scylladb / scylla-cqlsh

A fork of the cqlsh code
Apache License 2.0

SBOM for the cqlsh tool #41

Closed mykaul closed 1 year ago

mykaul commented 1 year ago

As part of the release process, we should provide an SBOM (Software Bill of Materials) for the release. See https://github.com/scylladb/scylla-pkg/issues/3202#issuecomment-1619753664 for an example. (Unless it is covered as part of the ScyllaDB build?)

fruch commented 1 year ago

@yaronkaikov can your team take it, as they do for the core?

Annamikhlin commented 1 year ago

By using the tool, the following SBOM report was generated:

annamikhlin@annamikhlin ~/Downloads/sbom/sbom $ ./syft dir:scylla-cqlsh/ --scope all-layers 
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
 ✔ Indexed file system                                                                                                                                                          scylla-cqlsh
 ✔ Cataloged packages              [4 packages]  
NAME           VERSION      TYPE   
PyYAML         6.0          python  
click          8.1.3        python  
geomet         0.2.1.post1  python  
scylla-driver  3.26.0       python

The license field is also empty here (tool limitation):

annamikhlin@annamikhlin ~/Downloads/sbom/sbom $ ./syft dir:scylla-cqlsh/ --scope all-layers --output template -t sbom.tmpl
 ✔ Indexed file system                                                                                                                          scylla-cqlsh
 ✔ Cataloged packages              [4 packages]  
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
SBOM Report:

============================= 
Package Name: PyYAML
Version: 6.0
Type: python
License: []
============================= 
Package Name: click
Version: 8.1.3
Type: python
License: []
============================= 
Package Name: geomet
Version: 0.2.1.post1
Type: python
License: []
============================= 
Package Name: scylla-driver
Version: 3.26.0
Type: python
License: []

I'm not sure we get any added value from this tool; we have all the same info in the requirements.txt file https://github.com/scylladb/scylla-cqlsh/blob/e651e12e36262a800c67f6f6d17538e84cd09286/requirements.txt#L1-L4

yaronkaikov commented 1 year ago

> By using the tool, the following SBOM report was generated:
>
> annamikhlin@annamikhlin ~/Downloads/sbom/sbom $ ./syft dir:scylla-cqlsh/ --scope all-layers 
> [0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
>  ✔ Indexed file system                                                                                                                                                          scylla-cqlsh
>  ✔ Cataloged packages              [4 packages]  
> NAME           VERSION      TYPE   
> PyYAML         6.0          python  
> click          8.1.3        python  
> geomet         0.2.1.post1  python  
> scylla-driver  3.26.0       python
>
> The license field is also empty here (tool limitation):
>
> annamikhlin@annamikhlin ~/Downloads/sbom/sbom $ ./syft dir:scylla-cqlsh/ --scope all-layers --output template -t sbom.tmpl
>  ✔ Indexed file system                                                                                                                          scylla-cqlsh
>  ✔ Cataloged packages              [4 packages]  
> [0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
> SBOM Report:
>
> ============================= 
> Package Name: PyYAML
> Version: 6.0
> Type: python
> License: []
> ============================= 
> Package Name: click
> Version: 8.1.3
> Type: python
> License: []
> ============================= 
> Package Name: geomet
> Version: 0.2.1.post1
> Type: python
> License: []
> ============================= 
> Package Name: scylla-driver
> Version: 3.26.0
> Type: python
> License: []
>
> I'm not sure we get any added value from this tool; we have all the same info in the requirements.txt file
>
> https://github.com/scylladb/scylla-cqlsh/blob/e651e12e36262a800c67f6f6d17538e84cd09286/requirements.txt#L1-L4

@mykaul ^^

mykaul commented 1 year ago

That's OK - if that's what we get, it's good enough for now - we'll use this, as it is a standard format. It is a bit strange it doesn't go the extra mile for Python packages...

mykaul commented 1 year ago

https://github.com/anchore/syft/issues/2023

Annamikhlin commented 1 year ago

Ok, we can use JSON format here as well; the output will be the following:

{
 "artifacts": [
  {
   "id": "c9f8a6fdb5568416",
   "name": "PyYAML",
   "version": "6.0",
   "type": "python",
   "foundBy": "python-index-cataloger",
   "locations": [
    {
     "path": "/requirements.txt",
     "annotations": {
      "evidence": "primary"
     }
    }
   ],
   "licenses": [],
   "language": "python",
   "cpes": [
    "cpe:2.3:a:python-PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:python-PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:python_PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:python_PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:python-PyYAML:PyYAML:6.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:python:python-PyYAML:6.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:python:python_PyYAML:6.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:python_PyYAML:PyYAML:6.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:PyYAML:PyYAML:6.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:python:PyYAML:6.0:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:pypi/PyYAML@6.0",
   "metadataType": "PythonRequirementsMetadata",
   "metadata": {
    "name": "PyYAML",
    "versionConstraint": "==6.0"
   }
  },

The license is missing but there is some additional info.

Full report: cqlsh_json_report.txt
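An added example (not code from the scylla-cqlsh project, from syft, or from anyone in this thread) showing how the JSON output above can be checked automatically instead of eyeballed against requirements.txt: it parses a constructed syft-style SBOM and a constructed requirements.txt, flags artifacts whose `licenses` list is empty (the gap discussed above), flags missing `purl` values, unpinned or drifted requirements, and packages present on one side only. The package names and versions are the ones pasted in this thread; the `six` requirement line, the click license value, and the reduced field set are constructed for the example.

```python
"""Cross-check a syft JSON SBOM against requirements.txt.

Added example for this thread; not code from scylla-cqlsh or from syft.
It reads only the artifact fields shown in the JSON excerpt above
(name, version, licenses, purl) and reports the gaps a release reviewer
would care about: empty license lists, missing purls, unpinned requirements,
version drift between the two files, and packages present on one side only.
"""
import json
import re

# Constructed sample in the shape of syft's JSON output. Names and versions
# match the thread; the click license value is constructed, and the other
# syft fields (cpes, locations, metadata, ...) are omitted because this
# script does not read them.
SAMPLE_SBOM_JSON = json.dumps({
    "artifacts": [
        {"name": "PyYAML", "version": "6.0", "type": "python",
         "licenses": [], "purl": "pkg:pypi/PyYAML@6.0"},
        {"name": "click", "version": "8.1.3", "type": "python",
         "licenses": ["BSD-3-Clause"], "purl": "pkg:pypi/click@8.1.3"},
        {"name": "geomet", "version": "0.2.1.post1", "type": "python",
         "licenses": [], "purl": "pkg:pypi/geomet@0.2.1.post1"},
        {"name": "scylla-driver", "version": "3.26.0", "type": "python",
         "licenses": [], "purl": "pkg:pypi/scylla-driver@3.26.0"},
    ]
})

# Constructed requirements.txt: geomet is deliberately left unpinned and a
# hypothetical 'six' line is present that the SBOM does not list.
SAMPLE_REQUIREMENTS = """\
PyYAML==6.0
click==8.1.3
geomet>=0.2.1
scylla-driver==3.26.0
six==1.16.0  # hypothetical line, not in the real requirements.txt
"""

# package name, optional comparison operator, optional version; markers ignored
_REQ_LINE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]+)?")


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> dict:
    """Map normalised package name -> (operator, version) from requirements.txt."""
    reqs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("-"):        # skip blanks and -r/-e options
            continue
        m = _REQ_LINE.match(line)
        if m:
            name, op, ver = m.groups()
            reqs[normalize(name)] = (op, ver)
    return reqs


def audit_sbom(sbom_json: str, requirements_text: str) -> list:
    """Return sorted (finding, package, detail) tuples; an empty list means clean."""
    artifacts = json.loads(sbom_json).get("artifacts", [])
    reqs = parse_requirements(requirements_text)
    findings = []
    seen = set()
    for art in artifacts:
        name, version = art["name"], art.get("version", "")
        seen.add(normalize(name))
        if not art.get("licenses"):                 # the gap discussed in the thread
            findings.append(("missing-license", name, version))
        if not art.get("purl"):                     # needed for vulnerability matching
            findings.append(("missing-purl", name, version))
        req = reqs.get(normalize(name))
        if req is None:
            findings.append(("not-in-requirements", name, version))
        else:
            op, ver = req
            if op != "==":
                findings.append(("unpinned", name, f"{op or ''}{ver or ''}"))
            elif ver != version:
                findings.append(("version-mismatch", name, f"sbom={version} req={ver}"))
    for name in reqs:
        if name not in seen:
            findings.append(("missing-from-sbom", name, ""))
    return sorted(findings)


if __name__ == "__main__":
    for kind, pkg, detail in audit_sbom(SAMPLE_SBOM_JSON, SAMPLE_REQUIREMENTS):
        print(f"{kind:22} {pkg:15} {detail}")
```

Run as a release gate, a non-empty result from `audit_sbom` is what turns the empty `License: []` fields above from something a reviewer notices into something the pipeline fails on; the `purl` check matters for the same reason, since vulnerability scanners match on it rather than on the bare name.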

fruch commented 1 year ago

maybe https://github.com/ninoseki/pycomponents is a bit better for Python packages?

mykaul commented 1 year ago

> maybe https://github.com/ninoseki/pycomponents is a bit better for Python packages?

Single maintainer, unmaintained, ...

I'm happy with staying with what we have right now. It'll improve in time. There's a benefit of having a single tool for all languages (and we have enough of those).