sbp commented on code in PR #430:
URL: 
https://github.com/apache/tooling-trusted-releases/pull/430#discussion_r2635623996


##########
atr/tasks/sbom.py:
##########
@@ -145,31 +144,29 @@ async def osv_scan(args: FileArgs) -> results.Results | 
None:
     components = [results.OSVComponent(purl=v.ref, 
vulnerabilities=v.vulnerabilities) for v in vulnerabilities]
 
     new_full_path: str | None = None
-    if patch_ops:
-        sbom.utilities.record_task("osv-scan", args.revision_number, 
bundle.doc, patch_ops)
-        patch_data = sbom.utilities.patch_to_data(patch_ops)
-        merged = bundle.doc.patch(yyjson.Document(patch_data))
-        description = "SBOM vulnerability scan through web interface"
-        async with storage.write(args.asf_uid) as write:
-            wacp = await 
write.as_project_committee_participant(args.project_name)
-            async with wacp.revision.create_and_manage(
-                args.project_name, args.version_name, args.asf_uid or 
"unknown", description=description
-            ) as creating:
-                new_full_path = os.path.join(str(creating.interim_path), 
args.file_path)
-                # Write to the new revision
-                log.info(f"Writing updated SBOM to {new_full_path}")
-                await aiofiles.os.remove(new_full_path)
-                async with aiofiles.open(new_full_path, "w", encoding="utf-8") 
as f:
-                    await f.write(merged.dumps())
-
-            if creating.new is None:
-                raise RuntimeError("Internal error: New revision not found")
+    new_version, merged = sbom.utilities.apply_patch("osv-scan", 
args.revision_number, bundle, patch_ops)

Review Comment:
   Oh yeah, actually that does make sense entirely. "No vulnerabilities found" 
is of course a valid outcome worth recording in the SBOM! Let's leave it like 
this.


