feat: added support for golang and python ecosystems

.eslintrc.js

@@ -0,0 +1,56 @@
+module.exports = {
+    "root": true,
+    "parser": "@typescript-eslint/parser",
+    "plugins": ["@typescript-eslint"],
+    "extends": [
+        "eslint:recommended",
+        "plugin:@typescript-eslint/eslint-recommended",
+        "plugin:@typescript-eslint/recommended"
+    ],
+    "rules": {
+        "@typescript-eslint/no-explicit-any": "off",
+        "@typescript-eslint/no-require-imports": "error",
+        "@typescript-eslint/no-unused-expressions": "error",
+        "@typescript-eslint/naming-convention": [ 
+            "error",
+            {
+                "selector": "default",
+                "format": ["camelCase"]
+            },
+            {
+                "selector": ["class", "interface", "enum"],
+                "format": ["PascalCase"]
+            },
+            {
+                "selector": ["enumMember", "variable", "property", "method"],
+                "format": ["UPPER_CASE", "camelCase"],
+                "leadingUnderscore": "allow"
+            }
+        ],
+        "@typescript-eslint/semi": ["error", "always"],
+        "@typescript-eslint/quotes": [
+            "error",
+            "single",
+            {
+                "allowTemplateLiterals": true,
+                "avoidEscape": true
+            }
+        ],
+        "@typescript-eslint/no-shadow": "error",
+        "@typescript-eslint/no-redeclare": "error",
+        "no-async-promise-executor": "off",
+        "no-redeclare": "off",
+        "no-duplicate-case": "error",
+        "no-shadow": "off",
+        "curly": "error",
+        "semi": "off",
+        "eqeqeq": ["error", "always"],
+        "quotes": "off",
+        "no-debugger": "error",
+        "no-empty": "error",
+        "no-var": "error",
+        "no-unsafe-finally": "error",
+        "new-parens": "error",
+        "no-throw-literal": "error",
+    }
+}

.gitignore

@@ -1,19 +1,23 @@
+# Dependency directories
+**/node_modules
+**/package-lock.json
+
+# test data directories
+test-workspace/
+
+# nyc test coverage directories
+coverage/
+.nyc_output/
+.vscode-test/
+
+# npm  config file
+.npmrc
+
+#others
 dist
 out
-node_modules
 ca-lsp-server.tar
 ca-lsp-server/
-*.vsix
-.vscode-test/
 .DS_Store
 *.tar.*
-coverage/
-.history
-target/
-coverage/
-.history
-target/
-test/resources/**/package-lock.json
-test/resources/**/node_modules
-.npmrc
-test-workspace/
+.history

.vscode/launch.json

@@ -18,7 +18,7 @@
 			"outFiles": [
 				"${workspaceFolder}/dist/*.js"
 			],
-			"preLaunchTask": "npm: webpack-dev"
+			"preLaunchTask": "npm: webpack-dev",
 		},
 		{
 			"name": "Launch Tests",

.vscodeignore

@@ -11,8 +11,6 @@ node_modules/**
 **/target
 **/*.map
 .gitignore
-tsconfig.json
-tslint.json
 vsc-extension-quickstart.md
 **/**.tar
 **/**.tar.gz

CHANGELOG.md

@@ -1,4 +1,7 @@
 # Change Log
+## 0.7.3 (Nov 7th 2023)
+- enhancement - Support for Golang and Python ecosystems. See [#645](https://github.com/fabric8-analytics/fabric8-analytics-vscode-extension/pull/645)
+- enhancement - A new setting for Python and Go environments to restrict package analysis when there is a package version mis-match between the environment and the manifest file. See the [Features section](https://github.com/fabric8-analytics/fabric8-analytics-vscode-extension/blob/master/README.md#features) of the README for more information.
 ## 0.7.0 (Sep 11th 2023)
 - fixes - Improved overall performance and stability with the analysis report.
 - informational - Alpha release of the new Red Hat Dependency Analytics (RHDA) extension.

README.md

@@ -1,43 +1,48 @@
 # Red Hat Dependency Analytics
 
 [![Visual Studio Marketplace](https://vsmarketplacebadges.dev/version/redhat.fabric8-analytics.svg)](https://marketplace.visualstudio.com/items?itemName=redhat.fabric8-analytics)
-![CI Build](https://github.com/fabric8-analytics/fabric8-analytics-vscode-extension/workflows/Tests/badge.svg?branch=master)
-[![codecov](https://codecov.io/gh/fabric8-analytics/fabric8-analytics-vscode-extension/branch/master/graph/badge.svg?token=rHIO4KNlJ0)](https://codecov.io/gh/fabric8-analytics/fabric8-analytics-vscode-extension)
+![CI](https://github.com/fabric8-analytics/fabric8-analytics-vscode-extension/workflows/CI/badge.svg?branch=master)
+[![Codecov](https://codecov.io/gh/fabric8-analytics/fabric8-analytics-vscode-extension/branch/master/graph/badge.svg?token=rHIO4KNlJ0)](https://codecov.io/gh/fabric8-analytics/fabric8-analytics-vscode-extension)
 
 Red Hat's Dependency Analytics (RHDA) extension gives you awareness to security concerns within your software supply chain while you build your application.
-The Dependency Analytics extension uses the Snyk REST API to query [Snyk's Vulnerability Database](https://snyk.io/product/vulnerability-database/) for the most up-to-date vulnerability information available.
+The Red Hat Dependency Analytics extension uses the Snyk REST API to query [Snyk's Vulnerability Database](https://snyk.io/product/vulnerability-database/) for the most up-to-date vulnerability information available.
 Snyk uses industry-leading security intelligence by pulling from many data sources to give you exact vulnerability information.
 
 **NOTE:**
 <br >The Red Hat Dependency Analytics extension is an online service hosted and maintained by Red Hat.
-Dependency Analytics only accesses your manifest files to analyze your application dependencies before displaying the vulnerability report.
+Red Hat Dependency Analytics only accesses your manifest files to analyze your application dependencies before displaying the vulnerability report.
 
 **IMPORTANT:**
-<br >Currently, Dependency Analytics only supports projects that use Maven (`mvn`), and Node ecosystems (`npm`).
+<br >Currently, Red Hat Dependency Analytics only supports projects that use Maven (`mvn`), Node (`npm`), Golang (`go mod`) and Python (`pip`) ecosystems.
 In future releases, Red Hat plans to support other programming languages.
 
 ##### Table of Contents
-- [Quick start](#quick-start)
-- [Configuration](#configuration)
-- [Features](#features)
-- [Using Red Hat Dependency Analytics for CI builds](#using-red-hat-dependency-analytics-for-ci-builds)
-- [Know more about the Red Hat Dependency Analytics platform](#know-more-about-the-red-hat-dependency-analytics-platform)
-- [Data and telemetry](#data-and-telemetry)
-- [Support, feedback \& questions](#support-feedback--questions)
-- [License](#license)
+- [Red Hat Dependency Analytics](#red-hat-dependency-analytics)
+				- [Table of Contents](#table-of-contents)
+	- [Quick start](#quick-start)
+	- [Configuration](#configuration)
+		- [Configurable parameters](#configurable-parameters)
+	- [Features](#features)
+	- [Using Red Hat Dependency Analytics for CI builds](#using-red-hat-dependency-analytics-for-ci-builds)
+	- [Know more about the Red Hat Dependency Analytics platform](#know-more-about-the-red-hat-dependency-analytics-platform)
+	- [Data and telemetry](#data-and-telemetry)
+	- [Support, feedback \& questions](#support-feedback--questions)
+	- [License](#license)
 
 ## Quick start
 
 **Prerequisites**
 
 - For Maven projects, analyzing a `pom.xml` file, you must have the `mvn` binary in your system’s `PATH` environment.
 - For Node projects, analyzing a `package.json` file, you must have the `npm` binary in your system’s `PATH` environment.
+- For Golang projects, analyzing a `go.mod` file, you must have the `go` binary in your system’s `PATH` environment.
+- For Python projects, analyzing a `requirements.txt` file, you must have the `python3/pip3` or `python/pip` binaries in your system’s `PATH` environment.
 
 <br >**IMPORTANT:** 
 <br >Visual Studio Code by default executes binaries directly in a terminal found in your system's `PATH` environment.
 You can configure Visual Studio Code to look somewhere else to run the necessary binaries.
 You can configure this by accessing the [extension settings](https://code.visualstudio.com/docs/getstarted/settings).
-Click the **Workspace** tab, search for the word _executable_, and specify the absolute path to the binary file you want to use for Maven or Node.
+Click the **Workspace** tab, search for the word _executable_, and specify the absolute path to the binary file you want to use for Maven, Node or Golang.
 
 **Procedure**
 
@@ -51,7 +56,7 @@ Click the **Workspace** tab, search for the word _executable_, and specify the a
    - Open a manifest file, and click the **pie chart** icon ![ Pie chart icon ](icon/report-icon.png).
    - Right click on a manifest file in the **Explorer** view, and click **Red Hat Dependency Analytics Report...**.
    - From the vulnerability pop-up alert message, click **Open detailed vulnerability report**.
-7. (OPTIONAL) You can link your Snyk account to Dependency Analytics by doing the following:
+7. (OPTIONAL) You can link your Snyk account to Red Hat Dependency Analytics by doing the following:
    1. Log into your [Snyk account](https://app.snyk.io/login?utm_campaign=Code-Ready-Analytics-2020&utm_source=code_ready&code_ready=FF1B53D9-57BE-4613-96D7-1D06066C38C9).
    2. On the account landing page, you can find your Snyk Token, copy the token.
    3. Open the Red Hat Dependency Analytics extension settings.
@@ -88,20 +93,20 @@ If you need a new Snyk token, you can generate a new token [here](https://app.sn
 
 **Red Hat Dependency Analytics Report File Path** :
 
-Specify the local path to create the Dependency Analytics report file.
+Specify the local path to create the Red Hat Dependency Analytics report file.
 The default path is `/tmp/redhatDependencyAnalyticsReport.html`.
 
