Add repo dependency ingester #5030
Conversation
| Identifiers: map[int32]string{ | ||
| int32(sbom.SoftwareIdentifierType_PURL): inv.Extractor.ToPURL(inv).String(), | ||
| // TODO: scalibr returns a _list_ of CPEs, but protobom will store one. | ||
| // use the first? |
There was a problem hiding this comment.
Ideally the most specific one. Now that package URL has official support for ranges, the one-purl-per-package rule is now obsolete. This means that, perhaps, we should create a new identifier list to capture more than one.
There was a problem hiding this comment.
I'm slightly confused about what you're suggesting here. I can see why PURLs supporting ranges would be useful in general, but I'm not sure if you're suggesting:
- That upstream
protobomneeds a change in theidentifierstype. - That Scalibr needs a change in the
ToPURLfunction. - That this code should be parsing the purl / Inventory and creating multiple
Nodeobjects when the Inventory contains certain types of data.
Looking at the scalibr code, it looks like CPEs are only reported from the SPDX and CDX extractors, so multiple (or > 0) CPEs seems moot for our current use cases. :puzzled:
There was a problem hiding this comment.
I meant number 1, but there are use cases when you may also want to return purls with ranges, more than one purl, and/or more than one CPE. It all depends on what you are trying to match.
evankanderson
force-pushed
the
deps-ingest
branch
from
3a35fe8
to
c09e0a5
Compare
Summary
Add a dedicate ingestion mode for repository dependencies which uses https://github.com/google/osv-scalibr to extract the dependencies from various lockfile and other dependency files in the repository.
See this design doc for the long term direction on dependency ingest; this is part of "stage 1" (but needs tests)
Change Type
Mark the type of change your PR introduces:
Testing
Still work in progress... Feel free to pick this up and patch it in while I am out.
Review Checklist: