
Makes CycloneDX SBOM Reproducible #369

Merged (4 commits), Aug 3, 2022

Conversation

ForestEckhardt
Contributor

  • Removes the serial number and timestamp in the FormatterReader.Read()
    function

Resolves #367

Checklist

  • I have viewed, signed, and submitted the Contributor License Agreement.
  • I have linked issue(s) that this PR should close using keywords or the Github UI (See docs)
  • I have added an integration test, if necessary.
  • I have reviewed the styleguide for guidance on my code quality.
  • I'm happy with the commit history on this PR (I have rebased/squashed as needed).

- Removes the serial number and timestamp in the FormatterReader.Read()
  function
@ForestEckhardt
Contributor Author

I would like to solve #368 using the same method as this so I would like to see this get approved and then I will happily go in and use the same FormatterReader.Read() manipulation method.

@ForestEckhardt ForestEckhardt added the semver:minor A change requiring a minor version bump label Aug 2, 2022
@fg-j

fg-j commented Aug 3, 2022

Now that we're fiddling with the outputted CycloneDX JSON, I think it'd be useful to have stronger tests around the validity of the CycloneDX output. Perhaps asserting that the output JSON exactly matches a known-good output or using CycloneDX JSON 1.3 and 1.4 parsers to validate that the JSON still parses as expected. In other words, we can be sure that our SBOM output is actually CycloneDX 1.3 or 1.4 by passing it to a tool or function that consumes that SBOM format and seeing the tool succeed in parsing the input.

Edit: Resolved in recent commit using syft.IdentifyFormat().
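The approach this PR takes, written out as an added example (not packit's code and not from this PR): decode the CycloneDX JSON into a generic map, drop the top-level serialNumber and metadata.timestamp, re-encode, and compare digests of two builds. The syft.IdentifyFormat() check mentioned above is stood in for by a minimal bomFormat/specVersion check (an assumption), and the two sample documents are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// StripVolatileFields removes the two fields that differ between builds of
// otherwise identical CycloneDX JSON: serialNumber (a fresh urn:uuid per run)
// and metadata.timestamp. Decoding into a generic map keeps every other key,
// and json.Marshal writes map keys sorted, which also gives a stable layout.
func StripVolatileFields(sbom []byte) ([]byte, error) {
	var doc map[string]any
	if err := json.Unmarshal(sbom, &doc); err != nil {
		return nil, fmt.Errorf("failed to parse sbom: %w", err)
	}
	// Stand-in for syft.IdentifyFormat() (assumption): reject non-CycloneDX input.
	if doc["bomFormat"] != "CycloneDX" {
		return nil, fmt.Errorf("not CycloneDX: bomFormat=%v", doc["bomFormat"])
	}
	if v := doc["specVersion"]; v != "1.3" && v != "1.4" {
		return nil, fmt.Errorf("unsupported CycloneDX specVersion %v", v)
	}
	delete(doc, "serialNumber")
	if md, ok := doc["metadata"].(map[string]any); ok {
		delete(md, "timestamp") // md aliases the nested map inside doc
	}
	return json.Marshal(doc)
}

// Digest is the value a reproducibility test compares across two builds.
func Digest(sbom []byte) (string, error) {
	stripped, err := StripVolatileFields(sbom)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(stripped)
	return hex.EncodeToString(sum[:]), nil
}

// Constructed sample SBOMs for two builds of the same image: same content,
// different serialNumber and metadata.timestamp.
const BuildA = `{"bomFormat":"CycloneDX","specVersion":"1.4","serialNumber":"urn:uuid:11111111-1111-4111-8111-111111111111","version":1,"metadata":{"timestamp":"2022-08-03T11:06:00Z","tools":[{"name":"syft"}]},"components":[{"type":"library","name":"left-pad","version":"1.3.0"}]}`
const BuildB = `{"bomFormat":"CycloneDX","specVersion":"1.4","serialNumber":"urn:uuid:22222222-2222-4222-8222-222222222222","version":1,"metadata":{"timestamp":"2022-08-03T15:40:00Z","tools":[{"name":"syft"}]},"components":[{"type":"library","name":"left-pad","version":"1.3.0"}]}`
func main() {
	a, _ := Digest([]byte(BuildA))
	b, _ := Digest([]byte(BuildB))
	fmt.Println("identical after stripping:", a == b)
}
```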

@@ -53,6 +54,30 @@ func (f *FormattedReader) Read(b []byte) (int, error) {
return 0, fmt.Errorf("failed to format sbom: %w", err)
}

// Makes CycloneDX SBOM more reproducible, see
// https://github.com/paketo-buildpacks/packit/issues/367 for more details.
if f.format.ID() == "cyclonedx-1.3-json" || f.format.ID() == "cyclonedx-1-json" {
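Review bot: the condition compares f.format.ID() against the bare literals "cyclonedx-1.3-json" and "cyclonedx-1-json", and only the review thread explains that the second one is the generic ID for CycloneDX 1.4; put that in the code, for example as named constants or a small helper like isCycloneDXJSON(id string) bool, next to the existing comment that points at issue #367. It is also worth a note (or a test that pins the expected specVersion) that the version-less ID will keep matching if it later maps to a newer CycloneDX version, so this branch would silently cover that case too.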
Contributor Author


That is the generic ID term for cycloneDX 1.4

ForestEckhardt and others added 2 commits August 3, 2022 11:06
Comment on lines +20 to +24
BOMFormat string `json:"bomFormat"`
SpecVersion string `json:"specVersion"`
SerialNumber string `json:"serialNumber"`
Metadata struct {
Timestamp string `json:"timestamp"`
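Review bot: SerialNumber and Metadata.Timestamp carry plain `json:"serialNumber"` and `json:"timestamp"` tags with no omitempty, so if this struct is ever used for encoding after those values are cleared, the output will contain `"serialNumber": ""` and `"timestamp": ""` rather than dropping the keys. If the struct is decode-only (as the thread below concludes, since the fields do not show up in the built JSON), say so in a doc comment; otherwise add `,omitempty` so the reproducible output does not carry empty placeholder strings.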
Member


Do you think it would be clearer if the serial number and timestamp fields were omitted if empty so they don't show up at all?

Contributor Author


I don't know I would test for their absence if they were omitted

Member

@sophiewigmore sophiewigmore Aug 3, 2022


it's alright - tested this out in a build and the fields are omitted from the final JSON anyway.

@sophiewigmore
Member

Overall looks great, just nitpicks from me.

@fg-j

fg-j commented Aug 3, 2022

LGTM. Deferring to other @paketo-buildpacks/tooling-maintainers for an approval since this is heavily borrowed from a spike I put together.

@sophiewigmore sophiewigmore merged commit 3b843c5 into v2 Aug 3, 2022
@sophiewigmore sophiewigmore deleted the cyclonedx-reproducible branch August 3, 2022 15:40
@ForestEckhardt ForestEckhardt added this to the v2.4.0 milestone Aug 4, 2022
Labels
semver:minor A change requiring a minor version bump
Successfully merging this pull request may close these issues.

Implement RFC0038 Amendment: Reproducible CycloneDX SBOMs