yarn: SBOM components #739

Open: wants to merge 4 commits into base: main
Commits on Nov 22, 2024

  1. Add str magic method to ChecksumInfo class

    The class is very often interpreted as `algorithm:hash`. Let's make use
    of the built-in `__str__` magic method and return the same format.
    
    Signed-off-by: Michal Šoltis <[email protected]>
    slimreaper35 committed Nov 22, 2024 (commit 5694c8a)
  2. Add purl properties to all yarn classic packages

    Each "yarn classic" package type has a property that returns the package
    URL based on its attributes and community PURL specification [1].
    
    All package types share the same base -> name, version, and type which
    is set to "npm" ("yarn" does not exist).
    
    - `FilePackage`, `WorkspacePackage`, `LinkPackage` have in addition
      subpath component (extra subpath within a package, relative to the
      package root)
    
    - `UrlPackage` has one extra qualifier -> its URL as it is defined
    
    - `GitPackage` has one extra qualifier -> package version control system
      URL with a specific syntax [2]
    
    - `RegistryPackage` has two extra qualifiers -> repository_url (default
      repository/registry for "npm" is https://registry.npmjs.org so
      alternative registries such as https://registry.yarnpkg.com should be
      qualified via the qualifier) [3], [4] + the checksum of the package
      converted from Subresource Integrity representation
    
    ---
    [1]: https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst
    [2]: https://github.com/spdx/spdx-spec/blob/cfa1b9d08903/chapters/3-package-information.md#37-package-download-location-
    [3]: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#npm
    [4]: https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#known-qualifiers-keyvalue-pairs
    
    Signed-off-by: Michal Šoltis <[email protected]>
    slimreaper35 committed Nov 22, 2024 (commit 8bd075e)
  3. Create SBOM components for yarn-classic packages

    After a successful pre-fetching of all packages, report all downloaded
    packages as components in the final SBOM.
    
    Create the `Component` object from each package based on package
    attributes.
    
    Dev packages should have the `cdx:npm:package:development` property, which is
    added to the component if the package is marked for development -> the `dev`
    attribute is set to True.
    
    Move the rest of the unit test logic to `test_fetch_yarn_source` from
    its predecessor in yarn-berry implementation.
    
    closes containerbuildsystem#636
    
    Signed-off-by: Michal Šoltis <[email protected]>
    slimreaper35 committed Nov 22, 2024 (commit b233210)
  4. Update bom.json for yarn-classic e2e tests

    The commit follows the previous one, which implements generating SBOM
    components. Now the e2e tests that generate SBOMs should be updated to
    reflect this change by running the integration tests with our custom
    env variable set: `CACHI2_GENERATE_TEST_DATA=true`
    
    Signed-off-by: Michal Šoltis <[email protected]>
    slimreaper35 committed Nov 22, 2024 (commit 6f09800)
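The second and third commit messages describe the PURL rules for each yarn-classic package kind (shared `npm` type, subpath for file/workspace/link packages, `vcs_url` for git, `repository_url` plus an SRI-derived `checksum` for registry packages) and how each package becomes an SBOM component with the `cdx:npm:package:development` property for dev packages. The following is an added example illustrating those rules end to end; it is not cachi2's code. The class names, the `purl()` methods, the choice of the purl `download_url` qualifier for `UrlPackage`, the hand-written PURL builder (used instead of a purl library so the block runs offline) and all sample packages are assumptions; the encoding rules follow the purl specification cited in the commit message.

```python
"""Build PURLs for yarn-classic package kinds and emit SBOM components.

Added example, not cachi2's code: class names, purl() methods, the
download_url qualifier for URL packages and the sample data are assumptions.
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote, urlparse

DEFAULT_NPM_REGISTRY = "https://registry.npmjs.org"
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_to_purl_checksum(integrity: str) -> str:
    """Convert an SRI string 'sha512-<base64>' into the purl form 'sha512:<hex>'.

    Unknown algorithms, bad base64 and digests of the wrong length raise, so a
    malformed lockfile entry fails loudly instead of yielding a bogus checksum.
    """
    algorithm, _, b64 = integrity.partition("-")
    if algorithm not in SRI_ALGORITHMS or not b64:
        raise ValueError(f"unsupported SRI string: {integrity!r}")
    digest = base64.b64decode(b64, validate=True)
    if len(digest) != hashlib.new(algorithm).digest_size:
        raise ValueError(f"{algorithm} digest has the wrong length")
    return f"{algorithm}:{digest.hex()}"


def build_npm_purl(name: str, version: str, qualifiers: Optional[dict] = None,
                   subpath: Optional[str] = None) -> str:
    """Assemble pkg:npm/[namespace/]name@version[?qualifiers][#subpath]."""
    purl = "pkg:npm/"
    if name.startswith("@") and "/" in name:  # scoped package: the scope is the namespace
        scope, _, name = name.partition("/")
        purl += quote(scope, safe="") + "/"
    purl += quote(name, safe="")
    if version:
        purl += "@" + quote(version, safe="")
    if qualifiers:
        # purl spec: keys lowercased and sorted, empty values dropped, ':' and '/' kept
        items = sorted((k.lower(), v) for k, v in qualifiers.items() if v)
        purl += "?" + "&".join(f"{k}={quote(v, safe='/:')}" for k, v in items)
    if subpath:  # purl spec: drop empty, '.' and '..' segments
        segments = [quote(s, safe="") for s in subpath.split("/") if s not in ("", ".", "..")]
        purl += "#" + "/".join(segments)
    return purl


@dataclass
class YarnClassicPackage:
    name: str
    version: str
    dev: bool = False  # True when yarn marks the package as a dev dependency


@dataclass
class RegistryPackage(YarnClassicPackage):
    url: str = ""        # resolved tarball URL from yarn.lock
    integrity: str = ""  # SRI string from yarn.lock

    def purl(self) -> str:
        qualifiers = {"checksum": sri_to_purl_checksum(self.integrity)}
        parsed = urlparse(self.url)
        registry = f"{parsed.scheme}://{parsed.netloc}"
        if registry != DEFAULT_NPM_REGISTRY:  # only non-default registries are qualified
            qualifiers["repository_url"] = registry
        return build_npm_purl(self.name, self.version, qualifiers)


@dataclass
class FilePackage(YarnClassicPackage):  # WorkspacePackage / LinkPackage work the same way
    relative_path: str = ""  # path relative to the project root -> purl subpath

    def purl(self) -> str:
        return build_npm_purl(self.name, self.version, subpath=self.relative_path)


@dataclass
class UrlPackage(YarnClassicPackage):
    url: str = ""

    def purl(self) -> str:
        return build_npm_purl(self.name, self.version, {"download_url": self.url})


@dataclass
class GitPackage(YarnClassicPackage):
    url: str = ""  # SPDX download-location syntax: git+https://host/repo.git@<commit>

    def purl(self) -> str:
        return build_npm_purl(self.name, self.version, {"vcs_url": self.url})


def to_component(pkg: YarnClassicPackage) -> dict:
    """One SBOM component per fetched package; dev packages get the CycloneDX property."""
    component = {"type": "library", "name": pkg.name, "version": pkg.version, "purl": pkg.purl()}
    if pkg.dev:
        component["properties"] = [{"name": "cdx:npm:package:development", "value": "true"}]
    return component


# Constructed sample data, not taken from any real lockfile.
SAMPLE_DIGEST_HEX = hashlib.sha512(b"constructed tarball").hexdigest()
SAMPLE_SRI = "sha512-" + base64.b64encode(bytes.fromhex(SAMPLE_DIGEST_HEX)).decode()
SAMPLE_PACKAGES = [
    RegistryPackage("@scope/pkg", "1.2.3", integrity=SAMPLE_SRI,
                    url="https://registry.yarnpkg.com/@scope/pkg/-/pkg-1.2.3.tgz"),
    RegistryPackage("lodash", "4.17.21", dev=True, integrity=SAMPLE_SRI,
                    url="https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"),
    FilePackage("local-lib", "0.1.0", relative_path="packages/local-lib"),
    UrlPackage("tarball-dep", "2.0.0", url="https://example.com/tarball-dep-2.0.0.tgz"),
    GitPackage("git-dep", "3.0.0", url="git+https://github.com/example/git-dep.git@0123456789abcdef"),
]


def sbom_components(packages=SAMPLE_PACKAGES) -> list:
    return [to_component(p) for p in packages]
```

Running `sbom_components()` yields one component per package; the first registry package gets a `repository_url` qualifier because it resolved from registry.yarnpkg.com, the second does not because registry.npmjs.org is the purl default, and only the `dev=True` package carries the development property. The `checksum` qualifier is the hex digest, so a consumer can compare it directly against the downloaded tarball.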