From 121b9aa32b2c024c5252d302ce013a83f7c8af18 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Oct 2023 09:04:50 -0700 Subject: [PATCH 01/11] build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.0 (#841) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ossf-scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml index 20c1662a1..0d82c78fe 100644 --- a/.github/workflows/ossf-scorecard.yml +++ b/.github/workflows/ossf-scorecard.yml @@ -37,7 +37,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0 + uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0 with: results_file: results.sarif results_format: sarif From e7160bcf2f7d86b76dd99c1c5ed79d22d3e08cf9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Oct 2023 09:05:25 -0700 Subject: [PATCH 02/11] build(deps): bump stefanzweifel/git-auto-commit-action from 4.16.0 to 5.0.0 (#842) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/gen-docs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gen-docs.yml b/.github/workflows/gen-docs.yml index 82a4ae621..33543f071 100644 --- a/.github/workflows/gen-docs.yml +++ b/.github/workflows/gen-docs.yml @@ -43,7 +43,7 @@ jobs: EOF - name: Commit - uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a # v4 + uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v4 with: commit_message: 'Update docs' file_pattern: '*.md' \ No newline at end of file From 75476010d5cbced51be17cc0b3ac3e2dea826e72 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 9 Oct 2023 09:05:48 -0700 Subject: [PATCH 03/11] chore(deps): update shogo82148/actions-upload-release-asset action to v1.7.0 (#835) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 75c678029..1eae6e859 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -36,7 +36,7 @@ jobs: run: dotnet publish --configuration Release --output ./bin --self-contained --runtime ${{ matrix.rid }} -p:PublishSingleFile=true -p:IncludeAllContentForSelfExtract=true -p:DebugType=None -p:PublishTrimmed=false ./src/Microsoft.ComponentDetection - name: Publish CLI tool - uses: shogo82148/actions-upload-release-asset@953d19cc84d8e8ecf80beec5afef40ca68b7e633 # v1.6.6 + uses: shogo82148/actions-upload-release-asset@dbfb35b0d9069ff70bc1f9e47faba33ee30b2681 # v1.7.0 continue-on-error: true with: upload_url: ${{ github.event.release.upload_url }} From 6b922cdccbd46019d2ee819e3d4903651eab3a46 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 9 Oct 2023 09:06:24 -0700 Subject: [PATCH 04/11] chore(deps): update dependency yamldotnet to v13.5.2 (#832) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- Directory.Packages.props | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Directory.Packages.props b/Directory.Packages.props index 103a2ee6a..3a8f863bf 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -51,7 +51,7 @@ - + From 85b50ee52ac18ebe4185c8f6d419bcccc2559f02 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 9 Oct 2023 09:06:46 -0700 Subject: [PATCH 05/11] chore(deps): update github/codeql-action action to v2.22.1 (#834) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/codeql-analysis.yml | 6 +++--- .github/workflows/ossf-scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index ee92cab1f..bbbaf165d 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -26,12 +26,12 @@ jobs: fetch-depth: 0 - name: Initialize CodeQL - uses: github/codeql-action/init@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9 + uses: github/codeql-action/init@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1 with: languages: 'csharp' - name: Autobuild - uses: github/codeql-action/autobuild@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9 + uses: github/codeql-action/autobuild@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9 + uses: github/codeql-action/analyze@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1 diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml index 0d82c78fe..863355ee1 100644 --- a/.github/workflows/ossf-scorecard.yml +++ b/.github/workflows/ossf-scorecard.yml @@ -67,6 +67,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9 + uses: github/codeql-action/upload-sarif@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1 with: sarif_file: results.sarif From 23b192e5a7b7768a96d05e1f2ae834ad239f85ab Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 9 Oct 2023 16:18:54 +0000 Subject: [PATCH 06/11] chore(deps): update stefanzweifel/git-auto-commit-action action to v5 (#837) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/gen-docs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gen-docs.yml b/.github/workflows/gen-docs.yml