From baeb3865010e93532116cb3ece09d8d2f836a036 Mon Sep 17 00:00:00 2001
From: Tim Waugh
Date: Wed, 11 Sep 2024 15:42:24 +0100
Subject: [PATCH 1/2] Build-time container image SBOM purls will have a tag qualifier, just not repository_url

---
 sbom/examples/container_image/build/remove_release_data.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sbom/examples/container_image/build/remove_release_data.py b/sbom/examples/container_image/build/remove_release_data.py
index 9f9f17b..70b30a2 100644
--- a/sbom/examples/container_image/build/remove_release_data.py
+++ b/sbom/examples/container_image/build/remove_release_data.py
@@ -14,7 +14,6 @@
 for purl_ref in [ref for ref in pkg.get("externalRefs", []) if ref["referenceType"] == "purl"]:
 purl = PackageURL.from_string(purl_ref["referenceLocator"])
 if purl.type == "oci":
- purl.qualifiers.pop("tag", None)
 purl.qualifiers.pop("repository_url", None)
 purl_ref["referenceLocator"] = purl.to_string()

From 3c814ef791215c2c238603fa7aa160eaa72f16a0 Mon Sep 17 00:00:00 2001
From: Tim Waugh
Date: Wed, 11 Sep 2024 15:54:13 +0100
Subject: [PATCH 2/2] Fix build-time container image SBOM synthesis from release-time

---
 ...ment-operator-container-1.1.2-25.spdx.json | 8 ++++----
 ...perator-container-1.1.2-25_amd64.spdx.json | 2 +-
 ...perator-container-1.1.2-25_arm64.spdx.json | 2 +-
 ...rator-container-1.1.2-25_ppc64le.spdx.json | 2 +-
 .../build/remove_release_data.py | 18 ++++++++++++++++-
 ...micro-container-9.4-6.1716471860.spdx.json | 20 +++++++++----------
 ...container-9.4-6.1716471860_amd64.spdx.json | 4 ++--
 ...container-9.4-6.1716471860_arm64.spdx.json | 4 ++--
 ...ntainer-9.4-6.1716471860_ppc64le.spdx.json | 4 ++--
 ...container-9.4-6.1716471860_s390x.spdx.json | 4 ++--
 10 files changed, 42 insertions(+), 26 deletions(-)
diff --git a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25.spdx.json b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25.spdx.json
index c625f7d..cb6b6f9 100644
--- a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25.spdx.json
+++ b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25.spdx.json
@@ -22,7 +22,7 @@
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:d845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98"
+ "referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:d845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98?tag=1.1.2-25"
 }
 ],
 "checksums": [
@@ -43,7 +43,7 @@
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:d845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98?arch=amd64"
+ "referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:d845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98?arch=amd64&tag=1.1.2-25"
 }
 ],
 "checksums": [
@@ -64,7 +64,7 @@
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:d845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98?arch=arm64"
+ "referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:d845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98?arch=arm64&tag=1.1.2-25"
 }
 ],
 "checksums": [
@@ -85,7 +85,7 @@
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:d845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98?arch=ppc64le"
+ "referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:d845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98?arch=ppc64le&tag=1.1.2-25"
 }
 ],
 "checksums": [
diff --git a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json
index 8cd8185..76638d6 100644
--- a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json
+++ b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json
@@ -22,7 +22,7 @@
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:d845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98?arch=amd64"
+ "referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:d845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98?arch=amd64&tag=1.1.2-25"
 }
 ],
 "checksums": [
diff --git a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json
index 9c8eaff..ec79273 100644
--- a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json
+++ b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json
@@ -22,7 +22,7 @@
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:d845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98?arch=arm64"
+ "referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:d845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98?arch=arm64&tag=1.1.2-25"
 }
 ],
 "checksums": [
diff --git a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json
index d4a08cc..8688ccb 100644
--- a/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json
+++ b/sbom/examples/container_image/build/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json
@@ -22,7 +22,7 @@
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:d845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98?arch=ppc64le"
+ "referenceLocator": "pkg:oci/kernel-module-management-rhel9-operator@sha256:d845f0bd93dad56c92c47e8c116a11a0cc5924c0b99aed912b4f8b54178efa98?arch=ppc64le&tag=1.1.2-25"
 }
 ],
 "checksums": [
diff --git a/sbom/examples/container_image/build/remove_release_data.py b/sbom/examples/container_image/build/remove_release_data.py
index 70b30a2..84e098c 100644
--- a/sbom/examples/container_image/build/remove_release_data.py
+++ b/sbom/examples/container_image/build/remove_release_data.py
@@ -10,7 +10,23 @@
 sbom = json.load(fp)
-for pkg in sbom["packages"]:
+relationships = sbom["relationships"]
+
+# Find the described packages
+described = [
+ rel["relatedSpdxElement"]
+ for rel in relationships
+ if rel["spdxElementId"] == "SPDXRef-DOCUMENT" and rel["relationshipType"] == "DESCRIBES"
+]
+# Find any packages that are VARIANT_OF the described packages
+variants = [
+ rel["spdxElementId"]
+ for rel in relationships
+ if rel["relatedSpdxElement"] in described and rel["relationshipType"] == "VARIANT_OF"
+]
+print(f"Described: {described}\nVariants: {variants}")
+built = described + variants
+for pkg in [pkg for pkg in sbom["packages"] if pkg["SPDXID"] in built]:
 for purl_ref in [ref for ref in pkg.get("externalRefs", []) if ref["referenceType"] == "purl"]:
 purl = PackageURL.from_string(purl_ref["referenceLocator"])
 if purl.type == "oci":
diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860.spdx.json
index bbfa06d..9c16218 100644
--- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860.spdx.json
+++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860.spdx.json
@@ -22,12 +22,12 @@
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/ubi-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d"
+ "referenceLocator": "pkg:oci/ubi-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?tag=9.4-6.1716471860"
 },
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/ubi9-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d"
+ "referenceLocator": "pkg:oci/ubi9-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?tag=9.4-6.1716471860"
 }
 ],
 "checksums": [
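Review bot: `relationships = sbom["relationships"]` raises KeyError on a document that has no relationships array, whereas the neighbouring code tolerates a missing `externalRefs` with `.get(...)`; `relationships = sbom.get("relationships", [])` keeps the two consistent and makes an SBOM without relationships a no-op instead of a crash. The `print(...)` of the described and variant IDs goes to stdout — if the script writes the rewritten SBOM to stdout (the output path is outside this hunk), that line would corrupt the JSON, so `print(..., file=sys.stderr)` is safer (requires `import sys` if it is not already imported). When `described` is empty, `built` is empty and no package is rewritten, so the release-time `repository_url` qualifier survives silently; an explicit check such as `if not built: raise SystemExit("no DESCRIBES relationship from SPDXRef-DOCUMENT")` would make that failure visible rather than producing a build-time SBOM that still carries release data. The `for pkg` loop body continues outside the hunk.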
@@ -48,12 +48,12 @@
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/ubi-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=ppc64le"
+ "referenceLocator": "pkg:oci/ubi-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=ppc64le&tag=9.4-6.1716471860"
 },
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/ubi9-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=ppc64le"
+ "referenceLocator": "pkg:oci/ubi9-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=ppc64le&tag=9.4-6.1716471860"
 }
 ],
 "checksums": [
@@ -74,12 +74,12 @@
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/ubi-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=s390x"
+ "referenceLocator": "pkg:oci/ubi-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=s390x&tag=9.4-6.1716471860"
 },
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/ubi9-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=s390x"
+ "referenceLocator": "pkg:oci/ubi9-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=s390x&tag=9.4-6.1716471860"
 }
 ],
 "checksums": [
@@ -100,12 +100,12 @@
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/ubi-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=arm64"
+ "referenceLocator": "pkg:oci/ubi-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=arm64&tag=9.4-6.1716471860"
 },
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/ubi9-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=arm64"
+ "referenceLocator": "pkg:oci/ubi9-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=arm64&tag=9.4-6.1716471860"
 }
 ],
 "checksums": [
@@ -126,12 +126,12 @@
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/ubi-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=amd64"
+ "referenceLocator": "pkg:oci/ubi-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=amd64&tag=9.4-6.1716471860"
 },
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/ubi9-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=amd64"
+ "referenceLocator": "pkg:oci/ubi9-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=amd64&tag=9.4-6.1716471860"
 }
 ],
 "checksums": [
diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json
index 04e94b4..c58d7c3 100644
--- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json
+++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json
@@ -22,12 +22,12 @@
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/ubi-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=amd64"
+ "referenceLocator": "pkg:oci/ubi-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=amd64&tag=9.4-6.1716471860"
 },
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/ubi9-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=amd64"
+ "referenceLocator": "pkg:oci/ubi9-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=amd64&tag=9.4-6.1716471860"
 }
 ],
 "checksums": [
diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json
index f006027..17011c0 100644
--- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json
+++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json
@@ -22,12 +22,12 @@
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/ubi-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=arm64"
+ "referenceLocator": "pkg:oci/ubi-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=arm64&tag=9.4-6.1716471860"
 },
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/ubi9-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=arm64"
+ "referenceLocator": "pkg:oci/ubi9-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=arm64&tag=9.4-6.1716471860"
 }
 ],
 "checksums": [
diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json
index 98ffbd0..ddcb9df 100644
--- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json
+++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json
@@ -22,12 +22,12 @@
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/ubi-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=ppc64le"
+ "referenceLocator": "pkg:oci/ubi-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=ppc64le&tag=9.4-6.1716471860"
 },
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/ubi9-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=ppc64le"
+ "referenceLocator": "pkg:oci/ubi9-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=ppc64le&tag=9.4-6.1716471860"
 }
 ],
 "checksums": [
diff --git a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json
index 2f6d11f..98cf031 100644
--- a/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json
+++ b/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json
@@ -22,12 +22,12 @@
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/ubi-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=s390x"
+ "referenceLocator": "pkg:oci/ubi-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=s390x&tag=9.4-6.1716471860"
 },
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": "pkg:oci/ubi9-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=s390x"
+ "referenceLocator": "pkg:oci/ubi9-micro@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=s390x&tag=9.4-6.1716471860"
 }
 ],
 "checksums": [