Merge branch 'feat/manifest_check_v5.1' into 'release/v5.1'

feat: use esp-idf-sbom pre-commit plugin (v5.1) See merge request espressif/esp-idf!27749
2025-08-01 03:34:32 +02:00 · 2023-12-08 16:55:54 +08:00
parent ffeb545260 db25ec2a37
commit bcf1645e44
5 changed files with 4 additions and 105 deletions
--- a/.gitlab/ci/host-test.yml
+++ b/.gitlab/ci/host-test.yml
@@ -223,14 +223,6 @@ test_mkuf2:
    - cd ${IDF_PATH}/tools/test_mkuf2
    - ./test_mkuf2.py

-test_sbom:
-  extends:
-    - .host_test_template
-    - .rules:patterns:sbom
-  script:
-    - cd ${IDF_PATH}/tools/test_sbom
-    - pytest
-
 test_autocomplete:
  extends:
    - .host_test_template
--- a/.gitlab/ci/rules.yml
+++ b/.gitlab/ci/rules.yml
@@ -54,9 +54,6 @@
  - "tools/ci/ci_build_apps.py"
  - "tools/test_build_system/**/*"

-.patterns-sbom: &patterns-sbom
-  - "tools/test_sbom/*"
-
 .patterns-custom_test: &patterns-custom_test
  - "tools/ci/python_packages/gitlab_api.py"
  - "tools/ci/python_packages/tiny_test_fw/**/*"
@@ -427,14 +424,6 @@
    - <<: *if-dev-push
      changes: *patterns-sonarqube-files

-.rules:patterns:sbom:
-  rules:
-    - <<: *if-protected
-    - <<: *if-dev-push
-      changes: *patterns-sbom
-    - <<: *if-dev-push
-      changes: *patterns-submodule
-
 # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 # DO NOT place comments or maintain any code from this line
 #
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -162,3 +162,7 @@ repos:
    hooks:
      - id: check-copyright
        args: ['--ignore', 'tools/ci/check_copyright_ignore.txt', '--config', 'tools/ci/check_copyright_config.yaml']
+  - repo: https://github.com/espressif/esp-idf-sbom.git
+    rev: v0.11.0
+    hooks:
+      - id: validate-sbom-manifest
--- a/tools/test_sbom/pytest.ini
+++ b/tools/test_sbom/pytest.ini
@@ -1,12 +0,0 @@
-[pytest]
-addopts = -s -p no:pytest_embedded
-
-# log related
-log_cli = True
-log_cli_level = INFO
-log_cli_format = %(asctime)s %(levelname)s %(message)s
-log_cli_date_format = %Y-%m-%d %H:%M:%S
-
-## log all to `system-out` when case fail
-junit_logging = stdout
-junit_log_passing_tests = False
--- a/tools/test_sbom/test_submodules.py
+++ b/tools/test_sbom/test_submodules.py
@@ -1,74 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
-# SPDX-License-Identifier: Apache-2.0
-import os
-from subprocess import run
-from typing import Dict, List
-
-
-def run_cmd(cmd: List[str]) -> str:
-    """Simple helper to run command and return it's stdout."""
-    proc = run(cmd, capture_output=True, check=True, text=True)
-    return proc.stdout.strip()
-
-
-def get_gitwdir() -> str:
-    """Return absolute path to the current git working tree."""
-    return run_cmd(['git', 'rev-parse', '--show-toplevel'])
-
-
-def get_submodules_config() -> Dict[str,Dict[str,str]]:
-    """Return dictionary, where key is submodule name and value
-    is a dictionary with variable:value pairs."""
-    gitmodules_fn = os.path.join(get_gitwdir(), '.gitmodules')
-    gitmodules_data = run_cmd(['git', 'config', '--list', '--file', gitmodules_fn])
-    prefix = 'submodule.'
-    config: Dict[str, Dict[str,str]] = {}
-    for line in gitmodules_data.splitlines():
-        if not line.startswith(prefix):
-            continue
-        splitted = line.split('=', maxsplit=1)
-        if len(splitted) != 2:
-            continue
-        section, val = splitted
-        # remove "submodule." prefix
-        section = section[len(prefix):]
-        # split section into module name and variable
-        splitted = section.rsplit('.', maxsplit=1)
-        if len(splitted) != 2:
-            continue
-        module_name, var = splitted
-        if module_name not in config:
-            config[module_name] = {}
-        config[module_name][var] = val
-
-    return config
-
-
-def test_sha() -> None:
-    """ Check that submodule SHA in git-tree and .gitmodules match
-    if sbom-hash variable is available in the .gitmodules file.
-    """
-    submodules = get_submodules_config()
-
-    for name, variables in submodules.items():
-        sbom_hash = variables.get('sbom-hash')
-        if not sbom_hash:
-            continue
-        module_path = variables.get('path')
-        if not module_path:
-            continue
-        output = run_cmd(['git', 'ls-tree', 'HEAD', module_path])
-        if not output:
-            continue
-        module_hash = output.split()[2]
-        msg = (f'Submodule \"{name}\" SHA \"{module_hash}\" in git '
-               f'tree does not match SHA \"{sbom_hash}\" recorded in .gitmodules. '
-               f'Please update \"sbom-hash\" in .gitmodules for \"{name}\" '
-               f'and also please do not forget to update version and other submodule '
-               f'information if necessary. It is important to keep this information '
-               f'up-to-date for SBOM generation.')
-        assert module_hash == sbom_hash, msg
-
-
-if __name__ == '__main__':
-    test_sha()