
Fix SBOM team permission handling #1499

Merged
merged 3 commits into from
Jan 30, 2025

Conversation

ryanlink (Contributor)

@ryanlink ryanlink commented Jan 26, 2025

Overview

  • Include team information in SBOM analyze metadata
  • Add test coverage for team-scoped permissions
  • Update documentation to clarify team permission behavior

This change allows users with team-scoped permissions to use fossa sbom analyze --team when they are members of the specified team, matching the behavior of fossa analyze --team.

Currently, users with None permissions but Team Admin status are unable to upload SBOM projects to their team.

Acceptance criteria

  • Users without org-level permissions are able to analyze an SBOM using fossa sbom analyze --team [team-name] for any team of which they are a member.

Testing plan

  • [Zach] I built this example locally and tested it. It succeeds.

I spent time investigating how to write tests for this example and unfortunately found that while we do test preflight checks, we aren't able to test at this level of integration. For example, we have tests for AnalyzeChecks, which SBOM analysis uses; however, the issue was that the team argument was omitted. AnalyzeChecks is properly tested; however, I believe that writing a test to prevent this scenario would require a higher-level integration test over the sbom analyze workflow. I am open to ideas here!

Risks

Very low risk. This only impacts pre-flight checks. The worst thing that can happen is that people have to wait ~20 seconds to see an API call fail.

References

ANE-2241: Implement SBOM team analyze preflight check errors

Checklist

  • I added tests for this PR's change (or explained in the PR description why tests don't make sense).
  • If this PR introduced a user-visible change, I added documentation into docs/.
  • If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
  • If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
  • If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
  • If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.

ryan link and others added 3 commits January 25, 2025 21:10
- Include team information in SBOM analyze metadata
- Add test coverage for team-scoped permissions
- Update documentation to clarify team permission behavior

This change allows users with team-scoped permissions to use
fossa sbom analyze --team when they are members of the specified team,
matching the behavior of fossa analyze --team.
@zlav zlav requested a review from csasarak January 30, 2025 00:57
@ryanlink ryanlink marked this pull request as ready for review January 30, 2025 15:39
@ryanlink ryanlink requested a review from a team as a code owner January 30, 2025 15:39
@ryanlink ryanlink requested a review from jssblck January 30, 2025 15:39
@ryanlink ryanlink merged commit c029a41 into master Jan 30, 2025
18 of 19 checks passed
@ryanlink ryanlink deleted the fix/sbom-team-permissions branch January 30, 2025 16:19