From 90fe6189049a894f3cab4f9579db9fd1ba12b4fe Mon Sep 17 00:00:00 2001
From: d33bs
Date: Tue, 5 Nov 2024 08:06:34 -0700
Subject: [PATCH] add comments to better describe sbom check

---
 .pre-commit-config.yaml | 2 ++
 pyproject.toml | 8 ++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index b204b19e..aea538bf 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -82,11 +82,13 @@ repos:
 args: ["--float-to-top"]
 - repo: local
 hooks:
+ # checks language use throughout the project.
 - id: vale.sh
 name: vale.sh writing checks
 entry: poetry run poe vale-checks
 language: system
 pass_filenames: false
+ # checks the almanack sbom file.
 - id: syft-sbom-check
 name: Syft SBOM Check
 entry: poetry run poe sbom-checks
diff --git a/pyproject.toml b/pyproject.toml
index 33785ca9..4b431039 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -131,7 +131,11 @@ if [ $(echo "$output" | wc -l) -gt 1 ]; then echo "$output"; exit 1; fi
 """
 
 
-# run check on the sbom to see if it needs to be updated
+# Run check on the sbom to see if it needs to be updated.
+# We create a new sbom from the existing source for the almanack,
+# then compare it to the current sbom.json for differences.
+# If the sbom is missing or differs, we throw a non-zero exit.
+# Intended to be run through pre-commmit as a check on this repo.
 sbom-checks.shell = """
 # Generate SBOM using Anchore Syft
 docker run --rm -v $(pwd):/workspace anchore/syft:latest scan dir:/workspace --output spdx-json > sbom-new.json
@@ -140,7 +144,7 @@ docker run --rm -v $(pwd):/workspace anchore/syft:latest scan dir:/workspace --o
 if [ ! -f sbom.json ]; then
 echo "No existing SBOM found. Creating baseline SBOM."
 mv sbom-new.json sbom.json
- exit 0
+ exit 1
 fi
 
 # Use sbomdiff to check for changes
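Review bot: The new comment on the syft-sbom-check hook says what it checks but not what it needs: the `poe sbom-checks` task it calls (see the pyproject.toml hunk in this same patch) shells out to `docker run ... anchore/syft:latest`, so a contributor without Docker will see this hook fail on every commit, and with `pass_filenames: false` it runs regardless of which files changed. Suggest `# checks the almanack sbom file (requires docker; regenerates the sbom with syft and fails if it is missing or differs).`. The vale.sh comment could likewise say it runs the repo's writing-style checks rather than "language use", which reads as programming language. The hooks mapping continues outside the hunk.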
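Review bot: The last added comment line misspells the tool as `pre-commmit`; it should read `# Intended to be run through pre-commit as a check on this repo.`. The block also lists "missing or differs" as the failure conditions without saying that the result depends on whichever image `anchore/syft:latest` resolves to at run time: a tag move can change the SPDX output and make the comparison fail or pass for reasons unrelated to this repo, and it means the check trusts an unpinned upstream image on every commit. Consider pinning the image by digest (`anchore/syft:<version>@sha256:<digest>`, placeholders) and noting in the comment that the tag must be bumped deliberately. The sbom-checks shell script continues outside the hunk.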
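Review bot: With `exit 1` after `mv sbom-new.json sbom.json`, the first run now fails the pre-commit hook right after it has written a baseline, but the echo on the line above still says only "Creating baseline SBOM." and gives no hint that the failure is expected and that the new sbom.json must be reviewed and staged; suggest `echo "No existing SBOM found. Created baseline sbom.json; review and stage it, then re-run."`. This exit-code change is a behaviour change that the commit subject ("add comments") does not mention, so it is worth stating in the commit message. The rest of the script, including the sbomdiff comparison and any cleanup of sbom-new.json on the differs path, is outside the hunk.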