
sbomqs score directly from git URLs #280

Open · wants to merge 15 commits into base: main

Conversation

viveksahu26 (Collaborator)

closes: #266
This PR adds support for the sbomqs score command to score directly from git URLs. Until now this functionality was limited to local files. For example:
$ sbomqs score -b <sbom.spdx.json file>

New feature supports:

$ sbomqs score -b  https://github.com/interlynk-io/sbomqs/blob/main/samples/
or 
$ sbomqs score -b https://github.com/interlynk-io/sbomqs/blob/main/samples/sbomqs-spdx-syft.json
or 
$ sbomqs score -b  https://github.com/spdx/ntia-conformance-checker/blob/main/tests/data/ -b 
or 
$ sbomqs score -b  https://github.com/spdx/ntia-conformance-checker/blob/main/tests/data/SPDXSBOMExampleTests/ -b

Example:

$ go run main.go score https://github.com/interlynk-io/sbomqs/blob/main/samples/ -b
Enumerating objects: 561, done.
Counting objects: 100% (561/561), done.
Compressing objects: 100% (354/354), done.
Total 561 (delta 363), reused 330 (delta 190), pack-reused 0
7.7     spdx    2.3     json    samples/photon.spdx.json
6.5     cdx     1.4     json    samples/sbomqs-cdx-cgomod.json
6.5     spdx    2.3     json    samples/sbomqs-spdx-sbtool.json
6.4     spdx    2.3     json    samples/sbomqs-spdx-syft.json

@riteshnoronha (Contributor)

@viveksahu26 not sure cloning the entire repo just to get the files is a good idea. Is there a way to pull just the files that are SBOMs? We can fix which extensions we look at.

@viveksahu26 (Collaborator, Author)

So, yeah @riteshnoronha. It is possible to implement it in a different way, i.e., apart from cloning the whole repo:

  • Basically fetching the URL directly, which gives the information related to the files and their content, and then writing that content to a file in memory instead of local storage.

Signed-off-by: Vivek Kumar Sahu <[email protected]>
@riteshnoronha (Contributor)

@viveksahu26 let me know if this is ready for review

@viveksahu26 (Collaborator, Author)

> @viveksahu26 let me know if this is ready for review

Yeah it's ready for review...

@@ -0,0 +1,223 @@
package source
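Review bot: the new file starts directly with `package source` and carries no package doc comment; Go convention is a `// Package source ...` line immediately above the package clause stating what the package provides (per the PR description, resolving the `-b` argument to local files or git URLs), so the intent is visible in godoc and to reviewers reading only the hunk header.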
Contributor:

We should not limit ourselves to only GitHub URLs. An SBOM could be on any URL; we should just check if this path is a URL and download the file and run sbomqs on it. This is adding too much complexity.

Collaborator Author:

I hope you mean downloading the file in memory instead of local storage.
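To make the direction the review converges on concrete (the earlier reply's "fetch the URL directly and keep the content in memory" and the review comment's "check whether the -b path is a URL and download the file"), here is an added Go example. It is not part of this PR or of sbomqs; the 50 MiB size cap, the github.com blob-to-raw rewrite, the local `httptest` server and the constructed SPDX document are all assumptions of the example, and the scoring step itself is left to sbomqs.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// maxSBOMBytes caps what one fetched SBOM may occupy in memory (assumed limit, not a sbomqs setting).
const maxSBOMBytes = 50 << 20

// sampleSPDX is a constructed, minimal SPDX 2.3 JSON document so the example runs offline.
const sampleSPDX = `{"spdxVersion":"SPDX-2.3","dataLicense":"CC0-1.0","SPDXID":"SPDXRef-DOCUMENT","name":"example","packages":[]}`

// isURL reports whether a -b argument is a remote http(s) location rather than a local path.
// Other schemes (file, ftp, ...) are deliberately not treated as URLs.
func isURL(arg string) bool {
	u, err := url.Parse(arg)
	if err != nil {
		return false
	}
	return (u.Scheme == "http" || u.Scheme == "https") && u.Host != ""
}

// rawGitHubURL rewrites a github.com "blob" link to the raw.githubusercontent.com address that
// serves the file bytes (a blob link returns an HTML page). Other URLs pass through unchanged;
// directory ("tree") links are not handled here.
func rawGitHubURL(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil || u.Host != "github.com" {
		return rawURL
	}
	parts := strings.SplitN(strings.TrimPrefix(u.Path, "/"), "/", 5) // owner, repo, "blob", ref, path
	if len(parts) != 5 || parts[2] != "blob" {
		return rawURL
	}
	return "https://raw.githubusercontent.com/" + parts[0] + "/" + parts[1] + "/" + parts[3] + "/" + parts[4]
}

// fetchSBOM downloads the document at rawURL into memory with a size cap; nothing is written to disk.
func fetchSBOM(client *http.Client, rawURL string) ([]byte, error) {
	if !isURL(rawURL) {
		return nil, fmt.Errorf("not an http(s) URL: %q", rawURL)
	}
	resp, err := client.Get(rawGitHubURL(rawURL))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("fetching %s: unexpected status %s", rawURL, resp.Status)
	}
	// Read one byte past the cap so an oversized body is rejected rather than silently truncated.
	data, err := io.ReadAll(io.LimitReader(resp.Body, maxSBOMBytes+1))
	if err != nil {
		return nil, err
	}
	if len(data) > maxSBOMBytes {
		return nil, fmt.Errorf("fetching %s: body exceeds %d bytes", rawURL, maxSBOMBytes)
	}
	return data, nil
}

// loadSBOM is the dispatch a score command would do: URL -> in-memory fetch, otherwise local file.
func loadSBOM(client *http.Client, arg string) ([]byte, error) {
	if isURL(arg) {
		return fetchSBOM(client, arg)
	}
	return os.ReadFile(filepath.Clean(arg))
}

// newSampleServer serves the constructed document so the fetch path can be exercised offline.
func newSampleServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/samples/sample.spdx.json", func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		io.WriteString(w, sampleSPDX)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newSampleServer()
	defer srv.Close()
	client := &http.Client{Timeout: 30 * time.Second} // bound the fetch; an unbounded client hangs on a slow host
	data, err := loadSBOM(client, srv.URL+"/samples/sample.spdx.json")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("fetched %d bytes into memory, nothing written to disk\n", len(data))
}
```

Two points worth keeping whichever way the PR lands: a github.com `/blob/` link such as the ones in the PR description serves HTML, not the SBOM, so the raw address has to be requested instead; and because the argument now reaches out to a network host, the fetch needs a timeout, a size cap and a scheme check, otherwise a hostile or merely broken URL can stall the scorer or exhaust memory. Directory URLs (the `samples/` cases above) are outside this snippet, which handles a single file only.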

Successfully merging this pull request may close these issues: Should be able to score SBOM found at a URL path.
2 participants