-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add initial support for generating SPDX SBOM documents (COMPOSER-2274) #4359
Conversation
f5da6bb
to
4d44504
Compare
d7945ea
to
16a0b40
Compare
Update the ref to the v129, which supports SBOM documents. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
This is needed to be able to install osbuild RPM builds, because that repo uses newer snapshots. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Adjust all paces that call `Solver.Depsolve()`, to cope with the changes that enabled SBOM support. Fix loading of testing repositories in the CloudAPI unit tests. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
This is needed for the SBOM support Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Add support to the `DepsolveJob` for requesting SBOM documents and returning the results from the job. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
For Koji composes, all files are uploaded to Koji as part of the osbuild job (specifically as part of handling the Koji target). So in order to be able to upload SBOM documents to Koji as part of Koji compose, the osbuild job needs to to be able to access the depsolve job result, which contains the SBOM documents. For this, the osbuild job must depend on the depsolve job. For Koji composes, make sure that osbuild job depends on the depsolve job and set the DepsolveDynArgsIdx. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Extend the Koji target result struct with an optional slice for uploaded SBOM documents. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
If the Koji target result contains information about any uploaded SBOM documents, import them to Koji as part of the finalize task. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Extend the Koji target handling in the osbuild job, to also upload SBOM documents attached to the related depsolve job result. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Adjust the test case to cope with the SPDX SBOM documents uploaded to the Koji. Also explicitly check that there is the expected number of SBOM documents uploaded as the image build output. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
We have been testing builds of RHEL-9 on RHEL-8 for the Koji use case. However, all of our workers are now running the latest GA RHEL-9 version. Therefore we should flip the test and test building of RHEL-8 on RHEL-9. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
This is what is currently happening on our Brew workers. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
None of our worker is running RHEL-8 any more. There's no value in testing the Koji scenario on RHEL-8, RHEL-9 is fully sufficient. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Extend the `manifestJobResultsFromJobDeps()` function to also return the manifest `JobInfo`. This will be useful to inspect the job dependencies and eliminate the need to add a specialized function for getting only the `JobInfo`. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work. This is a lot.
Couple of notes and nitpicks. I think there's a bug in the sbomsFromOSBuildJob()
function (noted below) but I'm not entirely sure if I'm reading it right so not Requesting changes.
Add a new /sboms API endpoint, for getting SBOM documents for a given compose ID. The endpoint returns an array of SBOM documents for each image built as part of the compose. For each image, there is an SBOM document for each osbuild pipeline, which installs RPM packages. This is usually one 'buildroot' and one 'image' pipeline. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Extend the unit test for regular (non-Koji) composes, to verify that the newly added /sboms endpoint works correctly. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Extend the API unit test for Koji composes, to verify that the newly added /sboms endpoint works correctly. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
This is needed for GPG key import to work on RHEL-9, because the key uses SHA-1. This results in the following error when importing the key during the build of the build container: "Signature not supported. Hash algorithm SHA1 not available." We do not need the AUX key in our RHEL-8 repo definitions used for testing. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All good!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
Depends on:
Add initial support for generating SPDX SBOM documents (COMPOSER-2274) osbuild#1818
Add initial support for generating SPDX SBOM documents (COMPOSER-2274) images#930
Extend the worker
Depsolve
job to allow requesting an SBOM document for each transaction. The SBOM documents are returned in theDepsolveJobResult
.CloudAPI:
Depsolve
job./composes/{id}/sboms
API endpoint for requesting SBOM documents for composes./composes/{id}/sboms
API endpoint.There's no support for SBOMs added to Weldr API.
Koji:
KojiFinalize
job to import all SBOM documents uploaded to the Koji build and listed in the Koji target result.OSBuild
job, to upload all SBOM documents, related to theOSBuild
job, to the Koji build and list them in theKoji
target result. Uploaded SBOM documents use the following filenames:<image_filename>.<pipeline_purpose>-<pipeline_name>.spdx.json
.koji.sh
test case to verify the uploaded SBOM documents in Koji builds.koji.sh
. Specifically, test the main scenario on RHEL-9 and in addition, test building of RHEL-8 and RHEL-10 on RHEL-9.Details
SBOM documents are attached to
DepsolveJobResult
. For each package set that was depsolved, there will be a corresponding SBOM document.DepsolveJob
usually contains at least two package sets for any image type - for the at least oneimage
pipeline and for thebuildroot
pipeline.Koji composes may contain multiple image builds as part of a single compose request. Therefore the
/composes/{id}/sboms
endpoint returns multiple SBOM documents for each image build. The returned value may look as follows for a Koji compose that consists of two image builds:pipeline_purpose
describes the purpose of a pipeline.image
means that the content described in the SBOM document is installed in the actual image.buildroot
means that the content described in the SBOM document was installed in the environment used to build the image. This terminology is consistent with how we name thing internally.pipeline_name
is the actual name of the osbuild pipeline, in which the described content got installed.sbom
is the actual SBOM document.sbom_type
describes the SBOM standard / type of the SBOM document. Currently, it will be alwaysspdx
.