feat(sbom): conformance scoring wired into SBOM ingest + read API (model 3)#410
Merged
Conversation
…model 3) Wires the conformance scorer (sbom_conformance, merged in #409) into the existing CycloneDX ingest pipeline (#406) and exposes the verdict: - models/sbom_conformance.py + alembic 0033: one sbom_conformance row per ingested scan (scan_id UNIQUE FK CASCADE, denormalised project_id), holding result (pass|warn|fail), n_fail/n_warn, component_count, PURL/license/hash coverage, and the per-check JSONB array. Forward-only. - tasks/ingest_sbom.py: a 'conformance' stage (progress 20) scores the ORIGINAL uploaded bytes and persists the verdict before component persistence. Verdict is advisory — a 'fail' is recorded + surfaced but does NOT abort matching. Persist is delete-then-insert so a Celery acks_late re-entry replaces the row (uq_sbom_conformance_scan_id) — _reset_scan_for_rerun does not touch it. - GET /v1/projects/{project_id}/scans/{scan_id}/conformance (api/v1/sbom.py) + SbomConformanceRead schema. Existence-hide 404 for outsiders; the (scan_id, project_id) predicate rejects cross-project reads. OpenAPI snapshot updated. - Tests: pipeline asserts the verdict row (result/coverage/checks) + a forced re-entry REPLACES it (no dupe). API tests cover the happy read, cross-team 404 (permission-before-state), missing-verdict 404, wrong-project 404. - docs (EN/KO): a 'conformance verdict' section on the SBOM-upload guide — endpoint, pass/warn/fail meaning, thresholds, advisory (non-blocking) note.
![github-code-quality[bot]](https://avatars.githubusercontent.com/u/9919?s=60&v=4){kind=small}
|
|
||
| from alembic import op | ||
|
|
||
| revision: str = "0033" |
| from alembic import op | ||
|
|
||
| revision: str = "0033" | ||
| down_revision: str | None = "0032" |
|
|
||
| revision: str = "0033" | ||
| down_revision: str | None = "0032" | ||
| branch_labels: str | Sequence[str] | None = None |
| revision: str = "0033" | ||
| down_revision: str | None = "0032" | ||
| branch_labels: str | Sequence[str] | None = None | ||
| depends_on: str | Sequence[str] | None = None |
This was referenced Jun 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
모델 3 (받은 SBOM) — conformance 채점·저장·노출
#409에서 머지된 conformance 채점기(
services/sbom_conformance.py)를 #406이 만든 기존 CycloneDX 인제스트 파이프라인에 배선하고, 결과를 저장·노출한다. (동시 세션이 CycloneDX 업로드 배관을 이미 끝냈으므로, 이 PR은 빠져 있던 "품질 검증" 조각을 채운다.)포함
sbom_conformance테이블. 인제스트 스캔당 1행(scan_idUNIQUE FK CASCADE + denormalizedproject_id):result(pass·warn·fail),n_fail/n_warn,component_count, PURL·라이선스·해시 커버리지, 체크별 JSONB 배열. forward-only.tasks/ingest_sbom.py—conformance스테이지(진행률 20)가 원본 업로드 바이트를 채점해 컴포넌트 적재 전에 결과를 저장. 등급은 자문(advisory) —fail이어도 기록·노출만 하고 매칭을 중단하지 않음. persist는 delete-then-insert라 Celeryacks_late재진입 시 행을 교체(_reset_scan_for_rerun는 이 테이블을 건드리지 않음).GET /v1/projects/{project_id}/scans/{scan_id}/conformance+SbomConformanceRead스키마. 외부인 404 존재은닉,(scan_id, project_id)술어로 교차 프로젝트 읽기 차단. OpenAPI 스냅샷 갱신.검증
남은 모델 3