Include the OS Information available in the SBOM model in the SPDX reports #3462
base: main
Conversation
Thanks for the PR @josegomezr ! I gave it a quick test here, and it looks good from a functional point of view. I'll leave others for code review.
Add a new package reference describing the linux environment available via `SBOM.Artifacts.LinuxDistribution`.

When it's not found, it behaves as before this PR. When found it'll interject the `OperatingSystem` reference between the target and the packages to reflect:

    Document DESCRIBES target
    target CONTAINS OperatingSystem
    OperatingSystem CONTAINS *Packages

Signed-off-by: Jose D. Gomez R <[email protected]>
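The relationship shape described in the commit message, as an added Go example that is not code from the syft project: packages hang directly off the target when no distro is known, and off an interjected `OperatingSystem` element when one is. The type names (`Relationship`, `Package`, `LinuxDistribution`), the `SPDXRef-OperatingSystem-<id>` identifier scheme, and the sample Alpine/busybox/musl values are constructed for illustration. The `DanglingReferences` check is the one a reviewer would want when a new node is spliced into an existing graph: every element an edge points at must actually be defined in the document.

```go
package main

import (
	"fmt"
	"strings"
)

// Relationship mirrors the SPDX 2.x triple: <element> <type> <relatedElement>.
// Hypothetical type; syft's own SPDX model is richer than this.
type Relationship struct {
	Element string
	Type    string // e.g. DESCRIBES, CONTAINS
	Related string
}

// Package is a minimal stand-in for an SPDX package element.
type Package struct {
	SPDXID string
	Name   string
}

// LinuxDistribution is a minimal stand-in for SBOM.Artifacts.LinuxDistribution.
type LinuxDistribution struct {
	ID      string
	Version string
}

const DocumentID = "SPDXRef-DOCUMENT"

// OperatingSystemID derives the SPDX ID for the OS element; the naming scheme is an
// assumption made for this example. Empty when no distro was detected.
func OperatingSystemID(d *LinuxDistribution) string {
	if d == nil || d.ID == "" {
		return ""
	}
	return "SPDXRef-OperatingSystem-" + d.ID
}

// BuildRelationships produces the graph described in the PR:
//   no distro:   Document DESCRIBES target; target CONTAINS each package
//   with distro: Document DESCRIBES target; target CONTAINS OperatingSystem;
//                OperatingSystem CONTAINS each package
func BuildRelationships(targetID string, distro *LinuxDistribution, pkgs []Package) []Relationship {
	rels := []Relationship{{Element: DocumentID, Type: "DESCRIBES", Related: targetID}}
	container := targetID // packages are attached here
	if osID := OperatingSystemID(distro); osID != "" {
		rels = append(rels, Relationship{Element: targetID, Type: "CONTAINS", Related: osID})
		container = osID // interject the OS between target and packages
	}
	for _, p := range pkgs {
		rels = append(rels, Relationship{Element: container, Type: "CONTAINS", Related: p.SPDXID})
	}
	return rels
}

// DefinedElements returns the set of SPDX IDs the document actually emits as elements.
func DefinedElements(targetID string, distro *LinuxDistribution, pkgs []Package) map[string]bool {
	defined := map[string]bool{DocumentID: true, targetID: true}
	if osID := OperatingSystemID(distro); osID != "" {
		defined[osID] = true
	}
	for _, p := range pkgs {
		defined[p.SPDXID] = true
	}
	return defined
}

// DanglingReferences reports every edge endpoint that is not a defined element.
// Splicing a new OS node into the graph without also emitting it as an element is
// exactly the failure this catches.
func DanglingReferences(defined map[string]bool, rels []Relationship) []string {
	var problems []string
	for _, r := range rels {
		for _, id := range []string{r.Element, r.Related} {
			if !defined[id] {
				problems = append(problems, fmt.Sprintf("%s %s %s: %q is not defined in the document",
					r.Element, r.Type, r.Related, id))
			}
		}
	}
	return problems
}

// Render prints the graph one triple per line, in the form used in the commit message.
func Render(rels []Relationship) string {
	var b strings.Builder
	for _, r := range rels {
		fmt.Fprintf(&b, "%s %s %s\n", r.Element, r.Type, r.Related)
	}
	return b.String()
}

func main() {
	// Constructed sample input.
	pkgs := []Package{{SPDXID: "SPDXRef-Package-busybox", Name: "busybox"}, {SPDXID: "SPDXRef-Package-musl", Name: "musl"}}
	target := "SPDXRef-DocumentRoot-Image-example"
	distro := &LinuxDistribution{ID: "alpine", Version: "3.19"}

	fmt.Print("without distro:\n", Render(BuildRelationships(target, nil, pkgs)))
	rels := BuildRelationships(target, distro, pkgs)
	fmt.Print("with distro:\n", Render(rels))

	// Simulate forgetting to emit the OperatingSystem element: three dangling edges.
	for _, p := range DanglingReferences(DefinedElements(target, nil, pkgs), rels) {
		fmt.Println("problem:", p)
	}
}
```

The `DefinedElements`/`DanglingReferences` pair is the cheap consistency check to run in a format test whenever the graph shape changes; a JSON schema validator only sees that each relationship is well-formed, not that its endpoints exist.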
Thanks @josegomezr! I'm taking a look at this now.
I kicked off the tests and CI so we have that green going into our livestream this week - I've added a

I think the team has varying opinions on adding distro information to the package list of other formats.

Opinion: If we were to take this change it would first be reflected in the core model of the

This keeps the behavior separated and easier to reason about as a developer on the project so one doesn't have to track every special case for every format model behavior and how it might mutate (additive, subtract, or modify) of core parts of

Very much TY for the PR since this puts the ball in our court as far as how we want to address

Dev note: CLI tests are catching a schema validation error for the new package that we would have to track down if we decided to add distro as a package to the core syft model.
Side note, CI fails with:
But Section 7.24.1 of the SPDX v3 spec uses dash instead of underscore for
Ahh, thanks for the highlight here - looks like we're still using the 2.3 schema found here for this test: https://github.com/anchore/syft/blob/main/test/cli/spdx_json_schema_test.go
This definitely makes a lot of sense. Thanks for the info @spiffcs! I'll be waiting for news on your side.
Description
Include the OS Information available in the SBOM model in the SPDX reports
Type of change
Checklist:
TODO:
{relationship,pkgCont}OffsetPerVersion