index 33543f071..6ad35e8c1 100644 --- a/.github/workflows/gen-docs.yml +++ b/.github/workflows/gen-docs.yml @@ -43,7 +43,7 @@ jobs: EOF - name: Commit - uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v4 + uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v5 with: commit_message: 'Update docs' file_pattern: '*.md' \ No newline at end of file From b22f08d22d17a794c80dc6824db9c33d7b4266d1 Mon Sep 17 00:00:00 2001 From: Justin Perez Date: Mon, 9 Oct 2023 09:30:45 -0700 Subject: [PATCH 07/11] fix(cmd): allow `ScanSettings` to be serialized --- .../Commands/ScanSettings.cs | 10 ++++++++++ .../Commands/ScanSettingsTests.cs | 17 +++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/src/Microsoft.ComponentDetection.Orchestrator/Commands/ScanSettings.cs b/src/Microsoft.ComponentDetection.Orchestrator/Commands/ScanSettings.cs index 9f2b47041..3e134a6b6 100644 --- a/src/Microsoft.ComponentDetection.Orchestrator/Commands/ScanSettings.cs +++ b/src/Microsoft.ComponentDetection.Orchestrator/Commands/ScanSettings.cs @@ -3,6 +3,7 @@ namespace Microsoft.ComponentDetection.Orchestrator.Commands; using System.Collections.Generic; using System.ComponentModel; using System.IO; +using System.Text.Json.Serialization; using Microsoft.ComponentDetection.Orchestrator.Extensions; using Spectre.Console; using Spectre.Console.Cli; @@ -25,12 +26,18 @@ public class ScanSettings : BaseSettings [CommandOption("--SourceDirectory")] [Description("Directory to operate on.")] + [JsonIgnore] public DirectoryInfo SourceDirectory { get; set; } + public string SourceDirectorySerialized => this.SourceDirectory?.ToString(); + [CommandOption("--SourceFileRoot")] [Description("Directory where source files can be found.")] + [JsonIgnore] public DirectoryInfo SourceFileRoot { get; set; } + public string SourceFileRootSerialized => this.SourceFileRoot?.ToString(); + [CommandOption("--DetectorArgs")] [Description( "Comma separated list of properties that can affect the detectors execution, like EnableIfDefaultOff that allows a specific detector that is in beta to run, the format for this property is DetectorId=EnableIfDefaultOff, for example Pip=EnableIfDefaultOff.")] @@ -50,8 +57,11 @@ public class ScanSettings : BaseSettings [CommandOption("--ManifestFile")] [Description("The file to write scan results to.")] + [JsonIgnore] public FileInfo ManifestFile { get; set; } + public string ManifestFileSerialized => this.ManifestFile?.ToString(); + [CommandOption("--PrintManifest")] [Description("Prints the manifest to standard output. Logging will be redirected to standard error.")] public bool PrintManifest { get; set; } diff --git a/test/Microsoft.ComponentDetection.Orchestrator.Tests/Commands/ScanSettingsTests.cs b/test/Microsoft.ComponentDetection.Orchestrator.Tests/Commands/ScanSettingsTests.cs index ec87df249..9a94f31a3 100644 --- a/test/Microsoft.ComponentDetection.Orchestrator.Tests/Commands/ScanSettingsTests.cs +++ b/test/Microsoft.ComponentDetection.Orchestrator.Tests/Commands/ScanSettingsTests.cs @@ -1,6 +1,7 @@ namespace Microsoft.ComponentDetection.Orchestrator.Tests.Commands; using System.IO; +using System.Text.Json; using FluentAssertions; using Microsoft.ComponentDetection.Orchestrator.Commands; using Microsoft.VisualStudio.TestTools.UnitTesting; @@ -45,4 +46,20 @@ public void Validate_FailIfSourceDirectoryDoesntExist() result.Successful.Should().BeFalse(); } + + [TestMethod] + public void CanSerialize() + { + var settings = new ScanSettings + { + SourceDirectory = new DirectoryInfo(Path.GetTempPath()), + Output = "C:\\", + ManifestFile = new FileInfo(Path.GetTempFileName()), + SourceFileRoot = new DirectoryInfo(Path.GetTempPath()), + }; + + var action = () => JsonSerializer.Serialize(settings); + + action.Should().NotThrow(); + } } From 7221fd43885352585da4480dd5c50486eb35f5b7 Mon Sep 17 00:00:00 2001 From: Omotola Date: Mon, 9 Oct 2023 09:36:40 -0700 Subject: [PATCH 08/11] move simple pip to default off (#836) --- .../pip/SimplePipComponentDetector.