From 688c65f6b6acea634f67d0709adaf5e63146ad99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Fri, 26 Jan 2024 09:22:45 +0100
Subject: [PATCH] generate_sbom: add help option

Also add the option --tar for container tar balls. But without enforcing it to stay backward compatible.
---
 build-recipe-docker | 2 +-
 build-recipe-kiwi | 2 +-
 generate_sbom | 48 +++++++++++++++++++++++++++++++++++++++++++--
 3 files changed, 48 insertions(+), 4 deletions(-)
diff --git a/build-recipe-docker b/build-recipe-docker
index d97e58a8a..bbf973084 100644
--- a/build-recipe-docker
+++ b/build-recipe-docker
@@ -319,7 +319,7 @@ recipe_build_docker() {
 # create sbom if requested
 for format in $(queryconfig --dist "$BUILD_DIST" --configdir "$CONFIG_DIR" --archpath "$BUILD_ARCH" buildflags+ sbom | sort -u) ; do
 echo "Generating $format sbom file"
- generate_sbom --format "$format" "$TOPDIR/DOCKER/$FILENAME.tar" > "$BUILD_ROOT$TOPDIR/DOCKER/$FILENAME.${format/cyclonedx/cdx}.json"
+ generate_sbom --format "$format" --container-archive "$TOPDIR/DOCKER/$FILENAME.tar" > "$BUILD_ROOT$TOPDIR/DOCKER/$FILENAME.${format/cyclonedx/cdx}.json"
 test -s "$BUILD_ROOT$TOPDIR/DOCKER/$FILENAME.${format/cyclonedx/cdx}.json" || rm -f "$BUILD_ROOT$TOPDIR/DOCKER/$FILENAME.${format/cyclonedx/cdx}.json"
 done
diff --git a/build-recipe-kiwi b/build-recipe-kiwi
index ad907cc73..2225bacfc 100644
--- a/build-recipe-kiwi
+++ b/build-recipe-kiwi
@@ -712,7 +712,7 @@ postprocess_kiwi_containers() {
 # create sbom if requested
 for format in $(queryconfig --dist "$BUILD_DIST" --configdir "$CONFIG_DIR" --archpath "$BUILD_ARCH" buildflags+ sbom | sort -u) ; do
 echo "Generating $format sbom file for ${r##*/}"
- generate_sbom --format "$format" "$r" > "${r%.tar}.${format/cyclonedx/cdx}.json"
+ generate_sbom --format "$format" --container-archive "$r" > "${r%.tar}.${format/cyclonedx/cdx}.json"
 test -s "${r%.tar}.${format/cyclonedx/cdx}.json" || rm -f "${r%.tar}.${format/cyclonedx/cdx}.json"
 done
 else
diff --git a/generate_sbom b/generate_sbom
index 5d84dc436..0528dad9a 100755
--- a/generate_sbom
+++ b/generate_sbom
@@ -546,6 +546,7 @@ sub spdx_encode_header {
 my $wrap_intoto;
 my $isproduct;
 my $isdir;
+my $istar;
 my $distro;
 my $rpmmd;
 my $format;
@@ -562,8 +563,13 @@ while (@ARGV && $ARGV[0] =~ /^-/) {
 $isdir = 1;
 } elsif ($opt eq '--rpmmd') {
 $rpmmd = 1;
+ } elsif ($opt eq '--container-archive') {
+ $istar = 1;
 } elsif ($opt eq '--format') {
 $format = shift @ARGV;
+ } elsif ($opt eq '--help') {
+ echo_help();
+ exit(0);
 } else {
 last if $opt eq '--';
 die("unknown option: $opt\n");
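Review bot: The new `--container-archive` branch only records `$istar = 1`, and the comment added in the last hunk of this file says the flag is deliberately never checked, so passing it together with `--dir`, `--product` or `--rpmmd` is silently accepted and the archive path ends up in whichever of those branches is selected. Keeping the flag optional for backward compatibility does not require accepting contradictory combinations; after the option loop, `die("--container-archive cannot be combined with --dir, --product or --rpmmd\n") if $istar && ($isdir || $isproduct || $rpmmd);` would reject them while callers that still pass the tar ball positionally keep working. The `--help` branch calls `echo_help()` before its definition, which works only because of the parentheses; a comment such as `# echo_help is defined below; the parentheses avoid a forward declaration` would save the next reader a lookup. The option loop begins before this hunk.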
@@ -572,7 +578,45 @@ while (@ARGV && $ARGV[0] =~ /^-/) {
 $format ||= 'spdx';
 die("unknown format $format\n") unless $format eq 'spdx' || $format eq 'cyclonedx';
-die("usage: generate_sbom [--distro NAME] [--format spdx|cyclonedx] [--intoto] [--product DIRECTORY]|[--rpmmd DIRECTORY|CONTAINER_TAR]\n") unless @ARGV == 1;
+sub echo_help {
+ print "\n
+The Software Bill of Materials (SBOM) generation tool
+=====================================================
+
+This tool generates SBOM data based on data from rpm packages.
+
+Output formats
+==============
+
+ --format spdx
+ Generates SPDX 2.3 formated data. This is the default.
+
+ --format cyclonedx
+ Generates CycloneDX 1.4 formated data
+
+ --intoto
+ Can be used optional to wrap the generated data into in-toto.io
+ specified format.
+
+Supported content
+=================
+
+ --dir DIRECTORY
+ The RPM database of the system below DIRECTORY will be evaluated, also all
+ files will be referenced in the SBOM.
+
+ --product DIRECTORY
+ An installation medium. All .rpm files in any sub directory will be scanned.
+
+ --rpmmd DIRECTORY
+ A directory providing rpm-md meta data. A 'repodata/repomd.xml' file is expected.
+
+ --container-archive CONTAINER_ARCHIVE
+ An container providing a system
+
+";
+}
+die("usage: generate_sbom [--distro NAME] [--format spdx|cyclonedx] [--intoto] [--dir DIRECTORY]|[--product DIRECTORY]|[--rpmmd DIRECTORY]|[--container-archive CONTAINER_ARCHIVE]\n") unless @ARGV == 1;
 my $toprocess = $ARGV[0];
 my $tmpdir = File::Temp::tempdir( CLEANUP => 1 );
@@ -603,7 +647,7 @@ if ($isproduct) {
 $files = gen_filelist($toprocess) if $format eq 'spdx';
 $pkgs = read_pkgs_rpmdb("$tmpdir/rpmdb");
 $dist = read_dist($toprocess);
-} else {
+} else { # no check for $istar to stay backward compatible
 # container tar case
 my $unpackdir = unpack_container($tmpdir, $toprocess);
 dump_rpmdb($unpackdir, "$tmpdir/rpmdb");
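Review bot: The help text in `echo_help` omits `--distro NAME`, which the rewritten usage line in the same hunk still advertises, so `--help` and the usage error disagree about the accepted options; an entry such as `--distro NAME` followed by `Override the distribution name recorded in the SBOM` (hedged: the exact meaning of `$distro` is set elsewhere in the file and should be confirmed before wording it) belongs in the list. The text also has wording errors that will be shipped verbatim: `formated` should read `formatted` (twice), `Can be used optional to wrap` should read `Can optionally be used to wrap`, and `An container providing a system` should read `A container archive (tar ball) holding an installed system`. On style, a 40-line double-quoted string is fragile because any `$` or `@` added to it later is interpolated; `print <<'END_HELP';` ... `END_HELP` keeps the block literal and easier to maintain. Defining `sub echo_help` between two top-level statements of the argument-handling flow is also unusual for this file; placing it with the other subs (for example near `spdx_encode_header`) keeps the main flow readable.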