Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support multiple purl identifiers in product_identification_helper #781

Open
wants to merge 1 commit into
base: add-multiple-purls
Choose a base branch
from

Conversation

mprpic
Copy link
Contributor

@mprpic mprpic commented Aug 30, 2024

This allows a vendor to specify multiple purl identifiers for a single component (present as a product version branch in the product tree). Multiple purls may identify the same component but point to different locations from where that component may be available. Thus, it is mandatory that if multiple purls are present in a single
product_identification_helper object, they must only differ in their qualifiers. Otherwise they should be set up as different product tree branches.

Resolves #774

@mprpic mprpic changed the title Support multiple purl identifiers in product_identification_helper Draft: Support multiple purl identifiers in product_identification_helper Aug 30, 2024
@mprpic
Copy link
Contributor Author

mprpic commented Aug 30, 2024

I'm unsure how to modify the examples to get the final text to build. When I run the make command, I get:

$ make build
bin/volatile.py
detected local reference for acknowledgments-type-example-eg-1 in (The example [eg](#acknowledgments-type-example-eg-1) above SHOULD lead to the following outcome in a human-readable advisory:)
The example \[[1](#acknowledgments-type-example-eg-1)\] above SHOULD lead to the following outcome in a human-readable advisory:
Traceback (most recent call last):
  File "/[...]/csaf/csaf_2.1/prose/edit/bin/volatile.py", line 575, in <module>
    sys.exit(main(sys.argv[1:]))
             ^^^^^^^^^^^^^^^^^^
  File "/[...]/csaf/csaf_2.1/prose/edit/bin/volatile.py", line 461, in main
    global_example_num = eg_global_from[magic_label]
                         ~~~~~~~~~~~~~~^^^^^^^^^^^^^
KeyError: 'purl-eg-2'
make: *** [Makefile:4: build] Error 1

@mprpic mprpic force-pushed the add-multiple-purls branch from abefd8e to 757ee67 Compare August 30, 2024 19:05
@tschmidtb51
Copy link
Contributor

@mprpic Thank you for the Draft. I didn't had time yet to do a complete review but here are some quick comments:

  • The qualifier test should be a separate one. Also, we need to add
    • valid examples
    • invalid examples
  • The guidance on size needs to be adapted.
  • The editorial change should be separate from the feature change (thanks for catching it).
  • Rebase after Editor revision for TC meeting 2024-08-28 #784 is merged.

@mprpic mprpic force-pushed the add-multiple-purls branch 2 times, most recently from f6e7b8c to ec4efed Compare October 29, 2024 13:31
@mprpic
Copy link
Contributor Author

mprpic commented Oct 29, 2024

* [ ]  The qualifier test should be a separate one. Also, we need to add
  * [ ]  valid examples
  * [ ]  invalid examples

Ack, I can move it to its own section with examples. Do you care if the original one remains as is and a new one is added with the next test number, i.e. tests-01-mndtr-13-purl.md stays as is and a new tests-01-mndtr-35-purl-qualifiers.md is added? Or do I need to sort them next to each other and bump all tests by one?

* [ ]  The guidance on size needs to be adapted.

Done!

* [ ]  The editorial change should be separate from the feature change (thanks for catching it).

So that's any changes to files under csaf_2.1/prose? Are you saying those should go into a separate PR after the schema changes one is merged?

* [ ]  Rebase after [Editor revision for TC meeting 2024-08-28 #784](https://github.com/oasis-tcs/csaf/pull/784) is merged.

Done!

@tschmidtb51
Copy link
Contributor

tschmidtb51 commented Oct 29, 2024

Ack, I can move it to its own section with examples. Do you care if the original one remains as is and a new one is added with the next test number, i.e. tests-01-mndtr-13-purl.md stays as is and a new tests-01-mndtr-35-purl-qualifiers.md is added? Or do I need to sort them next to each other and bump all tests by one?

Please keep the old file as they were (except for correcting the structure that changed). The new test should be tests-01-mndtr-38-purl-qualifiers.md. (Other ones are already taken.) To add that to the generated document, it must be added in csaf_2.1/prose/edit/etc/bind.txt.

So that's any changes to files under csaf_2.1/prose? Are you saying those should go into a separate PR after the schema changes one is merged?

No. It was specific to the change of brackets (which then resulted in #787).
Note: The suggested change is actually wrong as we are taking about the schema not a specific instance.

Copy link
Contributor

@tschmidtb51 tschmidtb51 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please have a look at the suggested changes.

csaf_2.1/json_schema/csaf_json_schema.json Show resolved Hide resolved
csaf_2.1/prose/edit/src/guidance-on-size.md Show resolved Hide resolved
Comment on lines +244 to +246
List of purls (`purls`) of value type `array` with 1 or more items contains a list of package URL (purl) identifiers.
A purl is a `string` of 7 or more characters that meets the criteria of `pattern` (regular expression):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please make sure that aligns with other sections that use an array, e.g. remediations or notes.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure I understand. In what way should the text align with those other sections?

Copy link
Contributor

@sthagen sthagen Dec 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it does already (the text translation of the schema constraints into English prose)
... I compared the two text lines (245 and 246 of the new revision) to the notes section introductory prose.

@mprpic mprpic force-pushed the add-multiple-purls branch from ec4efed to 7380012 Compare December 3, 2024 19:15
This allows a vendor to specify multiple purl identifiers for a single
component (present as a product version branch in the product tree).
Multiple purls may identify the same component but point to different
locations from where that component may be available. Thus, it is mandatory
that if multiple purls are present in a single
product_identification_helper object, they must only differ in their
qualifiers. Otherwise they should be set up as different product
tree branches.
@mprpic mprpic force-pushed the add-multiple-purls branch from 7380012 to a6888cd Compare December 3, 2024 19:19
@mprpic mprpic changed the title Draft: Support multiple purl identifiers in product_identification_helper Support multiple purl identifiers in product_identification_helper Dec 3, 2024
Copy link
Contributor

@sthagen sthagen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. But, should we not target the current editorial branch editor-revision-2024-11-27 ?

Please retarget. ... and I will recreate the gap for your new tests-01-mndtr-38-... file to slot in. Thanks.

Update: The merge window for the editor revision of 2024-11-27 will close before this PR can be merged, so I retargeted to a feature branch instead. If approved and merged this change set will become part of the editor revision of December 2024 or later.

@sthagen sthagen changed the base branch from master to add-multiple-purls December 3, 2024 20:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support multiple purl identifiers in product_identification_helper
3 participants