
[K9VULN-11577] Support both canonical and legacy SBOM component property names in the datadog-ci #2138

Merged: cespio merged 2 commits into master from francesco.contaldo/K9VULN-11577-update-datog-ci-sbom-tag-translation on Mar 3, 2026

Conversation

@cespio (Contributor) commented Mar 2, 2026

🚀 Motivation

SBOM component property keys are being migrated from vendor-specific prefixes (osv-scanner:, datadog-sbom-generator:) to a unified canonical format (datadog:). During this transition period, SBOMs can contain either the old legacy keys or the new canonical keys (or both). datadog-ci must be able to handle both formats seamlessly to avoid dropping data.

📝 Summary

  • Renamed existing SBOM property constants to LEGACY_* (osv-scanner: and datadog-sbom-generator: prefixes) and introduced new canonical constants with datadog: prefix (PACKAGE_MANAGER_PROPERTY_KEY, IS_DEPENDENCY_DIRECT_PROPERTY_KEY, IS_DEPENDENCY_DEV_ENVIRONMENT_PROPERTY_KEY, EXCLUSION_KEY, REACHABLE_SYMBOL_LOCATION_KEY_PREFIX).
  • Updated payload.ts to parse both legacy and canonical property names when building dependencies. Canonical (datadog:) values take precedence over legacy ones when both are present.
  • Exclusions from legacy (datadog-sbom-generator:exclusion) and canonical (datadog:exclusion) keys are merged via a Set to avoid duplicates.
  • Reachable symbol location entries from both datadog-sbom-generator:reachable-symbol-location:* and datadog:reachable-symbol-location:* are collected together; deduplication is delegated to another component.
  • Added a new fixture (sbom-with-both-legacy-canonical-properties.json) and a corresponding test case that validates the dual-parsing behaviour, priority rules, and merging logic.

🧪 Testing

  • New tests were added for new logic.
  • Existing tests were updated for new logic, and not only so that they pass!
  • Benchmark results prove that performance is the same or better.

🚧 Staging validation

  • Deployed and monitored using Datadog dashboards.
  • Proof that it works as expected, including profiling or UX screenshots.

Tested locally by comparing the payload output using different SBOM files as input.

🆘 Recovery

Notes for on-call - select only one:

  • The change can be rolled back.
  • Do not roll back. Why?:
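The dual-key parsing the summary describes, as an added example in TypeScript (not datadog-ci's own payload.ts): canonical datadog: values win over legacy ones, exclusions from both keys are merged through a Set, and reachable-symbol-location entries from both prefixes are collected without deduplication. The package-manager key suffix is an assumption; the exclusion and reachable-symbol-location keys are the ones the PR names.

```typescript
// Added example, not datadog-ci's own code. The package-manager key suffix
// is an assumption; the PR names only the prefixes and the exclusion /
// reachable-symbol-location keys.
interface SbomProperty { name: string; value: string }
interface SbomComponent { name: string; properties?: SbomProperty[] }
interface ParsedDependency {
  name: string; packageManager?: string
  exclusions: string[]; reachableSymbolLocations: string[]
}

const LEGACY_PACKAGE_MANAGER_KEY = 'osv-scanner:package_manager' // assumed suffix
const LEGACY_EXCLUSION_KEY = 'datadog-sbom-generator:exclusion'
const LEGACY_REACHABLE_PREFIX = 'datadog-sbom-generator:reachable-symbol-location:'
const PACKAGE_MANAGER_PROPERTY_KEY = 'datadog:package_manager' // assumed suffix
const EXCLUSION_KEY = 'datadog:exclusion'
const REACHABLE_SYMBOL_LOCATION_KEY_PREFIX = 'datadog:reachable-symbol-location:'

// Canonical (datadog:) value wins; the legacy key is consulted only when it is absent.
function pick(props: SbomProperty[], canonical: string, legacy: string): string | undefined {
  return (props.find((p) => p.name === canonical) ?? props.find((p) => p.name === legacy))?.value
}

function parseComponent(c: SbomComponent): ParsedDependency {
  const props = c.properties ?? []
  // Exclusions from both keys are merged through a Set so duplicates collapse.
  const exclusions = new Set<string>()
  for (const p of props) {
    if (p.name === EXCLUSION_KEY || p.name === LEGACY_EXCLUSION_KEY) exclusions.add(p.value)
  }
  // Reachable symbol locations are only collected; deduplication is left to the consumer.
  const reachableSymbolLocations = props
    .filter((p) => p.name.startsWith(REACHABLE_SYMBOL_LOCATION_KEY_PREFIX) || p.name.startsWith(LEGACY_REACHABLE_PREFIX))
    .map((p) => p.value)
  return {
    name: c.name,
    packageManager: pick(props, PACKAGE_MANAGER_PROPERTY_KEY, LEGACY_PACKAGE_MANAGER_KEY),
    exclusions: [...exclusions],
    reachableSymbolLocations,
  }
}

// Constructed sample: both key families present, with conflicting values.
const sampleComponent: SbomComponent = { name: 'lodash', properties: [
  { name: LEGACY_PACKAGE_MANAGER_KEY, value: 'yarn' }, { name: PACKAGE_MANAGER_PROPERTY_KEY, value: 'npm' },
  { name: LEGACY_EXCLUSION_KEY, value: 'excl-a' }, { name: EXCLUSION_KEY, value: 'excl-a' }, { name: EXCLUSION_KEY, value: 'excl-b' },
  { name: LEGACY_REACHABLE_PREFIX + '0', value: 'src/a.ts:10' }, { name: REACHABLE_SYMBOL_LOCATION_KEY_PREFIX + '0', value: 'src/a.ts:10' },
] }
```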

@cespio cespio added the datadog-ci For PRs spanning multiple commands, and repo-wide changes label Mar 3, 2026
@cespio cespio force-pushed the francesco.contaldo/K9VULN-11577-update-datog-ci-sbom-tag-translation branch from de4350c to 10e329c March 3, 2026 09:15
@cespio cespio changed the title from "[plugin-sbom] Support both canonical and legacy SBOM component property names" to "[K9VULN-11577] Support both canonical and legacy SBOM component property names in the datadog-ci" Mar 3, 2026
@cespio cespio marked this pull request as ready for review March 3, 2026 12:05
@cespio cespio requested review from a team as code owners March 3, 2026 12:05
@cespio cespio force-pushed the francesco.contaldo/K9VULN-11577-update-datog-ci-sbom-tag-translation branch from 46b3301 to e709d02 March 3, 2026 12:24
@Drarig29 Drarig29 added static-analysis Related to [sarif, sbom] and removed datadog-ci For PRs spanning multiple commands, and repo-wide changes labels Mar 3, 2026
@piloulacdog (Contributor) left a comment:

LGTM

@cespio cespio merged commit 2bd53a6 into master Mar 3, 2026
26 checks passed
@cespio cespio deleted the francesco.contaldo/K9VULN-11577-update-datog-ci-sbom-tag-translation branch March 3, 2026 16:22
@vishal-joshi-datadog vishal-joshi-datadog mentioned this pull request Mar 3, 2026