[neon/neon/livecd-rootfs/Neon/release] live-build: feat(ubuntu-cpc): sbom generation everywhere
John Chittum
null at kde.org
Wed Feb 19 22:35:44 GMT 2025
Git commit ebff18785cb785fdefca91ad833c738c19c3603d by John Chittum.
Committed on 26/08/2024 at 18:14.
Pushed by carlosdem into branch 'Neon/release'.
feat(ubuntu-cpc): sbom generation everywhere
patch create_manifest to produce an sbom when called by an ubuntu-cpc
project. Patch all the ubuntu-cpc hooks and series files to include the
newly generated manifests, filelists, and sboms. Generates a number of
new artifacts in the builds. The snap utilized, cpc-sbom, is an open
source repo and is provided via a hidden snap. There is no intention of
publicizing the snap or how we generate SBOMs; however, partners require
the ability to audit if required.
Defensively checks if the snap is already installed, in the case of
multiple hooks being called in a single build (thus sharing a build
host), and only if called in an ubuntu-cpc project.
(cherry picked from commit 7c7b7df89dc96169db1f255d6bba901ebb63a43c)
M +20 -0 live-build/functions
M +2 -2 live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary
M +2 -0 live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary
M +3 -1 live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
M +2 -0 live-build/ubuntu-cpc/hooks.d/base/disk-image.binary
M +9 -0 live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary
M +5 -2 live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary
M +0 -2 live-build/ubuntu-cpc/hooks.d/base/root-xz.binary
M +3 -0 live-build/ubuntu-cpc/hooks.d/base/series/disk-image
M +3 -0 live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi
M +3 -0 live-build/ubuntu-cpc/hooks.d/base/series/qcow2
M +1 -0 live-build/ubuntu-cpc/hooks.d/base/series/squashfs
M +1 -0 live-build/ubuntu-cpc/hooks.d/base/series/tarball
M +3 -0 live-build/ubuntu-cpc/hooks.d/base/series/vagrant
M +3 -0 live-build/ubuntu-cpc/hooks.d/base/series/vmdk
M +2 -0 live-build/ubuntu-cpc/hooks.d/base/vagrant.binary
M +10 -0 live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary
https://invent.kde.org/neon/neon/livecd-rootfs/-/commit/ebff18785cb785fdefca91ad833c738c19c3603d
diff --git a/live-build/functions b/live-build/functions
index 918bd064..bd3c8898 100644
--- a/live-build/functions
+++ b/live-build/functions
@@ -39,6 +39,10 @@ create_empty_disk_image() {
create_manifest() {
local chroot_root=${1}
local target_file=${2}
+ local base_default_sbom_name="ubuntu-cloud-image-$(grep "VERSION_ID" $chroot_root/etc/os-release | cut --delimiter "=" --field 2 | tr -d '"')-${ARCH}-$(date +%Y%m%dT%H:%M:%S)"
+ local sbom_file_name=${3:-"${base_default_sbom_name}.spdx"}
+ local sbom_document_name=${4:-"${base_default_sbom_name}"}
+ local sbom_log=${sbom_document_name}.log
echo "create_manifest chroot_root: ${chroot_root}"
dpkg-query --show --admindir="${chroot_root}/var/lib/dpkg" > ${target_file}
echo "create_manifest call to dpkg-query finished."
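Review bot: The `grep "VERSION_ID" $chroot_root/etc/os-release` inside the new `base_default_sbom_name` leaves `$chroot_root` unquoted while the rest of the function quotes it (`"${chroot_root}"` on the `cd` below), so a path with whitespace word-splits; write `grep VERSION_ID "${chroot_root}/etc/os-release"`. The default also bakes `%H:%M:%S` into a filename, and since `sbom_file_name` and the derived `.log` both inherit it, the artifacts carry colons that break when copied to SMB or Windows consumers; `%H%M%S` keeps the timestamp sortable without them. The fallback `${3:-…}` also triggers on an empty third argument, which is probably what callers want but differs from `${3-…}`. The create_manifest body continues past this hunk.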
@@ -48,6 +52,22 @@ create_manifest() {
echo "create_manifest creating file listing."
local target_filelist=${2%.manifest}.filelist
(cd "${chroot_root}" && find -xdev) | sort > "${target_filelist}"
+ # only creating sboms for CPC project at this time
+ if [[ ! $(which cpc-sbom) ]]; then
+ # ensure the tool is installed
+ sudo snap install --classic --edge cpc-sbom
+ fi
+ # generate the SBOM
+ cpc-sbom --rootdir ${chroot_root} --ignore-copyright-parsing-errors --ignore-copyright-file-not-found-errors --document-name ${sbom_document_name} >"${sbom_file_name}" 2>"${sbom_log}"
+ SBOM_GENERATION_EXIT_CODE=$?
+ if [[ ${SBOM_GENERATION_EXIT_CODE} != "0" ]]; then
+ # check for failure and print log
+ echo "ERROR: SBOM generation failed. See ${sbom_log}"
+ cat "$sbom_log"
+ exit 1
+ else
+ echo "SBOM generation succeeded. see ${sbom_log} for details"
+ fi
fi
echo "create_manifest finished"
}
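Review bot: `sudo snap install --classic --edge cpc-sbom` installs whatever revision happens to be on the edge channel at build time and only checks that some `cpc-sbom` binary exists, so two builds of the same rootfs can produce SBOMs from different tool versions and nothing in the artifacts records which one ran. Pin the install (`--channel=<pinned-channel>` or `--revision=<pinned-revision>`, placeholders here) and append the installed revision to the log, e.g. `snap list cpc-sbom >>"${sbom_log}" 2>&1`, so an auditor can tie an .spdx to the generator that made it. The presence test should be `if ! command -v cpc-sbom >/dev/null 2>&1; then` rather than `[[ ! $(which cpc-sbom) ]]`. Note also that `SBOM_GENERATION_EXIT_CODE=$?` is only reached if the hook does not run under `set -e` (not visible here); if it does, a failing `cpc-sbom` aborts before the log is printed, so `cpc-sbom … || SBOM_GENERATION_EXIT_CODE=$?` (after initialising it to 0) is the robust form. The enclosing `if` whose `fi` closes this hunk starts outside it.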
diff --git a/live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary b/live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary
index 6ba4fe9c..46d9479a 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary
@@ -24,6 +24,6 @@ rm -rf $rootfs_dir/boot/grub
# Keep this as some derivatives mount a tempfs here
mkdir -p $rootfs_dir/lib/modules
-teardown_mountpoint $rootfs_dir
+create_manifest $rootfs_dir "livecd.ubuntu-cpc.rootfs.manifest" "livecd.ubuntu-cpc.rootfs.spdx" "cloud-image-rootfs-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
-create_manifest "${rootfs_dir}" "${rootfs_dir}.manifest"
+teardown_mountpoint $rootfs_dir
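Review bot: Moving `create_manifest` ahead of `teardown_mountpoint` means the filelist and SBOM are now produced while the chroot's build mounts are still in place, whereas the previous order ran it on the torn-down tree; if that is deliberate (for example because the SBOM tool needs the mounts), a one-line comment saying so, `# create_manifest must run before teardown_mountpoint: <reason>`, would stop the next reader from swapping it back. `$rootfs_dir` is also unquoted in the new call while `create_manifest "${rootfs_dir}" …` quoted it before; keep `create_manifest "${rootfs_dir}" …`. The timestamp argument repeats the `%H:%M:%S` pattern used across the hooks, which embeds colons in the SBOM document name.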
diff --git a/live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary b/live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary
index e02c6338..f393482b 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary
@@ -80,6 +80,8 @@ cp -a chroot/* mountpoint/
chroot mountpoint dpkg-query -W > binary/boot/filesystem.packages
(cd mountpoint && find -xdev) | sort > binary/boot/filesystem.filelist
+create_manifest "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-image.manifest" "$PWD/livecd.ubuntu-cpc.disk-image.spdx" "cloud-image-$ARCH-$(date +Y%m%dT%H:%M:%S)"
+
umount mountpoint
rmdir mountpoint
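Review bot: The date format in the new `create_manifest` call is `+Y%m%dT%H:%M:%S`, missing the `%` before `Y`, so the ppc64el SBOM document name gets a literal `Y` followed by month and day and never the year, unlike every other hook which uses `%Y`; change it to `"cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)"`. The hunk also keeps the older `chroot mountpoint dpkg-query -W > binary/boot/filesystem.packages` and `find -xdev` lines immediately above, so the package list and filelist are now computed twice for this image; if `binary/boot/filesystem.*` are still consumed elsewhere that is fine, otherwise they can go.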
diff --git a/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary b/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
index d4ec5f0c..474b145b 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
@@ -184,7 +184,8 @@ install_grub() {
mount
# create sorted filelist as the very last step before unmounting
- (cd mountpoint && find -xdev) | sort > binary/boot/filesystem.filelist
+ # explicitly generate manifest and sbom
+ create_manifest "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-uefi.manifest" "$PWD/livecd.ubuntu-cpc.disk-uefi.spdx" "cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
umount_partition mountpoint
rmdir mountpoint
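Review bot: The removed line wrote `binary/boot/filesystem.filelist`, and its replacement writes `$PWD/livecd.ubuntu-cpc.disk-uefi.filelist` instead, so this hook no longer produces the `binary/boot/filesystem.filelist` path while disk-image-ppc64el.binary in this same commit still does. If anything downstream reads that path for the UEFI image the rename is a silent break; either confirm nothing does or keep the old line alongside the new call. The `mount` context line above and whether this sits inside `install_grub` or at top level cannot be told from the hunk.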
@@ -201,6 +202,7 @@ make_ext4_partition "${rootfs_dev_mapper}"
mkdir mountpoint
mount "${rootfs_dev_mapper}" mountpoint
cp -a chroot/* mountpoint/
+
umount mountpoint
rmdir mountpoint
diff --git a/live-build/ubuntu-cpc/hooks.d/base/disk-image.binary b/live-build/ubuntu-cpc/hooks.d/base/disk-image.binary
index ba577ef5..63d28ab0 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/disk-image.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/disk-image.binary
@@ -158,6 +158,8 @@ EOF
$ZIPL_EXTRA_PARAMS
fi
+create_manifest "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-image.manifest" "$PWD/livecd.ubuntu-cpc.disk-image.spdx" "cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
+
if [ -n "$BOOT_MOUNTPOINT" ]; then
umount "mountpoint/$BOOT_MOUNTPOINT"
fi
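Review bot: `create_manifest` is called here while `mountpoint/$BOOT_MOUNTPOINT` is still a separate mount (the `umount` two lines below shows it), and the function's filelist step is `(cd "${chroot_root}" && find -xdev)`, which does not descend into other filesystems, so when `BOOT_MOUNTPOINT` is set the disk-image filelist will omit the boot partition's contents. If that is acceptable, a comment such as `# filelist is -xdev: a separately mounted $BOOT_MOUNTPOINT is not listed` above the call would document it; if not, the call needs to run after the boot partition content is on the root device or the filelist needs a second pass over the boot mount.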
diff --git a/live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary b/live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary
index 8dbbb9ae..4a8e321a 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary
@@ -2,8 +2,17 @@
. config/functions
+qcow_file=${PWD}/livecd.ubuntu-cpc.qcow
if [ -f binary/boot/disk-uefi.ext4 ]; then
convert_to_qcow2 binary/boot/disk-uefi.ext4 livecd.ubuntu-cpc.img
+ uefi_file="livecd.ubuntu-cpc.disk-uefi"
+ cp ${uefi_file}.manifest ${qcow_file}.manifest
+ cp ${uefi_file}.filelist ${qcow_file}.filelist
+ cp ${uefi_file}.spdx ${qcow_file}.spdx
elif [ -f binary/boot/disk.ext4 ]; then
convert_to_qcow2 binary/boot/disk.ext4 livecd.ubuntu-cpc.img
+ disk_file="livecd.ubuntu-cpc.disk-image"
+ cp ${disk_file}.manifest ${qcow_file}.manifest
+ cp ${disk_file}.filelist ${qcow_file}.filelist
+ cp ${disk_file}.spdx ${qcow_file}.spdx
fi
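Review bot: The `cp …manifest / …filelist / …spdx` triplet is written out verbatim in both branches here and again twice in vmdk-image.binary, so adding or renaming an artifact type later needs six coordinated edits; a small helper in `live-build/functions` that loops over `manifest filelist spdx` and copies `"${src}.${ext}"` to `"${dst}.${ext}"` would keep the artifact set in one place. The destinations also go unquoted (`cp ${uefi_file}.manifest ${qcow_file}.manifest`) even though `qcow_file` is built from `${PWD}`, which may contain spaces; quote them, `cp -- "${uefi_file}.manifest" "${qcow_file}.manifest"`. The same applies to the vmdk-image.binary hunk.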
diff --git a/live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary b/live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary
index bc56bc42..ab90c963 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary
@@ -15,8 +15,11 @@ rootfs_dir=rootfs.dir
squashfs_f="$PWD/livecd.ubuntu-cpc.squashfs"
-cp $rootfs_dir.manifest $squashfs_f.manifest
+cp livecd.ubuntu-cpc.rootfs.manifest ${squashfs_f}.manifest
+cp livecd.ubuntu-cpc.rootfs.filelist ${squashfs_f}.filelist
+cp livecd.ubuntu-cpc.rootfs.spdx ${squashfs_f}.spdx
+
# fstab is omitted from the squashfs
-grep -v '^/etc/fstab$' $rootfs_dir.filelist >$squashfs_f.filelist
+grep -v '^/etc/fstab$' livecd.ubuntu-cpc.rootfs.filelist >$squashfs_f.filelist
create_squashfs $rootfs_dir $squashfs_f
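Review bot: The new `cp livecd.ubuntu-cpc.rootfs.filelist ${squashfs_f}.filelist` is overwritten two lines later by `grep -v '^/etc/fstab$' livecd.ubuntu-cpc.rootfs.filelist >$squashfs_f.filelist`, so the copy does nothing but extra I/O and briefly leaves an unfiltered filelist in place; drop the `.filelist` copy and keep only the `.manifest` and `.spdx` copies. Quoting `"${squashfs_f}.manifest"` would also match the quoted `squashfs_f` assignment above, since it embeds `$PWD`.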
diff --git a/live-build/ubuntu-cpc/hooks.d/base/root-xz.binary b/live-build/ubuntu-cpc/hooks.d/base/root-xz.binary
index c8aad906..9c5db0b8 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/root-xz.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/root-xz.binary
@@ -11,6 +11,4 @@ fi
# This is the directory created by create-root-dir.binary
rootfs_dir=rootfs.dir
-cp $rootfs_dir.manifest livecd.ubuntu-cpc.rootfs.manifest
-cp $rootfs_dir.filelist livecd.ubuntu-cpc.rootfs.filelist
(cd $rootfs_dir/ && tar -c --sort=name --xattrs *) | xz > livecd.ubuntu-cpc.rootfs.tar.xz
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/disk-image b/live-build/ubuntu-cpc/hooks.d/base/series/disk-image
index 8e6e9726..4e269aca 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/disk-image
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/disk-image
@@ -6,3 +6,6 @@ provides livecd.ubuntu-cpc.initrd-generic
provides livecd.ubuntu-cpc.kernel-generic
provides livecd.ubuntu-cpc.manifest
provides livecd.ubuntu-cpc.filelist
+provides livecd.ubuntu-cpc.disk-image.manifest
+provides livecd.ubuntu-cpc.disk-image.filelist
+provides livecd.ubuntu-cpc.disk-image.spdx
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi b/live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi
index 2faa4aa1..ac0bf936 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi
@@ -4,3 +4,6 @@ provides livecd.ubuntu-cpc.initrd-generic
provides livecd.ubuntu-cpc.kernel-generic
provides livecd.ubuntu-cpc.manifest
provides livecd.ubuntu-cpc.filelist
+provides livecd.ubuntu-cpc.disk-uefi.manifest
+provides livecd.ubuntu-cpc.disk-uefi.filelist
+provides livecd.ubuntu-cpc.disk-uefi.spdx
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/qcow2 b/live-build/ubuntu-cpc/hooks.d/base/series/qcow2
index 745adb9b..0fdbc81c 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/qcow2
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/qcow2
@@ -1,3 +1,6 @@
depends disk-image
base/qcow2-image.binary
provides livecd.ubuntu-cpc.img
+provides livecd.ubuntu-cpc.qcow.manifest
+provides livecd.ubuntu-cpc.qcow.filelist
+provides livecd.ubuntu-cpc.qcow.spdx
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/squashfs b/live-build/ubuntu-cpc/hooks.d/base/series/squashfs
index b9f0d8db..991bf12e 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/squashfs
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/squashfs
@@ -3,3 +3,4 @@ base/root-squashfs.binary
provides livecd.ubuntu-cpc.squashfs
provides livecd.ubuntu-cpc.squashfs.manifest
provides livecd.ubuntu-cpc.squashfs.filelist
+provides livecd.ubuntu-cpc.squashfs.spdx
\ No newline at end of file
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/tarball b/live-build/ubuntu-cpc/hooks.d/base/series/tarball
index 8e2bc766..293fc4a5 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/tarball
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/tarball
@@ -3,3 +3,4 @@ base/root-xz.binary
provides livecd.ubuntu-cpc.rootfs.tar.xz
provides livecd.ubuntu-cpc.rootfs.manifest
provides livecd.ubuntu-cpc.rootfs.filelist
+provides livecd.ubuntu-cpc.rootfs.spdx
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/vagrant b/live-build/ubuntu-cpc/hooks.d/base/series/vagrant
index 6e5fcf39..0e4d8dd4 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/vagrant
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/vagrant
@@ -1,3 +1,6 @@
depends disk-image
base/vagrant.binary
provides livecd.ubuntu-cpc.vagrant.box
+provides livecd.ubuntu-cpc.vagrant.manifest
+provides livecd.ubuntu-cpc.vagrant.filelist
+provides livecd.ubuntu-cpc.vagrant.spdx
\ No newline at end of file
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/vmdk b/live-build/ubuntu-cpc/hooks.d/base/series/vmdk
index c583fe96..855063e3 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/vmdk
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/vmdk
@@ -3,3 +3,6 @@ base/vmdk-image.binary
base/vmdk-ova-image.binary
provides livecd.ubuntu-cpc.vmdk
provides livecd.ubuntu-cpc.ova
+provides livecd.ubuntu-cpc.vmdk.manifest
+provides livecd.ubuntu-cpc.vmdk.filelist
+provides livecd.ubuntu-cpc.vmdk.spdx
\ No newline at end of file
diff --git a/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary b/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary
index 19e8738b..3c679929 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary
@@ -93,6 +93,8 @@ EOF
chroot ${mount_d} chown -R vagrant:vagrant /home/vagrant/.ssh
chroot ${mount_d} chmod 700 /home/vagrant/.ssh
+create_manifest $mount_d "livecd.ubuntu-cpc.vagrant.manifest" "livecd.ubuntu-cpc.vagrant.spdx" "cloud-image-vagrant-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
+
umount_disk_image "$mount_d"
rmdir "$mount_d"
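Review bot: `create_manifest $mount_d …` passes the mount directory unquoted while the neighbouring `umount_disk_image "$mount_d"` and `rmdir "$mount_d"` quote it; use `create_manifest "$mount_d" "livecd.ubuntu-cpc.vagrant.manifest" …` for consistency and to survive a path with whitespace. The SBOM document name here follows the same colon-bearing `%H:%M:%S` timestamp as the other hooks.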
diff --git a/live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary b/live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary
index 3c2a6449..f4c0ade8 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary
@@ -20,8 +20,18 @@ esac
. config/functions
+vmdk_file="$PWD/livecd.ubuntu-cpc.vmdk"
+
if [ -e binary/boot/disk-uefi.ext4 ]; then
create_vmdk binary/boot/disk-uefi.ext4 livecd.ubuntu-cpc.vmdk
+ uefi_file="livecd.ubuntu-cpc.disk-uefi"
+ cp ${uefi_file}.manifest ${vmdk_file}.manifest
+ cp ${uefi_file}.filelist ${vmdk_file}.filelist
+ cp ${uefi_file}.spdx ${vmdk_file}.spdx
elif [ -f binary/boot/disk.ext4 ]; then
create_vmdk binary/boot/disk.ext4 livecd.ubuntu-cpc.vmdk
+ disk_file="livecd.ubuntu-cpc.disk-image"
+ cp ${disk_file}.manifest ${vmdk_file}.manifest
+ cp ${disk_file}.filelist ${vmdk_file}.filelist
+ cp ${disk_file}.spdx ${vmdk_file}.spdx
fi