
Commit 3857313

aclark4lifeCopilot
andcommitted
Track raqm vendored modifications in SBOM pedigree
The vendored raqm files are from v0.10.3 (not v0.10.5 as previously stated) and contain two Pillow-specific modifications. Document these via the CycloneDX pedigree field as requested in the review: - Correct version: 0.10.3 (raqm-version.h says 0.10.3; raqm.c matches upstream 0.10.3 + one local patch) - Add pedigree.ancestors pointing to the upstream v0.10.3 release - Add two pedigree.patches with base64-encoded unified diffs: 1. type=generated: raqm-version.h.in pre-processed into raqm-version.h (template placeholders replaced with literal 0.10.3 values) 2. type=unofficial: raqm.c wrapped the <fribidi.h> include in an #ifdef HAVE_FRIBIDI_SYSTEM guard to support Pillow's fribidi-shim - Update notes to accurately describe both modifications - Update all bom-ref/purl/dependsOn references from 0.10.5 to 0.10.3 Addresses: https://cyclonedx.org/use-cases/pedigree/ Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent ad0debe commit 3857313

1 file changed

Lines changed: 77 additions & 7 deletions


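--- a/.github/generate-sbom.py
+++ b/.github/generate-sbom.py
@@ -79,28 +79,98 @@ def generate(version: str) -> dict:
 
 vendored_components = [
 {
-"bom-ref": "pkg:github/HOST-Oman/libraqm@0.10.5",
+"bom-ref": "pkg:github/HOST-Oman/libraqm@0.10.3",
 "type": "library",
 "name": "raqm",
-"version": "0.10.5",
+"version": "0.10.3",
 "description": "Complex text layout library "
 "(vendored in src/thirdparty/raqm/)",
 "licenses": [{"license": {"id": "MIT"}}],
-"purl": "pkg:github/HOST-Oman/libraqm@0.10.5",
+"purl": "pkg:github/HOST-Oman/libraqm@0.10.3",
 "hashes": [
 {
 "alg": "SHA-256",
 "content": sha256_file(thirdparty / "raqm" / "raqm.c"),
 }
 ],
 "pedigree": {
-"notes": "Vendored unmodified from upstream HOST-Oman/libraqm v0.10.5."
+"ancestors": [
+{
+"bom-ref": "pkg:github/HOST-Oman/libraqm@0.10.3#upstream",
+"type": "library",
+"name": "raqm",
+"version": "0.10.3",
+"purl": "pkg:github/HOST-Oman/libraqm@0.10.3",
+"externalReferences": [
+{
+"type": "distribution",
+"url": "https://github.com/HOST-Oman/libraqm/releases/tag/v0.10.3",
+}
+],
+}
+],
+"patches": [
+{
+"type": "generated",
+"diff": {
+"text": {
+# raqm-version.h.in → raqm-version.h:
+# template @RAQM_VERSION_*@ placeholders replaced
+# with literal 0.10.3 values; filename changed to
+# drop the .in suffix; minor indentation fix.
+"content": (
+"LS0tIGEvc3JjL3JhcW0tdmVyc2lvbi5oLmluCisrKyBiL3NyYy9yYXFtLXZlcnNpb24uaApAQCAt"
+"MzEsMTQgKzMxLDE0IEBACiAjaWZuZGVmIF9SQVFNX1ZFUlNJT05fSF8KICNkZWZpbmUgX1JBUU"
+"1fVkVSU0lPTl9IXwogCi0jZGVmaW5lIFJBUU1fVkVSU0lPTl9NQUpPUiBAUkFRTV9WRVJTSU9O"
+"X01BSk9SQAotI2RlZmluZSBSQVFNX1ZFUlNJT05fTUlOT1IgQFJBUU1fVkVSU0lPTl9NSU5PUkAK"
+"LSNkZWZpbmUgUkFRTV9WRVJTSU9OX01JQ1JPIEBSQVFNX1ZFUlNJT05fTUlDUk9ACisjZGVmaW5l"
+"IFJBUU1fVkVSU0lPTl9NQUpPUiAwCisjZGVmaW5lIFJBUU1fVkVSU0lPTl9NSU5PUiAxMAorI2Rl"
+"ZmluZSBSQVFNX1ZFUlNJT05fTUlDUk8gMwogCi0jZGVmaW5lIFJBUU1fVkVSU0lPTl9TVFJJTkcg"
+"IkBSQVFNX1ZFUlNJT05AIgorI2RlZmluZSBSQVFNX1ZFUlNJT05fU1RSSU5HICIwLjEwLjMiCiAK"
+"ICNkZWZpbmUgUkFRTV9WRVJTSU9OX0FUTEVBU1QobWFqb3IsbWlub3IsbWljcm8pIFwKLSgobWFq"
+"b3IpKjEwMDAwKyhtaW5vcikqMTAwKyhtaWNybykgPD0gXAotIFJBUU1fVkVSU0lPTl9NQUpPUiox"
+"MDAwMCtSQVFNX1ZFUlNJT05fTUlOT1IqMTAwK1JBUU1fVkVSU0lPTl9NSUNSTykKKyAgICAoKG1h"
+"am9yKSoxMDAwMCsobWlub3IpKjEwMCsobWljcm8pIDw9IFwKKyAgICAgUkFRTV9WRVJTSU9OX01B"
+"Sk9SKjEwMDAwK1JBUU1fVkVSU0lPTl9NSU5PUioxMDArUkFRTV9WRVJTSU9OX01JQ1JPKQogCiAj"
+"ZW5kaWYgLyogX1JBUU1fVkVSU0lPTl9IXyAqLwo="
+),
+"encoding": "base64",
+}
+},
+},
+{
+"type": "unofficial",
+"diff": {
+"text": {
+# raqm.c: wrap the <fribidi.h> include in an
+# #ifdef HAVE_FRIBIDI_SYSTEM guard so that when
+# building without a system FriBiDi Pillow's own
+# fribidi-shim is used instead.
+"content": (
+"LS0tIGEvc3JjL3JhcW0uYworKysgYi9zcmMvcmFxbS5jCkBAIC0zNiw3ICszNiwxMSBAQAogI2lu"
+"Y2x1ZGUgPFNoZWVuQmlkaS5oPgogI2VuZGlmCiAjZWxzZQorI2lmZGVmIEhBVkVfRlJJQklESV9T"
+"WVNURU0KICNpbmNsdWRlIDxmcmliaWRpLmg+CisjZWxzZQorI2luY2x1ZGUgIi4uL2ZyaWJpZGkt"
+"c2hpbS9mcmliaWRpLmgiCisjZW5kaWYKICNlbmRpZgogCiAjaW5jbHVkZSA8aGIuaD4K"
+),
+"encoding": "base64",
+}
+},
+},
+],
+"notes": (
+"Vendored from upstream HOST-Oman/libraqm v0.10.3 with two "
+"Pillow-specific modifications: (1) raqm-version.h.in was "
+"pre-processed into raqm-version.h with version placeholders "
+"replaced by literal values; (2) raqm.c wraps the <fribidi.h> "
+"include in an #ifdef HAVE_FRIBIDI_SYSTEM guard so Pillow's "
+"bundled fribidi-shim is used when a system FriBiDi is absent."
+),
 },
 "externalReferences": [
 {"type": "vcs", "url": "https://github.com/HOST-Oman/libraqm"},
 {
 "type": "distribution",
-"url": "https://github.com/HOST-Oman/libraqm/releases/tag/v0.10.5",
+"url": "https://github.com/HOST-Oman/libraqm/releases/tag/v0.10.3",
 },
 ],
 },
@@ -385,7 +455,7 @@ def generate(version: str) -> dict:
 "ref": f"{purl}#c-ext/PIL._imagingft",
 "dependsOn": [
 "pkg:generic/freetype2",
-"pkg:github/HOST-Oman/libraqm@0.10.5",
+"pkg:github/HOST-Oman/libraqm@0.10.3",
 f"{purl}#thirdparty/fribidi-shim",
 "pkg:generic/harfbuzz",
 "pkg:generic/fribidi",
@@ -408,7 +478,7 @@ def generate(version: str) -> dict:
 "dependsOn": ["pkg:pypi/pybind11"],
 },
 {
-"ref": "pkg:github/HOST-Oman/libraqm@0.10.5",
+"ref": "pkg:github/HOST-Oman/libraqm@0.10.3",
 "dependsOn": [
 f"{purl}#thirdparty/fribidi-shim",
 "pkg:generic/harfbuzz",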
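Review bot: The two pedigree patch `content` values in the first hunk are hand-maintained base64 literals, and nothing in `generate()` compares them with the files actually present in `src/thirdparty/raqm/`, so the SBOM can again silently describe something other than what ships — the `notes` line this commit removes, which claimed an unmodified v0.10.5, is exactly that kind of drift. A cheap guard is to decode each embedded diff at generation time and abort if any of its added lines is missing from the vendored file it describes (sketch below; it assumes `base64` and `pathlib.Path` are available in this module, which the hunk does not show, and that the literals are hoisted to module constants so they can be passed to the check). Separately, the component's `hashes` still cover only `raqm.c`, so the other modified file, `raqm-version.h`, is not integrity-attested anywhere in the SBOM; either hash it as its own component or document in `notes` that the hash covers `raqm.c` alone, and consider giving the `ancestors` entry a `hashes` element so consumers can tie the pedigree to the upstream v0.10.3 release artifact rather than to a tag URL. The `vendored_components` list belongs to `generate()`, whose body starts and ends outside these hunks.

```python
def _check_pedigree_patch(patch_b64: str, vendored: Path) -> None:
    """Abort SBOM generation if an embedded pedigree diff no longer matches the vendored file."""
    diff_lines = base64.b64decode(patch_b64).decode("utf-8").splitlines()
    added = [ln[1:] for ln in diff_lines if ln.startswith("+") and not ln.startswith("+++")]
    present = set(vendored.read_text(encoding="utf-8").splitlines())
    stale = [ln for ln in added if ln not in present]
    if stale:
        raise SystemExit(f"SBOM pedigree for {vendored} is stale; lines not found: {stale!r}")

# … unchanged: generate() up to vendored_components …
    _check_pedigree_patch(RAQM_VERSION_H_PATCH_B64, thirdparty / "raqm" / "raqm-version.h")
    _check_pedigree_patch(RAQM_C_PATCH_B64, thirdparty / "raqm" / "raqm.c")
# … unchanged: vendored_components and the rest of generate() …
```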
