
feat: Implement dependency review and dependency submission APIs #2932

Merged 1 commit into octokit:main on Jun 14, 2024

Conversation

awedist
Contributor

@awedist awedist commented Jun 13, 2024

Relates to #2825


Before the change?

Octokit did not support the Dependency Graph APIs.

After the change?

  • Ability to request dependency diffs between two commits.
  • Ability to create a dependency snapshot for a given repository.
  • Ability to request a Software Bill of Materials for a given repository.

I could not implement the SBOM functionality because the SBOM GitHub API provides a JSON where the keys are in camel case.
If there is a way to configure the deserializer to accept camel case, please let me know.

Pull request checklist

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

Please see our docs on breaking changes to help!

  • Yes
  • No

@nickfloyd
Contributor

Hey @awedist Thank you for the changes here ❤️ . The SPDX format and the rigidity of how serialization has been implemented will make things a bit more challenging here. We'll need to look to see if the model properties can be annotated to cover the SBOM APIs - I'm pretty sure we could implement a custom naming strategy for the serializer to be able to use or add serializer options. We'd most likely have to modify the implementation in SimpleJson.cs.

I'll approve and merge this in as is and we can revisit the other API once we've taken some time to look.

@nickfloyd nickfloyd changed the title Implement dependency review and dependency submission APIs feat: Implement dependency review and dependency submission APIs Jun 14, 2024
@nickfloyd nickfloyd added the Type: Feature New feature or request label Jun 14, 2024
@nickfloyd nickfloyd merged commit 7d54cb0 into octokit:main Jun 14, 2024
6 checks passed
@raduorban

Hi all. I am using Octokit.net in a project atm, great job all by the way :) .
I needed the SBOM feature, so until it is available in Octokit I made a quick implementation for it on top of Octokit. Had the same issue with the JSON, solved it with annotations.
I generated the SBOM .NET classes from the JSON schema (https://docs.github.com/en/rest/dependency-graph/sboms?apiVersion=2022-11-28) using https://quicktype.io/csharp. The resulting classes look like below:

using Newtonsoft.Json;

public partial class Package
{
    /// <summary>
    /// The copyright holders of the package, and any dates present with those notices, if
    /// available.
    /// </summary>
    [JsonProperty("copyrightText", NullValueHandling = NullValueHandling.Ignore)]
    public string CopyrightText { get; set; }

    /// <summary>
    /// The location where the package can be downloaded,
    /// or NOASSERTION if this has not been determined.
    /// </summary>
    [JsonProperty("downloadLocation", NullValueHandling = NullValueHandling.Ignore)]
    public string DownloadLocation { get; set; }

    [JsonProperty("externalRefs", NullValueHandling = NullValueHandling.Ignore)]
    public ExternalRef[] ExternalRefs { get; set; }

    /// <summary>
    /// Whether the package's file content has been subjected to
    /// analysis during the creation of the SPDX document.
    /// </summary>
    [JsonProperty("filesAnalyzed", NullValueHandling = NullValueHandling.Ignore)]
    public bool? FilesAnalyzed { get; set; }

    /// <summary>
    /// The license of the package as determined while creating the SPDX document.
    /// </summary>
    [JsonProperty("licenseConcluded", NullValueHandling = NullValueHandling.Ignore)]
    public string LicenseConcluded { get; set; }

    /// <summary>
    /// The license of the package as declared by its author, or NOASSERTION if this information
    /// was not available when the SPDX document was created.
    /// </summary>
    [JsonProperty("licenseDeclared", NullValueHandling = NullValueHandling.Ignore)]
    public string LicenseDeclared { get; set; }

    /// <summary>
    /// The name of the package.
    /// </summary>
    [JsonProperty("name", NullValueHandling = NullValueHandling.Ignore)]
    public string Name { get; set; }

    /// <summary>
    /// A unique SPDX identifier for the package.
    /// </summary>
    [JsonProperty("SPDXID", NullValueHandling = NullValueHandling.Ignore)]
    public string Spdxid { get; set; }

    /// <summary>
    /// The distribution source of this package, or NOASSERTION if this was not determined.
    /// </summary>
    [JsonProperty("supplier", NullValueHandling = NullValueHandling.Ignore)]
    public string Supplier { get; set; }

    /// <summary>
    /// The version of the package. If the package does not have an exact version specified,
    /// a version range is given.
    /// </summary>
    [JsonProperty("versionInfo", NullValueHandling = NullValueHandling.Ignore)]
    public string VersionInfo { get; set; }
}

Using Newtonsoft (JsonConvert.DeserializeObject(sbomJson)) produces a correct deserialization.
Hope it helps :)
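As an added, self-contained example (not Octokit.net code and not part of the comment above), the following program deserialises a GitHub SBOM response with the same camelCase JsonProperty annotations and then does what a consumer of the SBOM usually wants next: pull out the package URLs (the key used to match packages against advisories and dependency-review results) and list packages whose version or licence is NOASSERTION, which cannot be assessed. The JSON sample is constructed, and the top-level {"sbom": {...}} wrapper and the ExternalRef field names are assumptions taken from the SPDX layout rather than from this page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Newtonsoft.Json;

// Assumed response shape: the SPDX document sits under a top-level "sbom" key.
public class SbomResponse
{
    [JsonProperty("sbom")] public SpdxDocument Sbom { get; set; }
}

public class SpdxDocument
{
    [JsonProperty("SPDXID")] public string Spdxid { get; set; }
    [JsonProperty("spdxVersion")] public string SpdxVersion { get; set; }
    [JsonProperty("name")] public string Name { get; set; }
    [JsonProperty("packages", NullValueHandling = NullValueHandling.Ignore)]
    public List<Package> Packages { get; set; } = new List<Package>();
}

// Same camelCase annotations as the generated class above; trimmed to the fields audited here.
public class Package
{
    [JsonProperty("SPDXID")] public string Spdxid { get; set; }
    [JsonProperty("name")] public string Name { get; set; }
    [JsonProperty("versionInfo")] public string VersionInfo { get; set; }
    [JsonProperty("downloadLocation")] public string DownloadLocation { get; set; }
    [JsonProperty("licenseConcluded")] public string LicenseConcluded { get; set; }
    [JsonProperty("licenseDeclared")] public string LicenseDeclared { get; set; }
    [JsonProperty("externalRefs", NullValueHandling = NullValueHandling.Ignore)]
    public List<ExternalRef> ExternalRefs { get; set; } = new List<ExternalRef>();
}

// SPDX external reference (assumed field names); referenceType "purl" carries the package URL.
public class ExternalRef
{
    [JsonProperty("referenceCategory")] public string ReferenceCategory { get; set; }
    [JsonProperty("referenceType")] public string ReferenceType { get; set; }
    [JsonProperty("referenceLocator")] public string ReferenceLocator { get; set; }
}

public static class SbomAudit
{
    // Constructed sample: one fully described package, one that is all NOASSERTION.
    public const string SampleJson = @"{
      ""sbom"": {
        ""SPDXID"": ""SPDXRef-DOCUMENT"",
        ""spdxVersion"": ""SPDX-2.3"",
        ""name"": ""com.github.example/sample-repo"",
        ""packages"": [
          { ""SPDXID"": ""SPDXRef-npm-lodash-4.17.21"", ""name"": ""npm:lodash"",
            ""versionInfo"": ""4.17.21"", ""downloadLocation"": ""NOASSERTION"",
            ""licenseConcluded"": ""MIT"", ""licenseDeclared"": ""MIT"",
            ""externalRefs"": [ { ""referenceCategory"": ""PACKAGE-MANAGER"",
                                  ""referenceType"": ""purl"",
                                  ""referenceLocator"": ""pkg:npm/lodash@4.17.21"" } ] },
          { ""SPDXID"": ""SPDXRef-unknown-lib"", ""name"": ""unknown-lib"",
            ""versionInfo"": ""NOASSERTION"", ""downloadLocation"": ""NOASSERTION"",
            ""licenseConcluded"": ""NOASSERTION"", ""licenseDeclared"": ""NOASSERTION"" }
        ]
      }
    }";

    // Newtonsoft honours the [JsonProperty] names, so the camelCase keys map cleanly.
    public static SpdxDocument Parse(string json) =>
        JsonConvert.DeserializeObject<SbomResponse>(json).Sbom;

    // Package URLs are the stable identifiers for advisory matching and dependency review.
    public static IEnumerable<string> PackageUrls(SpdxDocument doc) =>
        doc.Packages
           .SelectMany(p => p.ExternalRefs)
           .Where(r => r.ReferenceType == "purl")
           .Select(r => r.ReferenceLocator);

    // Packages the SBOM cannot vouch for: no purl, or version/licence left as NOASSERTION.
    public static IEnumerable<string> Gaps(SpdxDocument doc)
    {
        foreach (var p in doc.Packages)
        {
            if (!p.ExternalRefs.Any(r => r.ReferenceType == "purl"))
                yield return $"{p.Name}: no purl, cannot be matched to advisories";
            if (p.VersionInfo == "NOASSERTION")
                yield return $"{p.Name}: version not asserted";
            if (p.LicenseConcluded == "NOASSERTION" && p.LicenseDeclared == "NOASSERTION")
                yield return $"{p.Name}: licence unknown";
        }
    }

    public static void Main()
    {
        var doc = Parse(SampleJson);
        Console.WriteLine($"{doc.Name} ({doc.SpdxVersion}): {doc.Packages.Count} packages");
        foreach (var purl in PackageUrls(doc)) Console.WriteLine("purl: " + purl);
        foreach (var gap in Gaps(doc)) Console.WriteLine("gap:  " + gap);
    }
}
```

On the constructed sample this reports one purl (pkg:npm/lodash@4.17.21) and three gaps, all for unknown-lib. Treating NOASSERTION as a finding rather than a blank is the point: an SBOM entry that asserts nothing about version or licence gives no basis for a vulnerability or licence decision, so it should surface in the audit rather than silently pass.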

Labels
Type: Feature New feature or request

3 participants