependencies endpoint to the REST API #1867
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is really well laid out and high quality. Thanks Marco!
Probably the design decisions and/or algorithm may be tweaked as folks use this and have feedback, but that can be iterated on.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you, Marco!
Signed-off-by: Marco Deicas <[email protected]>
Signed-off-by: Marco Deicas <[email protected]>
Signed-off-by: Marco Deicas <[email protected]>
Signed-off-by: Marco Deicas <[email protected]>
Signed-off-by: Marco Deicas <[email protected]>
e31535d
to
aa2dcb2
Compare
|
||
/********* Implementations of the interface *********/ | ||
|
||
func (eg byDigest) getDirectDependencies(ctx context.Context, v node) ([]node, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
very nice abstractions!
t.Logf("Graphql server shut down") | ||
} | ||
} | ||
t.Cleanup(closeFunc) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice!
* client testing support Signed-off-by: Marco Deicas <[email protected]> * Add HashEquals and IsOccurrences queries to gql client Signed-off-by: Marco Deicas <[email protected]> * Change Paginate to take pointer to PaginationSpec Signed-off-by: Marco Deicas <[email protected]> * Add better logging Signed-off-by: Marco Deicas <[email protected]> * Implement transitive dependency search Signed-off-by: Marco Deicas <[email protected]> --------- Signed-off-by: Marco Deicas <[email protected]> Signed-off-by: Soham Arora <[email protected]>
Description of the PR
Adds an endpoint to the REST API to get the transitive dependencies of an artifact or package.
This PR is dependent on and duplicates the changes from #1864 (everything in
internal/testing
). Once that is merged, I'll rebase this one.Some design decisions taken were:
Other things done on this PR are:
Explanation of the
linkCondition
parameterThis parameter intends to configure the accuracy of the results. If
digest
is specified, predicates attached to packages are not used for the graph traversal, because this can lead inconsistencies. For example, suppose there is an artifact A1 that is an occurrence of package P, and there is an SBOM attached to P. It may be misleading to use that SBOM in finding the dependencies of A1, because that SBOM may have been generated for some other artifact A2 -- we don't know.Asking for accuracy by setting
linkCondition = digest
requires good data (e.g. SBOMs need to provide the digest of the subject, which I believe Syft does not). In the absence of this, predicates attached to packages can be used for the grpah traversal by settinglinkCondition = name
.PR Checklist
-s
flag togit commit
.make generate
has been runmake generate
has been runcollectsub
protobuf has been changed,make proto
has been run