-
Notifications
You must be signed in to change notification settings - Fork 113
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add initial support for generating SPDX SBOM documents (COMPOSER-2274) #1818
Conversation
5c7a37e
to
c76616a
Compare
097e707
to
e24a5b4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wow, this must have been A LOT of work.
It all looks great to me.
I had a tiny debate with myself about whether reading the root tree was the best approach vs:
- Having a stage that takes a giant list of RPM metadata objects to generate the SBOM without reading the tree.
- Getting the SBOM straight from the depsolver and just feeding it into a file write stage.
But at the end of the day I think the approach in this PR is the more correct one. It guarantees that the generated document is created from the rpm db of the tree and not an indirect representation of it that might diverge due to bugs.
9a80483
to
eea7bfa
Compare
There's another issue with running the enhanced
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried very hard but couldn't come up with any good nitpicks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Partial review.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a herculean effort I have added a few minor nits but feel free to ignore them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And my axe!
3d6d889
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM but linter is sad
This will be useful for testing SBOM implementations. Signed-off-by: Tomáš Hozza <[email protected]>
'dnf' Python package can't be installed using pip in the tox environment. In order to test the code which uses it, we need to use the system version. Our testing environment uses Fedora as the system, therefore we can reasonably use the system version of 'dnf' only with Python version which is on Fedora. Enable site packages in tox for Python 3.12 when testing osbuild internals. Signed-off-by: Tomáš Hozza <[email protected]>
Add implementation of standard-agnostic model for SBOM, and simple SPDX v2.3 model. Also add convenience functions for converting DNF4 package set to the standard-agnostic model and for converting it to SPDX model. Cover the functionality with unit tests. Signed-off-by: Tomáš Hozza <[email protected]>
Verify the documents generated by the internal implementation of SPDX v2.3 model against the upstream spec JSON schema. The schema has been downloaded from: https://github.com/spdx/spdx-spec/blob/development/v2.3.1/schemas/spdx-schema.json Signed-off-by: Tomáš Hozza <[email protected]>
This will allow validating request arguments in the solver method in a different way for dnf4 and dnf5 and raising an exception if needed. Signed-off-by: Tomáš Hozza <[email protected]>
Extend osbuild-depsolve-dnf, to return JSON with SPDX SBOM that corresponds to the depsolved package set, if it has been requested. For now, only DNF4 is supported. Cover the new functionality with unit test. Signed-off-by: Tomáš Hozza <[email protected]>
Add a new stage, which allows analyzing the installed packages in a given filesystem tree using DNF4 API and generating an SPDX v2.3 SBOM document for it. One can provide the filesystem tree to be analyzed as a stage input. If no input is provided, the stage will analyze the filesystem tree of the current pipeline. Add tests cases for both usage variants of the stage, as well as the unit test for stage schema validation. Signed-off-by: Tomáš Hozza <[email protected]>
Instead of hard-coding the Python version that the installed python3-dnf has been built against on the latest Fedora, read the value from the osbuild-ci container. The container now has the version written in /osb/libdnf-python-version. Signed-off-by: Tomáš Hozza <[email protected]>
Since the `with_sbom` variable was used only in a single place, we can simplify the code (and remove one extra line of it) to just directly use the if condition. Signed-off-by: Tomáš Hozza <[email protected]>
'_hawkey.Reldep' object has no attribute 'name' in the version shipped on RHEL-8. Add code to handle this situation in case it happens. Default to using named attributes if these are available. Signed-off-by: Tomáš Hozza <[email protected]>
This PR adds:
osbuild-depsolve-dnf
extension to return SPDX JSON document for depsolved package set, if requested.org.osbuild.dnf4.sbom.spdx
stage, which can generate an SPDX JSON document for the package set installed in a filesystem tree (of the current pipeline or one passed as an input).I considered using
spdx_tools
Python package, instead of implementing the model on my own. However, there were good reasons to not use it:Open questions:
osbuild/images
andosbuild/osbuild-composer
?