Fix SBOM schema validation #17987
Can't we add this back at pour time so that the on-disk SBOM is valid? In any case: the SBOMs in the bottle are incomplete anyway, and shouldn't be used. We should maybe rename them while they're still in the bottle so it's not misleading. |
We can add it at pour time and I think we do. Though at which point: why ship an incomplete SBOM in the bottle at all when we can generate it entirely on install like we do for tabs? |
Not sure; I actually thought that we stopped shipping SBOMs in bottles entirely because they broke bottle reproducibility. |
We could set it to the
I agree, with hindsight, though that putting the SBOM as part of the OCI manifest/metadata seems like it would be a smarter move (although that comes with downsides, too, noted below).
Yes, this is bad and something else that should be fixed.
This is binary thinking; being incomplete does not make these SBOMs useless. I think there's still some value in having something inside the bottle. It's easier to download and consume a bottle than our tab metadata. It's also more trustworthy to have said SBOM be part of the checksummed object rather than in the OCI manifest/metadata that can be overwritten at any time with a Homebrew/core change.
Because:
I think the short-term best solutions are:
And, in the longer term:
|
Another thing: we should really have some regression tests for ensuring that we can create reproducible bottles. A lot of issues in SBOM and elsewhere would have been caught by this. |
- Remove/change data from bottle SBOM to avoid harming reproducibility
- Add `schema_validation_errors` method to provide nicer test failures
- Add more tests for SBOM when bottling
- Clean up SBOM tests to use more typical RSpec form and be DRYer
Should have fixed the short-term issues mentioned here as well as adding some more tests. |
Thanks for the PR @Bo98! I'm definitely game to make bigger changes but felt like it was important to resolve the issues you flagged here ASAP. |
So our schema validation has never worked. It's always been using the wrong format - some JSON LD from SPDX 3.0. We're using SPDX 2.3 and we want a JSON Schema - not JSON LD.
This PR fixes it and did detect some issues, e.g. the `created` date was in the incorrect format (should have been ISO 8601).

There's an outstanding problem here: our stripping of `created` for bottles is producing an invalid SBOM. The `created` field is mandatory. I'm not sure what the correct fix for that would be. There's also a number of other outstanding issues of reproducibility - a bottle built one week is currently producing a different SBOM to one built the next week when `brew` tags are made. Seems like we're currently undoing all of the benefits of `--only-json-tab`, where we made sure the tab is stored in the package manifest rather than the bottle tarball itself.
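An added example of the kind of check the description refers to (my own illustrative Ruby, not the PR's `schema_validation_errors` or any Homebrew code): a validator for an assumed subset of the SPDX 2.3 JSON Schema rules, run on a constructed document. It shows the ISO 8601 UTC format required for `created` and that stripping `created` for reproducibility leaves a document the schema rejects.

```ruby
require "json"

# Constructed minimal SPDX 2.3 document (not a real Homebrew bottle SBOM).
EXAMPLE_SBOM_JSON = <<~SBOM
  {
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-bottle-sbom",
    "documentNamespace": "https://example.invalid/spdx/example-bottle",
    "creationInfo": {
      "created": "2024-08-01T12:34:56Z",
      "creators": ["Tool: example-tool-0.0.0"]
    }
  }
SBOM

# SPDX 2.3 requires `created` in the form YYYY-MM-DDThh:mm:ssZ (UTC, whole seconds).
SPDX_CREATED_RE = /\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z\z/

# Hand-written check of an assumed subset of the SPDX 2.3 JSON Schema (top-level
# required fields plus creationInfo). Returns error strings; empty means valid.
def schema_validation_errors(sbom)
  errors = []
  %w[spdxVersion dataLicense SPDXID name documentNamespace creationInfo].each do |key|
    errors << "missing required field: #{key}" unless sbom.key?(key)
  end
  errors << "spdxVersion must be SPDX-2.3" unless sbom["spdxVersion"] == "SPDX-2.3"
  info = sbom["creationInfo"]
  return errors unless info.is_a?(Hash)
  created = info["created"]
  if created.nil?
    errors << "creationInfo.created is mandatory"
  elsif !created.to_s.match?(SPDX_CREATED_RE)
    errors << "creationInfo.created must be ISO 8601 UTC (YYYY-MM-DDThh:mm:ssZ), got #{created.inspect}"
  end
  creators = info["creators"]
  errors << "creationInfo.creators must be a non-empty array" unless creators.is_a?(Array) && !creators.empty?
  errors
end

# The reproducibility trade-off from the description: `created` differs on every
# build, but dropping it yields a document the schema rejects.
def errors_after_stripping_created(sbom)
  stripped = JSON.parse(JSON.generate(sbom)) # deep copy; leaves the input untouched
  stripped["creationInfo"]&.delete("created")
  schema_validation_errors(stripped)
end

puts "as built:         #{schema_validation_errors(JSON.parse(EXAMPLE_SBOM_JSON)).inspect}"
puts "created stripped: #{errors_after_stripping_created(JSON.parse(EXAMPLE_SBOM_JSON)).inspect}"
```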