alitheg commented on code in PR #430:
URL: 
https://github.com/apache/tooling-trusted-releases/pull/430#discussion_r2635456818


##########
atr/tasks/sbom.py:
##########
@@ -145,31 +144,29 @@ async def osv_scan(args: FileArgs) -> results.Results | 
None:
     components = [results.OSVComponent(purl=v.ref, 
vulnerabilities=v.vulnerabilities) for v in vulnerabilities]
 
     new_full_path: str | None = None
-    if patch_ops:
-        sbom.utilities.record_task("osv-scan", args.revision_number, 
bundle.doc, patch_ops)
-        patch_data = sbom.utilities.patch_to_data(patch_ops)
-        merged = bundle.doc.patch(yyjson.Document(patch_data))
-        description = "SBOM vulnerability scan through web interface"
-        async with storage.write(args.asf_uid) as write:
-            wacp = await 
write.as_project_committee_participant(args.project_name)
-            async with wacp.revision.create_and_manage(
-                args.project_name, args.version_name, args.asf_uid or 
"unknown", description=description
-            ) as creating:
-                new_full_path = os.path.join(str(creating.interim_path), 
args.file_path)
-                # Write to the new revision
-                log.info(f"Writing updated SBOM to {new_full_path}")
-                await aiofiles.os.remove(new_full_path)
-                async with aiofiles.open(new_full_path, "w", encoding="utf-8") 
as f:
-                    await f.write(merged.dumps())
-
-            if creating.new is None:
-                raise RuntimeError("Internal error: New revision not found")
+    new_version, merged = sbom.utilities.apply_patch("osv-scan", 
args.revision_number, bundle, patch_ops)

Review Comment:
   apply_patch will create its own patch_op to mark that it was carried out. In 
the case of an osv_scan, I wanted to indicate in the SBOM that a scan was 
carried out and found no vulnerabilities. In the case of the augment I left it 
guarded.
   
   However, there's a drawback: if you scan it again you'll get another revision with no content changes — but then you have done another scan and found nothing again, so recording it is arguably correct. Happy either way - what do you think?


