feat(spdx): Deal with cycles in dependency relations
Circular dependency relations caused the SPDX package manager to run into a stack overflow. Avoid this by detecting cyclic dependencies and handling them gracefully. Signed-off-by: Oliver Heger <oliver.heger@bosch.io>
1 parent
d169fae
commit c9d2a49
Showing
4 changed files
with
354 additions
and
9 deletions.
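--- a/plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/cyclic-references/project-cyclic.spdx.yml
+++ b/plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/cyclic-references/project-cyclic.spdx.yml
@@ -0,0 +1,126 @@
+SPDXID: "SPDXRef-DOCUMENT"
+spdxVersion: "SPDX-2.2"
+creationInfo:
+  created: "2020-07-23T18:30:22Z"
+  creators:
+  - "Organization: Example Inc."
+  - "Person: Thomas Steenbergen"
+  licenseListVersion: "3.9"
+name: "xyz-0.1.0"
+dataLicense: "CC0-1.0"
+documentNamespace: "http://spdx.org/spdxdocs/spdx-document-xyz"
+documentDescribes:
+- "SPDXRef-Package-xyz"
+packages:
+- SPDXID: "SPDXRef-Package-xyz"
+  description: "Awesome product created by Example Inc."
+  copyrightText: "Copyright (C) 2020 Example Inc."
+  downloadLocation: "git+ssh://gitlab.example.com:3389/products/xyz.git@b2c358080011af6a366d2512a25a379fbe7b1f78"
+  filesAnalyzed: false
+  homepage: "https://example.com/products/xyz"
+  licenseConcluded: "NOASSERTION"
+  licenseDeclared: "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
+  name: "xyz"
+  versionInfo: "0.1.0"
+  originator: "Person: Thomas Steenbergen"
+- SPDXID: "SPDXRef-Package-abc-lib"
+  description: "Awesome library created by Example Inc."
+  copyrightText: "Copyright (C) 2020 Example Inc."
+  downloadLocation: "git+ssh://gitlab.example.com:3389/products/abc.git@b2c358080011af6a366d2512a25a379fbe7b1f78"
+  filesAnalyzed: false
+  homepage: "https://example.com/products/abc"
+  licenseConcluded: "NOASSERTION"
+  licenseDeclared: "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
+  name: "abc"
+  versionInfo: "0.1.1"
+  originator: "Person: Thomas Steenbergen"
+- SPDXID: "SPDXRef-Package-def-lib"
+  description: "Another awesome library created by Example Inc."
+  copyrightText: "Copyright (C) 2020 Example Inc."
+  downloadLocation: "git+ssh://gitlab.example.com:3389/products/def.git@b2c358080011af6a366d2512a25a379fbe7b1f78"
+  filesAnalyzed: false
+  homepage: "https://example.com/products/def"
+  licenseConcluded: "NOASSERTION"
+  licenseDeclared: "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
+  name: "def"
+  versionInfo: "0.1.0"
+  originator: "Person: Thomas Steenbergen"
+- SPDXID: "SPDXRef-Package-curl"
+  description: "A command line tool and library for transferring data with URL syntax, supporting \
+    HTTP, HTTPS, FTP, FTPS, GOPHER, TFTP, SCP, SFTP, SMB, TELNET, DICT, LDAP, LDAPS, MQTT, FILE, \
+    IMAP, SMTP, POP3, RTSP and RTMP. libcurl offers a myriad of powerful features."
+  copyrightText: "Copyright (c) 1996 - 2020, Daniel Stenberg, <daniel@haxx.se>, and many
+    contributors, see the THANKS file."
+  downloadLocation: "https://github.com/curl/curl/releases/download/curl-7_70_0/curl-7.70.0.tar.gz"
+  externalRefs:
+  - referenceCategory: "SECURITY"
+    referenceLocator: "cpe:2.3:a:http:curl:7.70.0:*:*:*:*:*:*:*"
+    referenceType: "cpe23Type"
+  filesAnalyzed: false
+  homepage: "https://curl.haxx.se/"
+  licenseConcluded: "NOASSERTION"
+  licenseDeclared: "curl"
+  name: "curl"
+  versionInfo: "7.70.0"
+  originator: "Person: Daniel Stenberg (daniel@haxx.se)"
+  packageFileName: "../libs/curl"
+- SPDXID: "SPDXRef-Package-openssl"
+  description: "OpenSSL is a robust, commercial-grade, full-featured Open Source Toolkit for the \
+    Transport Layer Security (TLS) protocol formerly known as the Secure Sockets Layer (SSL) \
+    protocol. The protocol implementation is based on a full-strength general purpose cryptographic \
+    library, which can also be used stand-alone."
+  copyrightText: "copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved."
+  downloadLocation: "git+ssh://github.com/openssl/openssl.git@e2e09d9fba1187f8d6aafaa34d4172f56f1ffb72"
+  externalRefs:
+  - referenceCategory: "PACKAGE_MANAGER"
+    referenceLocator: "pkg:a-name/openssl@1.1.1g"
+    referenceType: "purl"
+  - referenceCategory: "SECURITY"
+    referenceLocator: "cpe:2.3:a:a-name:openssl:1.1.1g:*:*:*:*:*:*:*"
+    referenceType: "cpe23Type"
+  filesAnalyzed: false
+  homepage: "https://www.openssl.org/"
+  licenseConcluded: "NOASSERTION"
+  licenseDeclared: "Apache-2.0"
+  name: "openssl"
+  versionInfo: "1.1.1g"
+  originator: "Organization: OpenSSL Development Team"
+  packageFileName: "../libs/openssl"
+- SPDXID: "SPDXRef-Package-zlib"
+  description: "zlib 1.2.11 is a general purpose data compression library."
+  copyrightText: "(C) 1995-2017 Jean-loup Gailly and Mark Adler"
+  downloadLocation: "http://zlib.net/zlib-1.2.11.tar.gz"
+  externalRefs:
+  - referenceCategory: "SECURITY"
+    referenceLocator: "cpe:/a:compress:zlib:1.2.11:::en-us"
+    referenceType: "cpe22Type"
+  filesAnalyzed: false
+  homepage: "http://zlib.net"
+  licenseConcluded: "NOASSERTION"
+  licenseDeclared: "Zlib"
+  name: "zlib"
+  versionInfo: "1.2.11"
+  originator: "Person: Mark Adler, Jean-loup Gailly"
+  packageFileName: "../libs/zlib"
+relationships:
+- spdxElementId: "SPDXRef-Package-curl"
+  relationshipType: "TEST_DEPENDENCY_OF"
+  relatedSpdxElement: "SPDXRef-Package-xyz"
+- spdxElementId: "SPDXRef-Package-xyz"
+  relationshipType: "DEPENDS_ON"
+  relatedSpdxElement: "SPDXRef-Package-openssl"
+- spdxElementId: "SPDXRef-Package-xyz"
+  relationshipType: "DYNAMIC_LINK"
+  relatedSpdxElement: "SPDXRef-Package-curl"
+- spdxElementId: "SPDXRef-Package-xyz"
+  relationshipType: "STATIC_LINK"
+  relatedSpdxElement: "SPDXRef-Package-zlib"
+- spdxElementId: "SPDXRef-Package-xyz"
+  relationshipType: "DYNAMIC_LINK"
+  relatedSpdxElement: "SPDXRef-Package-abc-lib"
+- spdxElementId: "SPDXRef-Package-abc-lib"
+  relationshipType: "DYNAMIC_LINK"
+  relatedSpdxElement: "SPDXRef-Package-def-lib"
+- spdxElementId: "SPDXRef-Package-def-lib"
+  relationshipType: "DEPENDS_ON"
+  relatedSpdxElement: "SPDXRef-Package-xyz"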
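Review bot: Nothing in the fixture says which relationships form the cycle it exists to exercise; a reader has to trace `DYNAMIC_LINK` xyz → abc-lib, `DYNAMIC_LINK` abc-lib → def-lib and `DEPENDS_ON` def-lib → xyz in the last three relationship entries to find it. A header comment would make the intent explicit, e.g. `# Synthetic document with a dependency cycle: xyz -> abc-lib -> def-lib -> xyz (the last three relationships).` Note also that curl is referenced twice from xyz, as a `TEST_DEPENDENCY_OF` source and as a `DYNAMIC_LINK` target, so the fixture also exercises a package reachable from two scopes; if that is not meant to be under test here, the second edge makes the expected output harder to reason about. No package declares checksums, which is presumably why the expected output carries empty artifact hashes; a short comment saying so would stop a later reader from taking the empty hashes for a defect in hash handling.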
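--- a/plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/spdx-project-cyclic-expected-output.yml
+++ b/plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/spdx-project-cyclic-expected-output.yml
@@ -0,0 +1,196 @@
+---
+project:
+  id: "SpdxDocumentFile::xyz:0.1.0"
+  definition_file_path: "<REPLACE_DEFINITION_FILE_PATH>"
+  authors:
+  - "Thomas Steenbergen"
+  declared_licenses:
+  - "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
+  declared_licenses_processed:
+    spdx_expression: "Apache-2.0 AND LicenseRef-Proprietary-ExampleInc AND curl"
+  vcs:
+    type: "Git"
+    url: "<REPLACE_URL_PROCESSED>"
+    revision: "<REPLACE_REVISION>"
+    path: "<REPLACE_PATH>"
+  vcs_processed:
+    type: "Git"
+    url: "<REPLACE_URL_PROCESSED>"
+    revision: "<REPLACE_REVISION>"
+    path: "<REPLACE_PATH>"
+  homepage_url: "https://example.com/products/xyz"
+  scopes:
+  - name: "default"
+    dependencies:
+    - id: "SpdxDocumentFile::abc:0.1.1"
+      dependencies:
+      - id: "SpdxDocumentFile::def:0.1.0"
+        dependencies:
+        - id: "SpdxDocumentFile::xyz:0.1.0"
+    - id: "SpdxDocumentFile::zlib:1.2.11"
+      linkage: "STATIC"
+    - id: "SpdxDocumentFile:OpenSSL Development Team:openssl:1.1.1g"
+  - name: "test"
+    dependencies:
+    - id: "SpdxDocumentFile::curl:7.70.0"
+packages:
+- id: "SpdxDocumentFile::abc:0.1.1"
+  purl: "pkg:generic/abc@0.1.1"
+  authors:
+  - "Thomas Steenbergen"
+  declared_licenses:
+  - "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
+  declared_licenses_processed:
+    spdx_expression: "Apache-2.0 AND LicenseRef-Proprietary-ExampleInc AND curl"
+  description: "Awesome library created by Example Inc."
+  homepage_url: "https://example.com/products/abc"
+  binary_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  source_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  vcs:
+    type: "Git"
+    url: "<REPLACE_URL>"
+    revision: "<REPLACE_REVISION>"
+    path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/cyclic-references"
+  vcs_processed:
+    type: "Git"
+    url: "<REPLACE_URL_PROCESSED>"
+    revision: "<REPLACE_REVISION>"
+    path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/cyclic-references"
+- id: "SpdxDocumentFile::curl:7.70.0"
+  purl: "pkg:generic/curl@7.70.0?download_url=https://github.com/curl/curl/releases/download/curl-7_70_0/curl-7.70.0.tar.gz"
+  cpe: "cpe:2.3:a:http:curl:7.70.0:*:*:*:*:*:*:*"
+  authors:
+  - "Daniel Stenberg (daniel@haxx.se)"
+  declared_licenses:
+  - "curl"
+  declared_licenses_processed:
+    spdx_expression: "curl"
+  description: "A command line tool and library for transferring data with URL syntax,\
+    \ supporting HTTP, HTTPS, FTP, FTPS, GOPHER, TFTP, SCP, SFTP, SMB, TELNET, DICT,\
+    \ LDAP, LDAPS, MQTT, FILE, IMAP, SMTP, POP3, RTSP and RTMP. libcurl offers a myriad\
+    \ of powerful features."
+  homepage_url: "https://curl.haxx.se/"
+  binary_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  source_artifact:
+    url: "https://github.com/curl/curl/releases/download/curl-7_70_0/curl-7.70.0.tar.gz"
+    hash:
+      value: ""
+      algorithm: ""
+  vcs:
+    type: "Git"
+    url: "<REPLACE_URL>"
+    revision: "<REPLACE_REVISION>"
+    path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/libs/curl"
+  vcs_processed:
+    type: "Git"
+    url: "<REPLACE_URL_PROCESSED>"
+    revision: "<REPLACE_REVISION>"
+    path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/libs/curl"
+- id: "SpdxDocumentFile::def:0.1.0"
+  purl: "pkg:generic/def@0.1.0"
+  authors:
+  - "Thomas Steenbergen"
+  declared_licenses:
+  - "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
+  declared_licenses_processed:
+    spdx_expression: "Apache-2.0 AND LicenseRef-Proprietary-ExampleInc AND curl"
+  description: "Another awesome library created by Example Inc."
+  homepage_url: "https://example.com/products/def"
+  binary_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  source_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  vcs:
+    type: "Git"
+    url: "<REPLACE_URL>"
+    revision: "<REPLACE_REVISION>"
+    path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/cyclic-references"
+  vcs_processed:
+    type: "Git"
+    url: "<REPLACE_URL_PROCESSED>"
+    revision: "<REPLACE_REVISION>"
+    path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/cyclic-references"
+- id: "SpdxDocumentFile::zlib:1.2.11"
+  purl: "pkg:generic/zlib@1.2.11?download_url=http://zlib.net/zlib-1.2.11.tar.gz"
+  cpe: "cpe:/a:compress:zlib:1.2.11:::en-us"
+  authors:
+  - "Jean-loup Gailly"
+  - "Mark Adler"
+  declared_licenses:
+  - "Zlib"
+  declared_licenses_processed:
+    spdx_expression: "Zlib"
+  description: "zlib 1.2.11 is a general purpose data compression library."
+  homepage_url: "http://zlib.net"
+  binary_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  source_artifact:
+    url: "http://zlib.net/zlib-1.2.11.tar.gz"
+    hash:
+      value: ""
+      algorithm: ""
+  vcs:
+    type: "Git"
+    url: "<REPLACE_URL>"
+    revision: "<REPLACE_REVISION>"
+    path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/libs/zlib"
+  vcs_processed:
+    type: "Git"
+    url: "<REPLACE_URL_PROCESSED>"
+    revision: "<REPLACE_REVISION>"
+    path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/libs/zlib"
+- id: "SpdxDocumentFile:OpenSSL Development Team:openssl:1.1.1g"
+  purl: "pkg:a-name/openssl@1.1.1g"
+  cpe: "cpe:2.3:a:a-name:openssl:1.1.1g:*:*:*:*:*:*:*"
+  authors:
+  - "OpenSSL Development Team"
+  declared_licenses:
+  - "Apache-2.0"
+  declared_licenses_processed:
+    spdx_expression: "Apache-2.0"
+  description: "OpenSSL is a robust, commercial-grade, full-featured Open Source Toolkit\
+    \ for the Transport Layer Security (TLS) protocol formerly known as the Secure\
+    \ Sockets Layer (SSL) protocol. The protocol implementation is based on a full-strength\
+    \ general purpose cryptographic library, which can also be used stand-alone."
+  homepage_url: "https://www.openssl.org/"
+  binary_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  source_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  vcs:
+    type: "Git"
+    url: "<REPLACE_URL>"
+    revision: "<REPLACE_REVISION>"
+    path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/libs/openssl"
+  vcs_processed:
+    type: "Git"
+    url: "<REPLACE_URL_PROCESSED>"
+    revision: "<REPLACE_REVISION>"
+    path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/libs/openssl"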
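Review bot: The cycle is cut by listing the project's own id `SpdxDocumentFile::xyz:0.1.0` as a plain leaf under def in the `default` scope, so a consumer of this result cannot tell a severed back-edge from a genuine dependency that simply has no further dependencies, and nothing in the expected output records that a cycle was detected. If the result format allows it, consider having the cycle handler attach an issue for the detected cycle, or at least state in the test that the self-reference is the intended marker so the expectation is not read as accidental. Separately, curl appears only under the `test` scope here although the fixture also declares a `DYNAMIC_LINK` from xyz to curl, the same relationship type that places abc-lib in `default`; if that single-scope placement is the intended behavior of the scope assignment it deserves a note in the test, and if not, this file would lock in a dropped edge. The empty `hash.value`/`algorithm` fields follow from the fixture declaring no checksums, so they are expected rather than a defect in this change.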