
Add compliance policy for empty name and version #3257

Open
wants to merge 3 commits into base: main

Conversation

wagoodman
Contributor

@wagoodman wagoodman commented Sep 19, 2024

Adds a new compliance configuration to handle what to do when there is a missing name or version:

```yaml
compliance:
  # action to take when a package is missing a name (env: SYFT_COMPLIANCE_MISSING_NAME)
  missing-name: 'drop'

  # action to take when a package is missing a version (env: SYFT_COMPLIANCE_MISSING_VERSION)
  missing-version: 'stub'
```

Above are the default values, but the possible values a user can put in are:

  • keep, add a trace log but the non-compliant package is still added to the SBOM
  • drop, exclude the package from results, add a debug log
  • stub, replace the non-compliant empty value with UNKNOWN

Open questions:

  1. configuration-wise should this land within the pkgcataloging package? (instead of the cataloging package?)

Closes #2132
Closes #2652
Closes #2038
Closes #2039
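As an added illustration (not syft's own code from this PR), the keep/drop/stub policy described above expressed as a small Go program; the type and function names (`Action`, `Config`, `Package`, `Apply`) are hypothetical, and the sample packages in the test are constructed.

```go
package main

import "log"

// Action is one of the three policy values listed in the PR description.
type Action string

const (
	ActionKeep Action = "keep" // trace log, non-compliant package still added to the SBOM
	ActionDrop Action = "drop" // debug log, package excluded from results
	ActionStub Action = "stub" // empty value replaced with UNKNOWN
)
type Config struct { // mirrors the compliance block; hypothetical, not syft's own type
	MissingName    Action // missing-name
	MissingVersion Action // missing-version
}
// DefaultConfig matches the defaults shown in the PR description.
func DefaultConfig() Config { return Config{ActionDrop, ActionStub} }
type Package struct{ Name, Version string } // minimal stand-in for a catalogued package
// applyField returns the possibly stubbed value and whether the package survives.
func applyField(field, value string, action Action) (string, bool) {
	if value != "" {
		return value, true
	}
	switch action {
	case ActionDrop:
		log.Printf("debug: dropping package with empty %s", field)
		return value, false
	case ActionStub:
		log.Printf("trace: replacing empty %s with UNKNOWN", field)
		return "UNKNOWN", true
	}
	log.Printf("trace: keeping package with empty %s", field) // keep (also any unrecognised value)
	return value, true
}
// Apply enforces cfg over a package list: name is checked first, then version.
func Apply(cfg Config, pkgs []Package) []Package {
	out := []Package{}
	for _, p := range pkgs {
		name, ok := applyField("name", p.Name, cfg.MissingName)
		if !ok {
			continue
		}
		version, ok := applyField("version", p.Version, cfg.MissingVersion)
		if !ok {
			continue
		}
		out = append(out, Package{name, version})
	}
	return out
}
```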

@kzantow
Contributor

kzantow commented Sep 19, 2024

One observation: once the known-unknowns lands perhaps some of these options would go away / change? E.g. a user could surface something in the files section with something like:

```
/package.json
  unknowns: dropped package due to missing name
```


Signed-off-by: Alex Goodman <[email protected]>
@wagoodman wagoodman marked this pull request as ready for review September 19, 2024 20:54