SPDX bug fixes found during v1.22.0-beta.0 #2147

Merged
merged 7 commits into from
Jul 2, 2021

Conversation

puerco
Member

@puerco puerco commented Jun 29, 2021

What type of PR is this?

/kind bug
/kind cleanup
/kind feature

What this PR does / why we need it:

This PR fixes a number of bugs and adds a few features that surfaced during the v1.22.0-beta.0 cut.

  • Fixes a bug that was causing errors downloading go packages; except for a few deps, we now have licensing data for all packages.
  • Corrects a bug where HTML entities were being introduced into the spdx licenses and output. The code was wrongly using html/template instead of text/template.
  • There is now a new Relationship type and a better way to relate objects among themselves via a new spdx.Object interface
  • New SPDX object interface. This is important as we will start having functions that can take either packages or files, hence we create the interface to address them both
  • Changes the way image references are treated when generating an SBOM from an image reference. The spdx package will now fetch all images for all architectures found
  • New function to generate a valid SPDX ID string; optionally it can take strings as seeds to generate a more intuitive ID for packages and files.
  • Fixes a bug where month and day were in the wrong order in the SPDX document date.

With these changes in place, we can now start working on the final form of the Kubernetes SBOMs.

Which issue(s) this PR fixes:

Part of #1837

Special notes for your reviewer:

/milestone v1.22

Does this PR introduce a user-facing change?

* Fixed a bug that was causing errors downloading go packages; except for a few specific deps, we now have licensing data for all packages.
* Corrects a bug where HTML entities were being introduced into the spdx licenses and output. The code was wrongly using html/template instead of text/template.
* There is now a new Relationship type and a better way to relate objects among themselves via a new `spdx.Object` interface
* New SPDX object interface. This is important as we will start having functions that can take either packages or files, hence we create the interface to address them both
* Changes the way image references are treated when generating an SBOM from an image reference. The spdx package will now fetch all images for all architectures found
* New function to generate a valid SPDX ID string; optionally it can take strings as seeds to generate a more intuitive ID for packages and files.
* Fixes a bug where month and day were in the wrong order in the SPDX document date.

puerco added 7 commits June 25, 2021 22:04
This new function generates a valid SPDX ID string; optionally
it can take strings as seeds to generate a more intuitive ID for
packages and files.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
Fixes a bug where month and day were in the wrong
order in the SPDX document date.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
This commit changes the way image references are treated when generating
an SBOM from an image reference. The spdx package will now fetch all
images for all architectures found in the index manifest and add all of
them as independent spdx sub packages contained in the main pkg, referenced
by their digest.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
This introduces the SPDX object interface. This is important as we will
start having functions that can take either packages or files, hence we
create the interface to address them both.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
This PR reworks the way we relate objects in the spdx package.
Instead of having a simple subpackage method, this commit
introduces a new Relationship type and a way to relate objects
among themselves via a new spdx.Object interface.

Both spdx.File and spdx.Package embed a new type Entity which
implements most of the SPDX Object interface. This simplifies the
code a lot as I was able to remove a lot of redundant functions.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
This commit fixes a bug where html entities were being introduced into the
spdx licenses and output. The code was wrongly using html/template instead of
text/template.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
This commit fixes a bug that was causing errors downloading go packages
by fixing two things:

1. When packages have no revision, i.e. are imported without specifying
a version, we now call the VCS at the latest revision; previously it
was calling go VCS with an empty string as revision.

2. We now pull packages without a version only when they are imported
that way. If we have a specific version we do not pull non versioned
packages anymore.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
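The html/template vs text/template bug described in the PR summary and in the sixth commit message, reproduced as an added example (not code from kubernetes/release); the SPDX tag-value fragment and the sample license notice are constructed for the illustration:

```go
package main

import (
	"bytes"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// Constructed sample license notice containing characters html/template escapes.
const sampleLicense = `Copyright (c) 2021 "Example Corp" <legal@example.com> & Contributors`
// Hypothetical tag-value SPDX fragment: the license text sits inside a <text> block.
const tmplSrc = "LicenseName: {{.Name}}\nExtractedText: <text>{{.Text}}</text>\n"

type licenseData struct{ Name, Text string }

// RenderWithHTMLTemplate reproduces the bug: html/template contextually escapes
// interpolated values, so quotes, '<', '>' and '&' come out as HTML entities.
func RenderWithHTMLTemplate(d licenseData) (string, error) {
	t, err := htmltemplate.New("spdx").Parse(tmplSrc)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, d)
	return buf.String(), err
}

// RenderWithTextTemplate is the fix: text/template writes the values verbatim.
func RenderWithTextTemplate(d licenseData) (string, error) {
	t, err := texttemplate.New("spdx").Parse(tmplSrc)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, d)
	return buf.String(), err
}

// HasHTMLEntities is a cheap regression check to run over generated SPDX output.
func HasHTMLEntities(s string) bool {
	for _, e := range []string{"&lt;", "&gt;", "&amp;", "&#34;", "&#39;"} {
		if strings.Contains(s, e) {
			return true
		}
	}
	return false
}
```

Entities in a license text change the bytes an SBOM consumer hashes and matches against the SPDX license list, so a check like HasHTMLEntities belongs in the generator's tests.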
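The SPDX ID generator and the date-order fix from the first two commit messages, illustrated with added helper code that is not the PR's implementation; NewSPDXID, ValidSPDXID and SPDXCreated are hypothetical names, and the ID charset and Created format follow the SPDX 2.2 specification:

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"regexp"
	"strings"
	"time"
)

// SPDX 2.2 restricts an SPDXID to "SPDXRef-" followed by letters, digits, '.' and '-'.
var (
	spdxIDRe = regexp.MustCompile(`^SPDXRef-[A-Za-z0-9.-]+$`)
	badRunes = regexp.MustCompile(`[^A-Za-z0-9.-]+`)
)

// NewSPDXID builds a valid SPDXID (hypothetical helper, not the PR's function).
// Seeds such as a package path and version give a readable, reproducible ID;
// with no usable seed it falls back to random bytes so IDs never collapse to "".
func NewSPDXID(seeds ...string) string {
	parts := make([]string, 0, len(seeds))
	for _, s := range seeds {
		if clean := strings.Trim(badRunes.ReplaceAllString(s, "-"), "-"); clean != "" {
			parts = append(parts, clean)
		}
	}
	if len(parts) == 0 {
		b := make([]byte, 8)
		if _, err := rand.Read(b); err != nil {
			panic(err) // a crypto/rand failure is not recoverable here
		}
		parts = append(parts, hex.EncodeToString(b))
	}
	return "SPDXRef-" + strings.Join(parts, "-")
}

// ValidSPDXID is the check to run on every generated ID before emitting a document.
func ValidSPDXID(id string) bool { return spdxIDRe.MatchString(id) }

// Go layouts are written against the reference time "Mon Jan 2 15:04:05 MST 2006":
// "01" is the month and "02" the day. Swapping them, as in swappedLayout, silently
// writes YYYY-DD-MM into the Created field, which is the kind of bug the PR fixes.
const (
	createdLayout = "2006-01-02T15:04:05Z" // SPDX Created: YYYY-MM-DDThh:mm:ssZ
	swappedLayout = "2006-02-01T15:04:05Z" // wrong: emits YYYY-DD-MM
)

func SPDXCreated(t time.Time) string { return t.UTC().Format(createdLayout) }
// SwappedCreated exists only to show the buggy output side by side with the fix.
func SwappedCreated(t time.Time) string { return t.UTC().Format(swappedLayout) }
```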
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. kind/feature Categorizes issue or PR as related to a new feature. labels Jun 29, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone Jun 29, 2021
@k8s-ci-robot k8s-ci-robot added needs-priority cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jun 29, 2021
@k8s-ci-robot k8s-ci-robot added area/release-eng Issues or PRs related to the Release Engineering subproject sig/release Categorizes an issue or PR as relevant to SIG Release. approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jun 29, 2021
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 2, 2021
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: puerco, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 6e3b30b into kubernetes:master Jul 2, 2021