* Use MSTest meta package
This enables running MSTest Analyzers on test code to help avoid common test problems.
* Fix code coverage
* Fixes
Upgrade to latest and fix unnecessary type param
* Fix tests
* PR feedback
* Fix CC
* fix bug where pipreport used index urls in requirements.txt
* update tests
* docs
* add --no-input to pip install, so we do not hang waiting for user input
* pr feedback: performance and cleanup
* bump version
* Support development dependencies for the Gradle detector
Lack of development dependency detection for Gradle is a problem for
Android teams, especially in the context of Component Governance
alerts. Unfortunately Gradle doesn't provide enough information to
definitively identify dev dependencies in all cases, so manual
configuration is required. This change adds dev dependency
classification through two mechanisms
1. `buildscript-gradle.lockfile` and `settings-gradle.lockfile`
contain only build-system dependencies, so always classify these as
development dependencies.
2. Processing based on two new environment variables:
`GRADLE_PROD_CONFIGURATIONS_REGEX` and
`GRADLE_DEV_CONFIGURATIONS_REGEX`. Gradle lockfiles indicate which
Gradle configuration(s) each dependency is required by.
`GRADLE_PROD_CONFIGURATIONS_REGEX` allows specifying
production configurations explicitly. All other configurations are
considered development. Alternately, dev configurations may be
specified in `GRADLE_DEV_CONFIGURATIONS_REGEX` and all others are
considered production.
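An added illustration of the classification rules described in the commit message above; this is not code from the commit or the project. It assumes the regex must match the whole configuration name, that a dependency counts as production if any of its configurations is production, and that everything is production when neither variable is set. The sample lockfile is constructed.

```python
import re

# Lockfiles that, per the commit message, hold only build-system dependencies.
BUILD_ONLY_LOCKFILES = {"buildscript-gradle.lockfile", "settings-gradle.lockfile"}


def parse_lockfile(text):
    """Yield (coordinate, [configurations]) for each locked dependency."""
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and the "empty=" line (configurations with no deps).
        if not line or line.startswith("#") or line.startswith("empty="):
            continue
        coordinate, _, configs = line.partition("=")
        yield coordinate, [c for c in configs.split(",") if c]


def is_dev(configs, env):
    """Assumed policy: one production configuration makes the dependency production."""
    prod = env.get("GRADLE_PROD_CONFIGURATIONS_REGEX")
    dev = env.get("GRADLE_DEV_CONFIGURATIONS_REGEX")
    if prod:  # explicit production list: everything else is development
        return not any(re.fullmatch(prod, c) for c in configs)
    if dev:   # explicit development list: everything else is production
        return bool(configs) and all(re.fullmatch(dev, c) for c in configs)
    return False  # nothing configured: treat as production (assumption)


def classify(lockfile_name, text, env):
    """Return {coordinate: "dev" | "prod"} for one lockfile."""
    build_only = lockfile_name in BUILD_ONLY_LOCKFILES
    return {
        coord: "dev" if build_only or is_dev(configs, env) else "prod"
        for coord, configs in parse_lockfile(text)
    }


# Constructed sample lockfile, not taken from a real project.
SAMPLE = """\
# This is a Gradle generated file for dependency locking.
com.squareup.okhttp3:okhttp:4.12.0=debugRuntimeClasspath,releaseRuntimeClasspath
junit:junit:4.13.2=debugUnitTestRuntimeClasspath,releaseUnitTestRuntimeClasspath
com.squareup.leakcanary:leakcanary-android:2.12=debugRuntimeClasspath
empty=lintChecks
"""

if __name__ == "__main__":
    env = {"GRADLE_PROD_CONFIGURATIONS_REGEX": r"release(Compile|Runtime)Classpath"}
    for coord, scope in classify("gradle.lockfile", SAMPLE, env).items():
        print(scope, coord)
```

A debug-only dependency such as the leak detector in the sample is reported as development under either variable, which is what keeps it out of production governance alerts.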
* Changes based on meeting prior to the holidays
* fluent assertions
* Visual studio recommendations
* More fluent assertions
* Fix test to be cross-platform
* Fix the cross-platform test fix
* Fix code coverage by removing dead code check
* Address code review comments
* Add explicit reference to System.Threading.Tasks.Dataflow
Add explicit reference to System.Threading.Tasks.Dataflow to avoid version resolution conflicts.
* Force resolve System.Threading.Tasks.Dataflow
* fix IDE0120: Simplify LINQ expression
* fixed IDE0037: Member name can be simplified
* fix: IDE0071: Interpolation can be simplified
* fixed IDE0052: Private member can be removed as the value assigned to it is never read
* fixed IDE0032: Use auto property
* IDE0054: Use compound assignment
* fixed SA1203: constant fields should not be after the non-constant
* fixed IDE0037 by reformatting
* fixed SA1316: Tuple element names should use correct casing
* fixed SA1216: Using static directives should be placed at the correct location
* fixed SA1401: field should be private
* Fix SA1202
* removed whitespace
* reverted this file
* reverted this file
* Reverted this file
* Fixing indentation
* Removed whitespace
* Removed whitespace
* changed location of static variable
* took out the SA1202 suggestion
* changed private method to come after public methods
* Added suppression message for access level order
Co-authored-by: Amitla Vannikumar <avannikumar@microsoft.com>
Previously, the Go-Detector by default scanned the manifest and generated components. We were using EnableGoCliScan env. variable to activate the Go Cli Detector. With this change, the use of EnableGoCliScan is removed. The Go detector by default uses Cli scan.
To manually override this behavior, new env. variable DisableGoCliScan is introduced.
* Added "DependencyScope" for scanned component. Currently detection is only active for maven components.
* Added telemetry to keep track of each recorded component.
* refactor(linux): use a smaller image to test base image annotations
Currently we're using an Ubuntu image, which is >100MB for unit tests. This is a large image for build machines and users to pull in for a single unit test, especially when we're only checking annotations.
This PR instead uses the `docker.io/library/hello-world:latest` image, which weighs in at a whopping 13KB.
* UTC time
* Support case-insensitive on non-Windows OSs.
The environment variable EnableGoCliScan existence gates usage of the Go
CLI tools for determining what modules are in-use. The current check does
a get of the environment variable, and if it exists behavior is enabled.
On Windows this is case-insensitive, but on Linux (or MacOS) this is
case-sensitive so the user must exactly use the casing of
'EnableGoCliScan'.
Our CI system automatically capitalizes all environment variables when
they are defined, so EnableGoCliScan becomes ENABLEGOCLISCAN. I am not
aware of a way to control this behavior, so there is no way to enable Go
CLI tooling. My fix is to treat all environment variable existence
checks as case-insensitive.
* New components can be detected with Env Variable change
Co-authored-by: Greg Villicana <gregory.villicana@microsoft.com>