
Bump Syft from 0.60.3 to 0.66.1 #440

Merged: 3 commits, Jan 17, 2023


Conversation

sophiewigmore (Member) commented Jan 13, 2023

Summary

  • Bump Syft from 0.60.3 to 0.66.1
  • Adds internal SPDX 2.2 support, since Syft v0.66.1 now supports 2.3
    • SPDX 2.2 SBOMs generated with packit now look slightly different than before. There are now fields that contain null or empty values.
    • This is a tradeoff of using the upstream Syft SPDX helpers, which do not have omitempty set for many fields, so they now show up with null entries. The old version of the code we were using before (v0.60.3) had the omitempty, so these fields didn't show up before.
    • As far as I can tell, all of these new fields are a part of the SPDX 2.2 spec, and shouldn't cause an issue with validity.
    • The alternative is to copy in the Syft 0.60.3 version of SPDX helpers so we can continue to produce identical SBOMs.
  • Clean up Syft and CycloneDX models by removing as much copied-in code as possible, and update test fixtures
  • Fixes long-failing SBOM test failures
  • Add clarifying comments

Addressing TODO items around picking up latest schema versions will not be addressed in this PR

Checklist

  • I have viewed, signed, and submitted the Contributor License Agreement.
  • I have linked issue(s) that this PR should close using keywords or the GitHub UI (See docs)
  • I have added an integration test, if necessary.
  • I have reviewed the styleguide for guidance on my code quality.
  • I'm happy with the commit history on this PR (I have rebased/squashed as needed).
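The omitempty tradeoff the description above refers to, as an added example (not code from this PR, Syft or packit; the struct fields are assumptions standing in for the real SPDX helper types). It shows the same package entry serialised with and without omitempty, and a check that lists the null/empty keys a reviewer should expect to see appear in regenerated fixtures.

```go
package main

import (
	"encoding/json"
	"sort"
)

// Package mimics an SPDX 2.2 package entry WITHOUT omitempty, as the PR says the
// upstream Syft helpers behave: nil slices marshal as null, unset strings as "".
type Package struct {
	SPDXID       string   `json:"SPDXID"`
	Name         string   `json:"name"`
	VersionInfo  string   `json:"versionInfo"`
	Checksums    []string `json:"checksums"`
	ExternalRefs []string `json:"externalRefs"` // field set: assumption
}

// PackageOmitEmpty is the same entry WITH omitempty, the behaviour of the
// copied-in v0.60.3-era helpers: empty fields are dropped from the output.
type PackageOmitEmpty struct {
	SPDXID       string   `json:"SPDXID"`
	Name         string   `json:"name"`
	VersionInfo  string   `json:"versionInfo,omitempty"`
	Checksums    []string `json:"checksums,omitempty"`
	ExternalRefs []string `json:"externalRefs,omitempty"`
}

// Marshal returns compact JSON for an SBOM fragment.
func Marshal(v interface{}) (string, error) {
	b, err := json.Marshal(v)
	return string(b), err
}

// NullOrEmptyKeys lists top-level keys whose value is null, "", [] or {}: the
// fields that newly appear in regenerated fixtures once omitempty is gone.
func NullOrEmptyKeys(doc []byte) ([]string, error) {
	var obj map[string]json.RawMessage
	if err := json.Unmarshal(doc, &obj); err != nil {
		return nil, err
	}
	var keys []string
	for k, v := range obj {
		switch string(v) {
		case "null", `""`, "[]", "{}": // compact encodings only
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys, nil
}
```

Running NullOrEmptyKeys over a fixture generated by the new code base and over the old one gives the exact set of keys whose presence is explained by the dropped omitempty rather than by a content change.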

dependabot bot and others added 2 commits January 5, 2023 05:04
Bumps [github.com/anchore/syft](https://github.com/anchore/syft) from 0.60.3 to 0.65.0.
- [Release notes](https://github.com/anchore/syft/releases)
- [Changelog](https://github.com/anchore/syft/blob/main/.goreleaser.yaml)
- [Commits](anchore/syft@v0.60.3...v0.65.0)

---
updated-dependencies:
- dependency-name: github.com/anchore/syft
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
- Adds internal SPDX 2.2 support, since Syft 0.66.1 supports 2.3
- Clean up Syft and CycloneDX models, and update test fixtures
- Fixes long-failing SBOM test failures
- Add clarifying comments
ryanmoran previously approved these changes Jan 17, 2023
@sophiewigmore sophiewigmore added the semver:patch A change requiring a patch version bump label Jan 17, 2023
@sophiewigmore sophiewigmore merged commit f959f31 into v2 Jan 17, 2023
@sophiewigmore sophiewigmore deleted the update-syft branch January 17, 2023 15:56