sbomnix: release v1.4.4
- repology_cli: fix a bug that caused repology package info to be
  ignored for some sbom input packages. The issue occurred if the
  package info had already been processed by an earlier repology
  query, but had not been included in the result collection.

- repology_cli: improve local version classification

- repology_cli: fix the url in user-agent

- nixgraph: match inverse regex against full store paths. Earlier match
  was done only against the package name. This change allows querying
  inverse graphs starting from specific nix store objects, discarding
  possible duplicate package names.

- sbomnix: fix usage example in `--help` output

- update nix flake lock file

- bump sbomnix version to v1.4.4

Signed-off-by: Henri Rosten <henri.rosten@unikie.com>
henrirosten committed Mar 20, 2023
1 parent 4df666b commit 1946007
Showing 6 changed files with 25 additions and 17 deletions.
2 changes: 1 addition & 1 deletion default.nix
Expand Up @@ -9,7 +9,7 @@

pythonPackages.buildPythonPackage rec {
pname = "sbomnix";
version = "1.4.3";
version = "1.4.4";
format = "setuptools";

src = ./.;
6 changes: 3 additions & 3 deletions flake.lock


4 changes: 2 additions & 2 deletions nixgraph/graph.py
Expand Up @@ -91,8 +91,8 @@ def draw(self, start_path, args):

if self.inverse_regex:
# If inverse_regex is specified, draw the graph backwards starting
# from nodes where src_pname matches the specified regex
df = df_regex_filter(self.df, "src_pname", self.inverse_regex)
# from nodes where src_path matches the specified regex
df = df_regex_filter(self.df, "src_path", self.inverse_regex)
for row in df.itertuples():
inverse_path = row.src_path
_LOG.debug("Start path inverse: %s", inverse_path)
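Review bot: With the filter now on `src_path`, the loop `for row in df.itertuples()` right after the new `df_regex_filter` call still visits every matching row, and if `self.df` holds one row per edge (suggested by the paired `src_path`/`src_pname` columns, but not shown in this hunk) the same store path starts the inverse draw once per edge. Deduplicating the start paths, e.g. `for inverse_path in df["src_path"].unique():`, would avoid the repeated work without changing which nodes are drawn. Since the pattern is now matched against the whole store path, a short pattern such as `python` will also hit the hash prefix or any directory component if `df_regex_filter` does an unanchored search (confirm in its implementation), which is worth stating in the `--inverse` help text. The body of `draw` continues outside this hunk.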
4 changes: 2 additions & 2 deletions nixgraph/main.py
Expand Up @@ -45,8 +45,8 @@ def getargs():
parser.add_argument("--depth", help=helps, type=check_positive, default=1)

helps = (
"Draw inverse graph starting from nodes that match the specified "
"regular expression"
"Draw inverse graph starting from node (path) names that match the "
"specified regular expression"
)
parser.add_argument("--inverse", help=helps)

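Review bot: The new help string `"node (path) names"` leaves it ambiguous whether `--inverse` is matched against the package name or the full nix store path; the commit message says the match is now against full store paths, so the help should say that explicitly, e.g. `"Draw inverse graph starting from nodes whose full nix store path matches the specified regular expression"`. The rest of `getargs` is outside this hunk.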
4 changes: 1 addition & 3 deletions sbomnix/main.py
Expand Up @@ -31,9 +31,7 @@ def getargs():
"in NIX_PATH and "
"writes SBOM file(s) as specified in output arguments."
)
epil = (
"Example: sbomnix /path/to/derivation.drv --meta /path/to/meta.json --runtime"
)
epil = "Example: sbomnix /path/to/nix/out --meta /path/to/meta.json"
parser = argparse.ArgumentParser(description=desc, epilog=epil)

helps = "Path to nix artifact, e.g.: derivation file or nix output path"
22 changes: 16 additions & 6 deletions scripts/repology/repology_cli.py
Expand Up @@ -132,7 +132,7 @@ def __init__(self):
# - Cache all responses locally for 3600 seconds
self.session = CachedLimiterSession(per_second=1, expire_after=3600)
ua_product = "repology_cli/0"
ua_comment = "(https://github.com/tiiuae/sbomnix/scripts/repology)"
ua_comment = "(https://github.com/tiiuae/sbomnix/tree/main/scripts/repology)"
self.headers = {"User-Agent": f"{ua_product} {ua_comment}"}

def _packages_to_df(self, args, re_pkg_internal=None):
Expand Down Expand Up @@ -389,6 +389,7 @@ def _parse_pkg_search_resp(self, resp, repo, pkg_stop=None):
self.pkgs_dict.setdefault("newest_upstream_release", []).append(
";".join(newest_releases)
)
_LOG.log(LOG_SPAM, "Added: %s:%s:%s", pkg_name, ver, status)
# API returns at most 200 projects per one request. If the number
# or returned projects is 200, we know we need to make another
# query starting from the last returned project, for more details,
Expand Down Expand Up @@ -490,6 +491,7 @@ def _query_sbom_cdx(self, args):
pkg_id = f"{args.repository}:{cmp.name}"
if pkg_id in self.processed:
_LOG.debug("Package '%s' in sbom already processed", cmp.name)
self._packages_to_df(args, re_pkg_internal=cmp.name)
continue
if not cmp.version:
self.pkgs_dict.setdefault("repo", []).append(args.repository)
Expand Down Expand Up @@ -545,11 +547,19 @@ def _repo_row_classify(row):


def _sbom_row_classify(row):
if row.status in ["outdated", "devel", "unique"]:
if version.parse(row.version_sbom) <= version.parse(row.version):
return "sbom_pkg_needs_update"
if row.status in ["newest"]:
if version.parse(row.version_sbom) < version.parse(row.version):
if row.status == "outdated":
# If repo version is outdated, assume the local version must also
# be outdated
return "sbom_pkg_needs_update"
if row.status in ["devel", "unique", "newest"]:
# For devel, unique, and newest package versions, remove all execpt
# numbers and dots from the version strings to make the two version
# strings of the same package comparable with version.parse
re_ver = re.compile("[^0-9.]+")
ver_sbom = re_ver.sub(r"", row.version_sbom)
ver_repo = re_ver.sub(r"", row.version)
# If local version is smaller than repo version, classify accordingly
if version.parse(ver_sbom) < version.parse(ver_repo):
return "sbom_pkg_needs_update"
return ""

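Review bot: In `_sbom_row_classify`, stripping everything but digits and dots before `version.parse` introduces failure modes the original comparison did not have: a suffix with digits is folded into the last component (constructed example: `1.0rc1` becomes `1.01`, i.e. 1.1, so a repo version `1.0rc1` against an sbom version `1.0` is classified as needing an update although the sbom version is the newer one), and a string that leaves no digits (`master`) or a trailing dot (`2.0.`) makes `version.parse` raise `InvalidVersion` if `version` is `packaging.version`, which nothing in this hunk catches. I would catch `InvalidVersion` and return `""` with a debug log so one odd version string does not abort the whole classification, and hoist the compiled regex to a module constant (outside this hunk) so it is not recompiled for every row. The comment typo `execpt` should read `except`.
```python
_RE_NON_VERSION = re.compile(r"[^0-9.]+")  # module level, outside this hunk

def _sbom_row_classify(row):
    # … unchanged: "outdated" branch …
    if row.status in ["devel", "unique", "newest"]:
        # Keep only digits and dots so both strings are comparable with
        # version.parse; note that digits from a suffix such as "rc1" are
        # folded into the last release component
        ver_sbom = _RE_NON_VERSION.sub("", row.version_sbom)
        ver_repo = _RE_NON_VERSION.sub("", row.version)
        try:
            needs_update = version.parse(ver_sbom) < version.parse(ver_repo)
        except version.InvalidVersion:
            # Stripping can leave "" or a trailing dot: classification unknown
            _LOG.debug("Unparseable version '%s' or '%s'", row.version_sbom, row.version)
            return ""
        if needs_update:
            return "sbom_pkg_needs_update"
    return ""
```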
