
Commit 7f092c1

authored
v1.0.0
* chore:SP-2737 Update scanoss-py version to v1.26.1 * chore:SP-2739 Adds debug option * chore:SP-2741 Add 'debug' option unit tests * chore:SP-2738 Updates documentation * chore:Upgrades SCANOSS ADO version to v1.0.0 * chore:SP-2744 Removes support for sbom.json file * chore:Updates PR example images
1 parent 08a2cd0 commit 7f092c1

18 files changed

Lines changed: 179 additions & 166 deletions

OVERVIEW.md

Lines changed: 56 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,42 @@ The SCANOSS Code Scan task enhances your software development process by automat
44
## Usage
55
Before using the SCANOSS Code Scan Task, you need to install it from the Azure Marketplace. You can find it [here](https://marketplace.visualstudio.com/items?itemName=SCANOSS.scanoss-code-scan).
66

7+
## Breaking change v1.0.0
8+
9+
- Default runtime container updated to `ghcr.io/scanoss/scanoss-py:v1.26.1`
10+
- Removed parameters:
11+
- `sbomEnabled`
12+
- `sbomFilepath`
13+
- `sbomType`
14+
15+
### Converting from sbom.json to scanoss.json
16+
The SBOM configuration format has changed and the file name must be updated from **sbom.json** to **scanoss.json**. Here's how to convert your existing configuration:
17+
18+
Old format (sbom.json):
19+
```json
20+
{
21+
"components": [
22+
{
23+
"purl": "pkg:github/scanoss/scanner.c"
24+
}
25+
]
26+
}
27+
```
28+
29+
New format (scanoss.json):
30+
```json
31+
{
32+
"bom": {
33+
"include": [
34+
{
35+
"purl": "pkg:github/scanoss/scanner.c"
36+
}
37+
]
38+
}
39+
}
40+
```
41+
42+
743
### Set Up
844

945
The SCANOSS Code Scan Task uses the Azure API to create Checks and Comments on Pull Requests. Once the pipeline is available upstream, ensure you have the correct permissions set up on your repository:
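Review bot: The breaking-change section tells users to rename sbom.json to scanoss.json, but it does not say what happens to a pipeline that still ships sbom.json or still passes `sbomEnabled`/`sbomFilepath`/`sbomType`: with those inputs gone, such a pipeline keeps running, its identify list is no longer applied, and the undeclared-components results change silently. Add a sentence stating that the removed parameters are ignored and that an unconverted sbom.json is no longer read. The conversion example also only covers the old `identify` mode; the removed `sbomType` accepted `ignore` as well (see the old parameter table further down), so either show the scanoss.json equivalent of an ignore-type SBOM or point to the settings-file documentation already linked from the parameter table.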
@@ -106,29 +142,26 @@ When the pipeline is manually triggered or runs on a schedule, the results are u
106142
107143
### Action Input Parameters
108144
109-
| **Parameter** | **Description** | **Required** | **Default** |
110-
|--------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|--------------------------------------|
111-
| outputFilepath | Scan output file name. | Optional | `results.json` |
112-
| sbomEnabled | Enable or disable scanning based on the SBOM file | Optional | `true` |
113-
| sbomFilepath | Filepath of the SBOM file to be used for scanning | Optional | `sbom.json` |
114-
| sbomType | Type of SBOM operation: either 'identify' or 'ignore | Optional | `identify` |
115-
| dependenciesEnabled | Option to enable or disable scanning of dependencies. | Optional | `false` |
116-
| dependenciesScope | Gets development or production dependencies (scopes: dev - prod ) | Optional | - |
117-
| dependenciesScopeInclude | Custom list of dependency scopes to be included. Provide scopes as a comma-separated list. | Optional | - |
118-
| dependenciesScopeExclude | Custom list of dependency scopes to be excluded. Provide scopes as a comma-separated list. | Optional | - |
119-
| policies | List of policies separated by commas, options available are: copyleft, undeclared. | Optional | - |
120-
| policiesHaltOnFailure | Halt check on policy failure. If set to false checks will not fail. | Optional | `true` |
121-
| apiUrl | SCANOSS API URL | Optional | `https://api.osskb.org/scan/direct` |
122-
| apiKey | SCANOSS API Key | Optional | - |
123-
| runtimeContainer | Runtime URL | Optional | `ghcr.io/scanoss/scanoss-py:v1.20.4` |
124-
| licensesCopyleftInclude | List of Copyleft licenses to append to the default list. Provide licenses as a comma-separated list. | Optional | - |
125-
| licensesCopyleftExclude | List of Copyleft licenses to remove from default list. Provide licenses as a comma-separated list. | Optional | - |
126-
| licensesCopyleftExplicit | Explicit list of Copyleft licenses to consider. Provide licenses as a comma-separated list. | Optional | - |
127-
| skipSnippets | Skip the generation of snippets. (scan_files option must be enabled) | Optional | `false` |
128-
| scanFiles | Enable or disable file and snippet scanning | Optional | `true` |
129-
| scanossSettings | Settings file to use for scanning. See the SCANOSS settings [documentation](https://scanoss.readthedocs.io/projects/scanoss-py/en/latest/#settings-file) | Optional | `true` |
130-
| settingsFilepath | Filepath of the SCANOSS settings to be used for scanning | Optional | `scanoss.json` |
131-
145+
| **Parameter** | **Description** | **Required** | **Default** |
146+
|--------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|----------------|--------------------------------------|
147+
| outputFilepath | Scan output file name. | Optional | `results.json` |
148+
| dependenciesEnabled | Option to enable or disable scanning of dependencies. | Optional | `false` |
149+
| dependenciesScope | Gets development or production dependencies (scopes: dev - prod ) | Optional | - |
150+
| dependenciesScopeInclude | Custom list of dependency scopes to be included. Provide scopes as a comma-separated list. | Optional | - |
151+
| dependenciesScopeExclude | Custom list of dependency scopes to be excluded. Provide scopes as a comma-separated list. | Optional | - |
152+
| policies | List of policies separated by commas, options available are: copyleft, undeclared. | Optional | - |
153+
| policiesHaltOnFailure | Halt check on policy failure. If set to false checks will not fail. | Optional | `true` |
154+
| apiUrl | SCANOSS API URL | Optional | `https://api.osskb.org/scan/direct` |
155+
| apiKey | SCANOSS API Key | Optional | - |
156+
| runtimeContainer | Runtime URL | Optional | `ghcr.io/scanoss/scanoss-py:v1.26.1` |
157+
| licensesCopyleftInclude | List of Copyleft licenses to append to the default list. Provide licenses as a comma-separated list. | Optional | - |
158+
| licensesCopyleftExclude | List of Copyleft licenses to remove from default list. Provide licenses as a comma-separated list. | Optional | - |
159+
| licensesCopyleftExplicit | Explicit list of Copyleft licenses to consider. Provide licenses as a comma-separated list. | Optional | - |
160+
| skipSnippets | Skip the generation of snippets. (scan_files option must be enabled) | Optional | `false` |
161+
| scanFiles | Enable or disable file and snippet scanning | Optional | `true` |
162+
| scanossSettings | Settings file to use for scanning. See the SCANOSS settings [documentation](https://scanoss.readthedocs.io/projects/scanoss-py/en/latest/#settings-file) | Optional | `true` |
163+
| settingsFilepath | Filepath of the SCANOSS settings to be used for scanning | Optional | `scanoss.json` |
164+
| debug | Enable debugging | Optional | `false` |
132165

133166
## Policy Checks
134167
The SCANOSS Code Scan Task includes two configurable policies:
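Review bot: The new `debug` row's description, "Enable debugging", does not say what the option does. From the other hunks in this commit it appends `--debug` to the scanoss-py `inspect` commands built by the copyleft and undeclared policy checks, so say that, and mention that the extra output goes to the pipeline log. While this table is being rewritten, two older rows deserve the same treatment: `scanossSettings` reads like a file path ("Settings file to use for scanning") although app.input.ts treats it as a true/false switch with default `true`, and `runtimeContainer` is described as "Runtime URL" although its value is a container image reference.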

codescantask/app.input.ts

Lines changed: 3 additions & 5 deletions
@@ -33,13 +33,11 @@ export const API_KEY = tl.getInput('apiKey');
3333
export const API_URL = tl.getInput('apiUrl');
3434
export const OUTPUT_FILEPATH = tl.getInput('outputFilepath') || "results.json";
3535
export const REPO_DIR = tl.getVariable('Build.Repository.LocalPath') || ''; // Get repository path
36-
export const SBOM_ENABLED = tl.getInput('sbomEnabled') === 'true';
37-
export const SBOM_FILEPATH = tl.getInput('sbomFilepath') || "sbom.json" ;
38-
export const SBOM_TYPE = tl.getInput('sbomType');
3936
export const POLICIES_HALT_ON_FAILURE = tl.getInput('policiesHaltOnFailure') === 'true';
40-
export const RUNTIME_CONTAINER = tl.getInput('runtimeContainer') || "ghcr.io/scanoss/scanoss-py:v1.20.4";
37+
export const RUNTIME_CONTAINER = tl.getInput('runtimeContainer') || "ghcr.io/scanoss/scanoss-py:v1.26.1";
4138
export const SKIP_SNIPPETS = tl.getInput('skipSnippets') === 'true';
4239
export const SCAN_FILES = tl.getInput('scanFiles') === 'true';
4340
export const SCANOSS_SETTINGS = tl.getInput('scanossSettings') === 'true';
4441
export const SETTINGS_FILE_PATH = tl.getInput('settingsFilepath') || 'scanoss.json';
45-
export const EXECUTABLE = 'docker';
42+
export const EXECUTABLE = 'docker';
43+
export const DEBUG = tl.getInput('debug') === 'true';
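Review bot: Removing `SBOM_ENABLED`, `SBOM_FILEPATH` and `SBOM_TYPE` drops the inputs without any transition handling, so a pipeline that still sets `sbomEnabled` or `sbomFilepath` keeps running with its identify list silently ignored. Consider emitting a warning while the old names are still in use, e.g. `if (tl.getInput('sbomFilepath') || tl.getInput('sbomType')) tl.warning('sbom* inputs were removed in v1.0.0; use settingsFilepath with scanoss.json');`. Also, `EXECUTABLE` is deleted and re-added unchanged; keep it in place and add `DEBUG` after it so the hunk shows only the real change.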

codescantask/package-lock.json

Lines changed: 2 additions & 2 deletions

codescantask/package.json

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
{
22
"name": "azure-devops-integration",
3-
"version": "0.1.5",
3+
"version": "1.0.0",
44
"description": "",
55
"main": "index.js",
66
"scripts": {

codescantask/policies/copyleft-policy-check.ts

Lines changed: 2 additions & 1 deletion
@@ -25,7 +25,7 @@ import { PolicyCheck } from './policy-check';
2525
import * as tl from "azure-pipelines-task-lib";
2626
import {
2727
COPYLEFT_LICENSE_EXCLUDE, COPYLEFT_LICENSE_EXPLICIT,
28-
COPYLEFT_LICENSE_INCLUDE, EXECUTABLE,
28+
COPYLEFT_LICENSE_INCLUDE, DEBUG, EXECUTABLE,
2929
OUTPUT_FILEPATH,
3030
REPO_DIR,
3131
RUNTIME_CONTAINER
@@ -67,6 +67,7 @@ export class CopyleftPolicyCheck extends PolicyCheck {
6767
'--format',
6868
'md',
6969
...this.buildCopyleftArgs(),
70+
...(DEBUG ? ['--debug'] : [])
7071
];
7172
}
7273

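Review bot: The `...(DEBUG ? ['--debug'] : [])` spread added here is duplicated verbatim in undeclared-policy-check.ts in the same commit; a small helper on the `PolicyCheck` base class, say a hypothetical `debugArgs()`, would keep the two argument lists from drifting when the next flag is added.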
codescantask/policies/undeclared-policy-check.ts

Lines changed: 3 additions & 2 deletions
@@ -22,7 +22,7 @@
2222
*/
2323

2424
import { PolicyCheck } from './policy-check';
25-
import {EXECUTABLE, OUTPUT_FILEPATH, REPO_DIR, RUNTIME_CONTAINER, SCANOSS_SETTINGS} from '../app.input';
25+
import {DEBUG, EXECUTABLE, OUTPUT_FILEPATH, REPO_DIR, RUNTIME_CONTAINER, SCANOSS_SETTINGS} from '../app.input';
2626
import * as tl from 'azure-pipelines-task-lib';
2727

2828
/**
@@ -42,7 +42,8 @@ export class UndeclaredPolicyCheck extends PolicyCheck {
4242
private buildArgs(): Array<string> {
4343
return ['run', '-v', `${REPO_DIR}:/scanoss`, RUNTIME_CONTAINER, 'inspect', 'undeclared', '--input',
4444
OUTPUT_FILEPATH, '--format', 'md',
45-
...(!SCANOSS_SETTINGS ? ['--sbom-format', 'legacy']: []) // Sets sbom format output to legacy if SCANOSS_SETTINGS is not true
45+
...(!SCANOSS_SETTINGS ? ['--sbom-format', 'legacy']: []), // Sets sbom format output to legacy if SCANOSS_SETTINGS is not true
46+
...(DEBUG ? ['--debug'] : [])
4647
];
4748
}
4849

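Review bot: With `sbomEnabled`/`sbomFilepath` removed in this commit, the `!SCANOSS_SETTINGS ? ['--sbom-format', 'legacy'] : []` branch directly above the new `--debug` line still emits the legacy sbom.json format when `scanossSettings` is false, and its comment still describes that mode. Either document what `scanossSettings: false` now means for this check, or drop the branch together with the removed inputs so the undeclared check has a single code path.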
Lines changed: 5 additions & 5 deletions
@@ -1,7 +1,7 @@
11
### Copyleft licenses
2-
| Component | Version | License | URL | Copyleft |
3-
| - | :-: | - | - | :-: |
4-
| pkg:npm/%40grpc/grpc-js | 1.12.2 | Apache-2.0 | https://spdx.org/licenses/Apache-2.0.html | YES |
5-
| pkg:npm/abort-controller | 3.0.0 | MIT | https://spdx.org/licenses/MIT.html | YES |
6-
| pkg:npm/adm-zip | 0.5.16 | MIT | https://spdx.org/licenses/MIT.html | YES |
2+
| Component | License | URL | Copyleft |
3+
| - | :-: | - | - |
4+
| pkg:npm/%40grpc/grpc-js | Apache-2.0 | https://spdx.org/licenses/Apache-2.0.html | YES |
5+
| pkg:npm/abort-controller | MIT | https://spdx.org/licenses/MIT.html | YES |
6+
| pkg:npm/adm-zip | MIT | https://spdx.org/licenses/MIT.html | YES |
77

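Review bot: The regenerated sample still lists Apache-2.0 and MIT with `Copyleft` = YES. Neither is a copyleft license, so as an example of copyleft policy output this will confuse readers; regenerate the sample from a run that flags an actual copyleft license (the undeclared sample in this same commit shows GPL-2.0-only), or, if these rows were produced with `licensesCopyleftExplicit`, say so in the file.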
codescantask/policy-check-undeclared-results.md

Lines changed: 5 additions & 17 deletions
@@ -1,14 +1,11 @@
11
### Undeclared components
2-
| Component | Version | License |
3-
| - | - | - |
4-
| pkg:github/scanoss/wfp | 6afc1f6 | Zlib - GPL-2.0-only |
5-
| pkg:github/scanoss/scanner.c | 1.3.3 | BSD-2-Clause - GPL-2.0-only |
6-
| pkg:npm/%40grpc/grpc-js | 1.12.2 | Apache-2.0 |
7-
| pkg:npm/abort-controller | 3.0.0 | MIT |
8-
| pkg:npm/adm-zip | 0.5.16 | MIT |
2+
| Component | License |
3+
| - | - |
4+
| pkg:github/scanoss/wfp | GPL-2.0-only |
5+
| pkg:github/scanoss/scanner.c | GPL-2.0-only |
96

107

11-
5 undeclared component(s) were found.
8+
2 undeclared component(s) were found.
129
Add the following snippet into your `scanoss.json` file
1310

1411
```json
@@ -20,15 +17,6 @@ Add the following snippet into your `scanoss.json` file
2017
},
2118
{
2219
"purl": "pkg:github/scanoss/scanner.c"
23-
},
24-
{
25-
"purl": "pkg:npm/%40grpc/grpc-js"
26-
},
27-
{
28-
"purl": "pkg:npm/abort-controller"
29-
},
30-
{
31-
"purl": "pkg:npm/adm-zip"
3220
}
3321
]
3422
}
