feat(materials): extract main component info from SPDX files #2984
waveywaves wants to merge 3 commits into chainloop-dev:main from
Conversation
143b790 to 76e2477
Follow the CycloneDX pattern to extract and populate MainComponent in SBOMArtifact for SPDX JSON materials. Uses spdxlib.GetDescribedPackageIDs to find the described package, then extracts name, version, and kind (PrimaryPackagePurpose). Container names are standardized via go-containerregistry. Gracefully skips when no described package is found.

Fixes chainloop-dev#2580

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Vibhav Bobade <vibhav.bobde@gmail.com>

The Id field is deprecated in crafting_state.proto (kept only for server-side compatibility). Remove the test assertion to fix the SA1019 staticcheck lint failure.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Vibhav Bobade <vibhav.bobde@gmail.com>
76e2477 to 9e0f4dc
jiparis
left a comment
Thanks @waveywaves. Please check my comments.
| // since we cannot determine the component kind. | ||
| kind := strings.ToLower(describedPkg.PrimaryPackagePurpose) | ||
| if kind == "" { | ||
| return fmt.Errorf("described package %q has no PrimaryPackagePurpose set", describedPkg.PackageName) |
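Review bot: Returning an error when `PrimaryPackagePurpose` is empty turns an optional field into a hard failure for the whole material; `primaryPackagePurpose` is optional in SPDX 2.3 and many generators omit it. Keep the name and version of the described package and leave the kind as the empty string: keep `kind := strings.ToLower(describedPkg.PrimaryPackagePurpose)`, drop the `if kind == ""` branch, and reword the comment above ("since we cannot determine the component kind") to say the kind is left empty rather than that extraction stops.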
In this case, as a best effort, it could just return name and version. Not sure if Kind is expected in other parts of the code.
Good point — now returns name and version as best effort when PrimaryPackagePurpose is absent. Kind will be empty string.
| // For container packages, standardize the name via go-containerregistry | ||
| // to get the full repository name and strip any tag (matching CycloneDX behavior) | ||
| if kind == containerComponentKind { | ||
| ref, err := remotename.ParseReference(name) |
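Review bot: `remotename.ParseReference` in go-containerregistry is an offline string parser, so an error here means the package name is not a well-formed image reference rather than a registry or credential problem; that should be non-fatal, so log it and keep `name` unchanged instead of returning the error. On success, `ref.Context().Name()` gives the fully-qualified repository without tag or digest, which handles `@sha256:...` references as well as the `:tag` case the comment mentions.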
Here it's likely that chainloop doesn't have the credentials for this query in most cases. Instead of returning, I'd just continue and return the existing values.
Makes sense — chainloop likely won't have registry credentials in most cases. Now logs at debug level and continues with the original name instead of returning an error.
Address review feedback:

- Return name and version even when PrimaryPackagePurpose is absent (kind will be empty string instead of erroring out)
- When OCI image reference parsing fails (e.g. missing registry credentials), log at debug level and continue with the original name instead of returning an error

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Vibhav Bobade <vibhav.bobde@gmail.com>
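The extraction rules this PR and its review converge on (described package lookup, best-effort kind, non-fatal container-name normalization, silent skip when nothing is described), as an added stand-alone example that is not chainloop's code. It assumes the `MainComponent` field names and the value `"container"` for `containerComponentKind`; `describedPackageIDs` is a standard-library re-implementation of the rule as this example understands `spdxlib.GetDescribedPackageIDs`, and `stripImageRef` is a dependency-free stand-in for go-containerregistry's `name.ParseReference(...).Context().Name()` that only strips a trailing tag or digest and does not expand short names to a full registry path. The sample SPDX documents are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal SPDX 2.3 JSON shapes: only the fields the extraction reads.
type spdxPackage struct {
	SPDXID                string `json:"SPDXID"`
	Name                  string `json:"name"`
	VersionInfo           string `json:"versionInfo"`
	PrimaryPackagePurpose string `json:"primaryPackagePurpose"`
}
type spdxRelationship struct {
	SPDXElementID      string `json:"spdxElementId"`
	RelatedSPDXElement string `json:"relatedSpdxElement"`
	RelationshipType   string `json:"relationshipType"`
}
type spdxDocument struct {
	SPDXID            string             `json:"SPDXID"`
	DocumentDescribes []string           `json:"documentDescribes"`
	Packages          []spdxPackage      `json:"packages"`
	Relationships     []spdxRelationship `json:"relationships"`
}

// MainComponent stands in for the SBOMArtifact.MainComponent fields (field names assumed).
type MainComponent struct{ Name, Version, Kind string }

const containerComponentKind = "container" // assumed value of the PR's constant

// describedPackageIDs is a stdlib re-implementation of the rule this example
// attributes to spdxlib.GetDescribedPackageIDs: the (deprecated) documentDescribes
// list plus every DESCRIBES relationship whose subject is the document itself.
func describedPackageIDs(doc *spdxDocument) []string {
	seen := map[string]bool{}
	var ids []string
	add := func(id string) {
		if id != "" && !seen[id] {
			seen[id] = true
			ids = append(ids, id)
		}
	}
	for _, id := range doc.DocumentDescribes {
		add(id)
	}
	for _, r := range doc.Relationships {
		if r.SPDXElementID == doc.SPDXID && r.RelationshipType == "DESCRIBES" {
			add(r.RelatedSPDXElement)
		}
	}
	return ids
}

// stripImageRef is a dependency-free stand-in for go-containerregistry's
// name.ParseReference(n).Context().Name(): it drops a trailing @digest or :tag
// but does not expand short names to a fully-qualified registry path.
// ok=false signals input the heuristic cannot treat as an image reference.
func stripImageRef(name string) (string, bool) {
	if name == "" || strings.ContainsAny(name, " \t") {
		return name, false
	}
	if i := strings.Index(name, "@"); i >= 0 {
		name = name[:i]
	}
	// A colon after the last slash separates a tag; before it, a registry port.
	if i := strings.LastIndex(name, ":"); i > strings.LastIndex(name, "/") {
		name = name[:i]
	}
	return name, name != ""
}

// extractMainComponent applies the best-effort rules settled in review:
// no described package -> (nil, nil) so crafting continues; missing purpose ->
// Kind is ""; container name that does not parse -> original name is kept.
func extractMainComponent(raw []byte) (*MainComponent, error) {
	var doc spdxDocument
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, fmt.Errorf("parsing SPDX JSON: %w", err)
	}
	ids := describedPackageIDs(&doc)
	if len(ids) == 0 {
		return nil, nil
	}
	for i := range doc.Packages {
		pkg := &doc.Packages[i]
		if pkg.SPDXID != ids[0] {
			continue
		}
		mc := &MainComponent{Name: pkg.Name, Version: pkg.VersionInfo,
			Kind: strings.ToLower(pkg.PrimaryPackagePurpose)}
		if mc.Kind == containerComponentKind {
			if repo, ok := stripImageRef(mc.Name); ok {
				mc.Name = repo
			} // else: real code logs at debug level and keeps the original name
		}
		return mc, nil
	}
	return nil, nil // DESCRIBES points at a missing package: skip, do not fail
}

// Constructed sample documents, not taken from the PR or any real SBOM.
const sbomContainer = `{"SPDXID":"SPDXRef-DOCUMENT","packages":[{"SPDXID":"SPDXRef-img","name":"ghcr.io/example/app:1.2.3","versionInfo":"1.2.3","primaryPackagePurpose":"CONTAINER"}],"relationships":[{"spdxElementId":"SPDXRef-DOCUMENT","relatedSpdxElement":"SPDXRef-img","relationshipType":"DESCRIBES"}]}`
const sbomNoPurpose = `{"SPDXID":"SPDXRef-DOCUMENT","documentDescribes":["SPDXRef-lib"],"packages":[{"SPDXID":"SPDXRef-lib","name":"left-pad","versionInfo":"1.3.0"}]}`
const sbomUndescribed = `{"SPDXID":"SPDXRef-DOCUMENT","packages":[{"SPDXID":"SPDXRef-x","name":"x","versionInfo":"0.1"}]}`

func main() {
	for _, raw := range []string{sbomContainer, sbomNoPurpose, sbomUndescribed} {
		mc, err := extractMainComponent([]byte(raw))
		fmt.Printf("%+v err=%v\n", mc, err)
	}
}
```

Only a malformed document is an error; every other gap (no described package, no purpose, unparsable image name) degrades to partial or absent data so that one incomplete SBOM does not abort the whole attestation crafting.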
Summary

- Use `spdxlib.GetDescribedPackageIDs` to identify the described package, then populate `SBOMArtifact.MainComponent` with the package's name, version, and lowercased `PrimaryPackagePurpose`
- Standardize container names via `go-containerregistry` (same as CycloneDX) and gracefully skip when no described package is found
- Fixes #2580

Test plan

- `go vet` passes cleanly

🤖 Generated with Claude Code