
SBOM: fix issue with unresolved artifacts and empty "components" #688

Merged (2 commits), Feb 14, 2025

Conversation

@rudsberg (Contributor) commented Jan 31, 2025

This PR fixes two issues:

  • If an artifact cannot be resolved via the RepositorySystem it can throw an ArtifactResolutionException, causing the SBOM generation to fail. This can happen for an artifact that cannot be located locally or on Maven Central. An example of such an artifact: com.example:demo:jar:sources:0.0.1-SNAPSHOT. The fix is to catch the ArtifactResolutionException and return Optional.empty() from resolvePackageNamesFromArtifact. Such components will not be pruned by Native Image and will be included under components.
  • The SBOM for a simple app with no dependencies will only contain the application component and it will be listed under metadata/component and the components list will be empty. Previously we incorrectly threw an exception for such cases. The fix is to simply return from the augmentSBOM method instead of throwing the exception.

I also added a fallback mechanism: if the SBOMGenerator for some reason fails for users that didn't explicitly opt-in to using an augmentedSBOM, we absorb the failure and proceed with a non-augmented SBOM.
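The two behaviours described above, sketched as an added example against the Maven Resolver API (org.eclipse.aether). This is not the plugin's own code: the class name SbomResolutionSketch, the method names, the Supplier-based fallback and the log text are assumptions made here; the resolver calls (RepositorySystem.resolveArtifact, ArtifactRequest, DefaultArtifact, ArtifactResolutionException) are the real Maven Resolver types that the PR description refers to.

```java
import java.util.List;
import java.util.Optional;
import java.util.function.Supplier;

import org.eclipse.aether.RepositorySystem;
import org.eclipse.aether.RepositorySystemSession;
import org.eclipse.aether.artifact.Artifact;
import org.eclipse.aether.artifact.DefaultArtifact;
import org.eclipse.aether.repository.RemoteRepository;
import org.eclipse.aether.resolution.ArtifactRequest;
import org.eclipse.aether.resolution.ArtifactResolutionException;
import org.eclipse.aether.resolution.ArtifactResult;

/**
 * Illustrative sketch (hypothetical class, not the plugin's code) of the
 * two behaviours described in the PR: tolerate unresolvable artifacts and
 * fall back to a non-augmented SBOM when augmentation was not opted into.
 */
public final class SbomResolutionSketch {

    private final RepositorySystem system;
    private final RepositorySystemSession session;
    private final List<RemoteRepository> repositories;

    public SbomResolutionSketch(RepositorySystem system,
                                RepositorySystemSession session,
                                List<RemoteRepository> repositories) {
        this.system = system;
        this.session = session;
        this.repositories = repositories;
    }

    /**
     * Resolve the artifact for the given coordinates, e.g.
     * "com.example:demo:jar:sources:0.0.1-SNAPSHOT" (the unresolvable example
     * from the PR). When the artifact exists neither locally nor in the
     * configured remote repositories the resolver throws
     * ArtifactResolutionException; instead of letting that abort SBOM
     * generation, the exception is caught and Optional.empty() is returned.
     * The caller then keeps the component (it is not pruned) but has no
     * package names for it.
     */
    public Optional<Artifact> resolveArtifact(String coordinates) {
        ArtifactRequest request =
                new ArtifactRequest(new DefaultArtifact(coordinates), repositories, null);
        try {
            ArtifactResult result = system.resolveArtifact(session, request);
            return Optional.ofNullable(result.getArtifact());
        } catch (ArtifactResolutionException e) {
            // Assumed log text: record the miss so the SBOM consumer can see
            // which component lacks package-level detail, then carry on.
            System.err.println("SBOM: could not resolve " + coordinates
                    + ", keeping component without package names: " + e.getMessage());
            return Optional.empty();
        }
    }

    /**
     * Fallback behaviour: run the augmentation step. If it fails and the user
     * did not explicitly opt in to an augmented SBOM, absorb the failure and
     * proceed with the plain (non-augmented) SBOM; an explicit opt-in keeps
     * failing loudly so the user learns that what they asked for was not produced.
     */
    public static <T> T augmentOrFallback(Supplier<T> augment, T plainSbom,
                                          boolean explicitlyOptedIn) {
        try {
            return augment.get();
        } catch (RuntimeException e) {
            if (explicitlyOptedIn) {
                throw e;
            }
            // Assumed log text for the absorbed failure.
            System.err.println("SBOM augmentation failed, using non-augmented SBOM: "
                    + e.getMessage());
            return plainSbom;
        }
    }
}
```

For a single-module application with no dependencies, resolveArtifact is never reached for anything but the application itself, and the resulting SBOM legitimately has the application under metadata/component with an empty components list; per the PR that state is handled by returning early rather than throwing.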

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Jan 31, 2025
@rudsberg rudsberg marked this pull request as draft January 31, 2025 12:34
@rudsberg rudsberg force-pushed the bug/sbom-unresolved-artifact branch 3 times, most recently from 73b8a47 to 1071aad Compare January 31, 2025 13:27
@rudsberg rudsberg requested review from melix and dnestoro January 31, 2025 13:30
@rudsberg rudsberg marked this pull request as ready for review February 6, 2025 16:09

@rudsberg rudsberg force-pushed the bug/sbom-unresolved-artifact branch from 1071aad to 5532735 Compare February 10, 2025 11:16
@dnestoro (Collaborator) commented Feb 13, 2025

@rudsberg please wait for @melix approval as well before merging

@melix (Collaborator) left a comment

@dnestoro can we merge again? If so we should think of a better way to handle releases, because I also have pending PRs for weeks, and having to come back and rebase everything is not fun.

@dnestoro dnestoro merged commit cf723b8 into master Feb 14, 2025
135 checks passed
@dnestoro dnestoro deleted the bug/sbom-unresolved-artifact branch February 14, 2025 14:58
Labels
OCA Verified All contributors have signed the Oracle Contributor Agreement.