
Conversation

@spoorcc
Contributor

@spoorcc spoorcc commented Jan 1, 2026

Summary by CodeRabbit

  • New Features
    • Automated SBOM generation is now integrated into the build pipeline; versioned CycloneDX JSON SBOMs are produced as part of releases.
  • Chores
    • CI updated to include SBOM JSON files with binary release artifacts.
    • Repository ignore rules updated so generated SBOM JSON files are not tracked in source control.


@coderabbitai

coderabbitai bot commented Jan 1, 2026

📝 Walkthrough

Walkthrough

Adds CycloneDX SBOM generation: a new script creates a JSON SBOM using a temporary virtualenv; CI runs that script during the build and uploads *.cdx.json artifacts; pyproject.toml adds SBOM deps and .gitignore ignores generated SBOM files.

Changes

Cohort / File(s) | Summary
CI/CD & Build: /.github/workflows/build.yml | Invoke script/create_sbom.py during the Create binary step and expand the artifact upload glob to include *.cdx.json.
Project config: pyproject.toml (two locations) | Add SBOM extras/dependency entry (sbom = ["cyclonedx-bom==7.2.1"]) to project metadata.
VCS ignores: /.gitignore | Add *.cdx.json to ignore generated SBOM files.
SBOM generation script: script/create_sbom.py | New script that creates a temporary venv, installs the project with the [sbom] extras, runs cyclonedx_py to emit a versioned JSON SBOM, logs the output, and cleans up the venv.

Sequence Diagram

sequenceDiagram
    autonumber
    participant CI as CI Workflow
    participant Script as script/create_sbom.py
    participant Venv as Temporary Venv
    participant Pip as pip (in venv)
    participant CycloneDX as cyclonedx_py
    participant Artifacts as SBOM (*.cdx.json)

    CI->>Script: run create_sbom.py
    Script->>Venv: create temporary venv
    Script->>Pip: pip install project[ sbom ] (in venv)
    Pip-->>Script: deps installed
    Script->>CycloneDX: run cyclonedx_py to generate SBOM
    CycloneDX->>Artifacts: write versioned .cdx.json
    Script->>Venv: remove temporary venv
    Script-->>CI: exit (SBOM ready for upload)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐇 I hopped in a venv, tidy and small,
I piped up the deps and answered the call,
CycloneDX spun and wrote JSON bright,
A tiny .cdx.json gleamed in the night,
Build whiskers twitch — the SBOM’s all right.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'Generate-sbom' directly relates to the main change: implementing SBOM (Software Bill of Materials) generation functionality for the dfetch tool.
Docstring Coverage | ✅ Passed | Docstring coverage is 100.00%, which is sufficient. The required threshold is 80.00%.

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 846e410 and 129da0f.

📒 Files selected for processing (1)
  • script/create_sbom.py
🚧 Files skipped from review as they are similar to previous changes (1)
  • script/create_sbom.py
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (19)
  • GitHub Check: Publish Python distribution 📦 to TestPyPI
  • GitHub Check: Codacy Static Code Analysis
  • GitHub Check: test
  • GitHub Check: test (windows-latest, 3.14)
  • GitHub Check: test (windows-latest, 3.12)
  • GitHub Check: test (macos-latest, 3.14)
  • GitHub Check: test (windows-latest, 3.10)
  • GitHub Check: test (windows-latest, 3.13)
  • GitHub Check: test (windows-latest, 3.9)
  • GitHub Check: test (macos-latest, 3.12)
  • GitHub Check: test (ubuntu-latest, 3.10)
  • GitHub Check: test (macos-latest, 3.9)
  • GitHub Check: test (ubuntu-latest, 3.9)
  • GitHub Check: test (ubuntu-latest, 3.12)
  • GitHub Check: test-cygwin
  • GitHub Check: build (macos-latest)
  • GitHub Check: build (ubuntu-latest)
  • GitHub Check: build (windows-latest)
  • GitHub Check: DevContainer Build & Test


@spoorcc spoorcc marked this pull request as ready for review January 1, 2026 16:42

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (2)
script/create_sbom.py (2)

11-11: Clarify the version import location.

The __version__ import occurs before dfetch is installed in the temporary virtual environment (Line 38). This means the version is read from the host environment rather than from the package being built in the temporary venv. While this is likely intentional (to capture the version of the code under build), it could be confusing to future maintainers.

Consider adding a comment explaining this design choice:

+# Import version from host environment (the code being built)
+# before creating the temporary venv for SBOM generation
 from dfetch import __version__
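Review bot: the comment explains where `__version__` comes from but not the consequence: in this hunk the host interpreter's `dfetch` is imported before the temporary venv exists, so the version label on the SBOM and the components listed inside the SBOM come from two different environments. State in the comment that they agree only when the script runs from the checkout being built (the build workflow installs dependencies before this step), and that an `ImportError` here is the intended failure mode rather than something to catch, since an unlabelled SBOM would be worse than a failed build.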

37-43: Consider enhancing error visibility.

The subprocess calls use check_call, which will raise an exception on failure but doesn't capture output for debugging. If the SBOM generation fails in CI, diagnosing the issue might be difficult.

🔎 Optional improvements for better error visibility
 with temporary_venv() as python:
+    logging.info(f"Installing dependencies: {DEPS}")
-    subprocess.check_call([python, "-m", "pip", "install", DEPS])  # nosec
+    subprocess.check_call(
+        [python, "-m", "pip", "install", DEPS],
+        stdout=sys.stdout,
+        stderr=sys.stderr
+    )  # nosec
+    
+    logging.info(f"Generating SBOM to {OUTPUT_FILE}")
-    subprocess.check_call(  # nosec
+    subprocess.check_call(
         [python, "-m", "cyclonedx_py", "environment", "-o", str(OUTPUT_FILE)],
+        stdout=sys.stdout,
+        stderr=sys.stderr
-    )
+    )  # nosec

 logging.info(f"SBOM generated at {OUTPUT_FILE}")
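Review bot: `sys.stdout` and `sys.stderr` are referenced in the added keyword arguments but no `import sys` appears in the hunk, so unless the script already imports `sys` the first call raises `NameError`. More importantly the change captures nothing: passing the parent's own streams is what `subprocess` already does when `stdout`/`stderr` are omitted, so the CI log looks the same before and after. To make a failed `pip install` or `cyclonedx_py` run diagnosable, use `subprocess.run([...], capture_output=True, text=True, check=True)` and log `exc.stdout` and `exc.stderr` from the `CalledProcessError` handler before re-raising. Two smaller points: the `# nosec` marker moves from the `subprocess.check_call(` line to the closing `)`, so confirm the project's Bandit version still applies it to the multi-line call, and the added blank line `+    ` carries trailing whitespace.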
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d8546f0 and 9788a02.

📒 Files selected for processing (4)
  • .github/workflows/build.yml
  • .gitignore
  • pyproject.toml
  • script/create_sbom.py
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-12-25T23:53:05.742Z
Learnt from: spoorcc
Repo: dfetch-org/dfetch PR: 861
File: .github/workflows/build.yml:120-125
Timestamp: 2025-12-25T23:53:05.742Z
Learning: When building macOS PKG installers with fpm in CI, account for the known issue (fpm #1996) where --prefix can be duplicated (e.g., /opt/dfetch becomes /opt/dfetch/opt/dfetch). In the workflow at .github/workflows/build.yml, verify install paths and PATH entries do not assume a single-prefix layout. Adjust packaging scripts or fpm arguments to normalize the final install location and update PATH references accordingly. Add a test step to validate the expected runtime paths after installation.

Applied to files:

  • .github/workflows/build.yml
🧬 Code graph analysis (1)
script/create_sbom.py (1)
features/environment.py (1)
  • tmpdir (12-24)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: Codacy Static Code Analysis
  • GitHub Check: test (windows-latest, 3.10)
  • GitHub Check: test (windows-latest, 3.12)
  • GitHub Check: build (windows-latest)
  • GitHub Check: build (ubuntu-latest)
  • GitHub Check: test-cygwin
  • GitHub Check: DevContainer Build & Test
🔇 Additional comments (5)
.gitignore (1)

15-15: LGTM!

The ignore pattern correctly excludes generated CycloneDX SBOM files from version control.

script/create_sbom.py (1)

21-35: LGTM!

The temporary virtual environment implementation is clean and handles platform differences correctly. The context manager pattern ensures proper cleanup.

.github/workflows/build.yml (2)

83-83: LGTM!

The SBOM generation is correctly integrated into the build workflow. It runs after dependencies are installed but before the binary is created, which is appropriate timing.


96-96: LGTM!

The artifact upload pattern correctly includes the generated SBOM files (*.cdx.json) alongside the platform-specific packages.

pyproject.toml (1)

108-108: No action needed—cyclonedx-bom version 7.2.1 is valid and current.

Version 7.2.1 is the latest release on PyPI (released October 29, 2025) with no known security vulnerabilities. The pinned version is appropriate.
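An added check for the SBOM the script emits, not code from this PR or the dfetch project: it verifies that the document's root component matches the name and version the script imported on the host (the point of the first nitpick above) and that every component carries a purl, so a mislabelled or unresolvable SBOM fails the build instead of shipping as a release artifact. The sample SBOM document is constructed; the expected name and version are assumed parameters.

```python
import json
from typing import Any, Dict, List

# Constructed sample of a CycloneDX JSON SBOM in the shape `cyclonedx_py environment`
# emits; it is NOT a real dfetch SBOM. The second component deliberately lacks a purl.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "dfetch", "version": "0.10.0"}},
    "components": [
        {"type": "library", "name": "pyyaml", "version": "6.0.2", "purl": "pkg:pypi/pyyaml@6.0.2"},
        {"type": "library", "name": "untracked-dep", "version": "1.0"},
    ],
})


def check_sbom(raw: str, expected_name: str, expected_version: str) -> List[str]:
    """Check an SBOM document; return findings (an empty list means it passes).

    expected_version is the value the generating script took from the host
    (its `from dfetch import __version__`), so a mismatch here means the SBOM
    describes a different build than its file name claims.
    """
    findings: List[str] = []
    bom: Dict[str, Any] = json.loads(raw)
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("not a CycloneDX document")
    # The root component names what the SBOM is about; cyclonedx_py only fills it
    # in when told about the project, so treat its absence as a finding, not a crash.
    root = (bom.get("metadata") or {}).get("component")
    if root is None:
        findings.append("metadata.component missing: SBOM does not name the built project")
    elif (root.get("name"), root.get("version")) != (expected_name, expected_version):
        findings.append(
            f"root component {root.get('name')}@{root.get('version')} "
            f"does not match built {expected_name}@{expected_version}"
        )
    components = bom.get("components") or []
    if not components:
        findings.append("components list is empty")
    for comp in components:
        ident = f"{comp.get('name')}@{comp.get('version')}"
        if not comp.get("version"):
            findings.append(f"component {ident} has no version")
        # Without a purl the component cannot be matched against advisory databases.
        if not comp.get("purl"):
            findings.append(f"component {ident} has no purl")
    return findings
```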

@spoorcc spoorcc merged commit 50765ba into main Jan 1, 2026
39 checks passed
@spoorcc spoorcc deleted the generate-sbom branch January 1, 2026 19:04
