feat: Dependency track tags reporting

[gschafra]

• Allow providing (multiple) tags for dependency track reporting

[malice00]

Can you please add some tests for this feature, so we actually know it works correctly? Also, can you please sign off on your commit? See git documentation on how to do this, if you're no familiar.

[gschafra]

Can you please add some tests for this feature, so we actually know it works correctly? Also, can you please sign off on your commit? See git documentation on how to do this, if you're no familiar.

Are there already any tests in place concerning the reporting to dependency check using command line parameters (like --project-id)? If yes, where can I find those?

AFAICS for the Dependency-Track SBOM submission/reporting features (e.g. --project-id) there seem no tests at all 😞, so I'm missing the test method (unit, integration?) for this use case (CLI param -> expected result).

[gschafra]

O.k.. sorry... find a way using quibble for mocking and call expectations of got() in submitBom(). Test will follow tomorrow.

[malice00]

You are correct, we don't have tests for that yet! All the more reason to add some imho.
Preferably they're unit tests (check the xx.poku.js files), but if it's easier, you can check our repotests.yml-workflow and add your repo (if possible, don't want to force proprietary stuff to become public 😉) with tests to it.

[prabhu]

Thank you! I didn't know about this useful feature before.

[gschafra]

Will try to implement unit tests next week. Still try to find a way and the code location to test by mocking out the client (using quibble?) doing the requests to dtrack and verify against against call (parameter) expectations (using Sinon.js?). This seems not so easy in the JS world 😞

[gschafra]

You are correct, we don't have tests for that yet! All the more reason to add some imho. Preferably they're unit tests (check the xx.poku.js files), but if it's easier, you can check our repotests.yml-workflow and add your repo (if possible, don't want to force proprietary stuff to become public 😉) with tests to it.

Question: How do you manage the fixed package version overrides in the package.json? I've to add quibble and sinon for mocking and enhanced assertion to the dev packages. As I've seen, ALL packages including their peer dependencies are listed in the "overrides" section of package.json and putting all of them manually is ... painful (?). Are you using any tooling for this?

[malice00]

Question: How do you manage the fixed package version overrides in the package.json? I've to add quibble and sinon for mocking and enhanced assertion to the dev packages. As I've seen, ALL packages including their peer dependencies are listed in the "overrides" section of package.json and putting all of them manually is ... painful (?). Are you using any tooling for this?

Yeah, unfortunately that's a manual thing -- currently. I added this a couple of days ago and the idea is to at least consciously think about our dependencies, but some form of listing what is missing for easier adding would be nice... I hope I find some time to do that in the next couple of days.

[malice00]

So, the version locking was not a success... I reverted those changes and I kindly ask you to rebase your PR again. If it's not too complicated, you can remove your overrides as well -- or leave them in if everything works with them there.

[malice00]

You're doing such an awesome job, that I hate to bring this up: isn't this just a copy of the above test except now it has a parent set? I'm asking because the test-description says 'multiple' (although it also says 'single'), so I figured this would test with multiple tags...

[gschafra]

Yup, test is not ready yet... I'm massively struggling with test stubs (from ESM modules [got]) , which seems not to reset correctly between tests or/and affecting each other concerning expecations (call count). I've "consultated" various info sources (yes, even GPT and co.) but unfortunately without success. I'll dive deeper into this next week when I have some free time.

[prabhu]

Please take your time. It will be super cool to have such advanced tests!