Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: adding SBOM to package #2810

Merged
merged 4 commits into from
Mar 30, 2023
Merged

feat: adding SBOM to package #2810

merged 4 commits into from
Mar 30, 2023

Conversation

Rexbeast2
Copy link
Contributor

fixes #2687

@codecov-commenter
Copy link

codecov-commenter commented Mar 11, 2023
edited
Loading

Codecov Report

Merging #2810 (11c0b46) into main (63543d0) will increase coverage by 2.03%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #2810      +/-   ##
==========================================
+ Coverage   81.11%   83.14%   +2.03%     
==========================================
  Files         648      651       +3     
  Lines       10168    10254      +86     
  Branches     1369     1382      +13     
==========================================
+ Hits         8248     8526     +278     
+ Misses       1558     1376     -182     
+ Partials      362      352      -10
Flag Coverage Δ
longtests 76.12% <ø> (-4.50%) ⬇️
win-longtests 80.81% <ø> (+2.25%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 18 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

terriko
terriko requested changes Mar 15, 2023
View reviewed changes
Copy link
Contributor

@terriko terriko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure whether we should be removing the markdown generator or using the output somewhere, but I think this may need some changes. I'd probably default to just taking the lines out of the .yml file but I'll let @anthonyharrison review this PR first in case I'm missing something.

.github/workflows/sbom.yml Outdated
pip install . --upgrade --upgrade-strategy=eager
- name: Generate SBOM for cve-bin-tool
run: |
sbom4python --module cve-bin-tool --output cve-bin-tool-py${{ matrix.python }}.spdx
sbom4python --module cve-bin-tool --sbom cyclonedx --format json --output cve-bin-tool-py${{ matrix.python }}.json
- name: Generate Markdown for SBOM
run: |
sbom2doc --input-file cve-bin-tool-py${{ matrix.python }}.spdx --format markdown --output-file cve-bin-tool-py${{ matrix.python }}.html
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This appears to generate a markdown version of the sbom but then it doesn't look like you use it anywhere. What was the goal here?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@terriko The idea I had was to create a release note which included the SBOM information. I suggested that we use my sbom2doc utility as it produces a markdown version of the SBOM and the idea (which I probably didn't share with @Rexbeast2) was to use this file as part of a bigger document. Does this seem like a resonable goal @terriko ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good long-term, but if that's how it's going to be used, let's add it into a docs build step rather than updating it every week alongside the SBOM. So we can take it out of here and build it into a different PR when we're actually prepared to use it. They can be generated at any time since we'll have the weekly sboms anyhow.

terriko
terriko requested changes Mar 15, 2023
View reviewed changes
.github/workflows/sbom.yml Outdated
pip install . --upgrade --upgrade-strategy=eager
- name: Generate SBOM for cve-bin-tool
run: |
sbom4python --module cve-bin-tool --output cve-bin-tool-py${{ matrix.python }}.spdx
sbom4python --module cve-bin-tool --sbom cyclonedx --format json --output cve-bin-tool-py${{ matrix.python }}.json
- name: Generate Markdown for SBOM
run: |
sbom2doc --input-file cve-bin-tool-py${{ matrix.python }}.spdx --format markdown --output-file cve-bin-tool-py${{ matrix.python }}.html
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good long-term, but if that's how it's going to be used, let's add it into a docs build step rather than updating it every week alongside the SBOM. So we can take it out of here and build it into a different PR when we're actually prepared to use it. They can be generated at any time since we'll have the weekly sboms anyhow.

@Rexbeast2
Copy link
Contributor Author

@terriko if there are any more changes you want. let me know.

terriko
terriko requested changes Mar 23, 2023
View reviewed changes
Copy link
Contributor

@terriko terriko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've changed the sbom suggestions so you should be able to just click and remove those sections and then this should be ready to merge. We'll probably move the sbom generation into the docs/ build files in a separate PR; I'll open an issue about it.

.github/workflows/testing.yml Outdated
@@ -37,10 +37,14 @@ jobs:
python -m pip install --upgrade setuptools
python -m pip install --upgrade wheel
python -m pip install --upgrade -r doc/requirements.txt
python -m pip install --upgrade sbom2doc
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
python -m pip install --upgrade sbom2doc

Removing this for now until we're ready to use the generated sbom docs.

.github/workflows/testing.yml Outdated
Comment on lines 45 to 47
- name: Generate Markdown for SBOM
run: |
sbom2doc --input-file cve-bin-tool-py${{ matrix.python }}.spdx --format markdown --output-file cve-bin-tool-py${{ matrix.python }}.html
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- name: Generate Markdown for SBOM
run: |
sbom2doc --input-file cve-bin-tool-py${{ matrix.python }}.spdx --format markdown --output-file cve-bin-tool-py${{ matrix.python }}.html

As elsewhere, removing the sbom->doc translation for now until we're ready to use the results in our docs somewhere. I think this will go into the docs build script rather than in testing.yml in the future.

@terriko terriko mentioned this pull request Mar 23, 2023
Closed
anthonyharrison
anthonyharrison reviewed Mar 30, 2023
View reviewed changes
Copy link
Contributor

@anthonyharrison anthonyharrison left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK

terriko
terriko approved these changes Mar 30, 2023
View reviewed changes
Copy link
Contributor

@terriko terriko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, I think we're ready to get this merged. Thank you!

@terriko terriko merged commit 0b2987d into intel:main Mar 30, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anthonyharrison anthonyharrison anthonyharrison left review comments

@terriko terriko terriko approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Publish SBOM with each release
4 participants
@Rexbeast2 @codecov-commenter @terriko @anthonyharrison