Adding note to sbom-validate about the output path #922
base: main
Conversation
Added a note to the sbom-tool validate command to warn users not to output their validation file in the same folder as the drop path. The output path needs to be outside of your drop path. Otherwise on subsequent validations you'll receive a FAILURE even though nothing changed in your project dependencies. This is because the validate file gets added to your drop path and it messes up the hash comparison because you added a file into the drop path. Hopefully this makes sense.
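The hash-comparison failure described above, as an added example that is not part of this PR or of the sbom-tool code base: a small Python stand-in for `generate`/`validate` that records a SHA-256 per file under a constructed drop directory, validates it with the result file written outside the drop (succeeds every time) and then inside the drop (first run succeeds, second run fails because the result file is now an extra file the manifest does not know about). `output_inside_drop` is a hypothetical guard, not an existing tool option, showing the check the tool itself could make; all paths and file contents are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def generate_manifest(drop: Path) -> dict:
    """Stand-in for `sbom-tool generate`: map each file under the drop (relative,
    POSIX-style path) to its SHA-256."""
    return {
        p.relative_to(drop).as_posix(): sha256_of(p)
        for p in sorted(drop.rglob("*"))
        if p.is_file()
    }


def validate(drop: Path, manifest: dict, output: Path) -> dict:
    """Stand-in for `sbom-tool validate`: compare the files on disk with the
    manifest, then write the result JSON to `output` (like the -o argument).
    Any file present on disk but absent from the manifest is reported as extra
    and makes the validation fail."""
    on_disk = generate_manifest(drop)
    missing = sorted(set(manifest) - set(on_disk))
    extra = sorted(set(on_disk) - set(manifest))
    changed = sorted(p for p in manifest if p in on_disk and manifest[p] != on_disk[p])
    result = {
        "success": not (missing or extra or changed),
        "missing": missing,
        "extra": extra,
        "changed": changed,
    }
    output.parent.mkdir(parents=True, exist_ok=True)
    output.write_text(json.dumps(result, indent=2))
    return result


def output_inside_drop(drop: Path, output: Path) -> bool:
    """Hypothetical guard (assumption, not a tool feature): True when the output
    path resolves to the drop path itself or to a location beneath it."""
    drop_r = drop.resolve()
    out_r = output.resolve()
    return out_r == drop_r or drop_r in out_r.parents


def demo() -> dict:
    """Build a constructed drop, then validate with a good and a bad -o path."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        drop = root / "drop"
        (drop / "bin").mkdir(parents=True)
        (drop / "bin" / "app.dll").write_bytes(b"constructed sample binary\x00\x01")
        (drop / "README.md").write_text("constructed sample readme\n")
        manifest = generate_manifest(drop)

        good_out = root / "validationOutputPath" / "output.json"   # outside the drop
        bad_out = drop / "validationOutputPath" / "output.json"    # inside the drop

        good_runs = [validate(drop, manifest, good_out)["success"] for _ in range(2)]
        bad_first = validate(drop, manifest, bad_out)   # drop unchanged yet -> SUCCESS
        bad_second = validate(drop, manifest, bad_out)  # output.json now in drop -> FAILURE

        return {
            "good_runs": good_runs,
            "bad_first_success": bad_first["success"],
            "bad_second_success": bad_second["success"],
            "bad_second_extra": bad_second["extra"],
            "guard_rejects_bad": output_inside_drop(drop, bad_out),
            "guard_accepts_good": output_inside_drop(drop, good_out),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The second bad run reports `validationOutputPath/output.json` as an extra file, which is exactly the "injected into your drop path" symptom; the guard catches the misconfiguration before any file is written, which is the check a tool could apply to its own `-o` argument.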
@@ -132,6 +132,8 @@ This sample command provides the minimum mandatory arguments required to validat | |||
`-o` is the output path where the tool will write the validation results. This path can be any file path on the system. In this case the tool will look for the validationOutputPath directory, create a file named output.json, and write the validation output. | |||
`-mi` is the ManifestInfo, which provides the user's desired name and version of the manifest format. | |||
|
|||
NOTE: The output path should not be in the same drop path as specified in the generate command, otherwise the validation file will be added to the files to validate. The first validation will report SUCCESS but then other validate commands after it will fail. This is because the validation file has been added in the drop path location and it will no longer validate because it detects that your validate output file has been injected into your drop path. |
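Review bot: The new NOTE at the end of this hunk documents a failure mode that the tool could prevent itself; since validate already receives both the drop path and the `-o` output path, consider rejecting (or at least warning on) an output path that resolves to a location under the drop path instead of relying on readers to notice this paragraph. The wording is also repetitive ("will fail" and "will no longer validate" make the same point twice) and "the same drop path as specified in the generate command" could simply name the BuildDropPath argument; a tighter form is: "NOTE: Do not write the validation output inside the BuildDropPath. The output file changes the set of files in the drop, so the first validation succeeds but later ones fail because the new file is not in the SBOM."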
Great callout, @Ninja4Code! This feels like something that we should treat as an error condition in a future breaking change. Here's a suggested rewording that also follows our "one space after a period" standard that we try to maintain:
Suggested change:

-NOTE: The output path should not be in the same drop path as specified in the generate command, otherwise the validation file will be added to the files to validate. The first validation will report SUCCESS but then other validate commands after it will fail. This is because the validation file has been added in the drop path location and it will no longer validate because it detects that your validate output file has been injected into your drop path.
+NOTE: Do not specify an output path that is within the drop path, because the resulting output file will _change the set of files in the drop path_. The first validation will succeed, but subsequent validations will fail because the newly added file is not reflected in the SBOM. This may be treated as an error condition in future versions of the tool.

If you would also update the wording for the tool itself, that would be great. Instead of "The path where the output json should be written. ex: Path/output.json", let's go with "The path where the output json should be written. Do not specify a path within your BuildDropPath. ex: Path/output.json." in the following locations:

* https://github.com/microsoft/sbom-tool/blob/main/src/Microsoft.Sbom.Api/Config/Args/ValidationArgs.cs#L36-L37
* https://github.com/microsoft/sbom-tool/blob/main/docs/sbom-tool-arguments.md?plain=1#L23

Dave,

I'll take your suggestions and work on the areas you listed.

Thanks,
Charles

________________________________
From: Dave Tryon
Sent: Thursday, February 6, 2025 12:24 PM
Subject: Re: [microsoft/sbom-tool] Adding note to sbom-validate about the output path (PR #922)