feat(ubuntu-cpc): sbom generation everywhere

patch create_manifest to produce an sbom when called by an ubuntu-cpc
project. Patch all the ubuntu-cpc hooks and series files to include the
newly generated manifests, filelists, and sboms. Generates a number of
new artifacts in the builds. the snap utilized, cpc-sbom, is an open
source repo and a provided via a hidden snap. there is no intention of
publisizing the snap or how we generate sboms, however partners require
the ability to audit if required.

defensively checks if the snap is already installed, in the case of
multiple hooks being called in a single build (thus sharing a build
host), and only if called in an ubuntu-cpc project.

(cherry picked from commit 7c7b7df89dc96169db1f255d6bba901ebb63a43c)

live-build/functions

@@ -46,6 +46,10 @@ create_empty_disk_image() {
 create_manifest() {
     local chroot_root=${1}
     local target_file=${2}
+    local base_default_sbom_name="ubuntu-cloud-image-$(grep "VERSION_ID" $chroot_root/etc/os-release | cut --delimiter "=" --field 2 | tr -d '"')-${ARCH}-$(date +%Y%m%dT%H:%M:%S)"
+    local sbom_file_name=${3:-"${base_default_sbom_name}.spdx"}
+    local sbom_document_name=${4:-"${base_default_sbom_name}"}
+    local sbom_log=${sbom_document_name}.log
     echo "create_manifest chroot_root: ${chroot_root}"
     dpkg-query --show --admindir="${chroot_root}/var/lib/dpkg" > ${target_file}
     echo "create_manifest call to dpkg-query finished."
@@ -54,7 +58,23 @@ create_manifest() {
     if [ "$PROJECT" = ubuntu-cpc ]; then
         echo "create_manifest creating file listing."
         local target_filelist=${2%.manifest}.filelist
-        (cd "${chroot_root}" && find -xdev) > "${target_filelist}"
+        (cd "${chroot_root}" && find -xdev) | sort > "${target_filelist}"
+        # only creating sboms for CPC project at this time
+        if [[ ! $(which cpc-sbom) ]]; then
+            # ensure the tool is installed
+            sudo snap install --classic --edge cpc-sbom
+        fi
+        # generate the SBOM
+        cpc-sbom --rootdir ${chroot_root} --ignore-copyright-parsing-errors --ignore-copyright-file-not-found-errors --document-name ${sbom_document_name} >"${sbom_file_name}" 2>"${sbom_log}"
+        SBOM_GENERATION_EXIT_CODE=$?
+        if [[ ${SBOM_GENERATION_EXIT_CODE} !=  "0" ]]; then
+        # check for failure and print log
+            echo "ERROR: SBOM generation failed. See ${sbom_log}"
+            cat "$sbom_log"
+            exit 1
+        else
+            echo "SBOM generation succeeded. see ${sbom_log} for details"
+        fi    
     fi
     echo "create_manifest finished"
 }

live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary

@@ -24,6 +24,6 @@ rm -rf $rootfs_dir/boot/grub
 # Keep this as some derivatives mount a tempfs here
 mkdir -p $rootfs_dir/lib/modules
 
-teardown_mountpoint $rootfs_dir
+create_manifest $rootfs_dir "livecd.ubuntu-cpc.rootfs.manifest" "livecd.ubuntu-cpc.rootfs.spdx"  "cloud-image-rootfs-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
 
-create_manifest "${rootfs_dir}" "${rootfs_dir}.manifest"
+teardown_mountpoint $rootfs_dir

live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary

@@ -75,6 +75,11 @@ make_ext4_partition "${rootfs_dev_mapper}"
 mkdir mountpoint
 mount "${rootfs_dev_mapper}" mountpoint
 cp -a chroot/* mountpoint/
+
+# the image has been modified from its disk-image-uefi base so the manifest and filelist should be regenerated
+# explicitly generate manifest and sbom
+create_manifest  "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-image.manifest" "$PWD/livecd.ubuntu-cpc.disk-image.spdx"  "cloud-image-$ARCH-$(date +Y%m%dT%H:%M:%S)"
+
 umount mountpoint
 rmdir mountpoint
 

