containerbuildsystem / cachi2

Cachi2 is a CLI tool that pre-fetches your project's dependencies to aid in making your build process network-isolated.
GNU General Public License v3.0
9 stars 27 forks

Update the SBOM merge script to handle the newer metadata.tools format #448

Closed brunoapimentel closed 8 months ago

brunoapimentel commented 10 months ago

There's a new version of CycloneDX (1.5) which introduced changes in the way to specify .metadata.tools, and marks the current format as deprecated.

CycloneDX 1.4:

{
   "metadata": {
      "tools": [
          {
             "vendor": "red hat",
             "name": "cachi2"
          }
      ]
   }
}

CycloneDX 1.5:

{
   "metadata": {
      "tools": {
         "components": [
            {
               "type": "application",
               "author": "red hat",
               "name": "cachi2"
            }
         ]
      }
   }
}

Syft has also adopted the newer format starting from version 0.99.0. This makes the 'merge_syft_sbom.py' script fail in case a newer Syft SBOM is used. This PR also updates the script so both formats can be handled in Syft SBOMs.


brunoapimentel commented 10 months ago

We should probably also create a mechanism to add the current Cachi2 version to the metadata.tools output:

  "metadata": {
    "tools": {
      "components": [
        {
          "type": "application",
          "author": "red hat",
          "name": "cachi2",
          "version": "0.4.0"
        }
      ]
    }
  }

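An added example, not code from this PR or from the cachi2 project, showing the two points raised in the PR description and in this comment together: a merge routine that accepts metadata.tools in both the CycloneDX 1.4 (list of vendor/name objects) and 1.5 (components list with author) shapes, emits the 1.5 shape, and fills in Cachi2's own version in the tool entry. It is Python because merge_syft_sbom.py is a Python script. The function names (tools_as_components, merge_tools, merge_sboms), the CACHI2_VERSION constant and the sample SBOMs are assumptions made for this example; the real script's names and the Syft tool entry's exact fields may differ.

```python
"""Merge a Syft SBOM into a Cachi2 SBOM while tolerating both metadata.tools shapes."""
import json
from typing import Any

# Hypothetical: a real build would take this from the installed package's own metadata.
CACHI2_VERSION = "0.4.0"


def tools_as_components(tools: Any) -> list[dict[str, Any]]:
    """Return metadata.tools as a CycloneDX 1.5 'components' list.

    CycloneDX 1.4 encodes tools as a list of {"vendor", "name", "version"} objects;
    CycloneDX 1.5 nests them under {"components": [...], "services": [...]} and
    renames "vendor" to "author". Both shapes are accepted; anything else is an error.
    Returned dicts are copies, so callers may edit them without touching the input SBOM.
    """
    if tools is None:
        return []
    if isinstance(tools, dict):                      # 1.5 shape: already components
        return [dict(c) for c in tools.get("components", [])]
    if isinstance(tools, list):                      # 1.4 shape: convert each entry
        components = []
        for tool in tools:
            component: dict[str, Any] = {"type": "application", "name": tool["name"]}
            if "vendor" in tool:
                component["author"] = tool["vendor"]
            if "version" in tool:
                component["version"] = tool["version"]
            components.append(component)
        return components
    raise ValueError(f"unexpected metadata.tools shape: {type(tools).__name__}")


def merge_tools(*sboms: dict[str, Any], cachi2_version: str = CACHI2_VERSION) -> dict[str, Any]:
    """Union of every SBOM's tools in 1.5 shape, deduplicated, with cachi2's version filled in."""
    merged: list[dict[str, Any]] = []
    seen: set[tuple[Any, ...]] = set()
    for sbom in sboms:
        for component in tools_as_components(sbom.get("metadata", {}).get("tools")):
            if component.get("name") == "cachi2" and "version" not in component:
                component["version"] = cachi2_version
            key = (component.get("author"), component.get("name"), component.get("version"))
            if key not in seen:
                seen.add(key)
                merged.append(component)
    return {"components": merged}


def merge_sboms(cachi2_sbom: dict[str, Any], syft_sbom: dict[str, Any]) -> dict[str, Any]:
    """Merge the Syft SBOM's components into the Cachi2 SBOM, emitting CycloneDX 1.5 output."""
    components: list[dict[str, Any]] = []
    seen: set[tuple[Any, ...]] = set()
    for sbom in (cachi2_sbom, syft_sbom):
        for component in sbom.get("components", []):
            key = (component.get("purl"), component.get("name"), component.get("version"))
            if key not in seen:                      # drop packages both tools reported
                seen.add(key)
                components.append(component)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"tools": merge_tools(cachi2_sbom, syft_sbom)},
        "components": components,
    }


# Constructed sample SBOMs (trimmed to the fields the merge touches).
CACHI2_SBOM = {                                      # Cachi2 output, old 1.4 tools shape
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"tools": [{"vendor": "red hat", "name": "cachi2"}]},
    "components": [{"type": "library", "name": "flask", "version": "3.0.0"}],
}
SYFT_SBOM_14 = {                                     # Syft < 0.99.0: 1.4 tools shape
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"tools": [{"vendor": "anchore", "name": "syft", "version": "0.98.0"}]},
    "components": [{"type": "library", "name": "requests", "version": "2.31.0"}],
}
SYFT_SBOM_15 = {                                     # Syft >= 0.99.0: 1.5 tools shape
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"tools": {"components": [
        {"type": "application", "author": "anchore", "name": "syft", "version": "0.99.0"}]}},
    "components": [{"type": "library", "name": "requests", "version": "2.31.0"}],
}

if __name__ == "__main__":
    for syft in (SYFT_SBOM_14, SYFT_SBOM_15):
        print(json.dumps(merge_sboms(CACHI2_SBOM, syft)["metadata"], indent=2))
```

The merge always writes the 1.5 shape, which is why a test fixture pinned to an older schema version (as the question about the integration tests' schema version below raises) would need to move along with it.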
taylormadore commented 10 months ago

Do we need to bump the schema version we're using in the integration tests? https://github.com/containerbuildsystem/cachi2/blob/eb4cb6c9bd2dedbd8cd766c086fa16db290ffbfb/tests/integration/utils.py#L33-L35

brunoapimentel commented 9 months ago

New pushes: added a commit that updates the merge_syft_sbom.py script.

chmeliik commented 8 months ago

Blocks https://github.com/redhat-appstudio/build-definitions/pull/722, which blocks the latest rh-syft build

(Syft < 0.99.0 panics when processing the source directory of Syft >= 0.99.0)

brunoapimentel commented 8 months ago

New push completely reworks the PR: