Retain cataloged SBOM relationships#1509
Conversation
|
@houdini91 this looks good but are you able to fix the tests? |
|
@kzantow No problem. I can also go and push all the relationships statically in to the test but there are like 150 so it will be a large list. Any suggestion are welcome. |
| if err := SubsetRelationship(p.expectedRelationships, relationships, p.compareOptions...); err != nil { | ||
| diff := cmp.Diff(p.expectedRelationships, relationships, p.compareOptions...) | ||
| t.Errorf("unexpected %s relationships from parsing (-expected +actual)\n%s", err, diff) |
There was a problem hiding this comment.
I'm not entirely sure this is ideal -- if there is a diff, the diff will be very noisy and not represent what the check is actually doing. Could we just update the individual tests to have the right expected relationships?
There was a problem hiding this comment.
Np, do you want me to as simply 150 relationship to the static go code? Should we remove some from the sbom?
There was a problem hiding this comment.
Fyi the diff line in the snippet your referring is simply to output for failed subset check above it was simpler for me to use it's full diff output for test outpu
But I understand you concern about the subset comparison
There was a problem hiding this comment.
I'd be good with updating the source SBOM to make a manageable set of relationships to add explicitly to the tests.
|
@houdini91 I think you may also just need to run |
houdini91
force-pushed
the
suggestion/sbom_cataloger_relationships_fix
branch
from
8b2d0ce to
f7dae77
Compare
Signed-off-by: Eitan Goldenstein <eitan@scribesecurity.com>
houdini91
force-pushed
the
suggestion/sbom_cataloger_relationships_fix
branch
from
9222893 to
f44839e
Compare
|
@kzantow Hi, sorry for the delay, i admittedly forgot about this PR. |
|
Thanks @houdini91 ! |
kzantow
changed the title
* main: (32 commits) chore(deps): bump github.com/google/go-containerregistry (#1823) chore(deps): bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1 (#1822) chore(deps): bump github.com/docker/docker (#1824) fix: update field plurality of 8.0.0 schema before release (#1820) fix: update cataloger to check for expressions before split (#1819) feat: update syft license concept to complex struct (#1743) fix: cyclonedx depends-on relationship inverted (#1816) fix: retain sbom cataloger relationships (#1509) feat: warn if parsing newer SBOM (#1810) feat: Add R cataloger (#1790) update cosign to v2 release (different go module) (#1805) fix: Reduce log spam on unknown relationship type (#1797) chore(deps): update bootstrap tools to latest versions (#1807) chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 (#1802) chore(deps): bump github.com/docker/docker (#1795) chore(deps): bump github.com/google/go-containerregistry (#1796) chore(deps): update bootstrap tools to latest versions (#1792) Print package list when extra packages found (#1791) chore(deps): update bootstrap tools to latest versions (#1786) chore(deps): bump golang.org/x/term from 0.7.0 to 0.8.0 (#1787) ... Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Eitan Goldenstein <eitan@scribesecurity.com> Co-authored-by: Eitan Goldenstein <eitan@scribesecurity.com>
4 participants
Hi,
I noticed using the sbom cataloger the relations that are read from the sbom are not aggregated in to the Syft model sbom.
I have a small fix suggestion, not sure if there was a reason behind it or simply a typo.
Are there any tests you would like me to add for this PR?
Signed-off-by: houdini91 mdstrauss91@gmail.com