INTPYTHON-821 Add workflow to update SBOM #451
Conversation
timgraham
changed the title
|
Need to update this to use cyclonedx-py plugin instead. Will move to ready review once finish. |
|
You write that "This triggers on changes to any of the requirements and toml files on the master branch.", however, it's also obsoleted whenever a new version of pymongo or Django is released that matches the requirements. For example, we have the dependency "django>=5.2,<6.0" and generally a new version of Django 5.2.x is released each month. Does the SBOM need to be updated each time? |
| paths: | ||
| - 'pyproject.toml' | ||
| - 'requirements.txt' |
There was a problem hiding this comment.
It's possible for these files to have changes that don't involve any dependency changes. Is there logic in this job that prevents a PR from being opened in this case? (I guess GitHub may disallow a PR with no changes, or possibly it would be closed immediately; just want to confirm.)
There was a problem hiding this comment.
I'm not sure myself, but I would say that if it:
- Has no changes, it wouldn't populate
- Does make a new one, we just close it. The SBOM generation matters most right before we push a release.
There was a problem hiding this comment.
Depending on the answer to #451 (comment), it might be better to simply make this part of the pre-release process.
There was a problem hiding this comment.
If the file changes at all, it will trigger the action to run and make an sbom PR. you'd just see the dates/metadata of the sbom.json to be changed. In that scenario the team can just close the PR.
Our team does require that the master branch have an up-to-date sbom for tracking. I can definitely add the logic if you think it's worth the extra step (actions will still get ran regardless, but we'd just compare the sbom files to see if any components actually got changed)
There was a problem hiding this comment.
If it's straightforward, I think it would be valuable to avoid useless PRs, especially if this script has to be applied to many repositories.
There was a problem hiding this comment.
And incidentally, we don't have any dependencies in pyproject.toml (besides the optional ones for building the docs which your script doesn't install, so won't be detected anyway) so do we need to have this job watch that file?
There was a problem hiding this comment.
pyproject.toml stores the info for the actual django-mngodb-backend. Changes to meta data will be reflected into sbom (description, versions, etc). With the new check for component diff check, this should solve the false positive change issue if you're modifying something that won't update the sbom.
There was a problem hiding this comment.
Just to clarify: we do have dependencies in pyproject.toml. The fact that pyproject.toml is configured to read requirements.txt via tool.hatch.metadata.hooks.requirements_txt is an implementation detail. In fact, we may want to consider moving those dependencies to pyproject.toml and removing requirements.txt because we have so few dependencies and don't really need a separate file to list them.
There was a problem hiding this comment.
@thanhnguyen-mdb FYI, see what pymongo did: mongodb/mongo-python-driver#2647 removing pyproject.toml from the watched paths). If I understand correctly, maybe it would have been better to use the alternative approach you implemented here (although I'm not sure if there's any practical difference).
The SBOM doesn't become stale when new patch versions are released. The SBOM captures the minimum required versions from the dependency ranges in requirements.txt (e.g., Django 5.2 from django>=5.2,<6.0), not whatever latest version happens to be available. The workflow triggers only when dependency specifications actually change in the requirements files (based on what runtime users would install). When release branches are cut, it should automatically snapshot the sbom.json from main at that point in time, which ships with that release. It does become stale in release branch if you are making one off requirements change in those branch though if that's what you're referring to? If that's the case then those branch sbom would need to be updated as well. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
This doesn't seem true. In thanhnguyen-mdb#4, I see a refernce to "Django==5.2.8" which was the latest Django release at the time that job ran.
You'll have to explain more about how this works. Our release process doesn't use release branches. Currently, the main branch corresponds to Django MongoDB Backend 5.2.x which works with Django 5.2.x. We have for older versions, e.g. the 5.1.x corresponds to Django MongoDB Backend 5.1.x and Django 5.1.x. |
Sorry, got info a bit mixed up. It's the minimum version/installed version when a user runs pip install -r requirements.txt (runtime version for their python version).
Ah that makes more sense then! If I make it trigger a PR on master/release branch (5.1.x, etc), would that suffice then? This would be a bit more PR but will keep all branch updated. Welcome to suggestions here. I'll add extra logic to avoid false positive PR in the meantime. |
|
Here's how I foresee this script working:
It seems very arbitrary to make these sort of updates based on when changes to these files are made. Do you see my point? |
It doesn't seem correct. An update to the dependencies on the main branch doesn't mean they changed on other branches. |
|
@timgraham I've added in the update as discuss yesterday. Will now only do PRs if the sbom content actually changes by using cyclondx-cli tool diff options on components. See here for a test run in my fork: I've also tested on a diff branch trigger to make sure PR submits to that branch: thanhnguyen-mdb#9 This PR only has main for now. Please add new release versions to it that you want to track later. Let me know if you need any other changes |
timgraham
changed the title
| on: | ||
| workflow_dispatch: {} | ||
| push: | ||
| branches: ['main', '5.2.x'] |
There was a problem hiding this comment.
I added the 5.2.x branch here, but I'm not sure if it works correctly. Will the job checkout this branch and send the PR to it?
4 participants
INTPYTHON-821
Summary
Added in Github action workflow for SBOM automation. This triggers on changes to any of the requirements and toml files on the master branch. A new branch will be created for the PR and closed on merge.
Sample PR for the SBOM: thanhnguyen-mdb#4
Changes in this PR
New sbom.yml file for the Github action workflow
Testing Plan
Tested through Github Action triggers
Checklist
Checklist for Author
Checklist for Reviewer {@primary_reviewer}