
feat: support running the analysis with SBOM and the main software component with no repository #165

Conversation

tromai
Member

@tromai tromai commented Apr 17, 2023

Closes #157

Feature Description

We want to allow the use case of: running the analysis on the dependencies listed in an SBOM generated for an artifact while the repository URL for that artifact is not available (e.g. the repository is in a private domain that Macaron cannot access).
Example usage:

macaron analyze -purl pkg:domain.com/org/name -sbom <path_to_sbom>

Current state

  • When Macaron cannot resolve the repository for the main software component, Macaron will not collect any dependencies and analyze them. This is because the implementation for both collecting dependencies from a provided SBOM (through --sbom-path) and collecting dependencies by running the SBOM generator are bundled in the same location (see here) and this method is only run if the repository for the main software component is found (see here).
  • For all software components, when Macaron cannot resolve the repository for it, the analysis will be skipped for it.
    • For dependencies, the skipping happens here.
    • For the main software component, the skipping happens here.

Expected behavior

Core engine

  • For all software components, the analysis will not be skipped if the repository is not found.
  • When Macaron cannot resolve the main software component's repository and a PURL string is provided by the user (via -purl), it will still collect the dependencies from the SBOM and run the analysis for those dependencies.

HTML reports

  • When the repository is not found for a software component, display a small message in the Target Information section to notify the users.
  • When all the checks are failing for a software component, we collapse the check report table. This is because we have now only repository-based checks. Therefore, when the repository is not found for a software component, no check will pass. We hide the table for visibility.

Example report

image
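The decoupling described in the Expected behavior section (dependency collection from an SBOM no longer gated on resolving the main component's repository, and components without a repository still reported rather than skipped) can be illustrated with a small model. The following is an added example, not Macaron's own code: the CycloneDX SBOM, the repository lookup table, and the check names are all constructed for this illustration, and the `legacy` flag only stands in for the pre-PR behaviour the description calls "Current state".

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed CycloneDX 1.4 SBOM for the example; none of these artifacts is real.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"purl": "pkg:maven/org.example/app@1.0.0"}},
    "components": [
        {"purl": "pkg:maven/org.example/app@1.0.0"},
        {"purl": "pkg:maven/com.google.guava/guava@32.1.2-jre"},
        {"purl": "pkg:maven/org.apache.commons/commons-lang3@3.13.0"},
        {"purl": "pkg:maven/org.example/internal-lib@2.0.0"},
        {"name": "component-without-purl"},
    ],
})

# Hypothetical repository resolver standing in for Macaron's own lookup.
# The main component and internal-lib are deliberately absent (private domain).
KNOWN_REPOS = {
    "pkg:maven/com.google.guava/guava@32.1.2-jre": "https://github.com/google/guava",
    "pkg:maven/org.apache.commons/commons-lang3@3.13.0": "https://github.com/apache/commons-lang",
}


def resolve_repo(purl: str) -> Optional[str]:
    """Return the repository URL for a PURL, or None when it cannot be resolved."""
    return KNOWN_REPOS.get(purl)


@dataclass
class ComponentReport:
    purl: str
    repository: Optional[str]
    checks: dict  # check name -> passed?

    @property
    def collapse_check_table(self) -> bool:
        # HTML report rule from the PR: hide the table when every check fails.
        return not any(self.checks.values())

    def target_info_message(self) -> Optional[str]:
        # Message shown in the Target Information section when no repo was found.
        return None if self.repository else "Repository not found for this software component."


def sbom_dependency_purls(sbom_text: str, main_purl: str) -> list:
    """Collect dependency PURLs from a CycloneDX SBOM, skipping the main component."""
    bom = json.loads(sbom_text)
    deps: list = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if purl and purl != main_purl and purl not in deps:
            deps.append(purl)
    return deps


def run_repository_checks(repository: Optional[str]) -> dict:
    """Constructed repository-based checks: with no repository, none can pass."""
    if repository is None:
        return {"vcs_reachable": False, "build_service_detected": False}
    return {
        "vcs_reachable": True,
        "build_service_detected": repository.startswith("https://github.com/"),
    }


def analyze(
    main_purl: str,
    sbom_text: str,
    resolver: Callable[[str], Optional[str]] = resolve_repo,
    legacy: bool = False,
) -> list:
    """Analyze the main component and its SBOM dependencies.

    legacy=True models the pre-PR behaviour: dependency collection was bundled
    with repository resolution, so an unresolved main repository meant no
    dependencies were collected at all.
    """
    main_repo = resolver(main_purl)
    reports = [ComponentReport(main_purl, main_repo, run_repository_checks(main_repo))]
    if legacy and main_repo is None:
        return reports
    for dep in sbom_dependency_purls(sbom_text, main_purl):
        repo = resolver(dep)
        # Components with no repository are still reported, not skipped.
        reports.append(ComponentReport(dep, repo, run_repository_checks(repo)))
    return reports


if __name__ == "__main__":
    for r in analyze("pkg:maven/org.example/app@1.0.0", SAMPLE_SBOM):
        print(r.purl, r.repository, r.target_info_message(), r.collapse_check_table)
```

Running the module prints one line per component: the main component and internal-lib carry the "repository not found" message and a collapsed check table, while guava and commons-lang3 are analyzed normally. With `legacy=True` the same call returns only the main component, which is the gap the PR closes.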

@tromai tromai self-assigned this Apr 17, 2023
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Apr 17, 2023
@tromai tromai force-pushed the 157-treat-the-main-target-as-empty-if-its-not-provided-together-with-the-sbom branch from e87456c to a7aa5ec Compare April 19, 2023 04:46
@tromai
Member Author

tromai commented Apr 19, 2023

This rebase is to get the changes for #125

@tromai tromai added this to the Release v0.1.0 milestone Apr 20, 2023
@tromai tromai force-pushed the 157-treat-the-main-target-as-empty-if-its-not-provided-together-with-the-sbom branch from f6700b6 to 8c221a8 Compare April 26, 2023 00:01
@tromai tromai force-pushed the 157-treat-the-main-target-as-empty-if-its-not-provided-together-with-the-sbom branch from 8c221a8 to 184ecfa Compare July 26, 2023 04:19
@tromai tromai added the SBOM related to SBOM handling label Jul 26, 2023
@tromai tromai changed the title feat: support running the analysis using SBOM without providing the main target feat: support running the analysis with SBOM and a software component with no repository Sep 8, 2023
@tromai tromai force-pushed the 157-treat-the-main-target-as-empty-if-its-not-provided-together-with-the-sbom branch 7 times, most recently from 5b9a924 to 0c12aca Compare September 18, 2023 03:19
@tromai tromai force-pushed the 157-treat-the-main-target-as-empty-if-its-not-provided-together-with-the-sbom branch from 0c12aca to 19ba5bb Compare September 19, 2023 06:57
@tromai tromai marked this pull request as ready for review September 20, 2023 01:21
@tromai tromai requested a review from behnazh-w as a code owner September 20, 2023 01:21
@tromai tromai changed the title feat: support running the analysis with SBOM and a software component with no repository feat: support running the analysis with SBOM and the main software component with no repository Sep 20, 2023
@behnazh-w behnazh-w requested a review from nicallen September 20, 2023 20:33
…and handle everything in macaron.html

Signed-off-by: Trong Nhan Mai <[email protected]>
… software component if no repository is found

Signed-off-by: Trong Nhan Mai <[email protected]>
…ssed into the template and the dependency section

Signed-off-by: Trong Nhan Mai <[email protected]>
…for the main software component but an SBOM is provided
…component without a repository and an sbom

Signed-off-by: Trong Nhan Mai <[email protected]>
…nnot find the repository for it

Signed-off-by: Trong Nhan Mai <[email protected]>
…en there is no passing check

Signed-off-by: Trong Nhan Mai <[email protected]>
…ain software component's repository available
@tromai tromai force-pushed the 157-treat-the-main-target-as-empty-if-its-not-provided-together-with-the-sbom branch from 0caee7d to f190924 Compare September 22, 2023 07:23
These changes were to separate the resolving dependencies using SBOM generator and resolving dependencies
from SBOM files. These changes were necessary for this PR back when I first worked on it (before the merging
of #388). However, after #388 was merged and further discussion, this change is no longer necessary.

Signed-off-by: Trong Nhan Mai <[email protected]>
@tromai tromai merged commit abd2c31 into staging Oct 4, 2023
15 checks passed
@tromai tromai deleted the 157-treat-the-main-target-as-empty-if-its-not-provided-together-with-the-sbom branch October 4, 2023 02:44
art1f1c3R pushed a commit that referenced this pull request Nov 29, 2024
…mponent with no repository (#165)

Core engine:
* For all software components (main target and dependencies), the analysis will not be skipped if the repository URL is not found.
* Collect and run the analysis for dependencies from the SBOM (if provided) even when the repository URL is not available for the main target.
HTML reports:
* Display a small message in the Target Information section when the repository is not available.
* Collapse the check report table when all checks fail.

Signed-off-by: Trong Nhan Mai <[email protected]>
Labels
OCA Verified All contributors have signed the Oracle Contributor Agreement. SBOM related to SBOM handling
Successfully merging this pull request may close these issues.

Treat the main target as empty if it's not provided together with the SBOM.