live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary

@@ -236,6 +236,11 @@ EOF
     rm mountpoint/tmp/device.map
     umount mountpoint/boot/efi
     mount
+
+    # create sorted filelist as the very last step before unmounting
+    # explicitly generate manifest and sbom
+    create_manifest  "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-uefi.manifest" "$PWD/livecd.ubuntu-cpc.disk-uefi.spdx"  "cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
+
     umount_partition mountpoint
     rmdir mountpoint
 }
@@ -251,6 +256,7 @@ make_ext4_partition "${rootfs_dev_mapper}"
 mkdir mountpoint
 mount "${rootfs_dev_mapper}" mountpoint
 cp -a chroot/* mountpoint/
+
 umount mountpoint
 rmdir mountpoint
 

live-build/ubuntu-cpc/hooks.d/base/disk-image.binary

@@ -175,6 +175,8 @@ EOF
         $ZIPL_EXTRA_PARAMS
 fi
 
+create_manifest  "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-image.manifest" "$PWD/livecd.ubuntu-cpc.disk-image.spdx"  "cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
+
 if [ -n "$BOOT_MOUNTPOINT" ]; then
 	umount "mountpoint/$BOOT_MOUNTPOINT"
 fi

live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary

@@ -15,8 +15,17 @@ esac
 
 . config/functions
 
+qcow_file=${PWD}/livecd.ubuntu-cpc.qcow
 if [ -f binary/boot/disk-uefi.ext4 ]; then
     convert_to_qcow2 binary/boot/disk-uefi.ext4 livecd.ubuntu-cpc.img
+    uefi_file="livecd.ubuntu-cpc.disk-uefi"
+    cp ${uefi_file}.manifest ${qcow_file}.manifest
+    cp ${uefi_file}.filelist ${qcow_file}.filelist
+    cp ${uefi_file}.spdx ${qcow_file}.spdx
 elif [ -f binary/boot/disk.ext4 ]; then
     convert_to_qcow2 binary/boot/disk.ext4 livecd.ubuntu-cpc.img
+    disk_file="livecd.ubuntu-cpc.disk-image"
+    cp ${disk_file}.manifest ${qcow_file}.manifest
+    cp ${disk_file}.filelist ${qcow_file}.filelist
+    cp ${disk_file}.spdx ${qcow_file}.spdx
 fi

live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary

@@ -13,8 +13,12 @@ rootfs_dir=rootfs.dir
 
 squashfs_f="$PWD/livecd.ubuntu-cpc.squashfs"
 
-cp $rootfs_dir.manifest $squashfs_f.manifest
+cp livecd.ubuntu-cpc.rootfs.manifest ${squashfs_f}.manifest
-cp $rootfs_dir.filelist $squashfs_f.filelist
+cp livecd.ubuntu-cpc.rootfs.filelist ${squashfs_f}.filelist
+cp livecd.ubuntu-cpc.rootfs.spdx ${squashfs_f}.spdx
+
+# fstab is omitted from the squashfs
+grep -v '^/etc/fstab$' livecd.ubuntu-cpc.rootfs.filelist >$squashfs_f.filelist
 
 (cd $rootfs_dir &&
       mksquashfs . $squashfs_f \

live-build/ubuntu-cpc/hooks.d/base/root-xz.binary

@@ -11,6 +11,4 @@ fi
 # This is the directory created by create-root-dir.binary
 rootfs_dir=rootfs.dir
 
-cp $rootfs_dir.manifest livecd.ubuntu-cpc.rootfs.manifest
-cp $rootfs_dir.filelist livecd.ubuntu-cpc.rootfs.filelist
 (cd $rootfs_dir/ && tar -c --sort=name --xattrs *) | xz > livecd.ubuntu-cpc.rootfs.tar.xz

live-build/ubuntu-cpc/hooks.d/base/series/disk-image

@@ -8,3 +8,6 @@ provides livecd.ubuntu-cpc.kernel-generic
 provides livecd.ubuntu-cpc.kernel-generic-lpae
 provides livecd.ubuntu-cpc.manifest
 provides livecd.ubuntu-cpc.filelist
+provides livecd.ubuntu-cpc.disk-image.manifest
+provides livecd.ubuntu-cpc.disk-image.filelist
+provides livecd.ubuntu-cpc.disk-image.spdx

live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi

@@ -6,3 +6,6 @@ provides livecd.ubuntu-cpc.kernel-generic
 provides livecd.ubuntu-cpc.kernel-generic-lpae
 provides livecd.ubuntu-cpc.manifest
 provides livecd.ubuntu-cpc.filelist
+provides livecd.ubuntu-cpc.disk-uefi.manifest
+provides livecd.ubuntu-cpc.disk-uefi.filelist
+provides livecd.ubuntu-cpc.disk-uefi.spdx

live-build/ubuntu-cpc/hooks.d/base/series/qcow2

@@ -1,3 +1,6 @@
 depends disk-image
 base/qcow2-image.binary
 provides livecd.ubuntu-cpc.img
+provides livecd.ubuntu-cpc.qcow.manifest
+provides livecd.ubuntu-cpc.qcow.filelist
+provides livecd.ubuntu-cpc.qcow.spdx

live-build/ubuntu-cpc/hooks.d/base/series/squashfs

@@ -3,3 +3,4 @@ base/root-squashfs.binary
 provides livecd.ubuntu-cpc.squashfs
 provides livecd.ubuntu-cpc.squashfs.manifest
 provides livecd.ubuntu-cpc.squashfs.filelist
+provides livecd.ubuntu-cpc.squashfs.spdx

live-build/ubuntu-cpc/hooks.d/base/series/tarball

@@ -3,3 +3,4 @@ base/root-xz.binary
 provides livecd.ubuntu-cpc.rootfs.tar.xz
 provides livecd.ubuntu-cpc.rootfs.manifest
 provides livecd.ubuntu-cpc.rootfs.filelist
+provides livecd.ubuntu-cpc.rootfs.spdx

live-build/ubuntu-cpc/hooks.d/base/series/vagrant

@@ -1,3 +1,6 @@
 depends disk-image
 base/vagrant.binary
 provides livecd.ubuntu-cpc.vagrant.box
+provides livecd.ubuntu-cpc.vagrant.manifest
+provides livecd.ubuntu-cpc.vagrant.filelist
+provides livecd.ubuntu-cpc.vagrant.spdx

live-build/ubuntu-cpc/hooks.d/base/series/vmdk

@@ -3,3 +3,6 @@ base/vmdk-image.binary
 base/vmdk-ova-image.binary
 provides livecd.ubuntu-cpc.vmdk
 provides livecd.ubuntu-cpc.ova
+provides livecd.ubuntu-cpc.vmdk.manifest
+provides livecd.ubuntu-cpc.vmdk.filelist
+provides livecd.ubuntu-cpc.vmdk.spdx

live-build/ubuntu-cpc/hooks.d/base/vagrant.binary

@@ -86,6 +86,8 @@ EOF
 chroot ${mount_d} chown -R vagrant:vagrant /home/vagrant/.ssh
 chroot ${mount_d} chmod 700 /home/vagrant/.ssh
 
+create_manifest $mount_d "livecd.ubuntu-cpc.vagrant.manifest" "livecd.ubuntu-cpc.vagrant.spdx"  "cloud-image-vagrant-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
+
 umount_disk_image "$mount_d"
 rmdir "$mount_d"
 

live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary

@@ -20,8 +20,18 @@ esac
 
 . config/functions
 
+vmdk_file="$PWD/livecd.ubuntu-cpc.vmdk"
+
 if [ -e binary/boot/disk-uefi.ext4 ]; then
     create_vmdk binary/boot/disk-uefi.ext4 livecd.ubuntu-cpc.vmdk
+    uefi_file="livecd.ubuntu-cpc.disk-uefi"
+    cp ${uefi_file}.manifest ${vmdk_file}.manifest
+    cp ${uefi_file}.filelist ${vmdk_file}.filelist
+    cp ${uefi_file}.spdx ${vmdk_file}.spdx
 elif [ -f binary/boot/disk.ext4 ]; then
     create_vmdk binary/boot/disk.ext4 livecd.ubuntu-cpc.vmdk
+    disk_file="livecd.ubuntu-cpc.disk-image"
+    cp ${disk_file}.manifest ${vmdk_file}.manifest
+    cp ${disk_file}.filelist ${vmdk_file}.filelist
+    cp ${disk_file}.spdx ${vmdk_file}.spdx
 fi