Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SPDX 2.3 support #13

Merged
merged 9 commits into from
Jan 12, 2023
Merged

Add SPDX 2.3 support #13

merged 9 commits into from
Jan 12, 2023

Conversation

puerco
Copy link
Contributor

@puerco puerco commented Dec 16, 2022

This PR adds SPDX 2.3 support SBOM Scorecard.

While the number of SPDX fields in use is still low, we can create an abstract document model we can use to test against.

The main test report has been modified to use the abstract document. The document.go package lays the groundwork for the extensible doc model and adds a few functions to read and populate the common model with the fields the report cares about. The abstract document can be expanded to add more fields as the tests get more sophisticated.

A simple test of the new loader and test SBOMs are included.

@puerco
Pull SPDX libraries at head to pickup 2.3 support
8f10226 
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
Add SPDX 2.3 support
70b3ca7 
This commit introduces a document model to handle SPDX 2.2 and 2.3 packages.
The model is intended to avoid code duplication in the application while working
with the SPDX libraries.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
Bundle document errors when opening fails
c2a00d4 
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
Import testify for testing
2e753f4 
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
Add document simple loading test and test files
5fa04c9 
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
Fix bug where packages without extrefs misssed versions
9c5ad9f 
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
Fix bug where files where reported as zero
8a7fce1 
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@justinabrahms
Copy link
Contributor

Thanks so much for this PR. I'm going to delay merging until very early January, as I'm hoping to spend time away from coding for a bit. If I cave during this vacation.. it might make it in earlier, but wanted to set some expectations.

justinabrahms
justinabrahms reviewed Jan 3, 2023
View reviewed changes
Copy link
Contributor

@justinabrahms justinabrahms left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good. Few minor comments. Thanks for adding 2.3 support. :D

@justinabrahms
Copy link
Contributor

Hey @puerco . Just checking in to see if I should pick this PR up and carry it forward or if you're planning to make the changes.

Thanks again for getting it this far. :)

@justinabrahms justinabrahms merged commit d267598 into eBay:main Jan 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@justinabrahms justinabrahms justinabrahms left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@puerco @justinabrahms