Fast, portable and reliable dependency analysis for any codebase. Supports license & vulnerability scanning for large monoliths. Language-agnostic; integrates with 20+ build systems.
This PR adds partial support for dependency groups.
Previously, FOSSA CLI presumed, that when category was not provided, dependency was production dependency. This assumption is incorrect starting with v1.5.0 of poetry. This PR provides partial fix.
Acceptance criteria
Poetry lock file generated by Poetry v1.5.0 can be accurately analyzed
Testing plan
I relied on automated tests - but you can perform following.
[x] I added tests for this PR's change (or explained in the PR description why tests don't make sense).
[x] If this PR introduced a user-visible change, I added documentation into docs/.
[x] If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
[x] If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an # Unreleased section at the top.
[x] If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
[x] If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.
Overview
This PR adds partial support for
dependency groups.Previously, FOSSA CLI presumed, that when category was not provided, dependency was production dependency. This assumption is incorrect starting with v1.5.0 of poetry. This PR provides partial fix.
Acceptance criteria
Testing plan
I relied on automated tests - but you can perform following.
Place items from https://fossa.atlassian.net/browse/ANE-1281 in sandbox. (with these files you should see 0 deps)
Risks
N/A
References
https://fossa.atlassian.net/browse/ANE-1281
Checklist
docs/.docs/README.msand gave consideration to how discoverable or not my documentation is.Changelog.md. If this PR did not mark a release, I added my changes into an# Unreleasedsection at the top..fossa.ymlorfossa-deps.{json.yml}, I updateddocs/references/files/*.schema.jsonAND I have updated example files used byfossa initcommand. You may also need to update these if you have added/removed new dependency type (e.g.pip) or analysis target type (e.g.poetry).docs/references/subcommands/<subcommand>.md.