Support ABOUT files for code that is patched or vendored #740

Closed
pombredanne opened this issue May 18, 2023 · 3 comments
@pombredanne
Member
pombredanne commented May 18, 2023

We should likely consider ABOUT files as "curations" for packages and they may likely override other scans/manifest data collection.
Here is a design:

Using ABOUT files for overrides and curations

Say I have reviewed and curated the origin and license of this JAR
https://repo1.maven.org/maven2/log4j/log4j/1.2.13/log4j-1.2.13.jar

This is stored in an ABOUT file and license file this way, side by side:

  • apache-2.0.LICENSE
  • log4j.NOTICE
  • log4j-1.2.13.jar.ABOUT

The ABOUT file has this content:

about_resource: log4j-1.2.13.jar
name: log4j
version: 1.2.13
download_url: https://repo1.maven.org/maven2/log4j/log4j/1.2.13/log4j-1.2.13.jar
package_url: pkg:maven/log4j/log4j@1.2.13
license_expression: apache-2.0
notice_file: log4j.NOTICE
licenses:
  - key: apache-2.0
    name: Apache License 2.0
    file: apache-2.0.LICENSE

These could live anywhere in the codebase inputs, typically in the FROM in a d2d pipeline for a start, but they could be in the TO or added as an extra input.

I would like that:

  • the package with this ABOUT file is added to the project packages
  • any "log4j-1.2.13.jar" present in the "TO" side in a d2d is mapped to this ABOUT file and being for this package (including any extracts)
  • no more matching, mapping or scanning should take place and the involved resources should be marked with a status that tells they have been processed
@pombredanne pombredanne self-assigned this May 18, 2023
@tdruez tdruez assigned tdruez and unassigned pombredanne Jun 8, 2023
@tdruez
Member
tdruez commented Jun 8, 2023

the package with this ABOUT file is added to the project packages

In that example, about_resource: log4j-1.2.13.jar, the log4j-1.2.13.jar does not exist in the from/ side, right?
And only the .LICENSE, .NOTICE, and .ABOUT files are expected to be available in from/?

any "log4j-1.2.13.jar" present in the "TO" side in a d2d is mapped to this ABOUT file and being for this package (including any extracts)

What value are we using to map, the about_resource exact filename?

the package with this ABOUT file is added to the project packages

Do we want to create the DiscoveredPackage even if no about_resource instances were found on the to/ side?

@pombredanne
Member Author
the package with this ABOUT file is added to the project packages

In that example, about_resource: log4j-1.2.13.jar, the log4j-1.2.13.jar does not exist in the from/ side, right? And only the .LICENSE, .NOTICE, and .ABOUT files are expected to be available in from/?

This is correct. If it existed on the from/ side we can decide later what to do.

any "log4j-1.2.13.jar" present in the "TO" side in a d2d is mapped to this ABOUT file and being for this package (including any extracts)

What value are we using to map, the about_resource exact filename?

For a start, yes, we are mapping on the exact filename. We may extend this later if this is not good enough (maybe using a path pattern).

the package with this ABOUT file is added to the project packages

Do we want to create the DiscoveredPackage even if no about_resource instances were found on the to/ side?

No we do not want to create the DiscoveredPackage in this case.
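The mapping rules agreed in this thread, as an added illustration that is not scancode.io's own code: parse the top-level fields of the ABOUT file shown in the issue, map "to/" resources by exact about_resource filename (plus anything under an extracted copy of a match, assuming the "<name>-extract" directory convention), mark matched resources with a hypothetical status so no further matching or scanning runs on them, and create the package only when at least one match exists.

```python
# Constructed copy of the ABOUT file from the issue above.
ABOUT_TEXT = """\
about_resource: log4j-1.2.13.jar
name: log4j
version: 1.2.13
download_url: https://repo1.maven.org/maven2/log4j/log4j/1.2.13/log4j-1.2.13.jar
package_url: pkg:maven/log4j/log4j@1.2.13
license_expression: apache-2.0
notice_file: log4j.NOTICE
licenses:
  - key: apache-2.0
    name: Apache License 2.0
    file: apache-2.0.LICENSE
"""

# Constructed "to/" side paths; the "-extract" suffix for extracted archive
# contents is an assumption about the directory layout.
TO_PATHS = [
    "to/app/lib/log4j-1.2.13.jar",
    "to/app/lib/log4j-1.2.13.jar-extract/org/apache/log4j/Logger.class",
    "to/app/lib/commons-io-2.11.jar",
]

MAPPED_STATUS = "about-file-mapped"  # hypothetical status value


def parse_about(text):
    """Return the top-level scalar fields of an ABOUT file as a dict.
    Nested blocks such as the "licenses" list are skipped on purpose."""
    fields = {}
    for line in text.splitlines():
        if not line or line.startswith((" ", "\t")):
            continue  # blank or indented (nested) line
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def apply_about_curation(about_text, to_paths):
    """Return (package_or_None, {path: status}) per the thread's rules."""
    about = parse_about(about_text)
    target = about["about_resource"]
    statuses, matched = {}, []
    for path in to_paths:
        parts = path.split("/")
        if parts[-1] == target or (target + "-extract") in parts:
            statuses[path] = MAPPED_STATUS
            matched.append(path)
    if not matched:
        return None, statuses  # no package when no about_resource was found
    package = {k: about.get(k) for k in ("name", "version", "package_url", "license_expression")}
    package["resources"] = matched
    return package, statuses
```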

@tdruez
Member
tdruez commented Jun 9, 2023

Implemented in #778

@tdruez tdruez closed this as completed Jun 12, 2023