
Dependency pinning enhancement #383

Open
laurentsimon opened this issue Apr 30, 2021 · 2 comments
Labels
kind/enhancement New feature or request

Comments

laurentsimon commented Apr 30, 2021

The Pinning-Dep checks for known file names for various languages. However, as soon as it finds one, it returns success.
Some repos may contain more than one language -- Tink crypto library is an example, protobuf is another one.

We could use the language APIs to automatically detect the languages used, and validate that the filenames we find correspond to the languages used. We need not check all languages, but only the prominent ones used in the repo.

Note that the language API does not give us the folders that contain the code. So an alternative approach may be to list all files, count their LoC ourselves instead.

This will allow scorecard to report what languages we tested the repo for and which folders passed the tests. We may report a score that is the percentage of lines of code 'pinned' over the number of lines non 'pinned'. Running scorecard on envoy currently fails to detect the following files since we only check for files in the root folder.

name ci/flaky_test/requirements.txt
name configs/requirements.txt
name docs/requirements.txt
name examples/grpc-bridge/client/requirements.txt
name source/common/common/compiler_requirements.h
name source/extensions/filters/network/kafka/requirements.txt
name test/extensions/filters/network/thrift_proxy/requirements.txt
name tools/code_format/requirements.txt
name tools/config_validation/requirements.txt
name tools/dependency/requirements.txt
name tools/deprecate_features/requirements.txt
name tools/deprecate_version/requirements.txt
name tools/envoy_headersplit/requirements.txt
name tools/github/requirements.txt
name tools/protodoc/requirements.txt
name tools/testing/requirements.txt

This suggests that long-term, it would be useful to have a comprehensive config file for each repo.

Related to #404 #403

@laurentsimon laurentsimon added the kind/enhancement New feature or request label Apr 30, 2021
@laurentsimon · Contributor Author

An idea could be to search for dependency files, and when we find one, look for the corresponding lock files that should live in the same folder. Everything that lives outside this folder could be considered not pinned. We can then compute the percentage of LoC that is pinned vs non-pinned; and use this as a score.

@jeffmendoza FYI
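One way to compute the score proposed in the comment above, as an added example in Go (not scorecard's own code): every folder holding a dependency manifest is pinned only if its lock file sits beside it, sub-folders inherit that state, and source lines under no manifest folder count as not pinned. The manifest/lock table, the set of counted source extensions and the ExampleRepo tree are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"io/fs"
	"path"
	"testing/fstest"
)

// Manifest file -> the lock file expected beside it (assumed table, not scorecard's own).
var lockFor = map[string]string{"go.mod": "go.sum", "Cargo.toml": "Cargo.lock", "Pipfile": "Pipfile.lock"}
var srcExt = map[string]bool{".go": true, ".py": true, ".js": true, ".rs": true, ".rb": true} // counted source extensions (assumed)
// PinnedLOC counts newline-terminated source lines under lock-backed manifest folders (pinned) and overall (total).
func PinnedLOC(fsys fs.FS) (pinned, total int, err error) {
	state := map[string]bool{} // folder -> source lines directly beneath it count as pinned
	err = fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, werr error) error {
		if werr != nil {
			return werr
		}
		if d.IsDir() { // a folder is visited before its contents, so the parent's state is known
			hasManifest, hasLock := false, false
			for m, lock := range lockFor {
				if _, e := fs.Stat(fsys, path.Join(p, m)); e == nil {
					_, e = fs.Stat(fsys, path.Join(p, lock))
					hasManifest, hasLock = true, hasLock || e == nil
				}
			}
			state[p] = hasLock || (!hasManifest && state[path.Dir(p)])
		} else if srcExt[path.Ext(p)] {
			data, rerr := fs.ReadFile(fsys, p)
			n := bytes.Count(data, []byte("\n"))
			total += n
			if state[path.Dir(p)] {
				pinned += n
			}
			return rerr
		}
		return nil
	})
	return pinned, total, err
}
// ExampleRepo is a constructed tree (not envoy's): a Go module with go.sum, a Pipfile without Pipfile.lock, and a script with no manifest above it.
var ExampleRepo = fstest.MapFS{
	"src/go.mod":           {Data: []byte("module example\n")},
	"src/go.sum":           {},
	"src/server/main.go":   {Data: []byte("package main\n\nfunc main() {}\n")},
	"tools/github/Pipfile": {Data: []byte("[packages]\nrequests = \"*\"\n")},
	"tools/github/sync.py": {Data: []byte("import os\nprint(os.getcwd())\n")},
	"scripts/build.py":     {Data: []byte("#!/usr/bin/env python3\nprint('build')\n")},
}
```

On ExampleRepo only the 3 lines of src/server/main.go are pinned out of 7 counted, so the score would be 3/7; tools/github fails because its Pipfile has no Pipfile.lock, and scripts/build.py has no manifest folder above it.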

@laurentsimon · Contributor Author

@asraa FYI

@laurentsimon laurentsimon added this to the milestone-q3 milestone Aug 30, 2021
@afmarcum afmarcum removed this from the milestone-q3 milestone Mar 8, 2024