fix: update PURL version when COMPONENT_VERSION is set#108
vpetersson merged 2 commits into master from
When COMPONENT_VERSION is used to override the root component version, the PURL was not being updated, leaving an inconsistency between component.version and component.purl.

Changes:
- Add _update_component_purl_version() helper for CycloneDX components
- Add _update_spdx_package_purl_version() helper for SPDX packages
- Update augment_cyclonedx_sbom() and augment_spdx_sbom() to sync PURL
- Fix broken SPDX version override in _apply_sbom_version_override() that was incorrectly trying to set metadata.component.version (SPDX uses packages[0].versionInfo instead)

The SPDX fix addresses a bug where the version override path was manipulating a non-existent JSON structure, causing version overrides to silently fail for SPDX SBOMs.
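A stand-alone illustration of the sync the description calls for, written here as added example code rather than sbomify's own helpers: `set_purl_version`, `sync_cyclonedx_version` and `sync_spdx_version` are hypothetical names, and the two sample documents are constructed. It also covers PURLs that carry qualifiers or a subpath, and an SPDX document with no packages, where the override fails loudly instead of silently.

```python
# Added example, not sbomify's own code: helper names are hypothetical and the
# sample documents are constructed. CycloneDX keeps the root component in
# metadata.component; SPDX keeps it in packages[0] with the PURL in an
# externalRefs entry whose referenceType is "purl".
import copy

CYCLONEDX = {"bomFormat": "CycloneDX", "specVersion": "1.5", "metadata": {"component": {
    "name": "demo-app", "version": "1.0.0",
    "purl": "pkg:pypi/demo-app@1.0.0?vcs_url=git%2Bhttps://example.invalid/demo"}}}
SPDX = {"spdxVersion": "SPDX-2.3", "packages": [{"name": "demo-app", "versionInfo": "1.0.0",
    "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                      "referenceLocator": "pkg:pypi/demo-app@1.0.0"}]}]}

def set_purl_version(purl: str, version: str) -> str:
    """Return purl with its version replaced, or added if it had none.

    Layout: pkg:type/namespace/name@version?qualifiers#subpath. '@' inside
    namespace or name is percent-encoded, so after splitting off qualifiers
    and subpath, the last '@' after the final '/' is the version separator.
    """
    core, hash_sep, subpath = purl.partition("#")
    core, q_sep, qualifiers = core.partition("?")
    at = core.rfind("@")
    if at > core.rfind("/"):
        core = core[:at]
    return f"{core}@{version}{q_sep}{qualifiers}{hash_sep}{subpath}"

def sync_cyclonedx_version(sbom: dict, version: str) -> dict:
    """Apply the override to metadata.component and keep its purl in step."""
    sbom = copy.deepcopy(sbom)  # never mutate the caller's document
    component = sbom.setdefault("metadata", {}).setdefault("component", {})
    component["version"] = version
    if "purl" in component:
        component["purl"] = set_purl_version(component["purl"], version)
    return sbom

def sync_spdx_version(sbom: dict, version: str) -> dict:
    """SPDX has no metadata.component: override packages[0].versionInfo and
    each purl externalRef of that package, failing loudly if packages is empty
    rather than silently writing to a path the format does not have."""
    sbom = copy.deepcopy(sbom)
    if not sbom.get("packages"):
        raise ValueError("SPDX document has no packages[0] to override")
    root = sbom["packages"][0]
    root["versionInfo"] = version
    for ref in root.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            ref["referenceLocator"] = set_purl_version(ref["referenceLocator"], version)
    return sbom
```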
Pull request overview
This PR fixes an inconsistency where the PURL version was not being updated when COMPONENT_VERSION overrides the root component version, and fixes a broken SPDX version override that was manipulating non-existent JSON structure.
Changes:
- Added helper functions to update PURL versions in both CycloneDX and SPDX formats
- Fixed broken SPDX version override to use correct JSON path (`packages[0].versionInfo` instead of `metadata.component.version`)
- Updated augmentation functions to synchronize PURL versions when component version is overridden
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tests/test_augmentation_module.py | Adds comprehensive test coverage for PURL version updates in both CycloneDX and SPDX formats |
| sbomify_action/cli/main.py | Adds PURL update logic and fixes SPDX version override to use correct JSON structure |
| sbomify_action/augmentation.py | Adds helper functions for updating component PURL versions and integrates them into augmentation flow |