
Enhance SBOM handling with new types, resolvers, and tests #439

Open: ybelMekk wants to merge 19 commits into main from feat/sbom-status

@ybelMekk
Contributor

A new GraphQL type for SBOM (Software Bill of Materials) metadata on container images, providing detailed SBOM pipeline status and processing information. The changes add a new sbom field to the ContainerImage type, deprecate the previous hasSBOM Boolean in favor of this richer status, and update the schema, resolvers, and integration tests accordingly.

GraphQL Schema and API Changes

  • Added a new ContainerImageSBOM type with fields id, status, and processingStartedAt, and a new SBOMStatus enum to represent SBOM pipeline states (PROCESSING, READY, NO_SBOM, FAILED). The sbom field is now available on ContainerImage and returns this type, replacing the old hasSBOM Boolean (now deprecated).
  • Marked the hasSBOM field as deprecated on both ContainerImage and WorkloadVulnerabilitySummary, instructing clients to use the new sbom.status field instead.

Resolver and Backend Implementation

  • Added new resolver interfaces and implementations for the ContainerImageSBOM type and its fields, including wiring up complexity and field resolution logic in the generated backend code.

Integration Tests

  • Updated integration tests to query the new sbom field and check for the correct SBOM status in test responses, ensuring the new API contract is exercised.

Dependency Updates

  • Updated the dependency on github.com/nais/v13s/pkg/api to a newer version in go.mod.
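
How a consumer of the new sbom field might turn the four SBOMStatus values and processingStartedAt into a gate decision, which a two-valued hasSBOM Boolean cannot express. This is an added example, not code from this PR or the project; the Verdict type, the Evaluate function and the maxProcessing timeout are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// SBOMStatus mirrors the enum values named in the PR description.
type SBOMStatus string

const (
	StatusProcessing SBOMStatus = "PROCESSING"
	StatusReady      SBOMStatus = "READY"
	StatusNoSBOM     SBOMStatus = "NO_SBOM"
	StatusFailed     SBOMStatus = "FAILED"
)

// Verdict is a hypothetical consumer-side outcome; it is not part of the PR.
type Verdict string

const Pass, Pending, Block Verdict = "pass", "pending", "block"

// Evaluate maps sbom.status and sbom.processingStartedAt to a gate verdict.
// maxProcessing is an assumed timeout after which PROCESSING counts as stuck.
// Unknown or empty statuses fail closed.
func Evaluate(status SBOMStatus, startedAt *time.Time, now time.Time, maxProcessing time.Duration) (Verdict, string) {
	switch status {
	case StatusReady:
		return Pass, "SBOM available"
	case StatusNoSBOM:
		return Block, "image has no SBOM"
	case StatusFailed:
		return Block, "SBOM pipeline failed"
	case StatusProcessing:
		if startedAt == nil || now.Sub(*startedAt) > maxProcessing {
			return Block, "processing has no start time or exceeded the timeout"
		}
		return Pending, "SBOM still processing"
	default:
		return Block, fmt.Sprintf("unknown status %q", status)
	}
}

func main() {
	now := time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC) // constructed sample time
	started := now.Add(-3 * time.Hour)
	fmt.Println(Evaluate(StatusProcessing, &started, now, time.Hour))
}
```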

Contributor

Copilot AI left a comment

Pull request overview

This PR enhances the vulnerability/SBOM GraphQL API by introducing a richer SBOM model on ContainerImage (status + processing timestamp), deprecating the legacy hasSBOM boolean, and wiring the new types through resolvers plus integration test updates.

Changes:

  • Add ContainerImage.sbom (new ContainerImageSBOM node + SBOMStatus enum) and deprecate hasSBOM usages in the schema.
  • Introduce SBOM status/started-at resolver functions backed by a request-scoped dataloader for image summary fetching.
  • Update fakes, issue checker logic, generated GraphQL code, and integration tests; bump github.com/nais/v13s/pkg/api.

Reviewed changes

Copilot reviewed 11 out of 16 changed files in this pull request and generated 4 comments.

| File | Description |
|---|---|
| internal/vulnerability/transform.go | Adjusts workload summary transformation (now conditionally builds vulnerability summary). |
| internal/vulnerability/queries.go | Routes v13s calls through new loader context; adds SBOM status and processing-start accessors. |
| internal/vulnerability/node.go | Registers ContainerImageSBOM as a Node type and provides ident parsing/lookup. |
| internal/vulnerability/models.go | Adds ContainerImageSBOM model and introduces SBOMStatus GraphQL enum plumbing. |
| internal/vulnerability/fake/v13s.go | Extends fake v13s responses with SBOM status info. |
| internal/vulnerability/dataloader.go | Introduces request-scoped loaders and an image summary dataloader. |
| internal/issue/checker/workload_v13s.go | Updates fake data + missing-SBOM detection logic to use SBOM status fields. |
| internal/graph/vulnerability.resolvers.go | Adds resolvers for ContainerImage.sbom and ContainerImageSBOM fields. |
| internal/graph/schema/vulnerability.graphqls | Defines ContainerImageSBOM and SBOMStatus; deprecates hasSBOM fields. |
| internal/graph/gengql/workloads.generated.go | Generated support for ContainerImage.sbom. |
| internal/graph/gengql/vulnerability.generated.go | Generated support for ContainerImageSBOM and SBOMStatus. |
| internal/graph/gengql/schema.generated.go | Generated Node union handling + schema updates for new types/fields. |
| internal/graph/gengql/root_.generated.go | Generated resolver root + complexity wiring for new SBOM fields. |
| integration_tests/vulnerabilities.lua | Updates integration query/expectations to include sbom { status }. |
| go.mod / go.sum | Bumps github.com/nais/v13s/pkg/api dependency to a newer revision. |

Files not reviewed (4)
  • internal/graph/gengql/root_.generated.go: Language not supported
  • internal/graph/gengql/schema.generated.go: Language not supported
  • internal/graph/gengql/vulnerability.generated.go: Language not supported
  • internal/graph/gengql/workloads.generated.go: Language not supported

Comment thread internal/vulnerability/transform.go Outdated
Comment thread internal/vulnerability/dataloader.go
Comment thread internal/vulnerability/fake/v13s.go
Comment thread internal/vulnerability/models.go Outdated
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 11 out of 16 changed files in this pull request and generated 2 comments.


Comment thread internal/vulnerability/transform.go Outdated
Comment thread internal/vulnerability/dataloader.go Outdated
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 11 out of 16 changed files in this pull request and generated 2 comments.


Comment thread internal/vulnerability/models.go
Comment thread integration_tests/vulnerabilities.lua