Fix SBOM SPDX references #22468
Open
MikeMcQuaid wants to merge 1 commit into
- Ensure SBOM relationships point at SPDX IDs emitted in the document - Preserve API patch metadata so patch relationships survive API loads - Cover patch packages and API-loaded patch regression cases
Contributor
Pull request overview
This PR fixes Homebrew’s SPDX SBOM output to ensure all relationship references point to SPDX IDs that actually exist in the document, and restores patch metadata when formulae are loaded from the API so patch-related SBOM entries aren’t lost.
Changes:
- Fix SBOM relationship targets to reference emitted SPDX package/file IDs (e.g., source archive vs. bottle, archive vs. non-existent package-src IDs).
- Emit external patches as SPDX packages (with download location and checksum) and add a source-archive file entry when a checksum is available.
- Preserve and reload stable patch metadata through the API formula struct path, with regression tests for API-loaded patches.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| Library/Homebrew/sbom.rb | Align relationship IDs with emitted packages/files; add patch packages and optional source file entry; centralize “described” package ID logic. |
| Library/Homebrew/formulary.rb | Rehydrate stable patches when instantiating formulae from API structs. |
| Library/Homebrew/api/formula/formula_struct_generator.rb | Preserve stable patch metadata (stable_patches) when generating the formula struct hash. |
| Library/Homebrew/api/formula_struct.rb | Add stable_patches field to the API formula struct. |
| Library/Homebrew/test/sbom_spec.rb | Add tests ensuring relationships reference defined SPDX IDs and that external patches are emitted as packages. |
| Library/Homebrew/test/formulary_spec.rb | Add regression test asserting patches load from API JSON. |
| Library/Homebrew/test/api/formula/formula_struct_generator_spec.rb | Add test ensuring stable patches are preserved in generated struct hashes. |
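A self-contained check for the class of bug described above (relationship entries that point at SPDX IDs the document never defines), written as an added Ruby example for this page rather than code from Homebrew's sbom.rb; the sample SPDX document and its IDs are constructed.

```ruby
require "json"
require "set"

# Constructed sample SPDX 2.3 JSON document (not Homebrew output): the GENERATED_FROM
# relationship targets "SPDXRef-Package-foo-src", an ID that is never emitted.
SAMPLE_SBOM = <<~JSON
  {
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.3",
    "packages": [
      { "SPDXID": "SPDXRef-Package-foo", "name": "foo" },
      { "SPDXID": "SPDXRef-Package-foo-bottle", "name": "foo-bottle" }
    ],
    "files": [
      { "SPDXID": "SPDXRef-File-foo-archive", "fileName": "foo-1.0.tar.gz" }
    ],
    "relationships": [
      { "spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
        "relatedSpdxElement": "SPDXRef-Package-foo" },
      { "spdxElementId": "SPDXRef-Package-foo", "relationshipType": "GENERATED_FROM",
        "relatedSpdxElement": "SPDXRef-Package-foo-src" },
      { "spdxElementId": "SPDXRef-Package-foo", "relationshipType": "CONTAINS",
        "relatedSpdxElement": "SPDXRef-File-foo-archive" }
    ]
  }
JSON

# Collect every SPDXID the document actually defines: the document element itself,
# each entry under "packages" and each entry under "files".
def defined_spdx_ids(doc)
  ids = [doc["SPDXID"]]
  ids.concat(doc.fetch("packages", []).map { |p| p["SPDXID"] })
  ids.concat(doc.fetch("files", []).map { |f| f["SPDXID"] })
  ids.compact.to_set
end

# Return the relationships whose source or target is not defined in the document.
# NOASSERTION and NONE are valid relationship targets in SPDX 2.3 and are accepted.
def dangling_relationships(json)
  doc = JSON.parse(json)
  known = defined_spdx_ids(doc)
  doc.fetch("relationships", []).reject do |rel|
    [rel["spdxElementId"], rel["relatedSpdxElement"]].all? do |id|
      known.include?(id) || %w[NOASSERTION NONE].include?(id)
    end
  end
end
```

Calling `dangling_relationships(SAMPLE_SBOM)` returns only the GENERATED_FROM entry, because `SPDXRef-Package-foo-src` is never emitted; once that target is replaced with an ID the document defines, the result is empty.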
Code Coverage Overview (Ruby / code-coverage/simplecov): the overall coverage in the branch remains at 78%, unchanged from the branch.
Fixes #22467
`brew lgtm` (style, typechecking and tests) with your changes locally?
OpenAI Codex 5.5 xhigh with local review and testing.