Skip to content

avoid "Restoring original project mainline states" during "project update" #122

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
tngraf merged 5 commits into from
May 6, 2025
Merged

avoid "Restoring original project mainline states" during "project update" #122

tngraf merged 5 commits into from
May 6, 2025

Conversation

@gernot-h
Copy link
Collaborator

@gernot-h gernot-h commented Feb 5, 2025

This changes the release state handling during "project update". Instead of storing project release states from SW360 and restoring it release by release at the end, we pass on full release data to REST API endpoint for updating linked releases.

As an SBOM has to be provided during "project update" or "project create --copy_from" anyways, we take the release states stored in the SBOM instead of keeping the state in SW360.

Note that this requires also the change from sw360/sw360python#41 for correct "project update" support.

Fixes #121

@gernot-h gernot-h force-pushed the gernot/project-update-pms-fix branch 3 times, most recently from 1df7aaa to 3f8d543 Compare February 5, 2025 19:43
@tngraf
Copy link
Collaborator

tngraf commented Feb 7, 2025

Hm, --copy_from does not work any longer:

  • yes, the project is successfully copied, including all project mainline states
  • But update_project_releases() gets as input a list that does not contain any project mainline states and so all
    existing states are overwritten by OPEN.
  • Reason for this is, that the input is created by bom_to_release_list(). This method only knows the SBOM read from file.
    The SBOM file does not contain any mainline state information. How should it - it is an SBOM created by any kind
    of CycloneDX SBOM generator.
  • Even calling update_project_releases() with add=True would not help, because bom_to_release_list() returns a list
    of all releases in the SBOM and not of all releases that have changed.

Sorry, this is like the parameter --copy_from would not exist...

@tngraf
Copy link
Collaborator

tngraf commented Feb 7, 2025

My method get_release_project_mainline_states() extracted the project mainline state out of the existing (=copied) project.
And you removed all this code...

@gernot-h
Copy link
Collaborator Author

gernot-h commented Feb 7, 2025
edited
Loading

Yes, this was by intention and I tried to describe this in my initial comment and that's exactly the point I wanted to discuss with you. ;) Probably I don't completely get your use case.

My assumption was that the SBOM you'll use in --copy-from would be created by CaPyCli from the original project and then be modified as needed by the user - and I also added code to "project createbom" so that created SBOMs now also contain the release-project relation, so that all data is preserved.

I can see your point, but on the other hand, I considered it quite unintuitive, if you pass an SBOM to overwrite the releases during the copy process, that the actual release data would be used from SBOM, but the meta data from the existing project. In general, I wonder if it's a good idea to have --copy-from take an SBOM to modify releases at the same time. Perhaps it would be clearer to have a "just copy" operation, followed by "project update" to modify the releases as needed? And the latter should probably than consider current state plus the information in the SBOM, with clearly described priority, but that's also some work to get the implementation right...

@gernot-h gernot-h assigned gernot-h and unassigned t-graf Feb 11, 2025
@gernot-h
Copy link
Collaborator Author

gernot-h commented Feb 11, 2025

@tngraf and me agreed that I will restore the functionality to retain project mainline states and project relations from SW360, but also that the data in the SBOM will have priority if included.

Main intended use case here is to run "project --create --copy-from" with an SBOM created fresh by "capycli getdependencies" or from another scanner which doesn't have the project mainline states included. However, if the SBOM contains these details, we shall use it.

@gernot-h gernot-h marked this pull request as draft February 11, 2025 11:57
@gernot-h gernot-h mentioned this pull request Feb 19, 2025
Closed
@gernot-h gernot-h mentioned this pull request Mar 23, 2025
Closed
@gernot-h gernot-h force-pushed the gernot/project-update-pms-fix branch 3 times, most recently from 0b76318 to ed9cc94 Compare April 9, 2025 18:48
@SUMITKC1 SUMITKC1 mentioned this pull request Apr 11, 2025
Closed
@SUMITKC1 SUMITKC1 mentioned this pull request Apr 19, 2025
Closed
@gernot-h gernot-h force-pushed the gernot/project-update-pms-fix branch 6 times, most recently from e249cdd to e87e471 Compare April 28, 2025 14:19
gernot-h added 4 commits May 5, 2025 12:29
@gernot-h
test(project): adapt/add tests for #121
441f1c6 
Existing test case did't trigger get_release_project_mainline_states
due to incomplete/wrong JSON response. Also add a new test case for
"project create --copy_from".
@gernot-h
test(project): fix mocked JSON response for projects
65c9b94 
SW360 REST API loves surprises in JSON encoding. It uses different ways
to describe linked releases in request and response bodies. The mocked
responses were seemingly copy&pasted from the requests, so they used the
wrong structure. This also fixes some copy&paste errors in the
release IDs so that `sw360:releases` and `linkedReleases` are
consistent.

While all of this had no effect on the test cases, it was confusing for
me when reading the code.
@gernot-h
fix(project create): unnecessary get_project() on copy
974eb52 
If args.copy_from is set, data of new project is already available, no
need to get_project() again.
@gernot-h
feat(project createbom): store release relation data
38d7087
@gernot-h gernot-h force-pushed the gernot/project-update-pms-fix branch 2 times, most recently from 08de316 to 9fea462 Compare May 5, 2025 12:53
@gernot-h gernot-h marked this pull request as ready for review May 5, 2025 12:59
@gernot-h
Copy link
Collaborator Author

gernot-h commented May 5, 2025
edited
Loading

@tngraf, I now changed the code as discussed to respect the release states provided in the SBOM and maintaining state from SW360 if SBOM doesn't contain information about it.

So from my side, this can be merged. Please have a look. :)

@gernot-h gernot-h requested a review from tngraf May 5, 2025 13:00
@gernot-h gernot-h removed their assignment May 5, 2025
@gernot-h
fix(project create): optimize release state handling on update
a128897 
Instead of restoring all release states after project update in a big
loop, SW360 REST API also allows to pass full release information during
release update. For large projects, this is much faster and avoids
timeouts or even crashes due to REST API rate limiting.

This also respects states provided in the SBOM which will overwrite
existing states.

Fixes #121
@gernot-h gernot-h force-pushed the gernot/project-update-pms-fix branch from 9fea462 to a128897 Compare May 6, 2025 05:33
@tngraf tngraf merged commit 54f7b28 into main May 6, 2025
7 checks passed
@gernot-h gernot-h deleted the gernot/project-update-pms-fix branch May 6, 2025 10:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tngraf tngraf tngraf approved these changes

Assignees

@tngraf tngraf

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

"project update" will always do "Restoring original project mainline states" leading to crash for large projects

4 participants

@gernot-h @tngraf @t-graf