
Add support for CycloneDX 1.4 to the "inspect-manifest" pipeline to import the SBOM into a Project #583

Closed
DennisClark opened this issue Jan 12, 2023 · 5 comments · Fixed by #592 or #634

Comments

@DennisClark
Member

Add support for CycloneDX 1.4 to the "inspect-manifest" pipeline to import the SBOM into a Project

@DennisClark
Member Author

We need to provide a good example of an SPDX 2.3 import to indicate how this might best be done.

@pombredanne
Member

This may depend on CycloneDX/cyclonedx-python-lib#290
@madpah gentle ping

keshav-space added a commit to keshav-space/scancode.io that referenced this issue Jan 27, 2023
- A CycloneDx `component` can have a `list of components`; those are dumped to extra_data as `nestedComponents`. Furthermore, these lists of components are recursively parsed and treated as normal packages.
- The Component may have multiple URLs in externalReferences. The first URL of the reference is added to the applicable package_data URL, while the rest are dumped in extra_data as externalReferences.

fixes aboutcode-org#583

Signed-off-by: Keshav Priyadarshi <[email protected]>
keshav-space added a commit to keshav-space/scancode.io that referenced this issue Jan 30, 2023
keshav-space added a commit to keshav-space/scancode.io that referenced this issue Jan 30, 2023
keshav-space added a commit to keshav-space/scancode.io that referenced this issue Feb 15, 2023
keshav-space added a commit to keshav-space/scancode.io that referenced this issue Feb 20, 2023
keshav-space added a commit to keshav-space/scancode.io that referenced this issue Mar 2, 2023
tdruez pushed a commit that referenced this issue Mar 3, 2023
tdruez added a commit that referenced this issue Mar 3, 2023
tdruez added a commit that referenced this issue Mar 3, 2023
@tdruez
Contributor

tdruez commented Mar 13, 2023

@keshav-space re-opening, as the validate_document function has a dependency on internet access that needs to be removed.

To reproduce, turn-off your internet connection and the following unit tests will fail:

  • test_scanpipe_inspect_manifest_pipeline_cyclonedx_integration_test
  • test_scanpipe_cyclonedx_validate_document

There seems to be an issue with the validate_document function. That code and the tests should never depend on having internet connectivity.

@tdruez tdruez reopened this Mar 13, 2023
@keshav-space
Member

@tdruez turns out RefResolver was not using the local file path provided in base_uri.
It's been fixed in #634 and now it works offline.
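An added example (not scancode.io code, and not the fix from #634) of the kind of pre-flight check that catches the failure mode discussed in this thread: it walks a JSON Schema, resolves every `$ref` the way a resolver would (relative refs against the schema's `$id`, falling back to `base_uri`), and reports any referenced document that is not in a local store and would therefore force a network fetch during validation. The schemas, URIs and store below are constructed stand-ins, not the real CycloneDX files.

```python
from urllib.parse import urldefrag, urljoin

# Constructed stand-in schemas: a main schema referencing a sibling file, a
# fragment of itself, and a remote document. URIs are placeholders.
LOCAL_STORE = {
    "file:///schemas/bom.schema.json": {
        "$id": "file:///schemas/bom.schema.json",
        "type": "object",
        "properties": {
            "license": {"$ref": "spdx.schema.json"},  # sibling file: local
            "meta": {"$ref": "#/definitions/meta"},  # fragment of this document
            "sig": {"$ref": "http://example.invalid/jsf.schema.json#/definitions/sig"},
        },
        "definitions": {"meta": {"type": "object"}},
    },
    "file:///schemas/spdx.schema.json": {
        "$id": "file:///schemas/spdx.schema.json",
        "enum": ["MIT", "Apache-2.0"],
    },
}


def iter_refs(node):
    """Yield every "$ref" string found anywhere in a schema tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "$ref" and isinstance(value, str):
                yield value
            else:
                yield from iter_refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_refs(item)


def resolve_document_uri(ref, base_uri):
    """Resolve a possibly relative $ref against base_uri and drop the fragment."""
    return urldefrag(urljoin(base_uri, ref))[0]


def audit_offline_refs(schema, base_uri, store):
    """Return referenced document URIs that are missing from the local store.

    Relative refs resolve against the schema's own "$id" when present (the JSON
    Schema rule), so a local base_uri alone does not keep resolution offline if
    "$id" is an http URL: the store must be keyed by the resolved URIs.
    A non-empty result means validation would have to reach the network.
    """
    effective_base = schema.get("$id", base_uri)
    own_uri = urldefrag(effective_base)[0]
    resolved = (resolve_document_uri(r, effective_base) for r in iter_refs(schema))
    return sorted({uri for uri in resolved if uri != own_uri and uri not in store})
```

Running the audit in a unit test (or a CI job with networking disabled) fails fast on a schema whose `$ref`s would otherwise be fetched remotely, which is the condition the reopened issue describes.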

@tdruez
Contributor

tdruez commented Mar 14, 2023

@keshav-space fix confirmed, thanks!

tdruez added a commit that referenced this issue Mar 17, 2023