@bact bact commented Apr 8, 2025

This PR fixes two issues in the SPDX 2.x validation step in the PR check workflow:

  1. tools-java behavior is not stable:
  2. Check is marked as "Passed" even if some validations failed:
    • To fix that, this PR changes the workflow to run tools-java.jar Verify outside find -exec, so the Verify exit code is not hidden and can be used to fail the workflow.
    • The validation step will not fail immediately once it finds an invalid SBOM but will collect all invalid ones, report a summary at the end of the step, and exit with a non-zero value to eventually fail the check.

This PR also adds the --quiet option to spdx3-validate to disable its spinner and make the run log more compact and easier to read.

--

Note that this PR currently fails the PR check because there are 3 SBOMs that don't pass the SBOM validation. The following issues have to be fixed before the check can pass:

bact and others added 9 commits April 8, 2025 04:24
Instead of building it from the latest source

Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
Co-Authored-By: Gary O'Neall <gary@sourceauditor.com>
Add set -e

Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
Signed-off-by: Arthit Suriyawongkul <arthit@gmail..com>
Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
@bact bact changed the title from "Use released tools-java" to "Make PR check fails when find invalid SPDX 2.x SBOM" Apr 8, 2025
Use --quiet option to disable spinner and make the log smaller

Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>

bact commented Apr 9, 2025

Reviewed during 2025-04-08 Tech Team meeting.

@goneall goneall left a comment

LGTM

bact commented Apr 29, 2025

Update tools-java version to 2.0.1

Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
@goneall goneall merged commit c4938ed into spdx:master Apr 29, 2025
1 check failed
@bact bact deleted the use-stable-tools-java branch April 29, 2025 22:02
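
The exit-code handling described in the PR description, as an added example that is not part of the PR or the project's workflow. `check_sbom` is a hypothetical stand-in for the real validator, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not the project's workflow. check_sbom is a hypothetical
# stand-in for the real validator; it rejects files containing "INVALID".
check_sbom() {
    ! grep -q 'INVALID' "$1"
}

# Before: with `-exec ... \;` the validator's exit status is only a predicate
# result inside find, so find exits 0 even when a file fails validation.
validate_hidden() {
    find "$1" -type f -name '*.spdx.json' \
        -exec sh -c '! grep -q INVALID "$1"' _ {} \;
}

# After: run the validator outside find, keep going after a failure,
# record every invalid file, and return non-zero if any were found.
# Assumes file names contain no newlines.
validate_all() {
    INVALID_COUNT=0
    INVALID_FILES=""
    while IFS= read -r file; do
        [ -n "$file" ] || continue
        if ! check_sbom "$file"; then
            INVALID_COUNT=$((INVALID_COUNT + 1))
            INVALID_FILES="${INVALID_FILES}  ${file}
"
        fi
    done <<EOF
$(find "$1" -type f -name '*.spdx.json' | sort)
EOF
    if [ "$INVALID_COUNT" -gt 0 ]; then
        printf 'Invalid SBOMs: %d\n%s' "$INVALID_COUNT" "$INVALID_FILES" >&2
        return 1
    fi
    echo "All SBOMs valid"
}

# Constructed sample tree: one valid file, two invalid ones.
demo() {
    d=$(mktemp -d)
    echo '{"spdxVersion":"SPDX-2.3"}' > "$d/a.spdx.json"
    echo 'INVALID' > "$d/b.spdx.json"
    echo 'INVALID' > "$d/c.spdx.json"
    rc=0; validate_hidden "$d" || rc=$?; echo "find -exec status: $rc"
    rc=0; validate_all "$d" || rc=$?;    echo "loop status: $rc"
    rm -rf "$d"
}
demo
```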