Skip to content

added verification for dockerfile and spdx detector, minor bug fixes#322

Merged
RushabhBhansali merged 3 commits into
mainfrom
user/rbhansali/dockerfile-detection-verificationtest
Oct 24, 2022
Merged

added verification for dockerfile and spdx detector, minor bug fixes#322
RushabhBhansali merged 3 commits into
mainfrom
user/rbhansali/dockerfile-detection-verificationtest

Conversation

@RushabhBhansali
Copy link
Copy Markdown
Contributor

@RushabhBhansali RushabhBhansali commented Oct 21, 2022
edited
Loading

  • Enabled verification tests for DockerReference and SPDX22SBOM detectors
  • minor bug fix in DockerRefernce detection that detected Repository kind as canonical.
  • bug fix in de-serialization of "spdx" component during verification tests.

Note: verification tests are expected to fail because new detectors are enabled in this PR.

@RushabhBhansali RushabhBhansali force-pushed the user/rbhansali/dockerfile-detection-verificationtest branch from 2fb66d5 to dcf9df8 Compare October 21, 2022 17:07
RushabhBhansali
RushabhBhansali commented Oct 21, 2022
View reviewed changes
Comment thread src/Microsoft.ComponentDetection.Contracts/DockerReference.cs
@RushabhBhansali RushabhBhansali marked this pull request as ready for review October 21, 2022 17:12
@RushabhBhansali RushabhBhansali requested a review from a team as a code owner October 21, 2022 17:12
@RushabhBhansali RushabhBhansali requested a review from cobya October 21, 2022 17:12
@RushabhBhansali RushabhBhansali enabled auto-merge (squash) October 21, 2022 17:12
@JamieMagee
Copy link
Copy Markdown
Member

JamieMagee commented Oct 21, 2022

Two points:

It looks like the serialization of SPDX components is wrong. They're all serialized as

Expected foundComponent to be true because The component for SPDX22SBOM--- was not present in the old manifest file. Verify this is expected behavior before proceeding, but found False.

I'd expect a name and version in the output.

Secondly, I'd rather some more targeted Dockerfiles to test with i.e. testing each different reference type, testing AS statements, testing variable resolutions.

FROM ubuntu AS base

FROM base

or

ARG tag
FROM ubuntu:${tag} as base

FROM base

@RushabhBhansali
Copy link
Copy Markdown
Contributor Author

RushabhBhansali commented Oct 24, 2022
edited
Loading

It looks like the serialization of SPDX components is wrong. They're all serialized as

Expected foundComponent to be true because The component for SPDX22SBOM--- was not present in the old manifest file. Verify this is expected behavior before proceeding, but found False.

I'd expect a name and version in the output.

Fixed it by addiing setter in SpdxComponent class.

@RushabhBhansali
Copy link
Copy Markdown
Contributor Author

RushabhBhansali commented Oct 24, 2022
edited
Loading

Secondly, I'd rather some more targeted Dockerfiles to test with i.e. testing each different reference type, testing AS statements, testing variable resolutions.

I have covered Canonical = 0, Tagged = 2, Dual = 3, Digest = 4, in the existing examples in the PR. Only Respository = 1 is not reproducible because if I don't provide domain in the dockerfile, code deafults it to docker.io/ and its identified as canonical.

added python,dockerfile to identify

FROM ubuntu AS base

FROM base

pattern.

@RushabhBhansali RushabhBhansali merged commit e90745d into main Oct 24, 2022
@RushabhBhansali RushabhBhansali deleted the user/rbhansali/dockerfile-detection-verificationtest branch October 24, 2022 16:13
daniel-akili pushed a commit that referenced this pull request Oct 26, 2022
@RushabhBhansali
added verification for dockerfile and spdx detector, minor bug fixes (#…
87fe38a 
…322)
daniel-akili added a commit that referenced this pull request Oct 26, 2022
@daniel-akili @RushabhBhansali
@renovate @cobya
fix: IDE0052, IDE0055, IDE0057 (#330)
414f1b8 
* fix: IDE0052, IDE0055

* fix: IDE0057

* added verification for dockerfile and spdx detector, minor bug fixes (#322)

* chore(deps): update dependency fluentassertions to v6.8.0 (#324)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* chore(deps): update dependency microsoft.visualstudio.threading.analyzers to v17.3.48 (#323)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* remove linux-container detection stage (#327)

* resolved local merge conflicts

* Add new exclusions to .editorconfig (#328)

Add the IDE0053, IDE0200, CA1311, CA1852, and CA1854 exlcusions to .editorconfig to avoid build breaks.

* Add IDE0052 to warning exclusion (#329)

Add IDE0052 to warning exclusion

* resolved PR build failures

Co-authored-by: Daniel Akili <danielakili@microsoft.com>
Co-authored-by: Rushabh <rbhansali@microsoft.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Coby Allred <cobyallred@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JamieMagee JamieMagee JamieMagee approved these changes

@cobya cobya Awaiting requested review from cobya cobya is a code owner automatically assigned from microsoft/ose-component-detection-maintainers

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@RushabhBhansali @JamieMagee