From 377617b946edf4339daef91e7a8df30cbfaa1cfe Mon Sep 17 00:00:00 2001
From: John Chittum
Date: Thu, 15 Aug 2024 11:40:27 -0400
Subject: [PATCH] feat(ubuntu-cpc): sbom generation everywhere
patch create_manifest to produce an sbom when called by an ubuntu-cpc project. Patch all the ubuntu-cpc hooks and series files to include the newly generated manifests, filelists, and sboms. Generates a number of new artifacts in the builds. the snap utilized, cpc-sbom, is an open source repo and a provided via a hidden snap. there is no intention of publisizing the snap or how we generate sboms, however partners require the ability to audit if required. defensively checks if the snap is already installed, in the case of multiple hooks being called in a single build (thus sharing a build host), and only if called in an ubuntu-cpc project.
(cherry picked from commit 7c7b7df89dc96169db1f255d6bba901ebb63a43c)
---
live-build/functions | 20 +++++++++++++++++++
.../hooks.d/base/create-root-dir.binary | 4 ++--
.../hooks.d/base/disk-image-ppc64el.binary | 2 ++
.../hooks.d/base/disk-image-uefi.binary | 4 +++-
.../ubuntu-cpc/hooks.d/base/disk-image.binary | 2 ++
.../hooks.d/base/qcow2-image.binary | 9 +++++++++
.../hooks.d/base/root-squashfs.binary | 7 +++++--
.../ubuntu-cpc/hooks.d/base/root-xz.binary | 2 --
.../ubuntu-cpc/hooks.d/base/series/disk-image | 3 +++
.../hooks.d/base/series/disk-image-uefi | 3 +++
.../ubuntu-cpc/hooks.d/base/series/qcow2 | 3 +++
.../ubuntu-cpc/hooks.d/base/series/squashfs | 1 +
.../ubuntu-cpc/hooks.d/base/series/tarball | 1 +
.../ubuntu-cpc/hooks.d/base/series/vagrant | 3 +++
.../ubuntu-cpc/hooks.d/base/series/vmdk | 3 +++
.../ubuntu-cpc/hooks.d/base/vagrant.binary | 2 ++
.../ubuntu-cpc/hooks.d/base/vmdk-image.binary | 10 ++++++++++
17 files changed, 72 insertions(+), 7 deletions(-)
diff --git a/live-build/functions b/live-build/functions
index 918bd064..bd3c8898 100644
--- a/live-build/functions
+++ b/live-build/functions
@@ -39,6 +39,10 @@ create_empty_disk_image() {
 create_manifest() {
 local chroot_root=${1}
 local target_file=${2}
+ local base_default_sbom_name="ubuntu-cloud-image-$(grep "VERSION_ID" $chroot_root/etc/os-release | cut --delimiter "=" --field 2 | tr -d '"')-${ARCH}-$(date +%Y%m%dT%H:%M:%S)"
+ local sbom_file_name=${3:-"${base_default_sbom_name}.spdx"}
+ local sbom_document_name=${4:-"${base_default_sbom_name}"}
+ local sbom_log=${sbom_document_name}.log
 echo "create_manifest chroot_root: ${chroot_root}"
 dpkg-query --show --admindir="${chroot_root}/var/lib/dpkg" > ${target_file}
 echo "create_manifest call to dpkg-query finished."
@@ -48,6 +52,22 @@ create_manifest() {
 echo "create_manifest creating file listing."
 local target_filelist=${2%.manifest}.filelist
 (cd "${chroot_root}" && find -xdev) | sort > "${target_filelist}"
+ # only creating sboms for CPC project at this time
+ if [[ ! $(which cpc-sbom) ]]; then
+ # ensure the tool is installed
+ sudo snap install --classic --edge cpc-sbom
+ fi
+ # generate the SBOM
+ cpc-sbom --rootdir ${chroot_root} --ignore-copyright-parsing-errors --ignore-copyright-file-not-found-errors --document-name ${sbom_document_name} >"${sbom_file_name}" 2>"${sbom_log}"
+ SBOM_GENERATION_EXIT_CODE=$?
+ if [[ ${SBOM_GENERATION_EXIT_CODE} != "0" ]]; then
+ # check for failure and print log
+ echo "ERROR: SBOM generation failed. See ${sbom_log}"
+ cat "$sbom_log"
+ exit 1
+ else
+ echo "SBOM generation succeeded. see ${sbom_log} for details"
+ fi
 fi
 echo "create_manifest finished"
 }
diff --git a/live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary b/live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary
index 6ba4fe9c..46d9479a 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary
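Review bot: The two new optional parameters (`$3` SBOM output path, `$4` SPDX document name) and the extra outputs they imply are documented nowhere on the function; a header such as `# create_manifest <chroot_root> <manifest_path> [sbom_path] [document_name]` followed by `# also writes <manifest_path minus .manifest>.filelist and <document_name>.log in the caller's cwd` would make the contract visible to the six hooks that now call it. On the `base_default_sbom_name` line `$chroot_root/etc/os-release` is unquoted although the rest of the function writes `"${chroot_root}"`, and the whole default, including its `date` call, is evaluated even when both optional arguments are supplied, which every hook in this patch does. Because `sbom_log=${sbom_document_name}.log` is derived from the document name rather than the manifest path, the log lands in the hook's working directory under a timestamped name that no series file lists (inferred from the hooks in this patch); `local sbom_log=${target_file%.manifest}.sbom.log` would keep it beside the other artifacts.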
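Review bot: `sudo snap install --classic --edge cpc-sbom` pulls an unpinned edge-channel, classically confined snap onto the build host the first time a hook needs it, and its exit status is never checked, so the tool that produces the auditable SBOM is itself a mutable, unverified build-time dependency and a failed install only surfaces later as `cpc-sbom` not being found. Pin the channel and fail at the install step: `if ! command -v cpc-sbom >/dev/null; then` / `sudo snap install --classic --channel=<pinned track/channel> cpc-sbom || exit 1` / `fi`, which also replaces the non-idiomatic `[[ ! $(which cpc-sbom) ]]`. The `SBOM_GENERATION_EXIT_CODE=$?` pattern reaches its failure branch (and the `cat "$sbom_log"`) only if the sourcing hook is not running under `set -e`, which cannot be seen from this hunk; `if ! cpc-sbom …; then` behaves the same under both settings, and the variable is not declared `local`. `${chroot_root}` and `${sbom_document_name}` on the cpc-sbom line should be quoted like the redirections beside them. The `fi` that closes this block belongs to an `if` that starts outside the hunk, so the ubuntu-cpc-only gate described in the commit message cannot be confirmed here.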
@@ -24,6 +24,6 @@ rm -rf $rootfs_dir/boot/grub # Keep this as some derivatives mount a tempfs here mkdir -p $rootfs_dir/lib/modules -teardown_mountpoint $rootfs_dir +create_manifest $rootfs_dir "livecd.ubuntu-cpc.rootfs.manifest" "livecd.ubuntu-cpc.rootfs.spdx" "cloud-image-rootfs-$ARCH-$(date +%Y%m%dT%H:%M:%S)" -create_manifest "${rootfs_dir}" "${rootfs_dir}.manifest" +teardown_mountpoint $rootfs_dir
diff --git a/live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary b/live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary
index e02c6338..f393482b 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary
@@ -80,6 +80,8 @@ cp -a chroot/* mountpoint/ chroot mountpoint dpkg-query -W > binary/boot/filesystem.packages (cd mountpoint && find -xdev) | sort > binary/boot/filesystem.filelist +create_manifest "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-image.manifest" "$PWD/livecd.ubuntu-cpc.disk-image.spdx" "cloud-image-$ARCH-$(date +Y%m%dT%H:%M:%S)" + umount mountpoint rmdir mountpoint
diff --git a/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary b/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
index d4ec5f0c..474b145b 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
@@ -184,7 +184,8 @@ install_grub() { mount # create sorted filelist as the very last step before unmounting -(cd mountpoint && find -xdev) | sort > binary/boot/filesystem.filelist + # explicitly generate manifest and sbom + create_manifest "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-uefi.manifest" "$PWD/livecd.ubuntu-cpc.disk-uefi.spdx" "cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)" umount_partition mountpoint rmdir mountpoint
@@ -201,6 +202,7 @@ make_ext4_partition "${rootfs_dev_mapper}" mkdir mountpoint mount "${rootfs_dev_mapper}" mountpoint cp -a chroot/* mountpoint/ + umount mountpoint rmdir mountpoint
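Review bot: `create_manifest` now runs before `teardown_mountpoint`, i.e. while the chroot's mounts are still in place, and the manifest moves from `${rootfs_dir}.manifest` to `livecd.ubuntu-cpc.rootfs.manifest`; neither the reordering nor the rename is explained in the hook, so a comment such as `# generate manifest, filelist and SBOM before teardown — presumably cpc-sbom needs the mounted chroot; confirm` would help the next reader (the reason is my inference, not visible here). The replacement line also drops the quoting the removed line had: `create_manifest "${rootfs_dir}" …`.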
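Review bot: The document name on the new `create_manifest` line is built with `$(date +Y%m%dT%H:%M:%S)`, which is missing the `%` before `Y`, so the SPDX document name gets a literal `Y` in place of the year while every other hook in this patch uses `%Y`; change it to `"cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)"`. The existing `dpkg-query -W > binary/boot/filesystem.packages` and `find -xdev … > binary/boot/filesystem.filelist` lines are kept here although disk-image-uefi removes its equivalent, so this hook now walks the mounted tree twice and produces two file lists; whether anything still reads the `binary/boot/filesystem.*` pair is not visible from the hunk. The same timestamp expression is repeated by hand in six hooks, which is how this typo slipped in; a helper in `live-build/functions` returning the stamp would remove the duplication.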
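Review bot: Replacing the `find -xdev` line means this hook no longer writes `binary/boot/filesystem.filelist`; the listing now goes to `$PWD/livecd.ubuntu-cpc.disk-uefi.filelist` via create_manifest, while disk-image-ppc64el keeps the old path, so the two hooks now disagree and any downstream reader of `binary/boot/filesystem.filelist` (none visible here) would silently lose it. If the old path is indeed unused, say so next to the new comment: `# explicitly generate manifest and sbom (replaces binary/boot/filesystem.filelist, which nothing consumes)`. The comment above, "as the very last step before unmounting", still holds since create_manifest runs while `mountpoint` is mounted. The enclosing block starts outside the hunk (the header's `install_grub() {` context is git's nearest preceding function line, not necessarily this code's scope).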
diff --git a/live-build/ubuntu-cpc/hooks.d/base/disk-image.binary b/live-build/ubuntu-cpc/hooks.d/base/disk-image.binary
index ba577ef5..63d28ab0 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/disk-image.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/disk-image.binary
@@ -158,6 +158,8 @@ EOF $ZIPL_EXTRA_PARAMS fi +create_manifest "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-image.manifest" "$PWD/livecd.ubuntu-cpc.disk-image.spdx" "cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)" + if [ -n "$BOOT_MOUNTPOINT" ]; then umount "mountpoint/$BOOT_MOUNTPOINT" fi
diff --git a/live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary b/live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary
index 8dbbb9ae..4a8e321a 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary
@@ -2,8 +2,17 @@ . config/functions +qcow_file=${PWD}/livecd.ubuntu-cpc.qcow if [ -f binary/boot/disk-uefi.ext4 ]; then convert_to_qcow2 binary/boot/disk-uefi.ext4 livecd.ubuntu-cpc.img + uefi_file="livecd.ubuntu-cpc.disk-uefi" + cp ${uefi_file}.manifest ${qcow_file}.manifest + cp ${uefi_file}.filelist ${qcow_file}.filelist + cp ${uefi_file}.spdx ${qcow_file}.spdx elif [ -f binary/boot/disk.ext4 ]; then convert_to_qcow2 binary/boot/disk.ext4 livecd.ubuntu-cpc.img + disk_file="livecd.ubuntu-cpc.disk-image" + cp ${disk_file}.manifest ${qcow_file}.manifest + cp ${disk_file}.filelist ${qcow_file}.filelist + cp ${disk_file}.spdx ${qcow_file}.spdx fi
diff --git a/live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary b/live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary
index bc56bc42..ab90c963 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary
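Review bot: `create_manifest "mountpoint/" …` is called while `mountpoint/$BOOT_MOUNTPOINT` is still mounted (the `umount` in the `if` that follows happens afterwards), and create_manifest's listing uses `find -xdev`, so when `BOOT_MOUNTPOINT` is set the boot partition's contents will not appear in `livecd.ubuntu-cpc.disk-image.filelist`; whether cpc-sbom's `--rootdir` walk crosses mounts is not visible here. Unmounting first would not help (the directory would then be empty), so if a rootfs-only listing is the intent, record it: `# NOTE: find -xdev in create_manifest stops at the separately mounted $BOOT_MOUNTPOINT; the filelist covers the root partition only`. The surrounding block starts outside the hunk.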
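Review bot: Both branches of the `if` repeat three `cp` lines that differ only in the source prefix, and vmdk-image.binary later in this patch repeats the same eight lines again; setting one `src_prefix` per branch and copying in a single loop afterwards removes the duplication and is easier to keep in sync. The destinations are built from `${PWD}` but left unquoted in every `cp`, and nothing records that the qcow2's manifest, filelist and SBOM are the converted disk image's files copied unchanged (so the `.spdx` still carries the disk image's `--document-name`). The artifact prefix `livecd.ubuntu-cpc.qcow` also differs from the image it describes, `livecd.ubuntu-cpc.img`; that is presumably deliberate but worth a comment.
```shell
qcow_file=${PWD}/livecd.ubuntu-cpc.qcow
src_prefix=
if [ -f binary/boot/disk-uefi.ext4 ]; then
    convert_to_qcow2 binary/boot/disk-uefi.ext4 livecd.ubuntu-cpc.img
    src_prefix="livecd.ubuntu-cpc.disk-uefi"
elif [ -f binary/boot/disk.ext4 ]; then
    convert_to_qcow2 binary/boot/disk.ext4 livecd.ubuntu-cpc.img
    src_prefix="livecd.ubuntu-cpc.disk-image"
fi
# the qcow2 is a format conversion of the ext4 image, so its manifest,
# filelist and SBOM are the source image's files copied unchanged
if [ -n "$src_prefix" ]; then
    for ext in manifest filelist spdx; do
        cp "${src_prefix}.${ext}" "${qcow_file}.${ext}"
    done
fi
```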
@@ -15,8 +15,11 @@ rootfs_dir=rootfs.dir squashfs_f="$PWD/livecd.ubuntu-cpc.squashfs" -cp $rootfs_dir.manifest $squashfs_f.manifest +cp livecd.ubuntu-cpc.rootfs.manifest ${squashfs_f}.manifest +cp livecd.ubuntu-cpc.rootfs.filelist ${squashfs_f}.filelist +cp livecd.ubuntu-cpc.rootfs.spdx ${squashfs_f}.spdx + # fstab is omitted from the squashfs -grep -v '^/etc/fstab$' $rootfs_dir.filelist >$squashfs_f.filelist +grep -v '^/etc/fstab$' livecd.ubuntu-cpc.rootfs.filelist >$squashfs_f.filelist create_squashfs $rootfs_dir $squashfs_f
diff --git a/live-build/ubuntu-cpc/hooks.d/base/root-xz.binary b/live-build/ubuntu-cpc/hooks.d/base/root-xz.binary
index c8aad906..9c5db0b8 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/root-xz.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/root-xz.binary
@@ -11,6 +11,4 @@ fi # This is the directory created by create-root-dir.binary rootfs_dir=rootfs.dir -cp $rootfs_dir.manifest livecd.ubuntu-cpc.rootfs.manifest -cp $rootfs_dir.filelist livecd.ubuntu-cpc.rootfs.filelist (cd $rootfs_dir/ && tar -c --sort=name --xattrs *) | xz > livecd.ubuntu-cpc.rootfs.tar.xz
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/disk-image b/live-build/ubuntu-cpc/hooks.d/base/series/disk-image
index 8e6e9726..4e269aca 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/disk-image
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/disk-image
@@ -6,3 +6,6 @@ provides livecd.ubuntu-cpc.initrd-generic
 provides livecd.ubuntu-cpc.kernel-generic
 provides livecd.ubuntu-cpc.manifest
 provides livecd.ubuntu-cpc.filelist
+provides livecd.ubuntu-cpc.disk-image.manifest
+provides livecd.ubuntu-cpc.disk-image.filelist
+provides livecd.ubuntu-cpc.disk-image.spdx
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi b/live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi
index 2faa4aa1..ac0bf936 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi
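Review bot: The new `cp livecd.ubuntu-cpc.rootfs.filelist ${squashfs_f}.filelist` is dead: the retained `grep -v '^/etc/fstab$' … >$squashfs_f.filelist` two lines below overwrites the same file, so the copy only adds a write and misleads a reader into thinking the squashfs filelist still contains fstab. Drop that one `cp` and keep the `grep`. The `.spdx` copied on the following line is the rootfs SBOM unchanged, so unlike the filelist it will still describe `/etc/fstab`; if that asymmetry is accepted, say so beside the existing fstab comment: `# the SBOM is copied as-is from the rootfs; only the filelist omits /etc/fstab`.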
@@ -4,3 +4,6 @@ provides livecd.ubuntu-cpc.initrd-generic
 provides livecd.ubuntu-cpc.kernel-generic
 provides livecd.ubuntu-cpc.manifest
 provides livecd.ubuntu-cpc.filelist
+provides livecd.ubuntu-cpc.disk-uefi.manifest
+provides livecd.ubuntu-cpc.disk-uefi.filelist
+provides livecd.ubuntu-cpc.disk-uefi.spdx
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/qcow2 b/live-build/ubuntu-cpc/hooks.d/base/series/qcow2
index 745adb9b..0fdbc81c 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/qcow2
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/qcow2
@@ -1,3 +1,6 @@
 depends disk-image
 base/qcow2-image.binary
 provides livecd.ubuntu-cpc.img
+provides livecd.ubuntu-cpc.qcow.manifest
+provides livecd.ubuntu-cpc.qcow.filelist
+provides livecd.ubuntu-cpc.qcow.spdx
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/squashfs b/live-build/ubuntu-cpc/hooks.d/base/series/squashfs
index b9f0d8db..991bf12e 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/squashfs
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/squashfs
@@ -3,3 +3,4 @@ base/root-squashfs.binary
 provides livecd.ubuntu-cpc.squashfs
 provides livecd.ubuntu-cpc.squashfs.manifest
 provides livecd.ubuntu-cpc.squashfs.filelist
+provides livecd.ubuntu-cpc.squashfs.spdx
\ No newline at end of file
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/tarball b/live-build/ubuntu-cpc/hooks.d/base/series/tarball
index 8e2bc766..293fc4a5 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/tarball
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/tarball
@@ -3,3 +3,4 @@ base/root-xz.binary
 provides livecd.ubuntu-cpc.rootfs.tar.xz
 provides livecd.ubuntu-cpc.rootfs.manifest
 provides livecd.ubuntu-cpc.rootfs.filelist
+provides livecd.ubuntu-cpc.rootfs.spdx
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/vagrant b/live-build/ubuntu-cpc/hooks.d/base/series/vagrant
index 6e5fcf39..0e4d8dd4 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/vagrant
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/vagrant
@@ -1,3 +1,6 @@
 depends disk-image
 base/vagrant.binary
 provides livecd.ubuntu-cpc.vagrant.box
+provides livecd.ubuntu-cpc.vagrant.manifest
+provides livecd.ubuntu-cpc.vagrant.filelist
+provides livecd.ubuntu-cpc.vagrant.spdx
\ No newline at end of file
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/vmdk b/live-build/ubuntu-cpc/hooks.d/base/series/vmdk
index c583fe96..855063e3 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/vmdk
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/vmdk
@@ -3,3 +3,6 @@ base/vmdk-image.binary
 base/vmdk-ova-image.binary
 provides livecd.ubuntu-cpc.vmdk
 provides livecd.ubuntu-cpc.ova
+provides livecd.ubuntu-cpc.vmdk.manifest
+provides livecd.ubuntu-cpc.vmdk.filelist
+provides livecd.ubuntu-cpc.vmdk.spdx
\ No newline at end of file
diff --git a/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary b/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary
index 19e8738b..3c679929 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary
@@ -93,6 +93,8 @@ EOF chroot ${mount_d} chown -R vagrant:vagrant /home/vagrant/.ssh chroot ${mount_d} chmod 700 /home/vagrant/.ssh +create_manifest $mount_d "livecd.ubuntu-cpc.vagrant.manifest" "livecd.ubuntu-cpc.vagrant.spdx" "cloud-image-vagrant-$ARCH-$(date +%Y%m%dT%H:%M:%S)" + umount_disk_image "$mount_d" rmdir "$mount_d"
diff --git a/live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary b/live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary
index 3c2a6449..f4c0ade8 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary
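Review bot: `create_manifest $mount_d …` leaves `$mount_d` unquoted while the adjacent `umount_disk_image "$mount_d"` and `rmdir "$mount_d"` quote it; write `create_manifest "$mount_d" "livecd.ubuntu-cpc.vagrant.manifest" …` for consistency. The manifest and SBOM paths passed here are relative, whereas disk-image and disk-image-uefi prefix theirs with `$PWD`; both work as long as the hook does not change directory before the call, but one convention across the hooks would be easier to audit. The enclosing block starts outside the hunk.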
@@ -20,8 +20,18 @@ esac . config/functions +vmdk_file="$PWD/livecd.ubuntu-cpc.vmdk" + if [ -e binary/boot/disk-uefi.ext4 ]; then create_vmdk binary/boot/disk-uefi.ext4 livecd.ubuntu-cpc.vmdk + uefi_file="livecd.ubuntu-cpc.disk-uefi" + cp ${uefi_file}.manifest ${vmdk_file}.manifest + cp ${uefi_file}.filelist ${vmdk_file}.filelist + cp ${uefi_file}.spdx ${vmdk_file}.spdx elif [ -f binary/boot/disk.ext4 ]; then create_vmdk binary/boot/disk.ext4 livecd.ubuntu-cpc.vmdk + disk_file="livecd.ubuntu-cpc.disk-image" + cp ${disk_file}.manifest ${vmdk_file}.manifest + cp ${disk_file}.filelist ${vmdk_file}.filelist + cp ${disk_file}.spdx ${vmdk_file}.spdx fi