github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

Add support for Elixir Ecosystem for dependency graphs since the package manager hex.pm is already used for Erlang #1661

Open SupaMic opened 1 year ago

SupaMic commented 1 year ago

You already support Erlang (registry: https://hex.pm/) to build dependency graphs, so you should implement the same functionality for Elixir projects, which use the mix.exs script in the root of a project (and within nested application root folders). They mostly use the same registry, hex.pm (although they can link to GitHub or other repos directly).

yammine commented 1 year ago

Would love this, please consider adding Elixir to the supported ecosystems

cj1128 commented 1 year ago

Would love this too, please.

pgbezerra commented 1 year ago

Is this open source? Can we do something to implement the dependency graph for elixir?

courtneycl commented 1 year ago

👋 Hi from the dependency graph team -- Elixir support is near the top of our list for additional ecosystems to support, but we don't currently have a timeline.

Our core isn't open source, but we do have the dependency submission API that can submit dependencies for other ecosystems. Some folks have created GitHub Actions to do this for various ecosystems -- if anyone wants to go that route, we have the dependency submission toolkit that can help with developing actions for dependency submission. You'll receive Dependabot alerts for any submitted dependencies. Hope this helps a bit!

dimitarvp commented 1 year ago

Good to know you're working on it. It'll truly help having it.

dnovais commented 1 year ago

Interesting, it'll truly be useful and help.

binarytemple commented 1 year ago

Really, if it supports Erlang, it should support Elixir, after all, the Elixir people wrote hex.pm.

RichMorin commented 1 year ago

I'd also like to support this feature request. Actually, there are several languages which run on the Erlang VM. Ideally, the graphs would support most of them. And a pony... :-)

InFo555 commented 1 year ago

Would love to see Elixir support too

maennchen commented 1 week ago

@courtneycl

Our core isn't open source, but we do have the dependency submission API that can submit dependencies for other ecosystems.

Unfortunately, the submission API does not support Hex purls. All reported dependencies are shown as pkg:unknown.

Hex purl Spec: https://github.com/hexpm/specifications/blob/main/package-url.md
Action / Tool: https://github.com/maennchen/mix-dependency-submission
Dependencies: https://github.com/maennchen/mix-dependency-submission/network/dependencies?page=2


When downloading the SBoM:

// ...
{
  "SPDXID": "SPDXRef-unknown-dialyxir-1.4.4",
  "name": "unknown:dialyxir",
  "versionInfo": "1.4.4",
  "downloadLocation": "NOASSERTION",
  "filesAnalyzed": false,
  "supplier": "NOASSERTION",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceLocator": "pkg:unknown/dialyxir@1.4.4",
      "referenceType": "purl"
    }
  ]
}
// ...

Expected:

// ...
{
  "SPDXID": "SPDXRef-hex-dialyxir-1.4.4",
  "name": "hex:dialyxir",
  "versionInfo": "1.4.4",
  "downloadLocation": "NOASSERTION",
  "filesAnalyzed": false,
  "supplier": "NOASSERTION",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceLocator": "pkg:hex/dialyxir@1.4.4",
      "referenceType": "purl"
    }
  ]
}
// ...

Reported:

https://github.com/maennchen/mix-dependency-submission/actions/runs/11507378792/job/32033446490

{
  "version": 0,
  "metadata": {},
  "ref": "refs/heads/main",
  "manifests": {
    "mix.exs": {
      "name": "mix.exs",
      "file": {
        "source_location": "mix.exs"
      },
      "metadata": {},
      "resolved": {
        // ...
        "dialyxir": {
          "scope": "development",
          "metadata": {
            "name": "dialyxir"
          },
          "dependencies": [],
          "package_url": "pkg:hex/dialyxir@1.4.4",
          "relationship": "direct"
        },
        // ...
      }
    }
  },
  "detector": {
    "name": "mix_dependency_submission",
    "version": "1.0.0-beta.1",
    "url": "https://github.com/maennchen/mix-dependency-submission"
  },
  "sha": "71d59cd5aadc839808701997f2c9b6f50513eb35",
  "job": {
    "id": "escript",
    "correlator": "Main Branchescript"
  },
  "scanned": "2024-10-24T21:01:37.127673Z"
}
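The mismatch described in the comment above (a `pkg:hex/...` purl submitted through the dependency submission API coming back as `pkg:unknown/...` in the exported SPDX SBOM) is the kind of thing worth checking automatically, because a dependency whose ecosystem has been lost cannot be matched against Hex advisories. The script below is an added example and is not part of this thread or of the mix-dependency-submission project: it parses purls with the generic package-url grammar, extracts what was submitted (the `manifests[*].resolved[*].package_url` fields of the submission payload) and what was exported (the `externalRefs` purl entries of the SPDX `packages` array), and reports every package whose purl type changed or that is missing altogether. The sample documents are constructed from the snippets in the comment; the second package, `jason`, is a constructed entry that round-trips correctly so that the no-finding path is exercised too.

```python
"""Cross-check purls in a dependency-submission payload against the SPDX SBOM
GitHub exports, flagging packages whose ecosystem was dropped to `unknown`.
Added example, not code from the thread or from mix-dependency-submission."""
import json
import re
from urllib.parse import unquote

# Generic package-url grammar: pkg:type/[namespace/]name[@version][?qualifiers][#subpath]
_PURL_RE = re.compile(
    r"^pkg:(?P<type>[a-zA-Z][a-zA-Z0-9.+-]*)/(?P<path>[^@?#]+)"
    r"(?:@(?P<version>[^?#]+))?(?:\?(?P<qualifiers>[^#]*))?(?:#(?P<subpath>.*))?$"
)


def parse_purl(purl: str) -> dict:
    """Split a purl into type, optional namespace, name and version."""
    m = _PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a package-url: {purl!r}")
    parts = [unquote(p) for p in m.group("path").strip("/").split("/")]
    return {
        "type": m.group("type").lower(),
        "namespace": "/".join(parts[:-1]) or None,
        "name": parts[-1],
        "version": unquote(m.group("version")) if m.group("version") else None,
    }


def submitted_purls(payload: dict) -> dict:
    """(name, version) -> purl for every resolved dependency in a submission payload."""
    out = {}
    for manifest in payload.get("manifests", {}).values():
        for dep in manifest.get("resolved", {}).values():
            purl = dep.get("package_url")
            if purl:
                p = parse_purl(purl)
                out[(p["name"], p["version"])] = purl
    return out


def sbom_purls(spdx: dict) -> dict:
    """(name, version) -> purl for every purl externalRef in an SPDX JSON document."""
    out = {}
    for pkg in spdx.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                p = parse_purl(ref["referenceLocator"])
                out[(p["name"], p["version"])] = ref["referenceLocator"]
    return out


def find_downgraded(submitted: dict, exported: dict) -> list:
    """Return (key, sent_purl, exported_purl, reason) for every lost or retyped package."""
    findings = []
    for key, sent in submitted.items():
        got = exported.get(key)
        if got is None:
            findings.append((key, sent, None, "missing from SBOM"))
            continue
        t_sent, t_got = parse_purl(sent)["type"], parse_purl(got)["type"]
        if t_sent != t_got:
            findings.append((key, sent, got, f"type {t_sent} -> {t_got}"))
    return findings


# Constructed samples: dialyxir mirrors the snippets in the comment, jason is invented.
SUBMISSION = json.loads("""{
  "manifests": {"mix.exs": {"name": "mix.exs", "resolved": {
    "dialyxir": {"scope": "development", "package_url": "pkg:hex/dialyxir@1.4.4"},
    "jason":    {"scope": "runtime",     "package_url": "pkg:hex/jason@1.4.4"}
  }}}
}""")

SBOM = json.loads("""{
  "packages": [
    {"name": "unknown:dialyxir", "versionInfo": "1.4.4", "externalRefs": [
      {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
       "referenceLocator": "pkg:unknown/dialyxir@1.4.4"}]},
    {"name": "hex:jason", "versionInfo": "1.4.4", "externalRefs": [
      {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
       "referenceLocator": "pkg:hex/jason@1.4.4"}]}
  ]
}""")


def audit() -> list:
    """Run the cross-check on the constructed samples."""
    return find_downgraded(submitted_purls(SUBMISSION), sbom_purls(SBOM))


if __name__ == "__main__":
    for key, sent, got, reason in audit():
        print(f"{key[0]}@{key[1]}: submitted {sent}, exported {got} ({reason})")
```

In a pipeline you would feed `find_downgraded` the JSON you POSTed to the submission API and the SBOM downloaded from the repository's dependency graph; any `type hex -> unknown` finding means that package will not receive Hex-based Dependabot alerts even though it was submitted with the correct purl.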