[pull] master from erlang:master #255

Merged
merged 22 commits into garazdawi:master from erlang:master
Mar 21, 2025

Conversation

pull[bot]

@pull pull bot commented Mar 21, 2025

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.1)

dominicletz and others added 22 commits March 5, 2025 15:33
Splits the SBOM into Erlang and vendor SPDX packages. This allows one to easily
remove dependencies that are not needed from OTP. Erlang applications
also have a purl that follows the EEF security working group guidelines,
as per https://erlef.github.io/security-wg/specs/otp_purl_type

There are some errors in the current snippet generation, which does not work
correctly, so we are skipping the snippet generation for now.

Update "hasExtractedLicensingInfos" to consider LicenseRefs that are not
included in the repo. This information has been hard-coded (the license
text), but there is a check to see that we only add the license if it is
ever present in the repo. This means that if this license
`LicenseRef-scancode-wxwindows-free-doc-3` is not present in any
curation or SPDX license identifier, then it will not be added to the
resulting SPDX.
Ensure that the first paragraph describing each function makes sense
by itself when shown in the Summary part of the documentation.

Add examples to functions lacking examples.

While at it, do some other minor clean ups.
…TP-19553

Split source SBOM into multiple apps

OTP-19553
* frazze/crypto/update_license:
  crypto: update license

OTP-19554
…tation

Polish documentation for the sofs module
…l_inetrc OTP-19555

Bugfix: gethostbyname fails to respect ERL_INETRC on first call during initialization on linux
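The LicenseRef check described in the "hasExtractedLicensingInfos" commit above, as an added Python example (not code from otp-compliance.es, which is an escript): an extracted-text entry is emitted only for LicenseRefs that some package or file in the SBOM actually references, and the inverse check flags references that have no text, which is what an SBOM validity test would catch. SAMPLE_SBOM, KNOWN_LICENSE_TEXTS and the function names are constructed for this illustration.

```python
import re

# Constructed sample SPDX 2.3 document in the shape otp-compliance.es works on:
# one OTP app package and one file reference a LicenseRef; nothing else does.
SAMPLE_SBOM = {
    "packages": [{
        "SPDXID": "SPDXRef-otp-wx", "name": "wx",
        "licenseDeclared": "Apache-2.0 AND LicenseRef-scancode-wxwindows-free-doc-3",
    }],
    "files": [{
        "SPDXID": "SPDXRef-File-1", "fileName": "lib/wx/doc/intro.md",
        "licenseInfoInFiles": ["LicenseRef-scancode-wxwindows-free-doc-3"],
    }],
}
# Hypothetical hard-coded license texts (placeholders, not the real texts);
# the second entry is known but never referenced, so it must not be emitted.
KNOWN_LICENSE_TEXTS = {
    "LicenseRef-scancode-wxwindows-free-doc-3": "<placeholder wxWindows doc license text>",
    "LicenseRef-scancode-unused-example": "<placeholder text never referenced>",
}
LICENSE_REF = re.compile(r"LicenseRef-[A-Za-z0-9.\-]+")

def referenced_license_refs(sbom):
    """Every LicenseRef-* id appearing in package or file license fields."""
    refs = set()
    for pkg in sbom.get("packages", []):
        for key in ("licenseDeclared", "licenseConcluded"):
            refs.update(LICENSE_REF.findall(pkg.get(key, "")))
        for expr in pkg.get("licenseInfoFromFiles", []):
            refs.update(LICENSE_REF.findall(expr))
    for f in sbom.get("files", []):
        for expr in f.get("licenseInfoInFiles", []):
            refs.update(LICENSE_REF.findall(expr))
    return refs

def prune_extracted_licensing_infos(sbom, known_texts):
    """Emit hasExtractedLicensingInfos only for LicenseRefs the SBOM actually uses."""
    used = referenced_license_refs(sbom)
    out = dict(sbom)  # shallow copy; the input document is left untouched
    out["hasExtractedLicensingInfos"] = [
        {"licenseId": ref, "extractedText": known_texts[ref]}
        for ref in sorted(used) if ref in known_texts
    ]
    return out

def dangling_license_refs(sbom):
    """LicenseRefs used in the SBOM that have no extracted text: a validity failure."""
    defined = {e["licenseId"] for e in sbom.get("hasExtractedLicensingInfos", [])}
    return referenced_license_refs(sbom) - defined
```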
@pull pull bot added the ⤵️ pull label Mar 21, 2025
@pull pull bot merged commit f18d83f into garazdawi:master Mar 21, 2025

sourcery-ai bot commented Mar 21, 2025

Reviewer's Guide by Sourcery

This pull request introduces an escript for generating and testing SPDX SBOMs, updates the sofs module to improve documentation and fix minor issues, removes redundant code and improves DNS lookup configuration, and adds a license header to crypto_ec_curves.erl.

Sequence diagram for SBOM generation and verification

sequenceDiagram
    participant GH as GitHub Actions
    participant ORT as OSS Review Toolkit
    participant OTP as otp-compliance.es

    GH->>ORT: Runs ORT analyzer
    activate ORT
    ORT-->>GH: Analyzer result
    deactivate ORT
    GH->>ORT: Runs ORT scanner
    activate ORT
    ORT-->>GH: Scanner result
    deactivate ORT
    GH->>OTP: Executes otp-compliance.es sbom otp-info
    activate OTP
    OTP-->>GH: Fixed SBOM
    deactivate OTP
    GH->>OTP: Executes otp-compliance.es sbom test-file
    activate OTP
    OTP-->>GH: SBOM verification result
    deactivate OTP

Entity Relationship Diagram for vendor.info

erDiagram
    vendor_info {
        string ID PK
        string description
        string copyrightText
        string downloadLocation
        string homepage
        string licenseDeclared
        string name
        string versionInfo
        string path
        string supplier
    }
    note for vendor_info "Represents metadata for a vendor dependency."

Updated class diagram for spdx_package record

classDiagram
    class spdx_package {
        -SPDXID
        -versionInfo
        -description
        -name
        -copyrightText
        -filesAnalyzed
        -hasFiles
        -homepage
        -licenseConcluded
        -licenseDeclared
        -licenseInfoFromFiles
        -downloadLocation
        -packageVerificationCode
        -supplier
        -relationships
    }
    note for spdx_package "Represents an SPDX package with detailed metadata."

Class diagram for app_info record

classDiagram
    class app_info {
        -description
        -id
        -vsn
        -modules
        -applications
        -included_applications
        -optional_applications
    }
    note for app_info "Represents information about an Erlang application."

File-Level Changes

Change Details Files
Introduces a new escript, otp-compliance.es, for generating and testing SPDX SBOMs, enhancing license and copyright compliance.
  • Adds commands for generating, fixing, and testing SPDX SBOMs.
  • Improves SBOM data with license and copyright information from scan results.
  • Splits SPDX by app and adds vendor dependencies.
  • Includes functions for generating SPDX mappings, packages, and vendor packages.
  • Adds functions for creating relationships between OTP and vendor packages.
  • Introduces test functions for verifying the generated SBOM.
  • Adds functions for extracting license information and handling snippets.
  • Updates the OTP compliance script to improve SPDX generation and testing.
  • Adds a new github action to verify the SBOM.
.github/scripts/otp-compliance.es
.github/workflows/main.yaml
.ort.yml
erts/emulator/ryu/d2s.c
lib/stdlib/test/sofs_SUITE.erl
scripts/scan-code.escript
lib/wx/src/wx.erl
HOWTO/SBOM.md
erts/autoconf/vendor.info
erts/emulator/asmjit/vendor.info
erts/emulator/beam/vendor.info
erts/emulator/openssl/vendor.info
erts/emulator/pcre/vendor.info
erts/emulator/ryu/vendor.info
erts/emulator/zlib/vendor.info
erts/emulator/zstd/vendor.info
lib/common_test/priv/vendor.info
lib/common_test/test_server/vendor.info
lib/erl_interface/src/openssl/vendor.info
lib/stdlib/test/json_SUITE_data/vendor.info
lib/wx/vendor.info
make/autoconf/vendor.info
Updates the sofs module to improve documentation and fix minor issues.
  • Adds documentation to functions.
  • Fixes types in documentation.
  • Adds examples to functions.
  • Fixes minor issues.
lib/stdlib/src/sofs.erl
lib/stdlib/doc/src/sofs.md
Removes redundant code and improves DNS lookup configuration.
  • Removes redundant code in inet_config.erl.
  • Improves DNS lookup configuration.
lib/kernel/src/inet_config.erl
Adds a license header to crypto_ec_curves.erl.
  • Adds a license header to crypto_ec_curves.erl.
lib/crypto/src/crypto_ec_curves.erl
