Add new command to "diff" two BOM versions and produce JSON Patch output (RFC 6902) #33
Conversation
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
![sonatype-lift[bot]](https://avatars.githubusercontent.com/in/9843?s=60&v=4){kind=small}
cmd/diff.go
Outdated
| } | ||
|
|
||
| // Another JSON string | ||
| bRevisedData, err := ioutil.ReadFile(deltaFilename) |
There was a problem hiding this comment.
G304: Potential file inclusion via variable
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
cmd/diff.go
Outdated
| defer getLogger().Exit() | ||
|
|
||
| // Prepare your JSON string as `[]byte`, not `string` | ||
| bBaseData, err := ioutil.ReadFile(baseFilename) |
There was a problem hiding this comment.
G304: Potential file inclusion via variable
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
cmd/diff.go
Outdated
| switch format { | ||
| case FORMAT_TEXT: | ||
| var aJson map[string]interface{} | ||
| json.Unmarshal(bBaseData, &aJson) |
There was a problem hiding this comment.
G104: Errors unhandled.
❗❗ 2 similar findings have been found in this PR
🔎 Expand here to view all instances of this finding
| File Path | Line Number |
|---|---|
| cmd/diff.go | 122 |
| cmd/diff.go | 113 |
Visit the Lift Web Console to find more details in your report.
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
cmd/diff.go
Outdated
| } | ||
| }() | ||
|
|
||
| Diff(utils.GlobalFlags) |
There was a problem hiding this comment.
G104: Errors unhandled.
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
cmd/diff.go
Outdated
|
|
||
| "github.com/CycloneDX/sbom-utility/utils" | ||
| "github.com/spf13/cobra" | ||
| "github.com/yudai/gojsondiff" |
There was a problem hiding this comment.
ST1019: package "github.com/yudai/gojsondiff" is being imported more than once
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
cmd/diff.go
Outdated
|
|
||
| // TODO: Enable only for debug | ||
| deltas := d.Deltas() | ||
| debugDeltas(deltas, "") |
There was a problem hiding this comment.
G104: Errors unhandled.
❗❗ 3 similar findings have been found in this PR
🔎 Expand here to view all instances of this finding
| File Path | Line Number |
|---|---|
| cmd/diff.go | 159 |
| cmd/diff.go | 152 |
| cmd/diff.go | 146 |
Visit the Lift Web Console to find more details in your report.
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
cmd/diff.go
Outdated
| //deltaJson[d.Position.String()], err = f.formatObject(d.Deltas) | ||
| case *diff.Array: | ||
| fmt.Printf("%s[Array]: %v, PostPosition(): %v (Position: %s), # Deltas: %v\n", indent, pointer, pointer.PostPosition(), pointer.Position, len(pointer.Deltas)) | ||
| debugDeltas(pointer.Deltas, indent2) |
There was a problem hiding this comment.
G104: Errors unhandled.
❗❗ 2 similar findings have been found in this PR
🔎 Expand here to view all instances of this finding
| File Path | Line Number |
|---|---|
| cmd/diff.go | 213 |
| cmd/diff.go | 168 |
Visit the Lift Web Console to find more details in your report.
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
cmd/diff.go
Outdated
| return | ||
| } | ||
|
|
||
| func debugDeltas(deltas []diff.Delta, indent string) (err error) { |
There was a problem hiding this comment.
U1000: func debugDeltas is unused
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
| } | ||
|
|
||
| getLogger().Infof("Reading file (--input-revision): `%s` ...", deltaFilename) | ||
| bRevisedData, errReadDelta := ioutil.ReadFile(deltaFilename) |
There was a problem hiding this comment.
G304: Potential file inclusion via variable
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
|
|
||
| // JSON string as `[]byte`, not `string` | ||
| getLogger().Infof("Reading file (--input-file): `%s` ...", baseFilename) | ||
| bBaseData, errReadBase := ioutil.ReadFile(baseFilename) |
There was a problem hiding this comment.
G304: Potential file inclusion via variable
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
cmd/diff.go
Outdated
| }() | ||
|
|
||
| // JSON string as `[]byte`, not `string` | ||
| baseFilename = filepath.Clean(baseFilename) |
There was a problem hiding this comment.
GO-2023-1568: A path traversal vulnerability exists in filepath.Clean on Windows.
On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack.
After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b".
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
cmd/diff.go
Outdated
| }() | ||
|
|
||
| // JSON string as `[]byte`, not `string` | ||
| baseFilename, err = filepath.Abs(baseFilename) |
There was a problem hiding this comment.
GO-2023-1568: A path traversal vulnerability exists in filepath.Clean on Windows.
On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack.
After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b".
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
cmd/diff.go
Outdated
|
|
||
| getLogger().Infof("Reading file (--input-file): `%s` ...", baseFilename) | ||
| // #nosec G304 (suppress warning) | ||
| bBaseData, errReadBase := ioutil.ReadFile(filepath.Clean(baseFilename)) |
There was a problem hiding this comment.
GO-2023-1568: A path traversal vulnerability exists in filepath.Clean on Windows.
On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack.
After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b".
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
No description provided.