Fix SBOM schema validation #17987
Conversation
Can't we add this back at pour time so that the on-disk SBOM is valid? In any case: the SBOMs in the bottle are incomplete anyway, and shouldn't be used. We should maybe rename them while they're still in the bottle so it's not misleading.

We can add it at pour time and I think we do. Though at which point: why ship an incomplete SBOM in the bottle at all when we can generate it entirely on install like we do for tabs?
Not sure; I actually thought that we stopped shipping SBOMs in bottles entirely because they broke bottle reproducibility. |
We could set it to the
I agree, with hindsight, though, that putting the SBOM as part of the OCI manifest/metadata seems like it would be a smarter move (although that comes with downsides, too, noted below).
Yes, this is bad and something else that should be fixed.
This is binary thinking; being incomplete does not make these SBOMs useless. I think there's still some value in having something inside the bottle. It's easier to download and consume a bottle than our tab metadata. It's also more trustworthy to have said SBOM be part of the checksummed object rather than in the OCI manifest/metadata that can be overwritten at any time with a Homebrew/core change.
Because:
I think the short-term best solutions are:
And, in the longer term:
Another thing: we should really have some regression tests for ensuring that we can create reproducible bottles. A lot of issues in SBOM and elsewhere would have been caught by this.
- Remove/change data from bottle SBOM to avoid harming reproducibility
- Add `schema_validation_errors` method to provide nicer test failures
- Add more tests for SBOM when bottling
- Cleanup SBOM tests to use more typical RSpec form and be DRYer
Should have fixed the short-term issues mentioned here as well as adding some more tests.

Thanks for the PR @Bo98! I'm definitely game to make bigger changes but felt like it was important to resolve the issues you flagged here ASAP.
So our schema validation has never worked. It's always been using the wrong format - some JSON-LD from SPDX 3.0. We're using SPDX 2.3 and we want a JSON Schema, not JSON-LD.

This PR fixes it and did detect some issues, e.g. the `created` date was in the incorrect format (should have been ISO 8601).

There's an outstanding problem here: our stripping of `created` for bottles is producing an invalid SBOM. The `created` field is mandatory. I'm not sure what the correct fix for that would be. There are also a number of other outstanding issues of reproducibility: a bottle built one week is currently producing a different SBOM to one built the next week when `brew` tags are made. Seems like we're currently undoing all of the benefits of `--only-json-tab`, where we made sure the tab is stored in the package manifest rather than the bottle tarball itself.
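The two failure modes described in this thread (a `created` value in the wrong format, and a `created` field stripped out entirely for reproducibility even though SPDX 2.3 makes it mandatory) are easy to reproduce with a small checker. The following is an added example, not Homebrew's `schema_validation_errors` implementation and not the SPDX JSON Schema: it hand-checks a hypothetical subset of the SPDX 2.3 required fields (`REQUIRED_TOP_LEVEL`, `creationInfo.created`, `creationInfo.creators`) and enforces the `YYYY-MM-DDThh:mm:ssZ` timestamp form the SPDX 2.3 spec requires. The `sample_sbom` document, `strip_created` and `pin_created` are constructed for illustration; pinning `created` to a fixed timestamp is shown only as one way to keep the bottle copy both valid and deterministic, not as the project's chosen fix.

```ruby
require "json"
require "time"

# SPDX 2.3 requires creationInfo.created as ISO 8601 in UTC with no fractional
# seconds, i.e. exactly YYYY-MM-DDThh:mm:ssZ. Ruby's Time#to_s does NOT match.
SPDX_CREATED_RE = /\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z\z/

# Hypothetical subset of the top-level fields the SPDX 2.3 JSON Schema marks
# as required (assumption for this example; the real schema has more rules).
REQUIRED_TOP_LEVEL = %w[spdxVersion dataLicense SPDXID name documentNamespace creationInfo].freeze

# Return a list of human-readable problems instead of a bare true/false so a
# failing test says *what* is wrong with the document.
def schema_validation_errors(sbom)
  errors = []

  REQUIRED_TOP_LEVEL.each do |key|
    errors << "missing required field `#{key}`" unless sbom.key?(key)
  end

  if sbom.key?("spdxVersion") && sbom["spdxVersion"] != "SPDX-2.3"
    errors << "spdxVersion must be \"SPDX-2.3\", got #{sbom["spdxVersion"].inspect}"
  end

  info = sbom["creationInfo"]
  if info.is_a?(Hash)
    created = info["created"]
    if created.nil?
      errors << "creationInfo.created is mandatory"
    elsif !created.is_a?(String) || created !~ SPDX_CREATED_RE
      errors << "creationInfo.created must be ISO 8601 UTC (YYYY-MM-DDThh:mm:ssZ), got #{created.inspect}"
    end
    unless info["creators"].is_a?(Array) && !info["creators"].empty?
      errors << "creationInfo.creators must be a non-empty array"
    end
  elsif sbom.key?("creationInfo")
    errors << "creationInfo must be an object"
  end

  errors
end

# Format a Time the way SPDX 2.3 wants it.
def spdx_created(time)
  time.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
end

# Constructed sample document (not a real Homebrew SBOM).
def sample_sbom(created: spdx_created(Time.utc(2024, 8, 7, 12, 0, 0)))
  {
    "spdxVersion"       => "SPDX-2.3",
    "dataLicense"       => "CC0-1.0",
    "SPDXID"            => "SPDXRef-DOCUMENT",
    "name"              => "example-1.0",
    "documentNamespace" => "https://example.invalid/spdx/example-1.0",
    "creationInfo"      => {
      "created"  => created,
      "creators" => ["Tool: example-sbom-generator"],
    },
  }
end

# Deep copy via JSON so the caller's document is left untouched.
def deep_copy(sbom)
  JSON.parse(JSON.generate(sbom))
end

# Reproducibility option 1 (what the thread says breaks validation):
# delete the build timestamp from the bottle copy.
def strip_created(sbom)
  copy = deep_copy(sbom)
  copy["creationInfo"].delete("created")
  copy
end

# Reproducibility option 2 (assumption, shown for contrast): replace the
# timestamp with a fixed value so the field is present and deterministic.
def pin_created(sbom, to: "1970-01-01T00:00:00Z")
  copy = deep_copy(sbom)
  copy["creationInfo"]["created"] = to
  copy
end

if __FILE__ == $PROGRAM_NAME
  puts "valid:     #{schema_validation_errors(sample_sbom).inspect}"
  puts "bad date:  #{schema_validation_errors(sample_sbom(created: Time.utc(2024, 8, 7).to_s)).inspect}"
  puts "stripped:  #{schema_validation_errors(strip_created(sample_sbom)).inspect}"
  puts "pinned:    #{schema_validation_errors(pin_created(sample_sbom)).inspect}"
end
```

Run it with `ruby sbom_check.rb`: the unmodified sample passes, the `Time#to_s` form is rejected because it is `2024-08-07 00:00:00 UTC` rather than `2024-08-07T00:00:00Z`, the stripped copy fails on the mandatory field, and the pinned copy validates while being byte-identical across builds. A real validator should run the official SPDX 2.3 JSON Schema (for example via `json_schemer`) rather than this hand-written subset; the point here is that the error list, not a boolean, is what makes the test failure actionable.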