Report Yarn v3/v4 patches as pedigree rather than components #784
+349
−100
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Taylor Madore <[email protected]>
In yarn v4, optional, builtin patches are now denoted with the prefix `optional!`. Handle this in addition to the yarn v3 prefix for the same Signed-off-by: Taylor Madore <[email protected]>
Adds an optional Pedigree for the Component model according to: https://cyclonedx.org/docs/1.6/json/#components_items_pedigree_patches For the PatchDiff model, provide a URL but not a text diff in the SBOM since it is not required by the schema. Signed-off-by: Taylor Madore <[email protected]>
Instead of reporting yarn patches as independent Components in the SBOM, report them instead as Pedigree for the parent, non-patch Component. Yarn has the concept of "builtin" patches that are applied by yarn itself to make certain features of yarn work. These are currently ignored and not reported. Signed-off-by: Taylor Madore <[email protected]>
taylormadore
commented
Jan 13, 2025
| @@ -28,6 +28,25 @@ class ExternalReference(pydantic.BaseModel): | |||
| type: Literal["distribution"] = "distribution" | |||
|
|
|||
|
|
|||
| class PatchDiff(pydantic.BaseModel): | |||
There was a problem hiding this comment.
The CycloneDX schema offers the option of a text diff for the patch, but it is not required. I opted not to include so as not to clutter the SBOM. Let me know if you disagree.
| """Map locators for dependencies that get patched to their Pedigree.""" | ||
| pedigree_mapping: dict[Locator, Pedigree] = {} | ||
| for patch_locator in patch_locators: | ||
| # Filter out builtin patches |
There was a problem hiding this comment.
Builtin patches are applied by Yarn itself and tied to a specific version of Yarn. They are used to make certain features of the package manager work correctly: example.
Do we want to report these?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Yarn has a
patchprotocol for the package patching feature. Patches should not be reported as independent Components in the SBOM, but should instead be reported as pedigree for the patched "regular" package Component.Maintainers will complete the following section
Note: if the contribution is external (not from an organization member), the CI
pipeline will not run automatically. After verifying that the CI is safe to run:
/ok-to-test(as is the standard for Pipelines as Code)