fix: add uv to root-level ignore and use explicit paths #448
Merged: ruromero merged 2 commits into guacsec:main from ruromero:fix/dependabot-suppress-fixtures on Apr 30, 2026
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| /cache | ||
| /project.local.yml |
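Review bot: the PR title and branch name promise a `uv` entry in the root-level ignore file and explicit Dependabot paths, but neither of the two ignore lines here (`/cache`, `/project.local.yml`) nor anything in the other three hunks mentions `uv` or Dependabot; the ignored names match the Serena tool directory configured in the last hunk (`project.local.yml` is its local-override file). Either the description is stale or tool-local state was committed alongside the intended fix. Please confirm which files belong in this PR, and keep assistant working files out of the shared tree unless the team has agreed to version them.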
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| # GoModulesProvider Architecture | ||
|
|
||
| ## Dependency Resolution Flow | ||
| 1. `getDependenciesSbom(Path, boolean)` orchestrates: runs `go mod graph`, `go mod edit -json`, determines main module version | ||
| 2. `buildGoModulesDependencies(Path)` - runs `go mod graph` to get full dependency graph | ||
| 3. `getDirectDependencyPaths(Path)` - runs `go mod edit -json` to identify direct vs indirect deps | ||
| 4. For stack analysis: `buildSbomFromGraph` builds full dependency tree | ||
| 5. For component analysis: `buildSbomFromList` lists only direct dependencies | ||
|
|
||
| ## Direct vs Indirect Filtering (TC-4300) | ||
| - Since Go 1.17, `go mod tidy` adds all transitively-imported modules to go.mod with `// indirect` marker | ||
| - `go mod graph` emits root-level edges for ALL modules in go.mod (both direct and indirect) | ||
| - `go mod edit -json` returns structured JSON with `Require` array where each entry has optional `Indirect: true` | ||
| - Both `buildSbomFromGraph` and `buildSbomFromList` filter root-level deps to only include direct ones | ||
|
|
||
| ## Key Gotcha: MVS Version Suffix | ||
| After MVS processing (`getFinalPackagesVersionsForModule`), the root key in the edges map changes from `module/path` to `module/path@v0.0.0`. The root comparison must use `getModulePath()` to strip the version suffix for both sides, otherwise the filtering silently does nothing when MVS is enabled. | ||
|
|
||
| ## Helper Methods | ||
| - `getModulePath(String)` - strips `@version` suffix from `go mod graph` entries (e.g., `github.com/foo/bar@v1.2.3` -> `github.com/foo/bar`) | ||
| - `extractPackageName(String)` - strips `//` comment from go.mod require lines (different purpose, don't confuse) | ||
| - `getParentVertex(String)` / `getChildVertex(String)` - split `go mod graph` edge lines on space | ||
| - `isGoToolchainEntry(String)` - filters out `go@` and `toolchain@` entries | ||
|
|
||
| ## Test Fixtures | ||
| - `src/test/resources/tst_manifests/golang/` - main test fixtures with 6 test folders | ||
| - `src/test/resources/msc/golang/mvs_logic/` - MVS-specific test fixtures | ||
| - Tests use `dropIgnoredKeepFormat()` to strip timestamps and goarch/goos before comparison | ||
| - Tests use `prettyJson()` (Jackson) to normalize JSON formatting |
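Review bot: the "Key Gotcha" section documents a silent failure (direct/indirect filtering becomes a no-op once MVS rewrites the root key to `module/path@v0.0.0`), yet the PR shows no regression test pinning that behaviour; the `src/test/resources/msc/golang/mvs_logic/` fixtures listed under "Test Fixtures" are the natural place for a case in which an `// indirect` module must be absent from the component SBOM with MVS enabled. Note also that this file is assistant memory, not code: details a future change can invalidate (the step ordering in `getDependenciesSbom`, the "6 test folders" count) will drift unless each is anchored to a comment or test in the source, so keep the notes minimal and point at the method they describe rather than restating its internals.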
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| # exhort-java-api Project Overview | ||
|
|
||
| ## Purpose | ||
| Java client library for the Dependency Analytics (DA) / Exhort vulnerability analysis backend. Generates SBOMs (CycloneDX JSON) from project manifests and submits them for analysis. | ||
|
|
||
| ## Tech Stack | ||
| - Java 17+, Maven build | ||
| - Jackson for JSON, TOML parsing (com.moandjiezana.toml) | ||
| - XMLStreamReader for POM parsing | ||
| - CycloneDX SBOM model (custom `Sbom` class) | ||
|
|
||
| ## Key Directories | ||
| - `src/main/java/io/github/guacsec/trustifyda/providers/` - Provider implementations per ecosystem | ||
| - `src/main/java/io/github/guacsec/trustifyda/tools/` - Utilities (Operations, Ecosystem, Environment) | ||
| - `src/main/java/io/github/guacsec/trustifyda/utils/` - Shared utilities (IgnorePatternDetector, PythonControllerBase) | ||
| - `src/test/resources/tst_manifests/` - Test fixtures per ecosystem | ||
|
|
||
| ## Provider Pattern | ||
| Each ecosystem has a Provider class extending `Provider` abstract class with methods: | ||
| - `provideStack()` - Full dependency tree SBOM | ||
| - `provideComponent()` - Direct dependencies only SBOM | ||
| - `readLicenseFromManifest()` - License extraction | ||
| - `validateLockFile(Path)` - Lock file validation | ||
|
|
||
| ## Ignore Pattern Detection | ||
| Centralized in `IgnorePatternDetector` with constants `IGNORE_PATTERN` ("trustify-da-ignore") and `LEGACY_IGNORE_PATTERN` ("exhortignore"). | ||
|
|
||
| ## Commands | ||
| - Build: `mvn clean install` | ||
| - Test: `mvn test` | ||
| - Format: `mvn spotless:apply` |
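Review bot: the heading calls the project `exhort-java-api` while the package paths under "Key Directories" are `io.github.guacsec.trustifyda` and the Serena config in this same PR names it `trustify-da-java-client`; because this file is fed to an assistant as ground truth, the legacy name will nudge it toward the `exhortignore` marker that the same file labels `LEGACY_IGNORE_PATTERN`. Rename the heading and state plainly that `trustify-da-ignore` is the current marker and `exhortignore` is accepted only for compatibility. "Java 17+" is likewise a claim the PR does not substantiate; tie it to the compiler setting in the Maven POM rather than hard-coding it here.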
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,127 @@ | ||
| # the name by which the project can be referenced within Serena | ||
| project_name: "trustify-da-java-client" | ||
|
|
||
|
|
||
| # list of languages for which language servers are started; choose from: | ||
| # al ansible bash clojure cpp | ||
| # cpp_ccls crystal csharp csharp_omnisharp dart | ||
| # elixir elm erlang fortran fsharp | ||
| # go groovy haskell haxe hlsl | ||
| # java json julia kotlin lean4 | ||
| # lua luau markdown matlab msl | ||
| # nix ocaml pascal perl php | ||
| # php_phpactor powershell python python_jedi python_ty | ||
| # r rego ruby ruby_solargraph rust | ||
| # scala solidity swift systemverilog terraform | ||
| # toml typescript typescript_vts vue yaml | ||
| # zig | ||
| # (This list may be outdated. For the current list, see values of Language enum here: | ||
| # https://github.com/oraios/serena/blob/main/src/solidlsp/ls_config.py | ||
| # For some languages, there are alternative language servers, e.g. csharp_omnisharp, ruby_solargraph.) | ||
| # Note: | ||
| # - For C, use cpp | ||
| # - For JavaScript, use typescript | ||
| # - For Free Pascal/Lazarus, use pascal | ||
| # Special requirements: | ||
| # Some languages require additional setup/installations. | ||
| # See here for details: https://oraios.github.io/serena/01-about/020_programming-languages.html#language-servers | ||
| # When using multiple languages, the first language server that supports a given file will be used for that file. | ||
| # The first language is the default language and the respective language server will be used as a fallback. | ||
| # Note that when using the JetBrains backend, language servers are not used and this list is correspondingly ignored. | ||
| languages: | ||
| - java | ||
|
|
||
| # the encoding used by text files in the project | ||
| # For a list of possible encodings, see https://docs.python.org/3.11/library/codecs.html#standard-encodings | ||
| encoding: "utf-8" | ||
|
|
||
| # line ending convention to use when writing source files. | ||
| # Possible values: unset (use global setting), "lf", "crlf", or "native" (platform default) | ||
| # This does not affect Serena's own files (e.g. memories and configuration files), which always use native line endings. | ||
| line_ending: | ||
|
|
||
| # The language backend to use for this project. | ||
| # If not set, the global setting from serena_config.yml is used. | ||
| # Valid values: LSP, JetBrains | ||
| # Note: the backend is fixed at startup. If a project with a different backend | ||
| # is activated post-init, an error will be returned. | ||
| language_backend: | ||
|
|
||
| # whether to use project's .gitignore files to ignore files | ||
| ignore_all_files_in_gitignore: true | ||
|
|
||
| # list of additional paths to ignore in this project. | ||
| # Same syntax as gitignore, so you can use * and **. | ||
| # Note: global ignored_paths from serena_config.yml are also applied additively. | ||
| ignored_paths: [] | ||
|
|
||
| # whether the project is in read-only mode | ||
| # If set to true, all editing tools will be disabled and attempts to use them will result in an error | ||
| # Added on 2025-04-18 | ||
| read_only: false | ||
|
|
||
| # list of tool names to exclude. | ||
| # This extends the existing exclusions (e.g. from the global configuration) | ||
| # Find the list of tools here: https://oraios.github.io/serena/01-about/035_tools.html | ||
| excluded_tools: [] | ||
|
|
||
| # list of tools to include that would otherwise be disabled (particularly optional tools that are disabled by default). | ||
| # This extends the existing inclusions (e.g. from the global configuration). | ||
| # Find the list of tools here: https://oraios.github.io/serena/01-about/035_tools.html | ||
| included_optional_tools: [] | ||
|
|
||
| # fixed set of tools to use as the base tool set (if non-empty), replacing Serena's default set of tools. | ||
| # This cannot be combined with non-empty excluded_tools or included_optional_tools. | ||
| # Find the list of tools here: https://oraios.github.io/serena/01-about/035_tools.html | ||
| fixed_tools: [] | ||
|
|
||
| # list of mode names to that are always to be included in the set of active modes | ||
| # The full set of modes to be activated is base_modes + default_modes. | ||
| # If the setting is undefined, the base_modes from the global configuration (serena_config.yml) apply. | ||
| # Otherwise, this setting overrides the global configuration. | ||
| # Set this to [] to disable base modes for this project. | ||
| # Set this to a list of mode names to always include the respective modes for this project. | ||
| base_modes: | ||
|
|
||
| # list of mode names that are to be activated by default, overriding the setting in the global configuration. | ||
| # The full set of modes to be activated is base_modes (from global config) + default_modes + added_modes. | ||
| # If the setting is undefined/empty, the default_modes from the global configuration (serena_config.yml) apply. | ||
| # Otherwise, this overrides the setting from the global configuration (serena_config.yml). | ||
| # Therefore, you can set this to [] if you do not want the default modes defined in the global config to apply | ||
| # for this project. | ||
| # This setting can, in turn, be overridden by CLI parameters (--mode). | ||
| # See https://oraios.github.io/serena/02-usage/050_configuration.html#modes | ||
| default_modes: | ||
|
|
||
| # initial prompt for the project. It will always be given to the LLM upon activating the project | ||
| # (contrary to the memories, which are loaded on demand). | ||
| initial_prompt: "" | ||
|
|
||
| # time budget (seconds) per tool call for the retrieval of additional symbol information | ||
| # such as docstrings or parameter information. | ||
| # This overrides the corresponding setting in the global configuration; see the documentation there. | ||
| # If null or missing, use the setting from the global configuration. | ||
| symbol_info_budget: | ||
|
|
||
| # list of regex patterns which, when matched, mark a memory entry as read‑only. | ||
| # Extends the list from the global configuration, merging the two lists. | ||
| read_only_memory_patterns: [] | ||
|
|
||
| # list of regex patterns for memories to completely ignore. | ||
| # Matching memories will not appear in list_memories or activate_project output | ||
| # and cannot be accessed via read_memory or write_memory. | ||
| # To access ignored memory files, use the read_file tool on the raw file path. | ||
| # Extends the list from the global configuration, merging the two lists. | ||
| # Example: ["_archive/.*", "_episodes/.*"] | ||
| ignored_memory_patterns: [] | ||
|
|
||
| # advanced configuration option allowing to configure language server-specific options. | ||
| # Maps the language key to the options. | ||
| # Have a look at the docstring of the constructors of the LS implementations within solidlsp (e.g., for C# or PHP) to see which options are available. | ||
| # No documentation on options means no options are available. | ||
| ls_specific_settings: {} | ||
|
|
||
| # list of mode names to be activated additionally for this project, e.g. ["query-projects"] | ||
| # The full set of modes to be activated is base_modes (from global config) + default_modes + added_modes. | ||
| # See https://oraios.github.io/serena/02-usage/050_configuration.html#modes | ||
| added_modes: |
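Review bot: most of this file is the upstream Serena template with its comments and unset keys (`line_ending`, `language_backend`, `base_modes`, `default_modes`, `symbol_info_budget`, `added_modes` and `initial_prompt: ""` all carry defaults), so only `project_name`, `languages`, `encoding` and `ignore_all_files_in_gitignore: true` configure anything; trim it to those to keep the diff reviewable. Two settings deserve a deliberate choice rather than the default: `read_only: false` enables every editing tool for anyone who activates this shared config, and `read_only_memory_patterns: []` leaves the memory files committed in this PR writable by the assistant, so one session can silently rewrite the project notes that the next contributor's session then trusts. If the memories are meant to be versioned, mark them read-only here and change them through normal review.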