test: validate SPDX with the JSON schema #5124

Merged
merged 3 commits into from
Sep 14, 2023

@nikpivkin nikpivkin commented Sep 5, 2023

Description

This PR adds validation of the SPDX-JSON report using the SPDX JSON schema.

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@nikpivkin
Contributor Author

@knqyf263 SPDX does not specify the patch version, so would it be correct to use the version 2.3.1 scheme for validation?

@knqyf263
Collaborator

knqyf263 commented Sep 8, 2023

@nikpivkin I think so.

@nikpivkin nikpivkin marked this pull request as ready for review September 11, 2023 16:25
@nikpivkin nikpivkin requested a review from knqyf263 as a code owner September 11, 2023 16:25
@@ -34,6 +34,8 @@ import (

var update = flag.Bool("update", false, "update golden files")

const SPDXSchema = "https://raw.githubusercontent.com/spdx/spdx-spec/development/v2.3.1/schemas/spdx-schema.json"
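
Review bot: the `SPDXSchema` constant makes the test depend on a schema fetched over the network from a mutable ref. In the raw.githubusercontent.com URL the ref segment is `development/v2.3.1`, a named ref rather than a commit hash, so the file the test validates against can change without any change in this repository, and the test fails whenever that host is unreachable. Consider checking a copy of `spdx-schema.json` into the repository's test data, or pinning the URL to a full commit hash, so the validation result is reproducible and any change to the schema content goes through review.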
@knqyf263 knqyf263 Sep 12, 2023

I'm sure we will forget to bump the version. Can we use spdx.Version somehow as it is used here?

https://github.com/spdx/tools-golang/blob/6a271aaa7370038495ab7acdd0eab38e72666c9c/spdx/v2/v2_3/document.go#L15

I see a problem between v2.3 and v2.3.1. If it is hard to identify the patch version, I think it is ok to use v2.3.

@nikpivkin nikpivkin requested a review from knqyf263 September 13, 2023 07:20
@knqyf263 knqyf263 added this pull request to the merge queue Sep 14, 2023
@knqyf263
Collaborator

@nikpivkin Are you going to open another PR for ValidateDocument? If I understand correctly, we want to call that to validate SPDX documents in our integration tests, right?
https://github.com/spdx/tools-golang/blob/6a271aaa7370038495ab7acdd0eab38e72666c9c/spdxlib/documents.go#L14

@nikpivkin
Contributor Author

@knqyf263 I added document validation in this commit d8dfeb9

@knqyf263
Collaborator

Oh, I missed it. Thanks.

Merged via the queue into aquasecurity:main with commit 9ebc25d Sep 14, 2023