Adding optional RPM summary to SBOMs #762
Conversation
a-ovchinnikov
requested review from
eskultety and
brunoapimentel
and removed request for
eskultety
| @@ -7,6 +7,7 @@ | |||
| PropertyName = Literal[ | |||
| "cachi2:bundler:package:binary", | |||
| "cachi2:found_by", | |||
| "cachi2:rpm_summary", | |||
There was a problem hiding this comment.
Should we use a custom cachi2 property or perhaps the description field for a CycloneDX Component instead?
There was a problem hiding this comment.
Maybe. I'll need to think about it more. A Property looks the least invasive way of doing this.
There was a problem hiding this comment.
If we decide to go the component.description path, we might be able to map it to SPDX similarly:
https://spdx.github.io/spdx-spec/v2.3/package-information/#718-package-summary-description-field
There was a problem hiding this comment.
FWIW properties can be straightforwardly converted to annotations.
There was a problem hiding this comment.
Should we use a custom cachi2 property or perhaps the description field for a CycloneDX Component instead?
Description feels more natural, but then we need to sit down and define what description is expected to represent a particular PM backend's component to remain consistent across all backends. In that case, also for consistency reasons, we should also introduce the same functionality to the rest of the backends in a short timeline span in order not to leave the rest of PMs behind; note that a custom property IMO feels like less of a problem for consistency than making use of an existing CycloneDX field suited directly for this purpose.
There was a problem hiding this comment.
@taylormadore would you care enough to create an issue on investigating the possibility of adopting a more general approach covering all backends via the built-in description field? I like the idea in general and I feel we should invest some time into exploring the possibility before ruling it out completely.
a-ovchinnikov
force-pushed
the
rpm_adding_summary
branch
from
660aada to
4f7631b
Compare
a-ovchinnikov
changed the title
a-ovchinnikov
force-pushed
the
rpm_adding_summary
branch
from
4f7631b to
bdc850d
Compare
|
/retest |
cachi2/core/models/input.py
Outdated
| @@ -216,6 +216,7 @@ class RpmPackageInput(_PackageInputBase): | |||
| """Accepted input for a rpm package.""" | |||
|
|
|||
| type: Literal["rpm"] | |||
| add_rpm_summary: bool = False | |||
There was a problem hiding this comment.
nitpick - it's part of RpmPackageInput already so the 'rpm' part of the option name is redundant, but at the same time the name itself doesn't indicate this is an SBOM only flag - what about sbom_inlude_summary OR include_summary_in_sbom? What I'm after is some kind of naming pattern that could be reasonably reusable for other such flags we might be required to add, IOW include_XYZ_in_sbom.
There was a problem hiding this comment.
same naming nitpick - I apologize for not having been clearer in my initial response, but I having "sbom" somehow mentioned in the option would be beneficial. If this were an internal variable I would have resolved the thread already, but sadly this is an input JSON option which isn't properly documented (I mean you can't really run a help on the input json like you would on other CLI options) and so having a clear descriptive name on the option so that users immediately know what to expect from the flag is a huge plus IMO.
There was a problem hiding this comment.
Good point, done.
a-ovchinnikov
force-pushed
the
rpm_adding_summary
branch
from
bdc850d to
376c6f2
Compare
|
/retest |
| "value": "cachi2" | ||
| }, | ||
| { | ||
| 'name': 'cachi2:rpm_summary', |
There was a problem hiding this comment.
nitpick: single quotes instead of double quotes (multiple occurrences). I would not even notice if GH UI wouldn't flag this in red for me, that's why I'm mentioning it (it's also the only bom.json with this pattern so it would be inconsistent :) ).
cachi2/core/models/input.py
Outdated
| @@ -216,6 +216,7 @@ class RpmPackageInput(_PackageInputBase): | |||
| """Accepted input for a rpm package.""" | |||
|
|
|||
| type: Literal["rpm"] | |||
| add_rpm_summary: bool = False | |||
There was a problem hiding this comment.
same naming nitpick - I apologize for not having been clearer in my initial response, but I having "sbom" somehow mentioned in the option would be beneficial. If this were an internal variable I would have resolved the thread already, but sadly this is an input JSON option which isn't properly documented (I mean you can't really run a help on the input json like you would on other CLI options) and so having a clear descriptive name on the option so that users immediately know what to expect from the flag is a huge plus IMO.
This change adds an option to include RPM summary in a SBOM. Signed-off-by: Alexey Ovchinnikov <[email protected]>
a-ovchinnikov
force-pushed
the
rpm_adding_summary
branch
from
376c6f2 to
30b574d
Compare
38f8cd9
This change adds an option to include RPM summary in a SBOM.
Maintainers will complete the following section
Note: if the contribution is external (not from an organization member), the CI
pipeline will not run automatically. After verifying that the CI is safe to run:
/ok-to-test(as is the standard for Pipelines as Code)