
Include the OS Information available in the SBOM model in the SPDX reports #3462

Open
wants to merge 3 commits into main

Conversation

josegomezr

Description

Include the OS Information available in the SBOM model in the SPDX reports

Type of change

  • New feature (non-breaking change which adds functionality)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

TODO:

  • Understand the offset logic for {relationship,pkgCont}OffsetPerVersion

popey (Contributor) commented Nov 25, 2024

Thanks for the PR @josegomezr !

I gave it a quick test here, and it looks good from a functional point of view. I'll leave others for code review.

$ grep ">" diff.txt
                                                              >     },
                                                              >     {
                                                              >       "name": "debian",
                                                              >       "SPDXID": "SPDXRef-OperatingSystem-debian",
                                                              >       "versionInfo": "12",
                                                              >       "supplier": "NOASSERTION",
                                                              >       "downloadLocation": "NOASSERTION",
                                                              >       "filesAnalyzed": false,
                                                              >       "licenseConcluded": "NOASSERTION",
                                                              >       "licenseDeclared": "NOASSERTION",
                                                              >       "description": "Debian GNU/Linux 12 (bookworm)",
                                                              >       "primaryPackagePurpose": "OPERATING-SYSTEM"
                                                              >       "relationshipType": "CONTAINS"
                                                              >     },
                                                              >     {
                                                              >       "spdxElementId": "SPDXRef-DocumentRoot-Image-nextcloud"
                                                              >       "relatedSpdxElement": "SPDXRef-OperatingSystem-debian",

Add a new package reference describing the Linux environment available
via `SBOM.Artifacts.LinuxDistribution`

When it's not found, it behaves as before this PR.

When found, it'll interject the `OperatingSystem` reference between the
target and the packages to reflect:

Document DESCRIBES target
target CONTAINS OperatingSystem
OperatingSystem CONTAINS *Packages

Signed-off-by: Jose D. Gomez R <[email protected]>
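The three-level layout the commit message describes (Document DESCRIBES target, target CONTAINS OperatingSystem, OperatingSystem CONTAINS each package), with the fallback to the old two-level layout when no distribution is known, is shown below as an added example. It is not code from this PR or from Syft: the `LinuxDistribution`, `Package`, `SPDXPackage`, `Relationship` and `Document` types are constructed stand-ins, `BuildDocument`, `ContainerOf` and `OperatingSystemOf` are hypothetical helpers, and the `curl`/`openssl` versions are made up. The SPDXIDs and the Debian values mirror the diff excerpt in the comment above. `OperatingSystemOf` is the consumer-side check a scanner would run to detect the gap reported in the linked issue: an SPDX document with no `OPERATING-SYSTEM` package cannot be matched against distribution advisories.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed stand-ins for the SBOM model; not Syft's own types.
type LinuxDistribution struct {
	ID         string // "debian"
	VersionID  string // "12"
	PrettyName string // "Debian GNU/Linux 12 (bookworm)"
}

type Package struct {
	Name    string
	Version string
}

// Minimal SPDX JSON shapes: only the fields needed to show the layout.
type SPDXPackage struct {
	Name                  string `json:"name"`
	SPDXID                string `json:"SPDXID"`
	VersionInfo           string `json:"versionInfo,omitempty"`
	Description           string `json:"description,omitempty"`
	PrimaryPackagePurpose string `json:"primaryPackagePurpose,omitempty"`
}

type Relationship struct {
	SPDXElementID      string `json:"spdxElementId"`
	RelatedSPDXElement string `json:"relatedSpdxElement"`
	RelationshipType   string `json:"relationshipType"`
}

type Document struct {
	Packages      []SPDXPackage  `json:"packages"`
	Relationships []Relationship `json:"relationships"`
}

const documentID = "SPDXRef-DOCUMENT"

// BuildDocument wires relationships as the commit message describes: Document
// DESCRIBES target; with a known distribution, target CONTAINS OperatingSystem and
// OperatingSystem CONTAINS each package; without one, target CONTAINS the packages.
func BuildDocument(targetName, targetID string, distro *LinuxDistribution, pkgs []Package) Document {
	var doc Document
	doc.Packages = append(doc.Packages, SPDXPackage{Name: targetName, SPDXID: targetID})
	doc.Relationships = append(doc.Relationships, Relationship{documentID, targetID, "DESCRIBES"})

	container := targetID // the element that CONTAINS the packages
	if distro != nil {
		osID := "SPDXRef-OperatingSystem-" + distro.ID
		doc.Packages = append(doc.Packages, SPDXPackage{
			Name:                  distro.ID,
			SPDXID:                osID,
			VersionInfo:           distro.VersionID,
			Description:           distro.PrettyName,
			PrimaryPackagePurpose: "OPERATING-SYSTEM",
		})
		doc.Relationships = append(doc.Relationships, Relationship{targetID, osID, "CONTAINS"})
		container = osID // packages now hang off the OS element instead of the target
	}
	for _, p := range pkgs {
		id := "SPDXRef-Package-" + p.Name + "-" + p.Version
		doc.Packages = append(doc.Packages, SPDXPackage{Name: p.Name, SPDXID: id, VersionInfo: p.Version})
		doc.Relationships = append(doc.Relationships, Relationship{container, id, "CONTAINS"})
	}
	return doc
}

// ContainerOf returns the SPDXID that directly CONTAINS id, or "" if none does.
func ContainerOf(doc Document, id string) string {
	for _, r := range doc.Relationships {
		if r.RelationshipType == "CONTAINS" && r.RelatedSPDXElement == id {
			return r.SPDXElementID
		}
	}
	return ""
}

// OperatingSystemOf is the consumer-side check: a scanner that matches
// distribution advisories needs an OPERATING-SYSTEM package to be present.
func OperatingSystemOf(doc Document) (SPDXPackage, bool) {
	for _, p := range doc.Packages {
		if p.PrimaryPackagePurpose == "OPERATING-SYSTEM" {
			return p, true
		}
	}
	return SPDXPackage{}, false
}

func main() {
	// Constructed sample input mirroring the values in the diff excerpt above.
	distro := &LinuxDistribution{ID: "debian", VersionID: "12", PrettyName: "Debian GNU/Linux 12 (bookworm)"}
	pkgs := []Package{{"curl", "7.88.1"}, {"openssl", "3.0.11"}}
	doc := BuildDocument("nextcloud", "SPDXRef-DocumentRoot-Image-nextcloud", distro, pkgs)
	out, _ := json.MarshalIndent(doc, "", "  ")
	fmt.Println(string(out))
}
```

Running `main` prints the SPDX JSON with the `SPDXRef-OperatingSystem-debian` package and the `CONTAINS` chain from target to OS to packages; passing `nil` for the distribution reproduces the pre-PR output where the target contains the packages directly, which is the shape `OperatingSystemOf` flags as lacking OS information.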
Successfully merging this pull request may close these issues.

OS information missing in SPDX format SBOM for a container image