@JeromySt
Member

  • LoadSBOMFromFile and LoadArtifactFromFile now check if the descriptor has a title annotation
  • If no title annotation exists, they add one using filepath.Base(filename)
  • This ensures only the filename (not the full path) is used in the annotation
  • LoadSBOMFromReader and LoadArtifactFromReader remain unchanged (no annotations added)
  • Added comprehensive tests to verify the behavior
  • Tests ensure annotations are only added by *FromFile functions, not *FromReader functions
  • Maintains backward compatibility and doesn't overwrite existing annotations

…rtifactFromFile

@ridhoq
Member

ridhoq commented Jul 22, 2025

➜  obom git:(users/jstatia/add_filename_annotation_postprocess) ./obom push -f /path/to/my/sbom/grafana-10.4.4.json ridhoq.azurecr.io/sboms/grafana:10.4.4
================================================================================
Document Name:         docker.io/grafana/grafana
Document Namespace:    https://anchore.com/syft/image/docker.io/grafana/grafana-f58f1584-bbb9-4388-90ff-515b2b0c6a13
SPDX Version:          SPDX-2.3
Creation Date:         2024-06-19T19:41:41Z
Creators:              Anchore, Inc
                       syft-1.1.1
Packages:              428
Files:                 1103
Digest:                sha256:228f2967a14c4df0a41b801b77274534921d043a815059cb24f3be1b30f44d91
================================================================================
Pushing SBOM to ridhoq.azurecr.io/sboms/grafana:10.4.4@sha256:228f2967a14c4df0a41b801b77274534921d043a815059cb24f3be1b30f44d91...
SBOM pushed to ridhoq.azurecr.io/sboms/grafana:10.4.4@sha256:cd98a5fd8b33702fa06ea7aa83f4bd7065c3f4c12e405c0b4d10b5898770d1ae
➜  obom git:(users/jstatia/add_filename_annotation_postprocess) oras manifest fetch ridhoq.azurecr.io/sboms/grafana:10.4.4 | jq .
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "artifactType": "application/spdx+json",
  "config": {
    "mediaType": "application/vnd.oci.empty.v1+json",
    "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
    "size": 2,
    "data": "e30="
  },
  "layers": [
    {
      "mediaType": "application/spdx+json",
      "digest": "sha256:228f2967a14c4df0a41b801b77274534921d043a815059cb24f3be1b30f44d91",
      "size": 1775331,
      "annotations": {
        "org.opencontainers.image.title": "grafana-10.4.4.json"
      }
    }
  ],
  "annotations": {
    "org.opencontainers.image.created": "2025-07-22T02:04:49Z",
    "org.spdx.created": "2024-06-19T19:41:41Z",
    "org.spdx.creator": "Organization: Anchore, Inc, Tool: syft-1.1.1",
    "org.spdx.name": "docker.io/grafana/grafana",
    "org.spdx.namespace": "https://anchore.com/syft/image/docker.io/grafana/grafana-f58f1584-bbb9-4388-90ff-515b2b0c6a13",
    "org.spdx.version": "SPDX-2.3"
  }
}

Local testing looks good 👍🏽

Member

@ridhoq ridhoq left a comment

Left a suggestion, but otherwise looks good. Thanks!

Jstatia added 2 commits July 22, 2025 08:23
…dSBOMFromFile; add tests for AddFilenameAnnotationIfMissing
…g to support both Unix and Windows path separators
@JeromySt JeromySt requested a review from ridhoq July 22, 2025 15:42
Member

@ridhoq ridhoq left a comment

LGTM, thanks again!

@ridhoq ridhoq merged commit 3c6cff7 into Azure:main Jul 22, 2025
4 checks passed
@JeromySt JeromySt deleted the users/jstatia/add_filename_annotation_postprocess branch July 22, 2025 16:17
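
The behaviour discussed in this pull request, as an added Go example that is not the project's own code: set the `org.opencontainers.image.title` annotation only when it is missing, and reduce the input to its last path element so a local directory layout never ends up in registry metadata. The names `descriptor`, `baseName` and `ensureTitle` are hypothetical; the separator handling is written by hand because `filepath.Base` treats `\` as a separator only on Windows.

```go
package main

import (
	"fmt"
	"strings"
)

// titleKey is the annotation key visible in the pushed manifest above.
const titleKey = "org.opencontainers.image.title"

// descriptor stands in for an OCI descriptor (assumption, not the real type).
type descriptor struct {
	Annotations map[string]string
}

// baseName splits on both '/' and '\' whatever the host OS.
func baseName(p string) string {
	p = strings.TrimRight(p, `/\`)
	if i := strings.LastIndexAny(p, `/\`); i >= 0 {
		p = p[i+1:]
	}
	return p
}

// ensureTitle (hypothetical name) adds the title annotation only when none
// exists and reports whether it changed the descriptor.
func ensureTitle(d *descriptor, filename string) bool {
	if _, ok := d.Annotations[titleKey]; ok {
		return false // never overwrite a caller-supplied title
	}
	name := baseName(filename)
	if name == "" {
		return false // "/" or "" has no usable filename
	}
	if d.Annotations == nil {
		d.Annotations = map[string]string{}
	}
	d.Annotations[titleKey] = name
	return true
}

func main() {
	// Constructed sample paths, not taken from the project's tests.
	for _, p := range []string{"/path/to/my/sbom/grafana-10.4.4.json", `C:\Users\dev\sboms\app.spdx.json`} {
		d := &descriptor{}
		ensureTitle(d, p)
		fmt.Printf("%-40s -> %q\n", p, d.Annotations[titleKey])
	}
}
```

A filename on Unix that legitimately contains a backslash would be shortened by this splitting, which is the trade-off of accepting both separator styles.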