sbom/spdx: add SPDX decoder#1745
Closed
BradLugo wants to merge 2033 commits into quay:gh-pages from
Conversation
This updaterset is no longer used as Red Hat's OVAL data is seen as deprecated. Its functionality is replaced with the rhel/vex.Factory which is reading data from Red Hat's VEX files. Signed-off-by: crozzy <joseph.crosland@gmail.com>
The pulp package was used by the removed rhel OVAL updaterset, it is not used by any other part of the codebase. Signed-off-by: crozzy <joseph.crosland@gmail.com>
These remnants were left over from the earlier cleanup work. Signed-off-by: crozzy <joseph.crosland@gmail.com>
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.38.0 to 1.38.2. - [Commits](https://gitlab.com/cznic/sqlite/compare/v1.38.0...v1.38.2) --- updated-dependencies: - dependency-name: modernc.org/sqlite dependency-version: 1.38.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the golang-x group with 5 updates: | Package | From | To | | --- | --- | --- | | [golang.org/x/crypto](https://github.com/golang/crypto) | `0.40.0` | `0.41.0` | | [golang.org/x/net](https://github.com/golang/net) | `0.42.0` | `0.43.0` | | [golang.org/x/sys](https://github.com/golang/sys) | `0.34.0` | `0.35.0` | | [golang.org/x/text](https://github.com/golang/text) | `0.27.0` | `0.28.0` | | [golang.org/x/tools](https://github.com/golang/tools) | `0.35.0` | `0.36.0` | Updates `golang.org/x/crypto` from 0.40.0 to 0.41.0 - [Commits](golang/crypto@v0.40.0...v0.41.0) Updates `golang.org/x/net` from 0.42.0 to 0.43.0 - [Commits](golang/net@v0.42.0...v0.43.0) Updates `golang.org/x/sys` from 0.34.0 to 0.35.0 - [Commits](golang/sys@v0.34.0...v0.35.0) Updates `golang.org/x/text` from 0.27.0 to 0.28.0 - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.27.0...v0.28.0) Updates `golang.org/x/tools` from 0.35.0 to 0.36.0 - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.35.0...v0.36.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.41.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/net dependency-version: 0.43.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/sys dependency-version: 0.35.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/text dependency-version: 0.28.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/tools dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x ... Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4...v5) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [go.uber.org/mock](https://github.com/uber/mock) from 0.5.2 to 0.6.0. - [Release notes](https://github.com/uber/mock/releases) - [Changelog](https://github.com/uber-go/mock/blob/main/CHANGELOG.md) - [Commits](uber-go/mock@v0.5.2...v0.6.0) --- updated-dependencies: - dependency-name: go.uber.org/mock dependency-version: 0.6.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.22.0 to 1.23.0. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](prometheus/client_golang@v1.22.0...v1.23.0) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-version: 1.23.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/ulikunitz/xz](https://github.com/ulikunitz/xz) from 0.5.11 to 0.5.14. - [Commits](ulikunitz/xz@v0.5.11...v0.5.14) --- updated-dependencies: - dependency-name: github.com/ulikunitz/xz dependency-version: 0.5.14 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: RTann <rtannenb@redhat.com> rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED
Bumps [github.com/ulikunitz/xz](https://github.com/ulikunitz/xz) from 0.5.14 to 0.5.15. - [Commits](ulikunitz/xz@v0.5.14...v0.5.15) --- updated-dependencies: - dependency-name: github.com/ulikunitz/xz dependency-version: 0.5.15 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the otel group with 1 update: [go.opentelemetry.io/otel/trace](https://github.com/open-telemetry/opentelemetry-go). Updates `go.opentelemetry.io/otel/trace` from 1.37.0 to 1.38.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.37.0...v1.38.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/trace dependency-version: 1.38.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: otel ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/github-script](https://github.com/actions/github-script) from 7 to 8. - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@v7...v8) --- updated-dependencies: - dependency-name: actions/github-script dependency-version: '8' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the golang-x group with 2 updates in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto) and [golang.org/x/time](https://github.com/golang/time). Updates `golang.org/x/crypto` from 0.41.0 to 0.42.0 - [Commits](golang/crypto@v0.41.0...v0.42.0) Updates `golang.org/x/sync` from 0.16.0 to 0.17.0 - [Commits](golang/sync@v0.16.0...v0.17.0) Updates `golang.org/x/sys` from 0.35.0 to 0.36.0 - [Commits](golang/sys@v0.35.0...v0.36.0) Updates `golang.org/x/text` from 0.28.0 to 0.29.0 - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.28.0...v0.29.0) Updates `golang.org/x/time` from 0.12.0 to 0.13.0 - [Commits](golang/time@v0.12.0...v0.13.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.42.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/sync dependency-version: 0.17.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/sys dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/text dependency-version: 0.29.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x - dependency-name: golang.org/x/time dependency-version: 0.13.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x ... Signed-off-by: dependabot[bot] <support@github.com>
Previously, a cassandra tar.gz was used that was hosted at archive.apache.org. Downloads from the domain are extremely slow and time-out the CI process. orientdb-community is served from maven central and has a similar composition to the cassandra bundle. Signed-off-by: crozzy <joseph.crosland@gmail.com>
Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.23.0 to 1.23.2. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](prometheus/client_golang@v1.23.0...v1.23.2) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-version: 1.23.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5 to 6. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@v5...v6) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
It was annoying as PRs that needed changelog entries were being displayed without line breaks so it was difficult to parse. Signed-off-by: crozzy <joseph.crosland@gmail.com> Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Signed-off-by: RTann <rtannenb@redhat.com> rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED
Because of the order differences in the JSON keys of the data between v1.1 and v2 the hashing mechanism doesn't recognize new v2 rows as duplicates. This change removes the old CVSS enricher data before the v2 CVSS updater runs. Signed-off-by: crozzy <joseph.crosland@gmail.com>
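An added illustration of the key-order problem this commit describes (example code written for this page, not claircore's enricher or hashing code; the two CVSS records and their field names are constructed): a digest over the stored bytes makes the v1.1 and v2 layouts look like different rows, while a digest over a canonical re-encoding does not.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Two constructed CVSS enrichment records carrying the same data with
// different key order, standing in for the v1.1 and v2 feed layouts.
const (
	recordV11 = `{"cve":"CVE-2021-0001","score":7.5,"vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P"}`
	recordV2  = `{"vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","score":7.5,"cve":"CVE-2021-0001"}`
)

// RawHash is the naive dedup key: a digest of the bytes as stored. Any
// change in key order, whitespace or number formatting changes it.
func RawHash(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// CanonicalHash digests a canonical re-encoding instead: decode into
// generic values (keeping numbers as their original text) and re-marshal.
// encoding/json emits map keys sorted and without insignificant whitespace,
// so objects that differ only in key order produce the same digest.
func CanonicalHash(b []byte) (string, error) {
	dec := json.NewDecoder(bytes.NewReader(b))
	dec.UseNumber()
	var v any
	if err := dec.Decode(&v); err != nil {
		return "", fmt.Errorf("canonical hash: %w", err)
	}
	if dec.More() {
		return "", fmt.Errorf("canonical hash: trailing data after JSON value")
	}
	canon, err := json.Marshal(v)
	if err != nil {
		return "", err
	}
	return RawHash(canon), nil
}

func main() {
	h1, _ := CanonicalHash([]byte(recordV11))
	h2, _ := CanonicalHash([]byte(recordV2))
	fmt.Println("raw equal:      ", RawHash([]byte(recordV11)) == RawHash([]byte(recordV2)))
	fmt.Println("canonical equal:", h1 == h2)
}
```

Canonicalizing is order-insensitive but not fully semantic: with UseNumber, 7.5 and 7.50 still hash differently, as do \u escapes versus literal characters. When a producer changes its layout between versions, removing the old rows before the new updater runs, as the commit does, avoids depending on any such equivalence.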
When updating the enrichment entries there is an association query that contains a sub-query to look up an enrichment's ID based on the hash_kind, hash and updater. This query was causing the planner to prefer the updater index (which is pretty much all the records) and not the hash_kind, hash index. Because there is already a unique constraint on hash_kind, hash the updater condition was redundant and could be removed. Signed-off-by: crozzy <joseph.crosland@gmail.com>
It's possible for the bulk updating to leave the table stats in an unrepresentative way. This means that subsequent queries (be they updates, gets or deletes) run very slow and hold table locks for an unreasonable period of time. This change manually performs ANALYSIS to keep the table stats up to date. Signed-off-by: crozzy <joseph.crosland@gmail.com>
Add GeneratePURL and ParsePURL to translate from IndexRecord to Maven PURLs and back. The group ID is extracted from the Package.Name and used as the PURL Namespace. Signed-off-by: crozzy <joseph.crosland@gmail.com>
Add GeneratePURL and ParsePURL to translate from IndexRecord to PURL and back. Signed-off-by: crozzy <joseph.crosland@gmail.com>
Add GeneratePURL and ParsePURL to translate from IndexRecord to PURL and back. Signed-off-by: crozzy <joseph.crosland@gmail.com>
Add GeneratePURL and ParsePURL to translate from IndexRecord to PURL and back. Signed-off-by: crozzy <joseph.crosland@gmail.com>
Add GeneratePURL and ParsePURL to translate from IndexRecord to PURL and back. Signed-off-by: crozzy <joseph.crosland@gmail.com>
Add GeneratePURL and ParsePURL to translate from IndexRecord to PURL and back. Uses distro qualifier to pass DID-VERSION but also supports distro_cpe as SUSE is a distro that includes a CPE in their os-release file. Signed-off-by: crozzy <joseph.crosland@gmail.com>
Add GeneratePURL and ParsePURL to translate from IndexRecord to PURL and back. Uses distro qualifier to pass DID-VERSION but also supports distro_cpe as amazon linux is a distro that includes a CPE in their os-release file. Signed-off-by: crozzy <joseph.crosland@gmail.com>
Add GeneratePURL and ParsePURL to translate from IndexRecord to PURL and back. Signed-off-by: crozzy <joseph.crosland@gmail.com>
Add GeneratePURL and ParsePURL to translate from IndexRecord to PURL and back. Signed-off-by: crozzy <joseph.crosland@gmail.com>
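A worked example of the GeneratePURL/ParsePURL round trip these commits describe, added for this page (it is not claircore's implementation and does not use packageurl-go; IndexRecord here is a constructed stand-in with only the fields a PURL needs). It covers the Maven case, where the group ID becomes the namespace, and the distro case, where DID-VERSION travels in a distro qualifier and a CPE in distro_cpe.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// IndexRecord is a constructed stand-in for the fields a PURL carries, not claircore's IndexRecord.
type IndexRecord struct {
	Type       string            // purl type: rpm, maven, ...
	Namespace  string            // Maven groupId, rpm vendor, or empty
	Name       string
	Version    string
	Qualifiers map[string]string // e.g. distro=rhel-9, distro_cpe=cpe:/o:...
}

// segment percent-encodes one path component; '@' too, so ParsePURL can split the version on the last '@'.
func segment(s string) string {
	return strings.ReplaceAll(url.PathEscape(s), "@", "%40")
}

// GeneratePURL renders pkg:type/namespace/name@version?k=v&... with the
// qualifiers in sorted key order, so equal records yield equal strings.
func GeneratePURL(r IndexRecord) (string, error) {
	if r.Type == "" || r.Name == "" {
		return "", fmt.Errorf("purl: type and name are required")
	}
	var b strings.Builder
	b.WriteString("pkg:" + r.Type + "/")
	if r.Namespace != "" {
		b.WriteString(segment(r.Namespace) + "/")
	}
	b.WriteString(segment(r.Name))
	if r.Version != "" {
		b.WriteString("@" + segment(r.Version))
	}
	keys := make([]string, 0, len(r.Qualifiers))
	for k := range r.Qualifiers {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	sep := "?"
	for _, k := range keys {
		b.WriteString(sep + k + "=" + url.QueryEscape(r.Qualifiers[k]))
		sep = "&"
	}
	return b.String(), nil
}

// ParsePURL inverts GeneratePURL. Subpaths (#...) are not handled here.
func ParsePURL(s string) (IndexRecord, error) {
	var r IndexRecord
	if !strings.HasPrefix(s, "pkg:") {
		return r, fmt.Errorf("purl: missing pkg: scheme in %q", s)
	}
	rest, query, _ := strings.Cut(s[len("pkg:"):], "?")
	typ, path, ok := strings.Cut(rest, "/")
	if !ok || typ == "" || path == "" {
		return r, fmt.Errorf("purl: missing type or name in %q", s)
	}
	r.Type = typ
	var err error
	if i := strings.LastIndexByte(path, '@'); i >= 0 {
		if r.Version, err = url.PathUnescape(path[i+1:]); err != nil {
			return r, err
		}
		path = path[:i]
	}
	if i := strings.LastIndexByte(path, '/'); i >= 0 {
		if r.Namespace, err = url.PathUnescape(path[:i]); err != nil {
			return r, err
		}
		path = path[i+1:]
	}
	if r.Name, err = url.PathUnescape(path); err != nil || r.Name == "" {
		return r, fmt.Errorf("purl: bad name in %q: %v", s, err)
	}
	if query != "" {
		r.Qualifiers = make(map[string]string)
		for _, kv := range strings.Split(query, "&") {
			k, v, ok := strings.Cut(kv, "=")
			if !ok || k == "" {
				return r, fmt.Errorf("purl: malformed qualifier %q in %q", kv, s)
			}
			if r.Qualifiers[k], err = url.QueryUnescape(v); err != nil {
				return r, err
			}
		}
	}
	return r, nil
}

func main() {
	s, _ := GeneratePURL(IndexRecord{Type: "maven", Namespace: "org.apache.logging.log4j", Name: "log4j-core", Version: "2.17.1"})
	back, _ := ParsePURL(s)
	fmt.Printf("%s\n%+v\n", s, back)
}
```

Qualifier keys are emitted sorted and every path segment is percent-encoded, so two records that differ only in map iteration order, or that carry ':' and '/' inside a CPE, still produce byte-identical PURLs; ParsePURL rejects strings without the pkg: scheme, with an empty name, or with a qualifier lacking '='. The full packageurl specification (subpaths, per-type normalization rules) is out of scope for this example.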
There are now versions 4 and 5 that should be referenced in the code because this is not an updater that supports dynamic distribution discovery (yet). Signed-off-by: crozzy <joseph.crosland@gmail.com>
Signed-off-by: Mark Frost <frostmar@uk.ibm.com>
Bumps [github.com/klauspost/compress](https://github.com/klauspost/compress) from 1.18.2 to 1.18.3. - [Release notes](https://github.com/klauspost/compress/releases) - [Commits](klauspost/compress@v1.18.2...v1.18.3) --- updated-dependencies: - dependency-name: github.com/klauspost/compress dependency-version: 1.18.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/spdx/tools-golang](https://github.com/spdx/tools-golang) from 0.5.6 to 0.5.7. - [Release notes](https://github.com/spdx/tools-golang/releases) - [Changelog](https://github.com/spdx/tools-golang/blob/main/RELEASE-NOTES.md) - [Commits](spdx/tools-golang@v0.5.6...v0.5.7) --- updated-dependencies: - dependency-name: github.com/spdx/tools-golang dependency-version: 0.5.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
This adds support for cases where the rpm header blobs are small enough to be stored in-line instead of in dedicated "overflow" pages. Signed-off-by: Hank Donnay <hdonnay@redhat.com> See-also: https://issues.redhat.com/browse/CLAIRDEV-229
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
The matching logic requires that a claircore.Package contain a non-nil Source field value. Signed-off-by: Brad Lugo <blugo@redhat.com>
Prepare for decoder implementation: - Extract Format and Version types to shared spdx.go - Rename Option to EncoderOption to distinguish from future DecoderOption Signed-off-by: Brad Lugo <blugo@redhat.com>
Note for reviewers: while the SBOMs in the test data are real, it might not be worth committing the files given their size. Let me know what y'all think.
Adds a Decoder interface to the sbom package and implements an SPDX JSON decoder that converts SPDX documents back to IndexReport format. Includes round-trip tests and test coverage with real-world SPDX documents from Konflux. Signed-off-by: Brad Lugo <blugo@redhat.com>
This was referenced Jan 27, 2026
GitHub wasn't updating this PR's commit diff after #1744 was merged. To attempt to "refresh" it, I decided to switch to a different base branch, intending to switch it back and check whether GitHub could correctly figure out the difference. Apparently, I chose a branch that doesn't share a common ancestor with my branch, so GitHub force-closed this PR, and I can't reopen or change the base branch here. Please review #1746 instead.
Adds a Decoder interface to the sbom package and implements an SPDX JSON decoder that converts SPDX documents back to IndexReport format. There's also an encoder refactoring patch to make the decoder implementation a bit nicer.
Requires #1744.
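As an added example of the decoder's job (illustrative code for this page, not the PR's sbom.Decoder or claircore's types; the SPDX document is constructed rather than one of the Konflux fixtures, and using GENERATED_FROM relationships to recover binary-to-source links is an assumption about how the encoder wrote them): parse the SPDX 2.x JSON, lift each package's purl external reference, resolve source packages through relationships, and guarantee a non-nil Source on every package, which is the requirement the matching logic imposes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// Only the SPDX 2.x JSON fields this decoder reads; everything else is ignored.
type spdxDoc struct {
	SPDXVersion string `json:"spdxVersion"`
	Packages    []struct {
		ID           string `json:"SPDXID"`
		Name         string `json:"name"`
		Version      string `json:"versionInfo"`
		ExternalRefs []struct {
			Type    string `json:"referenceType"`
			Locator string `json:"referenceLocator"`
		} `json:"externalRefs"`
	} `json:"packages"`
	Relationships []struct {
		From string `json:"spdxElementId"`
		Type string `json:"relationshipType"`
		To   string `json:"relatedSpdxElement"`
	} `json:"relationships"`
}
// Package and IndexReport are constructed stand-ins for the claircore types.
type Package struct {
	Name, Version, Arch, PURL string
	Source                    *Package // matching requires this to be non-nil
}
type IndexReport struct {
	Packages map[string]*Package // keyed by SPDXID
}

// DecodeSPDX turns an SPDX 2.x JSON document into an IndexReport. Binary-to-source
// links are assumed to be expressed as GENERATED_FROM relationships.
func DecodeSPDX(r io.Reader) (*IndexReport, error) {
	var doc spdxDoc
	if err := json.NewDecoder(r).Decode(&doc); err != nil {
		return nil, fmt.Errorf("spdx: %w", err)
	}
	if !strings.HasPrefix(doc.SPDXVersion, "SPDX-2.") {
		return nil, fmt.Errorf("spdx: unsupported spdxVersion %q", doc.SPDXVersion)
	}
	rep := &IndexReport{Packages: make(map[string]*Package)}
	for _, p := range doc.Packages {
		if _, dup := rep.Packages[p.ID]; p.ID == "" || dup {
			return nil, fmt.Errorf("spdx: missing or duplicate SPDXID %q", p.ID)
		}
		pkg := &Package{Name: p.Name, Version: p.Version}
		for _, ref := range p.ExternalRefs {
			if ref.Type != "purl" {
				continue
			}
			// url.Parse keeps "pkg:rpm/..." as an opaque URL but still splits off the query.
			u, err := url.Parse(ref.Locator)
			if err != nil {
				return nil, fmt.Errorf("spdx: bad purl on %s: %w", p.ID, err)
			}
			pkg.PURL, pkg.Arch = ref.Locator, u.Query().Get("arch")
		}
		rep.Packages[p.ID] = pkg
	}
	// "A GENERATED_FROM B" means B is A's source. A dangling ID is an error rather
	// than silently skipped, because a missing Source changes what the matcher reports.
	for _, rel := range doc.Relationships {
		if rel.Type != "GENERATED_FROM" {
			continue
		}
		bin, src := rep.Packages[rel.From], rep.Packages[rel.To]
		if bin == nil || src == nil {
			return nil, fmt.Errorf("spdx: GENERATED_FROM refers to unknown element (%s -> %s)", rel.From, rel.To)
		}
		bin.Source = src
	}
	for _, pkg := range rep.Packages { // the matcher needs a non-nil Source
		if pkg.Source == nil {
			pkg.Source = &Package{}
		}
	}
	return rep, nil
}

// sampleSPDX is a constructed document, not one of the PR's Konflux fixtures.
const sampleSPDX = `{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"example-image","packages":[
{"SPDXID":"SPDXRef-Package-openssl","name":"openssl","versionInfo":"3.0.7-27.el9","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:rpm/redhat/openssl@3.0.7-27.el9?arch=x86_64&distro=rhel-9"}]},
{"SPDXID":"SPDXRef-Package-openssl-src","name":"openssl","versionInfo":"3.0.7-27.el9","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:rpm/redhat/openssl@3.0.7-27.el9?arch=src&distro=rhel-9"}]},
{"SPDXID":"SPDXRef-Package-zlib","name":"zlib","versionInfo":"1.2.11-40.el9","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:rpm/redhat/zlib@1.2.11-40.el9?arch=x86_64&distro=rhel-9"}]}],
"relationships":[{"spdxElementId":"SPDXRef-Package-openssl","relationshipType":"GENERATED_FROM","relatedSpdxElement":"SPDXRef-Package-openssl-src"}]}`

func main() {
	rep, err := DecodeSPDX(strings.NewReader(sampleSPDX))
	if err != nil {
		panic(err)
	}
	fmt.Println(len(rep.Packages), "packages; openssl source arch:", rep.Packages["SPDXRef-Package-openssl"].Source.Arch)
}
```

Two failure modes are handled explicitly because they change scan results rather than just crashing: a relationship pointing at an SPDXID that is not in the document is rejected instead of being dropped, and a package that has no source relationship is given an empty Source so the non-nil requirement holds for every entry. Documents declaring anything other than SPDX-2.x are refused up front, since the JSON shape of SPDX 3 is different.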