Convert our SPDX SBOMs to spdx+json. #740
Conversation
Codecov Report
@@ Coverage Diff @@
## main #740 +/- ##
=======================================
Coverage 51.38% 51.38%
=======================================
Files 44 44
Lines 3295 3295
=======================================
Hits 1693 1693
Misses 1390 1390
Partials 212 212
Continue to review full report at Codecov.
|
.github/workflows/sbom.yaml
Outdated
|
|
||
| java -jar ./spdx-tools-2.2.7-jar-with-dependencies.jar Verify sbom.txt | ||
| java -jar ./spdx-tools-2.2.7-jar-with-dependencies.jar Verify sbom.json |
There was a problem hiding this comment.
This jar has been deprecated for the new version of the tools. The new URL to download the new jar is:
https://github.com/spdx/tools-java/releases/download/v1.0.4/tools-java-1.0.4.zip
(the version is lower but the jar is newer)
There was a problem hiding this comment.
this was a big help, I think it caught a bunch of things we'd missed with the old tool 🙏
| Name: bi.Main.Path, | ||
| ID: mainPackageID, | ||
| // TODO: PackageSupplier: "Organization: " + bs.Main.Path | ||
| DownloadLocation: "https://" + bi.Main.Path, |
There was a problem hiding this comment.
This isn't very likely to work. Can we make this a proxy.golang.org URL? 🤔
There was a problem hiding this comment.
We used this before 🤔
I can TAL later, my tether time is up :)
| Version = "SPDX-2.2" | ||
| ) | ||
|
|
||
| type Document struct { |
There was a problem hiding this comment.
Nit since it's internal anyway but these types can be unexported
There was a problem hiding this comment.
I was trying to avoid touching this code too much. I was about to change, but remembered this is in internal/ so I'm sort of inclined to leave it. WDYT?
I mapped all of the fields from what we had to the new struct.
cc @imjasonh @jonjohnsonjr @puerco