From 1946007a3efb36a57d9c3d3f5676e42aa91b87a1 Mon Sep 17 00:00:00 2001
From: Henri Rosten
Date: Mon, 20 Mar 2023 11:19:16 +0200
Subject: [PATCH] sbomnix: release v1.4.4

- repology_cli: fix a bug that caused repology package info to be ignored for some sbom input packages. The issue occurred if the package info had already been processed by an earlier repology query, but had not been included to the result collection.
- repology_cli: improve local version classification
- repology_cli: fix the url in user-agent
- nixgraph: match inverse regex against full store paths. Earlier match was done only against the package name. This change allows querying inverse graphs starting from specific nix store objects, discarding possible duplicate package names.
- sbomnix: fix usage example in `--help` output
- update nix flake lock file
- bump sbomnix version to v1.4.4

Signed-off-by: Henri Rosten
---
 default.nix | 2 +-
 flake.lock | 6 +++---
 nixgraph/graph.py | 4 ++--
 nixgraph/main.py | 4 ++--
 sbomnix/main.py | 4 +---
 scripts/repology/repology_cli.py | 22 ++++++++++++++++------
 6 files changed, 25 insertions(+), 17 deletions(-)

diff --git a/default.nix b/default.nix
index 46db7a9..1b393af 100644
--- a/default.nix
+++ b/default.nix
@@ -9,7 +9,7 @@ pythonPackages.buildPythonPackage rec {
 pname = "sbomnix";
- version = "1.4.3";
+ version = "1.4.4";
 format = "setuptools";
 src = ./.;
diff --git a/flake.lock b/flake.lock
index 2981955..f1104ff 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
 "nodes": {
 "nixpkgs": {
 "locked": {
- "lastModified": 1677407201,
- "narHash": "sha256-3blwdI9o1BAprkvlByHvtEm5HAIRn/XPjtcfiunpY7s=",
+ "lastModified": 1679172431,
+ "narHash": "sha256-XEh5gIt5otaUbEAPUY5DILUTyWe1goAyeqQtmwaFPyI=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "7f5639fa3b68054ca0b062866dc62b22c3f11505",
+ "rev": "1603d11595a232205f03d46e635d919d1e1ec5b9",
 "type": "github"
 },
 "original": {
diff --git a/nixgraph/graph.py b/nixgraph/graph.py
index a66469c..3745dba 100644
--- a/nixgraph/graph.py
+++ b/nixgraph/graph.py
@@ -91,8 +91,8 @@ def draw(self, start_path, args):
 if self.inverse_regex:
 # If inverse_regex is specified, draw the graph backwards starting
- # from nodes where src_pname matches the specified regex
- df = df_regex_filter(self.df, "src_pname", self.inverse_regex)
+ # from nodes where src_path matches the specified regex
+ df = df_regex_filter(self.df, "src_path", self.inverse_regex)
 for row in df.itertuples():
 inverse_path = row.src_path
 _LOG.debug("Start path inverse: %s", inverse_path)
diff --git a/nixgraph/main.py b/nixgraph/main.py
index 0449b13..60626b6 100755
--- a/nixgraph/main.py
+++ b/nixgraph/main.py
@@ -45,8 +45,8 @@ def getargs():
 parser.add_argument("--depth", help=helps, type=check_positive, default=1)
 helps = (
- "Draw inverse graph starting from nodes that match the specified "
- "regular expression"
+ "Draw inverse graph starting from node (path) names that match the "
+ "specified regular expression"
 )
 parser.add_argument("--inverse", help=helps)
diff --git a/sbomnix/main.py b/sbomnix/main.py
index 9e685fc..751e411 100755
--- a/sbomnix/main.py
+++ b/sbomnix/main.py
@@ -31,9 +31,7 @@ def getargs():
 "in NIX_PATH and "
 "writes SBOM file(s) as specified in output arguments."
 )
- epil = (
- "Example: sbomnix /path/to/derivation.drv --meta /path/to/meta.json --runtime"
- )
+ epil = "Example: sbomnix /path/to/nix/out --meta /path/to/meta.json"
 parser = argparse.ArgumentParser(description=desc, epilog=epil)
 helps = "Path to nix artifact, e.g.: derivation file or nix output path"
diff --git a/scripts/repology/repology_cli.py b/scripts/repology/repology_cli.py
index a33f9ef..17f8286 100755
--- a/scripts/repology/repology_cli.py
+++ b/scripts/repology/repology_cli.py
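Review bot: The pattern on the new `df_regex_filter(self.df, "src_path", self.inverse_regex)` line is now applied to the whole store path, and since every path starts with `/nix/store/<32-char hash>-`, an unanchored user pattern such as `ssl` can match inside the hash or the name prefix of an unrelated derivation and silently widen the inverse graph, which the old `src_pname` match could not do. Whether the filter anchors the pattern or does a substring search is decided in `df_regex_filter`, which is outside this hunk, so confirm there; if it is a substring search, either anchor the user's pattern on the name part or tell users to, e.g. `--inverse '/nix/store/[0-9a-z]{32}-openssl-3\.0\.8$'`. The `--inverse` help in the nixgraph/main.py hunk should then say what is matched: `"Draw inverse graph starting from nodes whose full store path matches the specified regular expression (unanchored; use ^ and $ to select a single path)"`. draw() continues outside the hunk.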
@@ -132,7 +132,7 @@ def __init__(self):
 # - Cache all responses locally for 3600 seconds
 self.session = CachedLimiterSession(per_second=1, expire_after=3600)
 ua_product = "repology_cli/0"
- ua_comment = "(https://github.com/tiiuae/sbomnix/scripts/repology)"
+ ua_comment = "(https://github.com/tiiuae/sbomnix/tree/main/scripts/repology)"
 self.headers = {"User-Agent": f"{ua_product} {ua_comment}"}
 def _packages_to_df(self, args, re_pkg_internal=None):
@@ -389,6 +389,7 @@ def _parse_pkg_search_resp(self, resp, repo, pkg_stop=None):
 self.pkgs_dict.setdefault("newest_upstream_release", []).append(
 ";".join(newest_releases)
 )
+ _LOG.log(LOG_SPAM, "Added: %s:%s:%s", pkg_name, ver, status)
 # API returns at most 200 projects per one request. If the number
 # or returned projects is 200, we know we need to make another
 # query starting from the last returned project, for more details,
@@ -490,6 +491,7 @@ def _query_sbom_cdx(self, args):
 pkg_id = f"{args.repository}:{cmp.name}"
 if pkg_id in self.processed:
 _LOG.debug("Package '%s' in sbom already processed", cmp.name)
+ self._packages_to_df(args, re_pkg_internal=cmp.name)
 continue
 if not cmp.version:
 self.pkgs_dict.setdefault("repo", []).append(args.repository)
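Review bot: The new `self._packages_to_df(args, re_pkg_internal=cmp.name)` line in the `_query_sbom_cdx` hunk passes a raw component name where the parameter name, and the `re_pkg_internal=None` signature visible in the first hunk, indicate a regular expression, so a name such as `g++` or `libstdc++` raises `re.error` (multiple repeat) and a name such as `zlib` or `python3.10` can select more than the intended package if the filter is an unanchored search. Escape and anchor it: `self._packages_to_df(args, re_pkg_internal=f"^{re.escape(cmp.name)}$")`; this assumes the pattern is applied as a full or anchored match inside `_packages_to_df`, whose body is outside this hunk, so check which `re` or pandas call it uses. `_query_sbom_cdx` begins before this hunk and continues past it.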
@@ -545,11 +547,19 @@ def _repo_row_classify(row):
 def _sbom_row_classify(row):
- if row.status in ["outdated", "devel", "unique"]:
- if version.parse(row.version_sbom) <= version.parse(row.version):
- return "sbom_pkg_needs_update"
- if row.status in ["newest"]:
- if version.parse(row.version_sbom) < version.parse(row.version):
+ if row.status == "outdated":
+ # If repo version is outdated, assume the local version must also
+ # be outdated
+ return "sbom_pkg_needs_update"
+ if row.status in ["devel", "unique", "newest"]:
+ # For devel, unique, and newest package versions, remove all execpt
+ # numbers and dots from the version strings to make the two version
+ # strings of the same package comparable with version.parse
+ re_ver = re.compile("[^0-9.]+")
+ ver_sbom = re_ver.sub(r"", row.version_sbom)
+ ver_repo = re_ver.sub(r"", row.version)
+ # If local version is smaller than repo version, classify accordingly
+ if version.parse(ver_sbom) < version.parse(ver_repo):
 return "sbom_pkg_needs_update"
 return ""
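Review bot: The `re_ver.sub(r"", ...)` stripping on the new `ver_sbom`/`ver_repo` lines can leave an empty string or a dangling dot (a `unique`/`devel` package versioned `unstable`, `git`, or `2.0.`), and `version.parse` — assuming this is `packaging.version` — then raises `InvalidVersion` on packaging 22 and later (older releases returned a `LegacyVersion`), so one odd version string aborts classification of the whole SBOM. Deleting rather than replacing the separators also fuses digit runs: `1.2.3-rc1` becomes `1.2.31` and compares newer than `1.2.3`, and `2023-03-20` becomes `20230320`. Replace non-version runs with a single dot, trim stray dots, skip rows where either side has no digits, and guard the parse; a pre-release suffix still sorts above its final release after this, so the comparison remains a heuristic and the comment should say so (the `execpt` typo in the added comment can go at the same time). The whole function is inside this hunk.
```python
def _comparable_version(ver_str):
    """Reduce ver_str to dot-separated digit runs; "" when it has none."""
    cleaned = re.sub(r"[^0-9.]+", ".", str(ver_str))
    return re.sub(r"\.{2,}", ".", cleaned).strip(".")


def _sbom_row_classify(row):
    # … unchanged: "outdated" branch …
    if row.status in ["devel", "unique", "newest"]:
        # Heuristic: separators become dots so "1.2.3-rc1" reads as
        # "1.2.3.1", not "1.2.31"; a pre-release suffix still sorts above
        # its final release, and a version without digits is not compared.
        ver_sbom = _comparable_version(row.version_sbom)
        ver_repo = _comparable_version(row.version)
        if not ver_sbom or not ver_repo:
            return ""
        try:
            if version.parse(ver_sbom) < version.parse(ver_repo):
                return "sbom_pkg_needs_update"
        except version.InvalidVersion:
            # Do not let one unparsable version abort the whole run
            return ""
    return ""
```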