Final fixes for initial 2-SBOM release #2156
Merged
Commits on Jul 8, 2021
-
This commit changes the stated license as Apache-2.0 in both SBOMs. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
-
Add ExternalDocRef to SPDX package
This commit adds the capability to the spdx package to reference external documents. This is achieved by a new type ExternalDocumentRef which gets rendered in the document. This commit also modifies the YAML configuration support to enable the definition of external document references: ```yaml external-docs: - id: kubernetes-source uri: http://gcr.io/k8s.spdx checksums: {sha256: 5167fec9c11112ee8ea3f2b21345df18d4a4aec5a5dcbeb03d0d2c8c438eada7} ``` A test for the correct rendering of the new type is included. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]> -
Artifacts listing funcs in workspace
This commit adds three functions to workspace.go to get the artifacts produced for a given version: ListBuildImages: Returns a list if the image archives ListBuildTarballs: Returns the various tarballs before staging ListBuildBinaries: Returns a struct of binaries, organized by arch and platform Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
-
Add binaries and tarballs to SBOM
This commit modifies GenerateVersionArtifactsBOM to add binaries and workspace files independently to list the bucket paths that will hold them after release. Previously, the SBOM listed binaries in in their staging paths and tarballs where missing. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
-
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
-
Regenrate layer SPDX ID to add imageref
When generating a conatiner image PSDX package, we now generate the SPDX IDs for the layers incorporating the image ref. This avoids ID clashes when two images containt the same layer (ie the same base image). Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
-
SBOM: Link source SBOM to artifacts SBOM
This commit links the artifacts sbom with the artifacts sbom using a SPDX ExternalDocumentRef. To do this, we now add a new function to the ExternalDocumentRef type to calculate the sha1 checksum from a local file. A test is included for the new function. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
-
Ensure SPDX relationship rednering
This commit improves the handling of the SPDX relationships rendering by catching potential inconsistencies. A new test for the function is included. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
-
SPDX: Support relationships with remote entities
This commit introduces a change to correctly handle relationships with remote SPDX entities. Before this change, only local objects could be referenced in the SBOM. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
-
Correct external link to kubernetes source SBOM
This PR corrects the external reference linking the kubernetes source sbom and the release sbom now that the SPDX package supports external references in relationships. Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.