
gh-dependency-report's Introduction

Nice to meet you! 👋

About me 🧑‍💻

What are some honest, unfiltered things about you?
What drives you nuts?
  • Disorder, conflict, confusion, and ambiguity
  • Coordination and communication without visuals, documentation, roadmaps, agendas, and/or setting expectations
  • Inconsistency without exception and reasoning
What are your quirks?
  • I tend to step in and potentially overstep when I perceive disorder, conflict, confusion, or ambiguity; please believe this comes from a good place.
  • I am a very visual person 🖼️ and might need to sketch or diagram problems to understand them better.
  • I might jokingly 😆 say I hate all programming languages or tools as a way of staying detached; they all have strengths, weaknesses, and idiosyncrasies.
  • I believe writing documentation or communications takes as much thought and effort as writing code; sometimes it takes time
What are some things that people might misunderstand about you that you should clarify?
  • Sometimes my 🤔 face gets confused with my 😠 or 😡 face; being a 👨‍🦲 makes facial features more distinct but 🙇 for patience

About my colleagues 👩‍💼

What qualities do you particularly value in your colleagues?
  • Proactive in communication and taking action
  • Prepared for events and discussions
  • Celebrate successes, achievements, and good fortunes of others
  • Genuine and introspective about who they are, where they come from, and what truly matters most to them
What do you wish colleagues didn’t do?
  • High-level planning and coordination efforts without data and/or roadmaps
  • Asking for help without relevant information provided upfront
How can people earn an extra gold star with you?
  • Be genuine celebrating others!
  • Be persistent in seeing a question answered or a problem solved!
  • Present short and long term solutions upfront; a majority of hard problems need both and this is often a cause of talking past one another!
  • Take and own responsibility actively!

About my interactions 🤝

How do you coach people to do their best work and develop their talents?
  • Celebrate others' efforts in channels / venues where their leaders can see and recognize it (Slack, formal accolade processes, etc)
  • Get to know colleagues (backgrounds, experiences, values, and aspirations) and include them in discussions and activities around them
  • Partner together on activities, training one another up in a safe space
  • Spend 1:1 time asking for feedback
What’s the best way to communicate with you?
  • Visuals are better than documentation, both are better than verbal knowledge sharing
  • Provide context, agendas, and any expectations prior to meetings so I can actively participate
  • Tell me how much time you need, so I can block that off for you especially; I prefer to be present for discussions as a courtesy for you
What’s the best way to convince you to do something?
  • Actively ask and engage me, give me space to ask questions
  • Demonstrate it is something everyone on the team and/or organization is doing
  • Affirm this is what will make me successful and celebrated
  • If there isn't data for this, then explicitly ask me for trust; this works especially when reciprocated if I need to ask for trust, too
How do you like to give feedback?
  • For feedback that might be potentially sensitive; personal; or emotional, I will ask for 1:1 time on video and might follow up with additional context after the conversation
  • I prefer giving feedback around the results of work and other external things as I try to disassociate people from the work done
  • I try to ask lots of questions because I really do want to understand; sometimes it’s a lot because situations are complex
How do you like to get feedback?
  • Help me feel like we collectively have something to improve and that we are in it together
  • Help me feel heard and understood even if you can't sympathize or empathize
  • Please reinforce the good things as much as improving others


gh-dependency-report's Issues

Increase manifest query size

In #4, there are some concerns about the veracity of the responses from the manifest connection. This concern has been reported with some efforts being taken up, however we need a temporary workaround until that work comes to fruition. Apparently, this wasn't discovered previously as most people pull the full 100 around manifests.

For now, that seems to be an acceptable workaround until #4 is fixed and we can retailor the query appropriately.

Refactor logger init to reduce duplication

During earlier work fixing the logging of the extension, I didn't consider the redundancy between the logging configuration within the main module and reconfiguring the logging within the root command. This led to redundant logic for initializing logging. Instead, I want to simplify it by pulling the logic into the main module.

Setup automation to generate OSS licenses used with `go-licenses`

Overview

Being an open source project, gh-dependency-report should generate and present information about the licenses of its dependencies in order to be a good OSS citizen.

This issue is to implement a GitHub Actions workflow to compile this information using google/go-licenses, as this is a Go-based CLI extension.

Simplify report output handling

The initial implementation of gh-dependency-report defaults to using standard out for the CSV report with progress / log being emitted via standard err. This is a little confusing for anyone who hasn't looked at the usage statement or intrinsically knows to redirect stdout.

andyfeller@Andrews-MacBook-Pro:andyfeller/gh-dependency-report ‹main*›$ go run main.go andyfeller
2022-01-28T08:09:58.099-0500	INFO	cmd/root.go:80	Processing repos: [andyfeller argo-cd argo-helm argocd-notifications bespoke branch-protection-enforcer-app chef codeql-action-configs docker-alpine-abuild docker.github.io docs dotfiles fabric8-pipeline-library gh-dependency-report integrations-core jenkins-openshift-login-plugin jenkins-pipeline-library linux mockserver my-py-grpc-repo openshift-cassandra openshift-sync-plugin populate-project powershell-poc private-stack python stacks-experiment]
2022-01-28T08:09:58.099-0500	DEBUG	cmd/root.go:122	Processing andyfeller/andyfeller
2022-01-28T08:09:58.261-0500	DEBUG	cmd/root.go:122	Processing andyfeller/argo-cd
2022-01-28T08:09:58.374-0500	DEBUG	cmd/root.go:122	Processing andyfeller/argo-helm
2022-01-28T08:09:58.489-0500	DEBUG	cmd/root.go:122	Processing andyfeller/argocd-notifications
2022-01-28T08:09:58.606-0500	DEBUG	cmd/root.go:122	Processing andyfeller/bespoke
2022-01-28T08:09:59.071-0500	DEBUG	cmd/root.go:143	Processing andyfeller/bespoke > .github/workflows/init.yml
2022-01-28T08:09:59.315-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/workflows/init.yml > actions/checkout
2022-01-28T08:09:59.315-0500	DEBUG	cmd/root.go:143	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json
2022-01-28T08:10:00.099-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > @actions/core
2022-01-28T08:10:00.099-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > @actions/github
2022-01-28T08:10:00.099-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > @actions/http-client
2022-01-28T08:10:00.099-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > @octokit/auth-token
2022-01-28T08:10:00.100-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > @octokit/core
2022-01-28T08:10:00.100-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > @octokit/endpoint
2022-01-28T08:10:00.100-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > @octokit/graphql
2022-01-28T08:10:00.100-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > @octokit/openapi-types
2022-01-28T08:10:00.100-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > @octokit/plugin-paginate-rest
2022-01-28T08:10:00.100-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > @octokit/plugin-rest-endpoint-methods
2022-01-28T08:10:00.100-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > @octokit/request
2022-01-28T08:10:00.100-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > @octokit/request-error
2022-01-28T08:10:00.100-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > @octokit/types
2022-01-28T08:10:00.100-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > argparse
2022-01-28T08:10:00.100-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > before-after-hook
2022-01-28T08:10:00.100-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > deprecation
2022-01-28T08:10:00.100-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > handlebars
2022-01-28T08:10:00.100-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > is-plain-object
2022-01-28T08:10:00.100-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > js-yaml
2022-01-28T08:10:00.100-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > minimist
2022-01-28T08:10:00.100-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > neo-async
2022-01-28T08:10:00.100-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > node-fetch
2022-01-28T08:10:00.100-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > once
2022-01-28T08:10:00.100-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json > source-map
Owner,Repo,Manifest,Exceeds Max Size,Parseable,Package Manager,Dependency,Has Dependencies?,Requirements,License,License Url
andyfeller,bespoke,.github/workflows/init.yml,false,true,ACTIONS,actions/checkout,true,= 2,MIT,http://choosealicense.com/licenses/mit/
andyfeller,bespoke,.github/actions/populate_project/package-lock.json,false,true,NPM,@actions/core,true,= 1.6.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,bespoke,.github/actions/populate_project/package-lock.json,false,true,NPM,@actions/github,true,= 5.0.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,bespoke,.github/actions/populate_project/package-lock.json,false,true,NPM,@actions/http-client,true,= 1.0.11,NOASSERTION,http://choosealicense.com/licenses/other/
andyfeller,bespoke,.github/actions/populate_project/package-lock.json,false,true,NPM,@octokit/auth-token,true,= 2.5.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,bespoke,.github/actions/populate_project/package-lock.json,false,true,NPM,@octokit/core,true,= 3.5.1,MIT,http://choosealicense.com/licenses/mit/
andyfeller,bespoke,.github/actions/populate_project/package-lock.json,false,true,NPM,@octokit/endpoint,true,= 6.0.12,MIT,http://choosealicense.com/licenses/mit/
andyfeller,bespoke,.github/actions/populate_project/package-lock.json,false,true,NPM,@octokit/graphql,true,= 4.8.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,bespoke,.github/actions/populate_project/package-lock.json,false,true,NPM,@octokit/openapi-types,false,= 11.2.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,bespoke,.github/actions/populate_project/package-lock.json,false,true,NPM,@octokit/plugin-paginate-rest,true,= 2.17.0,NOASSERTION,http://choosealicense.com/licenses/other/
andyfeller,bespoke,.github/actions/populate_project/package-lock.json,false,true,NPM,@octokit/plugin-rest-endpoint-methods,true,= 5.13.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,bespoke,.github/actions/populate_project/package-lock.json,false,true,NPM,@octokit/request,true,= 5.6.2,MIT,http://choosealicense.com/licenses/mit/
andyfeller,bespoke,.github/actions/populate_project/package-lock.json,false,true,NPM,@octokit/request-error,true,= 2.1.0,MIT,http://choosealicense.com/licenses/mit/

Given we have support for the extension to write the report to a named file, we shall instead change the extension so it always writes output to a file. The filename will be randomly generated if not provided, based on the current date/time more than likely.

andyfeller@Andrews-MacBook-Pro:andyfeller/gh-dependency-report ‹main*›$ go run main.go           
Error: requires at least 1 arg(s), only received 0
Usage:
  gh-dependency-report [flags] owner [repo ...]

Flags:
  -e, --exclude strings      Repositories to exclude from report
  -h, --help                 help for gh-dependency-report
  -o, --output-file string   Name of file to write CSV report, defaults to stdout
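
As an added example (not the extension's own code), here is how the proposed behaviour can be implemented in Go: the report always goes to a file, the name defaults to a timestamp when -o/--output-file is not given, and the file is created exclusively with owner-only permissions so an existing report is never silently overwritten and the inventory of repositories and dependencies is not world-readable. The function names resolveOutputPath and writeReport, the default filename pattern, and the sample row are assumptions; the header matches the columns shown above.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"os"
	"time"
)

// header matches the columns of the report shown in the issue.
var header = []string{
	"Owner", "Repo", "Manifest", "Exceeds Max Size", "Parseable", "Package Manager",
	"Dependency", "Has Dependencies?", "Requirements", "License", "License Url",
}

// resolveOutputPath returns the user-supplied filename or, when none was
// given, a timestamp-based default (assumed pattern), so the report never
// lands on stdout mixed with the progress output.
func resolveOutputPath(name string, now time.Time) string {
	if name != "" {
		return name
	}
	return fmt.Sprintf("gh-dependency-report-%s.csv", now.UTC().Format("20060102T150405Z"))
}

// writeReport creates the file exclusively (O_EXCL: fail rather than clobber
// an existing report) and owner-only (0600), then writes header plus rows.
func writeReport(path string, rows [][]string) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return err
	}
	w := csv.NewWriter(f)
	if err := w.Write(header); err != nil {
		f.Close()
		return err
	}
	if err := w.WriteAll(rows); err != nil { // WriteAll flushes for us
		f.Close()
		return err
	}
	return f.Close()
}

func main() {
	name := ""
	if len(os.Args) > 1 {
		name = os.Args[1] // stands in for -o/--output-file
	}
	path := resolveOutputPath(name, time.Now())
	// Constructed sample row copied from the report excerpt in the issue.
	sample := [][]string{{
		"andyfeller", "bespoke", ".github/workflows/init.yml", "false", "true", "ACTIONS",
		"actions/checkout", "true", "= 2", "MIT", "http://choosealicense.com/licenses/mit/",
	}}
	if err := writeReport(path, sample); err != nil {
		fmt.Fprintln(os.Stderr, "Error:", err)
		os.Exit(1)
	}
	fmt.Fprintln(os.Stderr, "Report written to", path) // progress stays on stderr
}
```

Running it a second time with the same filename fails with "file exists" instead of overwriting the earlier report, which is the behaviour a scheduled audit wants.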

Add support for verbose logging flag

During the prototyping of the gh-dependency-report extension and learning the https://github.com/uber-go/zap library, logging was implemented using DEBUG as the default logging level. This can be a bit noisy if someone doesn't want that much detail, so we're going to change the default logging level to INFO with the option via -v, --verbose to lower it back to DEBUG.

andyfeller@Andrews-MacBook-Pro:andyfeller/gh-dependency-report ‹main*›$ go run main.go           
Error: requires at least 1 arg(s), only received 0
Usage:
  gh-dependency-report [flags] owner [repo ...]

Flags:
  -e, --exclude strings      Repositories to exclude from report
  -h, --help                 help for gh-dependency-report
  -o, --output-file string   Name of file to write CSV report, defaults to stdout

exit status 1
andyfeller@Andrews-MacBook-Pro:andyfeller/gh-dependency-report ‹main*›$ go run main.go andyfeller
2022-01-28T08:15:43.465-0500	INFO	cmd/root.go:80	Processing repos: [andyfeller argo-cd argo-helm argocd-notifications bespoke branch-protection-enforcer-app chef codeql-action-configs docker-alpine-abuild docker.github.io docs dotfiles fabric8-pipeline-library gh-dependency-report integrations-core jenkins-openshift-login-plugin jenkins-pipeline-library linux mockserver my-py-grpc-repo openshift-cassandra openshift-sync-plugin populate-project powershell-poc private-stack python stacks-experiment]
2022-01-28T08:15:43.465-0500	DEBUG	cmd/root.go:122	Processing andyfeller/andyfeller
2022-01-28T08:15:43.607-0500	DEBUG	cmd/root.go:122	Processing andyfeller/argo-cd
2022-01-28T08:15:43.737-0500	DEBUG	cmd/root.go:122	Processing andyfeller/argo-helm
2022-01-28T08:15:43.869-0500	DEBUG	cmd/root.go:122	Processing andyfeller/argocd-notifications
2022-01-28T08:15:44.030-0500	DEBUG	cmd/root.go:122	Processing andyfeller/bespoke
2022-01-28T08:15:44.560-0500	DEBUG	cmd/root.go:143	Processing andyfeller/bespoke > .github/workflows/init.yml
2022-01-28T08:15:44.778-0500	DEBUG	cmd/root.go:154	Processing andyfeller/bespoke > .github/workflows/init.yml > actions/checkout
2022-01-28T08:15:44.778-0500	DEBUG	cmd/root.go:143	Processing andyfeller/bespoke > .github/actions/populate_project/package-lock.json
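
An added example, not taken from the extension, that covers both the logger-init refactor issue above and the verbose flag from this issue: logging is configured once in main (INFO by default, -v/--verbose lowers it to DEBUG) and the resulting logger is handed to the command instead of being re-initialised there. It uses the standard library's log/slog rather than uber-go/zap so that it runs without external modules; the names newLogger, logLevelFor and runRoot are assumptions.

```go
package main

import (
	"flag"
	"fmt"
	"io"
	"log/slog"
	"os"
)

// logLevelFor maps the verbose flag to a level: INFO is the proposed default,
// -v/--verbose lowers the threshold back to DEBUG.
func logLevelFor(verbose bool) slog.Level {
	if verbose {
		return slog.LevelDebug
	}
	return slog.LevelInfo
}

// newLogger is the single place where logging is configured. main builds it
// once and passes it down, so the root command never reconfigures logging.
// out is stderr in main, keeping progress separate from the CSV report.
func newLogger(verbose bool, out io.Writer) *slog.Logger {
	h := slog.NewTextHandler(out, &slog.HandlerOptions{Level: logLevelFor(verbose)})
	return slog.New(h)
}

// runRoot stands in for the cobra root command: it receives the shared logger
// instead of building one of its own.
func runRoot(logger *slog.Logger, owner string, repos []string) {
	logger.Info("Processing repos", "owner", owner, "count", len(repos))
	for _, r := range repos {
		logger.Debug("Processing", "repo", owner+"/"+r) // hidden unless -v
	}
}

func main() {
	var verbose bool
	flag.BoolVar(&verbose, "verbose", false, "Enable DEBUG logging")
	flag.BoolVar(&verbose, "v", false, "Enable DEBUG logging (shorthand)")
	flag.Parse()
	if flag.NArg() < 1 {
		fmt.Fprintln(os.Stderr, "Error: requires at least 1 arg(s), only received 0")
		os.Exit(1)
	}
	logger := newLogger(verbose, os.Stderr)
	runRoot(logger, flag.Arg(0), flag.Args()[1:])
}
```

Usage: go run main.go andyfeller prints only the INFO line; go run main.go -v andyfeller bespoke also prints the per-repo DEBUG lines.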

Update repository README.md

In order for this extension to be easily consumable and leveraged, the repository README.md file needs to be fully fleshed out:

  • examples of various use cases
  • maybe a nice gif showing its final usage
  • ideas on how this information might be useful

Refactor graphql object functions to internal packages

As in #13, the extension code is understandably cluttered, being a prototype as well as the author's first Go project. The spf13/cobra command could be tighter if the logic and structures for GitHub resources were refactored into internal subpackages.

This issue is aimed at some minor refactoring to separate various concerns, leaving the cmd logic cleaner and easier to read.

Scheduled and ad-hoc dependency audit MVP

In order to truly judge whether this CLI extension is fit for a v1.0.0 milestone, it needs to fulfill an end rather than just being a means. One of the motivations for building this extension was to make it easier for GitHub enterprises to audit dependencies and take action. This issue aims to capture the requirements and design of a minimally viable product that can run on a schedule and/or ad-hoc to do just that.
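
As an added example of what such an "end" could look like (not the extension's own code, and not a design this issue commits to): a Go program that reads the CSV report the extension produces and turns it into audit findings. It flags manifests the report could not cover (Exceeds Max Size, or Parseable false, which is also where the veracity concern in #4 shows up as incompleteness) and dependencies with no asserted license, and exits non-zero so a scheduled job fails when something needs attention. The embedded sample report is constructed from rows shown elsewhere in this issue list plus one invented row (private-stack); the column layout is the extension's, while the audit rules and the names Finding, auditReport and exitCode are assumptions.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"io"
	"os"
	"strings"
)

// Finding is one item an auditor needs to act on.
type Finding struct {
	Kind       string // "coverage-gap" or "license-unknown"
	Repo       string
	Manifest   string
	Dependency string
	Detail     string
}

// sampleReport is constructed: four rows from the issue's report excerpt plus
// one invented row for a manifest the report could not process.
const sampleReport = `Owner,Repo,Manifest,Exceeds Max Size,Parseable,Package Manager,Dependency,Has Dependencies?,Requirements,License,License Url
andyfeller,bespoke,.github/workflows/init.yml,false,true,ACTIONS,actions/checkout,true,= 2,MIT,http://choosealicense.com/licenses/mit/
andyfeller,bespoke,.github/actions/populate_project/package-lock.json,false,true,NPM,@actions/core,true,= 1.6.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,bespoke,.github/actions/populate_project/package-lock.json,false,true,NPM,@actions/http-client,true,= 1.0.11,NOASSERTION,http://choosealicense.com/licenses/other/
andyfeller,bespoke,.github/actions/populate_project/package-lock.json,false,true,NPM,@octokit/plugin-paginate-rest,true,= 2.17.0,NOASSERTION,http://choosealicense.com/licenses/other/
andyfeller,private-stack,package-lock.json,true,false,NPM,,false,,,
`

// auditReport parses the CSV by header name (not position) and returns the
// findings in report order.
func auditReport(r io.Reader) ([]Finding, error) {
	records, err := csv.NewReader(r).ReadAll()
	if err != nil {
		return nil, err
	}
	if len(records) == 0 {
		return nil, fmt.Errorf("empty report")
	}
	col := map[string]int{}
	for i, name := range records[0] {
		col[name] = i
	}
	for _, want := range []string{"Owner", "Repo", "Manifest", "Exceeds Max Size", "Parseable", "Dependency", "License"} {
		if _, ok := col[want]; !ok {
			return nil, fmt.Errorf("report is missing column %q", want)
		}
	}
	var findings []Finding
	seen := map[string]bool{}
	for _, rec := range records[1:] {
		repo := rec[col["Owner"]] + "/" + rec[col["Repo"]]
		manifest := rec[col["Manifest"]]
		// A manifest repeats once per dependency; report its coverage gap once.
		if key := repo + " > " + manifest; !seen[key] {
			seen[key] = true
			switch {
			case rec[col["Exceeds Max Size"]] == "true":
				findings = append(findings, Finding{"coverage-gap", repo, manifest, "", "manifest exceeds max size; its dependencies are not in the report"})
			case rec[col["Parseable"]] == "false":
				findings = append(findings, Finding{"coverage-gap", repo, manifest, "", "manifest not parseable; its dependencies are not in the report"})
			}
		}
		dep := rec[col["Dependency"]]
		license := strings.ToUpper(strings.TrimSpace(rec[col["License"]]))
		if dep != "" && (license == "" || license == "NOASSERTION") {
			findings = append(findings, Finding{"license-unknown", repo, manifest, dep, "no license asserted; review manually"})
		}
	}
	return findings, nil
}

// exitCode lets a scheduled run fail the job when anything needs attention.
func exitCode(findings []Finding) int {
	if len(findings) == 0 {
		return 0
	}
	return 1
}

func main() {
	var r io.Reader = strings.NewReader(sampleReport)
	if len(os.Args) > 1 { // audit a real report: go run main.go report.csv
		f, err := os.Open(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, "Error:", err)
			os.Exit(1)
		}
		defer f.Close()
		r = f
	}
	findings, err := auditReport(r)
	if err != nil {
		fmt.Fprintln(os.Stderr, "Error:", err)
		os.Exit(1)
	}
	for _, fi := range findings {
		fmt.Printf("%-15s %s > %s %s: %s\n", fi.Kind, fi.Repo, fi.Manifest, fi.Dependency, fi.Detail)
	}
	os.Exit(exitCode(findings))
}
```

On the embedded sample this reports two unknown licenses and one coverage gap and exits 1; a clean report exits 0, which is what an ad-hoc or cron-driven wrapper can key on.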

Add support for secure token storage

Token storage change in latest release of gh

This is a message from the GitHub CLI team, maintainers of gh, writing to inform you that the most recent release of gh contains changes which may affect your extension. The latest release introduces the feature of storing authentication tokens in the system keyring (encrypted storage) instead of in a plain text file.
The keyrings that are supported are:
  • Keychain on macOS
  • GNOME Keyring on Linux (Secret Service dbus interface)
  • Wincred on Windows

This has huge security benefits for the users of our tool and was one of our oldest outstanding issues. Unfortunately, this change has the potential to break extensions that rely on utilizing the users' authentication token to work.

In order to have continued compatibility with gh there are some actions you, as an extension author, need to take. These actions will depend on the implementation of your extension.

Extensions built in Go using go-gh:

  1. Upgrade your go-gh version to v1.2.1, the latest version.

  2. Verify that in your extension retrieval of the user authentication token is done using the auth.TokenForHost function.

    • If you were previously accessing the authentication token using any other method it will no longer work.
    • Automatic resolution of the authentication token when using the API clients will continue to work without changes.

All other extensions:

  1. Verify that in your extension retrieval of the user authentication token is done by shelling out to the gh auth token command.

    • If you were previously accessing the authentication token using the gh config get command, reading the configuration file directly, or any other methods it will no longer work.

As of right now storing the authentication token in the system keyring is an opt-in feature, but in the near future it will be required and at that point if the changes above are not made then your extension will be broken for all users. If you have any questions/concerns about this change please feel free to open a discussion in the gh repo.

Thanks,
The GitHub CLI Team
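
An added example, not the extension's code: a Go helper that retrieves the token the way the notice prescribes for non-Go extensions, by shelling out to gh auth token, with command execution injected so the lookup can be exercised without gh present. A Go extension built on go-gh would instead call auth.TokenForHost as the notice says; the point is the same either way, the extension obtains the token from gh and never reads the configuration file itself. The names runner, execRunner, tokenFromGH and redact are assumptions, as is the token value in the test.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// runner abstracts command execution so the token lookup can be tested with a
// fake instead of a real gh binary.
type runner func(name string, args ...string) ([]byte, error)

// execRunner runs the real command and surfaces its stderr on failure.
func execRunner(name string, args ...string) ([]byte, error) {
	out, err := exec.Command(name, args...).Output()
	if err != nil {
		var exitErr *exec.ExitError
		if errors.As(err, &exitErr) {
			return nil, fmt.Errorf("%s %s: %w: %s", name, strings.Join(args, " "), err, strings.TrimSpace(string(exitErr.Stderr)))
		}
		return nil, fmt.Errorf("%s %s: %w", name, strings.Join(args, " "), err)
	}
	return out, nil
}

// tokenFromGH asks gh for the token. gh resolves it from the system keyring
// (or its environment variables), so the extension never opens hosts.yml,
// which is the access path the notice says stops working.
func tokenFromGH(run runner) (string, error) {
	out, err := run("gh", "auth", "token")
	if err != nil {
		return "", fmt.Errorf("could not obtain token from gh: %w", err)
	}
	tok := strings.TrimSpace(string(out))
	if tok == "" {
		return "", errors.New("gh auth token returned no token; run gh auth login first")
	}
	if strings.ContainsAny(tok, " \t\r\n") {
		return "", errors.New("unexpected multi-word output from gh auth token")
	}
	return tok, nil
}

// redact is the form to put in log lines: a short prefix to tell tokens
// apart, never the secret itself.
func redact(tok string) string {
	if len(tok) <= 8 {
		return "****"
	}
	return tok[:4] + strings.Repeat("*", len(tok)-4)
}

func main() {
	tok, err := tokenFromGH(execRunner)
	if err != nil {
		fmt.Fprintln(os.Stderr, "Error:", err)
		os.Exit(1)
	}
	fmt.Fprintln(os.Stderr, "Using token", redact(tok))
}
```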

Add support for dependency submission snapshots API

Overview

Announced in https://github.blog/changelog/2022-06-17-dependency-graph-has-a-rest-api-for-submitting-dependencies-detected-at-build-time/, GitHub dependency graph has a new capability for analyzing dependencies at build time.

Currently, this information is only accessible via the Insights > Dependency Graph section within the GitHub UI. Once the feature comes out of public beta with REST and/or GraphQL APIs, then that information should be incorporated here.

Thanks to @AustinJayBecker for raising this feature! ✨
Veracity of manifest and dependency information in report

This is harder to qualify and requires information I cannot make public, however there are some concerns about the veracity of the report. To this end, efforts to determine if there are problems with the accuracy of the report or the completeness of it should be captured as well as the efforts to verify it.
