Fast, portable and reliable dependency analysis for any codebase. Supports license & vulnerability scanning for large monoliths. Language-agnostic; integrates with 20+ build systems.
Overview
This PR replaces tomland with toml-parser. The reason for the switch is that tomland has an issue with handling explicit vs implicit tables. toml-parser does not have the same issue.
The issue mainly affected poetry toml files, and as shown in ANE-1827 was causing CLI to believe there were no dependencies in tool.poetry.dependencies.
Switching to toml-parser also seems to resolve an issue with poetry.lock files where keys wrapped in quotes contained the quotes after parsing:
"backports.entry-points-selectable" = [ ... ]
was being recorded as pip+"backports.entry-points-selectable" instead of pip+backports-entry-points-selectable.
Acceptance criteria
Testing plan
cabal run fossa -- analyze /path/to/extracted_files -o --only-target poetry | jq -c ".sourceUnits[0].Build.Dependencies"
Running the same command using the latest fossa release reports no dependencies.
Risks
toml-parser doesn't provide a way to deal with nested values/tables, so I had to change some of the datatypes to better match the toml formats. However, each of them is covered by tests.
Metrics
Is this change something that can or should be tracked? If so, can we do it today? And how? If it's easy, do it.
References
https://fossa.atlassian.net/browse/ANE-1827
Checklist
[x] I added tests for this PR's change (or explained in the PR description why tests don't make sense).
[x] If this PR introduced a user-visible change, I added documentation into docs/.
[x] If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
[x] If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an # Unreleased section at the top.
[x] If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by the fossa init command. You may also need to update these if you have added/removed a new dependency type (e.g. pip) or analysis target type (e.g. poetry).
[x] If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.