Affirm that correct event is fired for invalid SBOM #363
Comments
I think avoiding loading the SBOM into memory is important, though maybe less so assuming we trust any authenticated user. Perhaps an option would be to rely on the indexer posting 'failed to parse' events, which it currently does, to the sbom-failed topic? The test could then consume from that topic to verify that the invalid document gets the correct treatment.
jcrossley3 added a commit to jcrossley3/trustification that referenced this issue on Aug 11, 2023:
Fixes trustification#363
Signed-off-by: Jim Crossley <[email protected]>
jcrossley3 added a commit to jcrossley3/trustification that referenced this issue on Aug 12, 2023:
Un-ignores the remaining tests relating to trustification#363. The additional tests triggered some "too many open files" errors (due to a low-ish default ulimit of 1024) that can be mitigated by limiting the number of test threads.
Signed-off-by: Jim Crossley <[email protected]>
jcrossley3 added a commit to jcrossley3/trustification that referenced this issue on Aug 14, 2023:
Fixes trustification#363
Signed-off-by: Jim Crossley <[email protected]>
jcrossley3 added a commit to jcrossley3/trustification that referenced this issue on Aug 14, 2023:
Un-ignores the remaining tests relating to trustification#363. The additional tests triggered some "too many open files" errors (due to a low-ish default ulimit of 1024) that can be mitigated by limiting the number of test threads.
Signed-off-by: Jim Crossley <[email protected]>
jcrossley3 added a commit to jcrossley3/trustification that referenced this issue on Aug 15, 2023:
Fixes trustification#363
Signed-off-by: Jim Crossley <[email protected]>
jcrossley3 added a commit to jcrossley3/trustification that referenced this issue on Aug 15, 2023:
Un-ignores the remaining tests relating to trustification#363. The additional tests triggered some "too many open files" errors (due to a low-ish default ulimit of 1024) that can be mitigated by limiting the number of test threads.
Signed-off-by: Jim Crossley <[email protected]>
jcrossley3 added a commit that referenced this issue on Aug 15, 2023:
Fixes #363
Signed-off-by: Jim Crossley <[email protected]>
jcrossley3 added a commit that referenced this issue on Aug 15, 2023:
Un-ignores the remaining tests relating to #363. The additional tests triggered some "too many open files" errors (due to a low-ish default ulimit of 1024) that can be mitigated by limiting the number of test threads.
Signed-off-by: Jim Crossley <[email protected]>
Relevant JIRA ticket: https://issues.redhat.com/browse/TC-385
This issue was closed.
Related to #7
This is a tricky one, because we don't validate the content of the SBOM on the upload. To mitigate the risk of a DoS attack, we avoid loading the entire SBOM into memory -- we stream chunks directly to S3, and the indexer serially loads (and validates, eventually) them once notified that all the chunks have been streamed successfully.
I guess we have to decide if this test is worth the additional code complexity to "peek" at the payload to see if it's small enough to validate. Any thoughts @lulf?
Originally posted by @jcrossley3 in #356 (comment)
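The flow discussed in this thread (chunks streamed to object storage without buffering the whole document on the upload path, an indexer that validates once all chunks have landed and posts a failure event to the sbom-failed topic, and a test that consumes that topic) as an added Rust sketch. This is not trustification's code: the ChunkStore, Bus and Event types, the MAX_VALIDATE_BYTES cap, and the string-matching validate_sbom are assumptions standing in for S3, the real event bus and a real SBOM parser.

```rust
use std::collections::HashMap;

/// Upper bound on how much of an object the indexer will load for validation.
/// An assumed limit for this sketch, not a trustification setting.
const MAX_VALIDATE_BYTES: usize = 1024 * 1024;

/// Stand-in for the object store (S3 in the real system). Chunks are appended
/// as they arrive, so the upload handler never holds a whole document itself.
#[derive(Default)]
pub struct ChunkStore {
    objects: HashMap<String, Vec<u8>>,
}

impl ChunkStore {
    pub fn put_chunk(&mut self, id: &str, chunk: &[u8]) {
        self.objects.entry(id.to_string()).or_default().extend_from_slice(chunk);
    }
    pub fn size(&self, id: &str) -> usize {
        self.objects.get(id).map_or(0, Vec::len)
    }
    pub fn get(&self, id: &str) -> Option<&[u8]> {
        self.objects.get(id).map(Vec::as_slice)
    }
}

/// Events the indexer publishes; the topic names follow the discussion above.
#[derive(Debug, Clone, PartialEq)]
pub enum Event {
    SbomIndexed { id: String },
    SbomFailed { id: String, reason: String },
}

/// Stand-in for the event bus: one in-memory queue per topic.
#[derive(Default)]
pub struct Bus {
    topics: HashMap<&'static str, Vec<Event>>,
}

impl Bus {
    pub fn publish(&mut self, topic: &'static str, event: Event) {
        self.topics.entry(topic).or_default().push(event);
    }
    /// Drains a topic, the way a test consumer would read everything published so far.
    pub fn consume(&mut self, topic: &'static str) -> Vec<Event> {
        self.topics.remove(topic).unwrap_or_default()
    }
}

/// Minimal structural check standing in for a real SBOM parser (assumption):
/// the bytes must be a JSON object that names the CycloneDX or SPDX format.
pub fn validate_sbom(bytes: &[u8]) -> Result<(), String> {
    let text = std::str::from_utf8(bytes).map_err(|e| format!("not UTF-8: {e}"))?;
    let trimmed = text.trim();
    if !(trimmed.starts_with('{') && trimmed.ends_with('}')) {
        return Err("not a JSON object".into());
    }
    if trimmed.contains("\"bomFormat\"") || trimmed.contains("\"spdxVersion\"") {
        Ok(())
    } else {
        Err("neither CycloneDX nor SPDX".into())
    }
}

/// Indexer step, run once the uploader signals that all chunks were stored.
/// Every outcome is reported as an event rather than a synchronous error, which
/// is what lets a test observe how an invalid document was treated.
pub fn index_sbom(store: &ChunkStore, bus: &mut Bus, id: &str) {
    let id_s = id.to_string();
    if store.size(id) > MAX_VALIDATE_BYTES {
        let reason = "too large to validate".into();
        bus.publish("sbom-failed", Event::SbomFailed { id: id_s, reason });
        return;
    }
    match store.get(id).map(validate_sbom) {
        Some(Ok(())) => bus.publish("sbom-indexed", Event::SbomIndexed { id: id_s }),
        Some(Err(reason)) => bus.publish("sbom-failed", Event::SbomFailed { id: id_s, reason }),
        None => bus.publish("sbom-failed", Event::SbomFailed { id: id_s, reason: "no object".into() }),
    }
}

/// Uploads `payload` in `chunk_len` pieces, runs the indexer and returns whatever
/// landed on the sbom-failed topic: the observation the test in the thread makes.
pub fn upload_then_collect_failures(payload: &[u8], chunk_len: usize, id: &str) -> Vec<Event> {
    let mut store = ChunkStore::default();
    let mut bus = Bus::default();
    for chunk in payload.chunks(chunk_len) {
        store.put_chunk(id, chunk);
    }
    index_sbom(&store, &mut bus, id);
    bus.consume("sbom-failed")
}

fn main() {
    // Constructed sample inputs, not real SBOMs.
    let bad = b"this is not an sbom";
    let good = br#"{"bomFormat":"CycloneDX","specVersion":"1.4","components":[]}"#;
    println!("{:?}", upload_then_collect_failures(bad, 4, "sbom-bad"));
    println!("{:?}", upload_then_collect_failures(good, 16, "sbom-good"));
}
```

The size check in index_sbom is the cheap form of the "peek" idea from the issue body: the indexer consults the stored object's size before reading it, so an oversized upload produces a failure event without ever being loaded.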