forked from project-ncl/dependency-analysis
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathusers-documentation.html
428 lines (385 loc) · 21.2 KB
/
users-documentation.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Dependency Analyser - User's documentation</title>
<meta name="author" content="Dependency analysis team">
<meta name="description" content="User's documentation of Dependency Analyser" />
<link rel="stylesheet" href="users-documentation.css" />
</head>
<body>
<div id="main">
<h1>Dependency Analyser - User's documentation</h1>
<h2>Introduction</h2>
<p>This project is a service, which provides information about built artifacts and
analyse the projects' dependencies. It can lookup the Red Hat build artifacts and inform
the users about alternatives instead of the artifacts used in their projects, produces
dependency reports of artifacts and resolves dependency tree.</p>
<p>The Dependency Analyser also maintains a database of whitelisted and blacklisted
artifacts, which should help the user to decide, which artifacts to use in their
projects.</p>
<p>
This project is hosted on
<a href="https://github.com/project-ncl/dependency-analysis">GitHub</a>
and developed mainly by the JBoss Productization team, but external contributors are
welcome.
</p>
<h3>Blacklist / Whitelist</h3>
<p>The service maintains the database of the whitelisted and blacklisted artifacts. This
data in the database can be change by any user right now, but in future it will be
restricted only to authorized users.</p>
<p>The meaning of the this lists is:</p>
<ul>
<li>
<span class="strong">Whitelist</span>
- contains artifacts, which are the best option to be used in the projects. Each
artifact is associated to a particular product. These
artifacts are used in the latest versions of the most important products and
therefore they are supported. The inserted artifacts are restricted to RedHat build
versions of artifacts (e.g. 4.2.18.Final).
</li>
<li>
<span class="strong">Blacklist</span>
- contains artifacts, which should not be used in the projects. There are typically
artifacts, which cannot be built, has unacceptable license, contains
vulnerabilities, etc. The inserted artifacts are restricted to community versions of
artifacts (e.g. 4.2.18.Final).
</li>
</ul>
<p>Artifacts, which are not in any of the lists are treated as graylisted, so there is
no guarantee they are suitable to be used in products and they should instead be judged
manually.</p>
<h3>Lookup of built artifacts</h3>
<p>The Dependency Analyser can lookup the Red Hat built artifacts and tell the user if
the artifact was built or not and provide him alternative versions of the artifact. The
user gets the information about:</p>
<ul>
<li>The latest built version of the artifact</li>
<li>All built versions of artifacts with the same GroupId, ArtifactId</li>
<li>Blacklist/whitelist status of the requested artifact</li>
</ul>
<h3>Dependency reports</h3>
The system is able to provide information about the dependencies of a project. It can
analyse a specific GAV or a repository specified by the URL (+ revision). This feature
extends the lookup and it resolves whole dependency tree and provides information for every
artifact in the tree and also some helper data like how many dependencies are not built.
<h3>Data source</h3>
<p>
Currently data about built artifacts are gathered from the public product repository
(<a href="http://maven.repository.redhat.com/ga">maven.repository.redhat.com</a>).
The dependency analyser has an option to easily add any Maven repository as a source
of supported built artifacts.
</p>
<p>The integration with Brew/MEAD repositories is mostly done and soon the DA
will proxy also artifacts from the candidate tags. There is also a possibility to add any Mead repository as a
source repository for the Dependency Analyser (e.g. repositories of the latest products
builds).</p>
<p>In the future the Dependency Analyser will provide also built artifacts from the Project
Newcastle build system, once it is in production.</p>
<h2>Interfaces</h2>
<p>
The Dependency Analyser is a server side application and there are two ways how to use
it. The
<span class="strong">REST API</span>,
which provides the main logic of the system and provides an easy way to use it in
other applications, and the
<span class="strong">CLI tools</span>,
which are more handy for the manual usage. The CLI tools are mainly a thin client,
which performs gets all data from the service using the REST API.
</p>
<p>It's planned to have a third interface, which will be the UI of the Project Newcastle
build system.</p>
<h3>REST API</h3>
<p>
The REST API is based on the Swagger documentation, which provides an easy way to have
an up to date documentation and also a simple way to try the REST API from the browser.
The path to the Swagger documentation is
<span class="strong">/da/doc </span>
. From this endpoint there is also link to the latest API version.
</p>
<p>This interface is also versioned in the URL (e.g. v-0.3). The same version
guarantees, that there are no backward incompatible changes. Currently only the latest
version of REST API is maintained, but in production there can be more running API
versions.</p>
<h3>CLI tools</h3>
<p>The CLI tools are more handy for the manual usage. Most of the data is obtained from
the server application, so it is not possible to use the CLI tools without connection to
the server. The tools are a simple Bash/Python scripts, which requires to have installed
interprets for Bash and Python 2.7.</p>
<p>There are 2 CLI tools:</p>
<ol>
<li>
<span class="strong">The users tool</span>
- provides all operations except modification of the Blacklist/Whitelist.
</li>
<li>
<span class="strong">The admin tool</span>
- provides all operations. In future this tool will require authentication.
