Add initial support for generating SPDX SBOM documents (COMPOSER-2274) #1818
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
thozza
changed the title
thozza
force-pushed
the
sbom-poc
branch
11 times, most recently
from
5c7a37e
to
c76616a
Compare
thozza
force-pushed
the
sbom-poc
branch
3 times, most recently
from
097e707
to
e24a5b4
Compare
mvo5
reviewed
Jul 29, 2024
achilleas-k
previously approved these changes
Aug 5, 2024
There was a problem hiding this comment.
Wow, this must have been A LOT of work.
It all looks great to me.
I had a tiny debate with myself about whether reading the root tree was the best approach vs:
- Having a stage that takes a giant list of RPM metadata objects to generate the SBOM without reading the tree.
- Getting the SBOM straight from the depsolver and just feeding it into a file write stage.
But at the end of the day I think the approach in this PR is the more correct one. It guarantees that the generated document is created from the rpm db of the tree and not an indirect representation of it that might diverge due to bugs.
thozza
force-pushed
the
sbom-poc
branch
5 times, most recently
from
9a80483
to
eea7bfa
Compare
|
There's another issue with running the enhanced |
achilleas-k
previously approved these changes
Sep 16, 2024
supakeen
previously approved these changes
Sep 16, 2024
thozza
dismissed stale reviews from kingsleyzissou, supakeen, and achilleas-k
via
3d6d889
This will be useful for testing SBOM implementations. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
'dnf' Python package can't be installed using pip in the tox environment. In order to test the code which uses it, we need to use the system version. Our testing environment uses Fedora as the system, therefore we can reasonably use the system version of 'dnf' only with Python version which is on Fedora. Enable site packages in tox for Python 3.12 when testing osbuild internals. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Add implementation of standard-agnostic model for SBOM, and simple SPDX v2.3 model. Also add convenience functions for converting DNF4 package set to the standard-agnostic model and for converting it to SPDX model. Cover the functionality with unit tests. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Verify the documents generated by the internal implementation of SPDX v2.3 model against the upstream spec JSON schema. The schema has been downloaded from: https://github.com/spdx/spdx-spec/blob/development/v2.3.1/schemas/spdx-schema.json Signed-off-by: Tomáš Hozza <thozza@redhat.com>
This will allow validating request arguments in the solver method in a different way for dnf4 and dnf5 and raising an exception if needed. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Extend osbuild-depsolve-dnf, to return JSON with SPDX SBOM that corresponds to the depsolved package set, if it has been requested. For now, only DNF4 is supported. Cover the new functionality with unit test. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Add a new stage, which allows analyzing the installed packages in a given filesystem tree using DNF4 API and generating an SPDX v2.3 SBOM document for it. One can provide the filesystem tree to be analyzed as a stage input. If no input is provided, the stage will analyze the filesystem tree of the current pipeline. Add tests cases for both usage variants of the stage, as well as the unit test for stage schema validation. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Instead of hard-coding the Python version that the installed python3-dnf has been built against on the latest Fedora, read the value from the osbuild-ci container. The container now has the version written in /osb/libdnf-python-version. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Since the `with_sbom` variable was used only in a single place, we can simplify the code (and remove one extra line of it) to just directly use the if condition. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
'_hawkey.Reldep' object has no attribute 'name' in the version shipped on RHEL-8. Add code to handle this situation in case it happens. Default to using named attributes if these are available. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
supakeen
approved these changes
Sep 18, 2024
achilleas-k
approved these changes
Sep 18, 2024
kingsleyzissou
approved these changes
Sep 18, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds:
osbuild-depsolve-dnfextension to return SPDX JSON document for depsolved package set, if requested.org.osbuild.dnf4.sbom.spdxstage, which can generate an SPDX JSON document for the package set installed in a filesystem tree (of the current pipeline or one passed as an input).I considered using
spdx_toolsPython package, instead of implementing the model on my own. However, there were good reasons to not use it:Open questions:
osbuild/imagesandosbuild/osbuild-composer?