Fast, portable and reliable dependency analysis for any codebase. Supports license & vulnerability scanning for large monoliths. Language-agnostic; integrates with 20+ build systems.
This PR wont affect current locators as core already strips auth when generating a custom locator, however the CLI will send a locator of custom+{orgId}/username@bitbucket.org/owner/repo for all other endpoints. This was only happening to projects cloned from a bitbucket url with a username.
Changes:
PR removes auth from projects cloned via a url
Acceptance criteria
locators do not have auth in them in a URL
Testing plan
if you dont have a bitbucket project then just modify .git/config for testing:
under [remote "origin"] change the url to https://user@bitbucket.org/owner/repo.git
ensure FOSSA_API_KEY is set
run cabal run fossa -- analyze /path/to/local_repo/
you should see a new project for custom+{orgId}/bitbucket.org/owner/repo
run cabal run fossa -- test /path/to/local_repo and the command works
repeat for https://bitbucket.org/owner/repo.git
for git@github.com:repo/owner the "url" is unchanged.
[ ] I added tests for this PR's change (or explained in the PR description why tests don't make sense).
[ ] If this PR introduced a user-visible change, I added documentation into docs/.
[ ] If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
[ ] If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an # Unreleased section at the top.
[ ] If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
[ ] If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.
Overview
This PR wont affect current locators as core already strips auth when generating a custom locator, however the CLI will send a locator of
custom+{orgId}/username@bitbucket.org/owner/repofor all other endpoints. This was only happening to projects cloned from a bitbucket url with a username.Changes:
Acceptance criteria
Testing plan
.git/configfor testing:[remote "origin"]change the url tohttps://user@bitbucket.org/owner/repo.gitFOSSA_API_KEYis setcabal run fossa -- analyze /path/to/local_repo/custom+{orgId}/bitbucket.org/owner/repocabal run fossa -- test /path/to/local_repoand the command workshttps://bitbucket.org/owner/repo.gitgit@github.com:repo/ownerthe "url" is unchanged.Here's the debug logs for the urls:
Risks
Minimal risks, we're already stripping the auth part in core when creating the locator.
Metrics
Is this change something that can or should be tracked? If so, can we do it today? And how? If its easy, do it
References
See https://fossa.atlassian.net/browse/ANE-1864 for more info
Checklist
docs/.docs/README.msand gave consideration to how discoverable or not my documentation is.Changelog.md. If this PR did not mark a release, I added my changes into an# Unreleasedsection at the top..fossa.ymlorfossa-deps.{json.yml}, I updateddocs/references/files/*.schema.jsonAND I have updated example files used byfossa initcommand. You may also need to update these if you have added/removed new dependency type (e.g.pip) or analysis target type (e.g.poetry).docs/references/subcommands/<subcommand>.md.