software-gardening · d33bs · Nov 21, 2024 · Nov 21, 2024 · Nov 21, 2024
diff --git a/.github/workflows/dependabot-pre-commit.yaml b/.github/workflows/dependabot-pre-commit.yaml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -157,13 +157,3 @@ repos:
         entry: poetry run poe vale-checks
         language: system
         pass_filenames: false
-      # Checks that the sbom.json (software bill of materials) file
-      # is up to date with accurate data for the dependencies within
-      # the project. This file is important for providing an accurate
-      # and standardized reference of all components used to implement
-      # or build this software.
-      - id: syft-sbom-check
-        name: Syft SBOM Check
-        entry: poetry run poe sbom-checks
-        language: system
-        pass_filenames: false
diff --git a/CITATION.cff b/CITATION.cff
@@ -67,12 +67,3 @@ references:
     url: https://doi.org/10.1109/ICSE.2009.5070510
     notes: |
       This article is a related resource that serves as inspiration in deriving our entropy calculation.
-  - authors:
-      - name: "Various dependency authors"
-    title: "Software Bill of Materials (SBOM)"
-    date-released: "2024-11-02"
-    type: "data"
-    url: "https://github.com/software-gardening/almanack/blob/main/sbom.json"
-    abstract: >
-      This Software Bill of Materials (SBOM) provides a detailed list of dependencies
-      for the Software Gardening Almanack, generated to enhance transparency of dependencies.
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -51,7 +51,6 @@ kaleido = "0.2.1"
 pygithub = "^2.3.0"
 jupyterlab-spellchecker = "^0.8.4"
 jsonschema = "^4.23.0"
-sbomdiff = "^0.5.6"
 
 [tool.poetry.scripts]
 almanack = "almanack.cli:cli_get_table"
@@ -135,33 +134,6 @@ if [ $(echo "$output" | wc -l) -gt 1 ]; then
 echo "$output"; exit 1;
 fi
 """
-# Run check on the sbom to see if it needs to be updated.
-# We create a new sbom from the existing source for the almanack,
-# then compare it to the current sbom.json for differences.
-# If the sbom is missing or differs, we throw a non-zero exit.
-# Intended to be run through pre-commmit as a check on this repo.
-sbom-checks.shell = """
-# Generate SBOM using Anchore Syft
-docker run --rm -v $(pwd):/workspace anchore/syft:latest scan dir:/workspace --output spdx-json > sbom-new.json
-
-# If an existing SBOM file doesn't exist, save the new one as the baseline
-if [ ! -f sbom.json ]; then
-  echo "No existing SBOM found. Creating baseline SBOM."
-  mv sbom-new.json sbom.json
-  exit 1
-fi
-
-# Use sbomdiff to check for changes
-if ! sbomdiff sbom-new.json sbom.json; then
-  echo "SBOM has changed! Please review and commit the updated SBOM."
-  mv sbom-new.json sbom.json
-  exit 1
-else
-  echo "SBOM is up-to-date."
-  rm sbom-new.json
-  exit 0
-fi
-"""
 # add a convenience task for package-focused testing
 pkg-tests.shell = """
 pytest --ignore tests/test_build.py

diff --git a/sbom.json b/sbom.json