</li>
</ol>
<h2>CLI tools manual</h2>
<p>In this section will be described how to use the CLI tools and what are their
options.</p>
<h3>Installation</h3>
<ul>
<li>
<p>
The easiest way to make the CLI tools running is to
<a href="https://github.com/project-ncl/dependency-analysis/raw/master/cli-wrap/da-cli-tools-0.8.1-pack.zip">download the ZIP archive</a>
from GitHub, which contains all the required support scripts and both CLI tools. The
latest versions of the tools are always placed in the folder /cli. When you download the
ZIP file, you can unzip the file and start using it.
How to do that?
<ol>
<li>Unzip the CLI: unzip da-cli-tools-0.8.1-pack.zip</li>
<li>Enter the folder with CLI: cd da-cli-tools-0.8.1</li>
<li>Change permissions: chmod +x *.py *.sh</li>
<li>Run the script. E.g.: ./da-cli.sh lookup org.hibernate:hibernate-core:4.2.21.Final</li>
</ol>
</p>
</li>
<li>
<p>
Second option is to clone Dependency Analyser repository via git:
<ol>
<li>Clone the repository: git clone https://github.com/project-ncl/dependency-analysis</li>
<li>Enter the directory with the CLI: cd dependency-analysis/cli-wrap/src/main/resources/cli/</li>
<li>Change permissions: chmod +x *.py *.sh</li>
<li>Run the CLI. E.g.: ./da-cli.sh lookup org.hibernate:hibernate-core:4.2.21.Final</li>
</ol>
</p>
</li>
</ul>
<p>Note: There is no configuration option to specify the URL of the server. Currently it
is hardcoded in the scripts to simplify the distribution to the users, but of course it
will be added later.</p>
<h3>Options description</h3>
<p>There is a couple of options, which can define the behavior of the CLI tool. The more
complex options are described in this section. If you want to see description of all the
available options you can find it in the help of the tool.</p>
<p>The output of the tool is delimited by the tab, but in this section the data are
displayed in the list, which strictly conforms to the order of the output</p>
<ul id="options">
<li>
<span class="strong">No parameters</span>
<ul>
<li>The tool will print the help with a basic description of options</li>
</ul>
</li>
<li>
<span class="strong">Lookup built artifacts (lookup)</span>
<ul>
<li>Lookups all built versions of the requested GA and reports if there is
any exact match to the requested GAV</li>
<li>
<span class="strong">Output:</span>
<ul>
<li>Requested GAV</li>
<li>RH version of the artifact or "None" if the artifact was not
found</li>
<li>blacklisted/greylisted/whitelisted</li>
<li>All built versions of the requested GA</li>
</ul>
<li>
<span class="strong">Usage:</span>
./da-cli.sh lookup [GROUP_ID:ARTIFACT_ID[:PACKAGING[:CLASSIFIER]]:VERSION[:SCOPE]] [--products PRODUCTS] [--productIDs IDS]
<br />
When GROUP_ID:ARTIFACT_ID:VERSION is specified finds corresponding redhat versions for it.
When it is not specified, reads G:A:Vs from standard input and finds corresponding redhat versions for all of them.
Packaging, classifier and scope is ignored in both cases.
Consider artifact only from products specified by IDs ([--productIDs IDS]) or names ([--products PRODUCTS]).
</li>
</ul>
</li>
<li>
<span id="optionReport" class="strong">Dependency report of a GAV (report)</span>
<ul>
<li>
Creates a dependency report for a single GAV. This option provides the
information from the lookup plus the same information also for dependencies
and some additional information like "how many transitive dependencies is
not built".
<br />
To make the output better readable the all available builds of GAVs are
collapsed to the single information "how many builds of GAV exists". To
display all the builds you can use parameter "--raw", which also provides
script-friendly output.
</li>
<li>
<span class="strong">Output:</span>
<ul>
<li>GAV</li>
<li>RH version of the artifact or "None" if the artifact was not
found</li>
<li>blacklisted/greylisted/whitelisted</li>
<li>Number of not built transitive dependencies (XY dependencies
not built) or "all dependencies built"</li>
<li>All available versions</li>
</ul>
<li>
<span class="strong">Usage:</span>
./da-cli.sh report [--raw|--json] [--products PRODUCTS] [--productIDs IDS] GROUP_ID:ARTIFACT_ID:VERSION
</li>
</ul>
</li>
<li>
<span id="optionScmReport" class="strong">Dependency report of a SCM
repository (scm-report)</span>
<ul>
<li>
Creates a dependency report for a single SCM repository (Currently only Git
repositories are supported). This option provides the same information as
the
<a href="#optionReport">report</a>
option. The dependency report is expected to start from some module/POM in
the project and analyses the POM dependencies.
</li>
<li>
<span class="strong">Output:</span>
The same as in the option
<a href="#optionReport">report</a>
.
