asf-tooling commented on issue #938: URL: https://github.com/apache/tooling-trusted-releases/issues/938#issuecomment-4409952251
<!-- gofannon-issue-triage-bot v2 -->
**Automated triage** — analyzed at `main@2da7807a`
**Type:** `discussion` • **Classification:** `no_action` • **Confidence:** `high`
**Application domain(s):** `distribution_tracking`, `sbom_analysis`, `automated_checks`

### Summary

This issue is a collaboration proposal from the Erlang Ecosystem Foundation ([email protected]) discussing multiple areas of potential integration between ATR and the Erlang/Elixir ecosystem: SBOM generation (rebar3_sbom, mix_sbom), vulnerability handling (EEF CNA), trusted publishing (Hex.pm - not yet ready), and source analysis (ORT). It's not a single actionable feature request but rather an open-ended discussion about community alignment. A key blocker is that trusted publishing for Hex.pm doesn't exist yet (hexpm/hexpm#1193 is in progress upstream).

### Where this lives in the code today

#### `atr/shared/distribution.py` — `DistributionPlatform` (lines 78-102) _extension point_

This enum defines supported distribution platforms - Hex.pm would need to be added here when ready.

```python
import enum

# `sql` is the project's SQL model module, imported at the top of this file in ATR.


class DistributionPlatform(enum.Enum):
    """Wrapper enum for distribution platforms."""

    ARTIFACT_HUB = "Artifact Hub"
    DOCKER_HUB = "Docker Hub"
    MAVEN = "Maven Central"
    NPM = "npm"
    NPM_SCOPED = "npm (scoped)"
    PYPI = "PyPI"

    def to_sql(self) -> sql.DistributionPlatform:
        """Convert to SQL enum."""
        match self:
            case DistributionPlatform.ARTIFACT_HUB:
                return sql.DistributionPlatform.ARTIFACT_HUB
            case DistributionPlatform.DOCKER_HUB:
                return sql.DistributionPlatform.DOCKER_HUB
            case DistributionPlatform.MAVEN:
                return sql.DistributionPlatform.MAVEN
            case DistributionPlatform.NPM:
                return sql.DistributionPlatform.NPM
            case DistributionPlatform.NPM_SCOPED:
                return sql.DistributionPlatform.NPM_SCOPED
            case DistributionPlatform.PYPI:
                return sql.DistributionPlatform.PYPI
```

#### `atr/shared/distribution.py` — `distribution_upload_date` (lines 186-197) _extension point_

This function would need a new case for Hex.pm to extract the upload date from the Hex.pm API response.

```python
def distribution_upload_date(  # noqa: C901
    platform: sql.DistributionPlatform,
    data: basic.JSON,
    version_key: safe.VersionKey,
) -> datetime.datetime | None:
    version = str(version_key)
    match platform:
        case sql.DistributionPlatform.ARTIFACT_HUB:
            ...
        case sql.DistributionPlatform.PYPI:
            ...
    raise NotImplementedError(f"Platform {platform.name} is not yet supported")
```

### Where new code would go

- `atr/models/distribution.py` — after existing response models
  A HexResponse model would be needed to parse the Hex.pm API response format.
- `atr/shared/distribution.py` — after DistributionPlatform enum
  HEX entry would be added to the DistributionPlatform enum and corresponding to_sql/from_sql methods.

### Proposed approach

This issue is currently a discussion/collaboration proposal rather than an actionable feature request. Several areas are identified:

1. **Already supported**: EEF CNA vulnerabilities are recognized in the OSV source database names. CycloneDX SBOMs from rebar3_sbom/mix_sbom should work with the existing SBOM pipeline since ATR already handles CycloneDX format.
2. **Straightforward when ready**: Adding Hex.pm as a distribution platform (similar to PyPI/npm) requires adding enum values, API URL templates, response models, and upload date extraction logic. However, this is blocked on trusted publishing support in Hex.pm (hexpm/hexpm#1193).
3. **Potential quick wins**: Adding `pkg:hex/` to KNOWN_PURL_SUPPLIERS or KNOWN_PURL_PREFIXES for supplier detection in SBOM conformance checking.

No immediate code changes should be made until the scope is clarified with the EEF collaborators and the Hex.pm trusted publishing dependency is resolved.

### Open questions

- What is the Hex.pm API format for querying package versions and upload dates? Needed to implement the distribution platform integration.
- Should pkg:hex/ purls map to 'Erlang Ecosystem Foundation' as supplier in SBOM conformance?
- Is hexpm/hexpm#1193 (trusted publishing) a hard prerequisite for adding Hex.pm as a distribution channel, or can manual recording be supported first?
- Does CouchDB's rebar3_sbom/mix_sbom output conform to what ATR expects from CycloneDX SBOMs (spec version, required fields)?
- What is the scope of this issue - just Hex.pm distribution channel, or the full collaboration across SBOM/CNA/trusted publishing?

_The agent reviewed this issue and is not proposing patches in this run. Review the existing-code citations and open questions above before deciding next steps._

### Files examined

- `atr/tasks/sbom.py`
- `atr/sbom/__init__.py`
- `atr/sbom/cli.py`
- `atr/sbom/conformance.py`
- `atr/sbom/constants/conformance.py`
- `atr/sbom/osv.py`
- `atr/shared/distribution.py`
- `atr/storage/writers/distributions.py`

---

*Draft from a triage agent. A human reviewer should validate before merging any change. The agent did not run tests or verify diffs apply.*

-- This is an automated message from the Apache Git Service.
