Add new command sbom:cyclonedx #66
Conversation
|
If this could be a replacement for https://github.com/CycloneDX/cyclonedx-conan, it would be great to ping them and make them aware explicitly, maybe a ticket in their repo, to potentially centralize efforts somewhere. As the proposal is a new custom command, it is really not critical where is it, because it can be integrated easily with |
|
Ok, I see that you already did in CycloneDX/cyclonedx-conan#84. Commenting there. |
|
Hi, I am the maintainer of https://github.com/CycloneDX/cyclonedx-conan, for the following reasons, i would invite you to chat and discuss in CycloneDX slack channel #conan. I see some misconceptions and missing spots in this PR:
|
|
re: #66 (comment)
I will discuss with the CycloneDX Core team a possible adoption of a Coann2 extension. PS: see the response here CycloneDX/cyclonedx-conan#84 (comment) |
|
It would also be very helpful to add at least one or two tests. |
IMHO it would be better for this functionality to be maintained in the Conan ecosystem rather than the CycloneDX project. Package managers and build systems are complicated. And they all behave a bit differently. IMO it's much more likely to attract the required expertise and experience here. The CycloneDX team are happy to provide support, feedback, answer questions, etc. |
Test added |
|
Ready for next review round. I think I addressed everything. Thank you all for the helpful comments! |
|
I added support for cyclonedx-python-lib 3 which is the latest major version supported for python 3.6 |
|
Not easy to get everything right. I found a way to differentiate between cyclonedx v3 (for Python 3.6) and v4 (for later) without using |
prince-chrismc
dismissed
memsharded’s stale review
there are lots of changes since the tick
|
Unfortunately I do not have the knowledge to review this at a technical level. At a high level this looks really good with my background using them in the past. I like the CLI for this is the most intuitive so far, I think it's a great start 👏 I also like the pattern for using extern deps + the error message - very well done 👍 As for the code, and getting this merged we'll need to wait for someone of the team to make that decision :) |
Thanks. :D |
There was a problem hiding this comment.
I think this is ready to be merged from your side, it just needs a first quick round of internal testing and feedback from our side.
We will play a little bit with it, probably try to refactor a bit the code to be more aligned with some of our style, and consider and think about some changes like the "layer" ("recipe") name. Sorry we haven't managed to do this yet, we have been swamped, but we haven't forgot about this PR. Thanks!
extensions/commands/recipe/README.md
Outdated
|
|
||
| ```shellSession | ||
| $ cd conan-center-index/recipes/gmp/all | ||
| $ conan recipe:create-sbom --sbom_format 1.4_json . |
There was a problem hiding this comment.
Why --sbom_format and not the generic --format common to all Conan commands?
Maybe to be able to embed the imports in the command?
There was a problem hiding this comment.
actually there was a pythonic and pretty implementation for this,
at state 4ce29c0
conan-extensions/extensions/commands/recipe/cmd_create_sbom.py
Lines 16 to 29 in 4ce29c0
... but it got changed to what it is now ... and not for the better, i would say.
There was a problem hiding this comment.
Changed back to use the formatters
extensions/commands/recipe/README.md
Outdated
|
|
||
| ```shellSession | ||
| $ cd conan-center-index/recipes/gmp/all | ||
| $ conan recipe:create-sbom --sbom_format 1.4_json . |
There was a problem hiding this comment.
I think we still need to look for a better "layer" name than "recipe"
There was a problem hiding this comment.
i'd suggest conan sbom:cyclonedx --format 1.4_xml as stated here: #66 (comment)
There was a problem hiding this comment.
OK, I changed the name of the command to conan sbom:cyclonedx --format 1.4_xml
|
Ready for the next review round |
hedtke
changed the title
|
Ok, so this PR is merged, thanks very much all @hedtke for the contributions and all the reviewers! This is a great first step. We still have some work ahead, while the APIs stabilize, there will probably be breakages that we will need to fix. We would like also take the chance of future fixes and other tasks to probably go over the code and propose some refactors or style changes to align a bit better with the rest of the Conan codebases, but that shouldn't be very relevant. |
|
For new features, command args changes, etc (anything beyond bugfixes), I'd recommend submitting issues, discussing there the design, etc, and then move to PRs after alignement. |
This replaces the proposal conan-io/conan#14405
It closes conan-io/conan#9787
It is a possible replacement for https://github.com/CycloneDX/cyclonedx-conan