feat: add generated SPDX file on bottling

[SMillerDev]

• Have you followed the guidelines in our Contributing document?
• Have you checked to ensure there aren't other open Pull Requests for the same change?
• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you written new tests for your changes? Here's an example.
• Have you successfully run brew style with your changes locally?
• Have you successfully run brew typecheck with your changes locally?
• Have you successfully run brew tests with your changes locally?

---

Attached is an example SBOM.
spdx.sbom.json

This should allow us to have some more tracking of what goes into our bottles, but also allow others to have some insight into it.

[MikeMcQuaid]

Thanks for the PR!

• feels a bit weird this living on Tab when it's got little in common there
• do we have requests for these files anywhere you can link to?

[MikeMcQuaid]

Is this an officially defined format somewhere? If so: we should be using some sort of validator here ideally both at brew bottle and brew tests times.

[woodruffw]

I believe the SPDX spec is defined here: https://spdx.github.io/spdx-spec/v2.3/

In terms of a Ruby validator, I'm not sure. I can look into this 🙂

[jkowalleck]

full ack. get the results validated. the current implementation produces invalid data.
see #16594 (comment)

[SMillerDev]

feels a bit weird this living on Tab when it's got little in common there

Yeah, I was considering splitting it out of tab, but it is sort of the same thing so wanted to get it public first.

do we have requests for these files anywhere you can link to?

No, but I can see the tooling being available in the larger ecosystem be useful. And I chatted with some people about this and they seemed interested.
@gdams for example.

[MikeMcQuaid]

Yeah, I was considering splitting it out of tab, but it is sort of the same thing so wanted to get it public first.

Cool, all good, as long as done before merged 👍🏻

No, but I can see the tooling being available in the larger ecosystem be useful. And I chatted with some people about this and they seemed interested.
@gdams for example.

I think this is the sort of thing I'd like to see some more requests for before we consider integration here.

[gdams]

Yeah this is certainly something that I see to be useful in homebrew. With the significant pressure companies/projects are being put under to provide SBOMs it would be useful for projects to be able to easily determine the exact set of deps in homebrew formulas.

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[jkowalleck]

Attached is an example SBOM.
spdx.sbom.json

The resulting data structure seams invalid to the SPDX 2.3 JSON schema.
Tested with https://www.jsonschemavalidator.net/ and https://www.liquid-technologies.com/online-json-schema-validator

[SMillerDev]

New generated SBOM:
sbom.spdx.json

That should pass validation and have some more information than the previous one.

[MikeMcQuaid]

Looking better!

Blockers needed before merge:

• tests, ideally with 100% coverage of sbom.rb
• uses JSONSchemer.schema (like github_packages.rb) to do schema validation on write

[SMillerDev]

uses JSONSchemer.schema (like github_packages.rb) to do schema validation on write

Didn't know we had that, it sounds awesome. Do we use that for the API already? Otherwise I'm adding that to my list.

[MikeMcQuaid]

Didn't know we had that, it sounds awesome.

It is good for catching problems for sure.

Do we use that for the API already?

No(t yet). We'd need to create and publish a schema, too. Might want to sync up with @apainintheneck and save this for API v3 rather than create a v2 schema that won't be around in a year.

[apainintheneck]

I sent @SMillerDev some info but honestly API v3 still seems a ways off since the way we handle dependencies for formulae is still undecided and cask v3 is currently blocked by potential scope creep. Either we hold off on validating API v2 for now or we add validation knowing it might get removed in a few months.

[SMillerDev]

Does anyone know where stdlib information comes from in the install tab etc? Or is that only for Linux and that's why I can't find it?

[SMillerDev]

Any suggestions to fix this?

  Error: bottling failed
  Error: cannot load such file -- json_schemer

[MikeMcQuaid]

@SMillerDev This will only be available for dev-cmd so may need to get moved into a method call instead. I suspect that's needed to fix CI failures.

[SMillerDev]

I'm not sure what you mean by a method call, do you mean to make a command to generate an SBOM?

[MikeMcQuaid]

Move the require inside a def something

[SMillerDev]

Now this is in the test

  Error: cannot load such file -- json_schemer

[MikeMcQuaid]

@Bo98 may be able to help out here

[Bo98]

Because json_schemer is only a part of the pr_upload group. You would need to create a bottle group, add it to there too and update brew bottle to install_bundler_gems! that group (and potentially update test-bot's install for that too).

[SMillerDev]

Since we want to use it for bottle and also for API generation, wouldn't a broader install be better?

[Bo98]

We cannot vendor it for all as it unfortunately depends on a native extension (via simpleidn -> unf -> unf_ext).

We already have rexml in multiple groups so it isn't really a problem having it in potentially many groups.

[SMillerDev]

I think/hope this is ready for a final review