-
-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Last repository tag picked over first reachable when determining version #419
Comments
Hi, this is indeed custom logic on cdx-gomod's side. However, it will (should) only pick the tag when the current cyclonedx-gomod/internal/gomod/version.go Lines 69 to 106 in da20ca2
Are you able to provide a bash script or GitHub repo something that resembles the situation you're describing? That would help a lot with reproducing this. |
Hey, @nscuro! Surely! The repository in question is git.zabbix.com/scm/ap/plugin-support. The There was an attempt at one point to start properly versioning these with tags, for publishing to the module index, but that got canceled, hence why the tags are in a bit of a disarray. If you check out the If you look at the metadata.component and metadata.version fields jq '.metadata.component | .["bom-ref"], .version' sbom.json the version that is detected is The version I would expect to be detected for that branch is The
This would then make sense, as if you issue I'm reading the version detection code in ( |
Hey, @nscuro! Sorry for the lack of activity; I was ill the last couple of weeks, so this didn't really move along anywhere during that time. What I've found is the following: In In We then iterate over the list, skipping those tags that do not conform to the SemVer specification. For the tags that do, we then determine whether it occurs before or at the commit pointed to by We determine whether the the tagged commit object occurs before or at the The additional issue here is that we process a list of all tags, regardless of whether they are reachable from the I briefly looked at the The only option I see here, with what is available to us, is requesting a full log of the repository, up to the commit object That seems like quite a hack to me, just to get an appropriate tag list. Maybe this should be filed as an issue/feature request with the |
Hi,
I have the following situation:
I have a Git repository, where the master branch serves as the development head, with tags for release points, and maintenance branches for previous major releases that receive bugfixes and tags for updates.
Where
A
,B
andC
are releases (let's presume v1.0.0, v2.0.0 and v3.0.0 respectively), andA'
andB'
are maintenance commits for the respective releases (let's assume v1.0.1 and v2.0.1).When I generate an SBOM document for the module, as it is at
B'
, the version detection malfunctions, and determines the version of the module to be whatever the latest tag is (in the example, this isC
, i.e. v3.0.0). I've verified that it is the version control system tags that affect this, as after removing all tags from the repository, the result was a pseudo-version.Is this the Go tooling that's doing this, or the
cyclonedx-gomod
utility incorrectly determining the version of the module?Apologies in advance if this isn't the
cyclonedx-gomod
utilities fault - my Go-fu isn't great, and I'm just managing this aspect of the subject project.The text was updated successfully, but these errors were encountered: