Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: warn if parsing newer SBOM #1810

Merged
merged 3 commits into from
May 11, 2023
Merged

feat: warn if parsing newer SBOM #1810

merged 3 commits into from
May 11, 2023

Conversation

willmurphyscode
Copy link
Contributor

If syft is asked to parse an SBOM that was written by a newer version of syft, emit a warning.

Suggested during #1812 - it's likely more helpful to warn that syft is being asked to parse an SBOM written by newer syft than it is to warn every single instance of a new type.

Note that this pulls in https://github.com/Masterminds/semver. It could have used https://github.com/anchore/go-version, but the version structs here expose Major, Minor, and Patch directly, which I thought I would need. Also, it might be good to get off https://github.com/anchore/go-version, which is an old fork, so I didn't want to use it in a new place.

@willmurphyscode
feat: warn if parsing newer SBOM
23c92d9 
If syft is ask to parse an SBOM that was written by a newer version of
syft, emit a warning.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
@github-actions
Copy link

github-actions bot commented May 10, 2023
edited
Loading

Benchmark Test Results

Benchmark results from the latest changes vs base branch 
goos: linux%0Agoarch: amd64%0Apkg: github.com/anchore/syft/test/integration%0Acpu: Intel(R) Xeon(R) Platinum 8272CL CPU @ 2.60GHz%0A                                                          │ ./.tmp/benchmark-12d19e5.txt │%0A                                                          │            sec/op            │%0AImagePackageCatalogers/alpmdb-cataloger-2                                    11.81m ± 1%25%0AImagePackageCatalogers/apkdb-cataloger-2                                     658.0µ ± 6%25%0AImagePackageCatalogers/binary-cataloger-2                                    214.9µ ± 2%25%0AImagePackageCatalogers/dpkgdb-cataloger-2                                    598.0µ ± 2%25%0AImagePackageCatalogers/dotnet-deps-cataloger-2                               1.238m ± 1%25%0AImagePackageCatalogers/go-module-binary-cataloger-2                          94.31µ ± 0%25%0AImagePackageCatalogers/java-cataloger-2                                      13.11m ± 1%25%0AImagePackageCatalogers/graalvm-native-image-cataloger-2                      93.36µ ± 8%25%0AImagePackageCatalogers/javascript-package-cataloger-2                        401.0µ ± 1%25%0AImagePackageCatalogers/nix-store-cataloger-2                                 282.0µ ± 4%25%0AImagePackageCatalogers/php-composer-installed-cataloger-2                    792.9µ ± 1%25%0AImagePackageCatalogers/portage-cataloger-2                                   402.8µ ± 1%25%0AImagePackageCatalogers/python-package-cataloger-2                            3.207m ± 2%25%0AImagePackageCatalogers/r-package-cataloger-2                                 178.1µ ± 2%25%0AImagePackageCatalogers/rpm-db-cataloger-2                                    534.9µ ± 1%25%0AImagePackageCatalogers/ruby-gemspec-cataloger-2                              905.2µ ± 1%25%0AImagePackageCatalogers/sbom-cataloger-2                                      121.0µ ± 1%25%0Ageomean                                                                      600.7µ%0A%0A                                                          │ ./.tmp/benchmark-12d19e5.txt │%0A                                                          │             B/op             │%0AImagePackageCatalogers/alpmdb-cataloger-2                                   5.118Mi ± 0%25%0AImagePackageCatalogers/apkdb-cataloger-2                                    146.4Ki ± 0%25%0AImagePackageCatalogers/binary-cataloger-2                                   32.04Ki ± 0%25%0AImagePackageCatalogers/dpkgdb-cataloger-2                                   170.7Ki ± 0%25%0AImagePackageCatalogers/dotnet-deps-cataloger-2                              410.8Ki ± 0%25%0AImagePackageCatalogers/go-module-binary-cataloger-2                         10.06Ki ± 0%25%0AImagePackageCatalogers/java-cataloger-2                                     2.785Mi ± 0%25%0AImagePackageCatalogers/graalvm-native-image-cataloger-2                     8.750Ki ± 0%25%0AImagePackageCatalogers/javascript-package-cataloger-2                       98.60Ki ± 0%25%0AImagePackageCatalogers/nix-store-cataloger-2                                49.42Ki ± 0%25%0AImagePackageCatalogers/php-composer-installed-cataloger-2                   179.5Ki ± 0%25%0AImagePackageCatalogers/portage-cataloger-2                                  86.39Ki ± 0%25%0AImagePackageCatalogers/python-package-cataloger-2                           977.8Ki ± 0%25%0AImagePackageCatalogers/r-package-cataloger-2                                41.59Ki ± 0%25%0AImagePackageCatalogers/rpm-db-cataloger-2                                   178.2Ki ± 0%25%0AImagePackageCatalogers/ruby-gemspec-cataloger-2                             139.7Ki ± 0%25%0AImagePackageCatalogers/sbom-cataloger-2                                     14.20Ki ± 0%25%0Ageomean                                                                     125.4Ki%0A%0A                                                          │ ./.tmp/benchmark-12d19e5.txt │%0A                                                          │          allocs/op           │%0AImagePackageCatalogers/alpmdb-cataloger-2                                    87.63k ± 0%25%0AImagePackageCatalogers/apkdb-cataloger-2                                     3.682k ± 0%25%0AImagePackageCatalogers/binary-cataloger-2                                     896.0 ± 0%25%0AImagePackageCatalogers/dpkgdb-cataloger-2                                    2.998k ± 0%25%0AImagePackageCatalogers/dotnet-deps-cataloger-2                               6.326k ± 0%25%0AImagePackageCatalogers/go-module-binary-cataloger-2                           281.0 ± 0%25%0AImagePackageCatalogers/java-cataloger-2                                      39.46k ± 0%25%0AImagePackageCatalogers/graalvm-native-image-cataloger-2                       228.0 ± 0%25%0AImagePackageCatalogers/javascript-package-cataloger-2                        1.321k ± 0%25%0AImagePackageCatalogers/nix-store-cataloger-2                                  893.0 ± 0%25%0AImagePackageCatalogers/php-composer-installed-cataloger-2                    3.796k ± 0%25%0AImagePackageCatalogers/portage-cataloger-2                                   1.668k ± 0%25%0AImagePackageCatalogers/python-package-cataloger-2                            15.96k ± 0%25%0AImagePackageCatalogers/r-package-cataloger-2                                  805.0 ± 0%25%0AImagePackageCatalogers/rpm-db-cataloger-2                                    3.879k ± 0%25%0AImagePackageCatalogers/ruby-gemspec-cataloger-2                              2.279k ± 0%25%0AImagePackageCatalogers/sbom-cataloger-2                                       394.0 ± 0%25%0Ageomean                                                                      2.467k

