
Add support for CycloneDX SBOMs #1200

Merged
merged 8 commits into from
Aug 21, 2023

Conversation

@ejortega (Contributor) commented Aug 16, 2023

Add support for parsing CycloneDX SBOMs.

Documentation on v1.5 specs
https://cyclonedx.org/docs/1.5/json/
https://cyclonedx.org/docs/1.5/xml/

Added test files for v1.3, v1.2 and v1.5.

Note: optional dependencies are skipped for now. @louislang and @furi0us333 suggested adding a flag to include those deps when specified by the user.

Closes #1188

Checklist

  • Does this PR have an associated issue (i.e., closes #<issueNum> in description above)?
  • Have you ensured that you have met the expected acceptance criteria?
  • Have you created sufficient tests?
  • Have you updated all affected documentation?
  • Have you updated CHANGELOG.md (or extensions/CHANGELOG.md), if applicable?
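The parsing behaviour the description asks for (CycloneDX JSON components read in, optional-scoped components skipped unless a flag says otherwise), sketched as an added Python example. It is not the PR's Rust code in lockfile/src/cyclonedx.rs; the SBOM document, the `include_optional` flag and the function names are constructed for illustration.

```python
import json

# Constructed CycloneDX 1.5 JSON SBOM for illustration (not one of the PR's fixtures).
SAMPLE_BOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21", "scope": "required"},
    {"type": "library", "name": "serde", "version": "1.0.188",
     "purl": "pkg:cargo/serde@1.0.188",
     "components": [
       {"type": "library", "name": "serde_derive", "version": "1.0.188",
        "purl": "pkg:cargo/serde_derive@1.0.188"}
     ]},
    {"type": "library", "name": "chai", "version": "4.3.7",
     "purl": "pkg:npm/chai@4.3.7", "scope": "optional"}
  ]
}
"""
# Spec versions the PR added fixtures for (plus 1.4, which the review thread mentions).
SUPPORTED_SPEC_VERSIONS = {"1.2", "1.3", "1.4", "1.5"}

def ecosystem_from_purl(purl):
    # The purl "type" (npm, cargo, pypi, ...) identifies the package ecosystem.
    if not isinstance(purl, str) or not purl.startswith("pkg:"):
        return None
    return purl[len("pkg:"):].split("/", 1)[0] or None

def _walk_components(components, include_optional, out):
    for comp in components:
        # The CycloneDX spec says a missing scope is to be read as "required".
        scope = comp.get("scope", "required")
        if scope == "excluded" or (scope == "optional" and not include_optional):
            continue  # skipping a component also skips anything nested under it
        name, version = comp.get("name"), comp.get("version")
        if name and version:
            out.append((name, version, ecosystem_from_purl(comp.get("purl"))))
        # Components may nest further components (e.g. a bundled library).
        _walk_components(comp.get("components", []), include_optional, out)

def parse_cyclonedx_json(text, include_optional=False):
    """Return (name, version, ecosystem) tuples for a CycloneDX JSON SBOM."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if bom.get("specVersion") not in SUPPORTED_SPEC_VERSIONS:
        raise ValueError(f"unsupported specVersion: {bom.get('specVersion')!r}")
    packages = []
    _walk_components(bom.get("components", []), include_optional, packages)
    return packages
```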

@ejortega ejortega requested a review from a team as a code owner August 16, 2023 22:36
Review threads on lockfile/src/cyclonedx.rs (10 threads, all resolved)
Co-authored-by: Christian Dürr <[email protected]>
@ejortega ejortega force-pushed the cyclonedx-sbom branch 3 times, most recently from 543d8a7 to c3626f6, August 17, 2023 18:16

@maxrake (Contributor) commented Aug 17, 2023

I did add test files for v1.4 and v1.3 specs but couldn't find a v1.5 example.

Can one be generated from a common/popular project and then included here? It appears the cyclonedx-npm tool provided by CycloneDX has a --spec-version option that includes v1.5.

EDIT: Further investigation on that repo shows that they already have a collection of examples to demo all the features. There are v1.5 samples included in there.

@ejortega (Contributor, Author) commented:
Thanks @maxrake, updated with those examples.

@cd-work (Contributor) left a comment

300k lines of lockfiles seems a bit excessive to me. Do these files really bring 300k lines of benefit? I don't think we gain much by having excessively large lockfiles that just repeat the same thing over and over again and it would be really unfortunate to bloat up our repo through these.

Note these are currently our biggest lockfiles:

-rw-r--r-- 1 chris chris 3.7M May  2 14:56 spdx-2.3.spdx.json
-rw-r--r-- 1 chris chris 2.6M May  2 14:56 spdx-2.2.spdx
-rw-r--r-- 1 chris chris 1.7M Oct 13  2022 workspace-effective-pom.xml
-rw-r--r-- 1 chris chris 228K Feb 24 19:52 go.sum
-rw-r--r-- 1 chris chris 132K Jan 20  2023 Cargo_v3.lock

Where the 3.7M spdx lockfile is ~100k lines. This is a significant amount of disk space especially if anything ever changes about them (thus effectively doubling their size in the git history), and this can definitely impact git clone speed if it gets worse.

This patch changes the fixture directory size from 8.7M to 20M, more than doubling its size.

@ejortega ejortega requested a review from cd-work August 21, 2023 15:44
@ejortega ejortega merged commit 2f97d77 into main Aug 21, 2023
@ejortega ejortega deleted the cyclonedx-sbom branch August 21, 2023 20:55
Linked issue closed by this pull request: Support parsing CycloneDX SBOMs (#1188)