Attach hasSBOM nodes to artifacts instead of packages #1883
Force-pushed from 21544b4 to e7823f0
Force-pushed from e7823f0 to 2ffed5a
LGTM
Force-pushed from 738c086 to b9d9f9b
Edit: after some discussion with Parth I reworked the PR and force pushed, replacing the last two commits with 6fbda04. Things should look better now and the comment that used to be here can now be ignored.
Force-pushed from b1dcb2e to 6fbda04
LGTM
Thanks for picking this up @nchelluri! A few comments
Thanks for the review Marco; I think your suggestions will improve the PR, and I aim to have them implemented over the next little while. I will re-request your review at that point.
Force-pushed from 6fbda04 to e880067
- If possible (i.e. a digest is available for the subject of an SBOM), hasSBOM nodes will be attached to artifacts now, not packages.
- Also removed some unneeded parser map accessor funcs, and added a slice utility func used in this branch.
Signed-off-by: Narsimham Chelluri (Narsa) <narsa@kusari.dev>
- In this PR I introduced a bug where files in the SBOM were not promoted to top-level Document file artifacts and packages even if there was a relationship that indicated they were such. I fixed that here.
Signed-off-by: Narsimham Chelluri (Narsa) <narsa@kusari.dev>
- We pass it into both callers instead of calling it in each one.
- Also rename the function since:
  1. It is not just getting package SPDXIDs anymore.
  2. We want to comply with https://go.dev/wiki/CodeReviewComments#initialisms
Signed-off-by: Narsimham Chelluri (Narsa) <narsa@kusari.dev>
- We don't actually need maps for this as we only ever access the key SPDXRef-DOCUMENT within those maps.
- So make them slices. And we need just one slice for top-level artifacts, be they from packages or files.
- This makes it possible to delete the slice concat utility func as well.
Signed-off-by: Narsimham Chelluri (Narsa) <narsa@kusari.dev>
Force-pushed from e880067 to 2ae8795
@mdeicas can you take a look again please?
Force-pushed from c37ccff to bb49159
Force-pushed from bb49159 to a2bfc76
* Attach hasSBOM nodes to artifacts instead of packages
  - If possible (i.e. a digest is available for the subject of an SBOM), hasSBOM nodes will be attached to artifacts now, not packages.
  - Also removed some unneeded parser map accessor funcs, and added a slice utility func used in this branch.
* Fix top level artifacts not being added with the DOCUMENT key
* Update tests to cover new HasSBOM artifact behavior
* Fix SPDX file artifact parsing
  - In this PR I introduced a bug where files in the SBOM were not promoted to top-level Document file artifacts and packages even if there was a relationship that indicated they were such. I fixed that here.
* Call s.getTopLevelSPDXIDs() just once and store it
  - We pass it into both callers instead of calling it in each one.
  - Also rename the function since:
    1. It is not just getting package SPDXIDs anymore.
    2. We want to comply with https://go.dev/wiki/CodeReviewComments#initialisms
* Simplify collection of top-level components
  - We don't actually need maps for this as we only ever access the key SPDXRef-DOCUMENT within those maps.
  - So make them slices. And we need just one slice for top-level artifacts, be they from packages or files.
  - This makes it possible to delete the slice concat utility func as well.
* Make test a bit clearer
* Log if t-l art count differs from t-l pkg count
---------
Signed-off-by: Narsimham Chelluri (Narsa) <narsa@kusari.dev>
Signed-off-by: Soham Arora <arorasoham9@gmail.com>
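The squashed commit message above describes the rule the PR implements: find the elements an SPDX document DESCRIBES (packages and files alike, collected into one slice), and attach the hasSBOM node to a digest-identified artifact when a checksum is present, falling back to the package only when it is not. The Go program below is an added example of that rule written for this page; it is not GUAC's parser or its API. The SPDX 2.x JSON field names (`SPDXID`, `checksums`, `relationships`, `spdxElementId`, `relatedSpdxElement`, `relationshipType`) are real; the `HasSBOMSubject` type and the sample document are constructed for illustration. The point for a defender is in `subjectFor`: a name can be satisfied by any later build, whereas an `algorithm:digest` pins the SBOM to specific bytes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"strings"
)

// Only the slice of the SPDX 2.x JSON model this example needs.
type spdxChecksum struct {
	Algorithm     string `json:"algorithm"`
	ChecksumValue string `json:"checksumValue"`
}

// spdxElement serves for both packages (name) and files (fileName).
type spdxElement struct {
	SPDXID    string         `json:"SPDXID"`
	Name      string         `json:"name"`
	FileName  string         `json:"fileName"`
	Checksums []spdxChecksum `json:"checksums"`
}

type spdxRelationship struct {
	SPDXElementID      string `json:"spdxElementId"`
	RelatedSPDXElement string `json:"relatedSpdxElement"`
	RelationshipType   string `json:"relationshipType"`
}

type spdxDocument struct {
	Packages      []spdxElement      `json:"packages"`
	Files         []spdxElement      `json:"files"`
	Relationships []spdxRelationship `json:"relationships"`
}

// HasSBOMSubject is a hypothetical stand-in for what a hasSBOM node hangs off:
// exactly one of Artifact or Package is set.
type HasSBOMSubject struct {
	Artifact string // "algorithm:digest", content-addressed
	Package  string // a name only, not tied to specific bytes
}

const documentRef = "SPDXRef-DOCUMENT"

// topLevelSPDXIDs returns the elements the document DESCRIBES, in either
// relationship direction. A plain slice suffices: SPDXRef-DOCUMENT is the
// only key that would ever be looked up in a map.
func topLevelSPDXIDs(doc *spdxDocument) []string {
	var ids []string
	for _, r := range doc.Relationships {
		switch {
		case r.RelationshipType == "DESCRIBES" && r.SPDXElementID == documentRef:
			ids = append(ids, r.RelatedSPDXElement)
		case r.RelationshipType == "DESCRIBED_BY" && r.RelatedSPDXElement == documentRef:
			ids = append(ids, r.SPDXElementID)
		}
	}
	return ids
}

// subjectFor prefers the first usable checksum; only without one does the
// subject degrade to a mutable name.
func subjectFor(e spdxElement) HasSBOMSubject {
	for _, c := range e.Checksums {
		if c.Algorithm != "" && c.ChecksumValue != "" {
			return HasSBOMSubject{Artifact: strings.ToLower(c.Algorithm) + ":" + strings.ToLower(c.ChecksumValue)}
		}
	}
	name := e.Name
	if name == "" {
		name = e.FileName
	}
	return HasSBOMSubject{Package: name}
}

// HasSBOMSubjects parses an SPDX JSON document and returns one subject per
// top-level element, in relationship order. A DESCRIBES relationship that
// points at an element not present in the document is an error, not a skip.
func HasSBOMSubjects(raw []byte) ([]HasSBOMSubject, error) {
	var doc spdxDocument
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, fmt.Errorf("parse SPDX: %w", err)
	}
	byID := make(map[string]spdxElement, len(doc.Packages)+len(doc.Files))
	for _, p := range doc.Packages {
		byID[p.SPDXID] = p
	}
	for _, f := range doc.Files {
		byID[f.SPDXID] = f
	}
	var subjects []HasSBOMSubject
	for _, id := range topLevelSPDXIDs(&doc) {
		e, ok := byID[id]
		if !ok {
			return nil, fmt.Errorf("relationship refers to unknown element %q", id)
		}
		subjects = append(subjects, subjectFor(e))
	}
	return subjects, nil
}

// Constructed sample: two top-level elements carry digests (one package, one
// file), one package has none, and a fourth element is only CONTAINED.
const sampleSPDX = `{
  "packages": [
    {"SPDXID": "SPDXRef-app", "name": "example-app",
     "checksums": [{"algorithm": "SHA256", "checksumValue": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}]},
    {"SPDXID": "SPDXRef-nodigest", "name": "no-digest-pkg", "checksums": []},
    {"SPDXID": "SPDXRef-dep", "name": "some-dep"}
  ],
  "files": [
    {"SPDXID": "SPDXRef-File-bin", "fileName": "./bin/example",
     "checksums": [{"algorithm": "SHA1", "checksumValue": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}]}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-app", "relationshipType": "DESCRIBES"},
    {"spdxElementId": "SPDXRef-File-bin", "relatedSpdxElement": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBED_BY"},
    {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-nodigest", "relationshipType": "DESCRIBES"},
    {"spdxElementId": "SPDXRef-app", "relatedSpdxElement": "SPDXRef-dep", "relationshipType": "CONTAINS"}
  ]
}`

func main() {
	subjects, err := HasSBOMSubjects([]byte(sampleSPDX))
	if err != nil {
		log.Fatal(err)
	}
	artifacts := 0
	for _, s := range subjects {
		if s.Artifact != "" {
			artifacts++
		}
	}
	// Same idea as the "log if t-l art count differs from t-l pkg count" commit.
	if artifacts != len(subjects) {
		log.Printf("%d of %d top-level elements have no digest; their hasSBOM falls back to a name", len(subjects)-artifacts, len(subjects))
	}
	for _, s := range subjects {
		fmt.Printf("%+v\n", s)
	}
}
```

Running it yields two artifact subjects (`sha256:0123…`, `sha1:da39…`) and one package subject (`no-digest-pkg`), with a log line noting the mismatch; `some-dep` is not a subject because the document does not DESCRIBE it.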
Description of the PR
PR Checklist
- Commits are signed off using the -s flag to git commit.
- make generate has been run.
- If the collectsub protobuf has been changed, make proto has been run.