Skip to content

feat: support running the analysis with SBOM and the main software component with no repository#165

Merged
tromai merged 13 commits into
stagingfrom
157-treat-the-main-target-as-empty-if-its-not-provided-together-with-the-sbom
Oct 4, 2023
Merged

feat: support running the analysis with SBOM and the main software component with no repository#165
tromai merged 13 commits into
stagingfrom
157-treat-the-main-target-as-empty-if-its-not-provided-together-with-the-sbom

Conversation

@tromai

@tromai tromai commented Apr 17, 2023
edited
Loading

Copy link
Copy Markdown
Contributor

Closes #157

Feature Description

We want to allow the use case of: running the analysis on the dependencies listed in an SBOM generated for an artifact while the repository URL for that artifact is not available (e.g. the repository is in a private domain that Macaron cannot access).
Example usage:

macaron analyze -purl pkg:domain.com/org/name -sbom <path_to_sbom>

Current state

  • When Macaron cannot resolve the repository for the main software component, Macaron will not collect any dependencies and analyze them. This is because the implementation for both collecting dependencies from a provided SBOM (through --sbom-path) and collecting dependencies by running the SBOM generator are bundled in the same location (see here) and this method is only run if the repository for the main software component is found (see here).
  • For all software components, when Macaron cannot resolve the repository for it, the analysis will be skipped for it.
    • For dependencies, the skipping happens here.
    • For the main software component, the skipping happens here.

Expected behavior

Core engine

  • For all software component, the analysis will not be skipped if the repository is not found.
  • When Macaron cannot resolve main software component's repository and a PURL string is provided by the user (via -purl), it will still collect the dependencies from the SBOM and run the analysis for those dependencies.

HTML reports

  • When the repository is not found for a software component, display a small message in the Target Information section to notify the users.
  • When all the checks are failing for a software component, we collapse the check report table. This is because we have now only repository-based checks. Therefore, when the repository is not found for a software component, no check will pass. We hide the table for visibility.

Example report

image

@tromai tromai self-assigned this Apr 17, 2023
@oracle-contributor-agreement oracle-contributor-agreement Bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Apr 17, 2023
@tromai tromai linked an issue Apr 17, 2023 that may be closed by this pull request
Treat the main target as empty if it's not provided together with the SBOM. #157
Closed
@tromai tromai force-pushed the 157-treat-the-main-target-as-empty-if-its-not-provided-together-with-the-sbom branch from e87456c to a7aa5ec Compare April 19, 2023 04:46
@tromai

tromai commented Apr 19, 2023

Copy link
Copy Markdown
Contributor Author

This rebase is to get the changes for #125

@tromai tromai added this to the Release v0.1.0 milestone Apr 20, 2023
@tromai tromai mentioned this pull request Apr 21, 2023
Closed
@tromai tromai force-pushed the 157-treat-the-main-target-as-empty-if-its-not-provided-together-with-the-sbom branch from f6700b6 to 8c221a8 Compare April 26, 2023 00:01
@tromai tromai force-pushed the 157-treat-the-main-target-as-empty-if-its-not-provided-together-with-the-sbom branch from 8c221a8 to 184ecfa Compare July 26, 2023 04:19
tromai
tromai commented Jul 26, 2023
View reviewed changes
Comment thread src/macaron/__main__.py Outdated
tromai
tromai commented Jul 26, 2023
View reviewed changes
Comment thread src/macaron/output_reporter/results.py Outdated
@tromai tromai added the SBOM related to SBOM handling label Jul 26, 2023
@tromai tromai changed the title feat: support running the analysis using SBOM without providing the main target feat: support running the analysis with SBOM and a software component with no repository Sep 8, 2023
@tromai tromai force-pushed the 157-treat-the-main-target-as-empty-if-its-not-provided-together-with-the-sbom branch 7 times, most recently from 5b9a924 to 0c12aca Compare September 18, 2023 03:19
@tromai tromai force-pushed the 157-treat-the-main-target-as-empty-if-its-not-provided-together-with-the-sbom branch from 0c12aca to 19ba5bb Compare September 19, 2023 06:57
@tromai tromai marked this pull request as ready for review September 20, 2023 01:21
@tromai tromai requested a review from behnazh-w as a code owner September 20, 2023 01:21
@tromai tromai changed the title feat: support running the analysis with SBOM and a software component with no repository feat: support running the analysis with SBOM and the main software component with no repository Sep 20, 2023
@behnazh-w behnazh-w requested a review from nicallen September 20, 2023 20:33
Trong Nhan Mai added 3 commits September 22, 2023 17:18
chore: move sub-section of the html report out of base_template.html …
f78520e 
…and handle everything in macaron.html

Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>
chore: hide the information, provenance and check status section of a…
0dce0b8 
… software component if no repository is found

Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>
chore: add documentation in macaron.html on how to handle the data pa…
6c4d94a 
…ssed into the template and the dependency section

Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>
Trong Nhan Mai added 6 commits September 22, 2023 17:22
chore: allow the main analysis to continue if there is no repository …
a64b805 
…for the main software component but an SBOM is provided
chore: remove unused for loop in results.py
8f7dd28 
Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>
chore: add integration test for the use case of analyzing a software …
1c353bc 
…component without a repository and an sbom

Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>
chore: do not skip analyzing a dependency software component if we ca…
7cac248 
…nnot find the repository for it

Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>
chore: hide the check report table when first open the HTML report wh…
db0fc5d 
…en there is no passing check

Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>
chore: update sphinx documentation for the use case of SBOM without m…
f190924 
…ain software component's repository available
@tromai tromai force-pushed the 157-treat-the-main-target-as-empty-if-its-not-provided-together-with-the-sbom branch from 0caee7d to f190924 Compare September 22, 2023 07:23
chore: revert the changes in DependencyAnalyzer.resolve_dependencies
ebc9696 
These changes were to separate the resolving dependencies using SBOM generator and resolving dependencies
from SBOM files. These changes were necessary for this PR back when I first work on it (before the merging
of #388). However, after #388 is merged and further discussion, this change is no longer necessary.

Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>
nicallen
nicallen requested changes Sep 26, 2023
View reviewed changes
Comment thread scripts/dev_scripts/integration_tests.sh Outdated
Comment thread src/macaron/output_reporter/templates/base_template.html Outdated
Comment thread src/macaron/output_reporter/templates/base_template.html Outdated
Trong Nhan Mai added 3 commits September 28, 2023 15:25
chore: update the integration test to reflect the use case of non-rep…
82ca751 
…o target software component

Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>
chore: keep the original start year in base_template.html
927bfe1 
Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>
chore: fix typo in base_template.html
3a18c96 
Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>
behnazh-w
behnazh-w reviewed Oct 3, 2023
View reviewed changes
Comment thread src/macaron/slsa_analyzer/analyzer.py
@tromai tromai merged commit abd2c31 into staging Oct 4, 2023
@tromai tromai deleted the 157-treat-the-main-target-as-empty-if-its-not-provided-together-with-the-sbom branch October 4, 2023 02:44
@tromai tromai mentioned this pull request Nov 2, 2023
Merged
art1f1c3R pushed a commit that referenced this pull request Nov 29, 2024
feat: support running the analysis with SBOM and the main software co…
e6be4d2 
…mponent with no repository (#165)

Core engine:
* For all software components (main target and dependencies), the analysis will not be skipped if the repository URL is not found.
* Collect and run the analysis for dependencies from the SBOM (if provided) even when the repository URL is not available for the main target.
HTML reports:
* Display a small message in the Target Information section when the repository is not available.
* Collapse the check report table when all checks fail.

Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicallen nicallen nicallen approved these changes

@behnazh-w behnazh-w behnazh-w approved these changes

Assignees

@tromai tromai

Labels

OCA Verified All contributors have signed the Oracle Contributor Agreement. SBOM related to SBOM handling

Projects

None yet

Milestone

Change the data model to allow analys...

Development

Successfully merging this pull request may close these issues.

Treat the main target as empty if it's not provided together with the SBOM.

3 participants

@tromai @nicallen @behnazh-w