Skip to main content

Week 11

(Aug, 09 2024 - Aug 15, 2024)

Meeting 1

(Aug 14, 2024)

Attendees

Discussions

  • Showed the demo of the download dependencies feature to Gaurav and got feedback for the same.
  • Discussed using the ununpack agent for unpacking the downloaded packages rather than the current dependency on python libraries.
  • Rather than taking an input directory as input to the --sbom-path, it would be better to take a single file as input.
    • Software projects only have one sbom as a convention. So, if the project is using multiple languages or dependencies, then they are combined to a single sbom file, which can be passed to our scanner.
    • We want to implement different parsers for different languages. So, we need a parent class of the parsers whose job is to set which parser should handle a particular component.
    • We can differentiate between languages and which parser to use based on the purl for the component.
  • Got a new feature request in order to allow scanning a particular directory by providing the path to it via CLI.

Work Done

  • Implemented the feature of scanning dependencies using fossologyscanner.
    • Introduced a module ScanDeps that has a Parsers file that contains specific parsers for each supported language.
    • Currently, it has PythonParser only. Working on NPMParser. The job of the parsers is to take the sbom file and extract the download urls from it, save it in a particular format like a tuple of (<package_name> , <download_url>).
    • These results are then fed to a Downloader class that has methods to concurrently download these packages from the urls, and then extract them from their respective formats to a directory called pkg_downloads.
      • The download_concurrently method improves the speed of downloading and exporting packages significantly by allowing multiple downloads to run on different threads parallelly.
  • Started working on the new feature and improving the different parsers.

Planning for next week

  • Complete the PythonParser and raise a PR for the same.
  • Complete the directory scan feature and raise a PR.
  • Start working on NPMParser next.