
CycloneDX 1.6 PoC #1076

Merged
merged 4 commits into from
Dec 10, 2024
Conversation

ctron
Contributor

@ctron ctron commented Dec 5, 2024

Here's a PoC, trying to leverage a different parsing library for the CycloneDX SBOMs. It supports 1.6 and has a simpler approach to generating the structs from the schema. Thus I'd expect fewer delays with future versions.

Just to be clear, this doesn't extract any of the new 1.6 information. It just ensures we can parse such files.

@ctron ctron force-pushed the feature/cdx_16_1 branch 2 times, most recently from c14b342 to cae7c74 Compare December 5, 2024 13:16
@JimFuller-RedHat
Collaborator

JimFuller-RedHat commented Dec 6, 2024

Not that I think we should overload this PR to implement 'all the things'... but a little foreshadowing ;)

tldr on cdx 1.6 support for prodsec:

  • Set relationships to represent SRPM -> binary RPM, image index -> arch-specific image, image contains component, and others.
  • Components with identities represented by multiple identifiers (aka multiple purls and CPEs for one component).
  • Evidence, pedigree and provenance object support introspection (eg. able to retrieve/query on these values).

@ctron ctron force-pushed the feature/cdx_16_1 branch 3 times, most recently from 2575643 to cd26af6 Compare December 9, 2024 09:07
@ctron ctron marked this pull request as ready for review December 9, 2024 09:08
@ctron
Contributor Author

ctron commented Dec 9, 2024

I think we should discuss if we want to merge this, or not. I know it doesn't add any new data extraction, it only allows us to actually parse CDX 1.6.

@ctron
Contributor Author

ctron commented Dec 9, 2024

The one thing I am not sure about is, if it is good enough to only parse using the 1.6 structures. All our tests (which are pre 1.6) pass. So it looks ok.

Collaborator

@JimFuller-RedHat JimFuller-RedHat left a comment


We got clarification that we are only interested (for now) in the software composition capabilities of cdx 1.6 (eg. not AIBOM, CBOM, etc). I think this is an important step; we take it earlier rather than later. LGTM

@jcrossley3
Contributor

> The one thing I am not sure about is, if it is good enough to only parse using the 1.6 structures. All our tests (which are pre 1.6) pass. So it looks ok.

I guess we have some gaps in our testing because this doesn't seem correct in light of this PR.

@ctron
Contributor Author

ctron commented Dec 9, 2024

> > The one thing I am not sure about is, if it is good enough to only parse using the 1.6 structures. All our tests (which are pre 1.6) pass. So it looks ok.
>
> I guess we have some gaps in our testing because this doesn't seem correct in light of this PR.

Indeed.

@ctron
Contributor Author

ctron commented Dec 9, 2024

> > > The one thing I am not sure about is, if it is good enough to only parse using the 1.6 structures. All our tests (which are pre 1.6) pass. So it looks ok.
> >
> > I guess we have some gaps in our testing because this doesn't seem correct in light of this PR.
>
> Indeed.

@jcrossley3 added a test for this, and fixed the detection.
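
As an added illustration of two points raised in this thread (detecting which spec version a document declares before parsing it, and components that carry more than one identifier such as a purl and a CPE), the following is a standalone Python example. It is not the project's Rust code and not the parsing library this PR switches to; it uses only the standard library. The sample documents, the purl and CPE values, the `UnsupportedSbom` class and the `SUPPORTED_SPEC_VERSIONS` set are constructed for the example. It relies on the 1.6 JSON schema allowing `evidence.identity` to be either one identity object or a list of them, each with a `field` and a `concludedValue`; older documents go through the same code path, which is the behaviour the thread discusses.

```python
"""Spec-version detection and identifier extraction for CycloneDX JSON SBOMs.

Added example (standard library only); not the project's parser and not the
library introduced by this PR.
"""
from __future__ import annotations

import json
from typing import Any

# Versions this example accepts. 1.6 is the newest; older documents are read
# through the same functions, as the PR does with its 1.6 structures.
SUPPORTED_SPEC_VERSIONS = ("1.3", "1.4", "1.5", "1.6")

# Constructed identifiers and documents (not taken from the project's test data).
PURL = "pkg:rpm/redhat/openssl-libs@3.0.7-24.el9?arch=x86_64"
CPE = "cpe:2.3:a:openssl:openssl:3.0.7:*:*:*:*:*:*:*"

BOM_14 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [{
        "type": "library", "name": "openssl-libs", "version": "3.0.7-24.el9",
        "purl": PURL,
    }],
})

BOM_16 = json.dumps({
    "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [{
        "type": "library", "name": "openssl-libs", "version": "3.0.7-24.el9",
        "purl": PURL,
        "cpe": CPE,
        # 1.6: evidence.identity may be a list, one entry per identifier.
        "evidence": {"identity": [
            {"field": "purl", "confidence": 0.9, "concludedValue": PURL},
            {"field": "cpe", "confidence": 0.6, "concludedValue": CPE},
        ]},
    }],
})


class UnsupportedSbom(ValueError):
    """Raised when a document is not CycloneDX JSON of a supported version."""


def detect_spec_version(raw: str) -> str:
    """Return the declared specVersion, rejecting anything we do not support."""
    doc = json.loads(raw)
    if not isinstance(doc, dict) or doc.get("bomFormat") != "CycloneDX":
        raise UnsupportedSbom("not a CycloneDX document")
    version = doc.get("specVersion")
    if version not in SUPPORTED_SPEC_VERSIONS:
        raise UnsupportedSbom(f"unsupported specVersion {version!r}")
    # If $schema is present it must agree with specVersion; a mismatch is a
    # detection problem, not something to parse through silently.
    schema = doc.get("$schema")
    if schema and not schema.endswith(f"/bom-{version}.schema.json"):
        raise UnsupportedSbom(f"$schema {schema!r} disagrees with specVersion {version}")
    return version


def is_supported(raw: str) -> bool:
    """Boolean form of detect_spec_version, for callers that only triage."""
    try:
        detect_spec_version(raw)
    except (UnsupportedSbom, json.JSONDecodeError):
        return False
    return True


def _identity_entries(component: dict[str, Any]) -> list[dict[str, Any]]:
    """Normalise evidence.identity (absent, one object, or a 1.6 list) to a list."""
    identity = (component.get("evidence") or {}).get("identity")
    if identity is None:
        return []
    return identity if isinstance(identity, list) else [identity]


def component_identifiers(component: dict[str, Any]) -> set[tuple[str, str]]:
    """Collect every (field, value) identifier a component carries."""
    ids: set[tuple[str, str]] = set()
    for field in ("purl", "cpe"):
        if component.get(field):
            ids.add((field, component[field]))
    for entry in _identity_entries(component):
        field, value = entry.get("field"), entry.get("concludedValue")
        if field in ("purl", "cpe") and value:
            ids.add((field, value))
    return ids


def parse_sbom(raw: str) -> dict[str, Any]:
    """Detect the version, then extract components with all their identifiers."""
    version = detect_spec_version(raw)
    doc = json.loads(raw)
    components = [
        {"name": c.get("name"), "version": c.get("version"),
         "identifiers": sorted(component_identifiers(c))}
        for c in doc.get("components", [])
    ]
    return {"spec_version": version, "components": components}
```

The 1.4 document yields a single purl while the 1.6 document yields both a purl and a CPE for the same component, which is the "multiple identifiers per component" case from the list above; the `$schema` versus `specVersion` cross-check is the kind of detection a test suite built only from pre-1.6 fixtures would never exercise.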

@ctron ctron added this pull request to the merge queue Dec 10, 2024
Merged via the queue into trustification:main with commit b168e26 Dec 10, 2024
2 checks passed
@ctron ctron deleted the feature/cdx_16_1 branch December 10, 2024 08:00