[spdx] Add installed package files to SPDX SBOM file #1744
Conversation
Also remove repetition of relationships. These are no longer present in v3 of the SPDX spec. Keeping these relationships would also make the SBOM very noisy.
ras0219-msft
left a comment
ras0219-msft
left a comment
There was a problem hiding this comment.
Overall, this looks great -- thank you for the PR!
Because this is changing the output packages, it needs to change the output package ABI (so we'll regenerate all packages with the new SBOM information). Can you add a new entry after AbiTagPostBuildChecks for this?
https://github.com/microsoft/vcpkg-tool/blob/main/src/vcpkg/commands.build.cpp#L1458
ekilmer
force-pushed
the
ek/spdx-track-installed-files
branch
from
7a0abc4 to
d589226
Compare
Because this is changing the output packages, it needs to change the output package ABI (so we'll regenerate all packages with the new SBOM information)
Thank you for the review and for pointing out the ABI change. Honestly, I'm not sure what's expected there, but I attempted something. I'm happy to change it to something else if you can help guide me towards a better alternative implementation. |
| // Gather all the files in the package directory | ||
| // Note: For packages with many files, this sequential hashing may be slow | ||
| const auto relative_package_files = | ||
| fs.get_regular_files_recursive_lexically_proximate(package_dir, VCPKG_LINE_INFO); |
There was a problem hiding this comment.
:sigh: We really need to start doing this once per port and then feeding it into everything downstream.
No change requested.
|
Thanks! |
3 participants
Also remove repetition of relationships. These are no longer present in v3 of the SPDX spec. Keeping these relationships would also make the SBOM very noisy.