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.ComponentDetection.Detectors/pip/SimplePipComponentDetector.cs b/src/Microsoft.ComponentDetection.Detectors/pip/SimplePipComponentDetector.cs index 088251532..83d758a94 100644 --- a/src/Microsoft.ComponentDetection.Detectors/pip/SimplePipComponentDetector.cs +++ b/src/Microsoft.ComponentDetection.Detectors/pip/SimplePipComponentDetector.cs @@ -10,7 +10,7 @@ namespace Microsoft.ComponentDetection.Detectors.Pip; using Microsoft.ComponentDetection.Contracts.TypedComponent; using Microsoft.Extensions.Logging; -public class SimplePipComponentDetector : FileComponentDetector, IExperimentalDetector +public class SimplePipComponentDetector : FileComponentDetector, IDefaultOffComponentDetector { private readonly IPythonCommandService pythonCommandService; private readonly ISimplePythonResolver pythonResolver; From 25e572f6b151b869798c24cf264b2ff20cf888ec Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 10 Oct 2023 11:09:56 -0700 Subject: [PATCH 09/11] chore(deps): update mcr.microsoft.com/dotnet/runtime-deps:6.0-cbl-mariner2.0 docker digest to 98e5a9a (#845) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 82de5f243..ca0535c7b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,7 @@ RUN dotnet publish -c Release -o out \ -p:PublishSingleFile=true \ ./src/Microsoft.ComponentDetection -FROM mcr.microsoft.com/dotnet/runtime-deps:6.0-cbl-mariner2.0@sha256:b98ce459b124ed1f46f6f061716d8ac209a754b04090eeebb33e68fd11a7bca5 AS runtime +FROM mcr.microsoft.com/dotnet/runtime-deps:6.0-cbl-mariner2.0@sha256:98e5a9a0d1f8b55564e7412702258996e420e6bc8dbc973a9d0caad0469e8824 AS runtime WORKDIR /app COPY --from=build /app/out ./ From a54cb7cd51d8ecb41d84e37444f9a5ab8321ea75 Mon Sep 17 00:00:00 2001 From: Amitla Vannikumar <46578839+amitla1@users.noreply.github.com> Date: Sun, 15 Oct 2023 23:56:16 -0700 Subject: [PATCH 10/11] Add Properties VCPKG (#855) * added properties * changed download location parsing to sanitize better * added more checks --------- Co-authored-by: Amitla Vannikumar --- .../TypedComponent/VcpkgComponent.cs | 30 ++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/src/Microsoft.ComponentDetection.Contracts/TypedComponent/VcpkgComponent.cs b/src/Microsoft.ComponentDetection.Contracts/TypedComponent/VcpkgComponent.cs index a60a7bf98..26577e341 100644 --- a/src/Microsoft.ComponentDetection.Contracts/TypedComponent/VcpkgComponent.cs +++ b/src/Microsoft.ComponentDetection.Contracts/TypedComponent/VcpkgComponent.cs @@ -1,5 +1,6 @@ -namespace Microsoft.ComponentDetection.Contracts.TypedComponent; +namespace Microsoft.ComponentDetection.Contracts.TypedComponent; +using System.Linq; using PackageUrl; public class VcpkgComponent : TypedComponent @@ -20,6 +21,11 @@ public VcpkgComponent(string spdxid, string name, string version, string triplet this.Triplet = triplet; this.Description = description; this.DownloadLocation = downloadLocation; + + if (!string.IsNullOrEmpty(downloadLocation) && downloadLocation.ToLower().Contains("https://github.com/")) + { + this.SetGitRepoProperties(); + } } public string SPDXID { get; set; } @@ -36,6 +42,10 @@ public VcpkgComponent(string spdxid, string name, string version, string triplet public int PortVersion { get; set; } + public string GitRepositoryOwner { get; set; } + + public string GitRepositoryName { get; set; } + public override ComponentType Type => ComponentType.Vcpkg; public override string Id @@ -71,4 +81,22 @@ public override PackageURL PackageUrl } } } + + private void SetGitRepoProperties() + { + /* example download locations + * "git+https://github.com/leethomason/tinyxml2@9.0.0" + * "git+https://github.com/Microsoft/vcpkg#ports/nlohmann-json" + */ + var locationArr = this.DownloadLocation.Split('/'); + if (!string.IsNullOrEmpty(locationArr[2])) + { + this.GitRepositoryOwner = locationArr[2]; + } + + if (!string.IsNullOrEmpty(locationArr[3])) + { + this.GitRepositoryName = locationArr[3].TakeWhile(ch => char.IsLetterOrDigit(ch)).ToString(); + } + } } From 62c482be94b8556869a8c2d6a31a828ef22ded39 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 18 Oct 2023 08:37:51 -0700 Subject: [PATCH 11/11] build(deps): bump release-drafter/release-drafter from 5.24.0 to 5.25.0 (#866) Bumps [release-drafter/release-drafter](https://github.com/release-drafter/release-drafter) from 5.24.0 to 5.25.0. - [Release notes](https://github.com/release-drafter/release-drafter/releases) - [Commits](https://github.com/release-drafter/release-drafter/compare/65c5fb495d1e69aa8c08a3317bc44ff8aabe9772...09c613e259eb8d4e7c81c2cb00618eb5fc4575a7) --- updated-dependencies: - dependency-name: release-drafter/release-drafter dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/release-drafter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index 98f38be16..7e4ab26be 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -16,7 +16,7 @@ jobs: pull-requests: read runs-on: ubuntu-latest steps: - - uses: release-drafter/release-drafter@65c5fb495d1e69aa8c08a3317bc44ff8aabe9772 # v5 + - uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 # v5 with: disable-autolabeler: true env: