fix: properly output and read the filesAnalyzed field in JSON/YAML #210
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Keith Zantow <kzantow@gmail.com>
lumjjb
reviewed
May 9, 2023
| @@ -71,6 +71,11 @@ func TestLoad(t *testing.T) { | |||
| func Test_Write(t *testing.T) { | |||
| want := example.Copy() | |||
|
|
|||
| // we always output FilesAnalyzed, even though we handle reading files where it is omitted | |||
There was a problem hiding this comment.
the weird part of filesAnalyzed is that if it is omitted technically the correct value is "true" but really no one does it this way... which is kind of cringe, because the intention is usually filesAnalyzed=false... if we actually did a validation check when reading, likely >90% of SPDX documents will fail since they assume omission is default false based on the programming language defaults, and thus they don't include VerificationCode which technically is required if filesAnalyzed=true.
I see trade offs both ways, but since we do require user to signify their intention and the use of the library is not asking users to provide a mandatory field, a golang user will think that it defaults to false. My thought is to perhaps maybe flip the IsFilesAnalyzedTagPresent to IsFilesAnalyzedTagOmitted, or make the default value to true... i don't quite want to break the interface. This may create a experience a bit more aligned with golang
This however, doesn't fix the issue of all the input SBOMs having their filesAnalyzed intent misinterpreted, which technically isn't an issue for the library... but i think it will break enough of the ecosystem that we have to consider it.
There was a problem hiding this comment.
i thought about it a bit more... maybe what we can do is that during reading, is that if we see no VerificationCode we can set filesAnalyzed=false.. wdyt @kzantow ?
There was a problem hiding this comment.
the more i look into this, the worse it gets... since filesAnalyzed=false is also an indication that a package doesn't contain any files, this messes things up..
I think my new thoughts around this is to just output it IsFilesAnalyzedTagPresent=true, and otherwise omit it and not assert anything about its intended value but to parse it as is.. We think we will need to support this bad behavior as accounting for a deficiency of the spec.
|
Just FYI - I check the Java tools to see if it handles If you call the Note that this will not cause any parsing error - it only reports the issue in the Note - there was an issue in the Java library which may have masked the verification failures for some deeply nested dependencies - this has been fixed in the latest release. |
|
After discussion with @lumjjb we've decided to merge this PR and look at removing |
another-rex
pushed a commit
to google/osv-scanner
that referenced
this pull request
Jun 6, 2023
[](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/BurntSushi/toml](https://togithub.com/BurntSushi/toml) | require | minor | `v1.2.1` -> `v1.3.0` | | [github.com/go-git/go-git/v5](https://togithub.com/go-git/go-git) | require | minor | `v5.6.1` -> `v5.7.0` | | [github.com/spdx/tools-golang](https://togithub.com/spdx/tools-golang) | require | patch | `v0.5.0` -> `v0.5.1` | | [github.com/urfave/cli/v2](https://togithub.com/urfave/cli) | require | patch | `v2.25.3` -> `v2.25.5` | | golang.org/x/exp | require | digest | `dd950f8` -> `2e198f4` | | golang.org/x/tools | require | patch | `v0.9.1` -> `v0.9.3` | --- ### Release Notes <details> <summary>BurntSushi/toml</summary> ### [`v1.3.0`](https://togithub.com/BurntSushi/toml/releases/tag/v1.3.0) [Compare Source](https://togithub.com/BurntSushi/toml/compare/v1.2.1...v1.3.0) New features: - Support upcoming TOML 1.1 While it looks like TOML 1.1 is mostly stable and I don't expect any further major changes, there are *NO* compatibility guarantees as it is *NOT* yet released and *anything can still change*. To use it, set the `BURNTSUSHI_TOML_110` environment variable to any value, which can be done either with `os.SetEnv()` or by