feat: SBOM management (Fixes #1646)
Codecov Report
Merging #1912 (81d83f6) into main (64c1393) will decrease coverage by 6.32%. The diff coverage is n/a.
@@ Coverage Diff @@
## main #1912 +/- ##
==========================================
- Coverage 89.64% 83.32% -6.33%
==========================================
Files 316 489 +173
Lines 7226 8383 +1157
Branches 1176 1004 -172
==========================================
+ Hits 6478 6985 +507
- Misses 484 1129 +645
- Partials 264 269 +5
| Flag | Coverage Δ | |
|---|---|---|
| longtests | 79.47% <ø> (+0.64%) | :arrow_up: |
| win-longtests | 80.57% <ø> (-8.07%) | :arrow_down: |
Flags with carried forward coverage won't be shown.
| Impacted Files | Coverage Δ | |
|---|---|---|
| cve_bin_tool/data_sources/curl_source.py | 39.56% <0.00%> (-56.05%) | :arrow_down: |
| cve_bin_tool/nvd_api.py | 24.00% <0.00%> (-52.80%) | :arrow_down: |
| cve_bin_tool/cvedb.py | 43.00% <0.00%> (-43.69%) | :arrow_down: |
| cve_bin_tool/data_sources/nvd_source.py | 36.75% <0.00%> (-43.25%) | :arrow_down: |
| test/test_nvd_api.py | 50.87% <0.00%> (-40.36%) | :arrow_down: |
| cve_bin_tool/data_sources/osv_source.py | 51.25% <0.00%> (-39.12%) | :arrow_down: |
| test/test_cvedb.py | 65.38% <0.00%> (-34.62%) | :arrow_down: |
| test/test_scanner.py | 73.28% <0.00%> (-21.12%) | :arrow_down: |
| test/test_json.py | 73.33% <0.00%> (-16.67%) | :arrow_down: |
| test/test_cli.py | 80.14% <0.00%> (-8.59%) | :arrow_down: |
| ... and 226 more | | |
Whoops, my first attempt at a fix handled fixing the filename used for the checked in file but then broke the generated one because I wasn't paying enough attention. Committing another change to address that and see if I can get CI behaving.
Okay, now I've got it so the files differ, and I've got to run in a few minutes, so I'll leave the rest of the debugging up to you @anthonyharrison !
@terriko
There are lots of differences in the SBOM files, primarily due to changes to the implicit dependencies:
- frozenlist: Version changed from 1.3.0 to 1.3.1
- attrs: Version changed from 21.4.0 to 22.1.0
- charset-normalizer: Version changed from 2.0.10 to 2.1.1
- multidict: Version changed from 5.2.0 to 6.0.2
- yarl: Version changed from 1.7.2 to 1.8.1
- idna: Version changed from 2.10 to 3.3
- idna: License changed from NOASSERTION to BSD-3-Clause
- beautifulsoup4: Version changed from 4.10.0 to 4.11.1
- soupsieve: Version changed from 2.3.1 to 2.3.2.post1
- soupsieve: License changed from MIT to NOASSERTION
- distro: Version changed from 1.6.0 to 1.7.0
- gsutil: Version changed from 5.11 to 5.12
- pyparsing: Version changed from 3.0.6 to 3.0.9
- pyparsing: License changed from MIT to NOASSERTION
- cffi: Version changed from 1.15.0 to 1.15.1
- retry-decorator: Version changed from 2.0a1 to 1.1.1
- google-auth: Version changed from 2.9.1 to 2.11.0
- jinja2: Version changed from 3.0.3 to 3.1.2
- markupsafe: Version changed from 2.0.1 to 2.1.1
- jsonschema: Version changed from 4.4.0 to 4.14.0
- plotly: Version changed from 5.5.0 to 5.10.0
- requests: Version changed from 2.27.1 to 2.28.1
- certifi: Version changed from 2021.10.8 to 2022.6.15
- urllib3: Version changed from 1.26.8 to 1.26.12
- rich: Version changed from 11.0.0 to 12.5.1
- pygments: Version changed from 2.11.2 to 2.13.0
- xmlschema: Version changed from 1.9.2 to 2.0.2
- elementpath: Version changed from 2.4.0 to 3.0.2
- zstandard: Version changed from 0.17.0 to 0.18.0
I thought that pip install -r requirements.txt --upgrade would upgrade all of the packages but it only appears to be updating the following (which are the direct dependencies):
- Jinja2-3.1.2
- beautifulsoup4-4.11.1
- distro-1.7.0
- elementpath-3.0.2
- gsutil-5.12
- jsonschema-4.14.0
- plotly-5.10.0
- requests-2.28.1
- rich-12.5.1
- urllib3-1.26.12
- xmlschema-2.0.2
- zstandard-0.18.0
Will update the reference SBOM file so it should work but it will probably fail more often than not as the versions of the files will be continually changing. Maybe we need to make this workflow optional?
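The differences listed above are the kind of report a reference-SBOM check in CI produces when transitive dependencies drift. As an added illustration (not code from cve-bin-tool or this PR), the script below compares two SPDX tag-value SBOMs and emits one line per version or license change, plus added and removed packages, in the same wording as the list in this thread. The two SBOM texts are constructed samples; the tag names `PackageName`, `PackageVersion` and `PackageLicenseDeclared` are standard SPDX 2.x tag-value fields. The script always exits 0, which is the behaviour wanted when the check is only gathering data rather than gating the job.

```python
"""Compare two SPDX tag-value SBOMs and report version/license changes.

Added example, not part of cve-bin-tool or this PR. Both SBOMs below are
constructed sample inputs.
"""
from __future__ import annotations

from typing import Dict, List, Optional

# Constructed sample: the reference SBOM checked into the repository.
OLD_SBOM = """\
SPDXVersion: SPDX-2.2
PackageName: idna
PackageVersion: 2.10
PackageLicenseDeclared: NOASSERTION
PackageName: soupsieve
PackageVersion: 2.3.1
PackageLicenseDeclared: MIT
PackageName: frozenlist
PackageVersion: 1.3.0
PackageLicenseDeclared: Apache-2.0
"""

# Constructed sample: the SBOM freshly generated in CI.
NEW_SBOM = """\
SPDXVersion: SPDX-2.2
PackageName: idna
PackageVersion: 3.3
PackageLicenseDeclared: BSD-3-Clause
PackageName: soupsieve
PackageVersion: 2.3.2.post1
PackageLicenseDeclared: NOASSERTION
PackageName: zstandard
PackageVersion: 0.18.0
PackageLicenseDeclared: BSD-3-Clause
"""


def parse_packages(text: str) -> Dict[str, Dict[str, str]]:
    """Return {package_name: {"version": ..., "license": ...}} from tag-value text.

    Each PackageName line opens a new package record; PackageVersion and
    PackageLicenseDeclared lines that follow belong to that record until
    the next PackageName. Missing fields default to NOASSERTION.
    """
    packages: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            current = {"version": "NOASSERTION", "license": "NOASSERTION"}
            packages[value.lower()] = current
        elif current is not None and tag == "PackageVersion":
            current["version"] = value
        elif current is not None and tag == "PackageLicenseDeclared":
            current["license"] = value
    return packages


def diff_sboms(old_text: str, new_text: str) -> List[str]:
    """Return human-readable change lines; an empty list means no drift."""
    old, new = parse_packages(old_text), parse_packages(new_text)
    changes: List[str] = []
    # Packages that disappeared from or appeared in the dependency tree.
    for name in sorted(old.keys() - new.keys()):
        changes.append(f"{name}: Package removed (was {old[name]['version']})")
    for name in sorted(new.keys() - old.keys()):
        changes.append(f"{name}: Package added ({new[name]['version']})")
    # Packages present in both: report version and license changes.
    for name in sorted(old.keys() & new.keys()):
        for field, label in (("version", "Version"), ("license", "License")):
            if old[name][field] != new[name][field]:
                changes.append(
                    f"{name}: {label} changed from {old[name][field]} "
                    f"to {new[name][field]}"
                )
    return changes


if __name__ == "__main__":
    # Print the report but exit 0 regardless, so a data-gathering CI step
    # does not fail the job when the generated SBOM drifts from the reference.
    for line in diff_sboms(OLD_SBOM, NEW_SBOM):
        print(line)
```

Package names are lower-cased before comparison so that a generator emitting `Jinja2` and another emitting `jinja2` are treated as the same package; a license change to or from `NOASSERTION` is reported like any other change, since either direction is worth a human look.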
@terriko Added continue-on-error to the job and the job now runs to completion even when there is a difference detected. However, the overall job status is still a Fail.
Oh, right, github's continue-on-error is only what it says it is and the jobs will still fail. Hm. I don't think that's helpful. Let's see if we can put an || true or something in there for now so the diff prints but doesn't fail the job while we're just using it to gather data.
Alternatively: should we really be running this on every PR, or do we just want to run it on a timed job for the main branch? It might be less annoying to have it fail if it wasn't on PRs.
@terriko Updated to just generate and store SBOMs
Not sure from your comment: did you want to merge this now? It looks like it's at the point where it won't get in the way of our regular CI.
@terriko Let's merge it and see what happens. I have just changed the workflow to generate the SBOM on a schedule in the short-term while we work out what to do in the long term with the differences.