Contributor

@bkettle bkettle commented Nov 15, 2025

Adds a new parameter to the ResolveDependencies RPC that allows specifying a
list of configurations to include in the resolution. We could alternately do
this by RPC, but it seemed worth it to do it as a CLI flag so we can potentially
use it in the future.

  • I ran make setup && make to update the generated code after editing a .atd file (TODO: have a CI check)
  • I made sure we're still backward compatible with old versions of the CLI.
    For example, the Semgrep backend needs to still be able to consume data
    generated by Semgrep 1.50.0.
    See https://atd.readthedocs.io/en/latest/atdgen-tutorial.html#smooth-protocol-upgrades
    Note that the types related to the semgrep-core JSON output or the
    semgrep-core RPC do not need to be backward compatible!
  • Any accompanying changes in semgrep-proprietary are approved and ready to merge once this PR is merged

@bkettle bkettle force-pushed the bk/dependency-configuration branch from 8f7915d to 7107cd5 Compare November 15, 2025 01:17
@github-actions

Backwards compatibility summary:


@bkettle bkettle requested review from a team, TikhonJelvis and mjambon November 20, 2025 20:25
Member

@mjambon mjambon left a comment


Note that you'll get merge conflicts since the comments are now <doc text="..."> annotations.

allow_local_builds: bool;
(* the configurations (e.g. gradle configurations) to resolve. If not specified,
* all configurations will be resolved. Supported only for Gradle currently. *)
include_dependency_configurations: string list option;
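
Review bot: The comment on include_dependency_configurations says what happens when the field is "not specified" but not what an empty list means. With string list option, Some [] is a distinct value from None and callers can send it, so the comment should state whether an empty list resolves nothing or is treated like None, or the receiving side should reject it explicitly.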
Member


It should be:

?include_dependency_configurations: string list option;

because it makes the field optional (otherwise it's a weird JSON representation and probably a weird python representation too)

Member


Hmm, ok, the Python interface isn't bad. It's just the JSON representation for the option type that's unidiomatic if you don't pair option with a question mark on the field name.

Member

@mjambon mjambon Nov 20, 2025


Note that if you want to default to the empty list rather than a None, it is achieved with

~include_dependency_configurations: string list;

Contributor Author


Hmm, doing so will make the Python argument optional, right? I wanted to have the argument be required but nullable. But it's not important; I can change it.
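
The three declarations discussed in this thread accept different JSON for the same field. The sketch below is an added example, not code from the PR and not atdgen output: it hand-models atdgen's JSON conventions for a required option field, a `?` field and a `~` field, with hypothetical decoder names and constructed payloads.

```python
import json

FIELD = "include_dependency_configurations"

def _string_list(v):
    if not isinstance(v, list) or not all(isinstance(s, str) for s in v):
        raise ValueError(f"expected a list of strings, got {v!r}")
    return v

def decode_required_option(obj):
    # `field: string list option`: key is mandatory, value is a variant,
    # either "None" or ["Some", [...]].
    if FIELD not in obj:
        raise ValueError(f"missing required field {FIELD}")
    v = obj[FIELD]
    if v == "None":
        return None
    if isinstance(v, list) and len(v) == 2 and v[0] == "Some":
        return _string_list(v[1])
    raise ValueError(f"bad option encoding: {v!r}")

def decode_optional(obj):
    # `?field: string list option`: absent key is None, present key is the bare list.
    return _string_list(obj[FIELD]) if FIELD in obj else None

def decode_with_default(obj):
    # `~field: string list`: absent key is the default (empty list), so
    # "not specified" and "specified as empty" become indistinguishable.
    return _string_list(obj[FIELD]) if FIELD in obj else []

DECODERS = {"required": decode_required_option, "?": decode_optional, "~": decode_with_default}

# Constructed payloads (not captured from Semgrep).
SAMPLES = {
    "absent": '{"allow_local_builds": false}',
    "bare": '{"allow_local_builds": false, "include_dependency_configurations": ["runtimeClasspath"]}',
    "variant": '{"allow_local_builds": false, "include_dependency_configurations": ["Some", ["runtimeClasspath"]]}',
}

def decode_all(sample_name):
    """Run every decoder on one sample; a rejected payload is reported as 'error'."""
    obj = json.loads(SAMPLES[sample_name])
    out = {}
    for name, fn in DECODERS.items():
        try:
            out[name] = fn(obj)
        except ValueError:
            out[name] = "error"
    return out

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, decode_all(s))
```

Only the `?` and `~` forms accept a payload that omits the field, and neither accepts the variant encoding that the required option form expects.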
