Plugin: Add example for SPDX SBOM generator plugin #307
Conversation
Nisha,
This is great news. I’m very interested in testing the SPDX 2.3 SBOM in SAG-PM. This would be the first SPDX V 2.3 SBOM to be tested that came from outside REA, so I’m looking at this as a good interop test too.
Please provide a link to an SPDX V2.3 SBOM created using the plugin. Thanks very much.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
<https://reliableenergyanalytics.com/products> Never trust software, always verify and report! ™
<http://www.reliableenergyanalytics.com/> http://www.reliableenergyanalytics.com
Tel: +1 978-696-1788
From: nisha ***@***.***>
Sent: Thursday, January 11, 2024 7:03 PM
To: opensbom-generator/spdx-sbom-generator ***@***.***>
Cc: Subscribed ***@***.***>
Subject: [opensbom-generator/spdx-sbom-generator] Plugin: Add example for SPDX SBOM generator plugin (PR #307)
* Includes the plugin package which is an interface to be implemented by plugins.
* Includes an example of an implementation of a plugin where a pom.xml file is parsed and the data is used to create an SPDX 2.3 JSON document.
Commit Summary
* ceffa8d <ceffa8d> Plugin: Add example for SPDX SBOM generator plugin
File Changes
(5 <https://github.com/opensbom-generator/spdx-sbom-generator/pull/307/files> files)
* A examples/pomtospdx/README.md <https://github.com/opensbom-generator/spdx-sbom-generator/pull/307/files#diff-3a5e9eca6da57e5870dea1bf6d560c63d75c81ec97058760495aebe25079bc71> (13)
* A examples/pomtospdx/main.go <https://github.com/opensbom-generator/spdx-sbom-generator/pull/307/files#diff-32a07bc441f584afe7a8eb3694e8afbf1afb3baa7a54c5fc2cf398d0a00f8175> (25)
* A examples/pomtospdx/mvnpom/mvnpom.go <https://github.com/opensbom-generator/spdx-sbom-generator/pull/307/files#diff-bc66615feb0fe3ecd782326cdbf84636fb54ccfe8eae3c5c8a45b63224155a56> (171)
* A examples/pomtospdx/pom.xml <https://github.com/opensbom-generator/spdx-sbom-generator/pull/307/files#diff-e311906f7ea45de96bc3cf999e170798eb40458fb5dc589ff67b1ec679ea0a03> (330)
* A pkg/plugin/plugin.go <https://github.com/opensbom-generator/spdx-sbom-generator/pull/307/files#diff-fc137d62147eb6a9c89c0566479ff219320ca691f2505631ebacbe513bcc8108> (42)
Patch Links:
* https://github.com/opensbom-generator/spdx-sbom-generator/pull/307.patch
* https://github.com/opensbom-generator/spdx-sbom-generator/pull/307.diff
- Includes the `plugin` package which is an interface to be implemented by plugins.
- Includes an example of an implementation of a plugin where a pom.xml file is parsed and the data is used to create an SPDX 2.3 JSON document.

Signed-off-by: Nisha Kumar <[email protected]>

ceffa8d to 52be74d
@rjb4standards Hi Dick, wow really? I believe Tern and Syft can generate SPDX V 2.3 SBOMs now. This is just an example of how this particular project can be used as an entrypoint for which other file/package analyzers can write plugins for.

Thanks, Nisha. I’ll check for SPDX V 2.3 SBOMs from Tern and Syft.
Thanks,
Dick Brooks
Some initial comments!
```go
type Plugin interface {
	GetSpdxDocument() (common.AnyDocument, error)
}
```
Why not leverage the plugin object we're putting together in the parsers project? It is the project's plugin after all:
```go
// plugins stores a mapping of the plugin name and its
// corresponding Plugin object
var plugins = make(map[string]Plugin)
```
How is the name we're using to key supposed to be used? Will we support more than one plugin for each ecosystem? I see it is the argument to GetPlugin(), but should we have a keying scheme tied to the specific ecosystem?
I expect to look for plugins based on what the generator finds in the code repository, so more than a name: should this be an ecosystem label or another moniker?
```go
// init function
func Register(name string, p Plugin) {
	if p == nil {
		panic("A Plugin object is required, but is nil")
```
Since this is a plugin system potentially used by third parties, don't panic here. Return an error and let the application handle it.
In this example, we will parse an example pom.xml file and create an SPDX document with the data. The plugin is called `mvnpom`. We use an existing pom.xml parser to get the data. We have restricted parsing to only SPDX 2.3 as the SPDX version and JSON as the data format, but other versions and formats can be supported.

The required function to implement for the plugin is the `GetSpdxDocument` method. This must return an object of type `AnyDocument`.
If you think about it, the plugin's job is not to return the document. The plugin should only return a data structure representing the data it knows about (probably a package representing the code and its dependencies). That structure may be part of a document with more than one code repository, for example.
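The three review points above (key plugins by ecosystem rather than a free-form name, return an error from `Register` instead of panicking, and have the plugin return package data rather than a whole document) can be seen together in one small registry. The code below is an added illustration written for this thread; it is not code from the PR or from the spdx-sbom-generator project. `PackageInfo`, `Registry`, `Document`, `mvnStub` and the `Ecosystem()`/`GetPackage()` methods are all assumed names, `Document` is a deliberately minimal stand-in for an SPDX 2.3 document rather than the project's `common.AnyDocument`, and `mvnStub` returns constructed data instead of parsing a pom.xml.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// PackageInfo is the unit a plugin actually knows about: one package and its
// dependencies. Hypothetical type for this example.
type PackageInfo struct {
	Name         string
	Version      string
	Dependencies []PackageInfo
}

// Plugin returns data, not a document; the generator owns document assembly.
type Plugin interface {
	Ecosystem() string // keying label, e.g. "maven", rather than a free-form name
	GetPackage(path string) (PackageInfo, error)
}

// Registry maps an ecosystem label to exactly one plugin.
type Registry struct {
	plugins map[string]Plugin
}

func NewRegistry() *Registry {
	return &Registry{plugins: make(map[string]Plugin)}
}

var ErrNilPlugin = errors.New("plugin: a Plugin object is required, but is nil")

// Register reports problems as errors so a host loading third-party plugins
// decides what to do, instead of being taken down by a panic.
func (r *Registry) Register(p Plugin) error {
	if p == nil {
		return ErrNilPlugin
	}
	eco := p.Ecosystem()
	if eco == "" {
		return errors.New("plugin: ecosystem label must not be empty")
	}
	if _, dup := r.plugins[eco]; dup {
		return fmt.Errorf("plugin: ecosystem %q already registered", eco)
	}
	r.plugins[eco] = p
	return nil
}

// Lookup finds the plugin for an ecosystem the generator detected in a repository.
func (r *Registry) Lookup(ecosystem string) (Plugin, error) {
	p, ok := r.plugins[ecosystem]
	if !ok {
		return nil, fmt.Errorf("plugin: no plugin for ecosystem %q", ecosystem)
	}
	return p, nil
}

// Document is a minimal stand-in for an SPDX 2.3 document (assumed shape, not
// the real spec). It can hold packages from several plugins at once.
type Document struct {
	SPDXVersion string
	Packages    []PackageInfo
}

// BuildDocument takes ecosystem -> manifest path, asks each plugin for its
// package data, and merges the results into one document.
func (r *Registry) BuildDocument(inputs map[string]string) (Document, error) {
	doc := Document{SPDXVersion: "SPDX-2.3"}
	ecos := make([]string, 0, len(inputs))
	for eco := range inputs {
		ecos = append(ecos, eco)
	}
	sort.Strings(ecos) // deterministic package order
	for _, eco := range ecos {
		p, err := r.Lookup(eco)
		if err != nil {
			return Document{}, err
		}
		pkg, err := p.GetPackage(inputs[eco])
		if err != nil {
			return Document{}, fmt.Errorf("plugin %q: %w", eco, err)
		}
		doc.Packages = append(doc.Packages, pkg)
	}
	return doc, nil
}

// mvnStub stands in for the pom.xml plugin; it returns constructed data and
// does not parse XML.
type mvnStub struct{}

func (mvnStub) Ecosystem() string { return "maven" }
func (mvnStub) GetPackage(path string) (PackageInfo, error) {
	if path == "" {
		return PackageInfo{}, errors.New("no pom.xml path given")
	}
	return PackageInfo{Name: "example-app", Version: "1.0.0",
		Dependencies: []PackageInfo{{Name: "junit", Version: "4.13.2"}}}, nil
}

func main() {
	reg := NewRegistry()
	if err := reg.Register(mvnStub{}); err != nil {
		fmt.Println("register:", err)
		return
	}
	doc, err := reg.BuildDocument(map[string]string{"maven": "pom.xml"})
	fmt.Printf("%+v err=%v\n", doc, err)
}
```

Keying by ecosystem means a second Maven plugin is rejected at registration rather than silently overwriting the first, and because `Register` returns an error the host can log and skip a bad plugin while still loading the rest.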