@willmurphyscode
wrap semver parse errors
e0bc2e4 
Signed-off-by: Will Murphy <will.murphy@anchore.com>
@willmurphyscode
rename method based on feedback
3577eb5 
Signed-off-by: Will Murphy <will.murphy@anchore.com>
@willmurphyscode willmurphyscode merged commit e925d9d into main May 11, 2023
@willmurphyscode willmurphyscode deleted the warn-when-reading-newer-sbom branch May 11, 2023 12:55
spiffcs added a commit that referenced this pull request May 11, 2023
@spiffcs
Merge branch 'main' into 1577-license-revamp
1e10714 
* main:
  feat: warn if parsing newer SBOM (#1810)
  feat: Add R cataloger (#1790)
  update cosign to v2 release (different go module) (#1805)

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
spiffcs added a commit that referenced this pull request May 18, 2023
@spiffcs
Merge branch 'main' into fix-portage-license-handling
f8cc0c9 
* main: (32 commits)
  chore(deps): bump github.com/google/go-containerregistry (#1823)
  chore(deps): bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1 (#1822)
  chore(deps): bump github.com/docker/docker (#1824)
  fix: update field plurality of 8.0.0 schema before release (#1820)
  fix: update cataloger to check for expressions before split (#1819)
  feat: update syft license concept to complex struct (#1743)
  fix: cyclonedx depends-on relationship inverted (#1816)
  fix: retain sbom cataloger relationships (#1509)
  feat: warn if parsing newer SBOM (#1810)
  feat: Add R cataloger (#1790)
  update cosign to v2 release (different go module) (#1805)
  fix: Reduce log spam on unknown relationship type (#1797)
  chore(deps): update bootstrap tools to latest versions (#1807)
  chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 (#1802)
  chore(deps): bump github.com/docker/docker (#1795)
  chore(deps): bump github.com/google/go-containerregistry (#1796)
  chore(deps): update bootstrap tools to latest versions (#1792)
  Print package list when extra packages found (#1791)
  chore(deps): update bootstrap tools to latest versions (#1786)
  chore(deps): bump golang.org/x/term from 0.7.0 to 0.8.0 (#1787)
  ...

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@wagoodman wagoodman added the enhancement New feature or request label May 22, 2023
This was referenced May 22, 2023
Merged
Closed
Closed
Merged
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
@willmurphyscode
feat: warn if parsing newer SBOM (anchore#1810)
cb7a061 
If syft is asked to parse an SBOM that was written by a newer version of
syft, emit a warning, since the current version of syft doesn't know about 
fields that may be added in the future.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wagoodman wagoodman wagoodman approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@willmurphyscode @wagoodman