cdxgen icon indicating copy to clipboard operation
cdxgen copied to clipboard
verified publisher icon CycloneDX

feat: Dependency track tags reporting

Open gschafra opened this issue 4 months ago • 8 comments

  • Allow providing (multiple) tags for dependency track reporting

gschafra avatar Oct 13 '25 14:10 gschafra

Can you please add some tests for this feature, so we actually know it works correctly? Also, can you please sign off on your commit? See git documentation on how to do this, if you're no familiar.

malice00 avatar Oct 13 '25 17:10 malice00

Can you please add some tests for this feature, so we actually know it works correctly? Also, can you please sign off on your commit? See git documentation on how to do this, if you're no familiar.

Are there already any tests in place concerning the reporting to dependency check using command line parameters (like --project-id)? If yes, where can I find those?

AFAICS for the Dependency-Track SBOM submission/reporting features (e.g. --project-id) there seem no tests at all :disappointed:, so I'm missing the test method (unit, integration?) for this use case (CLI param -> expected result).

gschafra avatar Oct 13 '25 17:10 gschafra

O.k.. sorry... find a way using quibble for mocking and call expectations of got() in submitBom(). Test will follow tomorrow.

gschafra avatar Oct 13 '25 17:10 gschafra

You are correct, we don't have tests for that yet! All the more reason to add some imho. Preferably they're unit tests (check the xx.poku.js files), but if it's easier, you can check our repotests.yml-workflow and add your repo (if possible, don't want to force proprietary stuff to become public 😉) with tests to it.

malice00 avatar Oct 13 '25 18:10 malice00

Will try to implement unit tests next week. Still try to find a way and the code location to test by mocking out the client (using quibble?) doing the requests to dtrack and verify against against call (parameter) expectations (using Sinon.js?). This seems not so easy in the JS world :disappointed:

gschafra avatar Oct 17 '25 14:10 gschafra

You are correct, we don't have tests for that yet! All the more reason to add some imho. Preferably they're unit tests (check the xx.poku.js files), but if it's easier, you can check our repotests.yml-workflow and add your repo (if possible, don't want to force proprietary stuff to become public 😉) with tests to it.

Question: How do you manage the fixed package version overrides in the package.json? I've to add quibble and sinon for mocking and enhanced assertion to the dev packages. As I've seen, ALL packages including their peer dependencies are listed in the "overrides" section of package.json and putting all of them manually is ... painful (?). Are you using any tooling for this?

gschafra avatar Oct 22 '25 14:10 gschafra

Question: How do you manage the fixed package version overrides in the package.json? I've to add quibble and sinon for mocking and enhanced assertion to the dev packages. As I've seen, ALL packages including their peer dependencies are listed in the "overrides" section of package.json and putting all of them manually is ... painful (?). Are you using any tooling for this?

Yeah, unfortunately that's a manual thing -- currently. I added this a couple of days ago and the idea is to at least consciously think about our dependencies, but some form of listing what is missing for easier adding would be nice... I hope I find some time to do that in the next couple of days.

malice00 avatar Oct 22 '25 18:10 malice00

So, the version locking was not a success... I reverted those changes and I kindly ask you to rebase your PR again. If it's not too complicated, you can remove your overrides as well -- or leave them in if everything works with them there.

malice00 avatar Oct 22 '25 21:10 malice00