feat(manifest/bazel): sub-workspace lockfile discovery for socket manifest bazel#1336
Draft
Simon (simonhj) wants to merge 1 commit into
…ub-workspace discovery

The existing bazel-query discovery path only inspects MODULE.bazel / WORKSPACE at the invocation cwd. Ruleset repos with per-example sub-workspaces (rules_kotlin/examples, rules_js/examples, rules_rust, rules_python) declare additional Maven artifacts in nested MODULE.bazel projects with their own maven_install.json lockfiles. Those files were silently dropped, leaving the CLI's SBOM a strict subset of what the server-side depscan parser already returns from the same tree.

Add a walker that finds every checked-in maven_install.json under cwd (pruning .git, node_modules, .socket-auto-manifest, and Bazel's bazel-* convenience symlinks into <output_base>), parses each via the existing parseUnsortedDepsJson v2-lockfile path, and merges the artifacts into the SBOM after the bazel-query extraction step. Merge is keyed by mavenCoordinates so the root workspace's lockfile (which bazel-query already extracts) does not double-count; conflicting group:artifact versions across sub-workspaces continue to surface as the existing loud-failure error in normalizeToMavenInstallJson.

Verified against bazel-bench/oss/rules_kotlin: walker now surfaces all 10 examples/*/maven_install.json files and merges 393 unique artifacts into the SBOM beyond what the root @kotlin_rules_maven discovery returns. No regression on tink-java (0 lockfiles) or protobuf (1 root lockfile, deduped against bazel-query's @maven extraction).
Summary

`socket manifest bazel` only walks the root `MODULE.bazel`/`WORKSPACE`. Ruleset repos with per-example sub-workspaces (`rules_kotlin/examples/*`, `rules_js/examples/*`, `rules_rust`, `rules_python`) declare additional Maven artifacts in nested `MODULE.bazel` projects with their own `maven_install.json` lockfiles, and those files were silently dropped — leaving the CLI's SBOM a strict subset of what depscan's server-side parser already returns from the same tree.

This PR adds a walker that finds every checked-in `maven_install.json` under the invocation cwd, parses it via the existing v2-lockfile path, and merges the artifacts into the SBOM after the bazel-query extraction step.

What changed

- `src/commands/manifest/bazel/bazel-lockfile-discovery.mts` (196 lines) — bounded walker (prunes `.git`, `node_modules`, `.socket-auto-manifest`, Bazel's `bazel-*` convenience symlinks; caps lockfiles at 256, depth 16, per-file size 1 GiB) plus a parse-and-tag helper that defers to the existing `parseUnsortedDepsJson`. Synthetic `sourceRepo` tags use the lockfile's relative directory so two sub-workspaces pinning the same rule name don't collide downstream.
- `extract_bazel_to_maven.mts` — the walker is invoked between the per-repo `bazel query` extraction and the `normalizeToMavenInstallJson` step. Dedup is keyed on `mavenCoordinates` so the root workspace's lockfile (which `bazel query` already extracts) does not double-count. Conflicting `g:a` versions across sub-workspaces continue to surface as the existing loud-failure path in `normalizeToMavenInstallJson`.
- `bazel-lockfile-discovery.test.mts` covering: walk pruning (`.git`/`node_modules`/`.socket-auto-manifest`/`bazel-*` symlinks at arbitrary depth), v2-lockfile parsing, sourceRepo tagging, the dedup-merge path, and a `rules_kotlin`-shaped strict-superset assertion.

Verification

Run against the real `bazel-bench/oss/rules_kotlin` tree (`@kotlin_rules_maven`).

Closes ~80% of the gap to the server-side parser. The remaining gap is most likely classifier-jar accounting and would close with a follow-up that recursively invokes `bazel query` per sub-workspace.

No regression on `tink-java` (0 lockfiles, behavior unchanged) or `protobuf` (1 root lockfile that `bazel query` already extracts via `@maven` — deduped on `mavenCoordinates`).

Test plan

- `rules_kotlin`: confirm ≥393 sub-workspace artifacts merge into the SBOM (per-workspace breakdown logged with `--verbose`).
- `tink-java` (no checked-in `maven_install.json`): SBOM unchanged.
- `protobuf` (1 root `maven_install.json`): SBOM artifact count unchanged (dedup against `bazel query`).
- Conflicting `group:artifact` versions across sub-workspaces: confirm the existing `Conflicting versions for ...` error fires.
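The bounded walker the PR describes, as an added example that is not the PR's or socket-cli's own code: it applies the same prune set and caps (256 lockfiles, depth 16, 1 GiB per file) and generalizes the `bazel-*` rule by refusing to follow any symlink, so nothing under `<output_base>` is ever scanned. The function name `findMavenLockfiles` and the constants are assumptions of this example.

```typescript
// Added example, not socket-cli's own code: a bounded walker for checked-in
// maven_install.json lockfiles with the pruning and caps the PR describes.
import * as fs from "node:fs";
import * as path from "node:path";

// Directories the PR prunes; Bazel's bazel-* convenience links are symlinks
// and are covered by the "never follow symlinks" rule below.
export const PRUNED_DIRS = new Set([".git", "node_modules", ".socket-auto-manifest"]);
export const MAX_LOCKFILES = 256;        // caps quoted from the PR description
export const MAX_DEPTH = 16;
export const MAX_FILE_BYTES = 1024 ** 3; // 1 GiB

// Returns root-relative paths of every maven_install.json reachable without
// leaving the checkout, sorted so the result is stable across filesystems.
export function findMavenLockfiles(root: string): string[] {
  const found: string[] = [];
  // Explicit stack instead of recursion so the depth bound is enforced per entry.
  const stack: Array<{ dir: string; depth: number }> = [{ dir: root, depth: 0 }];
  while (stack.length > 0 && found.length < MAX_LOCKFILES) {
    const { dir, depth } = stack.pop()!;
    let entries: fs.Dirent[];
    try {
      entries = fs.readdirSync(dir, { withFileTypes: true });
    } catch {
      continue; // unreadable directory: skip it rather than abort the whole scan
    }
    for (const entry of entries) {
      const full = path.join(dir, entry.name);
      // Dirent reports a symlink as a symlink (not as its target), so bazel-bin,
      // bazel-out and bazel-<workspace> into <output_base> are never descended.
      if (entry.isSymbolicLink()) continue;
      if (entry.isDirectory()) {
        if (PRUNED_DIRS.has(entry.name)) continue;
        if (depth < MAX_DEPTH) stack.push({ dir: full, depth: depth + 1 });
      } else if (entry.isFile() && entry.name === "maven_install.json") {
        if (fs.statSync(full).size > MAX_FILE_BYTES) continue; // oversize: skip
        found.push(path.relative(root, full));
        if (found.length >= MAX_LOCKFILES) break;
      }
    }
  }
  return found.sort();
}
```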