Pin Syft's output format to CycloneDX 1.4#754
brunoapimentel wants to merge 1 commit into konflux-ci:main from
Conversation
Newer versions of Syft may default to newer versions of CycloneDX (as observed in the recent 0.99.0 version). The problem is that the schema is bound to change between CycloneDX versions, which can bring breaking changes to the pipelines, especially to the scripts that merge different SBOMs. This patch pins the output CycloneDX format to avoid unwanted breaking changes. Signed-off-by: Bruno Pimentel <bpimente@redhat.com>
I'm pretty sure it's been producing with 1.5 format for a while. So much so that we hard-coded 1.5 as the expected schema version in EC. I think we need to update EC to accept either. Can you confirm?
While this is very odd, since apparently the 1.5 format was only adopted with this patch (which made its way into 0.99), I can confirm Syft 0.98 already outputs CycloneDX 1.5 🤯 The initial reason for this proposed change is that the CI is failing when upgrading to Syft >=0.99. But the real reason for it is that Syft changed the format to specify

Well, I think there's no point in reverting the CycloneDX version if updating Syft is not urgent right now. I'll close this PR, and the problem will be handled in hermetoproject/hermeto#452.

Newer versions of Syft may default to newer versions of CycloneDX (as observed in the recent 0.99.0 version). The problem is that the schema is bound to change between CycloneDX versions, which can bring breaking changes to the pipelines, especially to the scripts that merge different SBOMs.
This patch unblocks the update of Syft to >=0.99 (#722).
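The failure mode the description worries about, scripts that merge SBOMs breaking when an unpinned Syft starts emitting a different CycloneDX version, is easy to guard against at merge time. The following is an added example written for this page; it is not code from the konflux-ci build-definitions repository, from Syft, or from EC. It checks that every input document carries the expected `specVersion` before merging components, and refuses mixed inputs instead of producing a document whose schema version is ambiguous. The three SBOM documents are constructed samples, not real Syft output, and the `-o cyclonedx-json@1.4` format selector mentioned in the comments is assumed to be the Syft CLI form used for the pin.

```python
"""Guard a CycloneDX merge step against mixed specVersions.

Added example; not code from konflux-ci, Syft or EC. The SBOM
documents below are constructed samples, not real Syft output.
"""
import json

# Constructed sample of what a Syft run pinned to `-o cyclonedx-json@1.4`
# (assumed CLI syntax) would emit, reduced to the fields this check uses.
SBOM_14_A = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

SBOM_14_B = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.2.1",
         "purl": "pkg:pypi/urllib3@2.2.1"},
    ],
})

# Constructed sample of an unpinned newer Syft defaulting to 1.5.
SBOM_15 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "certifi", "version": "2024.2.2",
         "purl": "pkg:pypi/certifi@2024.2.2"},
    ],
})


class SpecVersionMismatch(ValueError):
    """Raised when an input SBOM does not use the pinned CycloneDX version."""


def spec_version(raw):
    """Return the specVersion of a CycloneDX JSON document."""
    doc = json.loads(raw)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc["specVersion"]


def check_spec_versions(raws, expected="1.4"):
    """Return the specVersions of all inputs; raise if any differs from expected."""
    versions = [spec_version(r) for r in raws]
    bad = sorted({v for v in versions if v != expected})
    if bad:
        raise SpecVersionMismatch(
            f"expected CycloneDX {expected}, found {bad}")
    return versions


def merge_components(raws, expected="1.4"):
    """Merge the components of SBOMs that all use the expected specVersion.

    Components are de-duplicated by purl (falling back to name/version);
    the first occurrence wins. The version check runs before any merging,
    so a stray 1.5 document fails the step instead of silently changing
    the schema of the merged output.
    """
    check_spec_versions(raws, expected)
    seen = {}
    for raw in raws:
        for comp in json.loads(raw).get("components", []):
            key = comp.get("purl") or (comp.get("name"), comp.get("version"))
            seen.setdefault(key, comp)
    return {"bomFormat": "CycloneDX", "specVersion": expected,
            "components": list(seen.values())}


if __name__ == "__main__":
    merged = merge_components([SBOM_14_A, SBOM_14_B])
    print(len(merged["components"]), "components merged")
    try:
        merge_components([SBOM_14_A, SBOM_15])
    except SpecVersionMismatch as exc:
        print("refused:", exc)
```

Pinning the Syft output format and checking `specVersion` at merge time are complementary: the pin keeps the producer stable, and the check makes a drift in any producer (Syft or another tool feeding the same merge) fail loudly in CI rather than in a downstream consumer such as EC.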