
Split source SBOM into multiple apps #9586

Merged
merged 15 commits into from
Mar 21, 2025

Conversation

kikofernandez
Contributor

Improves the compliance script making the following changes

  • Create SPDX packages for each ErlangOTP app
  • Create SPDX packages for each vendor package
  • Addition of purl for Erlang SPDX project and Erlang SPDX packages

Contributor

github-actions bot commented Mar 13, 2025

CT Test Results

    7 files    290 suites   3h 11m 23s ⏱️
4 147 tests 4 039 ✅ 108 💤 0 ❌
5 312 runs  5 177 ✅ 135 💤 0 ❌

Results for commit fdf2359.

♻️ This comment has been updated with latest results.

To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass.

See the TESTING and DEVELOPMENT HowTo guides for details about how to run test locally.


// Erlang/OTP Github Action Bot

"licenseDeclared": "MIT",
"name": "json-test-suite",
"versionInfo": "984defc2deaa653cb73cd29f4144a720ec9efe7c",
"path": "./lib/stdlib/test/json_SUITE_data",
Contributor


I assume we need to have this type of thing for our Unicode test data? And the xmerl test? ASN.1?

Contributor Author


Yes, if that was copied from another project, absolutely. I do not think I can add that for this rc2, but we should get it right for OTP-28. I will talk to more people to see where it was originally from.

@kikofernandez kikofernandez force-pushed the kiko/otp/sbom-app-split branch from 6dd5553 to a49acd1 Compare March 17, 2025 08:35
@IngelaAndin IngelaAndin added the team:VM Assigned to OTP team VM label Mar 17, 2025
@kikofernandez kikofernandez self-assigned this Mar 17, 2025
Splits the SBOM into Erlang and vendor SPDX packages. This allows us to easily
remove dependencies that are not needed from OTP. Erlang applications
also have a purl that follows the EEF security working group guidelines,
as per https://erlef.github.io/security-wg/specs/otp_purl_type.
There are some errors in the current snippet generation that do not work
correctly, so we are skipping the snippet generation for now.
@kikofernandez kikofernandez force-pushed the kiko/otp/sbom-app-split branch from e705165 to c8a3dfa Compare March 18, 2025 13:07
@kikofernandez kikofernandez force-pushed the kiko/otp/sbom-app-split branch from 8b3f81b to f8d4c7e Compare March 20, 2025 13:48
Update "hasExtractedLicensingInfos" to consider LicenseRefs that are not
included in the repo. This information (the license text) has been hard-coded,
but there is a check to see that we only add the license if it is
present in the repo. This means that if the license
`LicenseRef-scancode-wxwindows-free-doc-3` is not present in any
curation or SPDX license identifier, then it will not be added to the
resulting SPDX.
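The following is an added worked example and not the OTP compliance script from this pull request. It shows the three things the PR description and the two commit messages above describe: one SPDX package per Erlang/OTP app, one per vendored package, a purl on the OTP app packages, and a `hasExtractedLicensingInfos` list that only carries `LicenseRef-*` ids some package actually declares (a declared `LicenseRef` with no known text is rejected rather than left dangling). The app and vendor lists and the license texts are constructed sample input, and the `pkg:otp/<app>@<version>` purl shape is my reading of the EEF spec linked in the commit message, not something this page confirms.

```python
"""Added example (not the OTP compliance script): build a minimal SPDX 2.3
document with one package per OTP app and per vendored dependency, add a purl
to the app packages, and emit only the LicenseRef-* entries that are referenced."""
import json
import re

# Constructed sample input; not the real OTP app list or vendor list.
OTP_APPS = [
    {"name": "stdlib", "version": "6.2", "license": "Apache-2.0"},
    {"name": "wx", "version": "2.4.3",
     "license": "Apache-2.0 AND LicenseRef-scancode-wxwindows-free-doc-3"},
]
VENDOR_PACKAGES = [
    {"name": "json-test-suite",
     "version": "984defc2deaa653cb73cd29f4144a720ec9efe7c",
     "license": "MIT", "path": "./lib/stdlib/test/json_SUITE_data"},
]
# Hard-coded license texts keyed by LicenseRef id (placeholder texts).  Only the
# ids that some package declares are written to the document.
LICENSE_REF_TEXTS = {
    "LicenseRef-scancode-wxwindows-free-doc-3": "<license text placeholder>",
    "LicenseRef-example-unused": "<must not appear in the output>",
}

LICENSE_REF_RE = re.compile(r"LicenseRef-[A-Za-z0-9.-]+")


def spdx_id(kind: str, name: str) -> str:
    """SPDX element ids may only contain letters, digits, '.' and '-'."""
    return "SPDXRef-" + kind + "-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)


def otp_purl(name: str, version: str) -> str:
    """purl for an OTP app; the pkg:otp/<app>@<version> shape is an assumption
    based on the EEF security WG purl spec, not taken from this PR."""
    return f"pkg:otp/{name}@{version}"


def app_package(app: dict) -> dict:
    return {
        "SPDXID": spdx_id("otp", app["name"]),
        "name": app["name"],
        "versionInfo": app["version"],
        "licenseDeclared": app["license"],
        "downloadLocation": "NOASSERTION",
        "externalRefs": [{
            "referenceCategory": "PACKAGE-MANAGER",
            "referenceType": "purl",
            "referenceLocator": otp_purl(app["name"], app["version"]),
        }],
    }


def vendor_package(dep: dict) -> dict:
    # Vendored code gets its own package so it can be dropped from an OTP build
    # without touching the app packages; the in-tree path goes into sourceInfo.
    return {
        "SPDXID": spdx_id("vendor", dep["name"]),
        "name": dep["name"],
        "versionInfo": dep["version"],
        "licenseDeclared": dep["license"],
        "downloadLocation": "NOASSERTION",
        "sourceInfo": f"vendored into the OTP source tree at {dep['path']}",
    }


def extracted_licensing_infos(packages: list, texts: dict) -> list:
    """Emit a LicenseRef only if some package's licenseDeclared mentions it.
    A referenced LicenseRef with no known text is an error: the document would
    otherwise reference a license id it never defines."""
    referenced = set()
    for pkg in packages:
        referenced.update(LICENSE_REF_RE.findall(pkg["licenseDeclared"]))
    missing = referenced - set(texts)
    if missing:
        raise ValueError(f"no license text for {sorted(missing)}")
    return [{"licenseId": ref, "extractedText": texts[ref]}
            for ref in sorted(referenced)]


def build_sbom(apps: list, vendors: list, texts: dict) -> dict:
    packages = [app_package(a) for a in apps] + [vendor_package(v) for v in vendors]
    relationships = [{"spdxElementId": "SPDXRef-DOCUMENT",
                      "relationshipType": "DESCRIBES",
                      "relatedSpdxElement": p["SPDXID"]} for p in packages]
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "erlang-otp-sbom-example",
        "packages": packages,
        "relationships": relationships,
        "hasExtractedLicensingInfos": extracted_licensing_infos(packages, texts),
    }


if __name__ == "__main__":
    print(json.dumps(build_sbom(OTP_APPS, VENDOR_PACKAGES, LICENSE_REF_TEXTS), indent=2))
```

Running the block prints the document; `LicenseRef-example-unused` is absent from `hasExtractedLicensingInfos` because no package declares it, while the wxWindows reference is kept because the `wx` package's license expression mentions it. Splitting apps and vendored code into separate packages is what makes it practical to strip an unwanted dependency from the SBOM (or from a build) without editing the app entries.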
@kikofernandez kikofernandez force-pushed the kiko/otp/sbom-app-split branch from f8d4c7e to fdf2359 Compare March 20, 2025 13:48
@kikofernandez kikofernandez requested a review from garazdawi March 21, 2025 10:18
@kikofernandez kikofernandez merged commit 71f3faf into erlang:master Mar 21, 2025
29 checks passed
Labels
team:VM Assigned to OTP team VM
3 participants