SBOM report ane 2277 #1534

Open: wants to merge 12 commits into master

Conversation

csasarak (Contributor) commented Apr 18, 2025

Overview

This PR makes it possible to download attribution reports for SBOM-based projects from FOSSA.

Acceptance criteria

  • If a file is given to fossa report attribution the CLI downloads an SBOM attribution report.
  • If a project and version are given using --project and --version the CLI will try to fetch both custom+ attribution reports and fall back to sbom+ attribution reports.
  • If a project directory is given, the CLI tries to download a report for a custom+ project.

Testing plan

I copied the existing tests and tried to make them work with both types of target. For the actual user interactions, I tested by analyzing using fossa sbom analyze <sbom> and then fossa report attribution --format json <sbom>.

fossa sbom analyze --revision 1 sbomfile.txt
fossa report attribution --format json sbomfile.txt
fossa sbom analyze --project sbomfile.txt --revision 1

I also tested the same sequence, but with fossa analyze <dir>, and tested downloading an SBOM using --project...

If you try to fetch a non-existent project you get an error that indicates the CLI tried to download both forms and failed:

[Screenshot 2025-04-18 at 3 28 20 PM]

Risks

None.

References

Checklist

  • I added tests for this PR's change (or explained in the PR description why tests don't make sense).
  • If this PR introduced a user-visible change, I added documentation into docs/.
  • If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
  • If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
  • If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
  • If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.
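
The lookup order described in the acceptance criteria above (file means sbom+, directory means custom+, explicit --project tries custom+ then falls back to sbom+, and a miss on every candidate reports all attempts), written out as an added example. This is not fossa-cli's own code: the locator format, the project-type names, the default revision and the in-memory stand-in for the FOSSA API are all assumptions made for the example.

```python
import os
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed project-type prefixes and locator shape; the real FOSSA encoding is not on the page.
CUSTOM_TYPE = "custom"
SBOM_TYPE = "sbom"


class ReportNotFound(Exception):
    """No attribution report could be fetched for a locator (or for any candidate)."""


@dataclass(frozen=True)
class Target:
    """What the user pointed `fossa report attribution` at."""
    path: Optional[str] = None      # SBOM file or project directory given as a positional argument
    project: Optional[str] = None   # --project
    revision: Optional[str] = None  # --version


def project_types_to_try(target: Target,
                         is_file: Callable[[str], bool] = os.path.isfile) -> list[str]:
    """Return the project types to try, in order, following the PR's acceptance criteria."""
    if target.project is not None:
        # Explicit --project/--version: try custom+ first, then fall back to sbom+.
        return [CUSTOM_TYPE, SBOM_TYPE]
    if target.path is None:
        raise ValueError("either a path or --project is required")
    # A file is an SBOM-based project; a directory is a custom+ project.
    return [SBOM_TYPE] if is_file(target.path) else [CUSTOM_TYPE]


def make_locator(project_type: str, project: str, revision: str) -> str:
    # Constructed locator shape for this example only.
    return f"{project_type}+{project}${revision}"


def fetch_attribution(target: Target, fetch: Callable[[str], bytes],
                      is_file: Callable[[str], bool] = os.path.isfile) -> tuple[str, bytes]:
    """Try each candidate locator in order.

    Returns (locator, report) for the first hit, or raises ReportNotFound whose
    message lists every locator that was tried, so the user can see that both
    forms were attempted.
    """
    types = project_types_to_try(target, is_file)
    project = target.project if target.project is not None else os.path.basename(target.path)
    revision = target.revision or "1"  # assumed default revision for the example
    attempts = []
    for ptype in types:
        locator = make_locator(ptype, project, revision)
        try:
            return locator, fetch(locator)
        except ReportNotFound as exc:
            attempts.append(f"{locator}: {exc}")
    raise ReportNotFound("no attribution report found; tried " + "; ".join(attempts))


# Constructed stand-in for the FOSSA API: locator -> report bytes.
FAKE_REPORTS = {
    "custom+dirproject$1": b'{"project": "dirproject", "kind": "custom"}',
    "sbom+sbomfile.txt$1": b'{"project": "sbomfile.txt", "kind": "sbom"}',
}


def fake_fetch(locator: str) -> bytes:
    """Pretend HTTP client: 404 for unknown locators."""
    if locator not in FAKE_REPORTS:
        raise ReportNotFound("HTTP 404")
    return FAKE_REPORTS[locator]


if __name__ == "__main__":
    # --project given for an SBOM-only project: custom+ misses, sbom+ is used.
    print(fetch_attribution(Target(project="sbomfile.txt", revision="1"), fake_fetch))
    # Nothing matches: the error names both locators that were tried.
    try:
        fetch_attribution(Target(project="missing", revision="2"), fake_fetch)
    except ReportNotFound as err:
        print(err)
```

The `is_file` parameter exists only so the dispatch can be exercised without touching the filesystem; in a real client the same hook is where a permission or path-traversal check on the user-supplied path would sit before anything is sent to the API.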

@csasarak csasarak marked this pull request as ready for review April 18, 2025 20:30
@csasarak csasarak requested a review from a team as a code owner April 18, 2025 20:30
@csasarak csasarak requested a review from spatten April 18, 2025 20:30