Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: write sbom result to disk #822

Merged
merged 1 commit into from
Sep 20, 2022
Merged

feat: write sbom result to disk #822

merged 1 commit into from
Sep 20, 2022

Conversation

developer-guy
Copy link
Collaborator

Signed-off-by: Batuhan Apaydın batuhan.apaydin@trendyol.com

Fixes #728

@codecov-commenter
Copy link

Codecov Report

Merging #822 (9e93ca2) into main (bb84aa3) will decrease coverage by 0.26%.
The diff coverage is 18.51%.

@@            Coverage Diff             @@
##             main     #822      +/-   ##
==========================================
- Coverage   51.37%   51.10%   -0.27%     
==========================================
  Files          44       44              
  Lines        3354     3381      +27     
==========================================
+ Hits         1723     1728       +5     
- Misses       1408     1428      +20     
- Partials      223      225       +2
Impacted Files Coverage Δ
pkg/commands/resolver.go 33.44% <0.00%> (-0.89%) ⬇️
pkg/build/options.go 62.92% <11.11%> (-5.83%) ⬇️
pkg/build/gobuild.go 58.57% <25.00%> (-0.34%) ⬇️
pkg/commands/options/build.go 70.08% <100.00%> (+0.52%) ⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

imjasonh
imjasonh reviewed Sep 14, 2022
View reviewed changes
pkg/commands/resolver.go Outdated
@@ -120,6 +120,17 @@ func gobuildOptions(bo *options.BuildOptions) ([]build.Option, error) {
opts = append(opts, build.WithConfig(bo.BuildConfigs))
}

if bo.SBOMDir != "" {
if bo.SBOMDir == "." {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We shouldn't special-case ., since users might also do ../foo etc. Look into what --image-refs does, so we're at least consistent. If that doesn't support .. etc (I doubt it does), that's okay, but we should be consistent.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ping on this comment.

pkg/build/gobuild.go Outdated
Comment on lines 884 to 890
if g.sbomDir != "" {
fp := fmt.Sprintf("%s.%s", filepath.Join(g.sbomDir, appFilename(ref.Path())), g.sbomType)
log.Printf("Writing an SBOM to %s", fp)
if err := os.WriteFile(fp, sbom, 0644); err != nil {
return nil, err
}
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this be part of the sbomber impl's responsibility? It already knows the type of SBOM it's generating, and can also know its file name extension.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, it can but wouldn't it cause code duplication? Because I need to add this logic into all of the somber impls. WDYT?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated the code according to your feedback, can you please take a look? Thx

pkg/build/options.go Outdated Show resolved Hide resolved
@developer-guy developer-guy force-pushed the feature/728 branch 4 times, most recently from 7c85f0c to 1395e4c Compare September 15, 2022 10:16
imjasonh
imjasonh reviewed Sep 16, 2022
View reviewed changes
pkg/build/gobuild.go Outdated Show resolved Hide resolved
pkg/build/gobuild.go Outdated Show resolved Hide resolved
pkg/build/gobuild.go Outdated Show resolved Hide resolved
pkg/build/gobuild.go Outdated Show resolved Hide resolved
pkg/build/gobuild.go Outdated Show resolved Hide resolved
pkg/commands/options/build.go Outdated Show resolved Hide resolved
doc/ko_run.md Outdated
@@ -44,6 +44,7 @@ ko run IMPORTPATH [flags]
-P, --preserve-import-paths Whether to preserve the full import path after KO_DOCKER_REPO.
--push Push images to KO_DOCKER_REPO (default true)
--sbom string The SBOM media type to use (none will disable SBOM synthesis and upload, also supports: spdx, cyclonedx, go.version-m). (default "spdx")
--sbom-dir string The directory to write the SBOM to.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
--sbom-dir string The directory to write the SBOM to.
--sbom-dir string Path to file where the SBOM will be written.

I'd like to think about making this more consistent with --image-refs if possible, which takes a path to a file, instead of a directory.

That may bite us later if/when we end up generating multiple SBOMs, but I'm not sure we'll do that anyway. If we do, we can only write the first one to disk or something. WDYT?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to think about making this more consistent with --image-refs if possible, which takes a path to a file instead of a directory.

That's also ok for me. It should change the logic of determining the file path, that's all (I guess?). But what if I'm building more than one binary configured via the builds section?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah good point. You could be ko resolveing, or eventually ko build ./...ing, so there might be multiple SBOMs.

In that case a dir sounds better, with files named after the app. So let's keep it like this.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there anything left that you want me to do? Or are we all good 🕺🏻

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think about adding an e2e test in e2e.yaml? You could even have it --push=false with --sbom-dir then check that the file exists and can be read with jq . <file>.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have added a test, can you please take a look at them? Thx

@developer-guy developer-guy force-pushed the feature/728 branch 2 times, most recently from adcfc0d to 5fe3926 Compare September 19, 2022 14:13
@developer-guy developer-guy force-pushed the feature/728 branch 8 times, most recently from 483642f to 47087bb Compare September 19, 2022 21:47
@developer-guy developer-guy force-pushed the feature/728 branch 5 times, most recently from fb4374c to aa6219b Compare September 20, 2022 09:05
@developer-guy
feat: write sbom result to disk
b57104e 
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
@imjasonh imjasonh merged commit 5e0452a into ko-build:main Sep 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@imjasonh imjasonh imjasonh approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Output SBOM to file in addition to pushing
3 participants
@developer-guy @codecov-commenter @imjasonh