
Feat syft sboms #68

Merged
merged 20 commits into from
Nov 28, 2023

Conversation

@vladklokun vladklokun commented Nov 13, 2023

PR Type:

Enhancement


PR Description:

This PR introduces changes to migrate from SPDX to Syft Software Bill of Materials (SBOMs). The main changes include:

  • Addition of new Syft types in the software composition API.
  • Generation of clientset, informers, and listers for the new types.
  • Creation of new strategies for SBOMSyft in the registry.
  • Update of the existing deepcopy functions to accommodate the new Syft types.
  • Bumping up of dependencies.

PR Main Files Walkthrough:

files:
  • pkg/apis/softwarecomposition/v1beta1/zz_generated.deepcopy.go: Updated the autogenerated deepcopy functions to include the new Syft types.
  • pkg/registry/softwarecomposition/sbomsyfts/strategy.go: Introduced a new strategy for SBOMSyft, including functions for object validation, preparation for create/update, and other necessary operations.
  • pkg/apis/softwarecomposition/v1beta1/syfttypes.go: Added new Syft types to the software composition API.
  • pkg/generated/clientset/versioned/typed/softwarecomposition/v1beta1/sbomsyft.go: Generated clientset for the new SBOMSyft type.
  • pkg/generated/listers/softwarecomposition/v1beta1/sbomsyft.go: Generated listers for the new SBOMSyft type.
  • pkg/generated/informers/externalversions/softwarecomposition/v1beta1/sbomsyft.go: Generated informers for the new SBOMSyft type.
  • pkg/apis/softwarecomposition/packagemetadata/packagemetadata.go: Updated the package metadata to accommodate the new Syft types.
  • pkg/registry/softwarecomposition/sbomsyfts/etcd.go: Added new functions to handle SBOMSyft objects in etcd storage.
  • pkg/apiserver/apiserver.go: Updated the API server to handle requests related to the new SBOMSyft type.
  • pkg/cmd/server/start.go: Updated the server start command to include the new SBOMSyft type.

User Description:

What does this PR change?

This PR adds Custom Resources needed to migrate from SPDX to Syft SBOMs.

@vladklokun vladklokun self-assigned this Nov 13, 2023
@codiumai-pr-agent codiumai-pr-agent bot added the enhancement New feature or request label Nov 13, 2023

PR Analysis

  • 🎯 Main theme: Migrating from SPDX to Syft Software Bill of Materials (SBOMs)
  • 📝 PR summary: This PR introduces changes to migrate from SPDX to Syft Software Bill of Materials (SBOMs). The changes include the addition of new Syft types in the software composition API, generation of clientset, informers, and listers for the new types, creation of new strategies for SBOMSyft in the registry, update of the existing deepcopy functions to accommodate the new Syft types, and bumping up of dependencies.
  • 📌 Type of PR: Enhancement
  • 🧪 Relevant tests added: No
  • ⏱️ Estimated effort to review [1-5]: 3, because the PR includes a significant amount of new code, including new types and functions, which requires a thorough review to ensure correctness and compatibility with existing code.
  • 🔒 Security concerns: No security concerns found

PR Feedback

  • 💡 General suggestions: The PR is well-structured and the changes are logically grouped. However, it would be beneficial to include tests that verify the new functionality, especially given the complexity of the changes. Additionally, it would be helpful to include more detailed comments in the code to explain the purpose and functionality of new types and functions.

  • 🤖 Code feedback:

    • relevant file: pkg/apis/softwarecomposition/v1beta1/syfttypes.go
      suggestion: Consider breaking down the large SyftDocument struct into smaller, more manageable structs. This can improve readability and maintainability of the code. [medium]
      relevant line: type SyftDocument struct {

    • relevant file: pkg/apis/softwarecomposition/v1beta1/syfttypes.go
      suggestion: The UnmarshalJSON function seems to be doing a lot of work and might be simplified by breaking it down into smaller functions. This can improve readability and testability of the code. [medium]
      relevant line: func (p *SyftPackage) UnmarshalJSON(b []byte) error {

    • relevant file: pkg/generated/listers/softwarecomposition/v1beta1/sbomsyft.go
      suggestion: The generated lister functions could benefit from error handling improvements. Currently, if an error occurs during the listing process, the function returns the error immediately. It might be more robust to continue processing the remaining items and return a list of all errors encountered. [medium]
      relevant line: func (s *sBOMSyftLister) List(selector labels.Selector) (ret []*v1beta1.SBOMSyft, err error) {

    • relevant file: pkg/apis/softwarecomposition/v1beta1/syfttypes.go
      suggestion: The unpackPkgMetadata function could be simplified by using a map of functions for each metadata type, instead of a switch statement. This can improve the readability and extensibility of the code. [medium]
      relevant line: func unpackPkgMetadata(p *SyftPackage, unpacker packageMetadataUnpacker) error {

How to use

To invoke the PR-Agent, add a comment using one of the following commands:
/review [-i]: Request a review of your Pull Request. For an incremental review, which only considers changes since the last review, include the '-i' option.
/describe: Modify the PR title and description based on the contents of the PR.
/improve [--extended]: Suggest improvements to the code in the PR. Extended mode makes several calls and provides more thorough feedback.
/ask <QUESTION>: Pose a question about the PR.
/update_changelog: Update the changelog based on the PR's contents.

To edit any configuration parameter from configuration.toml, add --config_path=new_value
For example: /review --pr_reviewer.extra_instructions="focus on the file: ..."
To list the possible configuration parameters, use the /config command.
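The PR-Agent suggestion above, a lookup table of unpackers keyed by metadata type in place of a switch, together with a narrower UnmarshalJSON, as an added Go example that is not part of this PR or the project's code. The type names, JSON field names, metadata kind strings and function signatures here are assumptions for illustration; the real `unpackPkgMetadata` and `packageMetadataUnpacker` in syfttypes.go have different shapes. Since an SBOM stored through this API server comes from a scanner run the server does not control, the example also makes the two checks a practitioner wants explicit: an unregistered metadata kind is an error rather than silently dropped metadata, and fields the target type does not declare are rejected.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the PR's Syft package types. Field names, the
// metadata kind strings and the function signatures are assumptions for this
// example, not the project's definitions.
type GolangBinMetadata struct {
	GoCompiledVersion string `json:"goCompiledVersion"`
	MainModule        string `json:"mainModule"`
}

type ApkMetadata struct {
	Package string `json:"package"`
	Version string `json:"version"`
}

type SyftPackage struct {
	Name         string `json:"name"`
	Version      string `json:"version"`
	MetadataType string `json:"metadataType"`
	Metadata     any    `json:"-"` // concrete type chosen by MetadataType
}

// packageMetadataUnpacker decodes the raw "metadata" object into one concrete type.
type packageMetadataUnpacker func(raw json.RawMessage) (any, error)

// typedUnpacker builds an unpacker for T that rejects fields T does not declare,
// so a malformed or tampered SBOM cannot carry unexpected keys past the parser.
func typedUnpacker[T any]() packageMetadataUnpacker {
	return func(raw json.RawMessage) (any, error) {
		var v T
		dec := json.NewDecoder(bytes.NewReader(raw))
		dec.DisallowUnknownFields()
		if err := dec.Decode(&v); err != nil {
			return nil, err
		}
		return v, nil
	}
}

// metadataUnpackers is the lookup table that replaces a switch on MetadataType:
// registering a new kind is one line and every kind is decoded the same way.
var metadataUnpackers = map[string]packageMetadataUnpacker{
	"GolangBinMetadata": typedUnpacker[GolangBinMetadata](),
	"ApkMetadata":       typedUnpacker[ApkMetadata](),
}

var ErrUnknownMetadataType = errors.New("unknown package metadata type")

// unpackPkgMetadata fills p.Metadata from raw using the table. An unregistered
// kind is reported as an error instead of being dropped on the floor.
func unpackPkgMetadata(p *SyftPackage, raw json.RawMessage) error {
	if p.MetadataType == "" && len(raw) == 0 {
		return nil // packages without metadata are legitimate
	}
	unpack, ok := metadataUnpackers[p.MetadataType]
	if !ok {
		return fmt.Errorf("%w: %q", ErrUnknownMetadataType, p.MetadataType)
	}
	md, err := unpack(raw)
	if err != nil {
		return fmt.Errorf("decode %s metadata for %q: %w", p.MetadataType, p.Name, err)
	}
	p.Metadata = md
	return nil
}

// UnmarshalJSON decodes only the common fields itself and hands the
// polymorphic "metadata" object to unpackPkgMetadata.
func (p *SyftPackage) UnmarshalJSON(b []byte) error {
	var aux struct {
		Name         string          `json:"name"`
		Version      string          `json:"version"`
		MetadataType string          `json:"metadataType"`
		Metadata     json.RawMessage `json:"metadata"`
	}
	if err := json.Unmarshal(b, &aux); err != nil {
		return err
	}
	p.Name, p.Version, p.MetadataType = aux.Name, aux.Version, aux.MetadataType
	return unpackPkgMetadata(p, aux.Metadata)
}

// ParsePackage is a small entry point so the behaviour can be exercised directly.
func ParsePackage(b []byte) (SyftPackage, error) {
	var p SyftPackage
	err := json.Unmarshal(b, &p)
	return p, err
}

// Constructed sample inputs, not taken from a real Syft document.
const SampleGoPackageJSON = `{"name":"app","version":"1.2.3","metadataType":"GolangBinMetadata",
 "metadata":{"goCompiledVersion":"go1.21.4","mainModule":"github.com/example/app"}}`

const SampleUnknownKindJSON = `{"name":"x","version":"0.1","metadataType":"NotARealKind","metadata":{"a":1}}`

func main() {
	for _, in := range []string{SampleGoPackageJSON, SampleUnknownKindJSON} {
		p, err := ParsePackage([]byte(in))
		fmt.Printf("%s %s -> metadata %T, err: %v\n", p.Name, p.Version, p.Metadata, err)
	}
}
```

The table also makes the set of accepted kinds easy to audit: the keys of `metadataUnpackers` are the complete list, which a switch spread over several cases does not give you at a glance.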

@vladklokun vladklokun left a comment

Make changes.

pkg/cmd/server/start.go
@@ -148,6 +148,13 @@ func (s *GeneratedNetworkPolicyStorage) Count(key string) (int64, error) {
return 0, storage.NewInvalidObjError(key, operationNotSupportedMsg)
}

// RequestWatchProgress fulfills the interface.Storage
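Review bot: the doc comment on the new method names the interface the wrong way round; the apiserver storage contract is the `Interface` type of package `storage`, so `// RequestWatchProgress fulfills the interface.Storage` should read `// RequestWatchProgress fulfills the storage.Interface`, consistent with the `storage.` qualifier already used by `storage.NewInvalidObjError` in the `Count` context lines above. The method body lies outside this hunk, so it is worth confirming in the full diff that it follows the same explicit `operationNotSupportedMsg` convention that `Count` uses rather than returning nil for an operation the backend does not implement.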
Suggested change
// RequestWatchProgress fulfills the interface.Storage
// RequestWatchProgress fulfills the storage.Interface

Fixed.


Summary:

  • License scan: failure
  • Credentials scan: success
  • Vulnerabilities scan: success
  • Unit test: success
  • Go linting: failure

Signed-off-by: Vlad Klokun <vklokun@protonmail.ch>

@vladklokun vladklokun merged commit cc7446e into main Nov 28, 2023
6 checks passed