Add CDX examples for openssl and mandrel container
mprpic committed Nov 20, 2024
1 parent b3819bf commit 3996ecc
Showing 6 changed files with 1,838 additions and 96 deletions.
9 changes: 8 additions & 1 deletion docs/sbom.md
Expand Up @@ -477,9 +477,16 @@ purl identifiers
they should only ever differ in their qualifier values, not the main components such as package type, name, or
version; multiple package objects should be used if those values differ.

[`checksums`](https://spdx.github.io/spdx-spec/v2.3/package-information/#710-package-checksum-field)
: Minimally, the list of checksums must include the SHA256 checksum of the RPM file or source archive itself.
All other checksums should be specified as annotations (see below).

[`annotations`](https://spdx.github.io/spdx-spec/v2.3/annotations/)
: A list of annotations may provide additional information that is specific to the RPM format. In the example
above, the MD5 checksum the signed header of the RPM package is included.
above, two checksum values are included:
- The MD5 checksum of the signed header of the RPM package is included.
- The SHA256 checksum of the RPM header (this value does not change when an RPM is signed; unlike the file SHA256 \
checksum used in `checksums`).

Each set of architecture-specific RPMs also have an associated source RPM (SRPM) that bundles all the source code
that was used to build those RPMs. SRPMs should be represented as a separate package object in an SBOM, and their
@@ -0,0 +1,113 @@
{
"bomFormat": "CycloneDX",
"serialNumber": "urn:uuid:930fffb2-c807-4b92-9029-228a5cf711aa",
"specVersion": "1.6",
"version": 1,
"metadata": {
"component": {
"name": "quarkus/mandrel-for-jdk-21-rhel8",
"publisher": "Red Hat",
"purl": "pkg:oci/mandrel-for-jdk-21-rhel8@sha256%3A65c139d16564a14b6832d1a393d18146e2fd921b8d263bf214df5720c1c79b19?arch=amd64&os=linux&tag=23.1-16",
"supplier": {
"name": "Red Hat",
"url": [
"https://www.redhat.com"
]
},
"type": "container"
},
"timestamp": "2024-10-17T17:34:08Z"
},
"components": [
{
"bom-ref": "d9851388f78c0ae4",
"name": "quarkus/mandrel-for-jdk-21-rhel8",
"purl": "pkg:oci/mandrel-for-jdk-21-rhel8@sha256%3A65c139d16564a14b6832d1a393d18146e2fd921b8d263bf214df5720c1c79b19?arch=amd64&tag=23.1-16",
"type": "container",
"version": "sha256:65c139d16564a14b6832d1a393d18146e2fd921b8d263bf214df5720c1c79b19"
},
{
"bom-ref": "pkg:rpm/redhat/[email protected]?arch=noarch",
"licenses": [
{
"license": {
"name": "OFL"
}
}
],
"name": "abattis-cantarell-fonts",
"properties": [
{
"name": "sbomer:package:type",
"value": "rpm"
},
{
"name": "sbomer:location:0:path",
"value": "/var/lib/rpm/Packages"
}
],
"publisher": "Red Hat, Inc.",
"purl": "pkg:rpm/redhat/[email protected]?arch=noarch",
"type": "library",
"version": "0.0.25-6.el8"
},
{
"bom-ref": "pkg:maven/collections/[email protected]",
"hashes": [
{
"alg": "MD5",
"content": "c4337f3611f7bcb5c4253d1cbcec9796"
},
{
"alg": "SHA-1",
"content": "7af5cbeab522cea32d12779b9e4920f2acc943d5"
},
{
"alg": "SHA-256",
"content": "feae3a06020d1d33be26f469ca9d96c6f253bb807a581ea145b77b11561aec4c"
}
],
"name": "collections",
"properties": [
{
"name": "sbomer:package:language",
"value": "java"
},
{
"name": "sbomer:package:type",
"value": "java-archive"
},
{
"name": "sbomer:location:0:path",
"value": "/usr/share/java/quarkus-mandrel-java/collections.jar"
},
{
"name": "sbomer:metadata:virtualPath",
"value": "/usr/share/java/quarkus-mandrel-java/collections.jar"
}
],
"publisher": "Red Hat",
"purl": "pkg:maven/org.graalvm.sdk/[email protected]?type=jar",
"type": "library",
"version": "23.1.5.0-1-redhat-00001"
}
],
"dependencies": [
{
"dependsOn": [
"pkg:rpm/redhat/[email protected]?arch=noarch&upstream=abattis-cantarell-fonts-0.0.25-6.el8.src.rpm&distro=rhel-8.10&package-id=a91121201ed3be00",
"pkg:maven/collections/[email protected]?package-id=a7c3ff6d3594e20f",

],
"ref": "d9851388f78c0ae4"
},
{
"dependsOn": [],
"ref": "pkg:rpm/redhat/[email protected]?arch=noarch&upstream=abattis-cantarell-fonts-0.0.25-6.el8.src.rpm&distro=rhel-8.10&package-id=a91121201ed3be00"
},
{
"dependsOn": [],
"ref": "pkg:maven/collections/[email protected]?package-id=a7c3ff6d3594e20f"
}
]
}
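Review bot: The `dependencies` refs in this example do not resolve to any declared `bom-ref`: the RPM component declares `pkg:rpm/redhat/[email protected]?arch=noarch`, but the graph references it as `…?arch=noarch&upstream=…&distro=rhel-8.10&package-id=a91121201ed3be00`, and likewise `pkg:maven/collections/[email protected]` versus the `…?package-id=a7c3ff6d3594e20f` form used under `dependencies`. CycloneDX requires `ref` and `dependsOn` values to be bom-refs that exist in the document, so a strict validator or a consumer walking the graph to find what pulls in a vulnerable package will see these as dangling. There is also a trailing comma after the second `dependsOn` entry, followed by an empty line before `]`, which makes the file invalid JSON as committed — presumably left over from trimming a longer list. If this is meant to be a validating example, align the refs with the declared bom-refs (e.g. `"ref": "pkg:rpm/redhat/[email protected]?arch=noarch"`) and drop the comma.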
37 changes: 22 additions & 15 deletions sbom/examples/rpm/build/from-koji.py
Expand Up @@ -89,6 +89,14 @@ def get_rpm_sigmd5(filename):
return sha256.stdout.decode("utf-8")


def get_sha256_checksum(filename):
h = hashlib.sha256()
with open(filename, "rb") as f:
for chunk in iter(lambda: f.read(4096), b""):
h.update(chunk)
return h.hexdigest()


def run_syft(builddir):
syft = subprocess.run(
cwd=os.path.dirname(builddir),
Expand Down Expand Up @@ -163,8 +171,7 @@ def mock_midstream(digest, alg, source, sname, sver, url, ext):
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator":
f"pkg:generic/{sname}@{sver}?download_url={url}&checksum={alg}:{digest}",
"referenceLocator": f"pkg:generic/{sname}@{sver}?download_url={url}",
}
],
}
Expand Down Expand Up @@ -288,20 +295,11 @@ def handle_srpm(filename, name):
upstream_url = "github.com/openshift-pipelines/opc"
url = mock_midstream(digest, alg, source, sname, sver, upstream_url, "")

# Calculate checksum
sha256 = hashlib.sha256()
with open(os.path.join(srcdir, "SOURCES", sfn), "rb") as sfp:
while True:
data = sfp.read()
if not data:
break
sha256.update(data)

if url is None or ":" not in url:
url = "NOASSERTION"

sref = f"SPDXRef-{source}"
digest = sha256.hexdigest()
digest = get_sha256_checksum(os.path.join(srcdir, "SOURCES", sfn))
spackage = {
"SPDXID": sanitize_spdxid(sref),
"name": sname,
Expand Down Expand Up @@ -367,7 +365,8 @@ def handle_srpm(filename, name):
spdxid = sanitize_spdxid(f"SPDXRef-{arch}-{name}")

license = get_license(filename)
digest = get_rpm_sha256header(filename)
file_checksum = get_sha256_checksum(filename)
sha256header = get_rpm_sha256header(filename)
sigmd5 = get_rpm_sigmd5(filename)
package = {
"SPDXID": spdxid,
Expand All @@ -387,7 +386,7 @@ def handle_srpm(filename, name):
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": digest,
"checksumValue": file_checksum,
},
],
"annotations": [
Expand All @@ -398,7 +397,15 @@ def handle_srpm(filename, name):
# Same as document.creationInfo.created
"annotationDate": "2006-08-14T02:34:56Z",
"comment": f"sigmd5: {sigmd5}",
}
},
{
"annotationType": "OTHER",
# Same as document.creationInfo.creators
"annotator": "Tool: example SPDX document only",
# Same as document.creationInfo.created
"annotationDate": "2006-08-14T02:34:56Z",
"comment": f"sha256header: {sha256header}",
},
],
}
pkgs_by_arch.setdefault(arch, []).append(package)
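Review bot: The `checksum={alg}:{digest}` qualifier dropped from the `pkg:generic` referenceLocator in `mock_midstream` was the only thing binding `download_url` to specific content, and nothing visible in the hunk records that declared digest anywhere else. `digest` and `alg` are still passed in at the call site (`url = mock_midstream(digest, alg, source, sname, sver, upstream_url, "")`), but the SHA256 that now appears to feed `spackage` is computed by `get_sha256_checksum` over the local `SOURCES` copy, so if the function no longer uses its first two parameters the upstream-declared hash is silently lost and a consumer cannot check what was fetched from `download_url` against what the build declared. Either keep the qualifier or emit the declared `{alg}:{digest}` as an SPDX `checksums` entry on the package `mock_midstream` builds; the function's body is outside the hunk, so I cannot confirm which applies. At minimum a comment at the locator, `# download_url is not pinned here; the archive's SHA256 is recorded in the package's checksums`, would make the choice explicit for readers of this example.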