
sbom: use relationship data to reconstruct package files #17

Merged (1 commit), Feb 9, 2023

Conversation

jedevc
Contributor

@jedevc jedevc commented Jan 30, 2023

⬆️ Follow-up to #6.

Scanners producing SPDX documents do not necessarily use the hasFiles key to define available files belonging to a package.

We need to use the relationship data to reconstruct this information.
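The reconstruction the description asks for, written out as an added example (not code from this PR or from the project, which parses SPDX with spdx/tools-golang): a minimal SPDX 2.x JSON view with hypothetical struct names, parsed with only the standard library, that rebuilds the package-to-files mapping from CONTAINS and CONTAINED_BY relationships alone and never consults the deprecated hasFiles key. The sample document is constructed for the example; it includes a DESCRIBES edge and an edge to an undeclared file so the code shows which relationships must be ignored.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Hypothetical minimal view of an SPDX 2.x JSON document: only the fields
// needed to rebuild package -> files (the PR itself uses spdx/tools-golang).
type (
	spdxDoc struct {
		Packages      []spdxPackage      `json:"packages"`
		Files         []spdxFile         `json:"files"`
		Relationships []spdxRelationship `json:"relationships"`
	}
	spdxPackage struct {
		SPDXID string `json:"SPDXID"`
		Name   string `json:"name"`
	}
	spdxFile struct {
		SPDXID   string `json:"SPDXID"`
		FileName string `json:"fileName"`
	}
	spdxRelationship struct {
		Element string `json:"spdxElementId"`
		Type    string `json:"relationshipType"`
		Related string `json:"relatedSpdxElement"`
	}
)

// PackageFiles rebuilds the package -> file-name mapping purely from
// CONTAINS / CONTAINED_BY relationships, never from the deprecated hasFiles
// field. Every declared package appears in the result, even with no files,
// so callers can tell "no files" apart from "unknown package". Relationships
// whose ends are not a declared package and a declared file are ignored.
func PackageFiles(raw []byte) (map[string][]string, error) {
	var doc spdxDoc
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	pkgs := map[string]bool{}
	for _, p := range doc.Packages {
		pkgs[p.SPDXID] = true
	}
	fileNames := map[string]string{} // file SPDXID -> fileName
	for _, f := range doc.Files {
		fileNames[f.SPDXID] = f.FileName
	}
	seen := map[string]map[string]bool{} // package SPDXID -> set of file names
	link := func(pkg, file string) {
		name, ok := fileNames[file]
		if !pkgs[pkg] || !ok {
			return // not a package->file edge between declared elements
		}
		if seen[pkg] == nil {
			seen[pkg] = map[string]bool{}
		}
		seen[pkg][name] = true
	}
	for _, r := range doc.Relationships {
		switch r.Type {
		case "CONTAINS": // package CONTAINS file
			link(r.Element, r.Related)
		case "CONTAINED_BY": // file CONTAINED_BY package (same edge, reversed)
			link(r.Related, r.Element)
		}
	}
	out := map[string][]string{}
	for pkg := range pkgs {
		names := make([]string, 0, len(seen[pkg]))
		for n := range seen[pkg] {
			names = append(names, n)
		}
		sort.Strings(names) // deterministic output regardless of map order
		out[pkg] = names
	}
	return out, nil
}

// sampleSPDX is a constructed document, not the output of any real scanner.
// libfoo is linked to one file in each direction; bar has no file links;
// the DESCRIBES edge and the edge to an undeclared element must be ignored.
const sampleSPDX = `{
  "packages": [
    {"SPDXID": "SPDXRef-Package-libfoo", "name": "libfoo"},
    {"SPDXID": "SPDXRef-Package-bar", "name": "bar"}
  ],
  "files": [
    {"SPDXID": "SPDXRef-File-1", "fileName": "usr/lib/libfoo.so"},
    {"SPDXID": "SPDXRef-File-2", "fileName": "usr/share/doc/libfoo/README"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-Package-libfoo"},
    {"spdxElementId": "SPDXRef-Package-libfoo", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-File-1"},
    {"spdxElementId": "SPDXRef-File-2", "relationshipType": "CONTAINED_BY", "relatedSpdxElement": "SPDXRef-Package-libfoo"},
    {"spdxElementId": "SPDXRef-Package-libfoo", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-File-missing"}
  ]
}`

func main() {
	m, err := PackageFiles([]byte(sampleSPDX))
	if err != nil {
		panic(err)
	}
	for pkg, files := range m {
		fmt.Printf("%s: %v\n", pkg, files)
	}
}
```

Keeping packages with an empty file list in the result matters for consumers that match vulnerabilities per package: a package that is present but claims no files is a signal to investigate the generator, whereas a package silently absent from the map would be indistinguishable from one the scanner never saw.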

@jedevc jedevc requested a review from tonistiigi January 30, 2023 15:51
Member

@tonistiigi tonistiigi left a comment


Scanners producing SPDX documents do not necessarily use

"do not neccessarily use" or never use it without relationship to doc level file being defined as well?

Review thread on sbom.go (outdated, resolved)
@jedevc
Contributor Author

jedevc commented Feb 1, 2023

"do not necessarily use" or never use it without relationship to doc level file being defined as well?

The field is now deprecated - but ugh, yeah, this doesn't guarantee that people produce it or not. We could do both? Just to be sure? That said, it's not even really documented in the most recent spec, so I'm tempted to just omit it - we can always add it back if people add support for scanners that do this.

Scanners producing SPDX documents do not necessarily use the hasFiles
key to define available files belonging to a package.

We need to use the relationship data to reconstruct this information.

Signed-off-by: Justin Chadwell <[email protected]>
@jedevc jedevc force-pushed the spdx-use-file-relationships branch from 923861d to 97aad90 on February 1, 2023 10:35
@tonistiigi
Member

We could do both?

I think it is simple enough to have that additional check.

@jedevc
Contributor Author

jedevc commented Feb 6, 2023

On further inspection, the new SPDX parser in https://github.com/spdx/tools-golang/ doesn't support extracting the old hasFiles field at all.

Glancing over the specs in https://spdx.dev/specifications/, it looks like hasFile was deprecated entirely with SPDX 2 - I don't believe it's something worth supporting, given that SPDX 2.0 was released in 2015.

So any SBOM generator that still produces these deprecated fields shouldn't be.

@jedevc jedevc requested a review from tonistiigi February 7, 2023 11:02
@tonistiigi tonistiigi merged commit e405fbd into docker:main Feb 9, 2023