Skip to content

Update the SBOM merge script to handle the newer metadata.tools format#448

Merged
brunoapimentel merged 1 commit intohermetoproject:mainfrom
brunoapimentel:update-cyclonedx-version
Feb 15, 2024
Merged

Update the SBOM merge script to handle the newer metadata.tools format#448
brunoapimentel merged 1 commit intohermetoproject:mainfrom
brunoapimentel:update-cyclonedx-version

Conversation

@brunoapimentel
Copy link
Copy Markdown
Member

@brunoapimentel brunoapimentel commented Jan 10, 2024
edited
Loading

There's a new version of the CycloneDX (1.5) which introduced changes in the way to specify .metadata.tools, and marks the current format as deprecated.

CycloneDX 1.4:

{
   "metadata": {
      "tools": [
          {
             "vendor": "red hat",
             "name": "cachi2"
          }
      ]
   }
}

CycloneDX 1.5:

{
   "metadata": {
      "tools": {
        "components": [
            {
               "type": "application",
               "author": "red hat",
               "name": "cachi2"
            }
        ]
    }
}

Syft has also adopted the newer format starting from version 0.99.0. This makes the 'merge_syft_sbom.py' script to fail in case a newer Syft SBOM is used. This PR also updates the script so both formats can be handled in Syft SBOMs.

Maintainers will complete the following section

  • Commit messages are descriptive enough
  • Code coverage from testing does not decrease and new code is covered
  • [n/a] Docs updated (if applicable)
  • [n/a] Docs links in the code are still valid (if docs were updated)

@brunoapimentel
Copy link
Copy Markdown
Member Author

brunoapimentel commented Jan 10, 2024
edited
Loading

We should probably also create a mechanism to add the current Cachi2 version to the metadata.tools output:

  "metadata": {
    "tools": {
      "components": [
        {
          "type": "application",
          "author": "red hat"
          "name": "cachi2",
          "version": "0.4.0"
        }
      ]
    }
  }

@brunoapimentel brunoapimentel force-pushed the update-cyclonedx-version branch from 21a08f5 to b1afb7c Compare January 10, 2024 14:31
chmeliik
chmeliik reviewed Jan 10, 2024
View reviewed changes
Comment thread utils/merge_syft_sbom.py Outdated
@taylormadore
Copy link
Copy Markdown
Member

taylormadore commented Jan 10, 2024

Do we need to bump the schema version we're using in the integration tests? https://github.com/containerbuildsystem/cachi2/blob/eb4cb6c9bd2dedbd8cd766c086fa16db290ffbfb/tests/integration/utils.py#L33-L35

@brunoapimentel brunoapimentel force-pushed the update-cyclonedx-version branch from b1afb7c to 2b46376 Compare January 10, 2024 20:56
@brunoapimentel brunoapimentel force-pushed the update-cyclonedx-version branch 2 times, most recently from 20ddee2 to 286972e Compare January 25, 2024 03:52
@brunoapimentel brunoapimentel mentioned this pull request Jan 25, 2024
Closed
2 tasks
@brunoapimentel
Copy link
Copy Markdown
Member Author

brunoapimentel commented Jan 25, 2024

New pushes: added a commit that updates the merge_syft_sbom.py script.

chmeliik
chmeliik reviewed Feb 13, 2024
View reviewed changes
Comment thread cachi2/core/models/sbom.py Outdated
Comment thread utils/merge_syft_sbom.py Outdated
@chmeliik
Copy link
Copy Markdown
Contributor

chmeliik commented Feb 13, 2024
edited
Loading

Blocks konflux-ci/build-definitions#722, which blocks the latest rh-syft build

(Syft < 0.99.0 panics when processing the source directory of Syft >= 0.99.0)

@ben-alkov ben-alkov self-requested a review February 13, 2024 20:06
@brunoapimentel brunoapimentel force-pushed the update-cyclonedx-version branch 2 times, most recently from e6f6f74 to db1edd5 Compare February 15, 2024 14:07
@brunoapimentel brunoapimentel changed the title Update Cachi2 CycloneDX version to 1.5 Update merge script to handle the newer metadata.tools format from CycloneDx 1.5 Feb 15, 2024
@brunoapimentel brunoapimentel changed the title Update merge script to handle the newer metadata.tools format from CycloneDx 1.5 Update the SBOM merge script to handle the newer metadata.tools format Feb 15, 2024
@brunoapimentel
Copy link
Copy Markdown
Member Author

brunoapimentel commented Feb 15, 2024

New push completely reworks the PR:

  • To avoid breaking changes, we're keeping Cachi2's SBOM in CycloneDX 1.4
  • The merge script is updated so either .metadata.tools format can be handled (assuming Cachi2's SBOM will be kept in 1.4)

chmeliik
chmeliik approved these changes Feb 15, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@chmeliik chmeliik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with minor nitpicks

Comment thread utils/merge_syft_sbom.py Outdated
Comment on lines +133 to +146
if type(syft_tools) is dict:
components = []

for t in cachi2_tools:
components.append(
{
"author": t["vendor"],
"name": t["name"],
"type": "application",
}
)

syft_tools["components"].extend(components)
elif type(syft_tools) is list:
Copy link
Copy Markdown
Contributor

@chmeliik chmeliik Feb 15, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick: unnecessary elif condition

or missing else: explode

Copy link
Copy Markdown
Member Author

@brunoapimentel brunoapimentel Feb 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a else: explode.

Comment thread utils/merge_syft_sbom.py Outdated
syft_tools = syft_sbom["metadata"]["tools"]
cachi2_tools = cachi2_sbom["metadata"]["tools"]

if type(syft_tools) is dict:
Copy link
Copy Markdown
Contributor

@chmeliik chmeliik Feb 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick:

Suggested change
if type(syft_tools) is dict:
if isinstance(syft_tools, dict):

Copy link
Copy Markdown
Member Author

@brunoapimentel brunoapimentel Feb 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

@brunoapimentel
Support new tool metadata format in the merge syft sbom script
dccda6b 
CycloneDX 1.5 changes the way to define tools in the metadata section,
and marks the 1.4 way as deprecated.

Syft has adopted the newer format starting from version 0.99.0. This
makes the 'merge_syft_sbom.py' script to fail in case a newer Syft
SBOM is used.

This patch updates the script so both formats can be handled. It assumes
the Cachi2 SBOM is in the 1.4 format.

Signed-off-by: Bruno Pimentel <bpimente@redhat.com>
@brunoapimentel brunoapimentel force-pushed the update-cyclonedx-version branch from db1edd5 to dccda6b Compare February 15, 2024 19:34
@ben-alkov ben-alkov requested a review from ejegrova February 15, 2024 19:39
@brunoapimentel brunoapimentel added this pull request to the merge queue Feb 15, 2024
Merged via the queue into hermetoproject:main with commit 6129c17 Feb 15, 2024
@brunoapimentel brunoapimentel deleted the update-cyclonedx-version branch April 13, 2024 12:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@taylormadore taylormadore taylormadore approved these changes

@ben-alkov ben-alkov ben-alkov approved these changes

@chmeliik chmeliik chmeliik approved these changes

@eskultety eskultety Awaiting requested review from eskultety

@slimreaper35 slimreaper35 Awaiting requested review from slimreaper35

@ejegrova ejegrova Awaiting requested review from ejegrova

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@brunoapimentel @taylormadore @chmeliik @ben-alkov @ejegrova