
Update the SBOM merge script to handle the newer metadata.tools format #448

Conversation

@brunoapimentel brunoapimentel commented Jan 10, 2024

There's a new version of CycloneDX (1.5), which introduced changes in the way to specify .metadata.tools and marks the current format as deprecated.

CycloneDX 1.4:

{
   "metadata": {
      "tools": [
          {
             "vendor": "red hat",
             "name": "cachi2"
          }
      ]
   }
}

CycloneDX 1.5:

{
   "metadata": {
      "tools": {
        "components": [
            {
               "type": "application",
               "author": "red hat",
               "name": "cachi2"
            }
        ]
    }
}

Syft has also adopted the newer format starting from version 0.99.0. This makes the 'merge_syft_sbom.py' script fail when a newer Syft SBOM is used. This PR also updates the script so that both formats can be handled in Syft SBOMs.

Maintainers will complete the following section

  • Commit messages are descriptive enough
  • Code coverage from testing does not decrease and new code is covered
  • [n/a] Docs updated (if applicable)
  • [n/a] Docs links in the code are still valid (if docs were updated)

@brunoapimentel

brunoapimentel commented Jan 10, 2024

We should probably also create a mechanism to add the current Cachi2 version to the metadata.tools output:

{
  "metadata": {
    "tools": {
      "components": [
        {
          "type": "application",
          "author": "red hat",
          "name": "cachi2",
          "version": "0.4.0"
        }
      ]
    }
  }
}

@taylormadore

Do we need to bump the schema version we're using in the integration tests?

CYCLONEDX_SCHEMA_URL = (
"https://raw.githubusercontent.com/CycloneDX/specification/1.4/schema/bom-1.4.schema.json"
)

@brunoapimentel

New pushes: added a commit that updates the merge_syft_sbom.py script.

@chmeliik

chmeliik commented Feb 13, 2024

Blocks konflux-ci/build-definitions#722, which blocks the latest rh-syft build

(Syft < 0.99.0 panics when processing the source directory of Syft >= 0.99.0)

@ben-alkov ben-alkov self-requested a review February 13, 2024 20:06
@brunoapimentel brunoapimentel force-pushed the update-cyclonedx-version branch 2 times, most recently from e6f6f74 to db1edd5 Compare February 15, 2024 14:07
@brunoapimentel brunoapimentel changed the title Update Cachi2 CycloneDX version to 1.5 Update merge script to handle the newer metadata.tools format from CycloneDx 1.5 Feb 15, 2024
@brunoapimentel brunoapimentel changed the title Update merge script to handle the newer metadata.tools format from CycloneDx 1.5 Update the SBOM merge script to handle the newer metadata.tools format Feb 15, 2024
@brunoapimentel

New push completely reworks the PR:

  • To avoid breaking changes, we're keeping Cachi2's SBOM in CycloneDX 1.4
  • The merge script is updated so either .metadata.tools format can be handled (assuming Cachi2's SBOM will be kept in 1.4)


@chmeliik chmeliik left a comment


LGTM with minor nitpicks

Comment on lines 133 to 146
    if type(syft_tools) is dict:
        components = []

        for t in cachi2_tools:
            components.append(
                {
                    "author": t["vendor"],
                    "name": t["name"],
                    "type": "application",
                }
            )

        syft_tools["components"].extend(components)
    elif type(syft_tools) is list:

@chmeliik chmeliik Feb 15, 2024


nitpick: unnecessary elif condition

or missing else: explode

Contributor Author


Added an else: explode.

syft_tools = syft_sbom["metadata"]["tools"]
cachi2_tools = cachi2_sbom["metadata"]["tools"]

if type(syft_tools) is dict:
Contributor


nitpick:

Suggested change
if type(syft_tools) is dict:
if isinstance(syft_tools, dict):

Contributor Author


Fixed.
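The following is an added example, not cachi2's own utils/merge_syft_sbom.py, that shows the merge logic discussed in the PR description (the 1.4 list form versus the 1.5 {"components": [...]} form of metadata.tools) and in the review thread (isinstance checks plus an "else: explode" branch). It assumes, as the PR does, that the cachi2 SBOM stays in the 1.4 list form while the Syft SBOM may be in either. The sample SBOM documents and the tool versions in them are constructed for the example and are not real Syft or cachi2 output.

```python
"""Added example (not cachi2's utils/merge_syft_sbom.py): merge the
metadata.tools of a cachi2 SBOM, kept in CycloneDX 1.4 list form, into a
Syft SBOM that may use either the 1.4 list form or the 1.5
{"components": [...]} form. Any other shape raises instead of being
silently passed through."""
import copy
import json

# Constructed sample documents, trimmed to the parts the merge touches.
# They are not real Syft or cachi2 output; versions are made up.
SYFT_SBOM_1_4 = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"tools": [{"vendor": "anchore", "name": "syft", "version": "0.98.0"}]},
    "components": [],
}
SYFT_SBOM_1_5 = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "tools": {
            "components": [
                {"type": "application", "author": "anchore", "name": "syft", "version": "0.99.0"}
            ]
        }
    },
    "components": [],
}
CACHI2_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"tools": [{"vendor": "red hat", "name": "cachi2", "version": "0.4.0"}]},
    "components": [],
}


def tool_to_component(tool: dict) -> dict:
    """Translate one 1.4 tool entry into a 1.5 tools.components entry.
    The 1.4 'vendor' field becomes the 1.5 'author'; 'name' and 'version' carry over."""
    component = {"type": "application", "author": tool["vendor"], "name": tool["name"]}
    if "version" in tool:
        component["version"] = tool["version"]
    return component


def merge_tools_metadata(syft_sbom: dict, cachi2_sbom: dict) -> dict:
    """Return a copy of syft_sbom whose metadata.tools also lists cachi2's tools,
    written in whichever format the Syft SBOM already uses."""
    merged = copy.deepcopy(syft_sbom)  # never mutate the caller's documents
    syft_tools = merged["metadata"]["tools"]
    cachi2_tools = cachi2_sbom["metadata"]["tools"]

    # Assumption from the PR: cachi2 still emits the 1.4 list form. Refuse anything else.
    if not isinstance(cachi2_tools, list):
        raise ValueError("cachi2 SBOM metadata.tools must be a CycloneDX 1.4 list")

    if isinstance(syft_tools, dict):
        # CycloneDX 1.5: tools is an object holding a "components" list
        syft_tools.setdefault("components", []).extend(
            tool_to_component(t) for t in cachi2_tools
        )
    elif isinstance(syft_tools, list):
        # CycloneDX 1.4: tools is a plain list of {"vendor", "name", ...} entries
        syft_tools.extend(copy.deepcopy(cachi2_tools))
    else:
        # The "else: explode" from the review thread: an unknown shape is a bug,
        # not something to pass through into the merged SBOM.
        raise ValueError(
            f"unsupported metadata.tools type in Syft SBOM: {type(syft_tools).__name__}"
        )
    return merged


def tool_names(sbom: dict) -> list[str]:
    """List tool names from either metadata.tools format (useful for sanity checks)."""
    tools = sbom["metadata"]["tools"]
    if isinstance(tools, dict):
        return [c["name"] for c in tools.get("components", [])]
    if isinstance(tools, list):
        return [t["name"] for t in tools]
    raise ValueError(f"unsupported metadata.tools type: {type(tools).__name__}")


if __name__ == "__main__":
    for syft in (SYFT_SBOM_1_4, SYFT_SBOM_1_5):
        merged = merge_tools_metadata(syft, CACHI2_SBOM)
        print(f"spec {merged['specVersion']}: tools = {tool_names(merged)}")
        print(json.dumps(merged["metadata"]["tools"], indent=2))
```

The merge writes cachi2's entry in the format the Syft document already uses, so the result stays internally consistent with the Syft SBOM's declared specVersion; a Syft SBOM whose metadata.tools is neither a list nor an object is rejected rather than emitted with a half-merged tools section.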

CycloneDX 1.5 changes the way to define tools in the metadata section,
and marks the 1.4 way as deprecated.

Syft has adopted the newer format starting from version 0.99.0. This
makes the 'merge_syft_sbom.py' script fail when a newer Syft SBOM is
used.

This patch updates the script so both formats can be handled. It assumes
the Cachi2 SBOM is in the 1.4 format.

Signed-off-by: Bruno Pimentel <[email protected]>
@brunoapimentel brunoapimentel added this pull request to the merge queue Feb 15, 2024
Merged via the queue into containerbuildsystem:main with commit 6129c17 Feb 15, 2024
15 checks passed
@brunoapimentel brunoapimentel deleted the update-cyclonedx-version branch April 13, 2024 12:48