search

kubernetes-sigs / bom

A utility to generate SPDX-compliant Bill of Materials manifests
https://kubernetes-sigs.github.io/bom/
Apache License 2.0
329 stars 48 forks source link

Trim license patch from version tag, bump list to v3.24.0 #462

Closed puerco closed 1 month ago

puerco commented 1 month ago

What type of PR is this?

/kind bug /kind cleanup /kind failing-test

What this PR does / why we need it:

This PR trims the patch version from the SPDX license list datafile before writing it to the SBOM to fix a bug has kept our CI broken for months

This is because there was a change in the versioning scheme, the SPDX license now is released with a full semver with a patch while the spec only supports major.minor

This change modifies the logic when writing the document to parse out the patch from the version tag and make the documents compliant again. The downside is that we will never know exactly which license list version was used to generate the sbom but I don't think there is any way around it.

Which issue(s) this PR fixes:

Fixes the broken CI jobs

Special notes for your reviewer:

Ref: https://github.com/spdx/LicenseListPublisher/issues/181

/cc @cpanato @saschagrunert @xmudrii @Verolop

Does this PR introduce a user-facing change?

bom now supports the spdx license list's new versioning scheme with a patch number in the license tag.
k8s-ci-robot commented 1 month ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cpanato, puerco

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/kubernetes-sigs/bom/blob/main/OWNERS)~~ [cpanato,puerco] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment