feat(ubuntu-cpc): sbom generation everywhere
Patch create_manifest to produce an SBOM when called by an ubuntu-cpc project. Patch all the ubuntu-cpc hooks and series files to include the newly generated manifests, filelists, and SBOMs. Generates a number of new artifacts in the builds. The snap utilized, cpc-sbom, is an open source repo and is provided via a hidden snap. There is no intention of publicizing the snap or how we generate SBOMs; however, partners require the ability to audit if required. Defensively checks if the snap is already installed, in the case of multiple hooks being called in a single build (thus sharing a build host), and only if called in an ubuntu-cpc project. (cherry picked from commit 7c7b7df89dc96169db1f255d6bba901ebb63a43c)
parent
2edc2591a3
commit
6d5b0fefc2
@ -46,6 +46,10 @@ create_empty_disk_image() {
|
||||
create_manifest() {
|
||||
local chroot_root=${1}
|
||||
local target_file=${2}
|
||||
local base_default_sbom_name="ubuntu-cloud-image-$(grep "VERSION_ID" $chroot_root/etc/os-release | cut --delimiter "=" --field 2 | tr -d '"')-${ARCH}-$(date +%Y%m%dT%H:%M:%S)"
|
||||
local sbom_file_name=${3:-"${base_default_sbom_name}.spdx"}
|
||||
local sbom_document_name=${4:-"${base_default_sbom_name}"}
|
||||
local sbom_log=${sbom_document_name}.log
|
||||
echo "create_manifest chroot_root: ${chroot_root}"
|
||||
dpkg-query --show --admindir="${chroot_root}/var/lib/dpkg" > ${target_file}
|
||||
echo "create_manifest call to dpkg-query finished."
|
||||
@ -54,7 +58,23 @@ create_manifest() {
|
||||
if [ "$PROJECT" = ubuntu-cpc ]; then
|
||||
echo "create_manifest creating file listing."
|
||||
local target_filelist=${2%.manifest}.filelist
|
||||
(cd "${chroot_root}" && find -xdev) > "${target_filelist}"
|
||||
(cd "${chroot_root}" && find -xdev) | sort > "${target_filelist}"
|
||||
# only creating sboms for CPC project at this time
|
||||
if [[ ! $(which cpc-sbom) ]]; then
|
||||
# ensure the tool is installed
|
||||
sudo snap install --classic --edge cpc-sbom
|
||||
fi
|
||||
# generate the SBOM
|
||||
cpc-sbom --rootdir ${chroot_root} --ignore-copyright-parsing-errors --ignore-copyright-file-not-found-errors --document-name ${sbom_document_name} >"${sbom_file_name}" 2>"${sbom_log}"
|
||||
SBOM_GENERATION_EXIT_CODE=$?
|
||||
if [[ ${SBOM_GENERATION_EXIT_CODE} != "0" ]]; then
|
||||
# check for failure and print log
|
||||
echo "ERROR: SBOM generation failed. See ${sbom_log}"
|
||||
cat "$sbom_log"
|
||||
exit 1
|
||||
else
|
||||
echo "SBOM generation succeeded. see ${sbom_log} for details"
|
||||
fi
|
||||
fi
|
||||
echo "create_manifest finished"
|
||||
}
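Review bot: `SBOM_GENERATION_EXIT_CODE=$?` on the line after the cpc-sbom call only ever sees a non-zero status if the calling hook is not running under `set -e`; if it is (the hook headers are not in this view), a failing cpc-sbom aborts the hook before the error branch runs and the log is never printed, so testing the command directly in an `if` keeps that branch reachable either way and also avoids leaking a non-`local` global. The install on the line `sudo snap install --classic --edge cpc-sbom` pulls the SBOM producer from the unpinned edge channel at build time with classic confinement, which means the content of an audit artifact depends on whatever revision happens to be published when the build runs; pinning a track/channel or `--revision` and recording `snap list cpc-sbom` in the build log makes the SBOM reproducible and auditable. `${chroot_root}` and `${sbom_document_name}` on the cpc-sbom line, and `$chroot_root/etc/os-release` and `> ${target_file}` in the preceding hunk, are unquoted expansions. create_manifest's header is in the preceding hunk; the rewrite below replaces the lines from the `which` check through the inner `fi`.
```shell
        # … unchanged: filelist generation …
        # only creating sboms for CPC project at this time
        if ! command -v cpc-sbom >/dev/null 2>&1; then
            # pinned so that the tool producing the audit artifact is reproducible
            sudo snap install --classic --channel="<PINNED_TRACK/CHANNEL placeholder>" cpc-sbom
        fi
        # record which revision of the generator produced this SBOM in the build log
        snap list cpc-sbom
        if cpc-sbom --rootdir "${chroot_root}" --ignore-copyright-parsing-errors --ignore-copyright-file-not-found-errors --document-name "${sbom_document_name}" >"${sbom_file_name}" 2>"${sbom_log}"; then
            echo "SBOM generation succeeded. see ${sbom_log} for details"
        else
            echo "ERROR: SBOM generation failed. See ${sbom_log}"
            cat "${sbom_log}"
            exit 1
        fi
```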
|
||||
|
@ -24,6 +24,6 @@ rm -rf $rootfs_dir/boot/grub
|
||||
# Keep this as some derivatives mount a tempfs here
|
||||
mkdir -p $rootfs_dir/lib/modules
|
||||
|
||||
teardown_mountpoint $rootfs_dir
|
||||
create_manifest $rootfs_dir "livecd.ubuntu-cpc.rootfs.manifest" "livecd.ubuntu-cpc.rootfs.spdx" "cloud-image-rootfs-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
|
||||
|
||||
create_manifest "${rootfs_dir}" "${rootfs_dir}.manifest"
|
||||
teardown_mountpoint $rootfs_dir
|
||||
|
@ -75,6 +75,11 @@ make_ext4_partition "${rootfs_dev_mapper}"
|
||||
mkdir mountpoint
|
||||
mount "${rootfs_dev_mapper}" mountpoint
|
||||
cp -a chroot/* mountpoint/
|
||||
|
||||
# the image has been modified from its disk-image-uefi base so the manifest and filelist should be regenerated
|
||||
# explicitly generate manifest and sbom
|
||||
create_manifest "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-image.manifest" "$PWD/livecd.ubuntu-cpc.disk-image.spdx" "cloud-image-$ARCH-$(date +Y%m%dT%H:%M:%S)"
|
||||
|
||||
umount mountpoint
|
||||
rmdir mountpoint
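Review bot: The document name on the new `create_manifest "mountpoint/" …` line uses `$(date +Y%m%dT%H:%M:%S)`; the `%` before `Y` is missing, so the SPDX document name and the `.log` file derived from it carry a literal `Y` instead of the year, unlike every other call site in this commit, which uses `%Y`. Change it to `"cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)"`. The two comments above the call overlap; one line such as `# the image was modified after its disk-image-uefi base, so regenerate manifest, filelist and SBOM` would do.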
|
||||
|
||||
|
@ -236,6 +236,11 @@ EOF
|
||||
rm mountpoint/tmp/device.map
|
||||
umount mountpoint/boot/efi
|
||||
mount
|
||||
|
||||
# create sorted filelist as the very last step before unmounting
|
||||
# explicitly generate manifest and sbom
|
||||
create_manifest "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-uefi.manifest" "$PWD/livecd.ubuntu-cpc.disk-uefi.spdx" "cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
|
||||
|
||||
umount_partition mountpoint
|
||||
rmdir mountpoint
|
||||
}
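Review bot: The comment `# create sorted filelist as the very last step before unmounting` above the new create_manifest call now describes only one of the three artifacts that call produces and overlaps with the comment directly below it; fold them into one line such as `# generate manifest, sorted filelist and SBOM as the last step before unmounting`. The enclosing function starts outside this hunk.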
|
||||
@ -251,6 +256,7 @@ make_ext4_partition "${rootfs_dev_mapper}"
|
||||
mkdir mountpoint
|
||||
mount "${rootfs_dev_mapper}" mountpoint
|
||||
cp -a chroot/* mountpoint/
|
||||
|
||||
umount mountpoint
|
||||
rmdir mountpoint
|
||||
|
||||
|
@ -175,6 +175,8 @@ EOF
|
||||
$ZIPL_EXTRA_PARAMS
|
||||
fi
|
||||
|
||||
create_manifest "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-image.manifest" "$PWD/livecd.ubuntu-cpc.disk-image.spdx" "cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
|
||||
|
||||
if [ -n "$BOOT_MOUNTPOINT" ]; then
|
||||
umount "mountpoint/$BOOT_MOUNTPOINT"
|
||||
fi
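Review bot: The new `create_manifest "mountpoint/" …` call runs while `mountpoint/$BOOT_MOUNTPOINT` may still be mounted (its umount follows the call), whereas the uefi hook in this same commit calls create_manifest only after `umount mountpoint/boot/efi`. create_manifest builds the filelist with `find -xdev`, so the boot partition's files are excluded either way, but whether cpc-sbom's `--rootdir` scan crosses into that mount I cannot tell from here; moving the call below the `if [ -n "$BOOT_MOUNTPOINT" ] … fi` block would make the two hooks consistent. The enclosing block starts outside this hunk.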
|
||||
|
@ -15,8 +15,17 @@ esac
|
||||
|
||||
. config/functions
|
||||
|
||||
qcow_file=${PWD}/livecd.ubuntu-cpc.qcow
|
||||
if [ -f binary/boot/disk-uefi.ext4 ]; then
|
||||
convert_to_qcow2 binary/boot/disk-uefi.ext4 livecd.ubuntu-cpc.img
|
||||
uefi_file="livecd.ubuntu-cpc.disk-uefi"
|
||||
cp ${uefi_file}.manifest ${qcow_file}.manifest
|
||||
cp ${uefi_file}.filelist ${qcow_file}.filelist
|
||||
cp ${uefi_file}.spdx ${qcow_file}.spdx
|
||||
elif [ -f binary/boot/disk.ext4 ]; then
|
||||
convert_to_qcow2 binary/boot/disk.ext4 livecd.ubuntu-cpc.img
|
||||
disk_file="livecd.ubuntu-cpc.disk-image"
|
||||
cp ${disk_file}.manifest ${qcow_file}.manifest
|
||||
cp ${disk_file}.filelist ${qcow_file}.filelist
|
||||
cp ${disk_file}.spdx ${qcow_file}.spdx
|
||||
fi
|
||||
|
@ -13,8 +13,12 @@ rootfs_dir=rootfs.dir
|
||||
|
||||
squashfs_f="$PWD/livecd.ubuntu-cpc.squashfs"
|
||||
|
||||
cp $rootfs_dir.manifest $squashfs_f.manifest
|
||||
cp $rootfs_dir.filelist $squashfs_f.filelist
|
||||
cp livecd.ubuntu-cpc.rootfs.manifest ${squashfs_f}.manifest
|
||||
cp livecd.ubuntu-cpc.rootfs.filelist ${squashfs_f}.filelist
|
||||
cp livecd.ubuntu-cpc.rootfs.spdx ${squashfs_f}.spdx
|
||||
|
||||
# fstab is omitted from the squashfs
|
||||
grep -v '^/etc/fstab$' livecd.ubuntu-cpc.rootfs.filelist >$squashfs_f.filelist
|
||||
|
||||
(cd $rootfs_dir &&
|
||||
mksquashfs . $squashfs_f \
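Review bot: `cp livecd.ubuntu-cpc.rootfs.filelist ${squashfs_f}.filelist` is dead: the grep line further down rewrites `$squashfs_f.filelist` from that same source file, so the copy can be dropped, leaving only the manifest and spdx copies. Since that grep is now the sole producer of the squashfs filelist, it is worth confirming that its pattern matches: create_manifest generates the filelist with `(cd "${chroot_root}" && find -xdev)`, whose entries are printed relative to `.` (e.g. `./etc/fstab`), so `'^/etc/fstab$'` would not match them — verify against an actual filelist before relying on the omission. The mksquashfs command continues past the end of this hunk.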
|
||||
|
@ -11,6 +11,4 @@ fi
|
||||
# This is the directory created by create-root-dir.binary
|
||||
rootfs_dir=rootfs.dir
|
||||
|
||||
cp $rootfs_dir.manifest livecd.ubuntu-cpc.rootfs.manifest
|
||||
cp $rootfs_dir.filelist livecd.ubuntu-cpc.rootfs.filelist
|
||||
(cd $rootfs_dir/ && tar -c --sort=name --xattrs *) | xz > livecd.ubuntu-cpc.rootfs.tar.xz
|
||||
|
@ -8,3 +8,6 @@ provides livecd.ubuntu-cpc.kernel-generic
|
||||
provides livecd.ubuntu-cpc.kernel-generic-lpae
|
||||
provides livecd.ubuntu-cpc.manifest
|
||||
provides livecd.ubuntu-cpc.filelist
|
||||
provides livecd.ubuntu-cpc.disk-image.manifest
|
||||
provides livecd.ubuntu-cpc.disk-image.filelist
|
||||
provides livecd.ubuntu-cpc.disk-image.spdx
|
||||
|
@ -6,3 +6,6 @@ provides livecd.ubuntu-cpc.kernel-generic
|
||||
provides livecd.ubuntu-cpc.kernel-generic-lpae
|
||||
provides livecd.ubuntu-cpc.manifest
|
||||
provides livecd.ubuntu-cpc.filelist
|
||||
provides livecd.ubuntu-cpc.disk-uefi.manifest
|
||||
provides livecd.ubuntu-cpc.disk-uefi.filelist
|
||||
provides livecd.ubuntu-cpc.disk-uefi.spdx
|
||||
|
@ -1,3 +1,6 @@
|
||||
depends disk-image
|
||||
base/qcow2-image.binary
|
||||
provides livecd.ubuntu-cpc.img
|
||||
provides livecd.ubuntu-cpc.qcow.manifest
|
||||
provides livecd.ubuntu-cpc.qcow.filelist
|
||||
provides livecd.ubuntu-cpc.qcow.spdx
|
||||
|
@ -3,3 +3,4 @@ base/root-squashfs.binary
|
||||
provides livecd.ubuntu-cpc.squashfs
|
||||
provides livecd.ubuntu-cpc.squashfs.manifest
|
||||
provides livecd.ubuntu-cpc.squashfs.filelist
|
||||
provides livecd.ubuntu-cpc.squashfs.spdx
|
@ -3,3 +3,4 @@ base/root-xz.binary
|
||||
provides livecd.ubuntu-cpc.rootfs.tar.xz
|
||||
provides livecd.ubuntu-cpc.rootfs.manifest
|
||||
provides livecd.ubuntu-cpc.rootfs.filelist
|
||||
provides livecd.ubuntu-cpc.rootfs.spdx
|
||||
|
@ -1,3 +1,6 @@
|
||||
depends disk-image
|
||||
base/vagrant.binary
|
||||
provides livecd.ubuntu-cpc.vagrant.box
|
||||
provides livecd.ubuntu-cpc.vagrant.manifest
|
||||
provides livecd.ubuntu-cpc.vagrant.filelist
|
||||
provides livecd.ubuntu-cpc.vagrant.spdx
|
@ -3,3 +3,6 @@ base/vmdk-image.binary
|
||||
base/vmdk-ova-image.binary
|
||||
provides livecd.ubuntu-cpc.vmdk
|
||||
provides livecd.ubuntu-cpc.ova
|
||||
provides livecd.ubuntu-cpc.vmdk.manifest
|
||||
provides livecd.ubuntu-cpc.vmdk.filelist
|
||||
provides livecd.ubuntu-cpc.vmdk.spdx
|
@ -86,6 +86,8 @@ EOF
|
||||
chroot ${mount_d} chown -R vagrant:vagrant /home/vagrant/.ssh
|
||||
chroot ${mount_d} chmod 700 /home/vagrant/.ssh
|
||||
|
||||
create_manifest $mount_d "livecd.ubuntu-cpc.vagrant.manifest" "livecd.ubuntu-cpc.vagrant.spdx" "cloud-image-vagrant-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
|
||||
|
||||
umount_disk_image "$mount_d"
|
||||
rmdir "$mount_d"
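Review bot: `create_manifest $mount_d …` passes `$mount_d` unquoted while `umount_disk_image "$mount_d"` and `rmdir "$mount_d"` two lines below quote it; quote it the same way for consistency: `create_manifest "$mount_d" "livecd.ubuntu-cpc.vagrant.manifest" "livecd.ubuntu-cpc.vagrant.spdx" "cloud-image-vagrant-$ARCH-$(date +%Y%m%dT%H:%M:%S)"`.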
|
||||
|
||||
|
@ -20,8 +20,18 @@ esac
|
||||
|
||||
. config/functions
|
||||
|
||||
vmdk_file="$PWD/livecd.ubuntu-cpc.vmdk"
|
||||
|
||||
if [ -e binary/boot/disk-uefi.ext4 ]; then
|
||||
create_vmdk binary/boot/disk-uefi.ext4 livecd.ubuntu-cpc.vmdk
|
||||
uefi_file="livecd.ubuntu-cpc.disk-uefi"
|
||||
cp ${uefi_file}.manifest ${vmdk_file}.manifest
|
||||
cp ${uefi_file}.filelist ${vmdk_file}.filelist
|
||||
cp ${uefi_file}.spdx ${vmdk_file}.spdx
|
||||
elif [ -f binary/boot/disk.ext4 ]; then
|
||||
create_vmdk binary/boot/disk.ext4 livecd.ubuntu-cpc.vmdk
|
||||
disk_file="livecd.ubuntu-cpc.disk-image"
|
||||
cp ${disk_file}.manifest ${vmdk_file}.manifest
|
||||
cp ${disk_file}.filelist ${vmdk_file}.filelist
|
||||
cp ${disk_file}.spdx ${vmdk_file}.spdx
|
||||
fi
|
||||
|