Fix tool.SBOM.cyclonedx with empty components #17925
memsharded merged 5 commits into conan-io:develop2 from
Conversation
Hi @NokiDev, I've been looking into the issue, and there is indeed a problem. The line that fixes it is:

I see too many changes unrelated to the main issue, and I believe it would be better to discuss those in a separate PR. Regarding the author field, it is indeed incorrect to use "conan", since the standard refers to "The person(s) or organization(s) that authored the component." I think it would be best to remove it altogether, as it is not a mandatory field in the standard, and it is not filled in the Conan Center Index recipes, which could cause issues.
ddbc133 to cb5750a
ErniGH left a comment
LGTM Thanks for your PR 😄
@ErniGH, I've followed your advice and limited the PR changes to the fix.
@NokiDev I feel a bit uneasy about not having had a test that could catch this error. I'm trying to add a small test to cover this case, but I'm unable to replicate the issue you had when the component list was empty. Could you help me? What was your use case for triggering an empty component list?
Sure, in my case I was using a conanfile with tool_requires and calling the function with use_build=False (the default, I believe). But without any requires that should also work, no? If you still struggle, I can add a test tomorrow - not sure how to test a hook with conan TestClient though.
I have added a test that has a "post_package" hook with
0b6f0ba to 4552ed2
| class FooPackage(ConanFile): | ||
| name = "foo" | ||
| version = "1.0" | ||
| package_type = "build-scripts" |
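Review bot: the test depends on `package_type = "build-scripts"` to make the root node "special" and leave the component list empty, but nothing in the snippet says so; a short comment on that line, stating that this setting is what triggers has_special_root_node and therefore the regression being tested (as the discussion below explains), would keep the test understandable for the next reader.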
I managed to reproduce the issue when there are no components by setting package_type = "build-scripts".
Not really sure why; it correctly triggers the variable has_special_root_node, which in turn strips the 1st component from the graph and triggers the issue.
| bar_layout = tc.created_layout() | ||
| assert os.path.exists(os.path.join(bar_layout.metadata(), "sbom.cdx.json")) | ||
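Review bot: `assert os.path.exists(os.path.join(bar_layout.metadata(), "sbom.cdx.json"))` only proves the hook did not crash and wrote a file; since the changelog says the fix also adds the correct info in metadata, consider loading the JSON and asserting on the metadata component's bom-ref too, as the follow-up comment describes doing for test_sbom_with_dependencies.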
| def test_sbom_with_dependencies(hook_setup_post_package_default): |
Modified this test to ensure the SBOM is generated with the appropriate component ref in the metadata.
@ErniGH Managed to reproduce. I believe I might have tried to use the post_generate hook too when the issue occurred. My bad. I updated the tests to reflect the changes I made. BTW, if you have a less weird way to trigger the has_special_root_node behaviour, feel free to update the test. I found that having package_type set as build-scripts works. IMHO stripping the 1st component shall be the default behaviour since the information will be present in the metadata section.

Edit: This seems really weird because has_special_root_node is True, thus the special id is used in bom-ref and it shouldn't execute the else clause where c.name etc. are used, but it seems to evaluate the else clause as well.
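The edge case discussed above, as an added illustration that is not Conan's tool.SBOM.cyclonedx code: a hypothetical build_sbom function over a constructed graph, showing that when the root node is "special" it moves into metadata.component and the remaining component list may legitimately be empty, so nothing may index components[0] or assume the stripped node is still there.

```python
import uuid

# Constructed sample graphs (not Conan's real subgraph objects). The first
# node is the root package being packaged; the rest are its dependencies.
GRAPH_WITH_DEP = [
    {"name": "foo", "version": "1.0", "bom_ref": "pkg:conan/foo@1.0",
     "depends_on": ["pkg:conan/zlib@1.3"]},
    {"name": "zlib", "version": "1.3", "bom_ref": "pkg:conan/zlib@1.3",
     "depends_on": []},
]
# Root with nothing left once build-only requirements are excluded.
ROOT_ONLY_GRAPH = [
    {"name": "foo", "version": "1.0", "bom_ref": "pkg:conan/foo@1.0",
     "depends_on": []},
]


def build_sbom(graph, has_special_root_node):
    """Return a minimal CycloneDX 1.4 document (as a dict) for `graph`.

    When the root is a real package (has_special_root_node), it is described
    in metadata.component and stripped from `components`, so that list may be
    empty; nothing here may index components[0] or the stripped node.
    """
    root, rest = graph[0], graph[1:]
    if has_special_root_node:
        root_ref = root["bom_ref"]
        root_component = {"bom-ref": root_ref, "type": "library",
                          "name": root["name"], "version": root["version"]}
        component_nodes = rest  # may be [] -- must not be indexed blindly
        root_deps = root["depends_on"]
    else:
        # Consumer/virtual root: synthetic id, every node stays a component.
        root_ref = str(uuid.uuid4())
        root_component = {"bom-ref": root_ref, "type": "application",
                          "name": "consumer-root"}  # placeholder name
        component_nodes = graph
        root_deps = [root["bom_ref"]]
    components = [{"bom-ref": n["bom_ref"], "type": "library",
                   "name": n["name"], "version": n["version"]}
                  for n in component_nodes]
    dependencies = [{"ref": root_ref, "dependsOn": root_deps}]
    dependencies += [{"ref": n["bom_ref"], "dependsOn": n["depends_on"]}
                     for n in component_nodes]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "metadata": {"component": root_component},
            "components": components, "dependencies": dependencies}
```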
4552ed2 to f01d7f9
@NokiDev The problem here is that the subgraph generated of a
Changelog: BugFix: Add correct info in metadata + prevent crash when no component is associated to root_node.
Docs: Omit
Fix issue #17924
develop branch, documenting this one.