Add format 'cyclonedx' as output format for the graph command #14405
Conversation
Hi, this is my first PR. I am not sure whether I work on the correct branches
Thanks for your contribution @hedtke
At this moment we are avoiding this kind of specialized formats as built-in, and we are implementing them as extensions in https://github.com/conan-io/conan-extensions (thanks to conan config install
it is very easy to use them).
No need to do any changes, we will check this, investigate a bit and discuss the approaches and let you know. Thanks!
@@ -7,3 +7,4 @@ fasteners>=0.15 | |||
distro>=1.4.0, <=1.8.0; sys_platform == 'linux' or sys_platform == 'linux2' | |||
Jinja2>=3.0, <4.0.0 | |||
python-dateutil>=2.8.0, <3 | |||
packageurl-python>=0.10.0 |
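Review bot: the new `packageurl-python>=0.10.0` line carries only a lower bound, while the neighbouring entries in this hunk (`distro`, `Jinja2`, `python-dateutil`) all pin an upper bound as well; an unbounded dependency lets a future major release with breaking or unwanted changes be pulled in silently, so add an upper bound in the same style, e.g. `packageurl-python>=0.10.0, <1`, or follow the maintainers' preference and drop the dependency in favour of an extension.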
We are avoiding adding new dependencies like this one, unless it is extremely necessary. Every additional Python dependency has proven to be a liability (the state of dependency management in Python is not great), so we prefer to avoid this.
I hope this PR is approved. Every organization has to deal with SBOM generation and having it built in just makes it easier for all of us.
We have had a look at this, and the main problem is that the full cycloneDX specification is way more complete than the currently proposed one: https://cyclonedx.org/specification/overview/
This means that this is very likely to evolve, and we would like Conan to create a more complete one, and this cannot be implemented in a "formatter", it is too much responsibility for it. Having it in the core as built-in is also problematic for faster evolution.
So my recommendation is to move it to the conan-extensions
repository, it fits much better there. There is already a very similar functionality which is the creation of "BuildInfo" (another type of SBOM).
We can discuss there what is the best approach for it, if it is a custom command or a deployer. I'd say try with a custom command first. We also need to think about the "Location" where a potential new command like this belongs, the command naming too, etc.
result["graph"].serialize() # fills ids | ||
deps = result["graph"].nodes[1:] # first node is app itself | ||
cyclonedx = { | ||
"bomFormat": "CycloneDX", |
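Review bot: `deps = result["graph"].nodes[1:]` flattens the whole graph into a list and relies on an ordering assumption (the comment "first node is app itself") that nothing in the snippet checks; flattening also discards which node requires which, information a CycloneDX dependency section needs later. Consider asserting that `nodes[0]` is the root before slicing, and keeping the per-node edges alongside the list so the dependency relationships can be emitted rather than only the set of packages.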
would you add the schema to the json, so it's more clear how to validate the result?
"$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
"name": n.name, | ||
"version": n.conanfile.version, | ||
"supplier": { | ||
"url": [n.conanfile.homepage] |
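Review bot: `"url": [n.conanfile.homepage]` emits the value unconditionally, so a recipe without a homepage produces `"url": [null]`, which is not a valid URI entry; guard it with a check and omit the key when the attribute is unset. Separately, as noted in the thread, the homepage describes the component rather than its supplier, so `externalReferences` with type `website` is the matching field.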
homepage - why not externalReferences
of type website
?
see https://cyclonedx.org/use-cases/#external-references
What is the advantage of using that over supplier? external references are not part of the BOM: https://cyclonedx.org/docs/1.4/json/#components_items_supplier VS https://cyclonedx.org/docs/1.4/json/#components_items_externalReferences
What is the advantage of using that over supplier
It's a matter of correctness.
One is the URL to the homepage of a supplier(or contractor, legal proxy, etc),
the other is the URL to the homepage of the component/project.
From what I've seen, n.conanfile.homepage
contains the project's homepage, not the homepage of an author or supplier.
see https://docs.conan.io/2/reference/conanfile/attributes.html?highlight=homepage#homepage
I found that n.conanfile.url
could be the externalReference
of type vcs
see https://docs.conan.io/2/reference/conanfile/attributes.html?highlight=url#url
Linking a component's metadata and URLs via externalReferences
is the intended way.
see the many examples here: https://cyclonedx.org/use-cases/
conanfile.url
points to the GitHub repo of conan-center. Not sure that is useful in this case.
I will use the homepage attribute and move it to externalReferences
@@ -229,6 +231,29 @@ def serialize(self): | |||
result["test"] = self.test | |||
return result | |||
|
|||
def package_url(self): | |||
""" | |||
Creates a PURL following https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst |
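Review bot: the docstring for `package_url` links to the whole PURL-TYPES document; state the purl type this method emits and which components (name, version, qualifiers, if any) it fills in, and point the link at the section for that type so a reader can verify the shape of the returned string without scrolling through the entire specification.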
Do you want me to change the comment, or is there an error in how I build the JSON?
Wanted to put a more precise link here, so nobody needs to scroll through the whole document.
"bomFormat": "CycloneDX", | ||
"specVersion": "1.4", | ||
"version": 1, | ||
"dependencies": [n.id for n in deps], |
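Review bot: `"dependencies": [n.id for n in deps]` produces a flat list of ids, but in CycloneDX 1.4 the top-level `dependencies` array holds objects of the form `{"ref": "<bom-ref>", "dependsOn": ["<bom-ref>", ...]}`, with every `ref` matching a `bom-ref` declared on a component or the metadata component. A flat list fails validation against the schema linked in this thread and loses the edges between packages, so emit one object per node with its direct requirements in `dependsOn`.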
This code looks wrong, according to CycloneDX spec.
Could you provide an example SBOM generated with your code, so we can check if the JSON results is actually valid according to http://cyclonedx.org/schema/bom-1.4.schema.json
Thanks, that is not correct. I will fix it in the conan extension
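The three review points above (adding `$schema`, putting the project homepage under `externalReferences` of type `website` instead of `supplier`, and shaping `dependencies` as `ref`/`dependsOn` objects) are easier to see in one place. The following is an added example, not code from this PR, from Conan or from conan-extensions: it builds a CycloneDX 1.4 JSON document from a small constructed dependency graph. The `Node` class is a hypothetical stand-in for a Conan graph node, the `conan` purl type is assumed, and `dangling_refs` is a small consistency check that every dependency ref points at a declared component.

```python
"""Build a CycloneDX 1.4 JSON SBOM from a small, constructed dependency graph.

Added example, not code from the Conan project or from this PR. Node is a
hypothetical stand-in for a Conan graph node; the CycloneDX field shapes
follow the 1.4 JSON schema.
"""
import json
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    # Hypothetical minimal stand-in for a Conan graph node (constructed here).
    name: str
    version: str
    homepage: Optional[str] = None
    requires: list = field(default_factory=list)  # names of direct dependencies


def purl(node: Node) -> str:
    """Package URL for a node; assumes the 'conan' purl type and no qualifiers."""
    return f"pkg:conan/{node.name}@{node.version}"


def bom_ref(node: Node) -> str:
    # bom-ref must be unique within the BOM; name@version suffices for this graph.
    return f"{node.name}@{node.version}"


def component(node: Node) -> dict:
    comp = {
        "type": "library",
        "bom-ref": bom_ref(node),
        "name": node.name,
        "version": node.version,
        "purl": purl(node),
    }
    # The project homepage describes the component, so it goes under
    # externalReferences (type 'website'), not supplier.url. When the recipe
    # has no homepage the key is omitted rather than emitting a null entry.
    if node.homepage:
        comp["externalReferences"] = [{"type": "website", "url": node.homepage}]
    return comp


def build_bom(root: Node, deps: list) -> dict:
    by_name = {n.name: n for n in [root] + deps}
    # In 1.4, 'dependencies' is a list of {ref, dependsOn} objects, not a flat
    # list of ids; each ref must match a declared bom-ref.
    dependencies = [
        {"ref": bom_ref(n), "dependsOn": [bom_ref(by_name[r]) for r in n.requires]}
        for n in [root] + deps
    ]
    return {
        "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": component(root)},
        "components": [component(n) for n in deps],
        "dependencies": dependencies,
    }


def dangling_refs(bom: dict) -> list:
    """Return dependency refs that point at no declared component (empty when consistent)."""
    declared = {bom["metadata"]["component"]["bom-ref"]}
    declared.update(c["bom-ref"] for c in bom["components"])
    bad = []
    for entry in bom["dependencies"]:
        for ref in [entry["ref"]] + entry["dependsOn"]:
            if ref not in declared:
                bad.append(ref)
    return bad


# Constructed sample graph: app -> zlib, app -> openssl -> zlib
ROOT = Node("app", "1.0", requires=["zlib", "openssl"])
DEPS = [
    Node("zlib", "1.2.13", homepage="https://zlib.net"),
    Node("openssl", "3.1.0", homepage="https://www.openssl.org", requires=["zlib"]),
]
BOM = build_bom(ROOT, DEPS)

if __name__ == "__main__":
    print(json.dumps(BOM, indent=2))
```

Running the module prints the document; the `$schema` key lets a JSON Schema validator pick up the 1.4 schema directly, and `dangling_refs` catches the most common structural error in hand-built SBOMs, a `dependsOn` entry whose component was never declared.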
@hedtke it seems the review from @jkowalleck is also supporting our conclusions above: this would be better as an "extension" where all these matters are way easier to fix and evolve.
Here is the "extension" version: conan-io/conan-extensions#66
Ok, thanks very much, let's follow up everyone in the extensions repo: conan-io/conan-extensions#66
Changelog: Feature: Add format 'cyclonedx' as output format for the graph command
Docs: https://github.com/conan-io/docs/pull/XXXX
Close #9787
The new output format cyclonedx for the graph command creates an SBOM in CycloneDX JSON 1.4 format to be parsed by dependency management / vulnerability tools like https://www.dependencytrack.org/develop
branch, documenting this one.