* fix bug where pipreport used index urls in requirements.txt
* update tests
* docs
* add --no-input to pip install, so we do not hang waiting for user input
* pr feedback: performance and cleanup
* bump version
* revert experiment graduation, bump threads, and enable fast deps
* put reqs back
* add ability for pip to detect pregenerated reports with a specific naming scheme
* better directory handling
* improve logging
* add fallback logic to pipreport for cases where we shouldn't reach out to remote feed, and should parse source instead
* add the manual detection as fallback if pip report fails
* add option to skip or fallback to a source code scan
* add docs and fix tests
* remove fallback
* add fallback back, and env var to allow for skipping fallback
* Support development dependencies for the Gradle detector
Lack of development dependency detection for Gradle is a problem for
Android teams, especially in the context of Component Governance
alerts. Unfortunately Gradle doesn't provide enough information to
definitively identify dev dependencies in all cases, so manual
configuration is required. This change adds dev dependency
classification through two mechanisms
1. `buildscript-gradle.lockfile` and `settings-gradle.lockfile`
contain only build-system dependencies, so always classify these as
development dependencies.
2. Processing based on two new environment variables:
`GRADLE_PROD_CONFIGURATIONS_REGEX` and
`GRADLE_DEV_CONFIGURATIONS_REGEX`. Gradle lockfiles indicate which
Gradle configuration(s) each dependency is required by.
`GRADLE_PROD_CONFIGURATIONS_REGEX` allows specifying
production configurations explicitly. All other configurations are
considered development. Alternately, dev configurations may be
specified in `GRADLE_DEV_CONFIGURATIONS_REGEX` and all others are
considered production.
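The classification rules above, worked through on a constructed lockfile. This is an added illustration, not the project's own C# detector code: it assumes the standard Gradle lockfile line format `group:artifact:version=config1,config2` (with `#` comment lines and the trailing `empty=` line skipped), assumes the regexes are applied with `re.search` against each configuration name, and assumes one precedence rule where the text leaves it open: with the prod regex set, a dependency is production if any of its configurations matches; with the dev regex set, it is development only if all of its configurations match. The filenames, coordinates and configuration names in the sample are made up.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample lockfiles (assumption: Gradle's group:artifact:version=configs format).
GRADLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
com.squareup.okhttp3:okhttp:4.12.0=debugRuntimeClasspath,releaseRuntimeClasspath
junit:junit:4.13.2=debugUnitTestRuntimeClasspath
org.mockito:mockito-core:5.3.1=debugUnitTestRuntimeClasspath,releaseUnitTestRuntimeClasspath
androidx.test:runner:1.5.2=debugAndroidTestRuntimeClasspath,debugRuntimeClasspath
empty=lintClassPath
"""

BUILDSCRIPT_LOCKFILE = """\
com.android.tools.build:gradle:8.1.0=classpath
"""

# Mechanism 1: these lockfiles only hold build-system dependencies, so always dev.
ALWAYS_DEV_LOCKFILES = {"buildscript-gradle.lockfile", "settings-gradle.lockfile"}


@dataclass(frozen=True)
class Dep:
    name: str
    version: str
    configurations: tuple
    is_dev: bool


def parse_lockfile(text):
    """Yield (name, version, configurations) for each dependency line."""
    for raw in text.splitlines():
        line = raw.strip()
        # Skip comments, blank lines and the trailing 'empty=' marker line.
        if not line or line.startswith("#") or line.startswith("empty="):
            continue
        coordinate, _, configs = line.partition("=")
        group, artifact, version = coordinate.split(":", 2)
        yield f"{group}:{artifact}", version, tuple(c for c in configs.split(",") if c)


def classify(filename, text, env=None):
    """Mechanism 2: classify each dependency using the two regex environment variables.

    env defaults to os.environ; pass a dict to make the function testable offline.
    """
    env = os.environ if env is None else env
    prod_re = env.get("GRADLE_PROD_CONFIGURATIONS_REGEX")
    dev_re = env.get("GRADLE_DEV_CONFIGURATIONS_REGEX")
    prod_pat = re.compile(prod_re) if prod_re else None
    dev_pat = re.compile(dev_re) if dev_re else None
    always_dev = os.path.basename(filename) in ALWAYS_DEV_LOCKFILES

    deps = []
    for name, version, configs in parse_lockfile(text):
        if always_dev:
            is_dev = True
        elif prod_pat is not None:
            # Assumption: any production configuration makes the dependency production.
            is_dev = not any(prod_pat.search(c) for c in configs)
        elif dev_pat is not None:
            # Assumption: only a dependency used solely by dev configurations is dev.
            is_dev = all(dev_pat.search(c) for c in configs)
        else:
            # Neither variable set: no basis to call anything dev.
            is_dev = False
        deps.append(Dep(name, version, configs, is_dev))
    return deps


def summarize(deps):
    """Map dependency name to its dev flag, for easy inspection or assertion."""
    return {d.name: d.is_dev for d in deps}


if __name__ == "__main__":
    sample_env = {"GRADLE_PROD_CONFIGURATIONS_REGEX": r"^(debug|release)RuntimeClasspath$"}
    for dep in classify("app/gradle.lockfile", GRADLE_LOCKFILE, sample_env):
        print(f"{dep.name}:{dep.version}  dev={dep.is_dev}  {','.join(dep.configurations)}")
    for dep in classify("buildscript-gradle.lockfile", BUILDSCRIPT_LOCKFILE, sample_env):
        print(f"{dep.name}:{dep.version}  dev={dep.is_dev}  (buildscript lockfile)")
```

Note that `androidx.test:runner` is the interesting case: it appears in both an `androidTest` configuration and the main `debugRuntimeClasspath`, so under either regex it ends up classified as production. A dev regex that only names test configurations will never silently hide a dependency that also ships in the app.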
* Changes based on meeting prior to the holidays
* fluent assertions
* Visual studio recommendations
* More fluent assertions
* Fix test to be cross-platform
* Fix the cross-platform test fix
* Fix code coverage by removing dead code check
* Address code review comments
* Add a new detector: CondaComponentDetector
---------
Signed-off-by: Max Magorsch <maxmagorsch@microsoft.com>
Co-authored-by: Pawel <pjanowski@users.noreply.github.com>
* WIP
* Updated some Nett reference -> Toml
* More changes for Nett to Tomlyn
* Changing ref back to Nett since project_assets_2_2 is only used in tests
* Updated Data attributes and removed unnecessary comments
* Updated Data attributes in PoetryLock file
* Made property type more specific
* Formatting fixes
* Made updates to add or ignore rproperties used in Toml Deserialization
* Added documentation for running verification tests
Co-authored-by: Jamie Magee <jamie.magee@gmail.com>
When the detector found a link dependency it failed the detection and the rest of the components were not scanned. This change ignores the link dependencies and allows the detector to continue parsing the rest of the file.
Previously, the Go detector by default scanned the manifest and generated components. We were using the EnableGoCliScan env. variable to activate the Go CLI detector. With this change, the use of EnableGoCliScan is removed. The Go detector by default uses the CLI scan.
To manually override this behavior, a new env. variable DisableGoCliScan is introduced.