feat: add SBOM-based dependency diff workflow #14
Conversation
- contains some changes of the following commits in accumulating files (e.g. dist/index.js, package.json) related to camunda/camunda-bpm-platform#2781
ThorbenLindhauer
force-pushed
the
2781-dependency-updates
branch
from
8a52948 to
583276c
Compare
|
I have restructured the PR into five meaningful increments. Note that the first commit contains some content in shared files (e.g. |
There was a problem hiding this comment.
Looks really nice! I added some minor comments, mostly about obvious code smells and a few questions.
💬 Since it contains a lot of code it might be good to see some details in the job log in case we need to look into something. GitHub has the log grouping feature which makes reading big logs easier. Maybe we could use it here?
Some ideas (link):
- 🔧 Group the git and maven executions.
- 🔧 We could also print the head and base sbom in groups. Maybe print some intermediate infos during analysis.
What do you think?
| const partialPaths = [ | ||
| 'componentDetails:../java-dependency-check/component-details.hbs', | ||
| 'componentDiff:../java-dependency-check/component-diff.hbs', | ||
| 'componentTree:../java-dependency-check/component-tree.hbs', | ||
| 'componentVersion:../java-dependency-check/component-version.hbs' | ||
| ]; | ||
|
|
||
| const partials = partialPaths.reduce( | ||
| (result, input) => { | ||
| [ partialId, partialPath ] = input.split(':'); | ||
| result[partialId.trim()] = readFile(partialPath.trim()); | ||
| return result; | ||
| }, | ||
| {} | ||
| ); |
There was a problem hiding this comment.
💬 Interesting way of doing this :) But it does the job.
I guess it's because it uses the (almost) same format as the workflow parameter.
There was a problem hiding this comment.
Let me know if there's a more elegant way to convert these parameters into a map. I have rather basic Javascript standard library knowledge (and google skills).
There was a problem hiding this comment.
It's okay!
I later realized that it uses the same format as the workflow input parameter (which is just a string not a JSON object or map), so it makes sense. 👍
common/dist/xhr-sync-worker.js
Outdated
There was a problem hiding this comment.
This is generated by ncc build index.js -o dist that bundles and minifies code along with the npm dependencies. I cannot tell exactly why it is like that, it appeared with adding one of the dependencies. My guess would be that this is a transitive dependency of one of the dependencies and it has some configuration that prevents bundling/minification.
There was a problem hiding this comment.
Ah okay, thanks.
I really tried to understand why it's needed but couldn't figure it out. 😀
common/diff-sboms-standalone.js
Outdated
|
|
||
| var args = process.argv.slice(2); // first two arguments are the executable and the JS file | ||
|
|
||
| if (args.length != 3) { |
There was a problem hiding this comment.
🔧
| if (args.length != 3) { | |
| if (args.length !== 3) { |
common/src/diff-sboms.js
Outdated
| core.info(`Dependency diff:`); | ||
| core.info(diff.fullDiff); | ||
|
|
||
| octokit.rest.issues.createComment({ |
There was a problem hiding this comment.
❓Should we maybe wait for this?
| octokit.rest.issues.createComment({ | |
| await octokit.rest.issues.createComment({ |
common/src/sbom-diff/differ.js
Outdated
| dependency the traversal belongs | ||
| */ | ||
|
|
||
| var componentDiff = sbomDiff.getComponentDiff(baseComponent, comparingComponent); |
There was a problem hiding this comment.
🔧
| var componentDiff = sbomDiff.getComponentDiff(baseComponent, comparingComponent); | |
| let componentDiff = sbomDiff.getComponentDiff(baseComponent, comparingComponent); |
common/src/test/sbom-matchers.js
Outdated
| var baseComponent = actual.baseComponent; | ||
| var comparingComponent = actual.comparingComponent; |
There was a problem hiding this comment.
🔧
| var baseComponent = actual.baseComponent; | |
| var comparingComponent = actual.comparingComponent; | |
| const baseComponent = actual.baseComponent; | |
| const comparingComponent = actual.comparingComponent; |
common/src/test/sbom-matchers.js
Outdated
|
|
||
| const actualChanges = Object.assign({}, actual.changedDependencies); | ||
| const unmatchedChanges = []; | ||
| var allChangesMatch = true; |
There was a problem hiding this comment.
🔧
| var allChangesMatch = true; | |
| let allChangesMatch = true; |
common/src/test/sbom-parse.test.js
Outdated
|
|
||
| expect(components.size).toEqual(19); | ||
|
|
||
| var numThirdPartyComponents = 0; |
There was a problem hiding this comment.
| var numThirdPartyComponents = 0; | |
| let numThirdPartyComponents = 0; |
|
|
||
| expect.extend(sbomMatchers); | ||
|
|
||
| describe("SBOM diff", () => { |
There was a problem hiding this comment.
🔧 These tests could also have the given-when-then comments.
| mkdir -p target/diff | ||
|
|
||
| mvn -s "$1" --no-transfer-progress org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom | ||
|
|
||
| echo "SBOM generated for github ref HEAD" | ||
|
|
||
| cp target/bom.json target/diff/head.json |
There was a problem hiding this comment.
💬 The job log output is pretty big, maybe we could take advantage of GitHub log grouping? (I haven't tried this)
| mkdir -p target/diff | |
| mvn -s "$1" --no-transfer-progress org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom | |
| echo "SBOM generated for github ref HEAD" | |
| cp target/bom.json target/diff/head.json | |
| echo "::group::SBOM head" | |
| mkdir -p target/diff | |
| mvn -s "$1" --no-transfer-progress org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom | |
| echo "SBOM generated for github ref HEAD" | |
| cp target/bom.json target/diff/head.json | |
| echo "::endgroup::" |
There was a problem hiding this comment.
*I mixed up the jobs, the output is actually not that big as I thought.
java-dependency-check/diff.hbs
Outdated
|
|
||
| {{#each diff.addedDependencies}} | ||
| {{#if thirdParty}} | ||
| - [ ] {{name}}:{{>componentVersion}} |
There was a problem hiding this comment.
🔧
| - [ ] {{name}}:{{>componentVersion}} | |
| - [ ] {{name}}: {{>componentVersion}} |
|
Re log grouping: I can have a look and add it for the git and Maven output. I wouldn't log the SBOM files though. They are ~10,000 lines, which makes searching and browsing them very hard in the log file. github also adds the timestamp to each line so it's rather impossible to copy them into an editor from there. Instead I decided to add them as workflow artifacts (check the zip file in the build summary). I think that is easier to work with. |
|
@danielkelemen I have applied all the review hints that I didn't comment on and I have added log grouping to the step that generates SBOMs (see https://github.com/camunda/camunda-bpm-platform/actions/runs/6433372444/job/17470293552?pr=3581). Please re-review and let me know what you think about the items I commented on. |
ThorbenLindhauer
force-pushed
the
2781-dependency-updates
branch
from
e8162e9 to
3dfe8c2
Compare
related to camunda/camunda-bpm-platform#2781