I managed to implement the workaround for the uncached packages.
Right now I am doing the following:
1. API call to $"api/sca/builds?project={projectName}&version={version}"
2. Parse the build Id out of the ViewBuildUrl property
3. API call to native API $"api/json/Projects_GetBuildInfo?ProjectBuild_Id={projectBuildId}"
4. Cross reference ProjectBuildPackagesFeeds with ProjectBuildPackagesExtended to find out which packages could not be mapped to feeds
5. Call to the download button URL $"nuget/{feedName}/package/{packageName}/{packageVersion}" for each package that could not be mapped to any feed
6. API call to $"api/sca/analyze-build?project={projectName}&version={version}" to update the build
While it does work, I'm not fully happy with the implementation and would like to ask for some improvements to the regular API.
Compliance information in PackageInfo
Right now the PackageInfo object does not contain any information about compliance violations. Would it be possible to extend it with the warnings that are shown in the compliance column of the /projects2/packages page?
Ideally, it would be some sort of enum that has atomic values for all the known violations and can be filtered easily. This would help to avoid the call to the native API in step 2, which as far as I understand you don't recommend using anyway.
{
"purl": "pkg:myGroup/myPackage@1.2.3",
"vulnerabilities": [],
"licenses": ["MIT", "Apache-2.0"],
"complianceWarnings": [
"PackageNotFound",
"NoLicenseDetected",
"Deprecated"
]
}
What would also be nice to have is atomic values for the package name and version, so one doesn't have to parse it out of the purl.
Download Package API behavior
Right now the /api/packages/MyNugetFeed/download?purl=pkg:nuget/MyNugetPackage@1.0.0 API returns 404 when trying to download a package that is not cached yet.
As a workaround I am using the URL of the download button used in the UI, but I would prefer to use a proper API endpoint that has more chances to be stable in the future.
I think it would be good if the download API could be changed to also trigger package downloading and caching from connectors, so basically the same behavior as the endpoint behind the download button.
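The workaround described in the steps above, plus the purl splitting mentioned under the compliance section, as an added example that is neither ProGet's own code nor the poster's. The endpoint paths are the ones quoted in the post; everything else is an assumption made so the logic runs offline: the JSON field names (ViewBuildUrl, ProjectBuildPackagesExtended, ProjectBuildPackagesFeeds, Package_Name, Package_Version), the shape of ViewBuildUrl, the use of POST for analyze-build, and the `transport` callable that stands in for an authenticated HTTP client.

```python
"""Model of the ProGet SCA cache-warming workaround from the post.

Added example, not ProGet's API client or the original poster's code. The
paths are those quoted in the post; JSON field names, the ViewBuildUrl shape
and the `transport` callable are assumptions so this runs offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Any, Callable
from urllib.parse import quote

# Assumed transport signature: (method, path, query params) -> parsed JSON body.
# A real implementation would wrap requests.Session with the API key header.
Transport = Callable[[str, str, dict[str, str]], Any]


@dataclass(frozen=True)
class PackageRef:
    name: str
    version: str


def parse_purl(purl: str) -> tuple[str, str, str]:
    """Split 'pkg:type/[namespace/]name@version' into (type, name, version).

    Qualifiers ('?...') and a subpath ('#...') are dropped; the name keeps any
    namespace segments (e.g. 'myGroup/myPackage'). Not a full purl parser.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    body = re.split(r"[?#]", purl[4:], maxsplit=1)[0]
    ptype, slash, rest = body.partition("/")
    name, at, version = rest.rpartition("@")
    if not (slash and at and ptype and name and version):
        raise ValueError(f"malformed purl: {purl!r}")
    return ptype, name, version


# Assumption: the numeric build id is the last run of digits in ViewBuildUrl,
# e.g. '/projects2/build?projectBuildId=42'. Adjust once the real URL is known.
_BUILD_ID_RE = re.compile(r"(\d+)(?!.*\d)")


def build_id_from_url(view_build_url: str) -> int:
    m = _BUILD_ID_RE.search(view_build_url)
    if not m:
        raise ValueError(f"no build id in {view_build_url!r}")
    return int(m.group(1))


def unmapped_packages(extended: list[dict], feeds: list[dict]) -> list[PackageRef]:
    """Packages listed in ProjectBuildPackagesExtended that have no row in
    ProjectBuildPackagesFeeds (assumed keys Package_Name / Package_Version)."""
    mapped = {(f["Package_Name"], f["Package_Version"]) for f in feeds}
    seen: set[tuple[str, str]] = set()
    missing: list[PackageRef] = []
    for p in extended:
        key = (p["Package_Name"], p["Package_Version"])
        if key not in mapped and key not in seen:
            seen.add(key)
            missing.append(PackageRef(*key))
    return missing


def run_workaround(transport: Transport, project: str, version: str, feed: str) -> list[PackageRef]:
    """Steps 1-6 from the post; returns the packages it pulled into the cache."""
    sca = transport("GET", "api/sca/builds", {"project": project, "version": version})
    build_id = build_id_from_url(sca["ViewBuildUrl"])
    info = transport("GET", "api/json/Projects_GetBuildInfo", {"ProjectBuild_Id": str(build_id)})
    missing = unmapped_packages(info["ProjectBuildPackagesExtended"], info["ProjectBuildPackagesFeeds"])
    for pkg in missing:
        # Same URL as the UI download button. quote(safe='') keeps a package
        # name or version containing '/' or '..' from rewriting the path.
        path = "nuget/{}/package/{}/{}".format(
            quote(feed, safe=""), quote(pkg.name, safe=""), quote(pkg.version, safe=""))
        transport("GET", path, {})
    transport("POST", "api/sca/analyze-build", {"project": project, "version": version})
    return missing


@dataclass
class FakeTransport:
    """Constructed stand-in for ProGet: canned responses plus a call log."""
    responses: dict[tuple[str, str], Any]
    calls: list[tuple[str, str, dict[str, str]]] = field(default_factory=list)

    def __call__(self, method: str, path: str, params: dict[str, str]) -> Any:
        self.calls.append((method, path, params))
        return self.responses.get((method, path))


def make_sample_transport() -> FakeTransport:
    """Constructed sample: one package mapped to a feed, one (duplicated) not."""
    return FakeTransport({
        ("GET", "api/sca/builds"): {"ViewBuildUrl": "/projects2/build?projectBuildId=42"},
        ("GET", "api/json/Projects_GetBuildInfo"): {
            "ProjectBuildPackagesExtended": [
                {"Package_Name": "Newtonsoft.Json", "Package_Version": "13.0.3"},
                {"Package_Name": "Serilog", "Package_Version": "3.1.1"},
                {"Package_Name": "Serilog", "Package_Version": "3.1.1"},
            ],
            "ProjectBuildPackagesFeeds": [
                {"Package_Name": "Newtonsoft.Json", "Package_Version": "13.0.3", "Feed_Name": "MyNugetFeed"},
            ],
        },
    })


if __name__ == "__main__":
    t = make_sample_transport()
    for p in run_workaround(t, "MyProject", "1.0.0", "MyNugetFeed"):
        print(f"warmed cache for {p.name} {p.version}")
    for method, path, _ in t.calls:
        print(method, path)
```

Keeping the HTTP layer behind a callable is what makes the cross-reference logic testable without a ProGet instance, and the path quoting matters because the package name and version come straight out of a build manifest rather than from a trusted source.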