
cyclonedxxml predicate type

Open chaospuppy opened this issue 3 years ago • 9 comments

Summary

This adds the ability to unmarshal xml-formatted CycloneDX SBOMs and add them as attestation payloads. Previously it was a little ambiguous as to which file format was expected for cyclonedx predicate types, and this removes that ambiguity.

Closes #2230

Release Note

Updates available cosign attest --type options to include cyclonedxxml. --type cyclonedx is unaffected and still expects a JSON formatted CycloneDX SBOM.

Documentation

chaospuppy avatar Sep 07 '22 18:09 chaospuppy
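As an added example (not cosign's own code, nor from this PR) of the behaviour the description above proposes: the decoder is chosen from the --type name, so an XML SBOM is only accepted under cyclonedxxml and a JSON one only under cyclonedx, and the result is wrapped in an in-toto statement. The struct shapes and the sample SBOM are assumptions constructed for this example; only the two URIs are the ones cosign actually uses.

```go
package main

import (
	"encoding/json"
	"encoding/xml"
	"fmt"
	"strings"
)
// Minimal CycloneDX shape and in-toto envelope for this example; assumption, cosign decodes the full schema.
type component struct {
	Name    string `xml:"name" json:"name"`
	Version string `xml:"version" json:"version"`
}
type bom struct {
	XMLName      xml.Name    `xml:"bom" json:"-"`
	SerialNumber string      `xml:"serialNumber,attr" json:"serialNumber"`
	Components   []component `xml:"components>component" json:"components"`
}
type statement struct {
	Type          string      `json:"_type"`
	PredicateType string      `json:"predicateType"`
	Predicate     interface{} `json:"predicate"`
}
const cdxNS = "http://cyclonedx.org/schema/bom/"
// Constructed sample XML SBOM (not taken from the page or from any real project).
const sampleXML = `<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79">
<components><component type="library"><name>acme-lib</name><version>1.2.3</version></component></components></bom>`
// attestationFor picks the decoder from the --type name rather than sniffing bytes, so a mismatched format is rejected.
func attestationFor(predicateType string, raw []byte) (*statement, error) {
	st := &statement{Type: "https://in-toto.io/Statement/v0.1", PredicateType: "https://cyclonedx.org/bom"}
	switch predicateType {
	case "cyclonedx": // existing option: JSON only, passed through as the predicate
		if !json.Valid(raw) {
			return nil, fmt.Errorf("cyclonedx expects a JSON-formatted CycloneDX SBOM")
		}
		st.Predicate = json.RawMessage(raw)
	case "cyclonedxxml": // option proposed by this PR: XML only, decoded then re-encoded as JSON
		var b bom
		if err := xml.Unmarshal(raw, &b); err != nil {
			return nil, fmt.Errorf("cyclonedxxml expects an XML-formatted CycloneDX SBOM: %w", err)
		}
		if !strings.HasPrefix(b.XMLName.Space, cdxNS) { // well-formed XML, but not a CycloneDX BOM
			return nil, fmt.Errorf("root <bom> is not in the CycloneDX namespace")
		}
		st.Predicate = b
	default:
		return nil, fmt.Errorf("unsupported predicate type %q", predicateType)
	}
	return st, nil
}
```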

Overall it is LGTM, thx @chaospuppy, could you please rebase from main?

developer-guy avatar Sep 19 '22 07:09 developer-guy

@developer-guy rebased!

chaospuppy avatar Sep 19 '22 16:09 chaospuppy

Looks like I forgot to sign off on the last commit, I can go ahead and sign off and repush if that's preferable.

chaospuppy avatar Sep 19 '22 16:09 chaospuppy

@hectorj2f somewhere in here make sense?

chaospuppy avatar Sep 19 '22 16:09 chaospuppy

Yep, the e2e tests would be a good place, or adding unit tests.

haydentherapper avatar Sep 19 '22 21:09 haydentherapper

Codecov Report

Merging #2231 (27f7887) into main (c1322bc) will increase coverage by 0.44%. The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main    #2231      +/-   ##
==========================================
+ Coverage   28.57%   29.02%   +0.44%     
==========================================
  Files         131      131              
  Lines        7852     7872      +20     
==========================================
+ Hits         2244     2285      +41     
+ Misses       5302     5275      -27     
- Partials      306      312       +6     
Impacted Files                                        Coverage Δ
cmd/cosign/cli/options/predicate.go                   0.00%  <0.00%> (ø)
pkg/cosign/tlog.go                                    37.75% <0.00%> (-0.80%)  ↓
cmd/cosign/cli/verify/verify_blob.go                  45.09% <0.00%> (-0.17%)  ↓
...ernal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go 57.77% <0.00%> (+3.01%)  ↑
cmd/cosign/cli/verify/verify.go                       19.34% <0.00%> (+13.37%) ↑


codecov-commenter avatar Sep 25 '22 13:09 codecov-commenter

@chaospuppy lgtm, but you need to update the cli docs.

hectorj2f avatar Sep 26 '22 08:09 hectorj2f

> Yep, the e2e tests would be a good place, or adding unit tests.

I'd be happy to add some unit tests to some commands going forward, when I have some more time!

chaospuppy avatar Sep 26 '22 15:09 chaospuppy

It looks like the docsign failed because of some whitespace I removed after --replace in the cli docs, and then the "Test attest" check failed for dubious reasons.

chaospuppy avatar Sep 27 '22 21:09 chaospuppy

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days.

github-actions[bot] avatar Nov 27 '22 02:11 github-actions[bot]

This PR was closed because it has been stalled for 10 days with no activity.

github-actions[bot] avatar Dec 08 '22 02:12 github-actions[bot]