diff --git a/CHANGELOG.md b/CHANGELOG.md index 9649e1ef4..368cc9951 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,7 @@ # Change Log ## 0.7.3 (Oct 10th 2023) - enhancement - Support for Golang and Python ecosystems. See [#645](https://github.com/fabric8-analytics/fabric8-analytics-vscode-extension/pull/645) +- enhancement - A new setting for Python and Go environments to restrict package analysis when there is a package version mis-match between the environment and the manifest file. See the [Features section](https://github.com/fabric8-analytics/fabric8-analytics-vscode-extension/blob/master/README.md#features) of the README for more information. ## 0.7.0 (Sep 11th 2023) - fixes - Improved overall performance and stability with the analysis report. - informational - Alpha release of the new Red Hat Dependency Analytics (RHDA) extension. diff --git a/README.md b/README.md index 0ebc42dae..59c9753c5 100644 --- a/README.md +++ b/README.md @@ -5,26 +5,29 @@ [![Codecov](https://codecov.io/gh/fabric8-analytics/fabric8-analytics-vscode-extension/branch/master/graph/badge.svg?token=rHIO4KNlJ0)](https://codecov.io/gh/fabric8-analytics/fabric8-analytics-vscode-extension) Red Hat's Dependency Analytics (RHDA) extension gives you awareness to security concerns within your software supply chain while you build your application. -The Dependency Analytics extension uses the Snyk REST API to query [Snyk's Vulnerability Database](https://snyk.io/product/vulnerability-database/) for the most up-to-date vulnerability information available. +The Red Hat Dependency Analytics extension uses the Snyk REST API to query [Snyk's Vulnerability Database](https://snyk.io/product/vulnerability-database/) for the most up-to-date vulnerability information available. Snyk uses industry-leading security intelligence by pulling from many data sources to give you exact vulnerability information. **NOTE:**
The Red Hat Dependency Analytics extension is an online service hosted and maintained by Red Hat. -Dependency Analytics only accesses your manifest files to analyze your application dependencies before displaying the vulnerability report. +Red Hat Dependency Analytics only accesses your manifest files to analyze your application dependencies before displaying the vulnerability report. **IMPORTANT:** -
Currently, Dependency Analytics only supports projects that use Maven (`mvn`), Node (`npm`), Golang (`go mod`) and Python (`pip`) ecosystems. +
Currently, Red Hat Dependency Analytics only supports projects that use Maven (`mvn`), Node (`npm`), Golang (`go mod`) and Python (`pip`) ecosystems. In future releases, Red Hat plans to support other programming languages. ##### Table of Contents -- [Quick start](#quick-start) -- [Configuration](#configuration) -- [Features](#features) -- [Using Red Hat Dependency Analytics for CI builds](#using-red-hat-dependency-analytics-for-ci-builds) -- [Know more about the Red Hat Dependency Analytics platform](#know-more-about-the-red-hat-dependency-analytics-platform) -- [Data and telemetry](#data-and-telemetry) -- [Support, feedback \& questions](#support-feedback--questions) -- [License](#license) +- [Red Hat Dependency Analytics](#red-hat-dependency-analytics) + - [Table of Contents](#table-of-contents) + - [Quick start](#quick-start) + - [Configuration](#configuration) + - [Configurable parameters](#configurable-parameters) + - [Features](#features) + - [Using Red Hat Dependency Analytics for CI builds](#using-red-hat-dependency-analytics-for-ci-builds) + - [Know more about the Red Hat Dependency Analytics platform](#know-more-about-the-red-hat-dependency-analytics-platform) + - [Data and telemetry](#data-and-telemetry) + - [Support, feedback \& questions](#support-feedback--questions) + - [License](#license) ## Quick start 
@@ -53,7 +56,7 @@ Click the **Workspace** tab, search for the word _executable_, and specify the a - Open a manifest file, and click the **pie chart** icon ![ Pie chart icon ](icon/report-icon.png). - Right click on a manifest file in the **Explorer** view, and click **Red Hat Dependency Analytics Report...**. - From the vulnerability pop-up alert message, click **Open detailed vulnerability report**. -7. (OPTIONAL) You can link your Snyk account to Dependency Analytics by doing the following: +7. (OPTIONAL) You can link your Snyk account to Red Hat Dependency Analytics by doing the following: 1. Log into your [Snyk account](https://app.snyk.io/login?utm_campaign=Code-Ready-Analytics-2020&utm_source=code_ready&code_ready=FF1B53D9-57BE-4613-96D7-1D06066C38C9). 2. On the account landing page, you can find your Snyk Token, copy the token. 3. Open the Red Hat Dependency Analytics extension settings. @@ -90,7 +93,7 @@ If you need a new Snyk token, you can generate a new token [here](https://app.sn **Red Hat Dependency Analytics Report File Path** : -Specify the local path to create the Dependency Analytics report file. +Specify the local path to create the Red Hat Dependency Analytics report file. The default path is `/tmp/redhatDependencyAnalyticsReport.html`. ## Features @@ -103,7 +106,7 @@ The default path is `/tmp/redhatDependencyAnalyticsReport.html`. **NOTE:** Add the `target` folder to your `.gitignore` file to exclude it from Git monitoring. - ![ Animated screenshot showing the inline reporting feature of Dependency Analytics ](images/screencasts/component-analysis.gif) + ![ Animated screenshot showing the inline reporting feature of Red Hat Dependency Analytics ](images/screencasts/component-analysis.gif) - **Excluding dependencies with `exhortignore`**
You can exclude a package from analysis by marking the package for exclusion. @@ -211,6 +214,20 @@ The default path is `/tmp/redhatDependencyAnalyticsReport.html`. Closing the tab removes the temporary HTML file. You can specify the file name by [modifying the _Red Hat Dependency Analytics: Red Hat Dependency Analytics Report File Path_ field](#configuration) in the extension settings. +- **Python and Go package manager behavior** +
When a user requests a Python or a Go package analysis, Red Hat Dependency Analytics performs the analysis by looking at the version tags from those environments, and not from the manifest files of those environments. + This can result in the user receiving information that does not match their intended request. + Because of this behavior, Red Hat Dependency Analytics has a new configurable setting. + By default, the `MATCH_MANIFEST_VERSIONS` setting restricts Red Hat Dependency Analytics from doing an analysis on package versions that do not match the versions defined by the manifest files. + When Red Hat Dependency Analytics finds a package version mis-match, an alert message asks the user to switch this setting. + If the user decides to disable this restriction, Red Hat Dependency Analytics performs the analysis on versions given by the package manager only. + This setting applies to Python and Go environments. + +
An alternative workaround exists for Python environments only. + The user can start Visual Studio Code with the [`EXHORT_PYTHON_VIRTUAL_ENV`](https://github.com/RHEcosystemAppEng/exhort-javascript-api#:~:text=EXHORT_PYTHON_VIRTUAL_ENV) variable set to `true`. + Doing this allows Red Hat Dependency Analytics to install Python packages into a virtual environment to perform the analysis. + The benefit is having a clean Python environment not influenced by earlier installations, but the downside is a significantly slower analysis process. + ## Using Red Hat Dependency Analytics for CI builds You can automate the analysis of your application's vulnerabilities within the build and release pipeline.
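Review bot: in the CHANGELOG hunk, "mis-match" should be "mismatch" (the same spelling recurs in the README hunk for the Python and Go section), and the 0.7.3 entry refers only to "a new setting" without naming it; naming `MATCH_MANIFEST_VERSIONS` as the README hunk does, and stating its default, would let readers of the changelog find the setting without following the link.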
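Review bot: the regenerated table of contents in the README hunk at `@@ -5,26 +5,29 @@` lists "Table of Contents" as an entry of itself and nests every section under a top-level "Red Hat Dependency Analytics" item, which adds a level of indentation without carrying information; suggest dropping the self-referential entry and the wrapping item so the list keeps its previous flat form with the new "Configurable parameters" entry indented under "Configuration".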
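Review bot: the new "Python and Go package manager behavior" paragraph in the `@@ -211,6 +214,20 @@` hunk introduces `MATCH_MANIFEST_VERSIONS` as a configurable setting but never says where it is set (an environment variable like `EXHORT_PYTHON_VIRTUAL_ENV`, or an entry in the extension settings next to "Red Hat Dependency Analytics Report File Path") or what its default value literally is, so "an alert message asks the user to switch this setting" leaves the reader without the name and value to change; suggest adding the setting to the Configuration section with its default and a one-line example. The paragraph should also state plainly that with the restriction disabled the vulnerability report describes the versions installed in the environment rather than the versions pinned in the manifest, since that is exactly the case in which the report can disagree with what gets shipped. Lastly, the `EXHORT_PYTHON_VIRTUAL_ENV` link depends on a `#:~:text=` text-fragment anchor, which only some browsers honour; link to the section heading of that README instead.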