From: Simon Falsig
To: ptxdist@pengutronix.de
Date: Wed, 13 Sep 2023 18:05:46 +0200
Message-Id: <20230913160546.71046-3-sfalsig@verity.net>
In-Reply-To: <20230913160546.71046-1-sfalsig@verity.net>
References: <20230913160546.71046-1-sfalsig@verity.net>
Subject: [ptxdist] [PATCH 3/3] RFC: sbom_report: Add support
List-Id: PTXdist Development Mailing List
Reply-To: ptxdist@pengutronix.de
Cc: Simon Falsig

From: Simon Falsig

This provides support for building SBOMs in CycloneDX format. A target is added alongside the other reports, that (based on the fast-bsp-report) extracts name, version, cpe and license of each target package, and puts these into a final sbom-report in CycloneDX/JSON format.

This requires a working Python3 setup with the cyclonedx-bom package installed.
---
 bin/ptxdist                          |  3 ++-
 rules/post/ptxd_make_report.make     | 15 ++++++++++--
 scripts/lib/ptxd_make_report.sh      | 16 +++++++++++++
 scripts/lib/ptxd_make_sbom_report.py | 35 ++++++++++++++++++++++++++++
 4 files changed, 66 insertions(+), 3 deletions(-)
 create mode 100644 scripts/lib/ptxd_make_sbom_report.py

diff --git a/bin/ptxdist b/bin/ptxdist
index dfb619cbd..15be851f5 100755
--- a/bin/ptxdist
+++ b/bin/ptxdist
@@ -780,6 +780,7 @@ Misc: full-bsp-report generate a yaml file that describes the BSP and all packages. More data but will build all packages if necessary. + sbom-report generate a CycloneDX json SBOM print print the contents of a variable, in the way it is known by "make" printnext assumes that the contents of is another @@ -1807,7 +1808,7 @@ EOF ptxd_make_log export_src EXPORTDIR="${1}" exit ;; - fast-bsp-report|full-bsp-report) + fast-bsp-report|full-bsp-report|sbom-report) check_premake_compiler && ptxd_make_log "${cmd}" exit diff --git a/rules/post/ptxd_make_report.make b/rules/post/ptxd_make_report.make index eecd2a577..ffa398c95 100644 --- a/rules/post/ptxd_make_report.make +++ b/rules/post/ptxd_make_report.make @@ -10,7 +10,9 @@ ptx/report-env = \ $(image/env) \ ptx_report_target="$(strip $(1))" \ ptx_packages_selected="$(filter-out $(IMAGE_PACKAGES),$(PTX_PACKAGES_SELECTED))" \ - ptx_image_packages="$(IMAGE_PACKAGES)" + ptx_image_packages="$(IMAGE_PACKAGES)" \ + ptx_target_packages="$(PACKAGES)" + PHONY += full-bsp-report full-bsp-report: $(RELEASEDIR)/full-bsp-report.yaml @@ -26,13 +28,22 @@ $(RELEASEDIR)/full-bsp-report.yaml: \ @$(call ptx/report-env, $@) ptxd_make_full_bsp_report @$(call finish) + PHONY += fast-bsp-report fast-bsp-report: $(RELEASEDIR)/fast-bsp-report.yaml - $(RELEASEDIR)/fast-bsp-report.yaml: $(addprefix $(STATEDIR)/,$(addsuffix .fast-report,$(PTX_PACKAGES_SELECTED))) @$(call targetinfo) @$(call ptx/report-env, $@) ptxd_make_fast_bsp_report @$(call finish) + +PHONY += sbom-report +sbom-report: $(RELEASEDIR)/sbom-report.json + +$(RELEASEDIR)/sbom-report.json: $(addprefix $(STATEDIR)/,$(addsuffix .fast-report,$(PACKAGES))) + @$(call targetinfo) + @$(call ptx/report-env, $@) ptxd_make_sbom_report + @$(call finish) + # vim: syntax=make diff --git a/scripts/lib/ptxd_make_report.sh b/scripts/lib/ptxd_make_report.sh index a363ca5b3..e2da4c05f 100644 --- a/scripts/lib/ptxd_make_report.sh +++ b/scripts/lib/ptxd_make_report.sh 
@@ -144,3 +144,19 @@ ptxd_make_fast_bsp_report() { } export -f ptxd_make_fast_bsp_report +ptxd_make_sbom_report() { + local -a ptxd_reply + local pkg_lic pkg + + ptxd_make_layer_init || return + + echo "Generating $(ptxd_print_path "${ptx_report_target}") ..." + echo + + mkdir -p "$(dirname "${ptx_report_target}")" && + python3 ${PTXDIST_LIB_DIR}/ptxd_make_sbom_report.py "${ptx_report_dir}/fast/" ${ptx_target_packages} > ${PTXDIST_TEMPDIR}/sbom-report && + mv "${PTXDIST_TEMPDIR}/sbom-report" "${ptx_report_target}" || + ptxd_bailout "failed to create SBOM report" +} +export -f ptxd_make_sbom_report + diff --git a/scripts/lib/ptxd_make_sbom_report.py b/scripts/lib/ptxd_make_sbom_report.py new file mode 100644 index 000000000..aecb4fae5 --- /dev/null +++ b/scripts/lib/ptxd_make_sbom_report.py @@ -0,0 +1,35 @@ +from cyclonedx.factory.license import LicenseFactory +from cyclonedx.factory.license import LicenseChoiceFactory +from cyclonedx.model.bom import Bom +from cyclonedx.model.component import Component +from cyclonedx.output.json import JsonV1Dot4 +import sys +import re + +lFac = LicenseFactory() +lcFac = LicenseChoiceFactory(license_factory=lFac) +bom = Bom() + +for i in range(2,len(sys.argv)): + pkg_report = sys.argv[1] + sys.argv[i] + ".yaml" + with open(pkg_report, 'r') as file: + content = file.read() + name_ = re.search("name: \'(.+)\'", content).group(1) + version_ = re.search("version: \'(.+)\'", content).group(1) + cpeMatch = re.search("cpe: \'(.+)\'", content) + cpe_ = None + if cpeMatch is not None: + cpe_ = cpeMatch.group(1) + licenses_ = re.search("licenses: \'(.+)\'", content).group(1) + comp = Component( + name = name_, + version = version_, + cpe = cpe_, + licenses = [lcFac.make_with_license(licenses_)], + bom_ref = name_ + "@" + version_ + ) + bom.components.add(comp) + +serializedJSON = JsonV1Dot4(bom).output_as_string() +print(serializedJSON) + -- 2.25.1
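Review bot: In the `ptx/report-env` hunk of rules/post/ptxd_make_report.make (`@@ -10,7 +10,9`), the new `ptx_target_packages="$(PACKAGES)"` deliberately uses a different package set than the `ptx_packages_selected` variable defined two lines above it (which is `PTX_PACKAGES_SELECTED` minus `IMAGE_PACKAGES`), so the SBOM's scope is narrower than the BSP reports'. That matches the commit message's "each target package", but a consumer of the SBOM will not see that from the file; please state the scope in the `sbom-report` help text in bin/ptxdist (e.g. "generate a CycloneDX JSON SBOM of the target packages"). The empty `+` line added after `ptx_target_packages` is whitespace-only churn and can be dropped.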
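Review bot: The `sbom-report` hunk of rules/post/ptxd_make_report.make (`@@ -26,13 +28,22`) also moves the blank line around `fast-bsp-report` (`+` before `PHONY += fast-bsp-report`, `-` after the `fast-bsp-report:` rule); those two lines are unrelated to the new target and make the diff harder to review, so please leave them out. The new rule itself mirrors `fast-bsp-report` correctly: its prerequisites are the `.fast-report` stamps of `$(PACKAGES)`, which is the same list the recipe later receives as `ptx_target_packages`, so the per-package YAML files it reads will exist when `ptxd_make_sbom_report` runs.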
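Review bot: In `ptxd_make_sbom_report()` (scripts/lib/ptxd_make_report.sh, `@@ -144,3 +144,19`) the declarations `local -a ptxd_reply` and `local pkg_lic pkg` are never used and should be removed. On the `python3` line, `${PTXDIST_LIB_DIR}` and `${PTXDIST_TEMPDIR}` are unquoted while the `mv` line quotes the same variable; quote both (`"${PTXDIST_LIB_DIR}/ptxd_make_sbom_report.py"`, `> "${PTXDIST_TEMPDIR}/sbom-report"`) and add a short comment that `${ptx_target_packages}` is left unquoted on purpose so it word-splits into one argument per package. Since the commit message makes python3 plus the CycloneDX library a hard requirement, a preflight check such as `python3 -c 'import cyclonedx' || ptxd_bailout "..."` before the `mkdir` would replace a Python traceback with an actionable message. The extra empty `+` line at the end of the file should go as well.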
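Review bot: scripts/lib/ptxd_make_sbom_report.py parses the fast-report YAML with unanchored regexes, and that is the part of this RFC I would rework before it lands. `re.search("name: \'(.+)\'", content)` matches the first `name: '` anywhere in the file, including as the tail of a longer key, and `.group(1)` on a non-match (a value written without single quotes, or a missing `licenses:` entry) raises an `AttributeError` that never mentions which package failed; the shell wrapper then only reports "failed to create SBOM report". The files are YAML, so `yaml.safe_load` would be the robust choice if PyYAML is acceptable as a dependency; failing that, anchor the patterns (`^name: '(.+)'` with `re.MULTILINE`) and raise an error that includes `pkg_report`. The license handling is lossy: the whole `licenses:` string goes to `lcFac.make_with_license(...)`, so a compound expression (for example `GPL-2.0-only AND MIT`) is recorded as a single named license instead of an SPDX expression, which defeats automated license checks on the resulting SBOM; the factory's string-aware constructor (`make_from_string` in the cyclonedx-python-lib 4.x releases this code targets) distinguishes SPDX ids, expressions and plain names. Two smaller points: the script imports `cyclonedx.*`, i.e. cyclonedx-python-lib, whereas the commit message asks for the `cyclonedx-bom` CLI package, so please name the library and a minimum version (the factory API differs between its major releases); and `sys.argv[1] + sys.argv[i] + ".yaml"` depends on the caller's trailing slash, so `os.path.join(sys.argv[1], pkg + ".yaml")` with `for pkg in sys.argv[2:]` would be both safer and more idiomatic.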