All notable changes to Plugfest will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- If Select All was pressed first on Compare, then it would always compare all SBOMs even if one was unchecked
- `DiffReport` now tracks similarity and difference count for metadata and components
- Download button added to Compare and Metrics
- Header on Metrics to display passed/total tests as well as which tests are currently displayed
- `package.json`: updated app name to plugfest
- Plugfest can now be launched as either a web app or a standalone application
- Added the following startup commands for the frontend:
  - `web-start`: Runs an Angular instance of the application for development purposes
  - `web-build`: Generates an index.html and build folder for the Angular application for web deployment
  - `electron-start`: Launches an Electron instance of the application
  - `windows-build`: Generates a standalone application (.exe) file and directory for deployment, with the backend built and included
  - `backend-build`: Builds the backend with no tests; used for the Windows build script
  - `copy-jar`: Copies the latest backend jar built from the backend to the build directory; used for the Windows build script
- `TranslatorSPDX` now filters out duplicate CPEs, PURLs, and SWIDs
- `TranslatorCDXJSON` now tests whether a JSON SBOM is CycloneDX. If not, a more descriptive error message is thrown to prevent SPDX JSON SBOMs from causing errors.
  - Note: `TranslatorCDXXML` already handles this for SPDX XML SBOMs.
- Fixed SBOMs from JSON files not having hashes
- Fixed SBOMs from SPDX files not having hashes
- New SPDX Metrics Processor. New tests include:
  - `HasDataLicenseSPDXTest` - checks to see if the SPDX SBOM DataLicense field in metadata contains the CC0-1.0 license
  - `HasSPDXIDTest` - checks to see if each component has a valid SPDXID (`SPDXRef:-[idstring]`)
  - `HasDocumentNamespaceTest` - checks to see if the SPDX SBOM contains a valid document namespace
  - `HasDownloadLocationTest` - checks to see if each component contains a download location
  - `HasCreationInfoTest` - checks to see if the SPDX SBOM contains creation info (Creator and Created fields in metadata)
  - `HasVerificationCodeTest` - checks to see if each component has a package verification code (FilesAnalyzed is true) or omits it (FilesAnalyzed is false)
  - `HasExtractedLicensesTest` - checks if there are any extracted licenses not on the SPDX license list
  - `ExtractedLicenseMinElementTest` - checks any extracted licenses for the required fields: LicenseName, LicenseID, LicenseCrossReference
- Method in `Utils.java` to ensure components with no licenses have no null components
- Added additional exceptions thrown in `TranslatorCDXXML` to increase the verbosity of error messages.
- `TranslatorSPDX` now filters out duplicate CPEs, PURLs, and SWIDs
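The checks in the SPDX metrics list above, carried through as an added Python example that is not Plugfest's Java code: each check returns a list of failure messages for a constructed in-memory document, and `run_spdx_metrics` tallies passed/total the way the Metrics header reports them. The `SPDXRef-` identifier pattern is assumed from the SPDX 2.x specification, and the dictionary keys follow SPDX tag-value field names.

```python
import re

# Added example (not Plugfest code): the SPDX metric checks listed above, each
# returning a list of failure messages, empty on pass. SPDXID_RE is assumed from
# the SPDX 2.x spec ("SPDXRef-" followed by letters, digits, '.' or '-').
SPDXID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.\-]+$")
EXTRACTED_REQUIRED = ("LicenseID", "LicenseName", "LicenseCrossReference")

def has_data_license(doc):
    return [] if "CC0-1.0" in doc.get("DataLicense", "") else ["DataLicense must contain CC0-1.0"]

def has_creation_info(doc):
    return [f"metadata missing {k}" for k in ("Creator", "Created") if not doc.get(k)]

def has_spdxid(pkg):
    spdxid = pkg.get("SPDXID", "")
    return [] if SPDXID_RE.match(spdxid) else [f"{pkg.get('PackageName')}: invalid SPDXID {spdxid!r}"]

def has_verification_code(pkg):
    # FilesAnalyzed true (the SPDX default) requires a PackageVerificationCode; false requires it be omitted.
    analyzed, present = pkg.get("FilesAnalyzed", True), bool(pkg.get("PackageVerificationCode"))
    if analyzed != present:
        return [f"{pkg.get('PackageName')}: FilesAnalyzed={analyzed} but PackageVerificationCode present={present}"]
    return []

def extracted_license_min_elements(doc):
    # One failure per extracted license that lacks any of the three required fields
    return [f"extracted license {lic.get('LicenseID', '?')} missing {', '.join(m)}"
            for lic in doc.get("ExtractedLicenses", []) if (m := [k for k in EXTRACTED_REQUIRED if not lic.get(k)])]

def run_spdx_metrics(doc):
    """Run each document-level check once and each package-level check per package."""
    checks = [lambda: has_data_license(doc), lambda: has_creation_info(doc),
              lambda: extracted_license_min_elements(doc)]
    for pkg in doc.get("Packages", []):
        checks += [lambda p=pkg: has_spdxid(p), lambda p=pkg: has_verification_code(p)]
    results = [check() for check in checks]
    return {"total": len(checks), "passed": sum(1 for r in results if not r),
            "failures": [msg for r in results for msg in r]}

# Constructed sample: the extracted license lacks LicenseCrossReference and the
# second package has a malformed SPDXID, so 5 of 7 checks pass.
SAMPLE_DOC = {
    "DataLicense": "CC0-1.0", "Creator": "Tool: example-generator", "Created": "2023-01-01T00:00:00Z",
    "ExtractedLicenses": [{"LicenseID": "LicenseRef-custom", "LicenseName": "Custom License"}],
    "Packages": [{"PackageName": "libfoo", "SPDXID": "SPDXRef-libfoo", "FilesAnalyzed": True,
                  "PackageVerificationCode": "a" * 40},
                 {"PackageName": "libbar", "SPDXID": "libbar", "FilesAnalyzed": False}],
}
```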
- Fixed broken SBOM file transfers by adding back the `@RequestBody` decorators to all `SBOMFile` API request parameters.
- Fixed issue with the CDXJSON translator translating null license objects to components without licenses
- Fixed errors caused by the `TranslatorPlugFest.getTranslator()` method incorrectly determining the file type.
  - We now check for the file extension only, since SPDX JSON and XML are not supported translators.
- Properly remove the `SBOM` object from the QA pipeline

CDX Metrics processor is not complete, see issue #183

- New CDX Metrics Processor. New tests include:
  - `HasBomRefTest` - checks to see if a component has a unique bom-ref to reference inside the BOM
  - `HasBomVersionTest` - checks if the SBOM has a version number declared
- Fixed broken SBOM file transfers by adding back the `@RequestBody` decorators to all `SBOMFile` API request parameters.

Uniqueness processor is not complete, see issue #160

- New Uniqueness Processor. New tests include:
  - `HasHashDataTest` - checks to see if a component contains hashes
  - `ValidHashDataTest` - checks to see if a component's hashes are a supported type
  - `AccuratePURLTest` - checks to see if a component's PURL(s) match stored component data
  - `AccurateCPETest` - checks to see if a component's CPE(s) match stored component data

Completeness processor is not complete, see issue #159

- Several fields added to `Component`:
  - `group` - The group of the component, found either in the PURL or the CycloneDX component itself.
  - `downloadLocation` - SPDX-only field
  - `filesAnalyzed` - SPDX-only field
  - `verificationCode` - SPDX-only field
  - `extractedLicenses` - SPDX-only field; this is a map from a license ID to its attributes, and contains all extracted licenses found in the component. These licenses are not contained in the normal `licenses` set.
- `SBOM.getName()` method to get the name of the project described by the SBOM.
- New Completeness Processor. New tests include:
  - `ValidCPETest` - checks to see if the CPE is valid
  - `ValidPurlTest` - checks to see if the CPE is valid
- New CPE object for testing
- Updated `TranslatorSPDX` and `TranslatorSPDXTest` to reflect the added translation of the above fields.
- Refactored `EmptyOrNullTest` into `MinElementTest`
- Missing Relationships check
- Temporarily removed `ValidSWIDTest` and `HasRelationshipsTest`
- `TranslatorCDXXML.java`
  - Now creates the SBOM object and top component after components have been parsed
  - Top component defaulting changed to execute upon empty top component data collection
  - `resolveMetadata` now returns before assigning top component data if the top component collection is empty
- Updated the Quick Start guide in README.md.
- Fixed `UTF-8 Not Supported Error` caused by using the `@RequestBody` annotation with a class object.
- `Debug.log()` had an unchecked cast to `Exception`; this was fixed by checking the type.
- Added test file `cdxgen-8.4.6-source.json`.
- Added test data entry for the Authors of the metadata in the downloaded file above.
- Stringify the `authors` object in `TranslatorCDXJSON.java`.
- Modified `TranslatorCDXJSONTest` to run the newly added test source file `cdxgen-8.4.6-source.json`.
- `Debug` class from SVIP; replaced (most) system calls with it to improve the verbosity of our output.
- `TranslatorException` class to catch translator errors at the top level.
  - This allows error handling at the API level with a simple failure message.
- `TranslatorSPDX` now uses regex and string manipulation to parse an SPDX tag-value file instead of attempting to read it line by line.
- `TranslatorCDXJSONTest` now adds UIDs to each component only if they are not null.
- `Component` construction was changed to only use the constructor with `name`, `version`, and `publisher` attributes.
- Most translator error logs now throw a `TranslatorException`
- Removed `PURL` class usage from `Component` and replaced it with a simple string. The `PURL` class should now only be used in metric tests.
- Tests in `TranslatorCDXJSONTest`, `TranslatorCDXXMLTest`, and `TranslatorSPDXTest` to check for null UIDs in all translated components and ensure correct processing of SBOMs with no metadata.
- `TranslatorSPDX` now has the capability to read in multiple external licenses. See the specification for details.
- New License processor. New tests include:
  - `HasLicenseDataTest` - checks to see if a component has license data
  - `ValidSPDXLicenseTest` - validates SPDX licensing information
    - Checks to see if the SPDX License Name/ID is valid and if it's deprecated
- `TranslatorPlugfest` now checks for key tokens in file contents as well as the file extension to determine the translator to use.
- `TranslatorCDXJSONTest` now adds UIDs to each component only if they are not null.
- `Component` construction was changed to only use the constructor with `name`, `version`, and `publisher` attributes.
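The detection rule in the `TranslatorPlugfest` entry above (file extension plus key tokens in the contents), combined with the `TranslatorCDXJSON` rule near the top of this file that rejects non-CycloneDX JSON with a descriptive error, as an added stand-alone Python example rather than Plugfest's own translator driver. The token strings (`"bomFormat": "CycloneDX"`, a `<bom` root carrying the cyclonedx.org namespace, a leading `SPDXVersion:` tag) are assumptions taken from the formats themselves, and `TranslatorException` only mirrors the class name used in this changelog.

```python
import json

# Added example, not Plugfest's TranslatorPlugfest: chooses a translator from the
# file extension plus key tokens in the contents, and rejects SPDX JSON/XML with a
# descriptive error. Token strings are assumptions taken from the formats.
class TranslatorException(Exception):
    """Top-level translator failure carrying a descriptive message."""

def select_translator(filename, contents):
    """Return 'CDX_JSON', 'CDX_XML' or 'SPDX_TAGVALUE', else raise TranslatorException."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    head = contents.lstrip()
    if ext == "json" or head.startswith("{"):
        try:
            doc = json.loads(contents)
        except json.JSONDecodeError as e:
            raise TranslatorException(f"{filename}: not valid JSON ({e.msg} at line {e.lineno})")
        if isinstance(doc, dict) and doc.get("bomFormat") == "CycloneDX":
            return "CDX_JSON"
        if isinstance(doc, dict) and "spdxVersion" in doc:
            # Recognised only so the caller gets a clear message instead of a parse failure
            raise TranslatorException(f"{filename}: SPDX JSON is not a supported translator input")
        raise TranslatorException(f"{filename}: JSON document is not a CycloneDX BOM (no bomFormat)")
    if ext == "xml" or head.startswith("<"):
        if "<bom" in head and "cyclonedx.org" in head:
            return "CDX_XML"
        if "<spdx" in head.lower():
            raise TranslatorException(f"{filename}: SPDX XML is not a supported translator input")
        raise TranslatorException(f"{filename}: XML document is not a CycloneDX BOM")
    if ext == "spdx" or head.startswith("SPDXVersion:"):
        if "SPDXVersion:" in head:
            return "SPDX_TAGVALUE"
        raise TranslatorException(f"{filename}: .spdx file has no SPDXVersion tag")
    raise TranslatorException(f"{filename}: unrecognised SBOM format")

def translator_or_error(filename, contents):
    """Non-raising wrapper: (translator, None) on success, (None, message) on failure."""
    try:
        return select_translator(filename, contents), None
    except TranslatorException as e:
        return None, str(e)

# Constructed sample inputs, one per branch
CDX_JSON = '{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []}'
SPDX_JSON = '{"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "packages": []}'
CDX_XML = '<?xml version="1.0"?><bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1"/>'
SPDX_TAGVALUE = "SPDXVersion: SPDX-2.3\nDataLicense: CC0-1.0\n"
```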
- New QA Refactor
  - Unified Metric testing process
  - `UniquenessProcessor` - Collection of tests for checking a component's UIDs (hashes, PURLs, etc.)
    - `HasHashDataTest` - Test if a component has any hash values and the number of hashes if present
    - `ValidTestDataTest` - Test hashes to see if they match a valid hash schema
    - `AccuratePURLTest` - Test a component's PURL(s) to see if their data matches the component's stored data
  - `RegisteredProcessor` - Collection of tests for checking if components are registered in their package manager
    - `IsRegisteredTest` - Using a component's PURL(s), check if the package is registered with its package manager
- Add `dev` launcher that launches just the front end.
- When an internal failure occurs, translators throw a top-level `TranslatorException` which contains information regarding the specific error
- `/compare` tests are implemented that check for user input that will produce an `HttpStatus.BAD_REQUEST` response
- `DiffReport` is now a more JSON-friendly object
- Consolidated `Comparer`, `Comparison`, and `ComponentVersion`
- Consolidated `Utils.java`; it now holds the `SBOMFile` class
- Consolidated SBOM object and removed redundant classes
- New QA Refactor
  - Unified Metric testing process
  - `CompletenessProcesser` - Collection of tests for checking for SBOM content
    - `NullOrEmptyTest` - Test if a field is `null` or an empty string
- Modified API Plugfest endpoints to use the HTTP body for data
- Removed stateful `QAPipeline`
  - Removed old QAPipeline and all previously existing Processors/Metrics
  - See issue #92
- Updated PURL object to have more robust fields and utility

TODO: Add `dev` launcher that launches just the front end. See issue #118

- Frontend launches backend and kills the process on exit
- Removed full file path from upload screen
- Allow marking of components as appearing in target SBOM
- Added individual loading spinners for each uploaded SBOM in GUI
- Fixed API bug preventing non-ASCII characters from being processed during request
- Fix bug causing formatting issues with the data verification test
- Added support for non-ASCII characters when pulling from package manager databases
- Display which SBOM an identifier or quality came from in GUI
- Remove all empty tests to prevent duplicated component lists
- Fix Comparison bug that showed duplicate UIDs in the comparison report
- Translators support translating from a file's contents without needing the file on the system
- Opened an API endpoint for QualityReport generating
- Opened an API endpoint for ComparisonReport generating
- Report objects can now be Jacksonized and sent to frontend
- Comparison now maintains the list of SBOMs in which a quality appeared
- Reformatted project into API and Core
- General documentation and cleanup
- Hotfix to allow translating SBOMs that have non-ASCII characters
- Build a comparison report object to send to the frontend which will compare a list of SBOMs to some target SBOM
- Built a comparison function which generates the report from a target SBOM and list of SBOMs
- Built a new metrics object to send to frontend for displaying SBOM quality
- Added an `ActionableTest` to preliminarily check if an SBOM is actionable
- Created sidebar and component display for SBOM differences with mockup data.
- Added documentation for `TimelinessTest`
- `TimelinessTest` now checks to see if version numbers and publishers match the resource (package manager database)
- Added `changelog.md` to track weekly changes to the project
- Added `README.md` to hold usage instructions and project breakdown
- Removed quality metrics from the SBOM class
- Added `PURL` class to allow for easier PURL parsing
- Differ
  - Add support for comparing across SBOM formats
- Metrics
  - Developed QA Pipeline structure from start to finish
    - Developed several custom metrics
      - `ContextualProcessor`
        - `CompletenessTest`
        - `AppropriateAmountTest`
        - `RelevancyTest`
    - Implement `Test` and `TestResults` to standardize test results returned from metrics
      - All metrics are now run on one component at a time for a more informative per-component output
    - Integrated several OS metrics
      - `SPDXProcessor`
      - `CDXProcessor`
- SBOM
  - Add supplier information to SBOMs to store the manufacturer of the software
- Created a new Translator package that can now be integrated into Plugfest
  - Includes CDX Translator, SPDX Translator, SVIP Translator Driver, PlugFest Translator Driver
- Created wireframe GUI for Plugfest
- Differ
  - Rewrite the line-by-line system to digest SBOM data into an object for comparison
  - Differ now does not display differences for differently ordered components
  - Use the SVIP SBOM and SVIP Translators to find differences in SBOMs
- SBOM
  - Replace the SBOM object with the SBOM object from SVIP
  - Represent SBOM information agnostically rather than in a specified format
- Translators
  - Translators have received a slight rework.
  - Integrated Google's Multimap in place of Glassfish.
  - Now more accurately extracts data from SBOMs.