feat: add RelationshipsBySourceOwnership to syft json output #1248
Signed-off-by: Christopher Phillips <[email protected]>
Update json schema to include the optional source id field. This new field allows users to view relationships between packages and the source. Currently src --> contains all packages cataloged. This will become more nuanced as multiple source support is added. Eventually we can generate an SBOM with a single root node that contains multiple sources, which then contain multiple packages, which then contain some amount of files. These entities are also not strictly confined into the described tree structure and can behave more like a graph where other directional edges may be applied across entities. Signed-off-by: Christopher Phillips <[email protected]>
Benchmark Test Results: benchmark results from the latest changes vs base branch (table not preserved in this extract).
update integration tests to pass by refactoring ID onto metadata and promote schema changes to be non-optional. Signed-off-by: Christopher Phillips <[email protected]>
newSrc := &source.Source{
	Metadata: *toSyftSourceData(s),
}
newSrc.SetID()
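Review bot: `*toSyftSourceData(s)` dereferences the helper's return value unconditionally, so a nil return panics here; either guard it or have the helper return a value rather than a pointer. Separately, `newSrc.SetID()` recomputes the ID from the metadata while the incoming document already carries `doc.Source.ID`, which the relationships are keyed on; if the two can ever diverge (a document produced by an older schema, or hand-edited metadata), those relationships stop resolving. Compare the recomputed ID against `doc.Source.ID` and surface a mismatch, or add a `SetID(id string)` override as proposed in the thread.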
This method will generate a consistent ID for the source across encode/decode
Will this source ID change if other fields are set? It seems this is unnecessary to do here since we're using the incoming doc.Source.ID to do the mappings?
We need to call SetID since id is a private field. Even if doc was in the function signature, newSrc.id = doc.Source.ID is invalid.
Our SetID should be consistent across serialization/deserialization as long as the source metadata remains unchanged between the ser/deser calls. SetID() will consistently produce the same ID. This is also shown to be correct in this case since our encode/decode integration tests are passing with the current changes.
I could also update SetID for this case to take (id string) as an argument which would override the field rather than calculate the hash.
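To make the ID and ownership model discussed above concrete, here is an added Go example. It is not syft's code: the `SourceMetadata`, `Source`, `Package`, `Document` types, the SHA-256 construction behind `SetID`, and the `Encode`/`Decode` helpers are assumptions chosen for illustration. It shows a source ID derived from the metadata alone (so it is stable across encode/decode), the `src --contains--> pkg` relationships emitted for every cataloged package, and a decode step that recomputes the ID and rejects a document whose stored id no longer matches its metadata or whose relationships point at unknown packages.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// SourceMetadata is a hypothetical, deliberately small stand-in for the
// source metadata (assumption: the real type carries many more fields).
type SourceMetadata struct {
	Type   string `json:"type"`
	Target string `json:"target"`
}

// Source owns the cataloged packages. The id is unexported, which is why a
// SetID method is needed instead of assigning the field from outside.
type Source struct {
	id       string
	Metadata SourceMetadata
}

// SetID derives the ID from the metadata only. encoding/json emits struct
// fields in declaration order, so the hash input is deterministic and the
// same metadata always yields the same ID before and after a round trip.
func (s *Source) SetID() {
	b, err := json.Marshal(s.Metadata)
	if err != nil {
		panic(err) // only reachable with unmarshalable metadata types
	}
	sum := sha256.Sum256(b)
	s.id = hex.EncodeToString(sum[:8])
}

func (s Source) ID() string { return s.id }

type Package struct {
	ID   string `json:"id"`
	Name string `json:"name"`
}

type Relationship struct {
	Parent string `json:"parent"`
	Child  string `json:"child"`
	Type   string `json:"type"`
}

const ContainsRelationship = "contains"

// RelationshipsBySourceOwnership emits one src --contains--> pkg edge per
// cataloged package; with a single source every package hangs off it.
func RelationshipsBySourceOwnership(src Source, pkgs []Package) []Relationship {
	rels := make([]Relationship, 0, len(pkgs))
	for _, p := range pkgs {
		rels = append(rels, Relationship{Parent: src.ID(), Child: p.ID, Type: ContainsRelationship})
	}
	return rels
}

// Document mirrors the JSON shape: the source carries its id next to its
// metadata, and the relationships reference that id.
type Document struct {
	Artifacts             []Package      `json:"artifacts"`
	ArtifactRelationships []Relationship `json:"artifactRelationships"`
	Source                struct {
		ID string `json:"id"`
		SourceMetadata
	} `json:"source"`
}

func Encode(src Source, pkgs []Package) ([]byte, error) {
	var doc Document
	doc.Source.ID = src.ID()
	doc.Source.SourceMetadata = src.Metadata
	doc.Artifacts = pkgs
	doc.ArtifactRelationships = RelationshipsBySourceOwnership(src, pkgs)
	return json.MarshalIndent(doc, "", "  ")
}

// Decode rebuilds the Source from the document metadata, recomputes its ID
// and refuses documents whose stored id or relationships do not line up.
func Decode(data []byte) (Source, []Package, []Relationship, error) {
	var doc Document
	if err := json.Unmarshal(data, &doc); err != nil {
		return Source{}, nil, nil, err
	}
	src := Source{Metadata: doc.Source.SourceMetadata}
	src.SetID()
	if src.ID() != doc.Source.ID {
		return Source{}, nil, nil, fmt.Errorf("source id %q does not match metadata-derived id %q", doc.Source.ID, src.ID())
	}
	known := map[string]bool{}
	for _, p := range doc.Artifacts {
		known[p.ID] = true
	}
	for _, r := range doc.ArtifactRelationships {
		if r.Type == ContainsRelationship && r.Parent == doc.Source.ID && !known[r.Child] {
			return Source{}, nil, nil, fmt.Errorf("relationship references unknown package %q", r.Child)
		}
	}
	return src, doc.Artifacts, doc.ArtifactRelationships, nil
}

func main() {
	// Constructed sample input, not real catalog output.
	src := Source{Metadata: SourceMetadata{Type: "directory", Target: "/app"}}
	src.SetID()
	data, err := Encode(src, []Package{{ID: "pkg-a", Name: "a"}, {ID: "pkg-b", Name: "b"}})
	if err != nil {
		panic(err)
	}
	fmt.Println(string(data))
}
```

The point of recomputing the ID in `Decode` rather than trusting the stored `id` is that the relationships are only meaningful while the id and the metadata agree; a document whose metadata was edited after the id was written fails fast instead of producing dangling `contains` edges. A `SetID(id string)` override, as proposed in the thread, would trade that check for fidelity to the incoming document, so it belongs behind an explicit choice by the caller.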
* main:
  refactor: Remove experimental Anchore Enterprise upload functionality (#1257)
  Update syft bootstrap tools to latest versions. (#1254)
  Update Stereoscope to d24c9d626b33fa720210b007a20767801827b532 (#1253)
  Update syft bootstrap tools to latest versions. (#1244)
  fix apkdb checksum representation (#1247)
No blocking comments, just a few questions 👍
syft/formats/syftjson/test-fixtures/snapshot/TestDirectoryEncoder.golden (comment outdated, resolved)
syft/formats/syftjson/test-fixtures/snapshot/TestEncodeFullJSONDocument.golden (comment outdated, resolved)
@@ -17,8 +17,6 @@ import (
)

// ToFormatModel transforms the sbom import a format-specific model.
// note: this is needed for anchore import functionality
// TODO: unexport this when/if anchore import functionality is removed
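Review bot: the doc comment on `ToFormatModel` reads "transforms the sbom import a format-specific model"; that should be "into". If the anchore note and TODO are the two lines this hunk drops, the reason the function stays exported becomes undocumented; replace them with a one-line note that the template package's Encode depends on it, so nobody unexports it later on the strength of the anchore removal.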
This still needs to be exported since the template package is using it in its Encode function.
👍
* main: (45 commits)
  feat: add RelationshipsBySourceOwnership to syft json output (#1248)
  fix: reset merged package into map; (#1258)
  refactor: Remove experimental Anchore Enterprise upload functionality (#1257)
  Update syft bootstrap tools to latest versions. (#1254)
  Update Stereoscope to d24c9d626b33fa720210b007a20767801827b532 (#1253)
  Update syft bootstrap tools to latest versions. (#1244)
  fix apkdb checksum representation (#1247)
  feat: add identifiable field to source object (#1243)
  feat: attest support for Singularity images (#1201)
  Update syft bootstrap tools to latest versions. (#1239)
  Update Stereoscope to 1b1b744a919964f38d14e1416fb3f25221b761ce (#1240)
  fix: Follow symlinks when searching for globs in all-layers scope (#1221)
  update requires to use list; remove field (#1234)
  Add Conan (C/C++) conan.lock file support (#1230)
  add sequence diagrams and flesh out TODO notes (#1233)
  Do not fail if unable to parse `.rpm` file (#1232)
  fix: support exclude patterns on Windows (#1228)
  Update syft bootstrap tools to latest versions. (#1225)
  Update Stereoscope to 56552770e555d764ea72b99d3c810326b27ead4a (#1224)
  Update syft bootstrap tools to latest versions. (#1223)
  ...
Signed-off-by: Christopher Phillips <[email protected]>
feat: add new optional source id to json schema
Update json schema to include the source id field.
This new field allows users to view relationships between a source and its packages
Currently src --> packages contain all cataloged packages.
This will become more nuanced as multiple source support is added.
Eventually, syft will be able to generate an SBOM with a single root node that contains multiple
sources, which then contain multiple packages, which then contain some
amount of files.
These entities are also not strictly confined to the described tree structure.
They can behave more like a graph where other directional edges may be applied across entities.
TODO:
Signed-off-by: Christopher Phillips [email protected]