feat(scanner): add '--packages-depth' parameter. #8372
Conversation
The '--packages-depth' parameter allows not to scan the whole dependency tree. For example, if you use 'scan --packages-depth 1' then the scan will be performed on projects and the first level of packages (i.e. the direct dependencies). By default, the value is -1, which means no limit, all packages will be scanned. Signed-off-by: François Barbe <f.barbe@lectra.com>
fb33
force-pushed
the
feat/packages-depth
branch
from
b28abce
to
a0f8f8c
Compare
|
We may consider to add a helper command to strip out dependencies for a given |
|
Thank for the contribution @fb33! A basic issue I see with the implementation is related to ORT's transparency about what has been scanned: When only looking at the ORT scan result, how do you know whether only a subset of the packages have been scanned vs. really only the listed findings were present? What I'm trying to say is: We need a way to record as part of the ORT result / in the scan result that only a subset (and which subset) of packages has been scanned. This could probably be solved as easily as adding the used depth (if But thinking further, if only scanning of e.g. direct dependencies is desired, should we also limit analysis to the configured depth already? That would automatically limit the scanning to those packages. Related issues: #2293, #5626, #8361 |
|
Hi, by the way, I'll think about your proposal to limit the depth at the analyzer time. |
|
This pull request was discussed in the ORT community meeting of March 21st, 2024. The people attending can see the usefulness of this feature as:
However there are various concerns:
Question is if we should protect users against themselves? Given other options in ORT our believe we should not. |
Sometimes we don't want to audit the whole dependencies of a project but only those declared in the project's package manager files.
To do this, I add a new parameter to the scanner to manage the depth in the dependency tree to scan.