Report Yarn v3/v4 patches as pedigree rather than components #784
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
taylormadore
commented
Jan 13, 2025
eskultety
reviewed
Jan 16, 2025
taylormadore
force-pushed
the
yarn-patches
branch
2 times, most recently
from
011244f to
d277261
Compare
eskultety
reviewed
Jan 22, 2025
brunoapimentel
approved these changes
Jan 22, 2025
eskultety
reviewed
Jan 23, 2025
eskultety
approved these changes
Jan 23, 2025
taylormadore
force-pushed
the
yarn-patches
branch
from
d277261 to
37b9ef7
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Signed-off-by: Taylor Madore <[email protected]>
In yarn v4, optional, builtin patches are now denoted with the prefix `optional!`. Handle this in addition to the yarn v3 prefix for the same Signed-off-by: Taylor Madore <[email protected]>
Adds an optional Pedigree for the Component model according to: https://cyclonedx.org/docs/1.6/json/#components_items_pedigree_patches For the PatchDiff model, provide a URL but not a text diff in the SBOM since it is not required by the schema. Signed-off-by: Taylor Madore <[email protected]>
Instead of reporting yarn patches as independent Components in the SBOM, report them instead as Pedigree for the parent, non-patch Component. This uses the Pedigree model of SBOM Components, which was implemented in accordance with: https://cyclonedx.org/docs/1.6/json/#components_items_pedigree_patches Yarn has the concept of "builtin" patches that are applied by yarn itself to make certain features of yarn work. These are reported out of the Yarn source repository for currently known patches from the compat plugin. Signed-off-by: Taylor Madore <[email protected]>
taylormadore
force-pushed
the
yarn-patches
branch
from
37b9ef7 to
f9f4502
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Yarn has a
patchprotocol for the package patching feature. Patches should not be reported as independent Components in the SBOM, but should instead be reported as pedigree for the patched "regular" package Component.Maintainers will complete the following section
Note: if the contribution is external (not from an organization member), the CI
pipeline will not run automatically. After verifying that the CI is safe to run:
/ok-to-test(as is the standard for Pipelines as Code)