Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP: Adding optional RPM summary to SBOMs #762

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

a-ovchinnikov
Copy link
Collaborator

This change adds an option to include RPM summary in a SBOM.

TODO: split into multiple commits

Maintainers will complete the following section

  • Commit messages are descriptive enough
  • Code coverage from testing does not decrease and new code is covered
  • Docs updated (if applicable)
  • Docs links in the code are still valid (if docs were updated)

Note: if the contribution is external (not from an organization member), the CI
pipeline will not run automatically. After verifying that the CI is safe to run:

@a-ovchinnikov a-ovchinnikov requested review from eskultety and brunoapimentel and removed request for eskultety December 4, 2024 10:57
@@ -87,6 +92,8 @@ def to_properties(self) -> list[Property]:
props.append(Property(name="cachi2:pip:package:binary", value="true"))
if self.bundler_package_binary:
props.append(Property(name="cachi2:bundler:package:binary", value="true"))
if self.add_rpm_summary:
props.append(Property(name="cachi2:bundler:package:binary", value="true"))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Won't this property be a bool in the output after the component properties are merged? Also, shouldn't the name of this Property be cachi2:rpm_summary?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ouch, you are right, I meant a totally different thing, an actual string property, but apparently got it mixed up with the flag turning this feature on.

@@ -7,6 +7,7 @@
PropertyName = Literal[
"cachi2:bundler:package:binary",
"cachi2:found_by",
"cachi2:rpm_summary",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we use a custom cachi2 property or perhaps the description field for a CycloneDX Component instead?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe. I'll need to think about it more. A Property looks the least invasive way of doing this.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we decide to go the component.description path, we might be able to map it to SPDX similarly:
https://spdx.github.io/spdx-spec/v2.3/package-information/#718-package-summary-description-field

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FWIW properties can be straightforwardly converted to annotations.

This change adds an option to include RPM summary in a SBOM.

TODO: split into multiple commits

Signed-off-by: Alexey Ovchinnikov <[email protected]>
@@ -216,6 +216,7 @@ class RpmPackageInput(_PackageInputBase):
"""Accepted input for a rpm package."""

type: Literal["rpm"]
add_rpm_summary: bool = False
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what is the reasoning behind making this configurable? On its own the option doesn't IMO make much sense and I'd like to avoid littering the code with semi-random single-purpose tailored SBOM options in the future by setting this precedent. It's a straightforward change, so why don't we make it the default?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the following reasons are for making it optional: it is PM-specific, the original implementation did not have it, it was requested as an enhancement for a very specific use case, it increases SBOM size (which might or might not be of concern). I don't think having a summary around actually improves a SBOM. While this sets a bad(?) precedent the option is limited in scope to one PM (which is essentially a plug-in for handling packages of a specific format). The option addresses a specific need and everyone else is not affected by its addition.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants