feat: Add the main file for determine package reachability level of Python project #2131
Conversation
p1gc0rn
changed the title
p1gc0rn
changed the title
|
can you add some description for this PR? |
p1gc0rn
changed the title
| @@ -0,0 +1,415 @@ | |||
| # This file is automatically @generated by Poetry 2.1.3 and should not be changed by hand. | |||
There was a problem hiding this comment.
I don't see this example project is being referenced anywhere in test?
| Dependencies []string // Direct dependencies declared in library's metadata | ||
| } | ||
|
|
||
| // Constants for terminal output formatting |
There was a problem hiding this comment.
this comment should be removed?
|
|
||
| // 6. Comparison between the collected imported libraries and the PYPI dependencies of the libraries | ||
| // to find the reachability of the PYPI dependencies. | ||
| for _, library := range importedLibraries { |
There was a problem hiding this comment.
let's make a struct for the output so that we can test the reachability result properly as well.
There was a problem hiding this comment.
https://github.com/google/osv-scalibr/blob/main/enricher/reachability/java/java.go can be a reference about what the results should look like.
|
|
||
| for _, tc := range testCases { | ||
| t.Run(tc.name, func(t *testing.T) { | ||
| ctx := context.Background() |
There was a problem hiding this comment.
you may use t.Context() for context in testing
| } | ||
| } | ||
|
|
||
| // To compare slices, we need a canonical order. |
There was a problem hiding this comment.
I assume the main entry point will be a single string so we probably don't need to sort it.
| response, _ := reg.GetIndex(ctx, libraryInfo.Name) | ||
| downloadURL := "" | ||
| fileName := strings.ToLower(fmt.Sprintf(`%s-%s.tar.gz`, libraryInfo.Name, libraryInfo.Version)) | ||
| for _, file := range response.Files { |
There was a problem hiding this comment.
you may use pypi.SdistVersion to check what is the version of the file name, see https://github.com/google/osv-scalibr/blob/629500d6fb6a1392afe40e0c9327c48a787358d8/clients/resolution/pypi_registry_client.go#L95
|
|
||
| //fmt.Printf("Looking for file %s\n", fileName) | ||
| if file.Name == fileName { | ||
| downloadURL = file.URL |
There was a problem hiding this comment.
break the loop? since the file is found
| } | ||
| } | ||
|
|
||
| downloadFileSource, err := downloadPackageSource(downloadURL) |
There was a problem hiding this comment.
| @@ -0,0 +1 @@ | |||
| #!/bin/bash No newline at end of file | |||
There was a problem hiding this comment.
is there any particular reason that we want to keep this shell script?
| @@ -0,0 +1,3 @@ | |||
| print('hello') | |||
There was a problem hiding this comment.
let's add newline to end of these test files if that won't bring any trouble
|
we probably need |
2 participants
The new feature helps determine the reachability of imported Python libraries in a Python project. This is part of the under developing project for imported Python libraries' reachability.
This PR includes the support for imported Python libraries defined in poetry.lock file.