chore: improve cyclonedx-mvn bom file check to include files with cus… #524
Conversation
oracle-contributor-agreement
bot
added
the
OCA Verified
|
Is it possible to have a unit test for the scenario of custom file name for the top path SBOM file? |
|
Since the |
…tom names Signed-off-by: Ben Selwyn-Smith <[email protected]>
…t for custom named maven sboms Signed-off-by: Ben Selwyn-Smith <[email protected]>
Signed-off-by: Ben Selwyn-Smith <[email protected]>
…est case Signed-off-by: Ben Selwyn-Smith <[email protected]>
Signed-off-by: Ben Selwyn-Smith <[email protected]>
Signed-off-by: Ben Selwyn-Smith <[email protected]>
Signed-off-by: Ben Selwyn-Smith <[email protected]>
Signed-off-by: Ben Selwyn-Smith <[email protected]>
benmss
force-pushed
the
518-support-named-cyclonedx-output
branch
from
04614ec to
f738040
Compare
Signed-off-by: Ben Selwyn-Smith <[email protected]>
|
|
||
| # Collect all the dependency files recursively. | ||
| child_paths = [ | ||
| Path(path) | ||
| for path in glob.glob(os.path.join(dir_path, "**", "target", self.file_name), recursive=True) | ||
| for path in glob.glob( | ||
| os.path.join(dir_path, "**", "target", "*.json" if top_path_altered else self.file_name), recursive=True |
There was a problem hiding this comment.
What would happen if there is multiple *.json files in the "children" taget directories, given that there exist a custom-named SBOM file in the top path?
Signed-off-by: Ben Selwyn-Smith <[email protected]>
Signed-off-by: Ben Selwyn-Smith <[email protected]>
There was a problem hiding this comment.
Because the BOM file can have a custom name, we also need to adjust the error message here and avoid printing the default file name to avoid confusion:
raise CycloneDXParserError(f"Unable to locate any BOM files at: {str(file_path.parent)}.")Signed-off-by: Ben Selwyn-Smith <[email protected]>
| if Path(path) != top_path | ||
| ] | ||
|
|
||
| # Ensure recursively found SBOMs are at most one per directory. | ||
| child_paths_set = set() |
There was a problem hiding this comment.
This set contains the parent directory names of all children SBOM files. I think we could re-name it to something like child_sbom_dir_names
tromai
dismissed
their stale review
I left some comments for the latest changes so I dismissed this approval.
Signed-off-by: Ben Selwyn-Smith <[email protected]>
…in projects and subprojects, and clarify in comments Signed-off-by: Ben Selwyn-Smith <[email protected]>
| directory. The name of the file is not considered because projects can be configured to produce a custom named | ||
| SBOM, which cannot be overridden if included at the parent POM level. | ||
| The presence of multiple JSON files within a target directory differs too greatly from the expectations of the | ||
| plugin's output. It is for this reason that an error is thrown in such cases. |
There was a problem hiding this comment.
| plugin's output. It is for this reason that an error is thrown in such cases. | |
| plugin's output. It is for this reason that these cases are treated as error and this method will return an empty dictionary. |
I think it's better to be explicitly on how the error are handled. We don't throw any error in this method, but only return an empty dictionary. Please feel free to change the comment accordingly, my suggestion here is only for references only.
| return {} | ||
| top_path = Path(possible_paths[0]) | ||
| top_path_altered = True | ||
| possible_paths = glob.glob(os.path.join(dir_path, "target", "*.json")) |
There was a problem hiding this comment.
I prefer the previous implementation which first checks for the expected file name. If that file cannot be found, we can look for other JSON files. This can avoid missing the BOM files when a project uses expected names but also produces other JSON files.
Signed-off-by: Ben Selwyn-Smith <[email protected]>
#524) Signed-off-by: Ben Selwyn-Smith <[email protected]>
Allows Macaron to discover
cyclonedx-mvnSBOM files that have been created with a non-default name.Does not provide support for custom directories or cases where multiple SBOM files end up in the expected
targetdirectory, as these would require POM parsing to properly detect.Closes #518