Fast, portable and reliable dependency analysis for any codebase. Supports license & vulnerability scanning for large monoliths. Language-agnostic; integrates with 20+ build systems.
Overview
Some customers have encountered issues where the CLI fails to resolve one of their transitive dependencies and then fails analysis for that whole project. I haven't been able to track down under exactly what conditions this happens and how to patch it, so for now this PR changes the behavior to emit a warning rather than failing analysis.
Acceptance criteria
The CLI no longer fails when it gets a Can't find package for descriptor... error.
Testing plan
I used backstage as an example. Scanning with the current master version of fossa results in failed projects and no dependencies. Scanning with the version of the CLI on this branch will return results and warn about the missing dependencies.
Risks
None.
Checklist
[ ] I added tests for this PR's change (or explained in the PR description why tests don't make sense).
[x] If this PR introduced a user-visible change, I added documentation into docs/.
[x] If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
[ ] If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an # Unreleased section at the top.
[x] If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
[x] If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.
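The behaviour change described in this PR, a resolver that used to abort the whole project on one unresolvable transitive descriptor and now records a warning and keeps going, as an added illustration. This is example code written for this page, not fossa-cli's own implementation; the package index, the `resolve`/`analyze` functions and the missing `left-pad` descriptor are constructed here. The point a scanner user should take from the lenient mode is that a result with warnings is a partial scan, not a clean one: the unresolved packages were never checked for licenses or vulnerabilities.

```python
"""Added example (not fossa-cli's own code): resolving a dependency graph when a
transitive package is missing from the index, in a strict mode that aborts the
whole project and a lenient mode that records a warning and continues."""
from collections import deque
from dataclasses import dataclass, field

# Constructed package index: name -> direct dependencies. "left-pad" is
# deliberately absent so that resolving "app" hits an unresolvable descriptor.
INDEX = {
    "app": ["web", "util"],
    "web": ["http", "left-pad"],
    "util": ["http"],
    "http": [],
}


class MissingDescriptor(Exception):
    """Raised in strict mode when a descriptor cannot be found in the index."""


@dataclass
class Resolution:
    resolved: set = field(default_factory=set)
    warnings: list = field(default_factory=list)

    @property
    def complete(self) -> bool:
        # A resolution with any warning left part of the graph unexamined.
        return not self.warnings


def resolve(root: str, index: dict, strict: bool) -> Resolution:
    """Breadth-first walk of the dependency graph starting at root.

    strict=True  -> the first missing descriptor aborts the whole project
    strict=False -> the missing descriptor is skipped and a warning is kept
    """
    result = Resolution()
    queue = deque([root])
    seen = set()
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        if name not in index:
            msg = f"Can't find package for descriptor {name!r}"
            if strict:
                raise MissingDescriptor(msg)
            result.warnings.append(msg)
            continue
        result.resolved.add(name)
        queue.extend(index[name])
    return result


def analyze(root: str, index: dict, strict: bool) -> dict:
    """Project-level wrapper for the two behaviours: strict mode yields a failed
    project with no dependencies, lenient mode yields partial results plus the
    warnings. Callers should treat status "partial" as an incomplete scan."""
    try:
        res = resolve(root, index, strict)
    except MissingDescriptor as exc:
        return {"status": "failed", "dependencies": [], "warnings": [str(exc)]}
    return {
        "status": "ok" if res.complete else "partial",
        "dependencies": sorted(res.resolved),
        "warnings": res.warnings,
    }


if __name__ == "__main__":
    print(analyze("app", INDEX, strict=True))
    print(analyze("app", INDEX, strict=False))
```

Running the block prints the strict result (status "failed", no dependencies) followed by the lenient one (status "partial", four resolved packages and one warning naming `left-pad`). Anything consuming such output should gate on the status or the warning list rather than on an empty warning count being assumed.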