<li>
<span class="strong">Usage:</span>
./da-cli.sh scm-report [--raw|--json] scm tag pom-path [--products PRODUCTS] [--productIDs IDS]
<ul>
<li>scm - URL to the remote SCM repository</li>
<li>tag - Tag, branch or revision of the SCM</li>
<li>pom-path - Path to the POM in the repository, which will be the
starting POM for the analysis</li>
<li>Consider artifact only from products specified by IDs ([--productIDs IDS]) or names ([--products PRODUCTS])</li>
</ul>
</li>
</ul>
</li>
<li>
<span class="strong">Advanced dependency report of a SCM repository
(scm-report-advanced)</span>
<ul>
<li>
This option extends the standard
<a href="#optionScmReport">SCM dependency report</a>
with the some summarizing information related directly to the analysed
project.
<br />
The new information are: which project GAVs are whitelisted / blacklisted,
which GAVs are already built / not built / built in the different versions.
</li>
<li>
<span class="strong">Output:</span>
<ul>
<li>Blacklisted artifacts in a project</li>
<li>Whitelisted artifacts in a project</li>
<li>Built community artifacts, which were built internally</li>
<li>Community artifacts with other built version - artifacts, which wasn't built, but there are builds of the same GA</li>
<li>Community artifacts - artifacts, which weren't been built</li>
<li>
The same dependency tree as in the regular
<a href="#optionReport">dependency report</a>
</li>
</ul>
All the summarizing informations are only for the top-level dependencies
(dependencies in projects' POMs) of the project's modules.
<li>
<span class="strong">Usage:</span>
./da-cli.sh scm-report-advanced [--json] scm tag pom-path [--products PRODUCTS] [--productIDs IDS]
<ul>
<li>scm - URL to the remote SCM repository</li>
<li>tag - Tag, branch or revision of the SCM</li>
<li>pom-path - Path to the POM in the repository, which will be the
starting POM for the analysis</li>
<li>Consider artifact only from products specified by IDs ([--productIDs IDS]) or names ([--products PRODUCTS])</li>
</ul>
</li>
</ul>
</li>
<li>
<span class="strong">Align report</span>
<ul>
<li>
This option checks toplevel dependencies of all modules from git-scm link and prints sumarized information.
</li>
<li>
<span class="strong">Output:</span>
<ul>
<li>Internaly built:
MODULE
DEPENDENCY - BUILT_VERSION (PRODUCT)
</li>
<li>Built in different version:
MODULE
DEPENDENCY - BUILT_VERSION (PRODUCT)
</li>
<li>Not built:
MODULE
DEPENDENCY
</li>
<li>Blacklisted:
MODULE
DEPENDENCY
</li>
</ul>
</li>
<li>
<span class="strong">Usage</span>
./da-cli.sh align-report [--json] [--unknown] [--productIDs IDS]... [--repository REPOSITORY]... SCM TAG [POM-PATH]
<ul>
<li>--json Output unparsed response from Dependency Analyzer.</li>
<li>--unknown Consider artifacts from unknown products.</li>
<li>--productIDs IDS Consider artifact only from specified product IDs. IDS should be comma separated.</li>
<li>--repository REPOSITORY Aditional maven repositories required by the analysed project. You can specify this
option multiple times.</li>
</ul>
</li>
</ul>
</li>
<li>
<span class="strong">Difference of products</span>
<ul>
<li>
Returns list of different versions of artifacts between two products given by their IDs
</li>
<li>
<span class="strong">Output:</span>
<ul>
<li>
List of different versions
</li>
</ul>
</li>
<li>
<span class="strong">Usage</span>
./da-cli.sh difference [--json] leftID rightID
<ul>
<li>--json Output unparsed response from Dependency Analyzer.</li>
<li>leftID ID of first product</li>
<li>rightID ID of second product</li>
</ul>
</li>
</ul>
</ul>
<h3>Examples</h3>
<dl>
<dt>List all artifacts in the whitelist</dt>
<dd>./da-cli.sh list white</dd>
<dt>Add a product to whitelist</dt>
<dd>./da-cli-admin.sh add whitelist-product eap:7.0.0 SUPPORTED</dd>
<dt>Add an artifact to whitelist</dt>
<dd>./da-cli-admin.sh add white org.jboss.hibernate:hibernate-core:3.4.2.redhat-1 eap:7.0.0</dd>
<dt>Remove an artifact from blacklist</dt>
<dd>./da-cli-admin.sh delete black org.jboss.hibernate:hibernate-core:3.4.2</dd>
<dt>Check all dependencies from pom and print their black/white list status</dt>
<dd>./da-cli.sh pom-bw <PATH_TO_DIRECTORY></dd>
<dt>Check all dependencies from pom and print their report status</dt>
<dd>./da-cli.sh pom-report <PATH_TO_DIRECTORY></dd>
<dt>Lookup built versions of an artifact</dt>
<dd>./da-cli.sh lookup org.hibernate:hibernate-core:4.2.18.Final</dd>
<dt>Create dependency report of an artifact</dt>
<dd>./da-cli.sh report org.hibernate:hibernate-core:4.2.18.Final</dd>
<dt>Create SCM report for a project module</dt>
<dd>./da-cli.sh scm-report https://github.com/jboss-fuse/fuse
fuseenterprise-6.2.1.redhat-084 ./esb/pom.xml</dd>
</dl>
</div>
</body>
</html>