CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server.
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

Try mode in cdxgen #362

Open prabhu opened 1 year ago

prabhu commented 1 year ago

Inspired by this wonderful project

https://github.com/binpash/try/blob/main/try

Instead of installing dependencies directly or in temp directories, cdxgen could use unshare with overlayfs to track the dependencies installed like this script to generate an SBoM. I can imagine this offering immediate help with the Java ecosystem since we can track all jars downloaded more reliably, thus going beyond pom.xml and gradle files.
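An added example, not cdxgen's code and not the try script: the piece that would turn the overlay's upper-directory listing into SBOM components for the Java case described above. It assumes the install command already ran under unshare with an overlayfs mount and that the newly written files were listed; those paths, artifact names and versions are constructed sample input.

```javascript
// Added example, not cdxgen's own code: map the files a Maven build wrote into an overlayfs
// upper directory (inside an unshare'd mount namespace) to CycloneDX components.
const M2_MARKER = "/.m2/repository/";

// Constructed stand-in for `find <upperdir> -type f` after an unshare'd `mvn package`.
const SAMPLE_UPPER_DIR_FILES = [
  "/upper/root/.m2/repository/org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.jar",
  "/upper/root/.m2/repository/org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.jar.sha1",
  "/upper/root/.m2/repository/org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.pom",
  "/upper/root/.m2/repository/com/google/guava/guava/32.1.2-jre/guava-32.1.2-jre.jar",
  "/upper/root/.m2/repository/com/google/guava/guava/32.1.2-jre/guava-32.1.2-jre-sources.jar",
  "/upper/root/.m2/repository/org/apache/commons/commons-lang3/resolver-status.properties",
  "/upper/project/target/classes/App.class",
];

// Parse one local-repository path laid out as
//   <group/as/dirs>/<artifactId>/<version>/<artifactId>-<version>[-<classifier>].<ext>
// Checksums, metadata and build output do not fit the layout and yield null.
function parseMavenPath(filePath) {
  const idx = filePath.indexOf(M2_MARKER);
  if (idx === -1) return null;
  const rel = filePath.slice(idx + M2_MARKER.length).split("/");
  if (rel.length < 4) return null;
  const [artifactId, version, file] = rel.slice(-3);
  const group = rel.slice(0, -3).join(".");
  const ext = file.slice(file.lastIndexOf(".") + 1);
  if (!["jar", "pom", "war", "aar"].includes(ext)) return null;
  const prefix = `${artifactId}-${version}`;
  if (!file.startsWith(prefix)) return null;
  const rest = file.slice(prefix.length, -(ext.length + 1)); // "" or "-<classifier>"
  if (rest !== "" && !rest.startsWith("-")) return null;
  return { group, artifactId, version, classifier: rest ? rest.slice(1) : null };
}

// Package URL; the classifier becomes a qualifier and the default Maven type (jar)
// stays implicit, so an artifact's .jar and .pom collapse into one purl.
function purlOf(p) {
  const enc = encodeURIComponent;
  const base = `pkg:maven/${enc(p.group)}/${enc(p.artifactId)}@${enc(p.version)}`;
  return p.classifier ? `${base}?classifier=${enc(p.classifier)}` : base;
}

// De-duplicate by purl and emit CycloneDX library components in stable order.
function componentsFromUpperDir(paths) {
  const byPurl = new Map();
  for (const p of paths.map(parseMavenPath).filter(Boolean)) {
    const purl = purlOf(p);
    if (!byPurl.has(purl)) byPurl.set(purl, { type: "library", group: p.group, name: p.artifactId, version: p.version, purl, "bom-ref": purl });
  }
  return [...byPurl.values()].sort((a, b) => (a.purl < b.purl ? -1 : a.purl > b.purl ? 1 : 0));
}
```

Because the listing records what the build actually fetched, transitive artifacts and plugins show up even when pom.xml never names them, which is the gap over manifest parsing that the idea above is after.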

varkakumani commented 1 year ago

Are you planning to parse the output of try and extract the results?

The major problem I see is the scaling for future use cases. Gradle / POM have standard formats and they don't make changes quite frequently, but the output of these commands itself can change pretty rapidly. Then we have to adapt to those changes in cdxgen as well.

prabhu commented 1 year ago

@varkakumani I was thinking of reimplementing it in node.js. The try bash script looked relatively simple.

varkakumani commented 1 year ago

Got it. I still have to read and understand how it works. If this is going to be useful only for Java then I am not sure if it's worth the implementation because most of the recent startups/companies stopped using Java. Mostly it's Golang, TS, Node and Python I see in most of the companies.

If there are some stats available (from something like https://stackshare.io/) maybe that can be used to validate which ideas can be prioritized based on the trending languages and package managers.

varkakumani commented 1 year ago

These stats are from the StackOverflow 2022 annual survey. Might be useful.

https://survey.stackoverflow.co/2022#section-most-popular-technologies-programming-scripting-and-markup-languages

prabhu commented 1 year ago

@varkakumani Something like unshare is for executing OS commands safely. cdxgen invokes tools such as maven, gradle or pip (or any overridden commands via env vars) but has no idea what underlying changes these tools might cause. At times, these commands could change the lock file, make builds fail or introduce unwanted changes. Let's wait a bit and see how it goes.