
Supplier count bug #281

Merged

Conversation

briancaine
Contributor

I noticed a bug with the comp_with_supplier rule. I scored CycloneDX SBOMs and couldn't get any of them to recognize any suppliers.

Example SBOM:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:d7700b83-651a-458a-9764-1998b615a8d5",
  "version": 1,
  "metadata": {
    "component": {
      "bom-ref": "foobar",
      "type": "library",
      "name": "some other library here",
      "version": "v0.111.0",
      "supplier": { "name": "foobar supplier" }
    }
  },
  "components": [
    {
      "bom-ref": "zipzap",
      "type": "library",
      "name": "some library here",
      "version": "v0.9.0",
      "scope": "required",
      "supplier": { "name": "zipzap supplier" }
    }
  ]
}

When I score this, I get:

$ sbomqs score /tmp/sample.cdx.json | grep comp_with_supplier
|                       | comp_with_supplier             | 0.0/10.0  | 0/2 have supplier names        |

This PR should fix this.
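A stand-alone re-implementation of the supplier check, added here as an illustration and not sbomqs's own code or this PR's fix: it walks the metadata component and the component list, counts entries with a non-empty `supplier.name`, and derives the "N/M have supplier names" figure the description shows. It also descends into nested `components`, which goes beyond the sample above; the sample JSON is embedded as constructed test input.

```python
import json

# Constructed sample: the SBOM from the PR description, trimmed to the
# fields this check reads (bomFormat, metadata.component, components).
SAMPLE_CDX = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "component": {"bom-ref": "foobar", "type": "library",
                  "name": "some other library here", "version": "v0.111.0",
                  "supplier": {"name": "foobar supplier"}}
  },
  "components": [
    {"bom-ref": "zipzap", "type": "library", "name": "some library here",
     "version": "v0.9.0", "scope": "required",
     "supplier": {"name": "zipzap supplier"}}
  ]
}"""


def iter_components(bom):
    """Yield the metadata (primary) component, every top-level component,
    and any components nested inside them."""
    primary = bom.get("metadata", {}).get("component")
    if primary:
        yield primary
    stack = list(bom.get("components", []))
    while stack:
        comp = stack.pop()
        yield comp
        stack.extend(comp.get("components", []))  # CycloneDX nesting


def supplier_name(comp):
    """Return the component's supplier name, or None if absent or blank."""
    supplier = comp.get("supplier")
    if not isinstance(supplier, dict):
        return None
    name = supplier.get("name")
    return name.strip() if isinstance(name, str) and name.strip() else None


def comp_with_supplier(bom_json):
    """Count components with a supplier name; return (have, total, score)."""
    bom = json.loads(bom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    comps = list(iter_components(bom))
    have = sum(1 for c in comps if supplier_name(c) is not None)
    score = round(10.0 * have / len(comps), 1) if comps else 0.0
    return have, len(comps), score
```

For the sample above this yields `(2, 2, 10.0)`, i.e. the "2/2 have supplier names" result the reporter expected rather than the 0/2 shown.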

@riteshnoronha riteshnoronha self-requested a review July 5, 2024 18:48
Contributor

@riteshnoronha riteshnoronha left a comment


💯 nice one.

@riteshnoronha
Contributor

@briancaine this is approved; however, I cannot merge it as it's not signed. Please do sign it: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits

@briancaine
Contributor Author

Yep, just saw that. Will do.

@briancaine briancaine force-pushed the supplier-name-count-fix branch from 0a426ca to a21a2b8 Compare July 5, 2024 18:58
@briancaine
Contributor Author

@riteshnoronha There we go, should be signed now.

@riteshnoronha
Contributor

BOOM... nice one. OK, I have merged it. We are moving our release cycle to bi-weekly; however, if you need this earlier, let me know.

@riteshnoronha riteshnoronha merged commit 634b36d into interlynk-io:main Jul 5, 2024
2 checks passed
@riteshnoronha
Contributor

@briancaine v0.1.6 has been released.
