
Add command to remove dependencies from SPDX source SBOM #9653


Open · wants to merge 4 commits into base: master

Conversation

kikofernandez
Contributor

Adds command to remove dependencies from SPDX source SBOM.

For example, removing the SPDX package SPDXRef-otp-xmerl implies

  • Removing all files from the files section of the SPDX document
  • Removing the SPDX package
  • Removing the packages that depend on this package (reflexive and transitive closure of dependencies)

To facilitate removing dependents, we provide the following command, where the removed.json file contains a list of strings with the packages to be removed.

.github/scripts/otp-compliance.es sbom remove-packages --sbom-file otp.spdx.json --input_file removed.json
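The three removal steps listed above, as an added Python example that is not the otp-compliance.es script's own code: it prunes a constructed SPDX 2.3 JSON document (only SPDXRef-otp-xmerl comes from the PR; every other package, file and relationship ID is made up), computes the dependents closure over DEPENDS_ON relationships, and finishes with a check that no relationship still points at a removed element.

```python
import json
from collections import deque
# Constructed SPDX 2.3 document standing in for otp.spdx.json; only
# SPDXRef-otp-xmerl comes from the PR, every other ID here is made up.
def pkg(pid, fid): return {"SPDXID": pid, "hasFiles": [fid]}
def rel(a, kind, b): return {"spdxElementId": a, "relationshipType": kind, "relatedSpdxElement": b}
SBOM = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [pkg("SPDXRef-otp-stdlib", "SPDXRef-f-stdlib"), pkg("SPDXRef-otp-xmerl", "SPDXRef-f-xmerl"),
                 pkg("SPDXRef-app-a", "SPDXRef-f-a"), pkg("SPDXRef-app-b", "SPDXRef-f-b"),
                 pkg("SPDXRef-app-c", "SPDXRef-f-c")],
    "files": [{"SPDXID": f"SPDXRef-f-{n}", "fileName": f"lib/{n}/src/{n}.erl"}
              for n in ("stdlib", "xmerl", "a", "b", "c")],
    "relationships": [rel("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-otp-stdlib"),
                      rel("SPDXRef-otp-xmerl", "DEPENDS_ON", "SPDXRef-otp-stdlib"),
                      rel("SPDXRef-app-a", "DEPENDS_ON", "SPDXRef-otp-xmerl"),
                      rel("SPDXRef-app-b", "DEPENDS_ON", "SPDXRef-app-a"),
                      rel("SPDXRef-app-c", "DEPENDS_ON", "SPDXRef-otp-stdlib")],
}

def dependents_closure(sbom, roots):
    """Reflexive and transitive closure of 'X DEPENDS_ON p', starting from roots."""
    rev = {}  # package -> packages that DEPENDS_ON it
    for r in sbom.get("relationships", []):
        if r["relationshipType"] == "DEPENDS_ON":
            rev.setdefault(r["relatedSpdxElement"], set()).add(r["spdxElementId"])
    seen, queue = set(roots), deque(roots)
    while queue:
        for dep in rev.get(queue.popleft(), ()):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

def remove_packages(sbom, removed_json):
    """Drop the listed packages, their dependents (closure) and all of their files."""
    doomed = dependents_closure(sbom, json.loads(removed_json))
    file_ids = {f for p in sbom["packages"] if p["SPDXID"] in doomed for f in p.get("hasFiles", [])}
    gone = doomed | file_ids
    return {**sbom,
            "packages": [p for p in sbom["packages"] if p["SPDXID"] not in doomed],
            "files": [f for f in sbom.get("files", []) if f["SPDXID"] not in file_ids],
            "relationships": [r for r in sbom.get("relationships", [])
                              if r["spdxElementId"] not in gone and r["relatedSpdxElement"] not in gone]}

def dangling_references(sbom):
    """Post-condition check: every relationship endpoint must still exist in the document."""
    ids = {sbom["SPDXID"]} | {p["SPDXID"] for p in sbom["packages"]} | {f["SPDXID"] for f in sbom["files"]}
    return {x for r in sbom["relationships"] for x in (r["spdxElementId"], r["relatedSpdxElement"]) if x not in ids}
PRUNED = remove_packages(SBOM, '["SPDXRef-otp-xmerl"]')  # the constructed contents of removed.json
```

Removing SPDXRef-otp-xmerl also removes app-a and app-b (they depend on it directly or transitively) and their files, while stdlib and app-c survive.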

Contributor

github-actions bot commented Mar 28, 2025

CT Test Results

  1 files   11 suites   3m 38s ⏱️
 95 tests  91 ✅ 4 💤 0 ❌
111 runs  107 ✅ 4 💤 0 ❌

Results for commit 7696b12.

♻️ This comment has been updated with latest results.

To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass.

See the TESTING and DEVELOPMENT HowTo guides for details about how to run test locally.


// Erlang/OTP Github Action Bot

@garazdawi
Contributor

Would it not be better if we did it the other way around? That is, give the tool a list of which applications to keep?

@kikofernandez
Contributor Author

We could. My assumption would be that many apps from Erlang/OTP are used.

I am not sure what is best... since this is only for source SBOM, whoever clones our repo probably needs all of it, I would think.
Someone should only remove SPDX packages if they are not part of the clone of Erlang/OTP that they work on...

I do not mind changing it the other way around. I think we need feedback from internal customers or Erlang users to understand what is better.

@kikofernandez
Contributor Author

I can always add one more command called keep-packages instead of remove-packages.
TBH, I am not really sure what the most common use cases are, so maybe it is better to wait until we gather feedback on the most common use case and how we can help them?

@IngelaAndin IngelaAndin added the team:VM Assigned to OTP team VM label Mar 31, 2025
kikofernandez and others added 2 commits May 20, 2025 11:08