Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SPDX: Fix package manager label #801

Merged
merged 2 commits into from
Aug 26, 2022
Merged

SPDX: Fix package manager label #801

merged 2 commits into from
Aug 26, 2022

Conversation

puerco
Copy link
Contributor

@puerco puerco commented Aug 26, 2022

This commit fixes the package manager label in external references
to make them conform to the SPDX spec.

/cc @imjasonh

Signed-off-by: Adolfo Garcia Veytia (puerco) puerco@chainguard.dev

@puerco
SPDX: Fix package manager label
53f6c72 
This commit fixes the package manager label in external references
to make them [conform to the spec](https://spdx.github.io/spdx-spec/package-information/#721-external-reference-field).

Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>
@codecov-commenter
Copy link

Codecov Report

Merging #801 (53f6c72) into main (f9775dc) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #801   +/-   ##
=======================================
  Coverage   51.40%   51.40%           
=======================================
  Files          44       44           
  Lines        3354     3354           
=======================================
  Hits         1724     1724           
  Misses       1408     1408           
  Partials      222      222

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@puerco
Bump SPDX tools to 1.1.0
4d0688f 
This commit bumps SPDX tools to 1.1.0 preparing the CI to
validate SPDX 2.3 documents.

Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>
@imjasonh imjasonh merged commit 7a8f1b9 into ko-build:main Aug 26, 2022
@imjasonh
Copy link
Member

Thanks for this! Do you think this is something that warrants a v0.12.1 release?

@puerco
Copy link
Contributor Author

puerco commented Aug 26, 2022

Mmh no, I think we should instead move to have ko@HEAD generate SPDX 2.3. This uncovered a bug in the SPDX tools, between 2.2.2 and 2.3 the external reference category label in the json schema was changed from using a dash to an underscore:

https://github.com/spdx/spdx-spec/blob/master/schemas/spdx-schema.json#L325

https://github.com/spdx/spdx-spec/blob/development/v2.2.2/schemas/spdx-schema.json#L320

But it seems the spdx tools will use the latest json schema published regardless of the version stated in the doc. So right now, we have an invalid 2.2 document that passes the tests. I'll modify the code to generate SPDX 2.3 documents and file a bug on the SPDX tools project

@puerco
Copy link
Contributor Author

puerco commented Aug 26, 2022

Ref: spdx/tools-java#74

@imjasonh
Copy link
Member

Thanks @puerco! ❤️

@puerco puerco mentioned this pull request Aug 26, 2022
Merged
@antoineco
Copy link
Contributor

I was looking at the changelog and noticed that the original link is dead, so here is the current version: https://spdx.github.io/spdx-spec/v2.3/package-information/#7211-description

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@imjasonh imjasonh imjasonh approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@puerco @codecov-commenter @imjasonh @antoineco