Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Relax SBOM validation #126

Open
dmikusa opened this issue Mar 25, 2022 · 6 comments
Open

Relax SBOM validation #126

dmikusa opened this issue Mar 25, 2022 · 6 comments
Labels
hacktoberfest note:ideal-for-contribution An issue that a contributor can help us with type:enhancement A general enhancement
Milestone

Comments

@dmikusa
Copy link
Contributor

dmikusa commented Mar 25, 2022

We validate SBOM formats in libcnb, but this only takes into consideration the core mime type, not any additional parameters/specifiers.

We need to improve the validation to take into consideration additional parameters or relax it so that they are ignored.

This is similar to the following change in the lifecycle:

The builder, when validating buildpack-output SBOM files against buildpack-declared SBOM formats, will omit optional parameters in the declared media type from the comparison, allowing buildpacks to specify parameters in buildpack.toml (buildpacks/lifecycle#834 by @natalieparellano)

@dmikusa dmikusa added the type:enhancement A general enhancement label Mar 25, 2022
@sambhav sambhav added this to the 2.0 milestone Jun 3, 2022
@dmikusa dmikusa added note:ideal-for-contribution An issue that a contributor can help us with hacktoberfest labels Oct 3, 2023
@sagnik3788
Copy link

@dmikusa , may I give it a try?

@dmikusa
Copy link
Contributor Author

dmikusa commented Jan 6, 2024

Absolutely. Let me know if you have questions or need me to take a look at a PR.

@sagnik3788
Copy link

What additional parameters can I add to validateSBOMFormats Can I include a CustomValidator or additionalMetadata if required? @dmikusa

@dmikusa
Copy link
Contributor Author

dmikusa commented Jan 17, 2024

@sagnik3788 Sorry for the delay, I was at a conference last week.

Technically you can add any parameters you want. That's a private method so we don't need to worry about breaking changes there.

My suggestion would be that you start by using the mime library to parse the mime types. One issue with the current implementation is that we process them as strings, which works Ok for basic mime types like application/zip but more complicated mime types like text/plain;charset=us-ascii will break it. Using the mime library will process those correctly.

The link above has an example of that.

@sagnik3788
Copy link

@dmikusa can you review the pr

@loewenstein
Copy link

@dmikusa is this in the 2.0 milestone because it cannot be done in 1.x or because it is a requirement to release 2.0?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
hacktoberfest note:ideal-for-contribution An issue that a contributor can help us with type:enhancement A general enhancement
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants