This is an automated email from the ASF dual-hosted git repository.

sbp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-release.git


The following commit(s) were added to refs/heads/main by this push:
     new 8d8cc39  Add CycloneDX JSON and XML files to the list of known 
artifact metadata
8d8cc39 is described below

commit 8d8cc39df3f8a2a2de6a4369917afb11580bc93e
Author: Sean B. Palmer <[email protected]>
AuthorDate: Fri Aug 29 16:23:15 2025 +0100

    Add CycloneDX JSON and XML files to the list of known artifact metadata
---
 atr/analysis.py           |  2 ++
 atr/tasks/checks/paths.py | 12 ++++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/atr/analysis.py b/atr/analysis.py
index 3526649..96c89c2 100755
--- a/atr/analysis.py
+++ b/atr/analysis.py
@@ -68,6 +68,8 @@ METADATA_SUFFIXES: Final[list[str]] = [
     "asc.sha1",
     "asc.sha256",
     "asc.sha512",
+    "cdx.json",
+    "cdx.xml",
     "sha512.asc",
     "sha512.md5",
     "sha512.sha1",
diff --git a/atr/tasks/checks/paths.py b/atr/tasks/checks/paths.py
index 76b7fcf..a79a53d 100644
--- a/atr/tasks/checks/paths.py
+++ b/atr/tasks/checks/paths.py
@@ -18,6 +18,7 @@
 import asyncio
 import pathlib
 import re
+from typing import Final
 
 import aiofiles.os
 
@@ -28,7 +29,14 @@ import atr.tasks.checks as checks
 import atr.user as user
 import atr.util as util
 
-_ALLOWED_TOP_LEVEL = {"CHANGES", "LICENSE", "NOTICE", "README"}
+_ALLOWED_TOP_LEVEL: Final = frozenset(
+    {
+        "CHANGES",
+        "LICENSE",
+        "NOTICE",
+        "README",
+    }
+)
 
 
 async def check(args: checks.FunctionArguments) -> results.Results | None:
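Review bot: `_ALLOWED_TOP_LEVEL: Final = frozenset(` uses a bare `Final`, while `METADATA_SUFFIXES` in atr/analysis.py is annotated `Final[list[str]]`. Writing `_ALLOWED_TOP_LEVEL: Final[frozenset[str]] = frozenset(` would keep the two constants consistent and make the element type explicit. The move to `frozenset` itself is sound, since it stops code in the module from mutating the allow-list by accident.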
@@ -147,7 +155,7 @@ async def _check_metadata_rules(
     # not be provided, unless named as indicated above." (RDP)
     # Also .mds is allowed, but we'll ignore that for now
     # TODO: Is .mds supported in analysis.METADATA_SUFFIXES?
-    if ext_metadata not in {".asc", ".sha256", ".sha512", ".md5", ".sha", 
".sha1"}:
+    if ext_metadata not in {".asc", ".cdx.json", ".sha256", ".sha512", ".md5", 
".sha", ".sha1"}:
         warnings.append("The use of this metadata file is discouraged")
 
     # Check whether the corresponding artifact exists
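Review bot: The allow-list in the new `if ext_metadata not in {...}` line gains `.cdx.json` but not `.cdx.xml`, although this commit adds both `cdx.json` and `cdx.xml` to `METADATA_SUFFIXES` in atr/analysis.py. If `ext_metadata` is derived from that list (the derivation is outside this hunk), a CycloneDX XML SBOM would still get the "The use of this metadata file is discouraged" warning, which nudges releasers away from shipping it. Suggest `if ext_metadata not in {".asc", ".cdx.json", ".cdx.xml", ".sha256", ".sha512", ".md5", ".sha", ".sha1"}:`. Deriving this set from one shared constant would be better still, so the two lists cannot drift. `_check_metadata_rules` starts and ends outside the hunk.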

