
feat(materials): extract main component info from SPDX files#2984

Open
waveywaves wants to merge 2 commits intochainloop-dev:mainfrom
waveywaves:feat/spdx-main-component

Conversation

@waveywaves
Contributor

Summary

  • Extract main component information (name, version, kind) from SPDX JSON SBOM files, following the existing CycloneDX pattern
  • Use spdxlib.GetDescribedPackageIDs to identify the described package, then populate SBOMArtifact.MainComponent with the package's name, version, and lowercased PrimaryPackagePurpose
  • Standardize container image names via go-containerregistry (same as CycloneDX) and gracefully skip when no described package is found

Fixes #2580

Test plan

  • Existing SPDX tests continue to pass (no described package case handled gracefully)
  • New test case: SPDX with described APPLICATION package extracts name, version, kind
  • New test case: SPDX with described CONTAINER package standardizes image name
  • go vet passes cleanly
  • Full materials test suite passes

🤖 Generated with Claude Code
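The extraction flow the description lists (find the package the document DESCRIBES, take its name, version and lowercased primaryPackagePurpose, normalize the name when the purpose is CONTAINER, and skip when nothing is described), written out as an added stand-alone Go example. This is not chainloop's code and not the PR's diff: it uses only the standard library, so `describedPackageIDs` is a hand-written approximation of `spdxlib.GetDescribedPackageIDs`, `normalizeImageName` approximates go-containerregistry's default-registry and `library/` handling, the `MainComponent` struct and `ErrNoDescribedPackage` are assumed names, and `sampleSPDX` is a constructed document, not a real SBOM.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Minimal view of an SPDX 2.x JSON document: only the fields needed to find
// the described package. Field names follow the SPDX JSON schema.
type spdxDoc struct {
	SPDXID        string             `json:"SPDXID"`
	Packages      []spdxPackage      `json:"packages"`
	Relationships []spdxRelationship `json:"relationships"`
}

type spdxPackage struct {
	SPDXID                string `json:"SPDXID"`
	Name                  string `json:"name"`
	VersionInfo           string `json:"versionInfo"`
	PrimaryPackagePurpose string `json:"primaryPackagePurpose"`
}

type spdxRelationship struct {
	Element        string `json:"spdxElementId"`
	RelatedElement string `json:"relatedSpdxElement"`
	Type           string `json:"relationshipType"`
}

// MainComponent (assumed name) is the shape populated on the SBOM artifact.
type MainComponent struct {
	Name, Version, Kind string
}

// ErrNoDescribedPackage is the "skip gracefully" case: callers leave the
// main component empty instead of failing.
var ErrNoDescribedPackage = errors.New("spdx: document does not DESCRIBE any package")

// describedPackageIDs approximates spdxlib.GetDescribedPackageIDs (assumption:
// a single-package document describes that package; otherwise follow DESCRIBES
// edges from the document element and DESCRIBED_BY edges pointing back at it).
func describedPackageIDs(doc *spdxDoc) []string {
	if len(doc.Packages) == 1 {
		return []string{doc.Packages[0].SPDXID}
	}
	docID := doc.SPDXID
	if docID == "" {
		docID = "SPDXRef-DOCUMENT"
	}
	var ids []string
	for _, r := range doc.Relationships {
		switch {
		case r.Type == "DESCRIBES" && r.Element == docID:
			ids = append(ids, r.RelatedElement)
		case r.Type == "DESCRIBED_BY" && r.RelatedElement == docID:
			ids = append(ids, r.Element)
		}
	}
	return ids
}

// normalizeImageName mimics go-containerregistry's reference parsing for the
// common cases: default registry index.docker.io and implicit "library/" for
// official images. Assumption: tags/digests pass through and no tag is added.
func normalizeImageName(ref string) string {
	registry, repo := "index.docker.io", ref
	if i := strings.Index(ref, "/"); i > 0 {
		if first := ref[:i]; strings.ContainsAny(first, ".:") || first == "localhost" {
			registry, repo = first, ref[i+1:]
		}
	}
	if registry == "index.docker.io" || registry == "docker.io" {
		registry = "index.docker.io"
		if !strings.Contains(repo, "/") {
			repo = "library/" + repo
		}
	}
	return registry + "/" + repo
}

// ExtractMainComponent parses an SPDX JSON SBOM and returns its main component,
// or ErrNoDescribedPackage when nothing is described (or the edge dangles).
func ExtractMainComponent(raw []byte) (*MainComponent, error) {
	var doc spdxDoc
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, fmt.Errorf("parsing SPDX JSON: %w", err)
	}
	ids := describedPackageIDs(&doc)
	if len(ids) == 0 {
		return nil, ErrNoDescribedPackage
	}
	for _, p := range doc.Packages {
		if p.SPDXID != ids[0] {
			continue
		}
		mc := &MainComponent{Name: p.Name, Version: p.VersionInfo, Kind: strings.ToLower(p.PrimaryPackagePurpose)}
		if mc.Kind == "container" {
			mc.Name = normalizeImageName(mc.Name)
		}
		return mc, nil
	}
	return nil, ErrNoDescribedPackage
}

// Constructed sample: two packages, the document DESCRIBES the CONTAINER one.
const sampleSPDX = `{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"example",
 "packages":[
  {"SPDXID":"SPDXRef-Image","name":"nginx:1.25","versionInfo":"1.25","primaryPackagePurpose":"CONTAINER"},
  {"SPDXID":"SPDXRef-Lib","name":"zlib","versionInfo":"1.3","primaryPackagePurpose":"LIBRARY"}],
 "relationships":[
  {"spdxElementId":"SPDXRef-DOCUMENT","relatedSpdxElement":"SPDXRef-Image","relationshipType":"DESCRIBES"},
  {"spdxElementId":"SPDXRef-Image","relatedSpdxElement":"SPDXRef-Lib","relationshipType":"CONTAINS"}]}`

func main() {
	mc, err := ExtractMainComponent([]byte(sampleSPDX))
	if err != nil {
		fmt.Println("skipping main component:", err)
		return
	}
	fmt.Printf("%+v\n", *mc)
}
```

The dangling-edge branch matters in practice: generators sometimes emit a DESCRIBES relationship whose target was renamed or dropped, and treating that as "nothing described" keeps the attestation from failing on a metadata quirk, which is the same graceful-skip behaviour the description calls for.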

@waveywaves waveywaves force-pushed the feat/spdx-main-component branch 2 times, most recently from 143b790 to 76e2477 April 7, 2026 08:16
@waveywaves waveywaves marked this pull request as ready for review April 7, 2026 08:16

@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 5 files

@migmartri migmartri requested a review from javirln April 7, 2026 19:25
waveywaves and others added 2 commits April 8, 2026 15:50
Follow the CycloneDX pattern to extract and populate MainComponent in
SBOMArtifact for SPDX JSON materials. Uses spdxlib.GetDescribedPackageIDs
to find the described package, then extracts name, version, and kind
(PrimaryPackagePurpose). Container names are standardized via
go-containerregistry. Gracefully skips when no described package is found.

Fixes chainloop-dev#2580

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Vibhav Bobade <vibhav.bobde@gmail.com>

The Id field is deprecated in crafting_state.proto (kept only for
server-side compatibility). Remove the test assertion to fix the
SA1019 staticcheck lint failure.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Vibhav Bobade <vibhav.bobde@gmail.com>
@waveywaves waveywaves force-pushed the feat/spdx-main-component branch from 76e2477 to 9e0f4dc April 8, 2026 10:20
@waveywaves
Contributor Author

@jiparis Ready for review — GPG-signed and rebased. Extracts main component info from SPDX SBOMs (matching the existing CycloneDX behavior), issue #2977. Also fixed the SA1019 staticcheck lint for the deprecated Artifact.Id field.

Successfully merging this pull request may close these issues.

Include main component information from SPDX files