Currently rust, should be cargo

Builds should be checked by GitHub Actions CI to ensure that the development branch is always in a working state.

CLI is using the Package type defined in this repo to deserialize responses from the API. I know we recently talked about getting rid of this repo, but as of now it's still being used and Brad has requested that this data be surfaced in the CLI.

We should add the data that was added to the API in the following PRs to the Package type in this repo:

• https://github.com/phylum-dev/api/pull/1129
• https://github.com/phylum-dev/api/pull/1130

Issues must have an id to be suppressed. This needs to be made non-optional.

effective-pom files containing a "site" section are failing when parsed via the CLI.

      <site>
        <id>apache.website</id>
        <url>scm:svn:https://svn.apache.org/repos/asf/maven/website/components/ref/3-LATEST</url>
      </site>

Attempting to analyze the file leads to the following error.

❯ phs analyze effective-pom.xml          
[2022-07-13T21:52:13Z ERROR phylum] Execution failed: Unable to locate any valid package in package lockfile
    
    Caused by:
        Expected token XmlEvent::Characters(s), found StartElement({http://maven.apache.org/POM/4.0.0}id, {"": "http://maven.apache.org/POM/4.0.0", "xml": "http://www.w3.org/XML/1998/namespace", "xmlns": "http://www.w3.org/2000/xmlns/", "xsi": "http://www.w3.org/2001/XMLSchema-instance"})
❗ Error: Execution failed caused by: Unable to locate any valid package in package lockfile

The type for pub site: Option<String>, is incorrect. Example can be found https://maven.apache.org/ref/3.8.4/maven-model/maven.html

<[site](https://maven.apache.org/ref/3.8.4/maven-model/maven.html#class_site) child.site.url.inherit.append.path=.. >
      <id/>
      <name/>
      <url/>
</site>

#[derive(Debug, Clone, Default, Serialize, Deserialize, PartialEq)]
pub struct DistributionManagement {
    pub repository: Option<Repository>,
    #[serde(rename = "snapshotRepository")]
    pub snapshot_repository: Option<Repository>,
    pub site: Option<String>,
    #[serde(rename = "downloadUrl")]
    pub download_url: Option<String>,
    pub relocation: Option<Relocation>,
    pub status: Option<String>,
}

Example file
effective-pom.xml.zip

Description

The license for this repository/project needs to change from the current MIT license to the GNU General Public License (GPL) v3.0 or later.

Additional Details

This change is directed towards all public repositories in the phylum-dev organization (with the exception of forked repos).

Acceptance Criteria

• The license is changed to GPLv3+
• Documentation is updated

pub struct PackageDescriptor {
    pub name: String,
    pub version: String,
    #[serde(rename = "type")]
    pub package_type: PackageType,
}

The current PackageDescriptor struggles to describe dependencies that do not come from the repository specified by PackageType (e.g., dependencies specified by URL). The current solution for this seems to be to put the URL in the version field, but this seems like a bit of a stretch of the meaning of that field.

I'm opening this issue to start a discussion about how this could be improved in the future.

While adding support for Golang I needed to extend the PackageType enum here and noticed that it feels a lot like the Ecosystem enum in common. Perhaps the PackageType::language(...) function doesn't map 100% onto the SourceFileType enum in common, however, I think we could easily introduce a Language enum and map between the two similar to what is done here.

I definitely don't have all the history/context for how this repo is used – but putting this out there as it seems like it would simplify things and make it easier to keep them consistent.

This is a ticket to track upcoming API v0 deprecations because we don't (yet) have a way for #[deprecated] in API code to be recognized when compiling phylum-types.

These are changes that have been made in the API but have not yet been released to production. The current fields will continue to work for now. The same information is included in both locations.

Package

• maintainers_recently_changed becomes maintainersRecentlyChanged
• is_abandonware becomes isAbandonware

PackageReleaseData

• first_release_date becomes firstReleaseDate
• last_release_date becomes lastReleaseDate

To be consistent with PURL, the PackageType enum should use gem instead of rubygems

Originally posted by @kylewillmon in phylum-dev/cli#805 (comment)