[Bug 475400] Automatically generate list of third-party dependencies (reduce need for piggyback CQs)
Bugzilla Link | 475400 |
Status | NEW |
Importance | P3 normal |
Reported | Aug 19, 2015 11:27 EDT |
Modified | Jul 20, 2020 09:54 EDT |
Blocks | 552967 |
Description
We need to be able to automatically generate a list of third-party dependencies used by a project for inclusion in IP Logs. This is currently achieved by maintaining a list of CQs and "piggyback" CQs in IPZilla. The goal is to eliminate the use of piggyback CQs as much as possible.
From the perspective of an IP Log, there is little distinction between a CQ and a piggyback CQ. What we need in the IP log is a list of approved third-party libraries referenced by the project. So what we need is a mechanism for scouring code for references to third-party libraries and matching them against what we know to be approved (i.e. it's really not about finding just piggybacks).
Just getting OSGi-based projects right will be a big win, but as a longer term goal we need to do what we can for projects using other technology. Taking this one step further, any first implementation of this will likely only consider dependencies on libraries hosted by Orbit.
Any generated list of third-party dependencies will have to be augmented by IPZilla CQs. We'll need to avoid duplication where possible. I assume that automatic detection will trace back to "root" CQs. Any process that merges a list of piggyback CQs into a generated list will have to track each piggyback CQ back to the root CQ to avoid duplication.
Where possible, I'd prefer to use existing, out-of-the-box technology. Can we extend Sonar to do this? Is it a matter of scanning manifests and build scripts?
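As an added illustration of the manifest-scanning approach the report asks about (example code written for this page, not part of the bug, IPZilla, Sonar or any Eclipse tool), the following Python reads the Require-Bundle and Import-Package headers of an OSGi MANIFEST.MF, matches each name against a table of approved CQs, and maps piggyback CQs to their root CQ before merging in manually filed CQs so no library is listed twice. The manifest text, bundle names, CQ numbers and the rule that org.eclipse.* bundles count as first-party are all constructed assumptions.

```python
import re
# Constructed sample MANIFEST.MF. The JAR/OSGi manifest format wraps headers
# longer than 72 bytes onto a continuation line with a leading space.
SAMPLE_MANIFEST = (
    "Bundle-SymbolicName: org.example.myproject;singleton:=true\r\n"
    'Require-Bundle: org.apache.commons.lang;bundle-version="2.6.0",\r\n'
    ' com.google.guava;bundle-version="[15.0,16.0)",org.eclipse.core.runtime\r\n'
    'Import-Package: org.slf4j;version="1.7.0",javax.inject\r\n'
)
# Constructed approval data: name -> CQ, and piggyback CQ -> root CQ.
APPROVED = {"org.apache.commons.lang": "CQ-1001", "com.google.guava": "CQ-2002",
            "org.slf4j": "CQ-3003"}
PIGGYBACK_TO_ROOT = {"CQ-2002": "CQ-2000", "CQ-3003": "CQ-3000"}
# Assumption: bundles under these prefixes are Eclipse's own, not third-party.
FIRST_PARTY_PREFIXES = ("org.eclipse.",)

def parse_manifest(text):
    """Return {header: value}, joining leading-space continuation lines."""
    headers, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current:
            headers[current] += line[1:]
        elif ":" in line:
            current, value = line.split(":", 1)
            headers[current.strip()] = value.strip()
    return headers

def entry_names(header_value):
    """Split on commas outside quotes (version ranges such as "[15.0,16.0)"
    contain commas) and drop the ;attribute and directive clauses."""
    parts = re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', header_value)
    return [p.split(";", 1)[0].strip() for p in parts if p.strip()]

def dependency_cqs(manifest_text, ipzilla_cqs=(), approved=APPROVED,
                   piggyback=PIGGYBACK_TO_ROOT):
    """Return (sorted root CQs for the IP log, sorted names lacking approval).
    Manually filed ipzilla_cqs are merged after mapping them to their root CQ."""
    headers = parse_manifest(manifest_text)
    names = [n for key in ("Require-Bundle", "Import-Package")
             for n in entry_names(headers.get(key, ""))]
    root_cqs, unapproved = {piggyback.get(cq, cq) for cq in ipzilla_cqs}, set()
    for name in names:
        if name.startswith(FIRST_PARTY_PREFIXES):
            continue
        cq = approved.get(name)
        if cq is None:
            unapproved.add(name)
        else:
            root_cqs.add(piggyback.get(cq, cq))
    return sorted(root_cqs), sorted(unapproved)
```

Names that come back in the second list are the ones with no known CQ, which is the set a reviewer would still have to file in IPZilla by hand.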