Add augmentation provider plugin architecture with lifecycle phase support #99
vpetersson merged 4 commits into master.
Refactor SBOM augmentation to use a plugin-based architecture supporting multiple metadata sources with priority-based merging:

- JSON config file (sbomify.json) - priority 10, local config
- sbomify API - priority 50, backend metadata

This enables standalone augmentation without a sbomify account by placing a sbomify.json config file in the project root.

Add lifecycle_phase field support for CISA 2025 Generation Context:

- CycloneDX 1.5+: metadata.lifecycles[].phase
- CycloneDX 1.3/1.4: skipped (not supported in schema)
- SPDX: creationInfo.creatorComment

Update test_schema_compliance.py with version-specific lifecycle assertions to verify correct handling across all supported CycloneDX (1.3-1.7) and SPDX (2.2-2.3) versions.
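As an added illustration (not the project's own code; every class and function name here is hypothetical), the sketch below shows the two mechanisms the description relies on: priority-based merging across providers, and writing lifecycle_phase only where the target schema has a slot for it. It assumes the CycloneDX 1.5 lifecycle phase vocabulary and an assumed wording for the SPDX creatorComment text.

```python
# Added example, not sbomify-action code. Names and the creatorComment
# wording are assumptions; the phase list is CycloneDX 1.5's enumeration.
from dataclasses import dataclass, fields
from typing import Optional

CDX_PHASES = {"design", "pre-build", "build", "post-build",
              "operations", "discovery", "decommission"}


@dataclass
class AugmentationMetadata:
    """Normalized result one provider contributes (hypothetical shape)."""
    supplier: Optional[dict] = None
    lifecycle_phase: Optional[str] = None


def merge_metadata(providers):
    """providers: [(priority, AugmentationMetadata), ...].

    Apply lowest priority first so a higher-priority source overrides a
    field it sets, while fields it leaves unset keep the lower value.
    """
    merged = AugmentationMetadata()
    for _priority, data in sorted(providers, key=lambda p: p[0]):
        for f in fields(AugmentationMetadata):
            value = getattr(data, f.name)
            if value is not None:
                setattr(merged, f.name, value)
    return merged


def apply_lifecycle_phase(sbom: dict, phase: str) -> dict:
    """Place the phase per format/version; returns the (mutated) SBOM."""
    if phase not in CDX_PHASES:
        raise ValueError(f"unknown lifecycle phase: {phase!r}")
    if sbom.get("bomFormat") == "CycloneDX":
        major, minor = (int(x) for x in sbom["specVersion"].split("."))
        if (major, minor) < (1, 5):
            return sbom  # metadata.lifecycles only exists from 1.5: skip
        lifecycles = sbom.setdefault("metadata", {}).setdefault("lifecycles", [])
        if not any(lc.get("phase") == phase for lc in lifecycles):
            lifecycles.append({"phase": phase})
    elif sbom.get("spdxVersion", "").startswith("SPDX-"):
        # SPDX has no structured slot; free-text creatorComment (assumed wording)
        sbom.setdefault("creationInfo", {})["creatorComment"] = f"Lifecycle phase: {phase}"
    return sbom
```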
Pull request overview
This PR refactors SBOM augmentation to use a plugin architecture supporting multiple metadata sources with priority-based merging, enabling standalone augmentation without a sbomify account. It adds support for the CISA 2025 Generation Context requirement through lifecycle phase fields across CycloneDX 1.5+ and SPDX formats.
Changes:
- Introduced plugin architecture with JSON config (priority 10) and sbomify API (priority 50) providers
- Added lifecycle_phase field support with version-specific handling (CycloneDX 1.5+ and SPDX)
- Updated tests to validate lifecycle phase handling across all supported SBOM versions
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tests/test_schema_compliance.py | Added lifecycle phase validation for CycloneDX 1.3-1.7 and SPDX 2.2-2.3 |
| tests/test_ntia_compliance.py | Added documentation references and lifecycle phase augmentation tests |
| tests/test_container_sbom_ntia_compliance.py | Added compliance documentation references |
| tests/test_augmentation_providers.py | New tests for augmentation provider plugin architecture |
| tests/test_augmentation_module.py | Updated to use new provider-based metadata fetching |
| sbomify_action/enrichment.py | Added NTIA and CISA compliance documentation |
| sbomify_action/augmentation.py | Refactored to use plugin architecture and added lifecycle phase support |
| sbomify_action/_enrichment/sources/purl.py | Added documentation for NTIA compliance |
| sbomify_action/_enrichment/enricher.py | Added documentation for NTIA compliance |
| sbomify_action/_augmentation/registry.py | New provider registry for managing augmentation plugins |
| sbomify_action/_augmentation/providers/sbomify_api.py | New sbomify API provider implementation |
| sbomify_action/_augmentation/providers/json_config.py | New JSON config file provider implementation |
| sbomify_action/_augmentation/providers/__init__.py | Provider module exports |
| sbomify_action/_augmentation/protocol.py | Protocol definition for augmentation providers |
| sbomify_action/_augmentation/metadata.py | Dataclass for normalized augmentation metadata |
| sbomify_action/_augmentation/__init__.py | Augmentation plugin architecture exports |
| docs/ntia_comparison.md | Updated documentation with CISA 2025 fields and schema mappings |
| README.md | Added documentation for standalone augmentation and config file format |
Update test mocks from removed fetch_backend_metadata function to use the new SbomifyApiProvider via requests.get patching.

- test_api_endpoint_audit.py: Use SbomifyApiProvider directly
- test_container_sbom_ntia_compliance.py: Update 3 mock patches
Pull request overview
Copilot reviewed 19 out of 19 changed files in this pull request and generated 2 comments.
- README.md: Correct SPDX field name to creationInfo.creatorComment
- json_config.py: Fix docstring example field name from contact to contacts