search

kubernetes-sigs / bom

A utility to generate SPDX-compliant Bill of Materials manifests
https://kubernetes-sigs.github.io/bom/
Apache License 2.0
337 stars 48 forks source link

JSON Parser: Support top-level elements defined with relationships #304

Closed puerco closed 1 year ago

puerco commented 1 year ago

What type of PR is this?

/kind cleanup /kind feature

What this PR does / why we need it:

SPDX supports defining the top-level elements of the SBOM using the documentDescribes field but also by linking elements to the document with a DESCRIBES relationship. This commit adds support to the JSON parser to detect top-level elements specified using the former method.

I'm also sneaking in a small change to improve printing the licenses in query results. bom will now detect better when licenses are NOASSERTION when choosing which licenses to print.

Signed-off-by: Adolfo García Veytia (Puerco) puerco@chainguard.dev

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

/assign @cpanato @saschagrunert @xmudrii /cc @kubernetes-sigs/release-engineering

Does this PR introduce a user-facing change?

- The `bom` json parser now supports top-level elements specified with a `DESCRIBES` relationship to the document. `documentDescribes` is, of course, still suppoirted
- License printing in query results has better `NOASSERTION` detection when choosing which license to print.
k8s-ci-robot commented 1 year ago

@puerco: GitHub didn't allow me to request PR reviews from the following users: kubernetes-sigs/release-engineering.

Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to [this](https://github.com/kubernetes-sigs/bom/pull/304): >#### What type of PR is this? > >/kind cleanup >/kind feature > >#### What this PR does / why we need it: > >SPDX supports defining the top-level elements of the SBOM using the `documentDescribes` field but also by linking elements to the document with a `DESCRIBES` relationship. This commit adds support to the JSON parser to detect top-level elements specified using the former method. > >I'm also sneaking in a small change to improve printing the licenses in query results. `bom` will now detect better when licenses are `NOASSERTION` when choosing which licenses to print. > >Signed-off-by: Adolfo García Veytia (Puerco) > >#### Which issue(s) this PR fixes: > >None > >#### Special notes for your reviewer: > >/assign @cpanato @saschagrunert @xmudrii >/cc @kubernetes-sigs/release-engineering > >#### Does this PR introduce a user-facing change? > > > >```release-note >- The `bom` json parser now supports top-level elements specified with a `DESCRIBES` relationship to the document. `documentDescribes` is, of course, still suppoirted >- License printing in query results has better `NOASSERTION` detection when choosing which license to print. >``` > Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
k8s-ci-robot commented 1 year ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cpanato, puerco

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/kubernetes-sigs/bom/blob/main/OWNERS)~~ [cpanato,puerco] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment