Added shared module for jq template with SBOM generator #85
Conversation
Codecov Report
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. @@ Coverage Diff @@
## master #85 +/- ##
=======================================
Coverage 73.10% 73.10%
=======================================
Files 7 7
Lines 714 714
=======================================
Hits 522 522
Misses 162 162
Partials 30 30 |
LaurentGoderre
force-pushed
the
jq-template-functions
branch
from
046642a to
9f99ccb
Compare
|
@whalelines I am not seeing other tests for scripts. I will go with what @yosifkit recommends |
scripts/jq-template.jq
Outdated
| referenceLocator: ("pkg:generic/" + .name + "@" + .version + "?" + (.params | [to_entries[] | .key + "=" + .value] | join("\u0026"))) | ||
| } | ||
| ], | ||
| licenseDeclared: .licenses | join(" AND "), |
There was a problem hiding this comment.
Is licenses required? If not, a conditional should be added to only add the licenseDeclared property if it is not null and not an empty array.
There was a problem hiding this comment.
Closest I could get is to output "NOASSERTION" when there is none
LaurentGoderre
force-pushed
the
jq-template-functions
branch
from
9f99ccb to
4919281
Compare
There was a problem hiding this comment.
🤔 I think I'd rather name it something descriptive for what it is, like template-helper-functions.jq. Maybe we'll add a few more useful global helper functions.
I'm still unsure if this is the best place for the logic. Maybe a scanner improvement to scan the Dockerfile and extract this information directly. I guess it'd have to be basically a shell interpreter 🙈, so maybe not easy to implement.
While the Dockerfile is the source of truth for what was installed and from where, this still adds burden to our external maintainers (and will be unlikely to be caught when it isn't updated on a version bump). Most official-images don't use our custom jq templating (even a few we maintain directly don't).
One other item we need to consider is where our tools and scripts will break on a heredoc. In reviewing something else, I ran into https://github.com/docker-library/official-images/blob/8a5c557a6a3fdbe8a83c09ec533bee7d3284f29b/diff-pr.sh#L222-L223 which might have issues with a Dockerfile heredoc. I have to assume that we may have other places where similar assumptions are made.
scripts/jq-template.jq
Outdated
| referenceType: "purl", | ||
| referenceLocator: ("pkg:generic/" + .name + "@" + .version + "?" + (.params | [to_entries[] | .key + "=" + .value] | join("\u0026"))) | ||
| } | ||
| ], |
There was a problem hiding this comment.
Should we add downloadLocation if it is given? Are there any other fields that would be useful or interesting to fill in?
There was a problem hiding this comment.
yeah, I was thinking that would be a next pass
LaurentGoderre
force-pushed
the
jq-template-functions
branch
from
4919281 to
08c9261
Compare
|
@yosifkit heredoc aren't even required. The following works |
Input
Output:
{ "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "erlang-sbom", "packages": [ { "name": "erlang", "versionInfo": "25.3.2.6", "SPDXID": "SPDXRef-Package--erlang", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:generic/erlang@25.3.2.6?os_name=alpine&os_version=3.18" } ], "licenseDeclared": "Apache-2.0 AND MPL-2.0" } ] }