Add platform generate subcommand that lazy-installs MikeBOM #247
nchelluri wants to merge 6 commits into
Conversation
kusari platform generate invokes "mikebom sbom scan" under the hood with defaults "--offline" and "--output project.cdx.json". Either default can be overridden by passing the corresponding flag after "--" (e.g. "--output other.json", "--offline=false"). MikeBOM is downloaded and verified on first use against SHA256 hashes embedded in pkg/mikebom/versions.go, cached at ~/.kusari/bin/mikebom-<version>, and exec'd. Anything after "--" is passed verbatim as flags to "sbom scan". When --upload is set, the SBOM is uploaded to the Kusari platform after generation. All "kusari platform upload" flags except --file-path (derived from --output) are accepted on generate too; flag registration is shared via the new addUploadFlags helper. KUSARI_MIKEBOM_BIN points at a pre-installed binary (air-gapped envs, local dev). KUSARI_NO_AUTO_INSTALL=1 fails instead of downloading. scripts/bump-mikebom.sh regenerates versions.go from the upstream release's SHA256SUMS so the pinned version and hash table stay in lockstep.
LGTM overall. lint is unhappy, but I'm not sure these are the worst things to have (although cleaning that up wouldn't be bad, either) Edit: the lint check is blocking, so I guess you'll have to clean that up first 😄
One thing with this approach is that we'll need to release a new CLI version every time there's a new MikeBOM version that we want to use. That's good for "avoid breaking changes", but it might be a little churn-y in the short term.
The other concern is that we don't seem to be removing unused MikeBOM binaries. This isn't a blocker. The binaries are small and we won't have more than a few over time, probably, but it's conceivable that eventually we'll be leaving a lot of unused files on disk.
Yup... this is intentional. It's got some tradeoffs as you mention, but I think it's good for now.
I think this is a good point, but agree it's not a blocker. We can add a cache cleaner at some point that deletes old binaries, maybe. Also, I fixed the lint errors.
| if err != nil { | ||
| return "", err | ||
| } | ||
| resp, err := http.DefaultClient.Do(req) |
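Review bot: `resp, err := http.DefaultClient.Do(req)` uses a client with no timeout, so a stalled release download blocks `kusari platform generate` indefinitely on first use (the CI case is the painful one). Suggest a dedicated client such as `client := &http.Client{Timeout: 5 * time.Minute}` and `resp, err := client.Do(req)`, or building `req` with `http.NewRequestWithContext` from a `context.WithTimeout` so the deadline also covers reading the body that is later hashed against the pinned SHA256.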
We should add a timeout here in case of any issues and the download hanging indefinitely in CI.
viper holds one *pflag.Flag per key, so binding at init() time can only satisfy whichever command's init runs last. With upload's flags shared between 'platform upload' and 'platform generate --upload', the loser's CLI flag values were silently dropped (or env/config values were ignored entirely on the generate path). Extract bindUploadFlagsToViper + loadUploadFromViper + a shared uploadPreRun, and attach the PreRun to both commands. Each command rebinds to its own flag instances and materializes env/config/CLI values in correct precedence just before its RunE runs. Incidental fix: the original upload PreRun was missing 'commit-sha' from its viper.GetString reads, so KUSARI_COMMIT_SHA / .env values were dropped on the upload path too. Included now.
uploadStringVars and uploadBoolVars now map each viper key to its backing variable pointer; bindUploadFlagsToViper and loadUploadFromViper both iterate these maps. Adding a flag is a one-place change, and a new TestLoadUploadFromViper guards against drift between the maps and the package-level vars.
- Short-circuit uploadPreRun when --upload is false so the pure-generate path doesn't bind+load 17 viper keys it'll never use.
- Hide --openvex from 'platform generate' help; the flag was inherited from addUploadFlags but doesn't make sense for an SBOM (would hit repo.Upload's OpenVEX validation downstream with a confusing error).
- Factor the deprecated --component-name warning into a helper and call it from generate too, so config-sourced component-name values surface the same warning on both code paths.