feat: add hierarchical option to merge command #338
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
documentation
Coverage Report •
|
||||||||||||||||||||||||||||||||||||||||
italvi
changed the title
italvi
changed the title
italvi
requested changes
Dec 17, 2024
There was a problem hiding this comment.
The coverage of 94% got me confused, but it seems we still have 95%, so that's why the pipeline did not break.
Further I noticed two bugs:
During testing the hierarchical flag, I observed the following bug:
If I have an SBOM with components within a component of components, i.e.
{
"$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"version": 1,
"metadata": {
"tools": [
{
"vendor": "@cyclonedx",
"name": "cyclonedx-library",
"version": "1.13.3",
"externalReferences": [
{
"url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues",
"type": "issue-tracker",
"comment": "as detected from PackageJson property \"bugs.url\""
},
{
"url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git",
"type": "vcs",
"comment": "as detected from PackageJson property \"repository.url\""
},
{
"url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme",
"type": "website",
"comment": "as detected from PackageJson property \"homepage\""
}
]
},
{
"vendor": "@cyclonedx",
"name": "cyclonedx-npm",
"version": "1.9.2",
"externalReferences": [
{
"url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues",
"type": "issue-tracker",
"comment": "as detected from PackageJson property \"bugs.url\""
},
{
"url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git",
"type": "vcs",
"comment": "as detected from PackageJson property \"repository.url\""
},
{
"url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme",
"type": "website",
"comment": "as detected from PackageJson property \"homepage\""
}
]
}
],
"component": {
"type": "application",
"name": "juice-shop",
"version": "14.1.1",
"bom-ref": "[email protected]",
"author": "Björn Kimminich",
"description": "Probably the most modern and sophisticated insecure web application",
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"purl": "pkg:npm/[email protected]?vcs_url=git%2Bhttps%3A//github.com/juice-shop/juice-shop.git",
"externalReferences": [
{
"url": "https://github.com/juice-shop/juice-shop/issues",
"type": "issue-tracker",
"comment": "as detected from PackageJson property \"bugs.url\""
},
{
"url": "git+https://github.com/juice-shop/juice-shop.git",
"type": "vcs",
"comment": "as detected from PackageJson property \"repository.url\""
},
{
"url": "https://owasp-juice.shop",
"type": "website",
"comment": "as detected from PackageJson property \"homepage\""
}
],
"properties": [
{
"name": "cdx:npm:package:path",
"value": ""
},
{
"name": "cdx:npm:package:private",
"value": "true"
}
]
}
},
"components": [
{
"type": "library",
"name": "node-pre-gyp",
"group": "@mapbox",
"version": "1.0.10",
"bom-ref": "@mapbox/[email protected]",
"author": "Dane Springmeyer",
"description": "Node.js native addon binary install tool",
"hashes": [
{
"alg": "SHA-512",
"content": "e324a8e028f34adba9accc24df91f9a4f6e4ca68efd521778c62e3eab007a7fc53fd117b4cbedb77d0939b5c43638f4adaa17b8e647f83b93e4a42c44cfea8a4"
}
],
"licenses": [
{
"license": {
"id": "BSD-3-Clause"
}
}
],
"purl": "pkg:npm/%40mapbox/[email protected]",
"externalReferences": [
{
"url": "https://registry.npmjs.org/@mapbox/node-pre-gyp/-/node-pre-gyp-1.0.10.tgz",
"type": "distribution",
"comment": "as detected from npm-ls property \"resolved\""
},
{
"url": "https://github.com/mapbox/node-pre-gyp/issues",
"type": "issue-tracker",
"comment": "as detected from PackageJson property \"bugs.url\""
},
{
"url": "git://github.com/mapbox/node-pre-gyp.git",
"type": "vcs",
"comment": "as detected from PackageJson property \"repository.url\""
},
{
"url": "https://github.com/mapbox/node-pre-gyp#readme",
"type": "website",
"comment": "as detected from PackageJson property \"homepage\""
}
],
"properties": [
{
"name": "cdx:npm:package:path",
"value": "node_modules/@mapbox/node-pre-gyp"
}
],
"components": [
{
"type": "library",
"name": "ansi-regex",
"version": "5.0.1",
"bom-ref": "@mapbox/[email protected]|[email protected]",
"author": "Sindre Sorhus",
"description": "Regular expression for matching ANSI escape codes",
"hashes": [
{
"alg": "SHA-512",
"content": "aae2505e54d25062f62c7f52517a3c570b18e2ca1a9e1828e8b3529bce04d4b05c13cb373b4c29762473c91f73fd9649325316bf7eea38e6fda5d26531410a15"
}
],
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"purl": "pkg:npm/[email protected]",
"externalReferences": [
{
"url": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
"type": "distribution",
"comment": "as detected from npm-ls property \"resolved\""
},
{
"url": "https://github.com/chalk/ansi-regex/issues",
"type": "issue-tracker",
"comment": "as detected from PackageJson property \"bugs.url\""
},
{
"url": "git+https://github.com/chalk/ansi-regex.git",
"type": "vcs",
"comment": "as detected from PackageJson property \"repository.url\""
},
{
"url": "https://github.com/chalk/ansi-regex#readme",
"type": "website",
"comment": "as detected from PackageJson property \"homepage\""
}
],
"properties": [
{
"name": "cdx:npm:package:path",
"value": "node_modules/@mapbox/node-pre-gyp/node_modules/ansi-regex"
}
]
}
]
}
]
}Then a simple merge leads to:
meaning the square brackets from the array are also copied.
Second bug: If I have a components within a components of a components so a subsystem of a subsystem, only the first subsystem is copied. Everything else is just dropped.
…onents in merge components
CBeck-96
force-pushed
the
152-merge-is-not-hierarchical
branch
from
7ac5388 to
64796a2
Compare
italvi
requested changes
Jan 26, 2025
There was a problem hiding this comment.
The hierarchical flag seems to work now, however, if I have a components within a components of a component, i.e.
{
"components": [
{
"type": "library",
"name": "node-pre-gyp",
"group": "@mapbox",
"version": "1.0.10",
"bom-ref": "@mapbox/[email protected]",
"author": "Dane Springmeyer",
"description": "Node.js native addon binary install tool",
"hashes": [
{
"alg": "SHA-512",
"content": "e324a8e028f34adba9accc24df91f9a4f6e4ca68efd521778c62e3eab007a7fc53fd117b4cbedb77d0939b5c43638f4adaa17b8e647f83b93e4a42c44cfea8a4"
}
],
"licenses": [
{
"license": {
"id": "BSD-3-Clause"
}
}
],
"purl": "pkg:npm/%40mapbox/[email protected]",
"externalReferences": [
{
"url": "https://registry.npmjs.org/@mapbox/node-pre-gyp/-/node-pre-gyp-1.0.10.tgz",
"type": "distribution",
"comment": "as detected from npm-ls property \"resolved\""
},
{
"url": "https://github.com/mapbox/node-pre-gyp/issues",
"type": "issue-tracker",
"comment": "as detected from PackageJson property \"bugs.url\""
},
{
"url": "git://github.com/mapbox/node-pre-gyp.git",
"type": "vcs",
"comment": "as detected from PackageJson property \"repository.url\""
},
{
"url": "https://github.com/mapbox/node-pre-gyp#readme",
"type": "website",
"comment": "as detected from PackageJson property \"homepage\""
}
],
"properties": [
{
"name": "cdx:npm:package:path",
"value": "node_modules/@mapbox/node-pre-gyp"
}
],
"components": [
{
"type": "library",
"name": "ansi-regex",
"version": "5.0.1",
"bom-ref": "@mapbox/[email protected]|[email protected]",
"author": "Sindre Sorhus",
"description": "Regular expression for matching ANSI escape codes",
"hashes": [
{
"alg": "SHA-512",
"content": "aae2505e54d25062f62c7f52517a3c570b18e2ca1a9e1828e8b3529bce04d4b05c13cb373b4c29762473c91f73fd9649325316bf7eea38e6fda5d26531410a15"
}
],
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"purl": "pkg:npm/[email protected]",
"externalReferences": [
{
"url": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
"type": "distribution",
"comment": "as detected from npm-ls property \"resolved\""
},
{
"url": "https://github.com/chalk/ansi-regex/issues",
"type": "issue-tracker",
"comment": "as detected from PackageJson property \"bugs.url\""
},
{
"url": "git+https://github.com/chalk/ansi-regex.git",
"type": "vcs",
"comment": "as detected from PackageJson property \"repository.url\""
},
{
"url": "https://github.com/chalk/ansi-regex#readme",
"type": "website",
"comment": "as detected from PackageJson property \"homepage\""
}
],
"properties": [
{
"name": "cdx:npm:package:path",
"value": "node_modules/@mapbox/node-pre-gyp/node_modules/ansi-regex"
}
]
}
]
}
]
}Then it does not work as you describe it in the documentation: The component "ansi-regex" is still just copied within "node-pre-gyp" and not separately on the highest level.
…without hierarchical
italvi
requested changes
Feb 3, 2025
italvi
requested changes
Feb 4, 2025
italvi
approved these changes
Feb 5, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
closes #152