WIP: Add component type to pkg #2146
Signed-off-by: Benji Visser <benji@093b.org>
Hey @noqcks, sorry for the delay getting back to you. I will see if we can get a review on this soon, if you are still interested in working on it. Much appreciated!
Yep, I am! Although this is only a WIP/example PR for this issue: #2145. I can clean it up if the direction described in the issue makes sense.
Locations file.LocationSet // the locations that lead to the discovery of this package (note: this is not necessarily the locations that make up this package) | ||
Licenses LicenseSet // licenses discovered with the package metadata | ||
Language Language `hash:"ignore" cyclonedx:"language"` // the language ecosystem this package belongs to (e.g. JavaScript, Python, etc) | ||
ComponentType ComponentType `cyclonedx:"type"` // the type of component (e.g. application, library, framework, etc) |
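Review bot: the new ComponentType field carries only the `cyclonedx:"type"` tag, while the Language field directly above it also has `hash:"ignore"`. If the component type is not meant to contribute to a package's identity, consider giving it the same tag, and extend the field comment to say what value is expected when the type is unknown.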
Hey @noqcks -- sorry for the delay here, I also left a comment on the related issue, but the gist is that instead of modifying this package, we should modify the DotnetDepsMetadata with the appropriate field(s) here: https://github.com/anchore/syft/blob/main/syft/pkg/dotnet.go#L4-L10
Are we able to access DotnetDepsMetadata from the cyclonedx formatter? From my understanding you can only access the package Struct.
Yes, you can access the metadata from the formatter; you just need to type assert the metadata field. Here is an example extracting the author in CycloneDX.
See issue #2145
This PR is failing right now because adding a new field to Pkg recomputes packageIDs (I believe). If this PR were to be deemed appropriate, I would update all tests where needed. Looking for an approval first before I update all the tests.