Include purls for parent images
twaugh committed Sep 12, 2024
1 parent 2689251 commit c01907d
Showing 15 changed files with 251 additions and 96 deletions.
Expand Up @@ -3994,21 +3994,33 @@
},
{
"SPDXID": "SPDXRef-parent-image-0-amd64",
"name": "rhel9-go-toolset:1.19.4-18_amd64",
"versionInfo": "NOASSERTION",
"name": "rhel9-go-toolset_amd64",
"versionInfo": "1.19.4-18",
"supplier": "Organization: Red Hat",
"downloadLocation": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"externalRefs": []
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:354b40a0fdcd1a9dd9af1b88f9a45fc2b0c8065980dfd9b5097e137a7db6e0bd"
}
]
},
{
"SPDXID": "SPDXRef-parent-image-1-amd64",
"name": "rhel:9.2-1191_amd64",
"versionInfo": "NOASSERTION",
"name": "rhel_amd64",
"versionInfo": "9.2-1191",
"supplier": "Organization: Red Hat",
"downloadLocation": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"externalRefs": []
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:oci/rhel@sha256:8759d95740eb14a6b6253a574edeea7de6840be30d38c630675ae2a0c76b9f93"
}
]
}
],
"relationships": [
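Review bot: The parent purls added in this section (`pkg:oci/rhel9-go-toolset@sha256:354b40…` under `externalRefs` of SPDXRef-parent-image-0-amd64) carry neither a `tag` nor a `repository_url` qualifier, while the section near the end of this commit emits `…@sha256:354b40…?tag=1.19.4-18` for what is the same parent build, and the patched from_catalog.py always appends `?tag=`; if these example files are generated as well, the two generators now disagree on how a parent image is identified, and the difference should be reconciled or the intended distinction documented alongside the examples. The same applies to the arm64 and ppc64le sections that follow and to the ubi9 sections. The digest is also spelled `@sha256:` here, whereas the image purls built in from_catalog.py percent-encode it as `sha256%3A`, which is the form the purl spec's pkg:oci example uses; consumers that canonicalise purls may treat the two spellings as distinct identifiers for one image.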
Expand Up @@ -3994,21 +3994,33 @@
},
{
"SPDXID": "SPDXRef-parent-image-0-arm64",
"name": "rhel9-go-toolset:1.19.4-18_arm64",
"versionInfo": "NOASSERTION",
"name": "rhel9-go-toolset_arm64",
"versionInfo": "1.19.4-18",
"supplier": "Organization: Red Hat",
"downloadLocation": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"externalRefs": []
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:355b1d0a6e12250247d157949dcdc68d8a9508fc027223515a6d4662f4ec03f6"
}
]
},
{
"SPDXID": "SPDXRef-parent-image-1-arm64",
"name": "rhel:9.2-1191_arm64",
"versionInfo": "NOASSERTION",
"name": "rhel_arm64",
"versionInfo": "9.2-1191",
"supplier": "Organization: Red Hat",
"downloadLocation": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"externalRefs": []
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:oci/rhel@sha256:8d79ed0aaf36d7bf914411aab26e3a78308fe6217ca865ad7cc107c9078bfb12"
}
]
}
],
"relationships": [
Expand Up @@ -3994,21 +3994,33 @@
},
{
"SPDXID": "SPDXRef-parent-image-0-ppc64le",
"name": "rhel9-go-toolset:1.19.4-18_ppc64le",
"versionInfo": "NOASSERTION",
"name": "rhel9-go-toolset_ppc64le",
"versionInfo": "1.19.4-18",
"supplier": "Organization: Red Hat",
"downloadLocation": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"externalRefs": []
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:a6b2fd68651aa7d544e53676f99f9017cf241b855bcdc2400d81081bba6f329a"
}
]
},
{
"SPDXID": "SPDXRef-parent-image-1-ppc64le",
"name": "rhel:9.2-1191_ppc64le",
"versionInfo": "NOASSERTION",
"name": "rhel_ppc64le",
"versionInfo": "9.2-1191",
"supplier": "Organization: Red Hat",
"downloadLocation": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"externalRefs": []
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:oci/rhel@sha256:cb23b09712fa36dfa2cd39ea60afb439c17fd0fec60a26a59e122618c8a33379"
}
]
}
],
"relationships": [
Expand Up @@ -479,12 +479,18 @@
},
{
"SPDXID": "SPDXRef-parent-image-0-amd64",
"name": "ubi9:9.4-947_amd64",
"versionInfo": "NOASSERTION",
"name": "ubi9_amd64",
"versionInfo": "9.4-947",
"supplier": "Organization: Red Hat",
"downloadLocation": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"externalRefs": []
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:oci/ubi9@sha256:11d5b4a77bfc15341d4b6dffa3d6ed510189fec9583db77cfc107067b5f906c5"
}
]
}
],
"relationships": [
Expand All @@ -494,9 +500,9 @@
"relatedSpdxElement": "SPDXRef-ubi9-micro-container-amd64"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-amd64",
"relationshipType": "DESCENDANT_OF",
"relatedSpdxElement": "SPDXRef-parent-image-0-amd64"
"spdxElementId": "SPDXRef-parent-image-0-amd64",
"relationshipType": "BUILD_TOOL_OF",
"relatedSpdxElement": "SPDXRef-ubi9-micro-container-amd64"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-amd64",
Expand Up @@ -479,12 +479,18 @@
},
{
"SPDXID": "SPDXRef-parent-image-0-arm64",
"name": "ubi9:9.4-947_arm64",
"versionInfo": "NOASSERTION",
"name": "ubi9_arm64",
"versionInfo": "9.4-947",
"supplier": "Organization: Red Hat",
"downloadLocation": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"externalRefs": []
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:oci/ubi9@sha256:cad979d0a2eb78699b62efaf4797f51c4781dfc2a17d9bef5a3a2f5d67cc8e8c"
}
]
}
],
"relationships": [
Expand All @@ -494,9 +500,9 @@
"relatedSpdxElement": "SPDXRef-ubi9-micro-container-arm64"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-arm64",
"relationshipType": "DESCENDANT_OF",
"relatedSpdxElement": "SPDXRef-parent-image-0-arm64"
"spdxElementId": "SPDXRef-parent-image-0-arm64",
"relationshipType": "BUILD_TOOL_OF",
"relatedSpdxElement": "SPDXRef-ubi9-micro-container-arm64"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-arm64",
Expand Up @@ -479,12 +479,18 @@
},
{
"SPDXID": "SPDXRef-parent-image-0-ppc64le",
"name": "ubi9:9.4-947_ppc64le",
"versionInfo": "NOASSERTION",
"name": "ubi9_ppc64le",
"versionInfo": "9.4-947",
"supplier": "Organization: Red Hat",
"downloadLocation": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"externalRefs": []
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:oci/ubi9@sha256:8a3b5f66fcf8335ba23cd4d7210faf794bcf1f05c19ef6365459852f51d06b49"
}
]
}
],
"relationships": [
Expand All @@ -494,9 +500,9 @@
"relatedSpdxElement": "SPDXRef-ubi9-micro-container-ppc64le"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-ppc64le",
"relationshipType": "DESCENDANT_OF",
"relatedSpdxElement": "SPDXRef-parent-image-0-ppc64le"
"spdxElementId": "SPDXRef-parent-image-0-ppc64le",
"relationshipType": "BUILD_TOOL_OF",
"relatedSpdxElement": "SPDXRef-ubi9-micro-container-ppc64le"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-ppc64le",
Expand Up @@ -479,12 +479,18 @@
},
{
"SPDXID": "SPDXRef-parent-image-0-s390x",
"name": "ubi9:9.4-947_s390x",
"versionInfo": "NOASSERTION",
"name": "ubi9_s390x",
"versionInfo": "9.4-947",
"supplier": "Organization: Red Hat",
"downloadLocation": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"externalRefs": []
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:oci/ubi9@sha256:dee3c77221eab321e79ad2b0277b91856879a8f5b675a48ad83af26c7a774fb3"
}
]
}
],
"relationships": [
Expand All @@ -494,9 +500,9 @@
"relatedSpdxElement": "SPDXRef-ubi9-micro-container-s390x"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-s390x",
"relationshipType": "DESCENDANT_OF",
"relatedSpdxElement": "SPDXRef-parent-image-0-s390x"
"spdxElementId": "SPDXRef-parent-image-0-s390x",
"relationshipType": "BUILD_TOOL_OF",
"relatedSpdxElement": "SPDXRef-ubi9-micro-container-s390x"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-s390x",
59 changes: 47 additions & 12 deletions sbom/examples/container_image/release/from_catalog.py
Expand Up @@ -164,10 +164,11 @@ def generate_sboms_for_image(image_nvr):
}
image_index_pkg["externalRefs"].append(ref)

spdx_image_id = f"SPDXRef-{image_nvr_name}-{image['architecture']}"
arch = image["architecture"]
spdx_image_id = f"SPDXRef-{image_nvr_name}-{arch}"
image_pkg = {
"SPDXID": spdx_image_id,
"name": f"{image_nvr_name}_{image['architecture']}",
"name": f"{image_nvr_name}_{arch}",
"versionInfo": image_nvr_version,
"supplier": "Organization: Red Hat",
"downloadLocation": "NOASSERTION",
Expand All @@ -183,7 +184,7 @@ def generate_sboms_for_image(image_nvr):
for name, repo_url, tag in sorted(repos):
purl = (
f"pkg:oci/{name}@sha256%3A{image_index_digest}?"
f"arch={image['architecture']}&repository_url={repo_url}&tag={tag}"
f"arch={arch}&repository_url={repo_url}&tag={tag}"
)
ref = {
"referenceCategory": "PACKAGE-MANAGER",
Expand All @@ -194,22 +195,56 @@ def generate_sboms_for_image(image_nvr):
per_arch_images.append(image_pkg)

# Add in parent images
parent_images = koji_session.getBuild(image_nvr)
for key in ("extra", "typeinfo", "image", "parent_images"):
parent_images = parent_images.get(key, {})
image_data = koji_session.getBuild(image_nvr)
for key in ("extra", "typeinfo", "image"):
image_data = image_data.get(key, {})

parent_images = [img.rsplit("/")[-1] for img in parent_images if img != "scratch"]
parent_image_builds = image_data.get("parent_image_builds", {})
parent_images = image_data.get("parent_images", [])
direct_parent_index = len(parent_images) - 1
for index, parent_image in enumerate(parent_images):
parent_spdx_id = f"SPDXRef-parent-image-{index}-{image['architecture']}"
try:
parent_image_build_id = parent_image_builds[parent_image]["id"]
except KeyError:
# Skip scratch builds
continue

parent_archives = koji_session.listArchives(parent_image_build_id)
parent_digests = [
list(a["extra"]["docker"]["digests"].values())[0]
for a in parent_archives
if a["btype"] == "image" and a["extra"]["docker"]["config"]["architecture"] == arch
]
if parent_digests:
version = f"@{parent_digests[0]}"
else:
version = ""

registry, rest = parent_image.split("/", maxsplit=1)
use_registry = registry in ("registry.redhat.io", "registry.access.redhat.com")
name, tag = rest.rsplit(":", maxsplit=1)
if "/" in name:
namespace, name = name.rsplit("/", maxsplit=1)
registry += "/" + namespace

registry_q = f"&repository_url={registry}" if use_registry else ""
parent_spdx_id = f"SPDXRef-parent-image-{index}-{arch}"
purl = f"pkg:oci/{name}{version}?tag={tag}{registry_q}"

parent_pkg = {
"SPDXID": parent_spdx_id,
"name": f"{parent_image}_{image['architecture']}",
"versionInfo": "NOASSERTION",
"name": f"{name}_{arch}",
"versionInfo": f"{tag}",
"supplier": "Organization: Red Hat",
"downloadLocation": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"externalRefs": [],
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": purl,
},
],
}
other_pkgs.append(parent_pkg)

Expand Down Expand Up @@ -266,7 +301,7 @@ def generate_sboms_for_image(image_nvr):
packages.append(rpm_pkg)

create_sbom(
image_id=f"{image_nvr}_" f"{image['architecture']}",
image_id=f"{image_nvr}_" f"{arch}",
root_package=image_pkg,
packages=packages,
rel_type="CONTAINS",
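Review bot: In the parent-image hunk, `registry, rest = parent_image.split("/", maxsplit=1)` and `name, tag = rest.rsplit(":", maxsplit=1)` raise ValueError for a parent reference with no registry component or no tag, and for a digest-pinned parent (`…@sha256:<hex>`) the `:` split lands inside the digest so `name` ends in `@sha256` and the purl is malformed; the replaced `rsplit("/")[-1]` tolerated all of these. Splitting off any `@digest` suffix first and treating registry and tag as optional keeps the purl well-formed, the pinned digest is a better `version` fallback than the `version = ""` branch a few lines above (which silently drops the only immutable identifier of the parent from the SBOM), and `versionInfo` should fall back to `"NOASSERTION"` rather than `""` when no tag is present. Separately, this purl embeds `@sha256:` while the image purl earlier in the function uses `sha256%3A`, the percent-encoded form the purl spec's pkg:oci example uses; the two should agree. The `except KeyError: continue` commented `# Skip scratch builds` also swallows any parent whose build is missing from `parent_image_builds` for other reasons, quietly omitting it from the SBOM; testing `parent_image == "scratch"` explicitly and letting a genuine lookup failure surface would keep the document complete. generate_sboms_for_image starts and ends outside this hunk.
```python
        # … unchanged: koji archive lookup and version fallback …
        # Strip a digest-pinned suffix first so the ":" split below cannot cut inside "sha256:<hex>".
        ref, _, pinned_digest = parent_image.partition("@")
        if "/" in ref:
            registry, rest = ref.split("/", maxsplit=1)
        else:
            registry, rest = "", ref
        if ":" in rest:
            name, tag = rest.rsplit(":", maxsplit=1)
        else:
            name, tag = rest, ""
        if not parent_digests and pinned_digest:
            version = f"@{pinned_digest}"
        use_registry = registry in ("registry.redhat.io", "registry.access.redhat.com")
        # … unchanged: namespace handling, purl and parent_pkg construction (adjust "?tag=" when tag is empty) …
```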
Expand Up @@ -3994,21 +3994,33 @@
},
{
"SPDXID": "SPDXRef-parent-image-0-amd64",
"name": "rhel9-go-toolset:1.19.4-18_amd64",
"versionInfo": "NOASSERTION",
"name": "rhel9-go-toolset_amd64",
"versionInfo": "1.19.4-18",
"supplier": "Organization: Red Hat",
"downloadLocation": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"externalRefs": []
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:oci/rhel9-go-toolset@sha256:354b40a0fdcd1a9dd9af1b88f9a45fc2b0c8065980dfd9b5097e137a7db6e0bd?tag=1.19.4-18"
}
]
},
{
"SPDXID": "SPDXRef-parent-image-1-amd64",
"name": "rhel:9.2-1191_amd64",
"versionInfo": "NOASSERTION",
"name": "rhel_amd64",
"versionInfo": "9.2-1191",
"supplier": "Organization: Red Hat",
"downloadLocation": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"externalRefs": []
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:oci/rhel@sha256:8759d95740eb14a6b6253a574edeea7de6840be30d38c630675ae2a0c76b9f93?tag=9.2-1191&repository_url=registry.redhat.io/rhel9-2-els"
}
]
}
],
"relationships": [