Add support for Elixir Ecosystem for dependency graphs since the package manager hex.pm is already used for Erlang #1661
Comments
|
Would love this, please consider adding Elixir to the supported ecosystems |
|
Would love this too, please. |
|
Is this open source? |
|
👋 Hi from the dependency graph team -- Elixir support is near the top of our list for additional ecosystems to support, but we don't currently have a timeline. Our core isn't open source, but we do have the dependency submission API that can submit dependencies for other ecosystems. Some folks have created GitHub Actions to do this for various ecosystems -- if anyone wants to go that route, we have the dependency submission toolkit that can help with developing actions for dependency submission. You'll receive Dependabot alerts for any submitted dependencies. Hope this helps a bit! |
|
Good to know you're working on it. It'll truly help having it. |
|
Interesting, It'll truly useful and help. |
|
Really, if it supports Erlang, it should support Elixir, after all, the Elixir people wrote hex.pm. |
|
I'd also like to support this feature request. Actually, there are several languages which run on the Erlang VM. Ideally, the graphs would support most of them. And a pony... :-) |
|
Would love to see Elixir support too |
SupaMic
changed the title
SupaMic
changed the title
Unfortunately, the submission API does not support Hex purls. All reported dependencies are show as Hex purl Spec: https://github.com/hexpm/specifications/blob/main/package-url.md
When downloading the SBoM: // ...
{
"SPDXID": "SPDXRef-unknown-dialyxir-1.4.4",
"name": "unknown:dialyxir",
"versionInfo": "1.4.4",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"supplier": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceLocator": "pkg:unknown/dialyxir@1.4.4",
"referenceType": "purl"
}
]
}
// ...Expected: // ...
{
"SPDXID": "SPDXRef-hex-dialyxir-1.4.4",
"name": "hex:dialyxir",
"versionInfo": "1.4.4",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"supplier": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceLocator": "pkg:hex/dialyxir@1.4.4",
"referenceType": "purl"
}
]
}
// ...Reported: https://github.com/maennchen/mix-dependency-submission/actions/runs/11507378792/job/32033446490 {
"version": 0,
"metadata": {},
"ref": "refs/heads/main",
"manifests": {
"mix.exs": {
"name": "mix.exs",
"file": {
"source_location": "mix.exs"
},
"metadata": {},
"resolved": {
// ...
"dialyxir": {
"scope": "development",
"metadata": {
"name": "dialyxir"
},
"dependencies": [],
"package_url": "pkg:hex/dialyxir@1.4.4",
"relationship": "direct"
},
// ...
}
}
},
"detector": {
"name": "mix_dependency_submission",
"version": "1.0.0-beta.1",
"url": "https://github.com/maennchen/mix-dependency-submission"
},
"sha": "71d59cd5aadc839808701997f2c9b6f50513eb35",
"job": {
"id": "escript",
"correlator": "Main Branchescript"
},
"scanned": "2024-10-24T21:01:37.127673Z"
} |
You already support Erlang (registry: https://hex.pm/) to build dependency graphs so you should implement the same functionality for Elixir projects which use the mix.exs script in root of a project (and within nested application root folders) and they mostly use the same registry; hex.pm (although they can link to github or or other repos directly)
The text was updated successfully, but these errors were encountered: