From 6d5b0fefc2e2b5fae89927d5d4832773e218d70a Mon Sep 17 00:00:00 2001
From: John Chittum
Date: Thu, 15 Aug 2024 11:40:27 -0400
Subject: [PATCH] feat(ubuntu-cpc): sbom generation everywhere
patch create_manifest to produce an sbom when called by an ubuntu-cpc project. Patch all the ubuntu-cpc hooks and series files to include the newly generated manifests, filelists, and sboms. Generates a number of new artifacts in the builds. the snap utilized, cpc-sbom, is an open source repo and a provided via a hidden snap. there is no intention of publisizing the snap or how we generate sboms, however partners require the ability to audit if required. defensively checks if the snap is already installed, in the case of multiple hooks being called in a single build (thus sharing a build host), and only if called in an ubuntu-cpc project.
(cherry picked from commit 7c7b7df89dc96169db1f255d6bba901ebb63a43c)
---
 live-build/functions | 22 ++++++++++++++++++-
 .../hooks.d/base/create-root-dir.binary | 4 ++--
 .../hooks.d/base/disk-image-ppc64el.binary | 5 +++++
 .../hooks.d/base/disk-image-uefi.binary | 6 +++++
 .../ubuntu-cpc/hooks.d/base/disk-image.binary | 2 ++
 .../hooks.d/base/qcow2-image.binary | 9 ++++++++
 .../hooks.d/base/root-squashfs.binary | 8 +++++--
 .../ubuntu-cpc/hooks.d/base/root-xz.binary | 2 --
 .../ubuntu-cpc/hooks.d/base/series/disk-image | 3 +++
 .../hooks.d/base/series/disk-image-uefi | 3 +++
 .../ubuntu-cpc/hooks.d/base/series/qcow2 | 3 +++
 .../ubuntu-cpc/hooks.d/base/series/squashfs | 1 +
 .../ubuntu-cpc/hooks.d/base/series/tarball | 1 +
 .../ubuntu-cpc/hooks.d/base/series/vagrant | 3 +++
 .../ubuntu-cpc/hooks.d/base/series/vmdk | 3 +++
 .../ubuntu-cpc/hooks.d/base/vagrant.binary | 2 ++
 .../ubuntu-cpc/hooks.d/base/vmdk-image.binary | 10 +++++++++
 17 files changed, 80 insertions(+), 7 deletions(-)
diff --git a/live-build/functions b/live-build/functions
index ca09e81e..28b2c289 100644
--- a/live-build/functions
+++ b/live-build/functions
@@ -46,6 +46,10 @@ create_empty_disk_image() {
 create_manifest() {
 local chroot_root=${1}
 local target_file=${2}
+ local base_default_sbom_name="ubuntu-cloud-image-$(grep "VERSION_ID" $chroot_root/etc/os-release | cut --delimiter "=" --field 2 | tr -d '"')-${ARCH}-$(date +%Y%m%dT%H:%M:%S)"
+ local sbom_file_name=${3:-"${base_default_sbom_name}.spdx"}
+ local sbom_document_name=${4:-"${base_default_sbom_name}"}
+ local sbom_log=${sbom_document_name}.log
 echo "create_manifest chroot_root: ${chroot_root}"
 dpkg-query --show --admindir="${chroot_root}/var/lib/dpkg" > ${target_file}
 echo "create_manifest call to dpkg-query finished."
@@ -54,7 +58,23 @@ create_manifest() {
 if [ "$PROJECT" = ubuntu-cpc ]; then
 echo "create_manifest creating file listing."
 local target_filelist=${2%.manifest}.filelist
- (cd "${chroot_root}" && find -xdev) > "${target_filelist}"
+ (cd "${chroot_root}" && find -xdev) | sort > "${target_filelist}"
+ # only creating sboms for CPC project at this time
+ if [[ ! $(which cpc-sbom) ]]; then
+ # ensure the tool is installed
+ sudo snap install --classic --edge cpc-sbom
+ fi
+ # generate the SBOM
+ cpc-sbom --rootdir ${chroot_root} --ignore-copyright-parsing-errors --ignore-copyright-file-not-found-errors --document-name ${sbom_document_name} >"${sbom_file_name}" 2>"${sbom_log}"
+ SBOM_GENERATION_EXIT_CODE=$?
+ if [[ ${SBOM_GENERATION_EXIT_CODE} != "0" ]]; then
+ # check for failure and print log
+ echo "ERROR: SBOM generation failed. See ${sbom_log}"
+ cat "$sbom_log"
+ exit 1
+ else
+ echo "SBOM generation succeeded. see ${sbom_log} for details"
+ fi
 fi
 echo "create_manifest finished"
 }
diff --git a/live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary b/live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary
index 6ba4fe9c..46d9479a 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary
@@ -24,6 +24,6 @@ rm -rf $rootfs_dir/boot/grub
 # Keep this as some derivatives mount a tempfs here
 mkdir -p $rootfs_dir/lib/modules
-teardown_mountpoint $rootfs_dir
+create_manifest $rootfs_dir "livecd.ubuntu-cpc.rootfs.manifest" "livecd.ubuntu-cpc.rootfs.spdx" "cloud-image-rootfs-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
-create_manifest "${rootfs_dir}" "${rootfs_dir}.manifest"
+teardown_mountpoint $rootfs_dir
diff --git a/live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary b/live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary
index dc87a361..cce4cae1 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary
@@ -75,6 +75,11 @@ make_ext4_partition "${rootfs_dev_mapper}"
 mkdir mountpoint
 mount "${rootfs_dev_mapper}" mountpoint
 cp -a chroot/* mountpoint/
+
+# the image has been modified from its disk-image-uefi base so the manifest and filelist should be regenerated
+# explicitly generate manifest and sbom
+create_manifest "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-image.manifest" "$PWD/livecd.ubuntu-cpc.disk-image.spdx" "cloud-image-$ARCH-$(date +Y%m%dT%H:%M:%S)"
+
 umount mountpoint
 rmdir mountpoint
diff --git a/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary b/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
index 130d9b7a..cd02b607 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
@@ -236,6 +236,11 @@ EOF
 rm mountpoint/tmp/device.map
 umount mountpoint/boot/efi
 mount
+
+ # create sorted filelist as the very last step before unmounting
+ # explicitly generate manifest and sbom
+ create_manifest "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-uefi.manifest" "$PWD/livecd.ubuntu-cpc.disk-uefi.spdx" "cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
+
 umount_partition mountpoint
 rmdir mountpoint
 }
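Review bot: The new create_manifest call in create-root-dir.binary now runs before `teardown_mountpoint`, reversing the old order, but nothing records why; a comment stating why the manifest, filelist and SBOM must be produced while the chroot's mountpoints are still up would keep the next editor from reverting the order. The call also passes `$rootfs_dir` unquoted where the removed line used `"${rootfs_dir}"`; keep the quoting, `create_manifest "${rootfs_dir}" "livecd.ubuntu-cpc.rootfs.manifest" …`.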
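Review bot: The document-name argument on the new create_manifest line in disk-image-ppc64el.binary uses `$(date +Y%m%dT%H:%M:%S)`, missing the `%` before `Y`, so the SPDX document name carries a literal `Y` followed by month and day instead of the year; every other hook in this patch uses `$(date +%Y%m%dT%H:%M:%S)`. The comment above it says the image derives from the disk-image-uefi base, yet the outputs use the `disk-image.*` names that series/disk-image provides rather than the `disk-uefi.*` names; confirm that is the intended consumer and adjust the comment if so.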
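Review bot: In disk-image-uefi.binary the new create_manifest call comes after `umount mountpoint/boot/efi`, so the filelist (and the SBOM, if cpc-sbom walks the mounted tree) will not include the ESP contents that ship in the image. If that exclusion is intended, say so in the comment, e.g. `# ESP is already unmounted here, so its files are not in the filelist/SBOM`; otherwise move the call above the umount. The enclosing function begins outside the hunk.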
@@ -251,6 +256,7 @@ make_ext4_partition "${rootfs_dev_mapper}"
 mkdir mountpoint
 mount "${rootfs_dev_mapper}" mountpoint
 cp -a chroot/* mountpoint/
+
 umount mountpoint
 rmdir mountpoint
diff --git a/live-build/ubuntu-cpc/hooks.d/base/disk-image.binary b/live-build/ubuntu-cpc/hooks.d/base/disk-image.binary
index ed383109..3771881b 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/disk-image.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/disk-image.binary
@@ -175,6 +175,8 @@ EOF
 $ZIPL_EXTRA_PARAMS
 fi
+create_manifest "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-image.manifest" "$PWD/livecd.ubuntu-cpc.disk-image.spdx" "cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
+
 if [ -n "$BOOT_MOUNTPOINT" ]; then
 umount "mountpoint/$BOOT_MOUNTPOINT"
 fi
diff --git a/live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary b/live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary
index 5b38fe69..1101a1f2 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary
@@ -15,8 +15,17 @@ esac
 . config/functions
+qcow_file=${PWD}/livecd.ubuntu-cpc.qcow
 if [ -f binary/boot/disk-uefi.ext4 ]; then
 convert_to_qcow2 binary/boot/disk-uefi.ext4 livecd.ubuntu-cpc.img
+ uefi_file="livecd.ubuntu-cpc.disk-uefi"
+ cp ${uefi_file}.manifest ${qcow_file}.manifest
+ cp ${uefi_file}.filelist ${qcow_file}.filelist
+ cp ${uefi_file}.spdx ${qcow_file}.spdx
 elif [ -f binary/boot/disk.ext4 ]; then
 convert_to_qcow2 binary/boot/disk.ext4 livecd.ubuntu-cpc.img
+ disk_file="livecd.ubuntu-cpc.disk-image"
+ cp ${disk_file}.manifest ${qcow_file}.manifest
+ cp ${disk_file}.filelist ${qcow_file}.filelist
+ cp ${disk_file}.spdx ${qcow_file}.spdx
 fi
diff --git a/live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary b/live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary
index 873cee59..53dd5d8b 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary
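Review bot: In qcow2-image.binary the three `cp` lines are repeated verbatim in both branches, and again in vmdk-image.binary, with `${uefi_file}`, `${disk_file}` and `${qcow_file}` unquoted; set the source name in each branch and copy once after the `if`, e.g. `for ext in manifest filelist spdx; do cp -- "${src}.${ext}" "${qcow_file}.${ext}"; done`. A disk image produced without a `.spdx` now makes the `cp` fail and the hook with it, which is presumably what series/qcow2 promising the file requires, but a one-line comment saying the missing artifact is meant to be fatal would make that explicit.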
@@ -13,8 +13,12 @@ rootfs_dir=rootfs.dir
 squashfs_f="$PWD/livecd.ubuntu-cpc.squashfs"
-cp $rootfs_dir.manifest $squashfs_f.manifest
-cp $rootfs_dir.filelist $squashfs_f.filelist
+cp livecd.ubuntu-cpc.rootfs.manifest ${squashfs_f}.manifest
+cp livecd.ubuntu-cpc.rootfs.filelist ${squashfs_f}.filelist
+cp livecd.ubuntu-cpc.rootfs.spdx ${squashfs_f}.spdx
+
+# fstab is omitted from the squashfs
+grep -v '^/etc/fstab$' livecd.ubuntu-cpc.rootfs.filelist >$squashfs_f.filelist
 (cd $rootfs_dir && mksquashfs . $squashfs_f \
diff --git a/live-build/ubuntu-cpc/hooks.d/base/root-xz.binary b/live-build/ubuntu-cpc/hooks.d/base/root-xz.binary
index c8aad906..9c5db0b8 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/root-xz.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/root-xz.binary
@@ -11,6 +11,4 @@ fi
 # This is the directory created by create-root-dir.binary
 rootfs_dir=rootfs.dir
-cp $rootfs_dir.manifest livecd.ubuntu-cpc.rootfs.manifest
-cp $rootfs_dir.filelist livecd.ubuntu-cpc.rootfs.filelist
 (cd $rootfs_dir/ && tar -c --sort=name --xattrs *) | xz > livecd.ubuntu-cpc.rootfs.tar.xz
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/disk-image b/live-build/ubuntu-cpc/hooks.d/base/series/disk-image
index 3b356075..e1d5284c 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/disk-image
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/disk-image
@@ -8,3 +8,6 @@ provides livecd.ubuntu-cpc.kernel-generic
 provides livecd.ubuntu-cpc.kernel-generic-lpae
 provides livecd.ubuntu-cpc.manifest
 provides livecd.ubuntu-cpc.filelist
+provides livecd.ubuntu-cpc.disk-image.manifest
+provides livecd.ubuntu-cpc.disk-image.filelist
+provides livecd.ubuntu-cpc.disk-image.spdx
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi b/live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi
index 438930b7..d8b7ad44 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi
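Review bot: The `grep -v '^/etc/fstab$'` pattern on the last added line of root-squashfs.binary will not match anything: create_manifest builds the filelist with `(cd "${chroot_root}" && find -xdev)`, and a path-less `find` prints entries as `./etc/fstab`, so fstab stays in the squashfs filelist while the comment says it is omitted (unless the filelist is rewritten somewhere not visible here). Use `grep -v '^\./etc/fstab$' livecd.ubuntu-cpc.rootfs.filelist >"${squashfs_f}.filelist"`. The `cp livecd.ubuntu-cpc.rootfs.filelist ${squashfs_f}.filelist` line two lines above is immediately overwritten by that redirection and can be dropped.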
@@ -6,3 +6,6 @@ provides livecd.ubuntu-cpc.kernel-generic
 provides livecd.ubuntu-cpc.kernel-generic-lpae
 provides livecd.ubuntu-cpc.manifest
 provides livecd.ubuntu-cpc.filelist
+provides livecd.ubuntu-cpc.disk-uefi.manifest
+provides livecd.ubuntu-cpc.disk-uefi.filelist
+provides livecd.ubuntu-cpc.disk-uefi.spdx
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/qcow2 b/live-build/ubuntu-cpc/hooks.d/base/series/qcow2
index 745adb9b..0fdbc81c 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/qcow2
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/qcow2
@@ -1,3 +1,6 @@
 depends disk-image
 base/qcow2-image.binary
 provides livecd.ubuntu-cpc.img
+provides livecd.ubuntu-cpc.qcow.manifest
+provides livecd.ubuntu-cpc.qcow.filelist
+provides livecd.ubuntu-cpc.qcow.spdx
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/squashfs b/live-build/ubuntu-cpc/hooks.d/base/series/squashfs
index b9f0d8db..991bf12e 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/squashfs
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/squashfs
@@ -3,3 +3,4 @@ base/root-squashfs.binary
 provides livecd.ubuntu-cpc.squashfs
 provides livecd.ubuntu-cpc.squashfs.manifest
 provides livecd.ubuntu-cpc.squashfs.filelist
+provides livecd.ubuntu-cpc.squashfs.spdx
\ No newline at end of file
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/tarball b/live-build/ubuntu-cpc/hooks.d/base/series/tarball
index 8e2bc766..293fc4a5 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/tarball
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/tarball
@@ -3,3 +3,4 @@ base/root-xz.binary
 provides livecd.ubuntu-cpc.rootfs.tar.xz
 provides livecd.ubuntu-cpc.rootfs.manifest
 provides livecd.ubuntu-cpc.rootfs.filelist
+provides livecd.ubuntu-cpc.rootfs.spdx
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/vagrant b/live-build/ubuntu-cpc/hooks.d/base/series/vagrant
index 6e5fcf39..0e4d8dd4 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/vagrant
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/vagrant
@@ -1,3 +1,6 @@
 depends disk-image
 base/vagrant.binary
 provides livecd.ubuntu-cpc.vagrant.box
+provides livecd.ubuntu-cpc.vagrant.manifest
+provides livecd.ubuntu-cpc.vagrant.filelist
+provides livecd.ubuntu-cpc.vagrant.spdx
\ No newline at end of file
diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/vmdk b/live-build/ubuntu-cpc/hooks.d/base/series/vmdk
index c583fe96..855063e3 100644
--- a/live-build/ubuntu-cpc/hooks.d/base/series/vmdk
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/vmdk
@@ -3,3 +3,6 @@ base/vmdk-image.binary
 base/vmdk-ova-image.binary
 provides livecd.ubuntu-cpc.vmdk
 provides livecd.ubuntu-cpc.ova
+provides livecd.ubuntu-cpc.vmdk.manifest
+provides livecd.ubuntu-cpc.vmdk.filelist
+provides livecd.ubuntu-cpc.vmdk.spdx
\ No newline at end of file
diff --git a/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary b/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary
index 504c667e..fe281d9c 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary
@@ -86,6 +86,8 @@ EOF
 chroot ${mount_d} chown -R vagrant:vagrant /home/vagrant/.ssh
 chroot ${mount_d} chmod 700 /home/vagrant/.ssh
+create_manifest $mount_d "livecd.ubuntu-cpc.vagrant.manifest" "livecd.ubuntu-cpc.vagrant.spdx" "cloud-image-vagrant-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
+
 umount_disk_image "$mount_d"
 rmdir "$mount_d"
diff --git a/live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary b/live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary
index 3c2a6449..f4c0ade8 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary
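Review bot: In vagrant.binary the new line passes `$mount_d` to create_manifest unquoted while the `umount_disk_image "$mount_d"` and `rmdir "$mount_d"` lines directly below quote it; write `create_manifest "$mount_d" "livecd.ubuntu-cpc.vagrant.manifest" …` for consistency. The manifest and SPDX names are also given relative to the working directory here, whereas disk-image-uefi.binary and disk-image.binary anchor theirs with `$PWD/`; both resolve the same way only if the hook's cwd is the build root, so matching the `$PWD/` form would remove that assumption.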
@@ -20,8 +20,18 @@ esac
 . config/functions
+vmdk_file="$PWD/livecd.ubuntu-cpc.vmdk"
+
 if [ -e binary/boot/disk-uefi.ext4 ]; then
 create_vmdk binary/boot/disk-uefi.ext4 livecd.ubuntu-cpc.vmdk
+ uefi_file="livecd.ubuntu-cpc.disk-uefi"
+ cp ${uefi_file}.manifest ${vmdk_file}.manifest
+ cp ${uefi_file}.filelist ${vmdk_file}.filelist
+ cp ${uefi_file}.spdx ${vmdk_file}.spdx
 elif [ -f binary/boot/disk.ext4 ]; then
 create_vmdk binary/boot/disk.ext4 livecd.ubuntu-cpc.vmdk
+ disk_file="livecd.ubuntu-cpc.disk-image"
+ cp ${disk_file}.manifest ${vmdk_file}.manifest
+ cp ${disk_file}.filelist ${vmdk_file}.filelist
+ cp ${disk_file}.spdx ${vmdk_file}.spdx
 fi