sonatype-nexus-community / jake

Check your Python environments for vulnerable Open Source packages with OSS Index or Sonatype Nexus Lifecycle.
https://jake.readthedocs.io/
Apache License 2.0
114 stars 24 forks

Migrate `jake` to utilise external CycloneDX and OSSIndex libraries #64

Closed madpah closed 3 years ago

madpah commented 3 years ago

This PR aims to migrate jake to use two new public libraries:

The reasons for this are:

  1. Get the inherent benefits of the more complete implementation of the CycloneDX standard from the cyclonedx-python-lib library (jake was stuck on an incomplete implementation of v1.1 in XML only, and the cyclonedx-python-lib arguably has better detection of Python packages installed in your environment)
  2. Enable better code re-use (splitting out our OSS Index implementation means that can be used outside of jake)
  3. General house-keeping for Jake to make it more maintainable and extensible moving forwards!

This PR also addresses the following issues:

cc @bhamail / @DarthHater

DarthHater commented 3 years ago

@madpah what did you do with the cyclonedx-python-lib that improved finding libraries that are installed? All jake did was query the actual python runtime, iirc. Mostly curious because I saw your comment!

madpah commented 3 years ago

> @madpah what did you do with the cyclonedx-python-lib that improved finding libraries that are installed? All jake did was query the actual python runtime, iirc. Mostly curious because I saw your comment!

cyclonedx-python-lib by default reads installed packages from the current Python environment. The library also supports:

  1. Specifically parsing requirements.txt
  2. Specifically parsing poetry.lock

More coming soon :-)
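As an added illustration of the three package-detection modes named in this comment (installed packages of the current environment, an explicit requirements.txt, a poetry.lock), here is a small self-contained Python example; it is not jake's or cyclonedx-python-lib's own code, and the two sample files it parses are constructed:

```python
import re
from importlib import metadata
# Constructed sample inputs (not taken from the jake repository).
SAMPLE_REQUIREMENTS = """\
-r base.txt
requests[security]==2.25.1 ; python_version >= "3.6"
Flask == 1.1.2  # pinned, with a trailing comment
urllib3>=1.26  # a range, not an exact pin, so it cannot be looked up as one version
"""
SAMPLE_POETRY_LOCK = """\
[[package]]
name = "requests"
version = "2.25.1"

[package.dependencies]
urllib3 = ">=1.21.1,<1.27"

[[package]]
name = "urllib3"
version = "1.26.5"
"""
# Accept "name[extras]==version"; anything else is not an exact pin.
_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")

def parse_requirements(text):
    """(name, version) for every exactly pinned line; pip options, comments and ranges are skipped."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _PIN.match(line)
        if m:
            found.append((m.group(1).lower(), m.group(2)))
    return found

def parse_poetry_lock(text):
    """name/version from each [[package]] table; keys in sub-tables like [package.dependencies] are ignored."""
    found, in_pkg, cur = [], False, {}
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("["):
            in_pkg, cur = line == "[[package]]", {}
        elif in_pkg and (m := re.match(r'^(name|version) = "([^"]*)"$', line)):
            cur[m.group(1)] = m.group(2)
        if "name" in cur and "version" in cur:
            found.append((cur.pop("name").lower(), cur.pop("version")))
    return found

def installed_packages():
    """Default mode: the distributions actually installed in the running interpreter's environment."""
    return sorted({(d.metadata["Name"].lower(), d.version) for d in metadata.distributions() if d.metadata["Name"]})
```

The (name, version) pairs each function returns are the package coordinates a tool like jake would then look up against OSS Index; note that only exact pins in a requirements file resolve to a single checkable version.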