[DNM] Generate SBOMs for repaired libraries #577
base: main
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage Diff (main vs #577):

|          | main   | #577   | +/-    |
|----------|--------|--------|--------|
| Coverage | 92.78% | 92.93% | +0.14% |
| Files    | 21     | 22     | +1     |
| Lines    | 1760   | 1797   | +37    |
| Branches | 332    | 336    | +4     |
| Hits     | 1633   | 1670   | +37    |
| Misses   | 77     | 77     |        |
| Partials | 50     | 50     |        |
Taking this pull request out of draft to begin inviting reviews. I still need to add some integration tests to show that the SBOM documents get generated for many different operating systems offered by manylinux images :) cc @lkollar, @mayeut, and @captn3m0 who expressed interest in the linked issues.
@@ -0,0 +1,359 @@ | |||
# SPDX-License-Identifier: MIT |
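Review bot: The new 359-line file opens with only the SPDX license identifier, but the comment below says it is a vendored copy of the separate "whichprovides" project; a header line recording the upstream project name, the exact version or commit it was copied from, and its source URL would let reviewers diff the bundled copy against upstream and make future re-syncs (and the provenance of the SBOM generator itself) auditable.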
This is a vendored project "whichprovides" which I maintain. It's the abstraction of the package provider detection that was mentioned here: #541 (comment)
Please feel free to read and review this code, too. This code hasn't been reviewed by anyone except myself, so your perspective is more than welcome!
(Draft, do not merge) This is my initial pull request for adding automatic SBOM generation based on package manager info for libraries that are repaired into wheels. I've tested locally by building wheels from various projects and operating systems, and will work on getting those pulled into the test suite.
The majority of the "logic" comes from the project "whichprovides" which gets bundled into auditwheel as a single file. You can review that project in its entirety within this pull request. If you'd like to submit comments that you have about "whichprovides" you can do so here and I'll get them addressed in the upstream project.
Closes #541
Closes #398
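To make the approach described above concrete, here is an added example of the two steps involved: asking the OS package manager which package provides a grafted shared library, and recording that answer in an SPDX-shaped document attached to the wheel. This is illustration code written for this page, not auditwheel's or whichprovides' implementation; the command output samples, the Package URL layout and the `Provider`/`build_sbom` names are constructed assumptions, and the distro id that a real tool would read from `/etc/os-release` is passed in by hand.

```python
"""Map repaired shared libraries to the OS packages that provide them and
emit a minimal SPDX-2.3-shaped SBOM fragment (added example, constructed)."""
import json
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Provider:
    """An OS package that provides a file, as reported by the package manager."""
    package_type: str  # purl type, e.g. "deb" or "rpm"
    distro: str        # distro id; a real tool would read /etc/os-release (assumed here)
    name: str
    version: str

    def purl(self) -> str:
        # Package URL used as the SBOM's package-manager reference.
        return f"pkg:{self.package_type}/{self.distro}/{self.name}@{self.version}"


# `dpkg -S PATH` prints "PKG[:ARCH]: PATH", one line per owning package.
_DPKG_LINE = re.compile(r"^(?P<pkg>[^:\s]+)(?::[^:\s]+)?: (?P<path>\S+)$")


def parse_dpkg_search(output: str, path: str) -> Optional[str]:
    """Return the package that owns `path`, or None if dpkg did not know it
    (dpkg then prints an error line that does not match the pattern)."""
    for line in output.splitlines():
        m = _DPKG_LINE.match(line.strip())
        if m and m.group("path") == path:
            return m.group("pkg")
    return None


def parse_rpm_query(output: str) -> Optional[tuple[str, str]]:
    """Parse `rpm -qf --qf '%{NAME}\\t%{VERSION}-%{RELEASE}\\n' PATH` output.
    rpm prints "file ... is not owned by any package" (no tab) for unknown files."""
    name, sep, version = output.strip().partition("\t")
    if not sep or not name or not version:
        return None
    return name, version


def build_sbom(wheel_name: str, libraries: dict[str, Optional[Provider]]) -> dict:
    """Build a minimal SPDX-2.3-shaped document listing the grafted libraries.

    Libraries with no known provider are still listed with NOASSERTION so the
    gap stays visible to downstream consumers instead of being dropped."""
    packages = [{"SPDXID": "SPDXRef-Wheel", "name": wheel_name}]
    relationships = []
    for i, (lib_path, prov) in enumerate(sorted(libraries.items())):
        spdx_id = f"SPDXRef-Lib-{i}"
        pkg = {
            "SPDXID": spdx_id,
            "name": lib_path.rsplit("/", 1)[-1],
            "versionInfo": prov.version if prov else "NOASSERTION",
        }
        if prov:
            pkg["externalRefs"] = [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": prov.purl(),
            }]
        packages.append(pkg)
        relationships.append({
            "spdxElementId": "SPDXRef-Wheel",
            "relationshipType": "CONTAINS",
            "relatedSpdxElement": spdx_id,
        })
    return {
        "spdxVersion": "SPDX-2.3",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{wheel_name}-sbom",
        "packages": packages,
        "relationships": relationships,
    }


if __name__ == "__main__":
    # Constructed sample: one library rpm knows, one it does not.
    known = parse_rpm_query("openssl-libs\t3.0.7-24.el9\n")
    unknown = parse_rpm_query("file /usr/lib64/libfoo.so.1 is not owned by any package\n")
    libs = {
        "/usr/lib64/libssl.so.3": Provider("rpm", "almalinux", *known) if known else None,
        "/usr/lib64/libfoo.so.1": Provider("rpm", "almalinux", *unknown) if unknown else None,
    }
    print(json.dumps(build_sbom("example-1.0-cp312-manylinux_2_28_x86_64.whl", libs), indent=2))
```

The parsers deliberately return `None` instead of raising when the package manager does not recognise a file, and `build_sbom` keeps such libraries in the document with `NOASSERTION`: a repaired wheel can legitimately contain libraries built from source inside the image, and an SBOM that silently omits them would understate what ships in the wheel.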