-
Notifications
You must be signed in to change notification settings - Fork 312
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(scanner): add '--packages-depth' parameter. #8372
base: main
Are you sure you want to change the base?
Conversation
The '--packages-depth' parameter allows not to scan the whole dependency tree. For example, if you use 'scan --packages-depth 1' then the scan will be performed on projects and the first level of packages (i.e. the direct dependencies). By default, the value is -1, which means no limit, all packages will be scanned. Signed-off-by: François Barbe <[email protected]>
b28abce
to
a0f8f8c
Compare
We may consider to add a helper command to strip out dependencies for a given |
Thank for the contribution @fb33! A basic issue I see with the implementation is related to ORT's transparency about what has been scanned: When only looking at the ORT scan result, how do you know whether only a subset of the packages have been scanned vs. really only the listed findings were present? What I'm trying to say is: We need a way to record as part of the ORT result / in the scan result that only a subset (and which subset) of packages has been scanned. This could probably be solved as easily as adding the used depth (if But thinking further, if only scanning of e.g. direct dependencies is desired, should we also limit analysis to the configured depth already? That would automatically limit the scanning to those packages. Related issues: #2293, #5626, #8361 |
Hi, by the way, I'll think about your proposal to limit the depth at the analyzer time. |
This pull request was discussed in the ORT community meeting of March 21st, 2024. The people attending can see the usefulness of this feature as:
However there are various concerns:
Question is if we should protect users against themselves? Given other options in ORT our believe we should not. |
Sometimes we don't want to audit the whole dependencies of a project but only those declared in the project's package manager files.
To do this, I add a new parameter to the scanner to manage the depth in the dependency tree to scan.