Updating "ComponentFilePaths" list of Yarn's Workspace Dependencies. #565
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…th_In_YarnDetector
|
Can you add new tests to validate the behaviour? |
added 2 commits
May 18, 2023 16:04
…etector' of https://github.com/siyadava-sindhu/component-detection into users/siyadava/Adding_PackageJson_LocationPath_In_YarnDetector
Added 'WellFormedYarnLockV1WithWorkspace_CheckFilePathsAsync' test in YarnLockDetectorTests to validate Workspace's filepath functionality. |
melotic
reviewed
Jun 2, 2023
test/Microsoft.ComponentDetection.Detectors.Tests/YarnLockDetectorTests.cs
Outdated
Show resolved
Hide resolved
|
@JamieMagee This looks good to me, but I'm not too knowledgeable in the yarn ecosystem to be 100% confident. |
Addressing iteration-2 comments, and using FluentAssertions
grvillic
reviewed
Jun 14, 2023
src/Microsoft.ComponentDetection.Detectors/yarn/YarnLockComponentDetector.cs
Outdated
Show resolved
Hide resolved
grvillic
reviewed
Jun 14, 2023
src/Microsoft.ComponentDetection.Detectors/yarn/YarnLockComponentDetector.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.ComponentDetection.Detectors/yarn/YarnLockComponentDetector.cs
Outdated
Show resolved
Hide resolved
test/Microsoft.ComponentDetection.Detectors.Tests/YarnLockDetectorTests.cs
Outdated
Show resolved
Hide resolved
…Path logic to check Package.json entry existence alone.
grvillic
reviewed
Jun 14, 2023
src/Microsoft.ComponentDetection.Detectors/yarn/YarnLockComponentDetector.cs
Outdated
Show resolved
Hide resolved
grvillic
approved these changes
Jun 18, 2023
|
👋 Hi! It looks like you modified some files in the
If none of the above scenarios apply, feel free to ignore this comment 🙂 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue
Issue information with 1JS repo usecase
Consider "1gql-schema/package.json" file of 1JS repo at 'https://office.visualstudio.com/Office/_git/1JS?path=/midgard/packages/1gql-schema/package.json' which has one of devDependency as "@graphql-codegen/add(3.2.1-resolved version)"
On successful run of CG in 1JS ecosystem, in locationFoundAt list of "@graphql-codegen/add" we can see only source-folder entry as "Yarn.lock" but not ""1gql-schema/package.json"" in which code reference of '@graphql-codegen/add' exists.
since actual usage of '@graphql-codegen/add' is in "1gql-schema/package.json" file from above example, in this PR aiming to add '"1gql-schema/package.json"' also one of the locationsFoundAt entry.
one of CG-REST api call of locationsFoundAT values of 1JS(midgard) repo for quick reference of above example is as follows:
https://governance.dev.azure.com/office/Office/_apis/componentgovernance/GovernedRepositories/169528/componentlocationsfile?snapshotId=114646097&api-version=7.1-preview.1
Above REST-API has following values list w.r.t mentioned example:
"""""
"@graphql-codegen/add 3.2.1 -Npm:[
{
"filePath":/s/midgard/.store/@graphql-codegen-add@3.2.1-9682c5a89873a23a208f/node_modules/@graphql-codegen/add/package.json
},
{
"filePath":/s/midgard/.store/@graphql-codegen-import-types-preset@2.2.3-1725db1442e85dd3e793/node_modules/@graphql-codegen/add/package.json
},
{
"filePath":"/s/midgard/yarn.lock"
}
],
""""""""""
Reason and fix
-->currenlty for 'Yarn Ecosystem' summarized logic of parsing is that:
(1) YarnLockComponentDetector gets triggered when any 'yarn.lock' file gets found
(2) Inside 'YarnLockComponentDetector' class, "GetWorkspaceDependencies" API gets called to identify all "package.json" file's dependencies ,in workspace folder to which #1 yarn.lock is acting as semver-resolver..
-->in above steps, during execution of #2 step, (which gets spawned because of #1),No extra logic to add respective package.json's filelocation exists, and since source-trigger file of #2's package.json file is also #1's yarn.lock file
only "Location to which corresponding component belongs to" is added as Yarn.lock.
-->In this PR added extra logic at step-#2 to add respective package.json filepath also to LocationsFoundAt list, since actual usage of dependency is found at corresponding package.json.
why we are updating LocationsPath to add package.json data too
component is identified, and further using ownership-extension (with filepath) to know owner of respective filepath.
Validations
-->By parsing 1Js repo validated locally that along with yarn.lock filepath, respective package.json path is also showing up in locationsFoundAt list for workspaceDependency entries,