From 2db8a8fce8d6db072282ba7f74b446a5cd0eccfd Mon Sep 17 00:00:00 2001 From: John Chittum Date: Thu, 15 Aug 2024 11:40:27 -0400 Subject: [PATCH 1/3] feat(ubuntu-cpc): sbom generation everywhere patch create_manifest to produce an sbom when called by an ubuntu-cpc project. Patch all the ubuntu-cpc hooks and series files to include the newly generated manifests, filelists, and sboms. Generates a number of new artifacts in the builds. the snap utilized, cpc-sbom, is an open source repo and a provided via a hidden snap. there is no intention of publisizing the snap or how we generate sboms, however partners require the ability to audit if required. defensively checks if the snap is already installed, in the case of multiple hooks being called in a single build (thus sharing a build host), and only if called in an ubuntu-cpc project. (cherry picked from commit 7c7b7df89dc96169db1f255d6bba901ebb63a43c) --- live-build/functions | 22 ++++++++++++++++++- .../hooks.d/base/create-root-dir.binary | 4 ++-- .../hooks.d/base/disk-image-ppc64el.binary | 4 ++++ .../hooks.d/base/disk-image-uefi.binary | 6 +++++ .../ubuntu-cpc/hooks.d/base/disk-image.binary | 2 ++ .../hooks.d/base/qcow2-image.binary | 9 ++++++++ .../hooks.d/base/root-squashfs.binary | 7 ++++-- .../ubuntu-cpc/hooks.d/base/root-xz.binary | 2 -- .../ubuntu-cpc/hooks.d/base/series/disk-image | 3 +++ .../hooks.d/base/series/disk-image-uefi | 3 +++ .../ubuntu-cpc/hooks.d/base/series/qcow2 | 3 +++ .../ubuntu-cpc/hooks.d/base/series/squashfs | 1 + .../ubuntu-cpc/hooks.d/base/series/tarball | 1 + .../ubuntu-cpc/hooks.d/base/series/vagrant | 3 +++ .../ubuntu-cpc/hooks.d/base/series/vmdk | 3 +++ .../ubuntu-cpc/hooks.d/base/vagrant.binary | 2 ++ .../ubuntu-cpc/hooks.d/base/vmdk-image.binary | 10 +++++++++ 17 files changed, 78 insertions(+), 7 deletions(-) diff --git a/live-build/functions b/live-build/functions index aa1c1e76..2431ee6e 100644 --- a/live-build/functions +++ b/live-build/functions 
@@ -37,6 +37,10 @@ create_empty_disk_image() {
 create_manifest() {
 local chroot_root=${1}
 local target_file=${2}
+ local base_default_sbom_name="ubuntu-cloud-image-$(grep "VERSION_ID" $chroot_root/etc/os-release | cut --delimiter "=" --field 2 | tr -d '"')-${ARCH}-$(date +%Y%m%dT%H:%M:%S)"
+ local sbom_file_name=${3:-"${base_default_sbom_name}.spdx"}
+ local sbom_document_name=${4:-"${base_default_sbom_name}"}
+ local sbom_log=${sbom_document_name}.log
 echo "create_manifest chroot_root: ${chroot_root}"
 dpkg-query --show --admindir="${chroot_root}/var/lib/dpkg" > ${target_file}
 echo "create_manifest call to dpkg-query finished."
@@ -45,7 +49,23 @@ create_manifest() {
 if [ "$PROJECT" = ubuntu-cpc ]; then
 echo "create_manifest creating file listing."
 local target_filelist=${2%.manifest}.filelist
- (cd "${chroot_root}" && find -xdev) > "${target_filelist}"
+ (cd "${chroot_root}" && find -xdev) | sort > "${target_filelist}"
+ # only creating sboms for CPC project at this time
+ if [[ ! $(which cpc-sbom) ]]; then
+ # ensure the tool is installed
+ sudo snap install --classic --edge cpc-sbom
+ fi
+ # generate the SBOM
+ cpc-sbom --rootdir ${chroot_root} --ignore-copyright-parsing-errors --ignore-copyright-file-not-found-errors --document-name ${sbom_document_name} >"${sbom_file_name}" 2>"${sbom_log}"
+ SBOM_GENERATION_EXIT_CODE=$?
+ if [[ ${SBOM_GENERATION_EXIT_CODE} != "0" ]]; then
+ # check for failure and print log
+ echo "ERROR: SBOM generation failed. See ${sbom_log}"
+ cat "$sbom_log"
+ exit 1
+ else
+ echo "SBOM generation succeeded. see ${sbom_log} for details"
+ fi
 fi
 echo "create_manifest finished"
 }
diff --git a/live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary b/live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary
index 6ba4fe9c..46d9479a 100755
--- a/live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary
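Review bot: The new `base_default_sbom_name` line runs `grep "VERSION_ID" $chroot_root/etc/os-release` unquoted and inside a `local` assignment, so a missing or unreadable os-release only prints to stderr and silently yields a name like `ubuntu-cloud-image--amd64-...`, and it runs for every project and every call even though the value is only used when `$3`/`$4` are omitted and SBOMs are only produced for ubuntu-cpc. I would compute the default lazily, `if [ -z "${3:-}" ] || [ -z "${4:-}" ]; then ...; fi`, with `"${chroot_root}/etc/os-release"` quoted and the grep failure checked. The `date +%Y%m%dT%H:%M:%S` part also puts colons into a file name and makes the SPDX document name differ on every build, which is worth a comment stating that the artifact is intentionally not reproducible. The rest of `create_manifest` continues outside this hunk.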
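Review bot: `sudo snap install --classic --edge cpc-sbom` fetches the SBOM generator from the edge channel, unpinned and classic-confined, onto the build host at build time, so the tool that produces the supply-chain attestation is itself a mutable, unaudited dependency; pin it (`--revision N` or a stable track) or preinstall it in the builder image, and record `snap list cpc-sbom` into `${sbom_log}` so the generator version is auditable alongside the SBOM. If the hook scripts run under `set -e` (not visible here), the failure branch after the `cpc-sbom ...` line is unreachable because the shell exits at the failing command before `SBOM_GENERATION_EXIT_CODE=$?` is read; writing it as `if ! cpc-sbom ... >"${sbom_file_name}" 2>"${sbom_log}"; then` keeps the log dump reachable. The install check should also be `if ! command -v cpc-sbom >/dev/null; then` rather than `which` in a test, and `${chroot_root}` and `${sbom_document_name}` should be quoted on the `cpc-sbom` line.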
@@ -24,6 +24,6 @@ rm -rf $rootfs_dir/boot/grub # Keep this as some derivatives mount a tempfs here mkdir -p $rootfs_dir/lib/modules -teardown_mountpoint $rootfs_dir +create_manifest $rootfs_dir "livecd.ubuntu-cpc.rootfs.manifest" "livecd.ubuntu-cpc.rootfs.spdx" "cloud-image-rootfs-$ARCH-$(date +%Y%m%dT%H:%M:%S)" -create_manifest "${rootfs_dir}" "${rootfs_dir}.manifest" +teardown_mountpoint $rootfs_dir diff --git a/live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary b/live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary index b5b7cffc..67d97140 100755 --- a/live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary +++ b/live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary @@ -75,6 +75,10 @@ make_ext4_partition "${rootfs_dev_mapper}" mkdir mountpoint mount "${rootfs_dev_mapper}" mountpoint cp -a chroot/* mountpoint/ + +# the image has been modified from its disk-image-uefi base so the manifest and filelist should be regenerated +create_manifest "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-image.manifest" "$PWD/livecd.ubuntu-cpc.disk-image.spdx" "cloud-image-$ARCH-$(date +Y%m%dT%H:%M:%S)" + umount mountpoint rmdir mountpoint diff --git a/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary b/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary index 76e67ef1..db9a8460 100755 --- a/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary +++ b/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary @@ -452,6 +452,11 @@ EOF rm mountpoint/tmp/device.map umount mountpoint/boot/efi mount + + # create sorted filelist as the very last step before unmounting + # explicitly generate manifest and sbom + create_manifest "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-uefi.manifest" "$PWD/livecd.ubuntu-cpc.disk-uefi.spdx" "cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)" + umount_partition mountpoint rmdir mountpoint } 
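Review bot: The `create_manifest` call is moved ahead of `teardown_mountpoint $rootfs_dir`, so the rootfs is inventoried while its build-time mounts are still in place; `find -xdev` in `create_manifest` will skip them, but what `cpc-sbom --rootdir` does with mounted /proc, /sys or /dev is not visible here. If the reorder is needed by cpc-sbom, a comment saying so would prevent someone restoring the old order, e.g. `# create_manifest must run before teardown: cpc-sbom needs <reason> mounted`; otherwise the previous order inventoried the rootfs in exactly its shipped state. The removed line quoted `"${rootfs_dir}"`; the new call should keep it quoted, `create_manifest "${rootfs_dir}" "livecd.ubuntu-cpc.rootfs.manifest" ...`.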
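Review bot: The document name in the new `create_manifest` line of disk-image-ppc64el.binary uses `$(date +Y%m%dT%H:%M:%S)`, missing the `%` before `Y`, so the SPDX document name and its `.log` file come out as `cloud-image-ppc64el-Y0815T11:40:27`-style strings with no year; every other hook in this patch uses `%Y`. Change it to `"cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)"`. The trailing `/` in `"mountpoint/"` also yields paths like `mountpoint//var/lib/dpkg` in the log output, harmless but worth dropping for consistency with the `mountpoint` used by `umount` on the next line.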
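Review bot: The added comment `# create sorted filelist as the very last step before unmounting` is misleading: `umount mountpoint/boot/efi` already ran two lines earlier, so the EFI system partition (shim and grub binaries) is not part of the filelist or the SBOM produced by this call, and `find -xdev` would have excluded it even if it were still mounted. Either state that exclusion explicitly, `# note: the ESP (boot/efi) is already unmounted and is not inventoried`, or move the call above the `umount mountpoint/boot/efi` line if cpc-sbom is expected to see it (whether cpc-sbom crosses mount points is not visible here). The enclosing function starts outside this hunk and closes with the `}` at its end.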
@@ -467,6 +472,7 @@ make_ext4_partition "${rootfs_dev_mapper}" mkdir mountpoint mount "${rootfs_dev_mapper}" mountpoint cp -a chroot/* mountpoint/ + umount mountpoint rmdir mountpoint diff --git a/live-build/ubuntu-cpc/hooks.d/base/disk-image.binary b/live-build/ubuntu-cpc/hooks.d/base/disk-image.binary index 7c8bc9b7..e2fd0993 100755 --- a/live-build/ubuntu-cpc/hooks.d/base/disk-image.binary +++ b/live-build/ubuntu-cpc/hooks.d/base/disk-image.binary @@ -179,6 +179,8 @@ EOF $ZIPL_EXTRA_PARAMS fi +create_manifest "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-image.manifest" "$PWD/livecd.ubuntu-cpc.disk-image.spdx" "cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)" + if [ -n "$BOOT_MOUNTPOINT" ]; then umount "mountpoint/$BOOT_MOUNTPOINT" fi diff --git a/live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary b/live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary index 8dbbb9ae..4a8e321a 100755 --- a/live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary +++ b/live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary @@ -2,8 +2,17 @@ . config/functions +qcow_file=${PWD}/livecd.ubuntu-cpc.qcow if [ -f binary/boot/disk-uefi.ext4 ]; then convert_to_qcow2 binary/boot/disk-uefi.ext4 livecd.ubuntu-cpc.img + uefi_file="livecd.ubuntu-cpc.disk-uefi" + cp ${uefi_file}.manifest ${qcow_file}.manifest + cp ${uefi_file}.filelist ${qcow_file}.filelist + cp ${uefi_file}.spdx ${qcow_file}.spdx elif [ -f binary/boot/disk.ext4 ]; then convert_to_qcow2 binary/boot/disk.ext4 livecd.ubuntu-cpc.img + disk_file="livecd.ubuntu-cpc.disk-image" + cp ${disk_file}.manifest ${qcow_file}.manifest + cp ${disk_file}.filelist ${qcow_file}.filelist + cp ${disk_file}.spdx ${qcow_file}.spdx fi diff --git a/live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary b/live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary index bc56bc42..ab90c963 100755 --- a/live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary +++ b/live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary 
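Review bot: In the disk-image.binary hunk the new `create_manifest "mountpoint/" ...` call runs while `mountpoint/$BOOT_MOUNTPOINT` may still be mounted (it is unmounted in the following `if`), and since `create_manifest` builds the filelist with `find -xdev`, the files on a separate boot partition will not appear in the filelist even though the dpkg manifest lists the kernel and bootloader packages. A short comment at the call site, `# filelist/SBOM are taken with -xdev: a separate $BOOT_MOUNTPOINT is not inventoried`, would keep that gap from surprising anyone reconciling the two. The surrounding `if`/`fi` structure begins outside this hunk.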
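Review bot: The six new `cp` lines in qcow2-image.binary are unquoted and repeat the same three-file copy in both branches, and the identical block appears again in vmdk-image.binary in this patch. A loop keeps it to one line per branch and makes the set of artifacts obvious: `for ext in manifest filelist spdx; do cp -- "${uefi_file}.${ext}" "${qcow_file}.${ext}"; done`, or better a small helper in config/functions shared with vmdk-image.binary. Note that the copies assume the disk-image stage produced all three files; if one is missing `cp` fails here rather than at its source, so a comment naming where they come from (`disk-image-uefi.binary` / `disk-image.binary`) helps when debugging.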
@@ -15,8 +15,11 @@ rootfs_dir=rootfs.dir squashfs_f="$PWD/livecd.ubuntu-cpc.squashfs" -cp $rootfs_dir.manifest $squashfs_f.manifest +cp livecd.ubuntu-cpc.rootfs.manifest ${squashfs_f}.manifest +cp livecd.ubuntu-cpc.rootfs.filelist ${squashfs_f}.filelist +cp livecd.ubuntu-cpc.rootfs.spdx ${squashfs_f}.spdx + # fstab is omitted from the squashfs -grep -v '^/etc/fstab$' $rootfs_dir.filelist >$squashfs_f.filelist +grep -v '^/etc/fstab$' livecd.ubuntu-cpc.rootfs.filelist >$squashfs_f.filelist create_squashfs $rootfs_dir $squashfs_f diff --git a/live-build/ubuntu-cpc/hooks.d/base/root-xz.binary b/live-build/ubuntu-cpc/hooks.d/base/root-xz.binary index c8aad906..9c5db0b8 100755 --- a/live-build/ubuntu-cpc/hooks.d/base/root-xz.binary +++ b/live-build/ubuntu-cpc/hooks.d/base/root-xz.binary @@ -11,6 +11,4 @@ fi # This is the directory created by create-root-dir.binary rootfs_dir=rootfs.dir -cp $rootfs_dir.manifest livecd.ubuntu-cpc.rootfs.manifest -cp $rootfs_dir.filelist livecd.ubuntu-cpc.rootfs.filelist (cd $rootfs_dir/ && tar -c --sort=name --xattrs *) | xz > livecd.ubuntu-cpc.rootfs.tar.xz diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/disk-image b/live-build/ubuntu-cpc/hooks.d/base/series/disk-image index 3b356075..e1d5284c 100644 --- a/live-build/ubuntu-cpc/hooks.d/base/series/disk-image +++ b/live-build/ubuntu-cpc/hooks.d/base/series/disk-image @@ -8,3 +8,6 @@ provides livecd.ubuntu-cpc.kernel-generic provides livecd.ubuntu-cpc.kernel-generic-lpae provides livecd.ubuntu-cpc.manifest provides livecd.ubuntu-cpc.filelist +provides livecd.ubuntu-cpc.disk-image.manifest +provides livecd.ubuntu-cpc.disk-image.filelist +provides livecd.ubuntu-cpc.disk-image.spdx diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi b/live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi index 438930b7..d8b7ad44 100644 --- a/live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi +++ b/live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi 
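Review bot: The new `cp livecd.ubuntu-cpc.rootfs.filelist ${squashfs_f}.filelist` line is dead: the `grep -v ... >$squashfs_f.filelist` two lines below truncates and rewrites the same file, so the copy should be dropped. Separately, the filelist is produced in `create_manifest` by `(cd "${chroot_root}" && find -xdev) | sort`, which (with GNU find's default starting point) emits entries as `./etc/fstab`, so the pattern `'^/etc/fstab$'` on the rewritten grep line never matches and fstab is not actually omitted from the squashfs filelist; `grep -v '^\./etc/fstab$'` would. The copied `.spdx` is the rootfs SBOM unchanged, so if cpc-sbom records files it will still describe fstab, which is worth a comment if that is acceptable.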
@@ -6,3 +6,6 @@ provides livecd.ubuntu-cpc.kernel-generic provides livecd.ubuntu-cpc.kernel-generic-lpae provides livecd.ubuntu-cpc.manifest provides livecd.ubuntu-cpc.filelist +provides livecd.ubuntu-cpc.disk-uefi.manifest +provides livecd.ubuntu-cpc.disk-uefi.filelist +provides livecd.ubuntu-cpc.disk-uefi.spdx diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/qcow2 b/live-build/ubuntu-cpc/hooks.d/base/series/qcow2 index 745adb9b..0fdbc81c 100644 --- a/live-build/ubuntu-cpc/hooks.d/base/series/qcow2 +++ b/live-build/ubuntu-cpc/hooks.d/base/series/qcow2 @@ -1,3 +1,6 @@ depends disk-image base/qcow2-image.binary provides livecd.ubuntu-cpc.img +provides livecd.ubuntu-cpc.qcow.manifest +provides livecd.ubuntu-cpc.qcow.filelist +provides livecd.ubuntu-cpc.qcow.spdx diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/squashfs b/live-build/ubuntu-cpc/hooks.d/base/series/squashfs index b9f0d8db..991bf12e 100644 --- a/live-build/ubuntu-cpc/hooks.d/base/series/squashfs +++ b/live-build/ubuntu-cpc/hooks.d/base/series/squashfs @@ -3,3 +3,4 @@ base/root-squashfs.binary provides livecd.ubuntu-cpc.squashfs provides livecd.ubuntu-cpc.squashfs.manifest provides livecd.ubuntu-cpc.squashfs.filelist +provides livecd.ubuntu-cpc.squashfs.spdx \ No newline at end of file diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/tarball b/live-build/ubuntu-cpc/hooks.d/base/series/tarball index 8e2bc766..293fc4a5 100644 --- a/live-build/ubuntu-cpc/hooks.d/base/series/tarball +++ b/live-build/ubuntu-cpc/hooks.d/base/series/tarball @@ -3,3 +3,4 @@ base/root-xz.binary provides livecd.ubuntu-cpc.rootfs.tar.xz provides livecd.ubuntu-cpc.rootfs.manifest provides livecd.ubuntu-cpc.rootfs.filelist +provides livecd.ubuntu-cpc.rootfs.spdx diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/vagrant b/live-build/ubuntu-cpc/hooks.d/base/series/vagrant index 6e5fcf39..0e4d8dd4 100644 --- a/live-build/ubuntu-cpc/hooks.d/base/series/vagrant +++ b/live-build/ubuntu-cpc/hooks.d/base/series/vagrant 
@@ -1,3 +1,6 @@ depends disk-image base/vagrant.binary provides livecd.ubuntu-cpc.vagrant.box +provides livecd.ubuntu-cpc.vagrant.manifest +provides livecd.ubuntu-cpc.vagrant.filelist +provides livecd.ubuntu-cpc.vagrant.spdx \ No newline at end of file diff --git a/live-build/ubuntu-cpc/hooks.d/base/series/vmdk b/live-build/ubuntu-cpc/hooks.d/base/series/vmdk index c583fe96..855063e3 100644 --- a/live-build/ubuntu-cpc/hooks.d/base/series/vmdk +++ b/live-build/ubuntu-cpc/hooks.d/base/series/vmdk @@ -3,3 +3,6 @@ base/vmdk-image.binary base/vmdk-ova-image.binary provides livecd.ubuntu-cpc.vmdk provides livecd.ubuntu-cpc.ova +provides livecd.ubuntu-cpc.vmdk.manifest +provides livecd.ubuntu-cpc.vmdk.filelist +provides livecd.ubuntu-cpc.vmdk.spdx \ No newline at end of file diff --git a/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary b/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary index 49746926..21948394 100755 --- a/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary +++ b/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary @@ -80,6 +80,8 @@ EOF chroot ${mount_d} chown -R vagrant:vagrant /home/vagrant/.ssh chroot ${mount_d} chmod 700 /home/vagrant/.ssh +create_manifest $mount_d "livecd.ubuntu-cpc.vagrant.manifest" "livecd.ubuntu-cpc.vagrant.spdx" "cloud-image-vagrant-$ARCH-$(date +%Y%m%dT%H:%M:%S)" + umount_disk_image "$mount_d" rmdir "$mount_d" diff --git a/live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary b/live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary index 3c2a6449..f4c0ade8 100755 --- a/live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary +++ b/live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary 
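Review bot: The new `create_manifest $mount_d ...` line in vagrant.binary leaves `$mount_d` unquoted while the very next line, `umount_disk_image "$mount_d"`, quotes it; use `create_manifest "$mount_d" "livecd.ubuntu-cpc.vagrant.manifest" ...`. The output names are relative here whereas the disk-image hooks in this patch pass `$PWD/...`; that works because `create_manifest` only changes directory inside a subshell, but a one-line comment, `# outputs land in the hook's cwd, same as $PWD in the disk-image hooks`, would make the inconsistency deliberate rather than accidental. The enclosing script continues outside the hunk.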
@@ -20,8 +20,18 @@ esac . config/functions +vmdk_file="$PWD/livecd.ubuntu-cpc.vmdk" + if [ -e binary/boot/disk-uefi.ext4 ]; then create_vmdk binary/boot/disk-uefi.ext4 livecd.ubuntu-cpc.vmdk + uefi_file="livecd.ubuntu-cpc.disk-uefi" + cp ${uefi_file}.manifest ${vmdk_file}.manifest + cp ${uefi_file}.filelist ${vmdk_file}.filelist + cp ${uefi_file}.spdx ${vmdk_file}.spdx elif [ -f binary/boot/disk.ext4 ]; then create_vmdk binary/boot/disk.ext4 livecd.ubuntu-cpc.vmdk + disk_file="livecd.ubuntu-cpc.disk-image" + cp ${disk_file}.manifest ${vmdk_file}.manifest + cp ${disk_file}.filelist ${vmdk_file}.filelist + cp ${disk_file}.spdx ${vmdk_file}.spdx fi From 4c11d71655fd467ce5c490d4c4aa7de93eb7618f Mon Sep 17 00:00:00 2001 From: John Chittum Date: Wed, 28 Aug 2024 07:57:46 -0400 Subject: [PATCH 2/3] add changelog entry --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index 48009f6e..0ca2e705 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +livecd-rootfs (2.765.47) jammy; urgency=medium + + * add cpc-sbom to create_manifest calls to generate sboms (LP: #2077105) + + -- jchittum Wed, 28 Aug 2024 07:57:11 -0400 + livecd-rootfs (2.765.46) jammy; urgency=medium * Add 6.8 kernel apparmor features' preseeds. (LP: #2074204) From 27cc166f5842eaa33452ea178d39b03e5aba5166 Mon Sep 17 00:00:00 2001 From: Michael Hudson-Doyle Date: Thu, 26 Sep 2024 21:27:35 +1200 Subject: [PATCH 3/3] update version number --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 0ca2e705..ddd7ff29 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -livecd-rootfs (2.765.47) jammy; urgency=medium +livecd-rootfs (2.765.51) jammy; urgency=medium * add cpc-sbom to create_manifest calls to generate sboms (LP: #2077105)
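Review bot: The new copy block in vmdk-image.binary is a verbatim duplicate of the one added to qcow2-image.binary, with the same unquoted `cp` arguments; collapsing each branch to `for ext in manifest filelist spdx; do cp -- "${uefi_file}.${ext}" "${vmdk_file}.${ext}"; done` (and likewise for `${disk_file}`) removes four lines and quotes the paths. If more converters follow, a shared `copy_image_manifests SRC_BASE DST_BASE` in config/functions would keep the artifact list in one place. The changelog hunks that follow are version bumps and need no review.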