the user running a program. A full list is changes is available in the [TOML ChangeLog]; the two most notable ones are that newlines and trailing commas are now allowed in inline tables, and Unicode in bare keys can now be used – this is now a valid document: lëttërs = { ä = "a with diaeresis", è = "e with accent grave", } [TOML ChangeLog]: https://togithub.com/toml-lang/toml/blob/main/CHANGELOG.md - Allow MarshalTOML and MarshalText to be used on the document type itself, instead of only fields ([#​383](https://togithub.com/BurntSushi/toml/issues/383)). Bufixes: - `\` escapes at the end of line weren't processed correctly in multiline strings ([#​372](https://togithub.com/BurntSushi/toml/issues/372)). - Read over UTF-8 BOM ([#​381](https://togithub.com/BurntSushi/toml/issues/381)). - `omitempty` struct tag did not work for pointer values ([#​371](https://togithub.com/BurntSushi/toml/issues/371)). - Fix encoding anonymous structs on 32bit systems ([#​374](https://togithub.com/BurntSushi/toml/issues/374)). </details> <details> <summary>go-git/go-git</summary> ### [`v5.7.0`](https://togithub.com/go-git/go-git/releases/tag/v5.7.0) [Compare Source](https://togithub.com/go-git/go-git/compare/v5.6.1...v5.7.0) #### What's Changed - \*: Add support for initializing SHA256 repositories by [@​pjbgf](https://togithub.com/pjbgf) in [go-git/go-git#707 - git: add mirror clone option by [@​aymanbagabas](https://togithub.com/aymanbagabas) in [go-git/go-git#735 - git: Add support to ls-remote with peeled references. Fixes [#​749](https://togithub.com/go-git/go-git/issues/749) by [@​pjbgf](https://togithub.com/pjbgf) in [go-git/go-git#750 - git: fix cloning with branch name by [@​AriehSchneier](https://togithub.com/AriehSchneier) in [go-git/go-git#755 - git: Worktree, add check to see if file already checked in. Fixes [#​718](https://togithub.com/go-git/go-git/issues/718) by [@​cbbm142](https://togithub.com/cbbm142) in [go-git/go-git#719 - git: Worktree, git grep bare repositories by [@​aymanbagabas](https://togithub.com/aymanbagabas) in [go-git/go-git#728 - git: Add Depth to SubmoduleUpdateOptions by [@​matejrisek](https://togithub.com/matejrisek) in [go-git/go-git#754 - git: Testing, Fix tests not cleaning temp folders by [@​AriehSchneier](https://togithub.com/AriehSchneier) in [go-git/go-git#769 - git: remote, add support for a configurable timeout. by [@​andrewpollock](https://togithub.com/andrewpollock) in [go-git/go-git#753 - git: Allow Initial Branch to be configurable by [@​techknowlogick](https://togithub.com/techknowlogick) in [go-git/go-git#764 - storage: filesystem/dotgit, Improve load packed-refs by [@​fcharlie](https://togithub.com/fcharlie) in [go-git/go-git#743 - storage: filesystem, Populate index before use. Fixes [#​148](https://togithub.com/go-git/go-git/issues/148) by [@​AriehSchneier](https://togithub.com/AriehSchneier) in [go-git/go-git#722 - plumbing: resolve non-external delta references by [@​ZauberNerd](https://togithub.com/ZauberNerd) in [go-git/go-git#485 - plumbing/transport: fix regression in scp-like match by [@​jotadrilo](https://togithub.com/jotadrilo) in [go-git/go-git#715 - plumbing/transport: Add support for custom proxy settings by [@​aryan9600](https://togithub.com/aryan9600) in [go-git/go-git#744 - \*: small fixes across the codebase by [@​pjbgf](https://togithub.com/pjbgf) in [go-git/go-git#770 - \*: bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 by [@​dependabot](https://togithub.com/dependabot) in [go-git/go-git#776 - \*: bump dependencies by [@​pjbgf](https://togithub.com/pjbgf) in [go-git/go-git#748 - \*: bump Go version to 1.18 on go.mod by [@​pjbgf](https://togithub.com/pjbgf) in [go-git/go-git#774 - \*: add Codeql workflow and bump dependencies by [@​pjbgf](https://togithub.com/pjbgf) in [go-git/go-git#775 - ci: fix upstream git build for master branch by [@​pjbgf](https://togithub.com/pjbgf) in [go-git/go-git#739 #### New Contributors - [@​ZauberNerd](https://togithub.com/ZauberNerd) made their first contribution in [go-git/go-git#485 - [@​jotadrilo](https://togithub.com/jotadrilo) made their first contribution in [go-git/go-git#715 - [@​fcharlie](https://togithub.com/fcharlie) made their first contribution in [go-git/go-git#743 - [@​AriehSchneier](https://togithub.com/AriehSchneier) made their first contribution in [go-git/go-git#755 - [@​cbbm142](https://togithub.com/cbbm142) made their first contribution in [go-git/go-git#719 - [@​aryan9600](https://togithub.com/aryan9600) made their first contribution in [go-git/go-git#744 - [@​matejrisek](https://togithub.com/matejrisek) made their first contribution in [go-git/go-git#754 - [@​andrewpollock](https://togithub.com/andrewpollock) made their first contribution in [go-git/go-git#753 - [@​techknowlogick](https://togithub.com/techknowlogick) made their first contribution in [go-git/go-git#764 **Full Changelog**: go-git/go-git@v5.6.1...v5.7.0 </details> <details> <summary>spdx/tools-golang</summary> ### [`v0.5.1`](https://togithub.com/spdx/tools-golang/releases/tag/v0.5.1) [Compare Source](https://togithub.com/spdx/tools-golang/compare/v0.5.0...v0.5.1) #### What's Changed - Add ability to specify JSON output options by [@​DmitriyLewen](https://togithub.com/DmitriyLewen) in [spdx/tools-golang#213 - Fix some optional params: `copyrightText`, `licenseListVersion`, `packageVerificationCode` by [@​lumjjb](https://togithub.com/lumjjb) in [spdx/tools-golang#215 - Properly output and read the `filesAnalyzed` field in JSON/YAML by [@​kzantow](https://togithub.com/kzantow) in [spdx/tools-golang#210 - Ensure no duplicates in relationships when shortcut fields are used. by [@​lumjjb](https://togithub.com/lumjjb) in [spdx/tools-golang#218 #### New Contributors - [@​testwill](https://togithub.com/testwill) made their first contribution in [spdx/tools-golang#212 - [@​DmitriyLewen](https://togithub.com/DmitriyLewen) made their first contribution in [spdx/tools-golang#213 **Full Changelog**: spdx/tools-golang@v0.5.0...v0.5.1 </details> <details> <summary>urfave/cli</summary> ### [`v2.25.5`](https://togithub.com/urfave/cli/releases/tag/v2.25.5) [Compare Source](https://togithub.com/urfave/cli/compare/v2.25.4...v2.25.5) #### What's Changed - Fix:(issue\_1737) Set bool count by taking care of num of aliases by [@​dearchap](https://togithub.com/dearchap) in [urfave/cli#1740 **Full Changelog**: urfave/cli@v2.25.4...v2.25.5 ### [`v2.25.4`](https://togithub.com/urfave/cli/releases/tag/v2.25.4) [Compare Source](https://togithub.com/urfave/cli/compare/v2.25.3...v2.25.4) #### What's Changed - Bug/fix issue 1703 by [@​jojje](https://togithub.com/jojje) in [urfave/cli#1728 - Fix:(issue\_1734) Show categories for subcommands by [@​dearchap](https://togithub.com/dearchap) in [urfave/cli#1735 - Fix:(issue\_1610). Keep RunAsSubcommand behaviour as before by [@​dearchap](https://togithub.com/dearchap) in [urfave/cli#1736 - Fix:(issue\_1731) Add fix for checking if aliases are set by [@​dearchap](https://togithub.com/dearchap) in [urfave/cli#1732 - Fix func name referenced in doc comment by [@​meatballhat](https://togithub.com/meatballhat) in [urfave/cli#1738 #### New Contributors - [@​jojje](https://togithub.com/jojje) made their first contribution in [urfave/cli#1728 **Full Changelog**: urfave/cli@v2.25.3...v2.25.4 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/google/osv-scanner). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS40OC4yIiwidXBkYXRlZEluVmVyIjoiMzUuMTAyLjEwIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
](https://renovatebot.com){kind=link}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The Package
FilesAnalyzedfield has somewhat backwards behavior from standard Go JSON -- if it's omitted, the value istrue. It had been set asomitempty, which means it was omitted if false (the default for a bool value). This resulted in an impossibility of setting it tofalse, since it would be omitted from the JSON, which then should be interpreted astrue. This PR adjust the behavior so the field is always output, and handles interpreting missing values astrue.Fixes #209