
[ocaml] opam support

Open prabhu opened this issue 2 years ago • 3 comments

opam.locked file has pinned versions.

https://github.com/facebook/infer/blob/54c6397a1a9b73f752e05bf933993bf849ff4bc9/opam/infer.opam.locked

Have to check if opam show command can be used to construct the dependency tree since the lock file appears quite rudimentary.

Questions for ocaml/opam developers

  • Many .opam files have no name or version for the parent component. Can these be made mandatory?
  • There is no concept of a group or namespace. There is a homepage, github.com in most cases, so there is some possibility of constructing a namespace to avoid collisions.
  • There are no hashes of any kind in the lock files. How can this be acceptable?
  • While opam lock command has --direct-only, this information is not persisted in the lock file, so a tool that parses the lock file directly has no clue how it was generated.

Useful links

  • https://opam.ocaml.org/doc/man/opam-lock.html
  • https://github.com/ocaml/opam/wiki/Spec-for-opam-lock-integration
  • https://github.com/janestreet/accessor/blob/master/accessor.opam

prabhu avatar Dec 26 '23 15:12 prabhu

Many .opam files have no name or version for the parent component. Can these be made mandatory?

I don't think this can be made mandatory. Some folks add the version from the git tag when publishing an opam package to a repository, and the .opam file itself has no version at all, or some "1.0" placeholder. The same is popular with Rust crates that are published from pipelines: the version number is overridden by the pipeline.

There is no concept of a group or namespace. There is a homepage, github.com in most cases, so there is some possibility of constructing a namespace to avoid collisions.

Opam has a notion of repository, and multiple repositories can be added. opam show outputs both the package version and the repository from which it comes. This repository can be thought of as a namespace.

There are no hashes of any kind in the lock files. How can this be acceptable?

Sadly this is true. There are some hashes for packages downloaded in local cache, see here for some info on that.

While opam lock command has --direct-only, this information is not persisted in the lock file, so a tool that parses the lock file directly has no clue how it was generated.

In the case of a CI pipeline which builds the project and needs to produce the SBOM, opam should probably be interrogated about the state of the dependency tree, versions, hash sums, etc. This will give precise information. Opam has a corresponding OCaml library to work with opam state; it's pretty straightforward to emit this kind of information. An "offline" SBOM for some repository without any opam environment seems challenging indeed.

Summoning some opam/ocaml people. cc @AltGr @avsm @kit-ty-kate

Would be great to see SBOM generation support for opam.

Lupus avatar Mar 05 '24 13:03 Lupus

One more link on opam supply chain https://github.com/ocaml/opam/wiki/Opam-supply-chain

Lupus avatar Mar 05 '24 13:03 Lupus

I suggest looking into opam switch export --full --freeze which creates a file that is independent of the opam-repository and includes the tarball checksums, build instruction, etc.

hannesm avatar Mar 05 '24 17:03 hannesm