rust-secure-code / cargo-supply-chain

Gather author, contributor and publisher data on crates in your dependency graph.
Apache License 2.0

Initial stab at structured output in JSON #51

Closed Shnatsel closed 3 years ago

Shnatsel commented 3 years ago

This is an alternative approach to structured output, heavily inspired by #50. I believe this will be easier to maintain in the long run, and also provides the consumers with more detailed info.

This is not entirely complete because I still need to add help text and test CLI parsing, so opening it as a draft PR.

@zebambam would this work for your use case? If not, what should we change to make it work?

zebambam commented 3 years ago

I just made it pretty and lgtm:

diff --git a/src/subcommands/json.rs b/src/subcommands/json.rs
index 14fc4fd..e818a99 100644
--- a/src/subcommands/json.rs
+++ b/src/subcommands/json.rs
@@ -39,6 +39,6 @@ pub fn json(args: Vec<String>, max_age: std::time::Duration) -> Result<(), std::
     // Print the result to stdout
     let stdout = std::io::stdout();
     let handle = stdout.lock();
-    serde_json::to_writer(handle, &output)?;
+    serde_json::to_writer_pretty(handle, &output)?;
     Ok(())
 }
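
Review bot: The pretty writer on the last statement of `json()` is applied unconditionally, so multi-line output becomes the only format and a consumer that reads one JSON document per line has no way to ask for the compact form. Consider keeping `serde_json::to_writer` as the default and choosing `serde_json::to_writer_pretty` only when the caller opts in through `args`. Also, nothing is written to `handle` after the serializer returns and before `Ok(())`, so the output ends without a trailing newline; passing `&mut handle` and writing a final newline would keep the last line terminated.
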
Shnatsel commented 3 years ago

This is intended for machine consumption, so I'd rather keep the compact, condensed version. Anyone who needs it pretty-printed can just pipe it to jq or their preferred equivalent.

Shnatsel commented 3 years ago

On the other hand I'm also considering sorting all the collections in the output to make the output diffable, similar to #54.

One more thing that's been raised is that we can include the source information for crates that are not local and not from crates.io.

Shnatsel commented 3 years ago

Should be good to go now.

Shnatsel commented 3 years ago

The help texts could use some love, but I'll handle that in a separate PR. I don't want to lump it together with JSON support.

zebambam commented 3 years ago

> This is intended for machine consumption, so I'd rather keep the compact, condensed version. Anyone who needs it pretty-printed can just pipe it to jq or their preferred equivalent.

If you're looking for a compact representation, can I suggest not using json? The entire purpose of json is to be simple for both people and computers to read and understand. Making a json representation deliberately 'compact' by removing whitespace makes sense if you're paying for bandwidth by the byte, but not otherwise.

Shnatsel commented 3 years ago

I have a WIP PR that keeps the condensed output by default, but provides a flag that enables pretty-printing: https://github.com/rust-secure-code/cargo-supply-chain/pull/62

Does that sound like an acceptable solution?