spdx: initial sbom framwork + spdx encoder #1468
Conversation
BradLugo
changed the title
|
Should be moved out of the Rambling on whyThe |
BradLugo
force-pushed
the
add-spdx-converter
branch
from
0e7bc81 to
ae67e46
Compare
BradLugo
force-pushed
the
add-spdx-converter
branch
3 times, most recently
from
11f31ac to
be73a74
Compare
|
If anyone has a suggestion on testing something that bakes in |
You can put together a |
BradLugo
force-pushed
the
add-spdx-converter
branch
from
3abf86b to
aa194f1
Compare
|
I'll start using fixup commits from this point on to help reviewers until I get approvals, then I'll rebase all the fixup commits. |
BradLugo
requested review from
hdonnay,
dcaravel and
crozzy
and removed request for
a team
BradLugo
force-pushed
the
add-spdx-converter
branch
from
ac99a3b to
40685d2
Compare
Signed-off-by: Brad Lugo <[email protected]>
BradLugo
force-pushed
the
add-spdx-converter
branch
3 times, most recently
from
29c8071 to
f8bb863
Compare
BradLugo
force-pushed
the
add-spdx-converter
branch
from
f8bb863 to
795e5f2
Compare
sbom/sbom.go
Outdated
| "io" | ||
| ) | ||
|
|
||
| // Encoder is an interface to convert a claircore.IndexReport into an io.Reader |
There was a problem hiding this comment.
| // Encoder is an interface to convert a claircore.IndexReport into an io.Reader | |
| // Encoder is an interface to write a Software Bill of Materials (SBOM) representation of a [claircore.IndexReport] to an output stream. |
There was a problem hiding this comment.
Don't forget about this one ^ :)
sbom/sbom.go
Outdated
| "io" | ||
| ) | ||
|
|
||
| // Encoder is an interface to convert a claircore.IndexReport into an io.Reader |
There was a problem hiding this comment.
Don't forget about this one ^ :)
sbom/spdx/encoder.go
Outdated
|
|
||
| // Record Distributions for this package. | ||
| if r.Distribution != nil { | ||
| rDistId, err := strconv.Atoi(r.Distribution.ID) |
There was a problem hiding this comment.
just realized, do we use the IDs for anything other than converting them into ints? If not, then can we just keep them as strings and make the map key string instead of int? Same idea for the slices. Not sure if we have to keep doing this conversion
There was a problem hiding this comment.
We convert them to ints to sort them. The return from IndexReport.IndexRecords() is non-deterministic because it iterates over IndexReport.Packages, which is a map. In order to have a deterministic output, both to test against and for users to be able to run a diff between reports, we need to have some sort of ordering structuring. This is what I came up with, but I'm happy to revisit how we do it (perhaps in a follow up PR 🙂)
Some of this context is captured in a comment here: Some context here: https://github.com/quay/claircore/pull/1468/files#diff-9730b2b5baa2c38c549f0b3c1077fddf654896f316b79c2c8f3f77d5fb7ccd1cR273-R276
There was a problem hiding this comment.
so if we just cared about sorting for determinism, then I think we can keep it as strings. If we also want to have the IDs in increasing order, then converting to int makes sense. Feel free to change in a followup if you decide to change it
sbom/spdx/encoder.go
Outdated
| return nil, err | ||
| } | ||
|
|
||
| srcPkg, ok := pkgs[rSrcPkgId] |
There was a problem hiding this comment.
won't block the PR over this, but wondering why we add the source here instead of just waiting until we see it? Do we not always see it? In the case we add it here and then see it again later, do we risk potentially duplicating data?
There was a problem hiding this comment.
@crozzy will likely be able to explain this better, but my understanding is that source packages aren't always recorded as root-level packages. In fact, I think rhcc source packages are the only ones that are also recorded as root-level packages.
For clarity, when I say "root-level packages" here, I'm referring to IndexReport.Packages as opposed to IndexReport.Packages.Source.
There was a problem hiding this comment.
Yeah, I think it depends on what the Scan() method kicks back. If the indexer reports something as a source I think we should add it as a source package in the SBOM.
|
don't forget to sign your commits :) Also looks like there are still a bunch. Seems like you are on top of that, though, with the |
Yup, thank you! It's a new thing I'm trying. The fixup commits have a message body detailing more about the commit and giving reviewers an easier history to work with. Then, when I get approvals from all participating reviewers, I |
Adding a function to be able to convert index reports into SPDX documents and SPDX documents into index reports. Signed-off-by: crozzy <[email protected]> Signed-off-by: Brad Lugo <[email protected]>
BradLugo
force-pushed
the
add-spdx-converter
branch
from
9127d9d to
0075f4a
Compare
|
autosquashing commits; no changes. |
Description
These changes introduce the initial SBOM framework into claircore, generating an SPDX 2.3 JSON document from a
claircore.IndexReport.Design
Design doc: https://docs.google.com/document/d/1dRKMWjmkpYO5oN_Y-S_0R2vwyvcdXHCNejM3C-F2DIc/edit?tab=t.0