
spdx-sbom-generator Community Meeting Minutes

Times: Every Wednesday 9:30am-10:30am Pacific, 12:00pm-1:00pm EDT, 5:00pm-6:00pm UTC
Online meeting: https://meet.jit.si/SBOM-tools

Template

Enter Date Here

Attendees

  • attendees list

Notetaker

  • notetaker 🥇
  • backup notetaker 🥈

Agenda

  • enter agenda before meeting

Notes


Backlog


09/20/2023

Attendees

  • Rahul Tiwari

Agenda

  • Plugin Interface Design

Notes

  • Browse through the existing implementation to find the scope of refactoring needed so that the new plugin interface fits in better.

09/20/2023

Attendees

  • Nisha Kumar

Agenda

  • Plugin Interface Design

Notes

  • The most straightforward implementation is a single method that returns an SPDX document; this should work for SPDX 2.x.
  • In the current refactor we have a document handler which is called by the generator implementation:
type GeneratorImplementation interface {
	GetDocumentFormatHandler(*options.Options) (DocumentFormatHandler, error)
	GetCodeParsers(*options.Options) ([]plugin.Plugin, error)
	RunParser(*options.Options, plugin.Plugin) ([]meta.Package, error)
}

GetDocumentFormatHandler selects the handler for the requested SPDX specification version:

// GetDocumentFormatHandler gets a document handler according to the spdx schema version
func (di *defaultGeneratorImplementation) GetDocumentFormatHandler(opts *options.Options) (DocumentFormatHandler, error) {
	switch opts.SchemaVersion {
	case "2.3":
		return &v23.Handler{}, nil
	case "2.2":
		return &v22.Handler{}, nil
	default:
		return nil, errors.New("no document format handler defined")
	}
}

// plugins maps each plugin name to its document format handler
var plugins = make(map[string]DocumentFormatHandler)

type DocumentHandler interface {
	GetDocumentFormatHandler(*options.Options) (DocumentFormatHandler, error)
}

type Plugin interface {
	GetDocument(opts *options.Options)
}

// GetPluginHandler looks up the handler registered under pluginName
// (nil if no plugin with that name has been registered)
func GetPluginHandler(pluginName string) DocumentFormatHandler {
	return plugins[pluginName]
}

package main

import (
	"plugin"

	_ "plugins/python" // imported for its side effect: registering the python handler
)

func main() {
	dfh := plugin.GetPluginHandler("python")
	dfh.CreateDocument()
}
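The registry sketched above, filled in as an added example (not code from the meeting or from the spdx-sbom-generator project): plugin packages register their handler from init(), which is what the blank import relies on, and the lookup returns an error for an unknown name instead of a nil interface. Document, Register and pythonHandler are assumed names, and the document type is a stand-in.

```go
package main

import "fmt"

type Document struct { // hypothetical stand-in for the generated SPDX document
	SchemaVersion string
	Packages      []string
}

// DocumentFormatHandler is the one-method design from the notes: one call returns the document.
type DocumentFormatHandler interface {
	CreateDocument(schemaVersion string, packages []string) (*Document, error)
}

var plugins = make(map[string]DocumentFormatHandler) // plugin name ("python", "npm", ...) -> handler

// Register is what a plugin package calls from init(), so `import _ "plugins/python"` suffices.
func Register(name string, h DocumentFormatHandler) error {
	if _, dup := plugins[name]; dup { // refuse silent replacement of an already loaded plugin
		return fmt.Errorf("plugin %q registered twice", name)
	}
	plugins[name] = h
	return nil
}

// GetPluginHandler reports an unknown name here instead of returning a nil interface that panics later.
func GetPluginHandler(name string) (DocumentFormatHandler, error) {
	if h, ok := plugins[name]; ok {
		return h, nil
	}
	return nil, fmt.Errorf("no plugin %q (%d registered)", name, len(plugins))
}

// pythonHandler is a constructed stand-in for a plugins/python package; it only emits schema versions 2.2 and 2.3.
type pythonHandler struct{}

func (pythonHandler) CreateDocument(schema string, pkgs []string) (*Document, error) {
	if schema != "2.2" && schema != "2.3" {
		return nil, fmt.Errorf("no document format handler defined for %s", schema)
	}
	return &Document{SchemaVersion: schema, Packages: pkgs}, nil
}

func init() { _ = Register("python", pythonHandler{}) } // done by the plugin package itself

func main() {
	h, err := GetPluginHandler("python")
	fmt.Println(h, err) // a nil handler always comes with a non-nil error
}
```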

09/13/2023

Attendees

  • Nisha Kumar
  • Rahul Tiwari

Notetaker

  • Rahul Tiwari

Agenda

  • Proposal to update plugin architecture

Notes


08/23/2023

Attendees

  • Rahul Tiwari
  • Maximilian Huber

Notetaker

  • Rahul Tiwari

Notes

  • Glanced through the pnpm parser PR

08/09/2023

Attendees

  • Rahul Tiwari
  • Nisha Kumar

Notetaker

  • Rahul Tiwari

Agenda

  • Reviewing the refactor PR of the SBOM generator.
  • Discussing separating plugins out of the parsers project and its feasibility.

Notes

  • GSoC work
    • Fix the build job in the GitHub actions.

07/26/2023

Attendees

  • Rahul Tiwari
  • Nisha Kumar

Notetaker

  • Rahul Tiwari

Agenda

  • Discussing Nisha's PR supporting various lockfile versions for npm. The PR seems stale and needs to be revisited.

06/28/2023

Attendees

  • Rahul Tiwari
  • Nisha Kumar
  • Adolfo García Veytia

Notetaker

  • Rahul Tiwari

Agenda

  • GSoC work:
    • Start by integrating the parsers into spdx-sbom-generator as a new command, maintaining backward compatibility.
    • Generate SBOMs from requirements.txt and package.json

06/21/2023

Attendees

  • Rahul Tiwari
  • Nisha Kumar
  • Maximilian Huber

Notetaker

  • Rahul Tiwari

Agenda

  • GSoC work:
    • Continue adding more unit tests for poetry
  • Discussion about integrating the parsers with the spdx-sbom-generator

Notes

  • Continue on unit tests.

06/14/2023

Attendees

  • Rahul Tiwari

Notetaker

  • Rahul Tiwari

Agenda

  • GSoC work:
    • Set up unit testing for poetry

Notes

  • Continue on unit tests.

06/07/2023

Attendees

  • Rahul Tiwari
  • Nisha Kumar
  • Adolfo García Veytia

Notetaker

  • Rahul Tiwari

Agenda

  • GSoC work:
    • Finalize the approach for unit tests for the poetry package manager.

Notes

  • Rahul to rethink and go bottom up for writing unit tests for poetry.

05/24/2023

Attendees

  • Rahul
  • Nisha

Agenda

Notes

  • Rahul to work on issue 57
  • Nisha to find out more about the cargo mocks

03/08/2023

Attendees

  • Adolfo García Veytia
  • Nisha Kumar
  • Ivana Atanasova
  • Rahul Tiwari

Notetaker

  • Nisha 🥇

Notes

  • Kubeflow is having trouble using spdx-sbom-generator with Python
    • Nisha: need to know which Python package manager they are using; some of the parsers are broken
  • Project Layout:
    • parsers will contain just parsers of files that exist on the filesystem.
    • We don't know whether any of the ecosystems require network calls to fetch package information; this needs to be investigated.
    • It was decided that functionality where we shell out to package managers or external tools exists in another project.
    • Conformance tests: we need specific test data to test expectations.
      • Nisha: testdata layout in npm PR works reasonably well.
  • Submission of sbom-composer to opensbom-generator org
    • Ivana will let others know when it's ready to be moved.
  • Welcome Rahul!

No attendees


11/23/2022

Attendees

  • Adolfo García Veytia

Notetaker

  • notetaker 🥇
  • backup notetaker 🥈

Agenda

  • Parsers Package and Plugin Model

Notes

No attendees


11/09/2022

Attendees

  • Adolfo
  • Nisha Kumar

Notetaker

  • Nisha 🥇
  • backup notetaker 🥈

Agenda

  • Parsers Package and Plugin Model

Notes

  • Decision:
    • Make parser functionality testable
    • Continue to use the current plugin and meta package

10/12/2022

Attendees

  • Adolfo
  • Nisha Kumar

Notetaker

  • Nisha 🥇
  • backup notetaker 🥈

Agenda

  • Manifest Parsers

Notes

  • Manifest parsers
    • Action: Nisha to make Adolfo maintainer of org and repo
    • Action: Adolfo creates "parser" repo
      • Before that, create a document on how this is structured.
    • Perhaps keep all parsers in this repo?
      • Ask Gary in the ACT call

09/28/2022

Attendees

  • attendees list

Notetaker

  • notetaker 🥇
  • backup notetaker 🥈

Agenda

Notes

  • So many tools!
    • Adolfo's ideas:
      • Pluggable model in bom: go package with some options and it will produce an SPDX object
      • SPDX generator: could reuse the language analyzers
    • We want to link this to some best practices
    • Universal lock file?
    • SBOM Guidance (to be presented in the OpenSSF Securing Repos WG): in order to produce an SBOM you need a lock file, for example go.mod/go.sum.
    • Use top level project metadata then add build metadata when invoking a build
    • Maybe also adding in-toto
    • Adolfo: most valuable use case is to generate a good quality SPDX SBOM
    • Example of bom's upcoming plugin model. As simple as:
      type PackageGenerator interface {
          Generate(interface{}) (*spdx.Package, error)
      }
