Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Additional updates for SBOM Support #97
Additional updates for SBOM Support #97
Changes from all commits
66f3e9f
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we make this private?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Technically yes. It makes testing much harder though because it's being used in build, so you have to set up and run the entire build to test it. Given what it's doing, I wanted to make sure the test coverage was solid so I opted to leave it public.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we make it internal then? I would prefer to reduce our support surface area in terms of the public api to things that are strictly necessary - it makes it easier to modify/update code without breaking dependents.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That is appearing to be difficult as well. We're using
libcnb.SBOMFormatFromString
from insideValidateSBOMFormats
which creates a import cycle, internal -> libcnb -> internal...If I move
SBOMFormatFromString
into internal as well, I then get more references to libcnb, so it's not clear about how to break that import cycle.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dmikusa-pivotal couldn't find a good way either. Ended up just making it private and testing it the long way in #98. If that looks good, let's merge it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we create a slice of all known sbom formats? That way we can just iterate over them.
This will also help with the validate sbom function where we can check the file suffix to match with the known formats. Lmk what you think.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds reasonable. Go question for you about this. How would you achieve this? I thought you couldn't have a const slice. I know I could define the strings as const and use them in the slice, maybe that's better? Is there a common pattern for doing something like this that you've seen? Thanks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I moved the strings to consts & used the consts in the array. I did a quick google search and const arrays/slices are not a thing, as far as I can tell, so I'm not sure we can do much more. If I'm missing something, which is totally possible, do let me know.
I thought about a global var, but I don't think using a global var would be good. I think that could potentially allow someone to modify the list, which wouldn't be desirable, IMHO.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://github.com/dmarkham/enumer looks like a good way to manage auto generation of all these methods.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That project looks interesting, but I don't see a way to do custom transformations (let me know if I'm missing something). If we were going from SomeConst and wanted the string representation to be
SomeConst
orsome_const
orsome-const
, it looks like we could use this. From what I see in the docs, there's no custom transformation to makeSomeConst
turn intosome.json
and vise versa, which is what we need.It also looks like it's generating a global var which would have the same limitation, someone could potentially mess with the list.
The lists are fairly small and shouldn't grow a ton over time. It seems like we could keep them hand-written and not take on too much burden, IMHO (adding dependencies for this functionality also has its own risks).
I'll acknowledge that there is some room for error with using the arrays to convert from enum to string, and a new type needs to be added. If you forget to update the arrays, you'll get a runtime panic. I could change that to use switch statements instead. It's more code, but when a type is added if you forget to update the conversion methods, you will end up with an unknown value instead of a runtime panic so it's a little safer. Would that be preferred?