
Connect SBOMs with SPDX support. #511

Merged (2 commits) Nov 22, 2021
Conversation

mattmoor (Collaborator):

This combines Jason's SPDX stuff and my SBOM stuff to support
SPDX-based SBOMs by default instead of our `go version -m`
invention.

To simplify things, I got rid of `disableSBOM` in favor of supporting
`nil` and simply eliding the SBOM call.

codecov-commenter commented Nov 22, 2021:

Codecov Report

Merging #511 (0fda65b) into main (af2ff52) will decrease coverage by 0.32%.
The diff coverage is 40.54%.


@@            Coverage Diff             @@
##             main     #511      +/-   ##
==========================================
- Coverage   50.83%   50.51%   -0.33%     
==========================================
  Files          41       41              
  Lines        2028     2051      +23     
==========================================
+ Hits         1031     1036       +5     
- Misses        826      840      +14     
- Partials      171      175       +4     
Impacted Files                  Coverage            Δ
pkg/commands/resolver.go        30.62% <0.00%>      (-0.60%)  ⬇️
pkg/build/options.go            78.04% <14.28%>     (-13.38%) ⬇️
pkg/build/gobuild.go            56.45% <50.00%>     (-0.53%)  ⬇️
pkg/commands/options/build.go   64.17% <100.00%>    (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

imjasonh (Member) previously approved these changes Nov 22, 2021 and left a comment:

🎉🎉🎉

dir: dir,
sbom: spdx("(none)"),
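Review bot: `spdx("(none)")` hardcodes a sentinel string as the library default, and nothing in these lines names it or records that the CLI is expected to replace it with `WithSPDX(Version)`. Suggest hoisting `"(none)"` into a named constant with a comment stating that it marks an unset tool version, so that callers and the generated SPDX can be checked against one identifier rather than a literal that is easy to mistype or to drift from.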
imjasonh (Member):

Should this pass a real version value?

mattmoor (Collaborator Author):

So this is something I spent a bit of time futzing around with, so LMK if you have ideas wrt plumbing, but basically the place we inject `Version` today is in the consuming `pkg/commands` package. The way the CLI defaults are set up, this is always overridden with `WithSPDX(Version)`, so we get `(devel)` at HEAD today, and presumably even better with releases. However, I wanted the library default to be SPDX as well, and used `(none)` to distinguish.

@@ -116,6 +116,24 @@ func withBuilder(b builder) Option {
}
}

// WithGoVersionSBOM is a functional option to direct ko to use
// go version -m for SBOM format.
func WithGoVersionSBOM() Option {
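Review bot: the doc comment on `WithGoVersionSBOM` should say what the option replaces; with this change SPDX is the library default, so something like `// WithGoVersionSBOM is a functional option that makes ko emit its SBOM in go version -m format instead of the default SPDX.` would be clearer, whereas "use go version -m for SBOM format" reads as if `go version -m` were itself a format name. Since `disableSBOM` is gone in this PR and a nil sbomber now elides the call, it is also worth stating next to this option how the SBOM is turned off, because anyone who finds this knob will look for the opposite one beside it.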
imjasonh (Member):

I'll probably make this `WithSBOM(impl)` but that can happen later.

mattmoor (Collaborator Author):

I hate the signature for `sbomber`, so I didn't go that route (I started to), but I'd love to head that direction if you have ideas.
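The option plumbing discussed in this thread (an SPDX library default carrying a `(none)` sentinel that the CLI overrides with `WithSPDX(Version)`, `nil` standing in for the removed `disableSBOM`, and a single `sbomber` implementation slot that a `WithSBOM(impl)`-style option would set) is shown below as an added example in Go. It is illustrative code written for this page, not ko's code: the `sbomber` signature, `moduleInfo`, `buildOptions`, `attachSBOM`, `WithDisabledSBOM`, the media-type strings and the sample module data are all assumptions made here, and the SPDX and `go version -m` renderers are deliberately minimal stand-ins.

```go
package main

import (
	"fmt"
	"strings"
)

// dep is one entry of a built binary's module graph (constructed sample data).
type dep struct{ Path, Version string }

// moduleInfo stands in for what ko recovers from the binary via `go version -m`.
type moduleInfo struct {
	Main dep
	Deps []dep
}

// sbomber renders moduleInfo into an SBOM document plus its media type.
// A nil sbomber means "emit no SBOM": this replaces a disableSBOM flag.
type sbomber func(mod moduleInfo) (doc []byte, mediaType string, err error)

type buildOptions struct {
	dir  string
	sbom sbomber
}

// Option mutates buildOptions; options apply in order, so the last one wins.
type Option func(*buildOptions) error

// unsetToolVersion is the library-default sentinel; a CLI is expected to
// override it with WithSPDX(Version) (assumed name, mirrors the PR discussion).
const unsetToolVersion = "(none)"

// spdx returns an sbomber emitting a minimal SPDX tag-value document.
func spdx(toolVersion string) sbomber {
	return func(mod moduleInfo) ([]byte, string, error) {
		var b strings.Builder
		fmt.Fprintf(&b, "SPDXVersion: SPDX-2.2\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\n")
		fmt.Fprintf(&b, "DocumentName: %s\nCreator: Tool: ko %s\n", mod.Main.Path, toolVersion)
		fmt.Fprintf(&b, "PackageName: %s\nPackageVersion: %s\n", mod.Main.Path, mod.Main.Version)
		for _, d := range mod.Deps {
			fmt.Fprintf(&b, "PackageName: %s\nPackageVersion: %s\n", d.Path, d.Version)
		}
		return []byte(b.String()), "text/spdx", nil // media type assumed for this example
	}
}

// goVersionM returns an sbomber mimicking the `go version -m` text layout.
func goVersionM() sbomber {
	return func(mod moduleInfo) ([]byte, string, error) {
		var b strings.Builder
		fmt.Fprintf(&b, "%s: go1.17\n\tpath\t%s\n\tmod\t%s\t%s\n",
			mod.Main.Path, mod.Main.Path, mod.Main.Path, mod.Main.Version)
		for _, d := range mod.Deps {
			fmt.Fprintf(&b, "\tdep\t%s\t%s\n", d.Path, d.Version)
		}
		return []byte(b.String()), "application/vnd.go.version-m", nil // media type assumed
	}
}

// WithSPDX selects SPDX output and rejects an empty tool version so the
// sentinel cannot be silently replaced by nothing.
func WithSPDX(version string) Option {
	return func(o *buildOptions) error {
		if version == "" {
			return fmt.Errorf("WithSPDX: empty tool version")
		}
		o.sbom = spdx(version)
		return nil
	}
}

func WithGoVersionSBOM() Option {
	return func(o *buildOptions) error { o.sbom = goVersionM(); return nil }
}

// WithDisabledSBOM (assumed name) sets the sbomber to nil so attachSBOM is elided.
func WithDisabledSBOM() Option {
	return func(o *buildOptions) error { o.sbom = nil; return nil }
}

// newBuildOptions starts from the SPDX default, then applies caller options.
func newBuildOptions(dir string, opts ...Option) (*buildOptions, error) {
	o := &buildOptions{dir: dir, sbom: spdx(unsetToolVersion)}
	for _, opt := range opts {
		if err := opt(o); err != nil {
			return nil, err
		}
	}
	return o, nil
}

// attachSBOM is where the build would call the sbomber, or skip it when nil.
func (o *buildOptions) attachSBOM(mod moduleInfo) ([]byte, string, error) {
	if o.sbom == nil {
		return nil, "", nil
	}
	return o.sbom(mod)
}

// sampleModule is constructed sample input, not data from any real build.
var sampleModule = moduleInfo{
	Main: dep{Path: "example.com/app", Version: "v0.1.0"},
	Deps: []dep{{"github.com/google/go-containerregistry", "v0.7.0"}},
}

func main() {
	for _, tc := range []struct {
		name string
		opts []Option
	}{
		{"library default", nil},
		{"cli override", []Option{WithSPDX("v0.9.0")}},
		{"go version -m", []Option{WithGoVersionSBOM()}},
		{"disabled", []Option{WithDisabledSBOM()}},
	} {
		o, err := newBuildOptions("./cmd/app", tc.opts...)
		if err != nil {
			panic(err)
		}
		doc, mt, _ := o.attachSBOM(sampleModule)
		fmt.Printf("== %s (%q)\n%s", tc.name, mt, doc)
	}
}
```

Running `main` prints the four cases in turn; the library default carries `Creator: Tool: ko (none)`, which is the tell-tale that a consumer forgot to pass its real version through `WithSPDX`. Because options apply in order, `newBuildOptions(dir, WithGoVersionSBOM(), WithSPDX("v0.9.0"))` ends up SPDX, which is exactly the "CLI default always overrides" behaviour described above.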

.github/workflows/kind-e2e.yaml: one review comment, since resolved and marked outdated.