feat: expose sbom generation functionality #114

Merged
merged 28 commits into from
Jan 26, 2022

@nscuro nscuro commented Jan 8, 2022

This WIP PR aims to expose the core functionality of cyclonedx-gomod, so it can be used by other applications.
"Core functionality" referring to the three SBOM generation commands app, bin and mod.

Addresses #99, #108.

Tasks

  • Define public API
  • Migrate app logic
  • Migrate bin logic
  • Migrate mod logic
  • Ensure that there's Godoc for everything public
  • Figure out how to deal with internal functionality that uses the global zerolog logger.
    For a clean experience, everything should use the loggers passed to the Generator implementation's constructors,
    but that will require quite a bit of refactoring.
    • Refactored internal functions that log to accept a logger parameter. Feels dirty, but does the job for now.
  • Add a disclaimer somewhere that cyclonedx-gomod will not be investing in staying compatible with older Go versions.
    For example, we may adapt Go 1.18 features shortly after its GA.
  • Ensure tests continue to work across multiple platforms
    I don't want to continue dragging reproducible flags through the code, but it's also quite challenging to emulate static environments (wrt Go version, GOOS, GOARCH etc.). Maybe stripping some fields of the BOM before comparing it to its snapshot is the way to go here...

@nscuro nscuro added the enhancement New feature or request label Jan 8, 2022
@nscuro nscuro added this to the v1.2.0 milestone Jan 8, 2022
@nscuro nscuro changed the title Expose SBOM generation functionality feat: expose sbom generation functionality Jan 9, 2022
Signed-off-by: nscuro <nscuro@protonmail.com>
keep the e2e tests for testing the generation logic for now. we may change this in the future, but for now it'd cause too much refactoring work.

Signed-off-by: nscuro <nscuro@protonmail.com>
i know, i know... this test should be deterministic.

Signed-off-by: nscuro <nscuro@protonmail.com>
still need a solution to strip dynamic data from generated boms before comparing them to snapshots though

Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro nscuro marked this pull request as ready for review January 26, 2022 13:08
@nscuro nscuro merged commit bc4414e into main Jan 26, 2022
@nscuro nscuro deleted the issue-99 branch January 26, 2022 14:22
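
The last task in the PR description and the later commit message both raise stripping dynamic data from a generated BOM before comparing it to a snapshot. One way to do that is sketched below as an added example; it is not code from this PR or from cyclonedx-gomod. Treating `serialNumber`, `metadata.timestamp` and `metadata.tools` as the dynamic fields is an assumption, as are the `cdx:gomod:build:env:` property prefix and the function names.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

const envPropPrefix = "cdx:gomod:build:env:" // assumed property-name prefix (GOOS, GOARCH, ...)

// Constructed sample BOMs: same dependency, different run and platform.
const bomLinux = `{"bomFormat":"CycloneDX","serialNumber":"urn:uuid:00000000-0000-0000-0000-000000000001","metadata":{"timestamp":"2022-01-08T10:00:00Z","tools":[{"name":"cyclonedx-gomod","version":"v0.0.0-a"}],"component":{"name":"example.com/app","properties":[{"name":"cdx:gomod:build:env:GOOS","value":"linux"}]}},"components":[{"name":"example.com/lib","version":"v1.0.0"}]}`
const bomDarwin = `{"bomFormat":"CycloneDX","serialNumber":"urn:uuid:00000000-0000-0000-0000-000000000002","metadata":{"timestamp":"2022-01-26T13:08:00Z","tools":[{"name":"cyclonedx-gomod","version":"v0.0.0-b"}],"component":{"name":"example.com/app","properties":[{"name":"cdx:gomod:build:env:GOOS","value":"darwin"}]}},"components":[{"name":"example.com/lib","version":"v1.0.0"}]}`

// NormalizeBOM drops per-run and per-platform fields and re-encodes the BOM.
func NormalizeBOM(raw []byte) ([]byte, error) {
	var bom map[string]interface{}
	if err := json.Unmarshal(raw, &bom); err != nil {
		return nil, fmt.Errorf("decode bom: %w", err)
	}
	delete(bom, "serialNumber") // random per generation
	meta, _ := bom["metadata"].(map[string]interface{})
	delete(meta, "timestamp") // delete on a nil map is a no-op
	delete(meta, "tools")     // generator name, version, hashes
	comp, _ := meta["component"].(map[string]interface{})
	if props, ok := comp["properties"].([]interface{}); ok {
		kept := []interface{}{}
		for _, p := range props {
			m, _ := p.(map[string]interface{})
			if name, _ := m["name"].(string); !strings.HasPrefix(name, envPropPrefix) {
				kept = append(kept, p)
			}
		}
		comp["properties"] = kept
	}
	return json.MarshalIndent(bom, "", "  ") // map keys are emitted sorted
}

// SameBOM reports whether two BOMs are identical once normalized.
func SameBOM(a, b []byte) (bool, error) {
	na, errA := NormalizeBOM(a)
	nb, errB := NormalizeBOM(b)
	if errA != nil || errB != nil {
		return false, fmt.Errorf("normalize: a=%v b=%v", errA, errB)
	}
	return bytes.Equal(na, nb), nil
}

func main() { fmt.Println(SameBOM([]byte(bomLinux), []byte(bomDarwin))) }
```

Only the listed fields are ignored, so a changed component name or version still fails the snapshot comparison.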