
BOM: Feature complete SPDX and license packages #2064

Merged
merged 9 commits into from
May 18, 2021

Conversation

puerco
Member

@puerco puerco commented May 16, 2021

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR contains the final updates to the go packages needed to produce the SPDX Bill of Materials for Kubernetes releases. This code now produces SPDX compliant manifests from naked files, docker archives, and images pulled from registries.

This PR does the following:

  • Rips the SPDX code from the license package code into a new spdx pkg
  • Moves the license lookup code into a new license.Catalog object
  • Implements the first set of image analyzers to enrich the SPDX data for the distroless and go-runner base images
  • Corrects a bug with the license downloader where license data was not available when first downloaded.

Which issue(s) this PR fixes:

Part of #1837

Special notes for your reviewer:

This is the first commit of the final form of the packages. The packages are not in use yet by anything. The tests and fakes for the spdx package are coming in a follow-up

Does this PR introduce a user-facing change?

- New `SPDX` package for generating SPDX compliant manifests of artifacts.
- The `license` package now includes a new `Catalog` object to interact with SPDX license data.
- First set of image analyzers to enrich the BOM generated for the go-runner and distroless base images
- Corrects a bug with the license downloader where license data was not available when first downloaded.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
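To make the description above concrete, here is a small illustration, written for this page and not taken from the Kubernetes release-engineering code, of the two pieces the PR combines: a license catalog lookup and an SPDX 2.2 tag-value manifest for a set of naked files. The `Catalog` map, the `File` struct and the `Document` function are assumptions for this example; file contents are constructed inline, and a license identifier the catalog does not know is emitted as `NOASSERTION` rather than guessed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Catalog is a stand-in for a license catalog (hypothetical for this example):
// it maps SPDX license identifiers to a human readable name.
type Catalog map[string]string

// Lookup reports whether an SPDX identifier is known to the catalog, so the
// caller can write NOASSERTION instead of an identifier no consumer can verify.
func (c Catalog) Lookup(id string) (string, bool) {
	name, ok := c[id]
	return name, ok
}

// File is one artifact that will be listed in the manifest.
type File struct {
	Name      string
	Content   []byte // constructed inline here; a real tool would read from disk
	LicenseID string // license identifier as declared by the producer
}

// spdxID derives a stable SPDXRef identifier from a file path.
func spdxID(name string) string {
	return "SPDXRef-File-" + strings.NewReplacer("/", "-", ".", "-").Replace(name)
}

// Document renders an SPDX 2.2 tag-value document covering files, recording a
// SHA256 checksum per file so a consumer can later verify the artifact matches.
func Document(docName string, cat Catalog, files []File) string {
	var b strings.Builder
	fmt.Fprintf(&b, "SPDXVersion: SPDX-2.2\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\nDocumentName: %s\n\n", docName)
	sort.Slice(files, func(i, j int) bool { return files[i].Name < files[j].Name })
	for _, f := range files {
		sum := sha256.Sum256(f.Content)
		lic := "NOASSERTION"
		if _, ok := cat.Lookup(f.LicenseID); ok {
			lic = f.LicenseID
		}
		fmt.Fprintf(&b, "FileName: ./%s\nSPDXID: %s\nFileChecksum: SHA256: %s\nLicenseConcluded: %s\n\n",
			f.Name, spdxID(f.Name), hex.EncodeToString(sum[:]), lic)
	}
	return b.String()
}
```

Running `Document` over a directory listing gives a manifest in which every file carries a checksum that can be re-computed and compared at consumption time, which is the property a release BOM is meant to provide.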
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority labels May 16, 2021
@k8s-ci-robot k8s-ci-robot added area/release-eng Issues or PRs related to the Release Engineering subproject sig/release Categorizes an issue or PR as relevant to SIG Release. approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels May 16, 2021
@puerco puerco mentioned this pull request May 16, 2021
@puerco puerco changed the title Sbom spdx BOM: Feature complete SPDX and license packages May 16, 2021
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 18, 2021
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: puerco, saschagrunert


@saschagrunert
Member

This PR is heavy and I did not manage to review in every detail. Let's iterate on it and get the main functionality in. Great work! 🥳

@k8s-ci-robot k8s-ci-robot merged commit 8c21b23 into kubernetes:master May 18, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone May 18, 2021