From 37d194c8cd747017bbfd9871c4cc8ce8fd17f187 Mon Sep 17 00:00:00 2001 From: Tim Waugh Date: Tue, 10 Sep 2024 12:05:40 +0100 Subject: [PATCH 1/6] Add parent images for containers Use BUILD_TOOL_OF for multi-stage builds, and DESCENDANT_OF for direct ancestors. --- ...perator-container-1.1.2-25_amd64.spdx.json | 28 ++++++++++ ...perator-container-1.1.2-25_arm64.spdx.json | 28 ++++++++++ ...rator-container-1.1.2-25_ppc64le.spdx.json | 28 ++++++++++ ...container-9.4-6.1716471860_amd64.spdx.json | 14 +++++ ...container-9.4-6.1716471860_arm64.spdx.json | 14 +++++ ...ntainer-9.4-6.1716471860_ppc64le.spdx.json | 14 +++++ ...container-9.4-6.1716471860_s390x.spdx.json | 14 +++++ .../container_image/release/from_catalog.py | 56 +++++++++++++++++-- ...perator-container-1.1.2-25_amd64.spdx.json | 28 ++++++++++ ...perator-container-1.1.2-25_arm64.spdx.json | 28 ++++++++++ ...rator-container-1.1.2-25_ppc64le.spdx.json | 28 ++++++++++ ...container-9.4-6.1716471860_amd64.spdx.json | 14 +++++ ...container-9.4-6.1716471860_arm64.spdx.json | 14 +++++ ...ntainer-9.4-6.1716471860_ppc64le.spdx.json | 14 +++++ ...container-9.4-6.1716471860_s390x.spdx.json | 14 +++++ 15 files changed, 331 insertions(+), 5 deletions(-) diff --git a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json index 59ba1b3..d907c16 100644 --- a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json +++ b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json 
@@ -3991,6 +3991,24 @@ "checksumValue": "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234" } ] + }, + { + "SPDXID": "SPDXRef-parent-image-0-amd64", + "name": "rhel9-go-toolset:1.19.4-18_amd64", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [] + }, + { + "SPDXID": "SPDXRef-parent-image-1-amd64", + "name": "rhel:9.2-1191_amd64", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [] } ], "relationships": [ @@ -3999,6 +4017,16 @@ "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-kernel-module-management-operator-container-amd64" }, + { + "spdxElementId": "SPDXRef-parent-image-0-amd64", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-kernel-module-management-operator-container-amd64" + }, + { + "spdxElementId": "SPDXRef-kernel-module-management-operator-container-amd64", + "relationshipType": "DESCENDANT_OF", + "relatedSpdxElement": "SPDXRef-parent-image-1-amd64" + }, { "spdxElementId": "SPDXRef-kernel-module-management-operator-container-amd64", "relationshipType": "CONTAINS", diff --git a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json index 676175a..e693f52 100644 --- a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json +++ b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json 
@@ -3991,6 +3991,24 @@ "checksumValue": "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234" } ] + }, + { + "SPDXID": "SPDXRef-parent-image-0-arm64", + "name": "rhel9-go-toolset:1.19.4-18_arm64", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [] + }, + { + "SPDXID": "SPDXRef-parent-image-1-arm64", + "name": "rhel:9.2-1191_arm64", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [] } ], "relationships": [ @@ -3999,6 +4017,16 @@ "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-kernel-module-management-operator-container-arm64" }, + { + "spdxElementId": "SPDXRef-parent-image-0-arm64", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-kernel-module-management-operator-container-arm64" + }, + { + "spdxElementId": "SPDXRef-kernel-module-management-operator-container-arm64", + "relationshipType": "DESCENDANT_OF", + "relatedSpdxElement": "SPDXRef-parent-image-1-arm64" + }, { "spdxElementId": "SPDXRef-kernel-module-management-operator-container-arm64", "relationshipType": "CONTAINS", diff --git a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json index 09b2db2..12e3814 100644 --- a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json +++ b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json 
@@ -3991,6 +3991,24 @@ "checksumValue": "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234" } ] + }, + { + "SPDXID": "SPDXRef-parent-image-0-ppc64le", + "name": "rhel9-go-toolset:1.19.4-18_ppc64le", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [] + }, + { + "SPDXID": "SPDXRef-parent-image-1-ppc64le", + "name": "rhel:9.2-1191_ppc64le", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [] } ], "relationships": [ @@ -3999,6 +4017,16 @@ "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-kernel-module-management-operator-container-ppc64le" }, + { + "spdxElementId": "SPDXRef-parent-image-0-ppc64le", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-kernel-module-management-operator-container-ppc64le" + }, + { + "spdxElementId": "SPDXRef-kernel-module-management-operator-container-ppc64le", + "relationshipType": "DESCENDANT_OF", + "relatedSpdxElement": "SPDXRef-parent-image-1-ppc64le" + }, { "spdxElementId": "SPDXRef-kernel-module-management-operator-container-ppc64le", "relationshipType": "CONTAINS", diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json index eccfbed..4d9625e 100644 --- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json +++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json 
@@ -476,6 +476,15 @@ "checksumValue": "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234" } ] + }, + { + "SPDXID": "SPDXRef-parent-image-0-amd64", + "name": "ubi9:9.4-947_amd64", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [] } ], "relationships": [ @@ -484,6 +493,11 @@ "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-ubi9-micro-container-amd64" }, + { + "spdxElementId": "SPDXRef-ubi9-micro-container-amd64", + "relationshipType": "DESCENDANT_OF", + "relatedSpdxElement": "SPDXRef-parent-image-0-amd64" + }, { "spdxElementId": "SPDXRef-ubi9-micro-container-amd64", "relationshipType": "CONTAINS", diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json index 8aa07bd..526d5dc 100644 --- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json +++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json @@ -476,6 +476,15 @@ "checksumValue": "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234" } ] + }, + { + "SPDXID": "SPDXRef-parent-image-0-arm64", + "name": "ubi9:9.4-947_arm64", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [] } ], "relationships": [ @@ -484,6 +493,11 @@ "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-ubi9-micro-container-arm64" }, + { + "spdxElementId": "SPDXRef-ubi9-micro-container-arm64", + "relationshipType": "DESCENDANT_OF", + "relatedSpdxElement": "SPDXRef-parent-image-0-arm64" + }, { "spdxElementId": "SPDXRef-ubi9-micro-container-arm64", "relationshipType": "CONTAINS", 
diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json index 4ba99a1..5bf55ac 100644 --- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json +++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json @@ -476,6 +476,15 @@ "checksumValue": "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234" } ] + }, + { + "SPDXID": "SPDXRef-parent-image-0-ppc64le", + "name": "ubi9:9.4-947_ppc64le", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [] } ], "relationships": [ @@ -484,6 +493,11 @@ "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-ubi9-micro-container-ppc64le" }, + { + "spdxElementId": "SPDXRef-ubi9-micro-container-ppc64le", + "relationshipType": "DESCENDANT_OF", + "relatedSpdxElement": "SPDXRef-parent-image-0-ppc64le" + }, { "spdxElementId": "SPDXRef-ubi9-micro-container-ppc64le", "relationshipType": "CONTAINS", diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json index 4f3d611..0ea63da 100644 --- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json +++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json @@ -476,6 +476,15 @@ "checksumValue": "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234" } ] + }, + { + "SPDXID": "SPDXRef-parent-image-0-s390x", + "name": "ubi9:9.4-947_s390x", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [] } ], "relationships": [ 
@@ -484,6 +493,11 @@ "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-ubi9-micro-container-s390x" }, + { + "spdxElementId": "SPDXRef-ubi9-micro-container-s390x", + "relationshipType": "DESCENDANT_OF", + "relatedSpdxElement": "SPDXRef-parent-image-0-s390x" + }, { "spdxElementId": "SPDXRef-ubi9-micro-container-s390x", "relationshipType": "CONTAINS", diff --git a/sbom/examples/container_image/release/from_catalog.py b/sbom/examples/container_image/release/from_catalog.py index 93738fd..c3ca2dc 100644 --- a/sbom/examples/container_image/release/from_catalog.py +++ b/sbom/examples/container_image/release/from_catalog.py @@ -1,6 +1,7 @@ import json import sys +import koji import requests # These container images (identified by their NVR) are known to contain only RPM packages and no @@ -14,6 +15,8 @@ nvr_api = catalog_url + "images/nvr/" rpm_manifest_api = catalog_url + "images/id/{catalog_image_id}/rpm-manifest" +profile = koji.get_profile_module("brew") +koji_session = koji.ClientSession(profile.config.server) def get_image_data(image_nvr): response = requests.get(nvr_api + image_nvr) @@ -29,14 +32,16 @@ def get_rpms(image_id): return sorted(response.json()["rpms"], key=lambda rpm: rpm["nvra"]) -def create_sbom(image_id, root_package, packages, rel_type): - relationships = [ +def create_sbom(image_id, root_package, packages, rel_type, other_pkgs=[], other_rels=[]): + relationships = list(other_rels) + relationships.insert( + 0, { "spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": root_package["SPDXID"], - } - ] + }, + ) for pkg in packages: lhs = root_package["SPDXID"] rhs = pkg["SPDXID"] @@ -63,7 +68,7 @@ def create_sbom(image_id, root_package, packages, rel_type): }, "name": image_id, "documentNamespace": f"https://www.redhat.com/{image_id}.spdx.json", - "packages": [root_package] + packages, + "packages": [root_package] + packages + other_pkgs, "relationships": relationships, } 
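Review bot: `koji_session = koji.ClientSession(profile.config.server)` runs at import time, so importing the module now fails with a Koji error whenever the "brew" profile is not configured, and a client is constructed for every importer even when no build lookup happens. A small cached accessor keeps the behaviour but defers it to first use, e.g. `@functools.lru_cache(maxsize=None)` over `def get_koji_session(): return koji.ClientSession(koji.get_profile_module("brew").config.server)`, called from `generate_sboms_for_image`. No login call is visible, so the session is presumably anonymous and `getBuild` is read-only; a one-line comment saying so would tell readers that no credentials are involved here.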
@@ -83,6 +88,8 @@ def generate_sboms_for_image(image_nvr): for image in get_image_data(image_nvr): packages = [] + other_pkgs = [] + other_rels = [] catalog_image_id = image["_id"] image_digest = image["image_id"] @@ -185,6 +192,43 @@ def generate_sboms_for_image(image_nvr): image_pkg["externalRefs"].append(ref) per_arch_images.append(image_pkg) + # Add in parent images + parent_images = koji_session.getBuild(image_nvr) + for key in ("extra", "typeinfo", "image", "parent_images"): + parent_images = parent_images.get(key, {}) + + parent_images = [img.rsplit("/")[-1] for img in parent_images if img != "scratch"] + direct_parent_index = len(parent_images) - 1 + for index, parent_image in enumerate(parent_images): + parent_spdx_id = f"SPDXRef-parent-image-{index}-{image['architecture']}" + parent_pkg = { + "SPDXID": parent_spdx_id, + "name": f"{parent_image}_{image['architecture']}", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [], + } + other_pkgs.append(parent_pkg) + + if index == direct_parent_index: + other_rels.append( + { + "spdxElementId": spdx_image_id, + "relationshipType": "DESCENDANT_OF", + "relatedSpdxElement": parent_spdx_id, + } + ) + else: + other_rels.append( + { + "spdxElementId": parent_spdx_id, + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": spdx_image_id, + } + ) + for rpm in get_rpms(catalog_image_id): rpm_purl = ( f"pkg:rpm/redhat/{rpm['name']}@{rpm['version']}-{rpm['release']}?" @@ -225,6 +269,8 @@ def generate_sboms_for_image(image_nvr): root_package=image_pkg, packages=packages, rel_type="CONTAINS", + other_pkgs=other_pkgs, + other_rels=other_rels, ) create_sbom( 
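Review bot: Dropping `"scratch"` before computing `direct_parent_index` makes the last surviving build-stage image the DESCENDANT_OF target when the final stage is `FROM scratch`, which is how the ubi9-micro examples in this commit end up DESCENDANT_OF ubi9 (the example files in patch 3 flip that to BUILD_TOOL_OF, so the later commit presumably corrects the script as well). Record whether the final entry was `scratch` before filtering and use -1 as the index in that case so every remaining parent is emitted as BUILD_TOOL_OF; this relies on Koji listing stages in Dockerfile order with the final stage last, which should be confirmed. `koji_session.getBuild(image_nvr)` can return None for an unknown NVR, and the `.get()` walk then raises AttributeError rather than a clear error, so a guard such as `if build is None: raise ValueError(f"build not found: {image_nvr}")` would help. The parent packages also hard-code `"supplier": "Organization: Red Hat"` while `rsplit("/")` discards the registry/namespace that would show where the parent actually came from, so that provenance claim is unverified for any non-Red-Hat base. The enclosing `generate_sboms_for_image` starts and ends outside this hunk.
```python
    # … unchanged: koji_session.getBuild() lookup and the nested .get() walk …
    parent_images = [img.rsplit("/", 1)[-1] for img in parent_images]
    # A final "FROM scratch" stage means the image has no direct ancestor;
    # every listed parent is then only a build tool.  Assumes Koji lists the
    # stages in Dockerfile order with the final stage last -- TODO confirm.
    final_stage_is_scratch = bool(parent_images) and parent_images[-1] == "scratch"
    parent_images = [img for img in parent_images if img != "scratch"]
    direct_parent_index = -1 if final_stage_is_scratch else len(parent_images) - 1
    # … unchanged: per-parent package and relationship construction …
```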
diff --git a/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json b/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json index db4c3d2..b892820 100644 --- a/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json +++ b/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json @@ -3991,6 +3991,24 @@ "checksumValue": "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234" } ] + }, + { + "SPDXID": "SPDXRef-parent-image-0-amd64", + "name": "rhel9-go-toolset:1.19.4-18_amd64", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [] + }, + { + "SPDXID": "SPDXRef-parent-image-1-amd64", + "name": "rhel:9.2-1191_amd64", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [] } ], "relationships": [ @@ -3999,6 +4017,16 @@ "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-kernel-module-management-operator-container-amd64" }, + { + "spdxElementId": "SPDXRef-parent-image-0-amd64", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-kernel-module-management-operator-container-amd64" + }, + { + "spdxElementId": "SPDXRef-kernel-module-management-operator-container-amd64", + "relationshipType": "DESCENDANT_OF", + "relatedSpdxElement": "SPDXRef-parent-image-1-amd64" + }, { "spdxElementId": "SPDXRef-kernel-module-management-operator-container-amd64", "relationshipType": "CONTAINS", 
diff --git a/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json b/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json index fa1def6..6c609d2 100644 --- a/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json +++ b/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json @@ -3991,6 +3991,24 @@ "checksumValue": "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234" } ] + }, + { + "SPDXID": "SPDXRef-parent-image-0-arm64", + "name": "rhel9-go-toolset:1.19.4-18_arm64", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [] + }, + { + "SPDXID": "SPDXRef-parent-image-1-arm64", + "name": "rhel:9.2-1191_arm64", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [] } ], "relationships": [ @@ -3999,6 +4017,16 @@ "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-kernel-module-management-operator-container-arm64" }, + { + "spdxElementId": "SPDXRef-parent-image-0-arm64", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-kernel-module-management-operator-container-arm64" + }, + { + "spdxElementId": "SPDXRef-kernel-module-management-operator-container-arm64", + "relationshipType": "DESCENDANT_OF", + "relatedSpdxElement": "SPDXRef-parent-image-1-arm64" + }, { "spdxElementId": "SPDXRef-kernel-module-management-operator-container-arm64", "relationshipType": "CONTAINS", 
diff --git a/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json b/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json index b22fbeb..789e024 100644 --- a/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json +++ b/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json @@ -3991,6 +3991,24 @@ "checksumValue": "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234" } ] + }, + { + "SPDXID": "SPDXRef-parent-image-0-ppc64le", + "name": "rhel9-go-toolset:1.19.4-18_ppc64le", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [] + }, + { + "SPDXID": "SPDXRef-parent-image-1-ppc64le", + "name": "rhel:9.2-1191_ppc64le", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [] } ], "relationships": [ @@ -3999,6 +4017,16 @@ "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-kernel-module-management-operator-container-ppc64le" }, + { + "spdxElementId": "SPDXRef-parent-image-0-ppc64le", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-kernel-module-management-operator-container-ppc64le" + }, + { + "spdxElementId": "SPDXRef-kernel-module-management-operator-container-ppc64le", + "relationshipType": "DESCENDANT_OF", + "relatedSpdxElement": "SPDXRef-parent-image-1-ppc64le" + }, { "spdxElementId": "SPDXRef-kernel-module-management-operator-container-ppc64le", "relationshipType": "CONTAINS", 
diff --git a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json index cc16687..080a3c7 100644 --- a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json +++ b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json @@ -476,6 +476,15 @@ "checksumValue": "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234" } ] + }, + { + "SPDXID": "SPDXRef-parent-image-0-amd64", + "name": "ubi9:9.4-947_amd64", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [] } ], "relationships": [ @@ -484,6 +493,11 @@ "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-ubi9-micro-container-amd64" }, + { + "spdxElementId": "SPDXRef-ubi9-micro-container-amd64", + "relationshipType": "DESCENDANT_OF", + "relatedSpdxElement": "SPDXRef-parent-image-0-amd64" + }, { "spdxElementId": "SPDXRef-ubi9-micro-container-amd64", "relationshipType": "CONTAINS", diff --git a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json index 178d2b6..b486323 100644 --- a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json +++ b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json @@ -476,6 +476,15 @@ "checksumValue": "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234" } ] + }, + { + "SPDXID": "SPDXRef-parent-image-0-arm64", + "name": "ubi9:9.4-947_arm64", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [] } ], "relationships": [ 
@@ -484,6 +493,11 @@ "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-ubi9-micro-container-arm64" }, + { + "spdxElementId": "SPDXRef-ubi9-micro-container-arm64", + "relationshipType": "DESCENDANT_OF", + "relatedSpdxElement": "SPDXRef-parent-image-0-arm64" + }, { "spdxElementId": "SPDXRef-ubi9-micro-container-arm64", "relationshipType": "CONTAINS", diff --git a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json index 3fb551a..bfb4e12 100644 --- a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json +++ b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json @@ -476,6 +476,15 @@ "checksumValue": "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234" } ] + }, + { + "SPDXID": "SPDXRef-parent-image-0-ppc64le", + "name": "ubi9:9.4-947_ppc64le", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [] } ], "relationships": [ @@ -484,6 +493,11 @@ "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-ubi9-micro-container-ppc64le" }, + { + "spdxElementId": "SPDXRef-ubi9-micro-container-ppc64le", + "relationshipType": "DESCENDANT_OF", + "relatedSpdxElement": "SPDXRef-parent-image-0-ppc64le" + }, { "spdxElementId": "SPDXRef-ubi9-micro-container-ppc64le", "relationshipType": "CONTAINS", diff --git a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json index 0ce6df1..a6bffa6 100644 --- a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json +++ b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json 
@@ -476,6 +476,15 @@ "checksumValue": "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234" } ] + }, + { + "SPDXID": "SPDXRef-parent-image-0-s390x", + "name": "ubi9:9.4-947_s390x", + "versionInfo": "NOASSERTION", + "supplier": "Organization: Red Hat", + "downloadLocation": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [] } ], "relationships": [ @@ -484,6 +493,11 @@ "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-ubi9-micro-container-s390x" }, + { + "spdxElementId": "SPDXRef-ubi9-micro-container-s390x", + "relationshipType": "DESCENDANT_OF", + "relatedSpdxElement": "SPDXRef-parent-image-0-s390x" + }, { "spdxElementId": "SPDXRef-ubi9-micro-container-s390x", "relationshipType": "CONTAINS", From 442b1fcfcf6faac6c6a26077ade93917b7549f57 Mon Sep 17 00:00:00 2001 From: Tim Waugh Date: Wed, 11 Sep 2024 11:16:17 +0100 Subject: [PATCH 2/6] Fix create_sbom parameters --- sbom/examples/container_image/release/from_catalog.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sbom/examples/container_image/release/from_catalog.py b/sbom/examples/container_image/release/from_catalog.py index c3ca2dc..190b4f0 100644 --- a/sbom/examples/container_image/release/from_catalog.py +++ b/sbom/examples/container_image/release/from_catalog.py @@ -32,8 +32,8 @@ def get_rpms(image_id): return sorted(response.json()["rpms"], key=lambda rpm: rpm["nvra"]) -def create_sbom(image_id, root_package, packages, rel_type, other_pkgs=[], other_rels=[]): - relationships = list(other_rels) +def create_sbom(image_id, root_package, packages, rel_type, other_pkgs=None, other_rels=None): + relationships = list(other_rels or []) relationships.insert( 0, { 
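Review bot: `create_sbom` gains two optional parameters but still has no docstring, so the meaning of `other_pkgs` and `other_rels` (extra package entries appended after `packages`, and relationship entries placed after the DESCRIBES entry) is only discoverable by reading the body. A short docstring stating that `other_rels` is copied rather than mutated and that `None` is treated as empty for both parameters would be enough. The rest of the function body is outside this hunk.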
@@ -68,7 +68,7 @@ def create_sbom(image_id, root_package, packages, rel_type, other_pkgs=[], other }, "name": image_id, "documentNamespace": f"https://www.redhat.com/{image_id}.spdx.json", - "packages": [root_package] + packages + other_pkgs, + "packages": [root_package] + packages + (other_pkgs or []), "relationships": relationships, } From f0dcf7b3c6d285f7746f61d37a1c64abbba47268 Mon Sep 17 00:00:00 2001 From: Tim Waugh Date: Wed, 11 Sep 2024 12:31:35 +0100 Subject: [PATCH 3/6] Include purls for parent images --- ...perator-container-1.1.2-25_amd64.spdx.json | 24 ++++++-- ...perator-container-1.1.2-25_arm64.spdx.json | 24 ++++++-- ...rator-container-1.1.2-25_ppc64le.spdx.json | 24 ++++++-- ...container-9.4-6.1716471860_amd64.spdx.json | 18 ++++-- ...container-9.4-6.1716471860_arm64.spdx.json | 18 ++++-- ...ntainer-9.4-6.1716471860_ppc64le.spdx.json | 18 ++++-- ...container-9.4-6.1716471860_s390x.spdx.json | 18 ++++-- .../container_image/release/from_catalog.py | 59 +++++++++++++++---- ...perator-container-1.1.2-25_amd64.spdx.json | 24 ++++++-- ...perator-container-1.1.2-25_arm64.spdx.json | 24 ++++++-- ...rator-container-1.1.2-25_ppc64le.spdx.json | 24 ++++++-- ...container-9.4-6.1716471860_amd64.spdx.json | 18 ++++-- ...container-9.4-6.1716471860_arm64.spdx.json | 18 ++++-- ...ntainer-9.4-6.1716471860_ppc64le.spdx.json | 18 ++++-- ...container-9.4-6.1716471860_s390x.spdx.json | 18 ++++-- 15 files changed, 251 insertions(+), 96 deletions(-) diff --git a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json index d907c16..4c07357 100644 --- a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json +++ b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json 
@@ -3994,21 +3994,33 @@ }, { "SPDXID": "SPDXRef-parent-image-0-amd64", - "name": "rhel9-go-toolset:1.19.4-18_amd64", - "versionInfo": "NOASSERTION", + "name": "rhel9-go-toolset_amd64", + "versionInfo": "1.19.4-18", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION", - "externalRefs": [] + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:354b40a0fdcd1a9dd9af1b88f9a45fc2b0c8065980dfd9b5097e137a7db6e0bd" + } + ] }, { "SPDXID": "SPDXRef-parent-image-1-amd64", - "name": "rhel:9.2-1191_amd64", - "versionInfo": "NOASSERTION", + "name": "rhel_amd64", + "versionInfo": "9.2-1191", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION", - "externalRefs": [] + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/rhel@sha256:8759d95740eb14a6b6253a574edeea7de6840be30d38c630675ae2a0c76b9f93" + } + ] } ], "relationships": [ diff --git a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json index e693f52..29ad3e4 100644 --- a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json +++ b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json 
@@ -3994,21 +3994,33 @@ }, { "SPDXID": "SPDXRef-parent-image-0-arm64", - "name": "rhel9-go-toolset:1.19.4-18_arm64", - "versionInfo": "NOASSERTION", + "name": "rhel9-go-toolset_arm64", + "versionInfo": "1.19.4-18", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION", - "externalRefs": [] + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:355b1d0a6e12250247d157949dcdc68d8a9508fc027223515a6d4662f4ec03f6" + } + ] }, { "SPDXID": "SPDXRef-parent-image-1-arm64", - "name": "rhel:9.2-1191_arm64", - "versionInfo": "NOASSERTION", + "name": "rhel_arm64", + "versionInfo": "9.2-1191", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION", - "externalRefs": [] + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/rhel@sha256:8d79ed0aaf36d7bf914411aab26e3a78308fe6217ca865ad7cc107c9078bfb12" + } + ] } ], "relationships": [ diff --git a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json index 12e3814..071c495 100644 --- a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json +++ b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json 
@@ -3994,21 +3994,33 @@ }, { "SPDXID": "SPDXRef-parent-image-0-ppc64le", - "name": "rhel9-go-toolset:1.19.4-18_ppc64le", - "versionInfo": "NOASSERTION", + "name": "rhel9-go-toolset_ppc64le", + "versionInfo": "1.19.4-18", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION", - "externalRefs": [] + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:a6b2fd68651aa7d544e53676f99f9017cf241b855bcdc2400d81081bba6f329a" + } + ] }, { "SPDXID": "SPDXRef-parent-image-1-ppc64le", - "name": "rhel:9.2-1191_ppc64le", - "versionInfo": "NOASSERTION", + "name": "rhel_ppc64le", + "versionInfo": "9.2-1191", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION", - "externalRefs": [] + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/rhel@sha256:cb23b09712fa36dfa2cd39ea60afb439c17fd0fec60a26a59e122618c8a33379" + } + ] } ], "relationships": [ diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json index 4d9625e..bdeaba9 100644 --- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json +++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json 
@@ -479,12 +479,18 @@ }, { "SPDXID": "SPDXRef-parent-image-0-amd64", - "name": "ubi9:9.4-947_amd64", - "versionInfo": "NOASSERTION", + "name": "ubi9_amd64", + "versionInfo": "9.4-947", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION", - "externalRefs": [] + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/ubi9@sha256:11d5b4a77bfc15341d4b6dffa3d6ed510189fec9583db77cfc107067b5f906c5" + } + ] } ], "relationships": [ @@ -494,9 +500,9 @@ "relatedSpdxElement": "SPDXRef-ubi9-micro-container-amd64" }, { - "spdxElementId": "SPDXRef-ubi9-micro-container-amd64", - "relationshipType": "DESCENDANT_OF", - "relatedSpdxElement": "SPDXRef-parent-image-0-amd64" + "spdxElementId": "SPDXRef-parent-image-0-amd64", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-ubi9-micro-container-amd64" }, { "spdxElementId": "SPDXRef-ubi9-micro-container-amd64", diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json index 526d5dc..be6e73f 100644 --- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json +++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json @@ -479,12 +479,18 @@ }, { "SPDXID": "SPDXRef-parent-image-0-arm64", - "name": "ubi9:9.4-947_arm64", - "versionInfo": "NOASSERTION", + "name": "ubi9_arm64", + "versionInfo": "9.4-947", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION", - "externalRefs": [] + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/ubi9@sha256:cad979d0a2eb78699b62efaf4797f51c4781dfc2a17d9bef5a3a2f5d67cc8e8c" + } + ] } ], "relationships": [ 
@@ -494,9 +500,9 @@ "relatedSpdxElement": "SPDXRef-ubi9-micro-container-arm64" }, { - "spdxElementId": "SPDXRef-ubi9-micro-container-arm64", - "relationshipType": "DESCENDANT_OF", - "relatedSpdxElement": "SPDXRef-parent-image-0-arm64" + "spdxElementId": "SPDXRef-parent-image-0-arm64", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-ubi9-micro-container-arm64" }, { "spdxElementId": "SPDXRef-ubi9-micro-container-arm64", diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json index 5bf55ac..fe48584 100644 --- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json +++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json @@ -479,12 +479,18 @@ }, { "SPDXID": "SPDXRef-parent-image-0-ppc64le", - "name": "ubi9:9.4-947_ppc64le", - "versionInfo": "NOASSERTION", + "name": "ubi9_ppc64le", + "versionInfo": "9.4-947", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION", - "externalRefs": [] + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/ubi9@sha256:8a3b5f66fcf8335ba23cd4d7210faf794bcf1f05c19ef6365459852f51d06b49" + } + ] } ], "relationships": [ @@ -494,9 +500,9 @@ "relatedSpdxElement": "SPDXRef-ubi9-micro-container-ppc64le" }, { - "spdxElementId": "SPDXRef-ubi9-micro-container-ppc64le", - "relationshipType": "DESCENDANT_OF", - "relatedSpdxElement": "SPDXRef-parent-image-0-ppc64le" + "spdxElementId": "SPDXRef-parent-image-0-ppc64le", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-ubi9-micro-container-ppc64le" }, { "spdxElementId": "SPDXRef-ubi9-micro-container-ppc64le", 
diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json index 0ea63da..56241c0 100644 --- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json +++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json @@ -479,12 +479,18 @@ }, { "SPDXID": "SPDXRef-parent-image-0-s390x", - "name": "ubi9:9.4-947_s390x", - "versionInfo": "NOASSERTION", + "name": "ubi9_s390x", + "versionInfo": "9.4-947", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION", - "externalRefs": [] + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/ubi9@sha256:dee3c77221eab321e79ad2b0277b91856879a8f5b675a48ad83af26c7a774fb3" + } + ] } ], "relationships": [ @@ -494,9 +500,9 @@ "relatedSpdxElement": "SPDXRef-ubi9-micro-container-s390x" }, { - "spdxElementId": "SPDXRef-ubi9-micro-container-s390x", - "relationshipType": "DESCENDANT_OF", - "relatedSpdxElement": "SPDXRef-parent-image-0-s390x" + "spdxElementId": "SPDXRef-parent-image-0-s390x", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-ubi9-micro-container-s390x" }, { "spdxElementId": "SPDXRef-ubi9-micro-container-s390x", diff --git a/sbom/examples/container_image/release/from_catalog.py b/sbom/examples/container_image/release/from_catalog.py index 190b4f0..c96ae70 100644 --- a/sbom/examples/container_image/release/from_catalog.py +++ b/sbom/examples/container_image/release/from_catalog.py 
@@ -163,10 +163,11 @@ def generate_sboms_for_image(image_nvr): } image_index_pkg["externalRefs"].append(ref) - spdx_image_id = f"SPDXRef-{image_nvr_name}-{image['architecture']}" + arch = image["architecture"] + spdx_image_id = f"SPDXRef-{image_nvr_name}-{arch}" image_pkg = { "SPDXID": spdx_image_id, - "name": f"{image_nvr_name}_{image['architecture']}", + "name": f"{image_nvr_name}_{arch}", "versionInfo": image_nvr_version, "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", @@ -182,7 +183,7 @@ def generate_sboms_for_image(image_nvr): for name, repo_url, tag in sorted(repos): purl = ( f"pkg:oci/{name}@sha256%3A{image_index_digest}?" - f"arch={image['architecture']}&repository_url={repo_url}&tag={tag}" + f"arch={arch}&repository_url={repo_url}&tag={tag}" ) ref = { "referenceCategory": "PACKAGE-MANAGER", 
@@ -193,22 +194,56 @@ def generate_sboms_for_image(image_nvr): per_arch_images.append(image_pkg) # Add in parent images - parent_images = koji_session.getBuild(image_nvr) - for key in ("extra", "typeinfo", "image", "parent_images"): - parent_images = parent_images.get(key, {}) + image_data = koji_session.getBuild(image_nvr) + for key in ("extra", "typeinfo", "image"): + image_data = image_data.get(key, {}) - parent_images = [img.rsplit("/")[-1] for img in parent_images if img != "scratch"] + parent_image_builds = image_data.get("parent_image_builds", {}) + parent_images = image_data.get("parent_images", []) direct_parent_index = len(parent_images) - 1 for index, parent_image in enumerate(parent_images): - parent_spdx_id = f"SPDXRef-parent-image-{index}-{image['architecture']}" + try: + parent_image_build_id = parent_image_builds[parent_image]["id"] + except KeyError: + # Skip scratch builds + continue + + parent_archives = koji_session.listArchives(parent_image_build_id) + parent_digests = [ + list(a["extra"]["docker"]["digests"].values())[0] + for a in parent_archives + if a["btype"] == "image" and a["extra"]["docker"]["config"]["architecture"] == arch + ] + if parent_digests: + version = f"@{parent_digests[0]}" + else: + version = "" + + registry, rest = parent_image.split("/", maxsplit=1) + use_registry = registry in ("registry.redhat.io", "registry.access.redhat.com") + name, tag = rest.rsplit(":", maxsplit=1) + if "/" in name: + namespace, name = name.rsplit("/", maxsplit=1) + registry += "/" + namespace + + registry_q = f"&repository_url={registry}" if use_registry else "" + parent_spdx_id = f"SPDXRef-parent-image-{index}-{arch}" + purl = f"pkg:oci/{name}{version}?tag={tag}{registry_q}" + parent_pkg = { "SPDXID": parent_spdx_id, - "name": f"{parent_image}_{image['architecture']}", - "versionInfo": "NOASSERTION", + "name": f"{name}_{arch}", + "versionInfo": f"{tag}", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": 
"NOASSERTION", - "externalRefs": [], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": purl, + }, + ], } other_pkgs.append(parent_pkg) @@ -265,7 +300,7 @@ def generate_sboms_for_image(image_nvr): packages.append(rpm_pkg) create_sbom( - image_id=f"{image_nvr}_" f"{image['architecture']}", + image_id=f"{image_nvr}_" f"{arch}", root_package=image_pkg, packages=packages, rel_type="CONTAINS", diff --git a/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json b/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json index b892820..e35aa03 100644 --- a/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json +++ b/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json 
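Review bot: The `except KeyError: continue` under `# Skip scratch builds` drops any parent that is missing from `parent_image_builds`, not only `scratch`, so an unlisted parent silently disappears from the SBOM; test for it explicitly, `if parent_image == "scratch": continue`, and let a genuine lookup failure surface. When `parent_digests` is empty the parent purl is written without a version and nothing records that the parent is unpinned, so consumers get a tag-only reference they cannot verify; emit a warning naming `parent_image` and `arch` before falling through to `version = ""`. The reference parsing is also fragile: `registry, rest = parent_image.split("/", maxsplit=1)` raises ValueError for a bare `name:tag` reference, and `rest.rsplit(":", maxsplit=1)` splits a digest-pinned `name@sha256:...` reference at the wrong colon, so either guard both or state in a comment that Koji's `parent_images` entries are always `registry/namespace/name:tag`. `list(a["extra"]["docker"]["digests"].values())[0]` takes whichever entry the dict yields first, which presumably depends on the media types Koji recorded; if several are present, select by key rather than position. The enclosing `generate_sboms_for_image` starts and ends outside the hunk.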
@@ -3994,21 +3994,33 @@ }, { "SPDXID": "SPDXRef-parent-image-0-amd64", - "name": "rhel9-go-toolset:1.19.4-18_amd64", - "versionInfo": "NOASSERTION", + "name": "rhel9-go-toolset_amd64", + "versionInfo": "1.19.4-18", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION", - "externalRefs": [] + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:354b40a0fdcd1a9dd9af1b88f9a45fc2b0c8065980dfd9b5097e137a7db6e0bd?tag=1.19.4-18" + } + ] }, { "SPDXID": "SPDXRef-parent-image-1-amd64", - "name": "rhel:9.2-1191_amd64", - "versionInfo": "NOASSERTION", + "name": "rhel_amd64", + "versionInfo": "9.2-1191", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION", - "externalRefs": [] + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/rhel@sha256:8759d95740eb14a6b6253a574edeea7de6840be30d38c630675ae2a0c76b9f93?tag=9.2-1191&repository_url=registry.redhat.io/rhel9-2-els" + } + ] } ], "relationships": [ diff --git a/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json b/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json index 6c609d2..679b600 100644 --- a/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json +++ b/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json 
@@ -3994,21 +3994,33 @@ }, { "SPDXID": "SPDXRef-parent-image-0-arm64", - "name": "rhel9-go-toolset:1.19.4-18_arm64", - "versionInfo": "NOASSERTION", + "name": "rhel9-go-toolset_arm64", + "versionInfo": "1.19.4-18", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION", - "externalRefs": [] + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:355b1d0a6e12250247d157949dcdc68d8a9508fc027223515a6d4662f4ec03f6?tag=1.19.4-18" + } + ] }, { "SPDXID": "SPDXRef-parent-image-1-arm64", - "name": "rhel:9.2-1191_arm64", - "versionInfo": "NOASSERTION", + "name": "rhel_arm64", + "versionInfo": "9.2-1191", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION", - "externalRefs": [] + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/rhel@sha256:8d79ed0aaf36d7bf914411aab26e3a78308fe6217ca865ad7cc107c9078bfb12?tag=9.2-1191&repository_url=registry.redhat.io/rhel9-2-els" + } + ] } ], "relationships": [ diff --git a/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json b/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json index 789e024..22b3b7a 100644 --- a/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json +++ b/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json 
@@ -3994,21 +3994,33 @@ }, { "SPDXID": "SPDXRef-parent-image-0-ppc64le", - "name": "rhel9-go-toolset:1.19.4-18_ppc64le", - "versionInfo": "NOASSERTION", + "name": "rhel9-go-toolset_ppc64le", + "versionInfo": "1.19.4-18", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION", - "externalRefs": [] + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:a6b2fd68651aa7d544e53676f99f9017cf241b855bcdc2400d81081bba6f329a?tag=1.19.4-18" + } + ] }, { "SPDXID": "SPDXRef-parent-image-1-ppc64le", - "name": "rhel:9.2-1191_ppc64le", - "versionInfo": "NOASSERTION", + "name": "rhel_ppc64le", + "versionInfo": "9.2-1191", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION", - "externalRefs": [] + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/rhel@sha256:cb23b09712fa36dfa2cd39ea60afb439c17fd0fec60a26a59e122618c8a33379?tag=9.2-1191&repository_url=registry.redhat.io/rhel9-2-els" + } + ] } ], "relationships": [ diff --git a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json index 080a3c7..960259e 100644 --- a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json +++ b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json 
@@ -479,12 +479,18 @@ }, { "SPDXID": "SPDXRef-parent-image-0-amd64", - "name": "ubi9:9.4-947_amd64", - "versionInfo": "NOASSERTION", + "name": "ubi9_amd64", + "versionInfo": "9.4-947", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION", - "externalRefs": [] + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/ubi9@sha256:11d5b4a77bfc15341d4b6dffa3d6ed510189fec9583db77cfc107067b5f906c5?tag=9.4-947" + } + ] } ], "relationships": [ @@ -494,9 +500,9 @@ "relatedSpdxElement": "SPDXRef-ubi9-micro-container-amd64" }, { - "spdxElementId": "SPDXRef-ubi9-micro-container-amd64", - "relationshipType": "DESCENDANT_OF", - "relatedSpdxElement": "SPDXRef-parent-image-0-amd64" + "spdxElementId": "SPDXRef-parent-image-0-amd64", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-ubi9-micro-container-amd64" }, { "spdxElementId": "SPDXRef-ubi9-micro-container-amd64", diff --git a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json index b486323..427897a 100644 --- a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json +++ b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json @@ -479,12 +479,18 @@ }, { "SPDXID": "SPDXRef-parent-image-0-arm64", - "name": "ubi9:9.4-947_arm64", - "versionInfo": "NOASSERTION", + "name": "ubi9_arm64", + "versionInfo": "9.4-947", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION", - "externalRefs": [] + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/ubi9@sha256:cad979d0a2eb78699b62efaf4797f51c4781dfc2a17d9bef5a3a2f5d67cc8e8c?tag=9.4-947" + } + ] } ], "relationships": [ 
@@ -494,9 +500,9 @@ "relatedSpdxElement": "SPDXRef-ubi9-micro-container-arm64" }, { - "spdxElementId": "SPDXRef-ubi9-micro-container-arm64", - "relationshipType": "DESCENDANT_OF", - "relatedSpdxElement": "SPDXRef-parent-image-0-arm64" + "spdxElementId": "SPDXRef-parent-image-0-arm64", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-ubi9-micro-container-arm64" }, { "spdxElementId": "SPDXRef-ubi9-micro-container-arm64", diff --git a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json index bfb4e12..e66c029 100644 --- a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json +++ b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json @@ -479,12 +479,18 @@ }, { "SPDXID": "SPDXRef-parent-image-0-ppc64le", - "name": "ubi9:9.4-947_ppc64le", - "versionInfo": "NOASSERTION", + "name": "ubi9_ppc64le", + "versionInfo": "9.4-947", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION", - "externalRefs": [] + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/ubi9@sha256:8a3b5f66fcf8335ba23cd4d7210faf794bcf1f05c19ef6365459852f51d06b49?tag=9.4-947" + } + ] } ], "relationships": [ @@ -494,9 +500,9 @@ "relatedSpdxElement": "SPDXRef-ubi9-micro-container-ppc64le" }, { - "spdxElementId": "SPDXRef-ubi9-micro-container-ppc64le", - "relationshipType": "DESCENDANT_OF", - "relatedSpdxElement": "SPDXRef-parent-image-0-ppc64le" + "spdxElementId": "SPDXRef-parent-image-0-ppc64le", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-ubi9-micro-container-ppc64le" }, { "spdxElementId": "SPDXRef-ubi9-micro-container-ppc64le", 
diff --git a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json index a6bffa6..83311b8 100644 --- a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json +++ b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json @@ -479,12 +479,18 @@ }, { "SPDXID": "SPDXRef-parent-image-0-s390x", - "name": "ubi9:9.4-947_s390x", - "versionInfo": "NOASSERTION", + "name": "ubi9_s390x", + "versionInfo": "9.4-947", "supplier": "Organization: Red Hat", "downloadLocation": "NOASSERTION", "licenseDeclared": "NOASSERTION", - "externalRefs": [] + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/ubi9@sha256:dee3c77221eab321e79ad2b0277b91856879a8f5b675a48ad83af26c7a774fb3?tag=9.4-947" + } + ] } ], "relationships": [ @@ -494,9 +500,9 @@ "relatedSpdxElement": "SPDXRef-ubi9-micro-container-s390x" }, { - "spdxElementId": "SPDXRef-ubi9-micro-container-s390x", - "relationshipType": "DESCENDANT_OF", - "relatedSpdxElement": "SPDXRef-parent-image-0-s390x" + "spdxElementId": "SPDXRef-parent-image-0-s390x", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-ubi9-micro-container-s390x" }, { "spdxElementId": "SPDXRef-ubi9-micro-container-s390x", From cf20fd9d29dd6d009519e6e8ff3709f17a66e4a5 Mon Sep 17 00:00:00 2001 
From: Tim Waugh Date: Thu, 12 Sep 2024 11:25:57 +0100 Subject: [PATCH 4/6] Include checksums for parent images --- ...ement-operator-container-1.1.2-25_amd64.spdx.json | 12 ++++++++++++ ...ement-operator-container-1.1.2-25_arm64.spdx.json | 12 ++++++++++++ ...ent-operator-container-1.1.2-25_ppc64le.spdx.json | 12 ++++++++++++ ...-micro-container-9.4-6.1716471860_amd64.spdx.json | 6 ++++++ ...-micro-container-9.4-6.1716471860_arm64.spdx.json | 6 ++++++ ...icro-container-9.4-6.1716471860_ppc64le.spdx.json | 6 ++++++ ...-micro-container-9.4-6.1716471860_s390x.spdx.json | 6 ++++++ .../examples/container_image/release/from_catalog.py | 10 +++++++++- ...ement-operator-container-1.1.2-25_amd64.spdx.json | 12 ++++++++++++ ...ement-operator-container-1.1.2-25_arm64.spdx.json | 12 ++++++++++++ ...ent-operator-container-1.1.2-25_ppc64le.spdx.json | 12 ++++++++++++ ...-micro-container-9.4-6.1716471860_amd64.spdx.json | 6 ++++++ ...-micro-container-9.4-6.1716471860_arm64.spdx.json | 6 ++++++ ...icro-container-9.4-6.1716471860_ppc64le.spdx.json | 6 ++++++ ...-micro-container-9.4-6.1716471860_s390x.spdx.json | 6 ++++++ 15 files changed, 129 insertions(+), 1 deletion(-) diff --git a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json index 4c07357..c66d347 100644 --- a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json +++ b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json @@ -4005,6 +4005,12 @@ "referenceType": "purl", "referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:354b40a0fdcd1a9dd9af1b88f9a45fc2b0c8065980dfd9b5097e137a7db6e0bd" } + ], + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "354b40a0fdcd1a9dd9af1b88f9a45fc2b0c8065980dfd9b5097e137a7db6e0bd" + } ] }, { 
@@ -4020,6 +4026,12 @@ "referenceType": "purl", "referenceLocator": "pkg:oci/rhel@sha256:8759d95740eb14a6b6253a574edeea7de6840be30d38c630675ae2a0c76b9f93" } + ], + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "8759d95740eb14a6b6253a574edeea7de6840be30d38c630675ae2a0c76b9f93" + } ] } ], diff --git a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json index 29ad3e4..03c91d4 100644 --- a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json +++ b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json @@ -4005,6 +4005,12 @@ "referenceType": "purl", "referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:355b1d0a6e12250247d157949dcdc68d8a9508fc027223515a6d4662f4ec03f6" } + ], + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "355b1d0a6e12250247d157949dcdc68d8a9508fc027223515a6d4662f4ec03f6" + } ] }, { @@ -4020,6 +4026,12 @@ "referenceType": "purl", "referenceLocator": "pkg:oci/rhel@sha256:8d79ed0aaf36d7bf914411aab26e3a78308fe6217ca865ad7cc107c9078bfb12" } + ], + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "8d79ed0aaf36d7bf914411aab26e3a78308fe6217ca865ad7cc107c9078bfb12" + } ] } ], diff --git a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json index 071c495..797c278 100644 --- a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json +++ b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json 
@@ -4005,6 +4005,12 @@ "referenceType": "purl", "referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:a6b2fd68651aa7d544e53676f99f9017cf241b855bcdc2400d81081bba6f329a" } + ], + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "b2fd68651aa7d544e53676f99f9017cf241b855bcdc2400d81081bba6f329a" + } ] }, { @@ -4020,6 +4026,12 @@ "referenceType": "purl", "referenceLocator": "pkg:oci/rhel@sha256:cb23b09712fa36dfa2cd39ea60afb439c17fd0fec60a26a59e122618c8a33379" } + ], + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "cb23b09712fa36dfa2cd39ea60afb439c17fd0fec60a26a59e122618c8a33379" + } ] } ], diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json index bdeaba9..77646b4 100644 --- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json +++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json @@ -490,6 +490,12 @@ "referenceType": "purl", "referenceLocator": "pkg:oci/ubi9@sha256:11d5b4a77bfc15341d4b6dffa3d6ed510189fec9583db77cfc107067b5f906c5" } + ], + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "11d5b4a77bfc15341d4b6dffa3d6ed510189fec9583db77cfc107067b5f906c5" + } ] } ], diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json index be6e73f..e33529c 100644 --- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json +++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json 
@@ -490,6 +490,12 @@ "referenceType": "purl", "referenceLocator": "pkg:oci/ubi9@sha256:cad979d0a2eb78699b62efaf4797f51c4781dfc2a17d9bef5a3a2f5d67cc8e8c" } + ], + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "cad979d0a2eb78699b62efaf4797f51c4781dfc2a17d9bef5a3a2f5d67cc8e8c" + } ] } ], diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json index fe48584..489267d 100644 --- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json +++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json @@ -490,6 +490,12 @@ "referenceType": "purl", "referenceLocator": "pkg:oci/ubi9@sha256:8a3b5f66fcf8335ba23cd4d7210faf794bcf1f05c19ef6365459852f51d06b49" } + ], + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "8a3b5f66fcf8335ba23cd4d7210faf794bcf1f05c19ef6365459852f51d06b49" + } ] } ], diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json index 56241c0..14abdf3 100644 --- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json +++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json @@ -490,6 +490,12 @@ "referenceType": "purl", "referenceLocator": "pkg:oci/ubi9@sha256:dee3c77221eab321e79ad2b0277b91856879a8f5b675a48ad83af26c7a774fb3" } + ], + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "dee3c77221eab321e79ad2b0277b91856879a8f5b675a48ad83af26c7a774fb3" + } ] } ], diff --git a/sbom/examples/container_image/release/from_catalog.py b/sbom/examples/container_image/release/from_catalog.py index c96ae70..b0defeb 100644 --- a/sbom/examples/container_image/release/from_catalog.py 
+++ b/sbom/examples/container_image/release/from_catalog.py @@ -214,8 +214,9 @@ def generate_sboms_for_image(image_nvr): for a in parent_archives if a["btype"] == "image" and a["extra"]["docker"]["config"]["architecture"] == arch ] + parent_digest = parent_digests[0] if parent_digests else "" if parent_digests: - version = f"@{parent_digests[0]}" + version = f"@{parent_digest}" else: version = "" @@ -245,6 +246,13 @@ def generate_sboms_for_image(image_nvr): }, ], } + if parent_digest: + parent_pkg["checksums"] = [ + { + "algorithm": "SHA256", + "checksumValue": parent_digest.lstrip("sha256:"), + } + ] other_pkgs.append(parent_pkg) if index == direct_parent_index: diff --git a/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json b/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json index e35aa03..c6b55ad 100644 --- a/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json +++ b/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json @@ -4005,6 +4005,12 @@ "referenceType": "purl", "referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:354b40a0fdcd1a9dd9af1b88f9a45fc2b0c8065980dfd9b5097e137a7db6e0bd?tag=1.19.4-18" } + ], + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "354b40a0fdcd1a9dd9af1b88f9a45fc2b0c8065980dfd9b5097e137a7db6e0bd" + } ] }, { @@ -4020,6 +4026,12 @@ "referenceType": "purl", "referenceLocator": "pkg:oci/rhel@sha256:8759d95740eb14a6b6253a574edeea7de6840be30d38c630675ae2a0c76b9f93?tag=9.2-1191&repository_url=registry.redhat.io/rhel9-2-els" } + ], + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "8759d95740eb14a6b6253a574edeea7de6840be30d38c630675ae2a0c76b9f93" + } ] } ], 
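Review bot: With `parent_digest` now computed up front, the following `if parent_digests: ... else: version = ""` repeats the same test on the other variable; collapse it to `version = f"@{parent_digest}" if parent_digest else ""`, which also keeps the two from drifting apart. The enclosing function continues outside the hunk.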
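Review bot: `parent_digest.lstrip("sha256:")` strips a character set, not a prefix: any digest whose hex begins with one of `s h a 2 5 6` loses those leading characters as well, which is exactly what the regenerated ppc64le examples in this series show, the purl carrying `sha256:a6b2fd68...` while `checksumValue` is `b2fd68...`, 62 hex digits. A truncated checksum defeats the purpose of the commit, since a consumer comparing it against the manifest digest can never get a match. Use `parent_digest.removeprefix("sha256:")` (3.9+) or `parent_digest.partition(":")[2]`, and consider deriving `"algorithm"` from the part before the colon instead of hard-coding `"SHA256"`, so a different digest algorithm from Koji cannot be mislabelled. The ppc64le example files in both the build and release trees at this commit carry the truncated value and will need regenerating once the fix lands.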
diff --git a/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json b/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json index 679b600..2e07dbe 100644 --- a/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json +++ b/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json @@ -4005,6 +4005,12 @@ "referenceType": "purl", "referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:355b1d0a6e12250247d157949dcdc68d8a9508fc027223515a6d4662f4ec03f6?tag=1.19.4-18" } + ], + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "355b1d0a6e12250247d157949dcdc68d8a9508fc027223515a6d4662f4ec03f6" + } ] }, { @@ -4020,6 +4026,12 @@ "referenceType": "purl", "referenceLocator": "pkg:oci/rhel@sha256:8d79ed0aaf36d7bf914411aab26e3a78308fe6217ca865ad7cc107c9078bfb12?tag=9.2-1191&repository_url=registry.redhat.io/rhel9-2-els" } + ], + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "8d79ed0aaf36d7bf914411aab26e3a78308fe6217ca865ad7cc107c9078bfb12" + } ] } ], diff --git a/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json b/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json index 22b3b7a..1fa38be 100644 --- a/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json +++ b/sbom/examples/container_image/release/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json 
@@ -4005,6 +4005,12 @@ "referenceType": "purl", "referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:a6b2fd68651aa7d544e53676f99f9017cf241b855bcdc2400d81081bba6f329a?tag=1.19.4-18" } + ], + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "b2fd68651aa7d544e53676f99f9017cf241b855bcdc2400d81081bba6f329a" + } ] }, { @@ -4020,6 +4026,12 @@ "referenceType": "purl", "referenceLocator": "pkg:oci/rhel@sha256:cb23b09712fa36dfa2cd39ea60afb439c17fd0fec60a26a59e122618c8a33379?tag=9.2-1191&repository_url=registry.redhat.io/rhel9-2-els" } + ], + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "cb23b09712fa36dfa2cd39ea60afb439c17fd0fec60a26a59e122618c8a33379" + } ] } ], diff --git a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json index 960259e..39ee7b5 100644 --- a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json +++ b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json @@ -490,6 +490,12 @@ "referenceType": "purl", "referenceLocator": "pkg:oci/ubi9@sha256:11d5b4a77bfc15341d4b6dffa3d6ed510189fec9583db77cfc107067b5f906c5?tag=9.4-947" } + ], + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "11d5b4a77bfc15341d4b6dffa3d6ed510189fec9583db77cfc107067b5f906c5" + } ] } ], diff --git a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json index 427897a..c0ce3eb 100644 --- a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json +++ b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json 
@@ -490,6 +490,12 @@ "referenceType": "purl", "referenceLocator": "pkg:oci/ubi9@sha256:cad979d0a2eb78699b62efaf4797f51c4781dfc2a17d9bef5a3a2f5d67cc8e8c?tag=9.4-947" } + ], + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "cad979d0a2eb78699b62efaf4797f51c4781dfc2a17d9bef5a3a2f5d67cc8e8c" + } ] } ], diff --git a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json index e66c029..7526df3 100644 --- a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json +++ b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json @@ -490,6 +490,12 @@ "referenceType": "purl", "referenceLocator": "pkg:oci/ubi9@sha256:8a3b5f66fcf8335ba23cd4d7210faf794bcf1f05c19ef6365459852f51d06b49?tag=9.4-947" } + ], + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "8a3b5f66fcf8335ba23cd4d7210faf794bcf1f05c19ef6365459852f51d06b49" + } ] } ], diff --git a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json index 83311b8..258d1f5 100644 --- a/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json +++ b/sbom/examples/container_image/release/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json @@ -490,6 +490,12 @@ "referenceType": "purl", "referenceLocator": "pkg:oci/ubi9@sha256:dee3c77221eab321e79ad2b0277b91856879a8f5b675a48ad83af26c7a774fb3?tag=9.4-947" } + ], + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "dee3c77221eab321e79ad2b0277b91856879a8f5b675a48ad83af26c7a774fb3" + } ] } ], From 065db6237b439cc96eee30133c4d220a9189ab10 Mon Sep 17 00:00:00 2001 
From: Tim Waugh Date: Mon, 7 Oct 2024 16:28:17 +0100 Subject: [PATCH 5/6] Regenerate with fixes from main --- ...ule-management-operator-container-1.1.2-25_amd64.spdx.json | 4 ++-- ...ule-management-operator-container-1.1.2-25_arm64.spdx.json | 4 ++-- ...e-management-operator-container-1.1.2-25_ppc64le.spdx.json | 4 ++-- .../ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json | 2 +- .../ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json | 2 +- .../ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json | 2 +- .../ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json | 2 +- 7 files changed, 10 insertions(+), 10 deletions(-) diff --git a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json index c66d347..b87b911 100644 --- a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json +++ b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json @@ -4003,7 +4003,7 @@ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - "referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:354b40a0fdcd1a9dd9af1b88f9a45fc2b0c8065980dfd9b5097e137a7db6e0bd" + "referenceLocator": "pkg:oci/rhel9-go-toolset@sha256%3A354b40a0fdcd1a9dd9af1b88f9a45fc2b0c8065980dfd9b5097e137a7db6e0bd" } ], "checksums": [ @@ -4024,7 +4024,7 @@ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - "referenceLocator": "pkg:oci/rhel@sha256:8759d95740eb14a6b6253a574edeea7de6840be30d38c630675ae2a0c76b9f93" + "referenceLocator": "pkg:oci/rhel@sha256%3A8759d95740eb14a6b6253a574edeea7de6840be30d38c630675ae2a0c76b9f93" } ], "checksums": [ 
diff --git a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json index 03c91d4..02a2fca 100644 --- a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json +++ b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json @@ -4003,7 +4003,7 @@ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - "referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:355b1d0a6e12250247d157949dcdc68d8a9508fc027223515a6d4662f4ec03f6" + "referenceLocator": "pkg:oci/rhel9-go-toolset@sha256%3A355b1d0a6e12250247d157949dcdc68d8a9508fc027223515a6d4662f4ec03f6" } ], "checksums": [ @@ -4024,7 +4024,7 @@ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - "referenceLocator": "pkg:oci/rhel@sha256:8d79ed0aaf36d7bf914411aab26e3a78308fe6217ca865ad7cc107c9078bfb12" + "referenceLocator": "pkg:oci/rhel@sha256%3A8d79ed0aaf36d7bf914411aab26e3a78308fe6217ca865ad7cc107c9078bfb12" } ], "checksums": [ diff --git a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json index 797c278..504b426 100644 --- a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json +++ b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json @@ -4003,7 +4003,7 @@ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - "referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:a6b2fd68651aa7d544e53676f99f9017cf241b855bcdc2400d81081bba6f329a" + "referenceLocator": "pkg:oci/rhel9-go-toolset@sha256%3Aa6b2fd68651aa7d544e53676f99f9017cf241b855bcdc2400d81081bba6f329a" } ], "checksums": [ 
@@ -4024,7 +4024,7 @@ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - "referenceLocator": "pkg:oci/rhel@sha256:cb23b09712fa36dfa2cd39ea60afb439c17fd0fec60a26a59e122618c8a33379" + "referenceLocator": "pkg:oci/rhel@sha256%3Acb23b09712fa36dfa2cd39ea60afb439c17fd0fec60a26a59e122618c8a33379" } ], "checksums": [ diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json index 77646b4..0a5e455 100644 --- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json +++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json @@ -488,7 +488,7 @@ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - "referenceLocator": "pkg:oci/ubi9@sha256:11d5b4a77bfc15341d4b6dffa3d6ed510189fec9583db77cfc107067b5f906c5" + "referenceLocator": "pkg:oci/ubi9@sha256%3A11d5b4a77bfc15341d4b6dffa3d6ed510189fec9583db77cfc107067b5f906c5" } ], "checksums": [ diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json index e33529c..131c2d7 100644 --- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json +++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json @@ -488,7 +488,7 @@ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - "referenceLocator": "pkg:oci/ubi9@sha256:cad979d0a2eb78699b62efaf4797f51c4781dfc2a17d9bef5a3a2f5d67cc8e8c" + "referenceLocator": "pkg:oci/ubi9@sha256%3Acad979d0a2eb78699b62efaf4797f51c4781dfc2a17d9bef5a3a2f5d67cc8e8c" } ], "checksums": [ 
diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json index 489267d..21af89e 100644 --- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json +++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json @@ -488,7 +488,7 @@ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - "referenceLocator": "pkg:oci/ubi9@sha256:8a3b5f66fcf8335ba23cd4d7210faf794bcf1f05c19ef6365459852f51d06b49" + "referenceLocator": "pkg:oci/ubi9@sha256%3A8a3b5f66fcf8335ba23cd4d7210faf794bcf1f05c19ef6365459852f51d06b49" } ], "checksums": [ diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json index 14abdf3..9f350e4 100644 --- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json +++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json @@ -488,7 +488,7 @@ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - "referenceLocator": "pkg:oci/ubi9@sha256:dee3c77221eab321e79ad2b0277b91856879a8f5b675a48ad83af26c7a774fb3" + "referenceLocator": "pkg:oci/ubi9@sha256%3Adee3c77221eab321e79ad2b0277b91856879a8f5b675a48ad83af26c7a774fb3" } ], "checksums": [ From 0896f037394ab1370c7c69258c98981999f8eb16 Mon Sep 17 00:00:00 2001 From: Tim Waugh Date: Mon, 7 Oct 2024 16:33:58 +0100 Subject: [PATCH 6/6] Reformat with black --- sbom/examples/container_image/release/from_catalog.py | 1 + 1 file changed, 1 insertion(+) diff --git a/sbom/examples/container_image/release/from_catalog.py b/sbom/examples/container_image/release/from_catalog.py index b0defeb..37ddda3 100644 --- a/sbom/examples/container_image/release/from_catalog.py 
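Review bot: The purl digests in these build/ examples are now percent-encoded (`sha256%3A…`), which is the purl spec's form for OCI versions, but the release/ counterparts diffed earlier on this page still carry the unencoded `sha256:` form, and this commit's diffstat lists only the seven build/ files. If both example sets are produced by from_catalog.py, the release/ examples presumably need regenerating too; otherwise the two directories disagree on how the same digest is spelled and a consumer comparing purls across them by string equality will not match them. Since the `checksums` entry now carries the raw digest, verifiers should prefer it over parsing the digest back out of the purl, and a small test that percent-decodes each OCI purl version and compares it with the sibling `checksumValue` would catch both this drift and truncated digests.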
+++ b/sbom/examples/container_image/release/from_catalog.py
@@ -18,6 +18,7 @@
 profile = koji.get_profile_module("brew")
 koji_session = koji.ClientSession(profile.config.server)
 
+
 def get_image_data(image_nvr):
     response = requests.get(nvr_api + image_nvr)
     response.raise_for_status()