 ## Features
 
 - **Component analysis**
-	<br >Upon opening a manifest file, such as a `pom.xml` or `package.json` file, a scan starts the analysis process.
+	<br >Upon opening a manifest file, such as a `pom.xml`, `package.json`, `go.mod` or `requirements.txt` file, a scan starts the analysis process.
 	The scan provides immediate inline feedback on detected security vulnerabilities for your application's dependencies.
 	Such dependencies are appropriately underlined in red, and hovering over it gives you a short summary of the security concern.
 	The summary has the full package name, version number, the amount of known security vulnerabilities, and the highest severity status of said vulnerabilities.
 
 	**NOTE:** Add the `target` folder to your `.gitignore` file to exclude it from Git monitoring.
 
-	![ Animated screenshot showing the inline reporting feature of Dependency Analytics ](images/screencasts/component-analysis.gif)
+	![ Animated screenshot showing the inline reporting feature of Red Hat Dependency Analytics ](images/screencasts/component-analysis.gif)
 
 - **Excluding dependencies with `exhortignore`**
 	<br >You can exclude a package from analysis by marking the package for exclusion.
@@ -141,8 +146,23 @@ The default path is `/tmp/redhatDependencyAnalyticsReport.html`.
 	}
 	```
 
+	If you wish to ignore vulnerabilities for a dependency in a `go.mod` file, you must add `exhortignore` as a comment against the dependency in the manifest file.
+	For example:
+	```
+	require (
+		golang.org/x/sys v1.6.7 // exhortignore
+	)
+	```
+
+	If you wish to ignore vulnerabilities for a dependency in a `requirements.txt` file, you must add `exhortignore` as a comment against the dependency in the manifest file.
+	For example:
+	```
+	requests==2.28.1 # exhortignore
+	```
+
 - **Excluding developmental or test dependencies**
 	<br >Red Hat Dependency Analytics does not analyze dependencies marked as `dev` or `test`, these dependencies are ignored.
+
 	For example, setting `test` in the `scope` tag within a `pom.xml` file:
 
 	```xml
@@ -177,11 +197,37 @@ The default path is `/tmp/redhatDependencyAnalyticsReport.html`.
 	}
 	```
 
+	For example, setting `exclude` attributte in the `go.mod` file:
+
+	```
+	exclude golang.org/x/sys v1.6.7
+
+	exclude (
+		golang.org/x/sys v1.6.7
+	)
+	```
+
+	For example, creating an alternative file to `requirements.txt`, like `requirements-dev.txt` or `requirements-test.txt` and adding the dev or test dependencies there istead.
+
 - **Red Hat Dependency Analytics report** 
 	<br >The Red Hat Dependency Analytics report is a temporary HTML file that exist if the **Red Hat Dependency Analytics Report** tab remains open.
 	Closing the tab removes the temporary HTML file.
 	You can specify the file name by [modifying the _Red Hat Dependency Analytics: Red Hat Dependency Analytics Report File Path_ field](#configuration) in the extension settings.
 
+- **Python and Go package manager behavior**
+    <br >When a user requests a Python or a Go package analysis, Red Hat Dependency Analytics performs the analysis by looking at the version tags from those environments, and not from the manifest files of those environments.
+	This can result in the user receiving information that does not match their intended request.
+	Because of this behavior, Red Hat Dependency Analytics has a new configurable workspace setting.
+	By default, the `Match Manifest Versions` (MATCH_MANIFEST_VERSIONS) setting restricts Red Hat Dependency Analytics from doing an analysis on package versions that do not match the versions defined by the manifest files.
+	When Red Hat Dependency Analytics finds a package version mis-match, an alert message asks the user to switch this setting.
+	If the user decides to disable this restriction, Red Hat Dependency Analytics performs the analysis on versions given by the package manager only.
+	This setting applies to Python and Go environments.
+
+	<br >An alternative workaround exists for Python environments only.
+	The user can start Visual Studio Code with the [`EXHORT_PYTHON_VIRTUAL_ENV`](https://github.com/RHEcosystemAppEng/exhort-javascript-api#:~:text=EXHORT_PYTHON_VIRTUAL_ENV) variable set to `true`.
+	Doing this allows Red Hat Dependency Analytics to install Python packages into a virtual environment to perform the analysis.
+	The benefit is having a clean Python environment not influenced by earlier installations, but the downside is a significantly slower analysis process.
+
 ## Using Red Hat Dependency Analytics for CI builds
 
 You can automate the analysis of your application's vulnerabilities within the build and release pipeline.