
Change ingestion to use Protobom #57

Merged (8 commits) on Aug 25, 2024

Conversation

neilnaveen

@neilnaveen neilnaveen commented Aug 21, 2024

  • Changed ingestion to use Protobom
  • Made the visualizer easier to understand

Summary by CodeRabbit

  • New Features

    • Enhanced SBOM processing capabilities with a new reader for simplified handling of SBOM documents.
    • Improved visual representation of graphs with dynamic node sizing and coloring based on connections.
    • Added profiling functionality, allowing users to enable a profiling server for performance monitoring.
  • Bug Fixes

    • Improved error handling in SBOM file operations for clearer feedback.
  • Refactor

    • Streamlined dependency management and node processing logic.
    • Refactored node property calculations for better clarity and maintainability.
  • Chores

    • Updated project dependencies to improve performance and functionality.
    • Simplified the testing process by removing Docker dependencies from the test target.


coderabbitai bot commented Aug 21, 2024

Caution

Review failed

The pull request is closed.

Walkthrough

The recent changes enhance the Go project's dependency management and improve core functionalities. The go.mod file sees refined dependencies, while key code files, such as visualizer.go, sbom.go, and root.go, have undergone significant refactoring. These adjustments improve clarity, maintainability, and efficiency in SBOM processing, graph visualization, and command-line interface, ultimately enhancing the project’s overall performance and usability.

Changes

Files Change Summary
go.mod Removed direct dependency on github.com/CycloneDX/cyclonedx-go (now indirect); added new dependencies such as github.com/protobom/protobom and others; cleaned up unused indirect dependencies.
pkg/graph/visualizer.go, pkg/tools/ingest/sbom.go Refactored functions for better clarity and maintainability; introduced new functions for node size and color calculations, and streamlined SBOM processing using the protobom reader for improved efficiency.
cmd/root/root.go, main.go Expanded options struct for profiling capabilities; modified AddFlags method for new flags; updated main function to support optional profiling server with configuration from command line.
pkg/tools/ingest/sbom_test.go Updated test file paths and adjusted expected outcomes for SBOM processing; refined test cases to align with new specifications and directory structure.
Makefile Removed dependency on docker-up in the test target, allowing tests to run independently without Docker environment setup.
test/*.json Updated specVersion fields from "1.4" to "1.5" in multiple JSON files to reflect the latest specification version.

Poem

🐰 In the fields of code I hop,
With changes bright, I’ll never stop!
Dependencies trimmed, a cleaner space,
Nodes now dance with vibrant grace.
Let's celebrate with joyful cheer,
For a codebase fresh, we hold so dear! 🎉



codecov bot commented Aug 21, 2024

Codecov Report

Attention: Patch coverage is 20.31250% with 51 lines in your changes missing coverage. Please review.

Files                       Patch %    Lines
pkg/graph/visualizer.go     0.00%      40 Missing ⚠️
pkg/tools/ingest/sbom.go    54.16%     6 Missing and 5 partials ⚠️

Files                       Coverage Δ
pkg/tools/ingest/sbom.go    50.00% <54.16%> (-2.39%) ⬇️
pkg/graph/visualizer.go     0.00% <0.00%> (ø)


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

Outside diff range, codebase verification and nitpick comments (1)
pkg/tools/ingest/sbom.go (1)

13-13: Updated comment for SBOM function.

The comment now accurately reflects the function's purpose of ingesting SBOM files or directories. Ensure the comment remains updated with future changes.

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between f743b5c and a9e4d5b.

Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
Files selected for processing (3)
  • go.mod (2 hunks)
  • pkg/graph/visualizer.go (3 hunks)
  • pkg/tools/ingest/sbom.go (3 hunks)
Additional comments not posted (17)
go.mod (7)

12-12: Addition of protobom dependency.

The addition of github.com/protobom/protobom v0.4.3 suggests the integration of Protobom for SBOM processing, aligning with the PR objectives. Ensure this dependency is necessary and used effectively.


25-25: Modification of cyclonedx-go dependency to indirect.

Changing github.com/CycloneDX/cyclonedx-go v0.9.0 to an indirect dependency indicates it's no longer directly used. Verify if all direct usages have been replaced or removed.


28-28: Addition of semver dependency.

The addition of github.com/blang/semver/v4 v4.0.0 as an indirect dependency might be for version management. Ensure its usage is justified.


31-31: Addition of uuid dependency.

The addition of github.com/google/uuid v1.6.0 as an indirect dependency suggests UUID generation is required. Verify its necessity.


35-35: Addition of logrus dependency.

The addition of github.com/sirupsen/logrus v1.9.3 as an indirect dependency suggests enhanced logging capabilities. Ensure its usage is consistent across the codebase.


36-36: Addition of spdx/tools-golang dependency.

The addition of github.com/spdx/tools-golang v0.5.4 as an indirect dependency might be for SPDX processing. Verify its necessity.


42-42: Addition of protobuf dependency.

The addition of google.golang.org/protobuf v1.34.1 as an indirect dependency aligns with Protobom integration. Ensure its usage is necessary and correct.

pkg/tools/ingest/sbom.go (7)

10-10: Import of Protobom reader.

The import of github.com/protobom/protobom/pkg/reader aligns with the shift to Protobom for SBOM processing. Ensure this import is used effectively throughout the code.


45-45: Improved error handling for file opening.

The error message is clear and provides context about the failure to open a file. This enhances debugging and user feedback.


48-49: Creation of Protobom reader.

The creation of a new Protobom reader is a key part of the refactoring. Ensure that this reader is correctly initialized and used.


51-54: Parsing SBOM file with Protobom.

The use of r.ParseFile(filePath) simplifies SBOM parsing. Verify that this method handles all necessary SBOM formats and edge cases.


57-60: Retrieving node list from Protobom document.

The retrieval of a node list directly from the document streamlines processing. Ensure that the node list is correctly populated and utilized.


Line range hint 67-81: Processing nodes and adding to graph storage.

The new approach to processing nodes and adding them to storage is more direct. Ensure that node IDs and dependencies are correctly managed.


83-102: Handling of edges and dependencies.

The refined handling of edges ensures no duplicate edges are created. Verify that all dependencies are correctly represented in the graph.

pkg/graph/visualizer.go (3)

91-92: Use of calculateSymbolSize and getColorForSize.

The refactoring to use dedicated functions for symbol size and color improves clarity. Ensure these functions are correctly implemented and efficient.


159-191: Implementation of getColorForSize.

This function dynamically assigns colors based on node size, enhancing visual representation. Ensure the color interpolation logic is correct.


193-205: Implementation of calculateSymbolSize.

The function uses a logarithmic scale to determine node size, which is efficient for large ranges. Ensure the size mapping aligns with expected visual outcomes.
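The review comments above touch three behaviours of the new ingestion path: nodes are loaded before edges, duplicate edges must not be stored twice, and the visualizer sizes each node on a logarithmic scale of how many nodes depend on it. The following is an added, self-contained Go example written for this page; it is not code from the PR or from protobom. Node and Edge are local stand-ins whose shape (one From ID, many To IDs) is an assumption modelled on a protobom node list, and the sample SBOM data is constructed inline. It also treats an edge that references an undeclared node as an ingestion error, a check the reviewer asked to be verified.

```go
package main

import (
	"fmt"
	"math"
)

// Node and Edge are local stand-ins (an assumption, not protobom's types) that
// mirror the shape of a protobom node list: a node carries an ID and a purl,
// and an edge has one From ID and many To IDs.
type Node struct {
	ID   string
	Purl string
}

type Edge struct {
	From string
	To   []string
}

// Graph keeps an adjacency set so the same dependency can only be stored once.
type Graph struct {
	nodes map[string]Node
	deps  map[string]map[string]struct{} // from -> set of to
}

func NewGraph() *Graph {
	return &Graph{nodes: map[string]Node{}, deps: map[string]map[string]struct{}{}}
}

func (g *Graph) AddNode(n Node) { g.nodes[n.ID] = n }

// AddEdge returns false when the edge already exists and errors when either
// endpoint was never declared as a node, so a malformed SBOM cannot add
// dangling dependencies to the graph silently.
func (g *Graph) AddEdge(from, to string) (bool, error) {
	if _, ok := g.nodes[from]; !ok {
		return false, fmt.Errorf("edge from unknown node %q", from)
	}
	if _, ok := g.nodes[to]; !ok {
		return false, fmt.Errorf("edge to unknown node %q", to)
	}
	set, ok := g.deps[from]
	if !ok {
		set = map[string]struct{}{}
		g.deps[from] = set
	}
	if _, dup := set[to]; dup {
		return false, nil
	}
	set[to] = struct{}{}
	return true, nil
}

// Ingest loads nodes first, then edges, and reports how many duplicate edges
// the input carried so a noisy SBOM shows up in logs instead of being absorbed.
func Ingest(nodes []Node, edges []Edge) (*Graph, int, error) {
	g := NewGraph()
	for _, n := range nodes {
		g.AddNode(n)
	}
	dups := 0
	for _, e := range edges {
		for _, to := range e.To {
			added, err := g.AddEdge(e.From, to)
			if err != nil {
				return nil, dups, err
			}
			if !added {
				dups++
			}
		}
	}
	return g, dups, nil
}

// Dependents counts how many nodes depend on id (its in-degree).
func (g *Graph) Dependents(id string) int {
	n := 0
	for _, set := range g.deps {
		if _, ok := set[id]; ok {
			n++
		}
	}
	return n
}

// CalculateSymbolSize maps an in-degree onto [minSize, maxSize] on a log scale,
// so one heavily depended-on node does not flatten every other node to the minimum.
func CalculateSymbolSize(deps, maxDeps int, minSize, maxSize float64) float64 {
	if maxDeps <= 0 || deps <= 0 {
		return minSize
	}
	if deps > maxDeps {
		deps = maxDeps
	}
	ratio := math.Log1p(float64(deps)) / math.Log1p(float64(maxDeps))
	return minSize + (maxSize-minSize)*ratio
}

func main() {
	// Constructed sample: A depends on B and C, A->B is listed twice, B depends on C.
	nodes := []Node{{"A", "pkg:golang/a@1"}, {"B", "pkg:golang/b@1"}, {"C", "pkg:golang/c@1"}}
	edges := []Edge{{From: "A", To: []string{"B", "C"}}, {From: "A", To: []string{"B"}}, {From: "B", To: []string{"C"}}}
	g, dups, err := Ingest(nodes, edges)
	if err != nil {
		panic(err)
	}
	fmt.Printf("duplicate edges skipped: %d\n", dups)
	for _, id := range []string{"A", "B", "C"} {
		d := g.Dependents(id)
		fmt.Printf("%s dependents=%d size=%.1f\n", id, d, CalculateSymbolSize(d, 2, 10, 50))
	}
}
```

In the sample, C ends up with two dependents and the largest symbol, A with none and the smallest; the repeated A->B edge is counted once and reported rather than stored twice.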

neilnaveen and others added 5 commits August 22, 2024 09:27
- Changed ingestion to use Protobom
- Made the visualizer easier to understand
- Changed ingestion to use Protobom
- Made the visualizer easier to understand
Included log instead of fmt.Println
- Changed ingestion to use Protobom
- Made the visualizer easier to understand

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Outside diff range, codebase verification and nitpick comments (2)
cmd/root/root.go (1)

17-19: Method modifications approved; suggest adding documentation.

The changes to the AddFlags method are correctly implemented. It's recommended to add documentation or comments explaining the new flags for future maintainability.

pkg/tools/ingest/sbom.go (1)

66-102: Refined node and dependency processing.

The transition to using protobom has streamlined the node processing. The mapping of nodes to their Package URLs and the management of dependencies are clear and maintainable.

However, consider adding more detailed logging or comments explaining the logic for handling nodes and dependencies, especially for complex graphs.

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between a9e4d5b and 024af69.

Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
Files selected for processing (5)
  • cmd/root/root.go (2 hunks)
  • go.mod (2 hunks)
  • main.go (1 hunks)
  • pkg/graph/visualizer.go (3 hunks)
  • pkg/tools/ingest/sbom.go (3 hunks)
Files skipped from review as they are similar to previous changes (1)
  • pkg/graph/visualizer.go
Additional comments not posted (7)
cmd/root/root.go (1)

12-14: Structural additions approved.

The additions of pprofEnabled and pprofAddr to the options struct are appropriate for enabling and configuring the pprof server.

main.go (1)

16-17: Variable declarations approved.

The addition of pprofEnabled and pprofAddr variables is necessary for the new profiling functionality.

go.mod (1)

Line range hint 13-44: Dependency management changes approved; verify removal impact.

The updates to the go.mod file are well-aligned with the project's new requirements. However, ensure that the removal of github.com/kr/pretty does not impact any existing functionality.

Run the following script to verify the impact of the removal:

Verification successful

Removal of github.com/kr/pretty confirmed without impact

The absence of github.com/kr/pretty in both the codebase and the go.mod file confirms that its removal does not affect existing functionality. No further action is required.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the impact of removing `github.com/kr/pretty`.

# Test: Search for usage of `github.com/kr/pretty`. Expect: No occurrences.
rg --type go 'github.com/kr/pretty'

Length of output: 35


Script:

#!/bin/bash
# Description: Verify the presence of `github.com/kr/pretty` in go.mod to confirm its removal.

# Test: Search for `github.com/kr/pretty` in go.mod. Expect: No occurrences.
rg 'github.com/kr/pretty' go.mod

Length of output: 32

pkg/tools/ingest/sbom.go (4)

14-14: Updated function documentation.

The comment update clarifies the function's purpose, aligning with the changes made to use the protobom library.


28-28: Review recursive SBOM processing and logging.

The recursive processing of directories is correctly implemented. The added logging provides useful traceability for the ingestion process.

Also applies to: 34-34


48-48: Enhanced error handling.

The error messages are now more descriptive, improving the debugging process. The use of fmt.Errorf with %w for wrapping errors is a good practice.

Also applies to: 57-57, 89-89, 96-96


51-57: Introduction of protobom reader for parsing.

The use of protobom reader simplifies the file parsing process, reducing the complexity and potential for bugs compared to the previous manual decoding.

naveensrinivasan and others added 3 commits August 24, 2024 16:52
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
@naveensrinivasan naveensrinivasan merged commit c8dbd67 into main Aug 25, 2024
1 check passed
@naveensrinivasan naveensrinivasan deleted the neil/ingestWithProtobom branch August 25, 2024 01:44