brew
feat: add generated SPDX file on bottling
- [x] Have you followed the guidelines in our Contributing document?
- [ ] Have you checked to ensure there aren't other open Pull Requests for the same change?
- [x] Have you added an explanation of what your changes do and why you'd like us to include them?
- [ ] Have you written new tests for your changes? Here's an example.
- [ ] Have you successfully run `brew style` with your changes locally?
- [ ] Have you successfully run `brew typecheck` with your changes locally?
- [ ] Have you successfully run `brew tests` with your changes locally?
Attached is an example SBOM. spdx.sbom.json
This should allow us to have some more tracking of what goes into our bottles, but also allow others to have some insight into it.
feels a bit weird this living on Tab when it's got little in common there
Yeah, I was considering splitting it out of tab, but it is sort of the same thing so wanted to get it public first.
do we have requests for these files anywhere you can link to?
No, but I can see the tooling being available in the larger ecosystem be useful. And I chatted with some people about this and they seemed interested. @gdams for example.
> Yeah, I was considering splitting it out of tab, but it is sort of the same thing so wanted to get it public first.
Cool, all good, as long as done before merged 👍🏻
> No, but I can see the tooling being available in the larger ecosystem be useful. And I chatted with some people about this and they seemed interested. @gdams for example.
I think this is the sort of thing I'd like to see some more requests for before we consider integration here.
Yeah this is certainly something that I see to be useful in homebrew. With the significant pressure companies/projects are being put under to provide SBOMs it would be useful for projects to be able to easily determine the exact set of deps in homebrew formulas.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
> Attached is an example SBOM. spdx.sbom.json

The resulting data structure seems invalid to the SPDX 2.3 JSON schema. Tested with https://www.jsonschemavalidator.net/ and https://www.liquid-technologies.com/online-json-schema-validator
New generated SBOM: sbom.spdx.json
That should pass validation and have some more information than the previous one.
uses `JSONSchemer.schema` (like `github_packages.rb`) to do schema validation on write
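As an added illustration (not the PR's code and not Homebrew's), the shape the thread is converging on: an SPDX 2.3-style document built for a bottle and its dependencies, plus a structural check of the kind a schema validator is meant to catch. `BOTTLE`, `build_sbom`, `validate_sbom` and the `REQUIRED` subset are hypothetical; `REQUIRED` is a hand-picked subset of the SPDX 2.3 schema's required keys, not the full schema.

```ruby
require "time"

# Constructed bottle metadata for a hypothetical formula (not Homebrew's own data).
BOTTLE = { name: "example-formula", version: "1.2.3",
           dependencies: [{ name: "libdep", version: "4.5.6" }] }.freeze

# Build an SPDX 2.3-shaped document: one package per bottle and dependency,
# a DESCRIBES edge for the root and DEPENDS_ON edges for each dependency.
def build_sbom(bottle, created: Time.now.utc)
  id = ->(p) { "SPDXRef-#{p[:name]}-#{p[:version]}".gsub(/[^A-Za-z0-9.-]/, "-") }
  pkgs = [bottle] + bottle[:dependencies]
  {
    "spdxVersion" => "SPDX-2.3", "dataLicense" => "CC0-1.0", "SPDXID" => "SPDXRef-DOCUMENT",
    "name" => "#{bottle[:name]}-#{bottle[:version]}",
    "documentNamespace" => "https://example.invalid/spdx/#{bottle[:name]}-#{bottle[:version]}",
    "creationInfo" => { "created" => created.iso8601, "creators" => ["Tool: example-sbom-0.1"] },
    "packages" => pkgs.map { |p|
      { "SPDXID" => id.call(p), "name" => p[:name], "versionInfo" => p[:version],
        "downloadLocation" => "NOASSERTION", "filesAnalyzed" => false }
    },
    "relationships" => pkgs.each_with_index.map { |p, i|
      { "spdxElementId" => i.zero? ? "SPDXRef-DOCUMENT" : id.call(bottle),
        "relationshipType" => i.zero? ? "DESCRIBES" : "DEPENDS_ON", "relatedSpdxElement" => id.call(p) }
    },
  }
end

# Hand-written subset of the SPDX 2.3 JSON schema's "required" keys (an assumption,
# not the full schema); a real validator such as JSONSchemer should cover the rest.
REQUIRED = { "" => %w[spdxVersion dataLicense SPDXID name documentNamespace creationInfo],
             "creationInfo" => %w[created creators], "packages" => %w[SPDXID name downloadLocation],
             "relationships" => %w[spdxElementId relationshipType relatedSpdxElement] }.freeze

# Returns a list of problems; an empty list means the structural checks passed.
def validate_sbom(doc)
  errors = []
  REQUIRED.each do |path, keys|
    objs = path.empty? ? [doc] : doc.fetch(path, [])
    objs = [objs] if objs.is_a?(Hash)
    objs.each { |o| (keys - o.keys).each { |k| errors << "#{path.empty? ? "document" : path}: missing #{k}" } }
  end
  ids = doc.fetch("packages", []).map { |p| p["SPDXID"] } << doc["SPDXID"]
  ids.each { |i| errors << "bad SPDXID #{i.inspect}" unless i.to_s.match?(/\ASPDXRef-[A-Za-z0-9.-]+\z/) }
  doc.fetch("relationships", []).each do |r|
    r.values_at("spdxElementId", "relatedSpdxElement").each { |i| errors << "dangling #{i}" unless ids.include?(i) }
  end
  errors
end
```

The dangling-reference check is the sort of problem a required-keys schema alone does not surface: every `DEPENDS_ON` edge must point at a package the document actually lists.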
Didn't know we had that, it sounds awesome. Do we use that for the API already? Otherwise I'm adding that to my list.
> Didn't know we had that, it sounds awesome.
It is good for catching problems for sure.
> Do we use that for the API already?
No(t yet). We'd need to create and publish a schema, too. Might want to sync up with @apainintheneck and save this for API v3 rather than create a v2 schema that won't be around in a year.
I sent @SMillerDev some info but honestly API v3 still seems a ways off since the way we handle dependencies for formulae is still undecided and cask v3 is currently blocked by potential scope creep. Either we hold off on validating API v2 for now or we add validation knowing it might get removed in a few months.
Does anyone know where stdlib information comes from in the install tab etc? Or is that only for Linux and that's why I can't find it?
Any suggestions to fix this?
```
Error: bottling failed
Error: cannot load such file -- json_schemer
```
Now this is in the test
```
Error: cannot load such file -- json_schemer
```
@Bo98 may be able to help out here
Because `json_schemer` is only a part of the `pr_upload` group. You would need to create a `bottle` group, add it there too and update `brew bottle` to `install_bundler_gems!` that group (and potentially update test-bot's install for that too).
Since we want to use it for bottle and also for API generation, wouldn't a broader install be better?
We cannot vendor it for all as it unfortunately depends on a native extension (via `simpleidn` -> `unf` -> `unf_ext`).
We already have `rexml` in multiple groups so it isn't really a problem having it in potentially many groups.
I think/hope this is ready for a final review
Not sure how to resolve this
```
Library/Homebrew/sbom.rb:79:5: C: Homebrew/InstallBundlerGems: Only use Homebrew.install_bundler_gems! in dev-cmd.
    Homebrew.install_bundler_gems!(groups: ["bottle"])
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
```

> Not sure how to resolve this
Need to move that call to the relevant dev-cmd instead, e.g. `bottle`.
Okay, after my latest changes it definitely hits those paths, but I guess codecov isn't based on the online run?
> Okay, after my latest changes it definitely hits those paths, but I guess codecov isn't based on the online run?
It should be: https://github.com/Homebrew/brew/actions/runs/8973658512/job/24644407661?pr=16594#step:13:52
We don't run online tests on macOS in case that's it?
CC @Bo98 for ideas.
Checked the patches and simplified the test a little bit since I think it ran as generic (and would never take those patches). I think we're good to merge now.