feat: add workspaceRelationship
#7889
Conversation
pkg/sbom/io/encode.go (comment on an outdated revision)
@@ -418,23 +418,38 @@ func (*Encoder) vulnerability(vuln types.DetectedVulnerability) core.Vulnerabili | |||
} | |||
|
|||
// belongToParent determines if a package should be directly included in the parent based on its relationship and dependencies. | |||
func (*Encoder) belongToParent(pkg ftypes.Package, parents map[string]ftypes.Packages) bool { | |||
// Case 1: Direct/Indirect: known , DependsOn: known | |||
func (*Encoder) belongToParent(pkg ftypes.Package, pkgType ftypes.TargetType, parents map[string]ftypes.Packages) bool { |
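Review bot: the new `pkgType ftypes.TargetType` parameter makes `belongToParent` depend on which ecosystem is being encoded, while the doc comment directly above still states that the decision is made "based on its relationship and dependencies" only. Either keep the original signature `belongToParent(pkg ftypes.Package, parents map[string]ftypes.Packages)` and express the root/workspace relationship through the `parents` map so the function stays package-type agnostic, or update the comment to say what `pkgType` changes about the decision and which target types are treated specially.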
This code must be package-type agnostic. I'm thinking about implementation now.
I looked at it again with clear thoughts.
What if we check the parents' types:
```go
// Case 1-1: direct packages
case pkg.Relationship == ftypes.RelationshipDirect:
	pkgParents, ok := parents[pkg.ID]
	// direct package is not related with root package
	if !ok {
		return true
	}
	// Add a package to the parent relation if one of the parents is a root package
	if _, found := lo.Find(pkgParents, func(p ftypes.Package) bool {
		return p.Relationship == ftypes.RelationshipRoot
	}); found {
		return true
	}
	// Case where this package is a child of workspace(s) only
	// Case 1-4
	return false
```
I think we should construct the dependency relationship between root and direct packages on the analyzer/parser end. Then, we can check whether the package has a parent. If the package is direct and has any parent (`root` or `workspace`), `belongToParent` should return false.
I'm not sure if this approach works. Please let me try. This is the first PR relevant to my idea. #7973
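The two proposals above, side by side, as an added example: this is illustrative code written for this page, not Trivy's encoder and not code from either participant. The `Relationship` constants, the `Package` struct and the `parentsOf` helper are assumed stand-ins for Trivy's `ftypes`; `SamplePackages` is a constructed workspace-style graph, not real scan output. `belongToParentByParentType` implements the first idea (attach a direct package to the root unless all of its parents are workspaces), and `belongToParentByAnyParent` implements the second (once the parser records root-to-direct edges, only parentless packages are attached to the root, with no look at package type).

```go
package main

import "fmt"

// Relationship is an illustrative stand-in for ftypes.Relationship; the
// constants below are assumed for this example and are not Trivy's own.
type Relationship int

const (
	RelationshipUnknown Relationship = iota
	RelationshipRoot
	RelationshipWorkspace
	RelationshipDirect
	RelationshipIndirect
)

// Package is a minimal stand-in for ftypes.Package: an ID, how the package
// relates to the scanned project, and the IDs it depends on.
type Package struct {
	ID           string
	Relationship Relationship
	DependsOn    []string
}

// parentsOf inverts the DependsOn edges into a child-ID -> parents map,
// which is the shape a belongToParent-style check consumes.
func parentsOf(pkgs []Package) map[string][]Package {
	parents := make(map[string][]Package)
	for _, p := range pkgs {
		for _, dep := range p.DependsOn {
			parents[dep] = append(parents[dep], p)
		}
	}
	return parents
}

// belongToParentByParentType follows the first proposal in the thread:
// a direct package is attached to the root component unless every parent it
// has is a workspace. Roots and workspaces are never attached; indirect
// packages are attached only when no parent is recorded for them.
func belongToParentByParentType(pkg Package, parents map[string][]Package) bool {
	switch pkg.Relationship {
	case RelationshipRoot, RelationshipWorkspace:
		return false
	case RelationshipDirect:
		pkgParents, ok := parents[pkg.ID]
		if !ok {
			return true // no recorded parent: hang it off the root
		}
		for _, p := range pkgParents {
			if p.Relationship == RelationshipRoot {
				return true
			}
		}
		return false // child of workspace(s) only
	default:
		_, ok := parents[pkg.ID]
		return !ok
	}
}

// belongToParentByAnyParent follows the second proposal: once the parser has
// recorded root -> direct edges, any package with a recorded parent is reached
// through that parent, and only parentless packages are attached to the root.
// It never inspects the package type or the parent's relationship.
func belongToParentByAnyParent(pkg Package, parents map[string][]Package) bool {
	if pkg.Relationship == RelationshipRoot || pkg.Relationship == RelationshipWorkspace {
		return false
	}
	_, ok := parents[pkg.ID]
	return !ok
}

// Classify runs one belongToParent variant over every package.
func Classify(pkgs []Package, belongs func(Package, map[string][]Package) bool) map[string]bool {
	parents := parentsOf(pkgs)
	out := make(map[string]bool, len(pkgs))
	for _, p := range pkgs {
		out[p.ID] = belongs(p, parents)
	}
	return out
}

// SamplePackages is a constructed graph (not real scan output): the root
// depends on one workspace member and on one direct dependency for which the
// parser recorded an edge, the member depends on another direct dependency,
// and "orphan" is direct but has no recorded parent at all.
func SamplePackages() []Package {
	return []Package{
		{ID: "app", Relationship: RelationshipRoot, DependsOn: []string{"member-a", "rand"}},
		{ID: "member-a", Relationship: RelationshipWorkspace, DependsOn: []string{"serde"}},
		{ID: "rand", Relationship: RelationshipDirect},
		{ID: "serde", Relationship: RelationshipDirect, DependsOn: []string{"libc"}},
		{ID: "libc", Relationship: RelationshipIndirect},
		{ID: "orphan", Relationship: RelationshipDirect},
	}
}

func main() {
	fmt.Println("by parent type:", Classify(SamplePackages(), belongToParentByParentType))
	fmt.Println("by any parent: ", Classify(SamplePackages(), belongToParentByAnyParent))
}
```

The difference shows on `rand`: with the parent-type check it is attached to the root because one of its parents is the root, while with the any-parent check it is not, because the root-to-direct edge already places it under the root component. Both variants agree that `serde` (workspace child only) is not attached and that the parentless `orphan` is.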
> I think we should construct the dependency relationship between root and direct packages on the analyzer/parser end.

That seems like a good idea too.
Let me know if I can help you.
Can you do the same thing as #7973 for go modules?
No problem.
Can I add the changes to your PR, or should I create a new PR for Go modules?
Better to create a new PR
Created #7977
Thanks.
c0c4bf1 to 775ae7f
Looks simple now! Do we have any leftovers? If not, you can merge this PR.
Description
Add `workspaceRelationship`. `workspaceRelationship` will be used for `cargo`, `npm`, `maven`, etc. packages. See #7802 for more details.
This PR also adds `workspaceRelationship` for maven modules.
Related issues
`pom.xml` files with modules when using SBOM formats #7802
Checklist