kubernetes-sigs / bom

A utility to generate SPDX-compliant Bill of Materials manifests
https://kubernetes-sigs.github.io/bom/
Apache License 2.0

Keep reading SBOM until encoding is found #259

Closed puerco closed 1 year ago

puerco commented 1 year ago

What type of PR is this?

/kind bug /kind cleanup

What this PR does / why we need it:

This PR modifies the encoding detection function to read as much of the SBOM as required to detect the encoding.

Some tools (notably Microsoft's sbom-tool) put the document creation data at the end of the document and we could not detect it by reading just a few bytes from the top.

I pushed another commit removing some debugging output I accidentally checked in.

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

Does this PR introduce a user-facing change?

- bom will now read the SBOM until it detects the SBOM encoding data, enabling it to parse SBOMs with the document data defined at the end of the file.
- When trying to ingest a CycloneDX document, bom will now print a more useful warning.

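
The read-until-marker approach this PR describes, as an added example in Go that is not bom's own code: it scans an SBOM stream chunk by chunk, carrying over the tail of the previous chunk, and reports the encoding as soon as an SPDX JSON, SPDX tag-value or CycloneDX marker appears, so creation data written at the end of the file is still found. The marker strings, chunk size, constant and function names are assumptions made for this example, not bom's.

```go
package main

import "bytes"
import "io"

// Encoding names the detector reports; the empty string means no marker was found.
const (
	SPDXJSON     = "spdx-json"
	SPDXTagValue = "spdx-tag-value"
	CycloneDX    = "cyclonedx-json"
)

// Byte sequences that identify an encoding (assumed for this example). The slice
// is ordered so that detection is deterministic; the first marker found wins.
var markers = []struct{ format, marker string }{
	{SPDXJSON, `"spdxVersion"`},
	{SPDXTagValue, "SPDXVersion:"},
	{CycloneDX, `"bomFormat"`},
}

// detectFormat reads r chunk by chunk and returns at the first marker, so a
// document whose creation data sits at the very end is still recognised. The
// tail of the previous chunk is carried over so a marker split across chunks is found.
func detectFormat(r io.Reader, chunkSize int) (string, error) {
	const carry = 32 // longer than any marker above
	buf := make([]byte, chunkSize)
	var window []byte
	for {
		n, err := r.Read(buf) // n may be > 0 even when err == io.EOF
		window = append(window, buf[:n]...)
		for _, m := range markers {
			if bytes.Contains(window, []byte(m.marker)) {
				return m.format, nil
			}
		}
		if err == io.EOF {
			return "", nil // whole stream read, nothing matched
		}
		if err != nil {
			return "", err
		}
		if len(window) > carry {
			window = window[len(window)-carry:] // keep only the overlap
		}
	}
}
```

A caller that receives CycloneDX can emit the clearer warning mentioned above instead of failing on a parse error.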
k8s-ci-robot commented 1 year ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cpanato, puerco

The full list of commands accepted by this bot can be found here.

The pull request process is described here.

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/kubernetes-sigs/bom/blob/main/OWNERS)~~ [cpanato,puerco]

Approvers can indicate their approval by writing `/approve` in a comment.
Approvers can cancel approval by writing `/approve cancel` in a comment.