feat: add generated SPDX file on bottling #16594
Conversation
Thanks for the PR!
- feels a bit weird this living on `Tab` when it's got little in common there - do we have requests for these files anywhere you can link to?
Library/Homebrew/tab.rb
Outdated
@@ -407,4 +430,151 @@ def to_s | |||
end | |||
s.join(" ") | |||
end | |||
|
|||
sig { returns(Hash) } | |||
def to_spdx_sbom |
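Review bot: `sig { returns(Hash) }` on `to_spdx_sbom` tells Sorbet nothing about the shape of the document being produced, so none of the SPDX structure is checked at the type level; since the output is meant to be a fixed SPDX 2.3 JSON document, consider at least `T::Hash[String, T.untyped]` and a comment naming the SPDX version the hash targets, so that the schema validation requested elsewhere in this review has a declared target to validate against.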
Is this an officially defined format somewhere? If so: we should be using some sort of validator here ideally both at `brew bottle` and `brew tests` times.
I believe the SPDX spec is defined here: https://spdx.github.io/spdx-spec/v2.3/
In terms of a Ruby validator, I'm not sure. I can look into this 🙂
Full ack. Get the results validated. The current implementation produces invalid data.
See #16594 (comment)
Yeah, I was considering splitting it out of tab, but it is sort of the same thing so wanted to get it public first.
No, but I can see the tooling being available in the larger ecosystem being useful. And I chatted with some people about this and they seemed interested.
Cool, all good, as long as done before merged 👍🏻
I think this is the sort of thing I'd like to see some more requests for before we consider integration here.
Yeah this is certainly something that I see to be useful in homebrew. With the significant pressure companies/projects are being put under to provide SBOMs it would be useful for projects to be able to easily determine the exact set of deps in homebrew formulas.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
force-pushed from 0e3db6e to 8c63729
The resulting data structure seems invalid to the SPDX 2.3 JSON schema.
force-pushed from 2166dde to af7e6fe
New generated SBOM: That should pass validation and have some more information than the previous one.
force-pushed from af7e6fe to 8a52c56
Looking better!
Blockers needed before merge:
- tests, ideally with 100% coverage of `sbom.rb`
- uses `JSONSchemer.schema` (like `github_packages.rb`) to do schema validation on write
Didn't know we had that, it sounds awesome. Do we use that for the API already? Otherwise I'm adding that to my list.
It is good for catching problems for sure.
No(t yet). We'd need to create and publish a schema, too. Might want to sync up with @apainintheneck and save this for API v3 rather than create a v2 schema that won't be around in a year.
I sent @SMillerDev some info but honestly API v3 still seems a ways off since the way we handle dependencies for formulae is still undecided and cask v3 is currently blocked by potential scope creep. Either we hold off on validating API v2 for now or we add validation knowing it might get removed in a few months.
force-pushed from 8a52c56 to 18ae7dc
Does anyone know where stdlib information comes from in the install tab etc? Or is that only for Linux and that's why I can't find it?
force-pushed from 4cf1dd2 to fd8dad2
force-pushed from f55bd13 to 919d77e
Any suggestions to fix this?

Error: bottling failed
Error: cannot load such file -- json_schemer
Library/Homebrew/sbom.rb
Outdated
# typed: true | ||
# frozen_string_literal: true | ||
|
||
require "json_schemer" |
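Review bot: the top-level `require "json_schemer"` runs whenever `sbom.rb` is loaded, so every code path that loads this file without the gem installed fails with a `LoadError` (the `cannot load such file -- json_schemer` bottling failure reported above) even if it never validates anything; move the `require` into the method that performs the schema validation, and make sure the gem group it belongs to is installed on that path, so that only `brew bottle` pays for the dependency.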
@SMillerDev This will only be available for `dev-cmd` so may need to get moved into a method call instead. I suspect that's needed to fix CI failures.
I'm not sure what you mean by a method call, do you mean to make a command to generate an SBOM?
Move the `require` inside a `def something`
force-pushed from 72365d6 to 2ad8e6b
We cannot vendor it for all as it unfortunately depends on a native extension (via We already have
force-pushed from 2ad8e6b to 7b040c1
I think/hope this is ready for a final review
Great work so far @SMillerDev, think this is pretty close.
force-pushed from 6ad273d to 44c4ca3
Not sure how to resolve this:

Library/Homebrew/sbom.rb:79:5: C: Homebrew/InstallBundlerGems: Only use Homebrew.install_bundler_gems! in dev-cmd.
Homebrew.install_bundler_gems!(groups: ["bottle"])
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Need to move that call to the relevant
force-pushed from 8b64aeb to 5b5eda0
Okay, after my latest changes it definitely hits those paths, but I guess codecov isn't based on the online run?
It should be: https://github.com/Homebrew/brew/actions/runs/8973658512/job/24644407661?pr=16594#step:13:52

We don't run online tests on macOS in case that's it? CC @Bo98 for ideas.
force-pushed from 5b5eda0 to e9bb075
force-pushed from e9bb075 to a43b746
Checked the patches and simplified the test a little bit since I think it ran as generic (and would never take those patches). I think we're good to merge now.
Thanks again @SMillerDev!
- `brew style` with your changes locally?
- `brew typecheck` with your changes locally?
- `brew tests` with your changes locally?

Attached is an example SBOM: spdx.sbom.json

This should allow us to have some more tracking of what goes into our bottles, but also allow others to have some insight into it.
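The review above asks for two things: that the generated document actually conform to the SPDX 2.3 JSON schema (the first version did not), and that the `json_schemer` dependency only be loaded on the code path that needs it. The following is an added example, not code from Homebrew/brew or from this PR, showing what a schema-conformant SPDX 2.3 document for a bottle looks like, the structural rules a schema validator would reject a document for, and a lazily-required optional validator. The module name `SbomExample`, the `documentNamespace` URL, the `Tool:` creator string and the sample formula/dependency data are all constructed for illustration.

```ruby
require "json"
require "time"

# Added example (not Homebrew's code): build a minimal SPDX 2.3 JSON document
# for a bottle and check the invariants a schema validator would enforce.
module SbomExample
  # SPDX 2.3 idstring: letters, digits, "." and "-" after the "SPDXRef-" prefix.
  SPDX_ID_RE = /\A[A-Za-z0-9.-]+\z/

  # `deps` is an Array of { name:, version:, license: } hashes (constructed input).
  def self.build(formula_name:, version:, license:, deps:, created: Time.now.utc)
    pkg_id = ->(name) { "SPDXRef-Package-#{name.gsub(/[^A-Za-z0-9.-]/, "-")}" }
    root = pkg_id.call(formula_name)

    packages = [{ "SPDXID" => root, "name" => formula_name, "versionInfo" => version,
                  "licenseDeclared" => license, "downloadLocation" => "NOASSERTION",
                  "filesAnalyzed" => false }]
    relationships = [{ "spdxElementId" => "SPDXRef-DOCUMENT",
                       "relatedSpdxElement" => root, "relationshipType" => "DESCRIBES" }]

    deps.each do |dep|
      id = pkg_id.call(dep[:name])
      packages << { "SPDXID" => id, "name" => dep[:name], "versionInfo" => dep[:version],
                    "licenseDeclared" => dep[:license], "downloadLocation" => "NOASSERTION",
                    "filesAnalyzed" => false }
      relationships << { "spdxElementId" => root, "relatedSpdxElement" => id,
                         "relationshipType" => "DEPENDS_ON" }
    end

    {
      "spdxVersion" => "SPDX-2.3",
      "dataLicense" => "CC0-1.0",
      "SPDXID" => "SPDXRef-DOCUMENT",
      "name" => "#{formula_name}-#{version}",
      # Assumed namespace for the example; the spec only requires a unique URI.
      "documentNamespace" => "https://example.invalid/spdx/#{formula_name}-#{version}",
      "creationInfo" => { "created" => created.iso8601, "creators" => ["Tool: sbom-example"] },
      "packages" => packages,
      "relationships" => relationships,
    }
  end

  # What would be written to spdx.sbom.json.
  def self.serialize(doc)
    JSON.pretty_generate(doc)
  end

  # Structural checks mirroring the SPDX 2.3 schema rules that tripped the first
  # version of this PR; returns an Array of error strings (empty when valid).
  def self.validate(doc)
    errors = []
    errors << "spdxVersion must be SPDX-2.3" unless doc["spdxVersion"] == "SPDX-2.3"
    errors << "dataLicense must be CC0-1.0" unless doc["dataLicense"] == "CC0-1.0"
    errors << "document SPDXID must be SPDXRef-DOCUMENT" unless doc["SPDXID"] == "SPDXRef-DOCUMENT"
    %w[name documentNamespace creationInfo].each { |k| errors << "missing #{k}" unless doc.key?(k) }
    ci = doc["creationInfo"] || {}
    created_ok = ci["created"].is_a?(String) && ci["created"] =~ /\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z\z/
    errors << "creationInfo.created must be an RFC 3339 UTC timestamp" unless created_ok
    errors << "creationInfo.creators must be non-empty" unless ci["creators"].is_a?(Array) && !ci["creators"].empty?

    ids = ["SPDXRef-DOCUMENT"]
    Array(doc["packages"]).each do |pkg|
      id = pkg["SPDXID"].to_s
      id_ok = id.start_with?("SPDXRef-") && id.delete_prefix("SPDXRef-") =~ SPDX_ID_RE
      errors << "package SPDXID #{id.inspect} must match SPDXRef-<idstring>" unless id_ok
      errors << "duplicate SPDXID #{id}" if ids.include?(id)
      ids << id
      %w[name downloadLocation].each { |k| errors << "package #{id} missing #{k}" unless pkg.key?(k) }
    end
    Array(doc["relationships"]).each do |rel|
      %w[spdxElementId relatedSpdxElement].each do |k|
        errors << "relationship references unknown element #{rel[k].inspect}" unless ids.include?(rel[k])
      end
    end
    describes = Array(doc["relationships"]).any? do |r|
      r["spdxElementId"] == "SPDXRef-DOCUMENT" && r["relationshipType"] == "DESCRIBES"
    end
    errors << "document must DESCRIBES at least one package" unless describes
    errors
  end

  # The pattern the reviewers asked for: load the optional gem only where it is
  # used, so loading this file never raises LoadError on paths that don't validate.
  def self.schema_validator_available?
    require "json_schemer"
    true
  rescue LoadError
    false
  end
end
```

`validate` is a stand-in for the real thing: in the PR the document is checked against the published SPDX 2.3 JSON schema with `JSONSchemer.schema`, which covers far more than these rules, but these are the ones a hand-built hash is most likely to violate (wrong version string, missing `DESCRIBES` relationship, SPDX identifiers without the `SPDXRef-` prefix, dangling relationship references).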