[SBOM] Drop support for cyclonedx-python-lib v4 #89
Conversation
There was a problem hiding this comment.
This looks good, thanks for the contribution.
I'd like to ask if there are strong reasons to provide support for version 3. Maybe we can jump directly to support version 5 only, and simplify things? I guess that cyclonedx community is also moving forward, tooling, etc, will be supporting the latest versions, so we can move forward without issues and drop 3 support?
The GitHub Workflow for the Conan extensions works with python 3.6, and there only v3 is supported. I was surprised by the usage of such an old python version when I wrote the first version of the extension: #66 (comment) |
| component.external_references.add(ExternalReference( | ||
| type=ExternalReferenceType.WEBSITE, # noqa | ||
| url=XsUri(node.conanfile.homepage), | ||
| )) # noqa | ||
| return component | ||
|
|
||
| def me_as_tool() -> Tool: | ||
| tool = Tool(name="conan extension recipe:create-sbom") | ||
| if cyclonedx_major_version_is_4(): | ||
| tool = Tool(name="conan extension sbom:cyclonedx") |
There was a problem hiding this comment.
this change of the route - is a breaking change, right?
... even though it was already documented as the "new" value in the README.
There was a problem hiding this comment.
I am not sure what you mean by "route". I just stumbled across this outdated tool name. Something that I overlooked in #66. Should we keep it as it was?
It is true that Conan itself still supports Python 3.6, this is our backward and stability commitment. If this is important and allows to simplify things and have a cleaner and simpler integration, I think we can increase the Python version requirement, and use something newer to test it. What minimum Python version would be necessary for version 5? |
Python 3.8, https://pypi.org/project/cyclonedx-python-lib/ |
|
I would then drop the support for v3 of cyclonedx-python-lib completely |
|
|
|
What do we do here? Wait for minimum Python 3.8, or continue with supporting two different versions of |
I think we should be able to require Python 3.8 in the CI of this repo so this can be tested, and the extension could have a check for minimum Python version to give a good error in case some user tries to use it with older Python versions. But I need to discuss this with the team and get feedback, sorry I haven't been able to do this yet, I'll do it as soon as possible. |
|
I'd like to ping here 😸 |
Hi @hedtke, I have just update the python version the CI runs to 3.8, so you can update the PR accordingly and add a warning to the extension and check for minimum Python version in the extension to give a good error in case some user tries to use it with older Python versions. |
|
Sorry, it took me a while to continue here. Ready for the next review round. Support for cyclonedx-python-lib v4 dropped and Python 3.8 now required |
| def package_type_to_component_type(pt: str) -> ComponentType: | ||
| return ComponentType.APPLICATION if pt == "application" else ComponentType.LIBRARY | ||
|
|
||
| def licenses(ls: Optional[Union[Tuple[str, ...], Set[str], List[str], str]]) -> Optional[Iterable[LicenseChoice]]: | ||
| def licenses(ls: Optional[Union[Tuple[str, ...], Set[str], List[str], str]]): |
There was a problem hiding this comment.
where is the return type hint gone?
There was a problem hiding this comment.
I had to drop it when we supported v3 and v5 which returned different things. I re-added them
| return [LicenseChoice(license=LicenseFactory().make_from_string(i)) for i in ls] # noqa | ||
| else: | ||
| return [LicenseChoice(license_=LicenseFactory().make_from_string(i)) for i in ls] | ||
| return [LicenseFactory().make_from_string(i) for i in ls] # noqa |
There was a problem hiding this comment.
why is that # noqa needed?
There was a problem hiding this comment.
sorry, they were required when parts of the code were not tested in the CI, I dropped it
| ) | ||
| if node.conanfile.homepage and cyclonedx_major_version_is_4(): # bug in cyclonedx 3 enforces hashes | ||
| component = Component( | ||
| type=package_type_to_component_type(node.conanfile.package_type), # noqa |
There was a problem hiding this comment.
why uis this # noqa needed?
There was a problem hiding this comment.
sorry, they were required when parts of the code were not tested in the CI, I dropped it
Co-authored-by: Carlos Zoido <[email protected]>
* Add conan-recipes * Add generate conan sboms for zenoh-c and zenoh-cpp * fix: Conan SBOM filename * feat: Support zenoh-pico * fix: Update zenoh-recipes submodule * chore: Rerun workflows * chore: Rerun workflows (again) * fix: Update cyclonedx-python-lib requirement See conan-io/conan-extensions#89. * fix: Autodetect Conan profile * fix: Collapse path to Conan SBOMs * fix: Handle error from `conan profile detect` --------- Co-authored-by: Mahmoud Mazouz <[email protected]>
This PR drops support for cyclonedx-python-lib v4 as dependency track cannot parse the resulting XML. We now support only v5.
New XML was tested with dependency track v4.9.1 and it works now
fixes #88