
backpopulate supplier & set filesAnalyzed=false #1137

Merged
merged 5 commits into from
May 24, 2024

Commits on May 24, 2024

  1. spdx: rename expected.spdx.json ahead of more tests

    Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
    xnox committed May 24, 2024 (80a73b1)
  2. spdx: Add test case of merging pkg SBOM without supplier

    Image SBOM should contain supplier and originator for every package,
    when package SBOM does not have one, expect one based on the image
    layer supplier.
    
    Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
    xnox committed May 24, 2024 (d952ba1)
  3. spdx: backpopulate supplier & originator for packages

    This way the image SBOM is correct, without rebuilding package SBOMs.
    
    Note some packages have neither originator nor supplier, some have
    originator without supplier. Hence set originator first, then copy it
    to supplier.
    
    Also update golden test data for affected integration tests.
    
    Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
    xnox committed May 24, 2024 (7df43d4)
  4. spdx: fixup filesAnalyzed setting

    The current implementation strips filesAnalyzed from individual package
    SBOMs upon aggregation into the image SBOM. When doing so, update the package
    stanza to say filesAnalyzed=false, as indeed FileRefs are missing.
    
    Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
    xnox committed May 24, 2024 (8231da0)
  5. spdx: fixup PackageVerificationCode setting

    The current implementation strips filesAnalyzed from individual package
    SBOMs upon aggregation into the image SBOM. When doing so, omit
    PackageVerificationCode, as without files there cannot be a verification
    code (it is defined as an ordered hash of files). Also observe that newly
    generated packages without files do not have a VerificationCode.
    
    As a pleasant side-effect this removes SHA1 from arch-specific package
    manifest and makes it year 2030 safe.
    
    Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
    xnox committed May 24, 2024 (4690135)
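As an added illustration of the merge rules these five commits describe (this is not the project's own code), the following Python adjusts SPDX package stanzas for aggregation into an image SBOM and re-checks the result; the sample stanzas, the `LAYER_SUPPLIER` value and the function names are constructed assumptions.

```python
import copy

# Constructed sample: package stanzas covering the cases the commits describe
# (neither originator nor supplier; originator only; both present).
LAYER_SUPPLIER = "Organization: Example Layer Supplier"  # assumed value

SAMPLE_PACKAGES = [
    {"SPDXID": "SPDXRef-Package-a", "name": "pkg-a", "filesAnalyzed": True,
     "hasFiles": ["SPDXRef-File-1"],
     "packageVerificationCode": {"packageVerificationCodeValue": "0" * 40}},
    {"SPDXID": "SPDXRef-Package-b", "name": "pkg-b",
     "originator": "Person: Upstream Author"},
    {"SPDXID": "SPDXRef-Package-c", "name": "pkg-c",
     "originator": "Person: Alice", "supplier": "Organization: ACME"},
]


def backpopulate_package(pkg: dict, layer_supplier: str) -> dict:
    """Return a copy of pkg adjusted for aggregation into an image SBOM."""
    out = copy.deepcopy(pkg)
    # 1. Originator first: fall back to the image layer's supplier.
    out.setdefault("originator", layer_supplier)
    # 2. Then supplier: copy the (possibly just set) originator when absent.
    out.setdefault("supplier", out["originator"])
    # 3. File references are stripped on aggregation, so filesAnalyzed must be false...
    out.pop("hasFiles", None)
    out["filesAnalyzed"] = False
    # 4. ...and a verification code (an ordered hash over files) is meaningless without them.
    out.pop("packageVerificationCode", None)
    return out


def check_image_package(pkg: dict) -> list:
    """Consistency checks a reviewer can run over merged image SBOM package stanzas."""
    problems = []
    for field in ("supplier", "originator"):
        if not pkg.get(field):
            problems.append(f"{pkg['SPDXID']}: missing {field}")
    # SPDX treats an absent filesAnalyzed as true, hence the default here.
    if pkg.get("filesAnalyzed", True) and "hasFiles" not in pkg:
        problems.append(f"{pkg['SPDXID']}: filesAnalyzed=true but no hasFiles")
    if not pkg.get("filesAnalyzed", True) and "packageVerificationCode" in pkg:
        problems.append(f"{pkg['SPDXID']}: verification code with filesAnalyzed=false")
    return problems


def merge_packages(pkgs: list, layer_supplier: str) -> list:
    """Apply the backpopulation rules to every package stanza of a package SBOM."""
    return [backpopulate_package(p, layer_supplier) for p in pkgs]
```

Running `check_image_package` over the unmerged stanzas flags the missing supplier and originator fields; after `merge_packages` every stanza passes.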