
Make possible to parse metadata via parsers #300

Closed
wants to merge 1 commit into from

Conversation

moaddib666

For now, there is no possibility to set metadata.component... via https://github.com/CycloneDX/cyclonedx-python.
After this patch it would be possible to implement get_metadata() in a parser, for example poetry, to parse the package from the package.toml file. Also, I'd like to introduce some default parser that could parse env parameters.

@moaddib666 moaddib666 requested a review from a team as a code owner September 4, 2022 16:28
self.timestamp = datetime.now(tz=timezone.utc)
self.tools = tools or [] # type: ignore
self.authors = authors or [] # type: ignore
self.component = component
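Review bot: `self.component = component` on the last line of this hunk assigns a value that the Lift finding below reports as `Optional[Component]` to an attribute declared as `Component`; either declare the attribute as `Optional[Component]` (defaulting to `None`, since the CLI output in this thread shows metadata without a component is a normal state) or reject `None` explicitly in the constructor, so the type checker and the serializer agree on whether `metadata.component` may be absent.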
Incompatible attribute type: Attribute component declared in class BomMetaData has type Component but is used as type Optional[Component].


madpah (Collaborator) commented Sep 5, 2022

Hi @moaddib666 - thanks for getting involved with CycloneDX.

If I understand the purpose of the PR correctly (please correct me if I have misunderstood), you are raising this so that component can then be set from outside this core library? If that is the case, this is already possible (bom.metadata.component = my_component).

If I've not understood the purpose of this PR, please let us know.

Thanks again!

moaddib666 (Author) commented Sep 5, 2022

Hi, it's possible for custom code, not for the CycloneDX/cyclonedx-python script itself. We have a pipeline for different languages, and the node/php implementations fill metadata.component from scratch, but python doesn't. I believe it's because env/pip doesn't have any, but poetry does. Also it looks to me that it would be a great idea to parse env variables with metadata or pass it directly to the cli.

@madpah have a look:

pip install cyclonedx-bom
cyclonedx-bom -p -pb --format json
cat bom.json | jq .metadata
{
  "timestamp": "2022-09-05T08:45:11.893659+00:00",
  "tools": [
    {
      "vendor": "CycloneDX",
      "name": "cyclonedx-bom",
      "version": "3.5.0"
    },
    {
      "vendor": "CycloneDX",
      "name": "cyclonedx-python-lib",
      "version": "2.7.1",
      "externalReferences": [
        {
          "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions",
          "type": "build-system"
        },
        {
          "url": "https://pypi.org/project/cyclonedx-python-lib/",
          "type": "distribution"
        },
        {
          "url": "https://cyclonedx.github.io/cyclonedx-python-lib/",
          "type": "documentation"
        },
        {
          "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues",
          "type": "issue-tracker"
        },
        {
          "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE",
          "type": "license"
        },
        {
          "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md",
          "type": "release-notes"
        },
        {
          "url": "https://github.com/CycloneDX/cyclonedx-python-lib",
          "type": "vcs"
        },
        {
          "url": "https://cyclonedx.org",
          "type": "website"
        }
      ]
    }
  ]
}

from cyclonedx.model.component import Component


class BomMetaData:
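Review bot: moving `BomMetaData` into its own module (`cyclonedx.model.bom_meta`, per the import quoted in the discussion below) changes the public import path of a class users already reference; keep a re-export such as `from .bom_meta import BomMetaData` in `cyclonedx/model/bom.py` so existing callers do not break, and note the move in the changelog.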
Member
This looks like it was refactored into its own file/module. What is the purpose?
Why did it need to be moved? What's the benefit of yet another module? Are there any other changes?

Author
Hi, this is due to dependency recursion during type checking:
cyclonedx/model/bom.py

from ..parser import BaseParser

cyclonedx/parser/__init__.py

from ..model.bom_meta import BomMetaData

@@ -226,6 +54,7 @@ def from_parser(parser: BaseParser) -> 'Bom':
"""
bom = Bom()
bom.components.update(parser.get_components())
bom.metadata.update(parser.get_metadata())
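Review bot: `bom.metadata.update(parser.get_metadata())` calls two methods that do not appear elsewhere in the visible diff; give `BaseParser.get_metadata()` a default implementation that returns empty metadata so parsers that do not implement it keep working, document what `BomMetaData.update()` does when a field (such as `component`) is already set (overwrite or keep), and add a unit test for `Bom.from_parser` with a parser that supplies metadata, as requested below.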
Member
Since this seems to be the only relevant change here, please add proper unit tests.

Author
Sure, will add, but as for me, it looks like it should be covered by existing tests.

jkowalleck (Member) commented Sep 6, 2022

re: #300 (comment)

> Also it looks to me that it would be a great idea to parse env variables with metadata or pass it directly to the cli.

I still don't get the point.

If you want to modify the resulting SBOM, then you might want to check: https://github.com/CycloneDX/cyclonedx-cli

moaddib666 (Author)

> re: #300 (comment)
>
> > Also it looks to me that it would be a great idea to parse env variables with metadata or pass it directly to the cli.
>
> I still don't get the point.
>
> If you want to modify the resulting SBOM, then you might want to check: https://github.com/CycloneDX/cyclonedx-cli

Makes sense for env vars to update it via cyclonedx-cli.
But in the case of poetry, we can still get metadata from project.toml.
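As an added illustration (not code from cyclonedx-python-lib, this PR, or either commenter) of what a poetry parser's get_metadata() could extract from a project file, the snippet below reads the [tool.poetry] table of a pyproject.toml and returns the fields one would then pass to a Component and assign to bom.metadata.component as madpah describes; the tomllib/tomli import, the [tool.poetry] layout and the pkg:pypi purl form are assumptions, and the TOML content is constructed.

```python
# Added example (not code from cyclonedx-python-lib or this PR): read the
# [tool.poetry] table of a pyproject.toml and derive the fields a poetry
# parser's get_metadata() could feed into bom.metadata.component.
# Assumptions: metadata lives under [tool.poetry]; PyPI purls take the form
# pkg:pypi/<normalized-name>@<version>.
import re
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib  # type: ignore  # assumes tomli on older Pythons

# Constructed sample pyproject.toml standing in for the file on disk.
SAMPLE_PYPROJECT = b"""
[tool.poetry]
name = "My_Service"
version = "1.4.2"
description = "Internal billing API"
authors = ["Jane Doe <jane@example.com>", "Ops Team <ops@example.com>"]
license = "Apache-2.0"
"""


def _normalize_pypi_name(name: str) -> str:
    # PEP 503 normalization so the purl matches the canonical PyPI name.
    return re.sub(r"[-_.]+", "-", name).lower()


def poetry_metadata(pyproject_bytes: bytes) -> dict:
    """Return the metadata.component fields derivable from pyproject.toml.

    Fails loudly when [tool.poetry] or name/version is missing, so an SBOM
    is never emitted with a blank or guessed subject component.
    """
    data = tomllib.loads(pyproject_bytes.decode("utf-8"))
    poetry = data.get("tool", {}).get("poetry")
    if not poetry:
        raise ValueError("pyproject.toml has no [tool.poetry] table")
    name, version = poetry.get("name"), poetry.get("version")
    if not name or not version:
        raise ValueError("[tool.poetry] must define both name and version")
    return {
        "name": name,
        "version": version,
        "description": poetry.get("description"),
        "authors": list(poetry.get("authors", [])),
        "licenses": [poetry["license"]] if poetry.get("license") else [],
        "purl": f"pkg:pypi/{_normalize_pypi_name(name)}@{version}",
    }
```

Refusing to return metadata when name or version is missing matters because metadata.component is what ties the SBOM to the artifact it describes; a guessed value would make the document look complete while misidentifying its subject.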

@jkowalleck jkowalleck marked this pull request as draft January 12, 2023 17:25
jkowalleck (Member)

Parsers are planned to be removed via #489

@jkowalleck jkowalleck closed this Nov 27, 2023